@varshylinc/team-management 0.1.0

package/dist/server/services/ownership.service.js

@@ -0,0 +1,102 @@
+const TRANSFER_EXPIRY_HOURS = 48;
+export async function initiateTransfer(pool, adapter, { orgId, fromUserId, toUserId, baseUrl, }) {
+    // Validate target is an active admin (not owner)
+    const targetMembership = await pool.query(`SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`, [orgId, toUserId]);
+    if (targetMembership.rows.length === 0) {
+        throw new Error('Target user is not a member of this organization');
+    }
+    if (targetMembership.rows[0].role !== 'admin') {
+        throw new Error('Ownership can only be transferred to an admin member');
+    }
+    // Check no pending transfer exists
+    const pending = await pool.query(`SELECT id FROM tm_ownership_transfers
+     WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()`, [orgId]);
+    if (pending.rows.length > 0) {
+        throw new Error('A pending ownership transfer already exists for this organization');
+    }
+    const expiresAt = new Date(Date.now() + TRANSFER_EXPIRY_HOURS * 60 * 60 * 1000);
+    const result = await pool.query(`INSERT INTO tm_ownership_transfers (org_id, from_user_id, to_user_id, status, expires_at)
+     VALUES ($1, $2, $3, 'pending', $4)
+     RETURNING *`, [orgId, fromUserId, toUserId, expiresAt]);
+    const transfer = result.rows[0];
+    // Send email to target user
+    const orgResult = await pool.query(`SELECT name FROM tm_organizations WHERE id = $1`, [orgId]);
+    const fromUser = await adapter.getUserById(fromUserId);
+    const toUser = await adapter.getUserById(toUserId);
+    const orgName = orgResult.rows[0]?.name ?? 'Unknown Organization';
+    const fromName = fromUser?.name ?? fromUser?.email ?? 'The current owner';
+    if (toUser?.email) {
+        try {
+            await adapter.sendOwnershipTransferEmail({
+                to: toUser.email,
+                orgName,
+                fromName,
+                transferUrl: `${baseUrl}/orgs/${orgId}/transfer/accept`,
+            });
+        }
+        catch (e) {
+            adapter.logger.warn('[ownership] Failed to send transfer email', {
+                transferId: transfer.id,
+                error: e.message,
+            });
+        }
+    }
+    return transfer;
+}
+export async function acceptTransfer(pool, adapter, { orgId, acceptingUserId }) {
+    const client = await pool.connect();
+    try {
+        await client.query('BEGIN');
+        const transferResult = await client.query(`SELECT * FROM tm_ownership_transfers
+       WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()
+       FOR UPDATE`, [orgId]);
+        if (transferResult.rows.length === 0) {
+            throw new Error('No valid pending transfer found for this organization');
+        }
+        const transfer = transferResult.rows[0];
+        if (transfer.to_user_id !== acceptingUserId) {
+            throw new Error('Only the designated recipient can accept this transfer');
+        }
+        // Atomic: demote old owner first (avoids two-owner constraint), then promote new owner
+        await client.query(`UPDATE tm_memberships SET role = 'admin', updated_at = NOW()
+       WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`, [orgId, transfer.from_user_id]);
+        await client.query(`UPDATE tm_memberships SET role = 'owner', updated_at = NOW()
+       WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`, [orgId, transfer.to_user_id]);
+        // Update denormalized owner_user_id on org
+        await client.query(`UPDATE tm_organizations SET owner_user_id = $1, updated_at = NOW() WHERE id = $2`, [transfer.to_user_id, orgId]);
+        // Mark transfer as accepted
+        await client.query(`UPDATE tm_ownership_transfers
+       SET status = 'accepted', accepted_at = NOW()
+       WHERE id = $1`, [transfer.id]);
+        await client.query('COMMIT');
+    }
+    catch (e) {
+        await client.query('ROLLBACK');
+        throw e;
+    }
+    finally {
+        client.release();
+    }
+}
+export async function cancelTransfer(pool, { orgId, cancelledByUserId }) {
+    const result = await pool.query(`UPDATE tm_ownership_transfers
+     SET status = 'cancelled', cancelled_at = NOW(), cancelled_by_user_id = $1
+     WHERE org_id = $2 AND status = 'pending'`, [cancelledByUserId, orgId]);
+    if ((result.rowCount ?? 0) === 0) {
+        throw new Error('No pending transfer found to cancel');
+    }
+}
+export async function getPendingTransfer(pool, orgId) {
+    const result = await pool.query(`SELECT * FROM tm_ownership_transfers
+     WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()
+     ORDER BY initiated_at DESC
+     LIMIT 1`, [orgId]);
+    return result.rows[0] ?? null;
+}
+export async function expireTransfers(pool) {
+    const result = await pool.query(`UPDATE tm_ownership_transfers
+     SET status = 'expired'
+     WHERE status = 'pending' AND expires_at <= NOW()`);
+    return result.rowCount ?? 0;
+}
+//# sourceMappingURL=ownership.service.js.map

package/dist/server/services/ownership.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ownership.service.js","sourceRoot":"","sources":["../../../src/server/services/ownership.service.ts"],"names":[],"mappings":"AAGA,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAEjC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAU,EACV,OAA4B,EAC5B,EACE,KAAK,EACL,UAAU,EACV,QAAQ,EACR,OAAO,GACkE;IAE3E,iDAAiD;IACjD,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,KAAK,CACvC,2FAA2F,EAC3F,CAAC,KAAK,EAAE,QAAQ,CAAC,CAClB,CAAC;IACF,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,mCAAmC;IACnC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAC9B;qEACiE,EACjE,CAAC,KAAK,CAAC,CACR,CAAC;IACF,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,qBAAqB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;iBAEa,EACb,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,CACzC,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEhC,4BAA4B;IAC5B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iDAAiD,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/F,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,sBAAsB,CAAC;IAClE,MAAM,QAAQ,GAAG,QAAQ,EAAE,IAAI,IAAI,QAAQ,EAAE,KAAK,IAAI,mBAAmB,CAAC;IAE1E,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,0BAA0B,CAAC;gBACvC,EAAE,EAAE,MAAM,CAAC,KAAK;gBAChB,OAAO;gBACP,QAAQ;gBACR,WAAW,EAAE,GAAG,OAAO,SAAS,KAAK,kBAAkB;aACxD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE;gBAC/D,UAAU,EAAE,QAAQ,CAAC,EAAE;gBACvB,KAAK,EAAG,CAAW,CAAC,OAAO;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAU,EACV,OAA4B,EAC5B,EAAE,KAAK,EAAE,eAAe,EAA8C;IAEtE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,KAAK,CACvC;;kBAEY,EACZ,CAAC,KAAK,CAAC,CACR,CAAC;QACF,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,QAAQ,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC5E,CAAC;QAED,uFAAuF;QACvF,MAAM,MAAM,CAAC,KAAK,CAChB;iEAC2D,EAC3D,CAAC,KAAK,EAAE,QAAQ,CAAC,YAAY,CAAC,CAC/B,CAAC;QACF,MAAM,MAAM,CAAC,KAAK,CAChB;iEAC2D,EAC3D,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,CAC7B,CAAC;QAEF,2CAA2C;QAC3C,MAAM,MAAM,CAAC,KAAK,CAChB,kFAAkF,EAClF,CAAC,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,CAC7B,CAAC;QAEF,4BAA4B;QAC5B,MAAM,MAAM,CAAC,KAAK,CAChB;;qBAEe,EACf,CAAC,QAAQ,CAAC,EAAE,CAAC,CACd,CAAC;QAEF,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,CAAC,CAAC;IACV,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAU,EACV,EAAE,KAAK,EAAE,iBAAiB,EAAgD;IAE1E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;8CAE0C,EAC1C,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAC3B,CAAC;IACF,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAU,EACV,KAAa;IAEb,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;;aAGS,EACT,CAAC,KAAK,CAAC,CACR,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAU;IAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;sDAEkD,CACnD,CAAC;IACF,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;AAC9B,CAAC"}

package/dist/server/services/password-reset.service.d.ts

@@ -0,0 +1,12 @@
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter } from '../types.js';
+export declare function requestPasswordReset(pool: Pool, adapter: ServerModuleAdapter, { email, baseUrl, triggeredBySuperAdmin: _triggeredBySuperAdmin, }: {
+    email: string;
+    baseUrl: string;
+    triggeredBySuperAdmin?: boolean;
+}): Promise<void>;
+export declare function resetPassword(pool: Pool, adapter: ServerModuleAdapter, { token, newPassword }: {
+    token: string;
+    newPassword: string;
+}): Promise<void>;
+//# sourceMappingURL=password-reset.service.d.ts.map

package/dist/server/services/password-reset.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.service.d.ts","sourceRoot":"","sources":["../../../src/server/services/password-reset.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAA0B,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAQ/E,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,EACE,KAAK,EACL,OAAO,EACP,qBAAqB,EAAE,sBAA8B,GACtD,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAAE,GACrE,OAAO,CAAC,IAAI,CAAC,CA+Bf;AAED,wBAAsB,aAAa,CACjC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAC7D,OAAO,CAAC,IAAI,CAAC,CAsCf"}

package/dist/server/services/password-reset.service.js

@@ -0,0 +1,54 @@
+import { generateToken, sha256 } from '../crypto.js';
+import { writeAuditEvent } from './audit.service.js';
+const RESET_EXPIRY_HOURS = 2;
+const RATE_LIMIT_MAX = 3;
+const RATE_LIMIT_WINDOW_HOURS = 1;
+export async function requestPasswordReset(pool, adapter, { email, baseUrl, triggeredBySuperAdmin: _triggeredBySuperAdmin = false, }) {
+    // Always return success — do not leak whether email exists
+    const user = await adapter.findUserByEmail(email);
+    if (!user)
+        return;
+    // Rate limit: 3 requests per email per hour
+    const rateCheck = await pool.query(`SELECT COUNT(*) FROM tm_password_reset_requests
+     WHERE user_id = $1 AND created_at > NOW() - INTERVAL '${RATE_LIMIT_WINDOW_HOURS} hours'
+       AND used_at IS NULL`, [user.id]);
+    const count = parseInt(rateCheck.rows[0].count, 10);
+    if (count >= RATE_LIMIT_MAX) {
+        // Silently return — don't reveal rate limit to potential attackers
+        return;
+    }
+    const token = generateToken(32);
+    const tokenHash = sha256(token);
+    const expiresAt = new Date(Date.now() + RESET_EXPIRY_HOURS * 60 * 60 * 1000);
+    await pool.query(`INSERT INTO tm_password_reset_requests (user_id, token_hash, expires_at)
+     VALUES ($1, $2, $3)`, [user.id, tokenHash, expiresAt]);
+    const resetUrl = `${baseUrl}/reset-password?token=${token}`;
+    await adapter.sendPasswordResetEmail({ to: email, resetUrl });
+}
+export async function resetPassword(pool, adapter, { token, newPassword }) {
+    if (!newPassword || newPassword.length < 8) {
+        throw new Error('Password must be at least 8 characters');
+    }
+    const tokenHash = sha256(token);
+    const result = await pool.query(`SELECT * FROM tm_password_reset_requests
+     WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()`, [tokenHash]);
+    if (result.rows.length === 0) {
+        throw new Error('Invalid or expired password reset token');
+    }
+    const request = result.rows[0];
+    const hashedPassword = await adapter.hashPassword(newPassword);
+    await adapter.setUserPassword(request.user_id, hashedPassword);
+    // Mark token as used
+    await pool.query(`UPDATE tm_password_reset_requests SET used_at = NOW() WHERE id = $1`, [request.id]);
+    // Invalidate all sessions for security
+    await adapter.invalidateAllUserSessions(request.user_id);
+    await writeAuditEvent({
+        pool,
+        orgId: null,
+        actorUserId: request.user_id,
+        action: 'user.password_reset',
+        targetType: 'user',
+        targetId: request.user_id,
+    });
+}
+//# sourceMappingURL=password-reset.service.js.map

package/dist/server/services/password-reset.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-reset.service.js","sourceRoot":"","sources":["../../../src/server/services/password-reset.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAC7B,MAAM,cAAc,GAAG,CAAC,CAAC;AACzB,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAElC,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAU,EACV,OAA4B,EAC5B,EACE,KAAK,EACL,OAAO,EACP,qBAAqB,EAAE,sBAAsB,GAAG,KAAK,GACe;IAEtE,2DAA2D;IAC3D,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,IAAI;QAAE,OAAO;IAElB,4CAA4C;IAC5C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAChC;6DACyD,uBAAuB;2BACzD,EACvB,CAAC,IAAI,CAAC,EAAE,CAAC,CACV,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACpD,IAAI,KAAK,IAAI,cAAc,EAAE,CAAC;QAC5B,mEAAmE;QACnE,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,kBAAkB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE7E,MAAM,IAAI,CAAC,KAAK,CACd;yBACqB,EACrB,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,CAChC,CAAC;IAEF,MAAM,QAAQ,GAAG,GAAG,OAAO,yBAAyB,KAAK,EAAE,CAAC;IAE5D,MAAM,OAAO,CAAC,sBAAsB,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAU,EACV,OAA4B,EAC5B,EAAE,KAAK,EAAE,WAAW,EAA0C;IAE9D,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;sEACkE,EAClE,CAAC,SAAS,CAAC,CACZ,CAAC;IACF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;IAE/D,MAAM,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAE/D,qBAAqB;IACrB,MAAM,IAAI,CAAC,KAAK,CACd,qEAAqE,EACrE,CAAC,OAAO,CAAC,EAAE,CAAC,CACb,CAAC;IAEF,uCAAuC;IACvC,MAAM,OAAO,CAAC,yBAAyB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzD,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK,EAAE,IAAI;QACX,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,OAAO,CAAC,OAAO;KAC1B,CAAC,CAAC;AACL,CAAC"}

package/dist/server/services/super-admin.service.d.ts

@@ -0,0 +1,59 @@
+import type { Pool } from 'pg';
+import type { TmOrganization, TmMembership, OrgRole, ServerModuleAdapter } from '../types.js';
+export declare function listAllOrgs(pool: Pool): Promise<TmOrganization[]>;
+export declare function getOrgForAdmin(pool: Pool, orgId: number): Promise<TmOrganization & {
+    memberCount: number;
+}>;
+export declare function getUserForAdmin(pool: Pool, adapter: ServerModuleAdapter, userId: number): Promise<{
+    id: number;
+    email: string;
+    name?: string;
+    memberships: TmMembership[];
+}>;
+export declare function restoreOrg(pool: Pool, { orgId, superAdminUserId, reason, }: {
+    orgId: number;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function appointOwner(pool: Pool, { orgId, targetUserId, superAdminUserId, reason, }: {
+    orgId: number;
+    targetUserId: number;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function hardDeleteOrg(pool: Pool, { orgId, superAdminUserId, legalBasis, }: {
+    orgId: number;
+    superAdminUserId: number;
+    legalBasis: string;
+}): Promise<void>;
+export declare function addMemberAdmin(pool: Pool, { orgId, userId, role, superAdminUserId, reason, }: {
+    orgId: number;
+    userId: number;
+    role: OrgRole;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function removeMemberAdmin(pool: Pool, { orgId, userId, superAdminUserId, reason, }: {
+    orgId: number;
+    userId: number;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function lockUser(pool: Pool, adapter: ServerModuleAdapter, { userId, superAdminUserId, reason, }: {
+    userId: number;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function unlockUser(pool: Pool, adapter: ServerModuleAdapter, { userId, superAdminUserId, reason, }: {
+    userId: number;
+    superAdminUserId: number;
+    reason: string;
+}): Promise<void>;
+export declare function triggerPasswordReset(pool: Pool, adapter: ServerModuleAdapter, { userId, superAdminUserId, reason, baseUrl, }: {
+    userId: number;
+    superAdminUserId: number;
+    reason: string;
+    baseUrl: string;
+}): Promise<void>;
+export declare function seedSuperAdmin(pool: Pool, adapter: ServerModuleAdapter, email: string): Promise<void>;
+//# sourceMappingURL=super-admin.service.d.ts.map

package/dist/server/services/super-admin.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"super-admin.service.d.ts","sourceRoot":"","sources":["../../../src/server/services/super-admin.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAI9F,wBAAsB,WAAW,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAKvE;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,IAAI,EACV,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,cAAc,GAAG;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC,CAanD;AAED,wBAAsB,eAAe,CACnC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,YAAY,EAAE,CAAA;CAAE,CAAC,CASpF;AAED,wBAAsB,UAAU,CAC9B,IAAI,EAAE,IAAI,EACV,EACE,KAAK,EACL,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC7D,OAAO,CAAC,IAAI,CAAC,CAmBf;AAED,wBAAsB,YAAY,CAChC,IAAI,EAAE,IAAI,EACV,EACE,KAAK,EACL,YAAY,EACZ,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnF,OAAO,CAAC,IAAI,CAAC,CA6Cf;AAED,wBAAsB,aAAa,CACjC,IAAI,EAAE,IAAI,EACV,EACE,KAAK,EACL,gBAAgB,EAChB,UAAU,GACX,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GACjE,OAAO,CAAC,IAAI,CAAC,CAkBf;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,IAAI,EACV,EACE,KAAK,EACL,MAAM,EACN,IAAI,EACJ,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC5F,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,IAAI,EACV,EACE,KAAK,EACL,MAAM,EACN,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC7E,OAAO,CAAC,IAAI,CAAC,CAkBf;AAED,wBAAsB,QAAQ,CAC5B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC9D,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED,wBAAsB,UAAU,CAC9B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,GACP,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC9D,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,EACN,OAAO,GACR,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC/E,OAAO,CAAC,IAAI,CAAC,CAoBf;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,IAAI,CAAC,CAaf"}

package/dist/server/services/super-admin.service.js

@@ -0,0 +1,187 @@
+import { writeAuditEvent } from './audit.service.js';
+import { requestPasswordReset } from './password-reset.service.js';
+export async function listAllOrgs(pool) {
+    const result = await pool.query(`SELECT * FROM tm_organizations ORDER BY created_at DESC`);
+    return result.rows;
+}
+export async function getOrgForAdmin(pool, orgId) {
+    const result = await pool.query(`SELECT o.*,
+            COUNT(m.id) FILTER (WHERE m.removed_at IS NULL) AS member_count
+     FROM tm_organizations o
+     LEFT JOIN tm_memberships m ON m.org_id = o.id
+     WHERE o.id = $1
+     GROUP BY o.id`, [orgId]);
+    if (result.rows.length === 0)
+        throw new Error('Organization not found');
+    const row = result.rows[0];
+    return { ...row, memberCount: parseInt(row.member_count, 10) };
+}
+export async function getUserForAdmin(pool, adapter, userId) {
+    const user = await adapter.getUserById(userId);
+    if (!user)
+        throw new Error('User not found');
+    const memberships = await pool.query(`SELECT * FROM tm_memberships WHERE user_id = $1 ORDER BY joined_at DESC`, [userId]);
+    return { ...user, memberships: memberships.rows };
+}
+export async function restoreOrg(pool, { orgId, superAdminUserId, reason, }) {
+    const result = await pool.query(`UPDATE tm_organizations
+     SET deleted_at = NULL, delete_scheduled_for = NULL, deleted_by_user_id = NULL, updated_at = NOW()
+     WHERE id = $1 AND deleted_at IS NOT NULL`, [orgId]);
+    if ((result.rowCount ?? 0) === 0)
+        throw new Error('Organization not found or not deleted');
+    await writeAuditEvent({
+        pool,
+        orgId,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'org.restored',
+        targetType: 'org',
+        targetId: orgId,
+        reason,
+    });
+}
+export async function appointOwner(pool, { orgId, targetUserId, superAdminUserId, reason, }) {
+    const client = await pool.connect();
+    try {
+        await client.query('BEGIN');
+        // Demote current owner to admin
+        await client.query(`UPDATE tm_memberships SET role = 'admin', updated_at = NOW()
+       WHERE org_id = $1 AND role = 'owner' AND removed_at IS NULL`, [orgId]);
+        // Upsert new owner
+        await client.query(`INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
+       VALUES ($1, $2, 'owner', NOW())
+       ON CONFLICT (org_id, user_id) WHERE removed_at IS NULL
+       DO UPDATE SET role = 'owner', removed_at = NULL, updated_at = NOW()`, [orgId, targetUserId]);
+        // Update denormalized owner field
+        await client.query(`UPDATE tm_organizations SET owner_user_id = $1, updated_at = NOW() WHERE id = $2`, [targetUserId, orgId]);
+        await client.query('COMMIT');
+    }
+    catch (e) {
+        await client.query('ROLLBACK');
+        throw e;
+    }
+    finally {
+        client.release();
+    }
+    await writeAuditEvent({
+        pool,
+        orgId,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'org.owner_appointed',
+        targetType: 'user',
+        targetId: targetUserId,
+        reason,
+    });
+}
+export async function hardDeleteOrg(pool, { orgId, superAdminUserId, legalBasis, }) {
+    if (!legalBasis || legalBasis.trim().length < 10) {
+        throw new Error('A legal basis of at least 10 characters is required for hard delete');
+    }
+    await writeAuditEvent({
+        pool,
+        orgId,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'org.hard_deleted',
+        targetType: 'org',
+        targetId: orgId,
+        reason: legalBasis,
+    });
+    // Hard delete — cascades to memberships, invitations, etc.
+    await pool.query(`DELETE FROM tm_organizations WHERE id = $1`, [orgId]);
+}
+export async function addMemberAdmin(pool, { orgId, userId, role, superAdminUserId, reason, }) {
+    await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
+     VALUES ($1, $2, $3, NOW())
+     ON CONFLICT (org_id, user_id)
+     DO UPDATE SET role = EXCLUDED.role, removed_at = NULL, removed_by_user_id = NULL,
+                   removal_reason = NULL, updated_at = NOW()`, [orgId, userId, role]);
+    await writeAuditEvent({
+        pool,
+        orgId,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'org.member_added_admin',
+        targetType: 'user',
+        targetId: userId,
+        after: { role },
+        reason,
+    });
+}
+export async function removeMemberAdmin(pool, { orgId, userId, superAdminUserId, reason, }) {
+    await pool.query(`UPDATE tm_memberships
+     SET removed_at = NOW(), removed_by_user_id = $1, removal_reason = $2, updated_at = NOW()
+     WHERE org_id = $3 AND user_id = $4 AND removed_at IS NULL`, [superAdminUserId, reason, orgId, userId]);
+    await writeAuditEvent({
+        pool,
+        orgId,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'org.member_removed_admin',
+        targetType: 'user',
+        targetId: userId,
+        reason,
+    });
+}
+export async function lockUser(pool, adapter, { userId, superAdminUserId, reason, }) {
+    await pool.query(`INSERT INTO tm_user_locks (user_id, locked_by, reason, locked_at)
+     VALUES ($1, $2, $3, NOW())
+     ON CONFLICT (user_id) DO UPDATE SET locked_by = EXCLUDED.locked_by,
+       reason = EXCLUDED.reason, locked_at = EXCLUDED.locked_at, unlocked_at = NULL`, [userId, superAdminUserId, reason]);
+    await adapter.invalidateAllUserSessions(userId);
+    await writeAuditEvent({
+        pool,
+        orgId: null,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'user.locked',
+        targetType: 'user',
+        targetId: userId,
+        reason,
+    });
+}
+export async function unlockUser(pool, adapter, { userId, superAdminUserId, reason, }) {
+    await pool.query(`UPDATE tm_user_locks SET unlocked_at = NOW() WHERE user_id = $1 AND unlocked_at IS NULL`, [userId]);
+    await writeAuditEvent({
+        pool,
+        orgId: null,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'user.unlocked',
+        targetType: 'user',
+        targetId: userId,
+        reason,
+    });
+}
+export async function triggerPasswordReset(pool, adapter, { userId, superAdminUserId, reason, baseUrl, }) {
+    const user = await adapter.getUserById(userId);
+    if (!user)
+        throw new Error('User not found');
+    await requestPasswordReset(pool, adapter, {
+        email: user.email,
+        baseUrl,
+        triggeredBySuperAdmin: true,
+    });
+    await writeAuditEvent({
+        pool,
+        orgId: null,
+        actorUserId: superAdminUserId,
+        actorType: 'super_admin',
+        action: 'user.password_reset_triggered',
+        targetType: 'user',
+        targetId: userId,
+        reason,
+    });
+}
+export async function seedSuperAdmin(pool, adapter, email) {
+    const user = await adapter.findUserByEmail(email);
+    if (!user) {
+        // User not found — skip silently (idempotent)
+        return;
+    }
+    await pool.query(`INSERT INTO tm_super_admins (user_id, granted_at)
+     VALUES ($1, NOW())
+     ON CONFLICT (user_id) DO NOTHING`, [user.id]);
+}
+//# sourceMappingURL=super-admin.service.js.map

package/dist/server/services/super-admin.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"super-admin.service.js","sourceRoot":"","sources":["../../../src/server/services/super-admin.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAEnE,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAU;IAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B,yDAAyD,CAC1D,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAU,EACV,KAAa;IAEb,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;;;;mBAKe,EACf,CAAC,KAAK,CAAC,CACR,CAAC;IACF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,GAAG,GAAG,EAAE,WAAW,EAAE,QAAQ,CAAC,GAAG,CAAC,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC;AACjE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAU,EACV,OAA4B,EAC5B,MAAc;IAEd,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAE7C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAClC,yEAAyE,EACzE,CAAC,MAAM,CAAC,CACT,CAAC;IACF,OAAO,EAAE,GAAG,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAU,EACV,EACE,KAAK,EACL,gBAAgB,EAChB,MAAM,GACsD;IAE9D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;8CAE0C,EAC1C,CAAC,KAAK,CAAC,CACR,CAAC;IACF,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAE3F,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK;QACL,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,cAAc;QACtB,UAAU,EAAE,KAAK;QACjB,QAAQ,EAAE,KAAK;QACf,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAU,EACV,EACE,KAAK,EACL,YAAY,EACZ,gBAAgB,EAChB,MAAM,GAC4E;IAEpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,gCAAgC;QAChC,MAAM,MAAM,CAAC,KAAK,CAChB;mEAC6D,EAC7D,CAAC,KAAK,CAAC,CACR,CAAC;QAEF,mBAAmB;QACnB,MAAM,MAAM,CAAC,KAAK,CAChB;;;2EAGqE,EACrE,CAAC,KAAK,EAAE,YAAY,CAAC,CACtB,CAAC;QAEF,kCAAkC;QAClC,MAAM,MAAM,CAAC,KAAK,CAChB,kFAAkF,EAClF,CAAC,YAAY,EAAE,KAAK,CAAC,CACtB,CAAC;QAEF,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/B,MAAM,CAAC,CAAC;IACV,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,CAAC;IACnB,CAAC;IAED,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK;QACL,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,qBAAqB;QAC7B,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,YAAY;QACtB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAU,EACV,EACE,KAAK,EACL,gBAAgB,EAChB,UAAU,GACsD;IAElE,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK;QACL,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,kBAAkB;QAC1B,UAAU,EAAE,KAAK;QACjB,QAAQ,EAAE,KAAK;QACf,MAAM,EAAE,UAAU;KACnB,CAAC,CAAC;IAEH,2DAA2D;IAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,4CAA4C,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAU,EACV,EACE,KAAK,EACL,MAAM,EACN,IAAI,EACJ,gBAAgB,EAChB,MAAM,GACqF;IAE7F,MAAM,IAAI,CAAC,KAAK,CACd;;;;6DAIyD,EACzD,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CACtB,CAAC;IAEF,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK;QACL,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,wBAAwB;QAChC,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,EAAE,IAAI,EAAE;QACf,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,IAAU,EACV,EACE,KAAK,EACL,MAAM,EACN,gBAAgB,EAChB,MAAM,GACsE;IAE9E,MAAM,IAAI,CAAC,KAAK,CACd;;+DAE2D,EAC3D,CAAC,gBAAgB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAC1C,CAAC;IAEF,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK;QACL,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,0BAA0B;QAClC,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,MAAM;QAChB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,IAAU,EACV,OAA4B,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,GACuD;IAE/D,MAAM,IAAI,CAAC,KAAK,CACd;;;oFAGgF,EAChF,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,CAAC,CACnC,CAAC;IAEF,MAAM,OAAO,CAAC,yBAAyB,CAAC,MAAM,CAAC,CAAC;IAEhD,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK,EAAE,IAAI;QACX,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,aAAa;QACrB,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,MAAM;QAChB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAU,EACV,OAA4B,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,GACuD;IAE/D,MAAM,IAAI,CAAC,KAAK,CACd,yFAAyF,EACzF,CAAC,MAAM,CAAC,CACT,CAAC;IAEF,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK,EAAE,IAAI;QACX,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,eAAe;QACvB,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,MAAM;QAChB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAU,EACV,OAA4B,EAC5B,EACE,MAAM,EACN,gBAAgB,EAChB,MAAM,EACN,OAAO,GACuE;IAEhF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAE7C,MAAM,oBAAoB,CAAC,IAAI,EAAE,OAAO,EAAE;QACxC,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO;QACP,qBAAqB,EAAE,IAAI;KAC5B,CAAC,CAAC;IAEH,MAAM,eAAe,CAAC;QACpB,IAAI;QACJ,KAAK,EAAE,IAAI;QACX,WAAW,EAAE,gBAAgB;QAC7B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,+BAA+B;QACvC,UAAU,EAAE,MAAM;QAClB,QAAQ,EAAE,MAAM;QAChB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAU,EACV,OAA4B,EAC5B,KAAa;IAEb,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,8CAA8C;QAC9C,OAAO;IACT,CAAC;IAED,MAAM,IAAI,CAAC,KAAK,CACd;;sCAEkC,EAClC,CAAC,IAAI,CAAC,EAAE,CAAC,CACV,CAAC;AACJ,CAAC"}

package/dist/server/types.d.ts

@@ -0,0 +1,186 @@
+import type { Request } from 'express';
+export type OrgRole = 'owner' | 'admin' | 'member' | 'viewer';
+export type AuditActorType = 'user' | 'super_admin';
+export type TransferStatus = 'pending' | 'accepted' | 'cancelled' | 'expired';
+export interface TmOrganization {
+    id: number;
+    name: string;
+    slug: string;
+    owner_user_id: number;
+    settings: Record<string, unknown>;
+    deleted_at: Date | null;
+    delete_scheduled_for: Date | null;
+    deleted_by_user_id: number | null;
+    created_at: Date;
+    updated_at: Date;
+}
+export interface TmMembership {
+    id: number;
+    org_id: number;
+    user_id: number;
+    role: OrgRole;
+    joined_at: Date;
+    removed_at: Date | null;
+    removed_by_user_id: number | null;
+    removal_reason: string | null;
+    created_at: Date;
+    updated_at: Date;
+}
+export interface TmInvitation {
+    id: number;
+    org_id: number;
+    invited_by_user_id: number;
+    email: string;
+    role: OrgRole;
+    token_hash: string;
+    code_encrypted: string;
+    expires_at: Date;
+    accepted_at: Date | null;
+    revoked_at: Date | null;
+    revoked_by_user_id: number | null;
+    resent_count: number;
+    created_at: Date;
+    updated_at: Date;
+}
+export interface TmAuditEvent {
+    id: string;
+    org_id: number | null;
+    actor_user_id: number | null;
+    actor_type: AuditActorType;
+    action: string;
+    target_type: string | null;
+    target_id: string | null;
+    before_state: Record<string, unknown> | null;
+    after_state: Record<string, unknown> | null;
+    ip: string | null;
+    user_agent: string | null;
+    reason: string | null;
+    created_at: Date;
+}
+export interface TmOwnershipTransfer {
+    id: number;
+    org_id: number;
+    from_user_id: number;
+    to_user_id: number;
+    status: TransferStatus;
+    initiated_at: Date;
+    accepted_at: Date | null;
+    cancelled_at: Date | null;
+    cancelled_by_user_id: number | null;
+    expires_at: Date;
+}
+export interface TmPasswordResetRequest {
+    id: number;
+    user_id: number;
+    token_hash: string;
+    expires_at: Date;
+    used_at: Date | null;
+    created_at: Date;
+}
+export interface ServerModuleAdapter {
+    getCurrentUserId(req: Request): Promise<number | null>;
+    getOrganizationIdForUser(userId: number): Promise<number | null>;
+    isUserOrgAdmin(userId: number, orgId: number): Promise<boolean>;
+    logger: {
+        info(message: string, meta?: Record<string, unknown>): void;
+        warn(message: string, meta?: Record<string, unknown>): void;
+        error(message: string, meta?: Record<string, unknown>): void;
+    };
+    getUserById(userId: number): Promise<{
+        id: number;
+        email: string;
+        name?: string;
+    } | null>;
+    getUsersByIds(userIds: number[]): Promise<Array<{
+        id: number;
+        email: string;
+        name?: string;
+    }>>;
+    findUserByEmail(email: string): Promise<{
+        id: number;
+        email: string;
+    } | null>;
+    createUserFromInvite(data: {
+        email: string;
+        orgId: number;
+        role: OrgRole;
+    }): Promise<{
+        id: number;
+        email: string;
+    }>;
+    setUserPassword(userId: number, passwordHash: string): Promise<void>;
+    hashPassword(plaintext: string): Promise<string>;
+    verifyPassword(plaintext: string, hash: string): Promise<boolean>;
+    invalidateAllUserSessions(userId: number): Promise<void>;
+    sendInviteEmail(data: {
+        to: string;
+        orgName: string;
+        inviterName: string;
+        role: OrgRole;
+        magicLinkUrl: string;
+        code: string;
+    }): Promise<void>;
+    sendOwnershipTransferEmail(data: {
+        to: string;
+        orgName: string;
+        fromName: string;
+        transferUrl: string;
+    }): Promise<void>;
+    sendEmailChangeVerification(data: {
+        to: string;
+        verifyUrl: string;
+    }): Promise<void>;
+    sendEmailChangeOldNotice(data: {
+        to: string;
+        newEmail: string;
+        cancelUrl: string;
+    }): Promise<void>;
+    sendEmailChangedFinalNotice(data: {
+        to: string;
+        oldEmail: string;
+        newEmail: string;
+    }): Promise<void>;
+    sendPasswordResetEmail(data: {
+        to: string;
+        resetUrl: string;
+    }): Promise<void>;
+    sendOrgDeletionNotice(data: {
+        to: string;
+        orgName: string;
+        scheduledFor: Date;
+    }): Promise<void>;
+    emitNotification(data: {
+        userId: number;
+        type: string;
+        payload: Record<string, unknown>;
+    }): Promise<void>;
+}
+export interface TeamManagementFeatureFlags {
+    enableInvites?: boolean;
+    enableAuditLog?: boolean;
+    enableOwnershipTransfer?: boolean;
+    enableEmailChange?: boolean;
+    enablePasswordReset?: boolean;
+    enableSuperAdmin?: boolean;
+    enableSharedAccess?: boolean;
+    enableHardDelete?: boolean;
+}
+export interface TeamManagementConfig {
+    featureFlags?: TeamManagementFeatureFlags;
+    baseUrl?: string;
+}
+export interface TeamManagementServerModule {
+    router: import('express').Router;
+    runMigrations(): Promise<{
+        applied: string[];
+        skipped: string[];
+    }>;
+    /** Alias for runMigrations — for test convenience */
+    migrate(): Promise<{
+        applied: string[];
+        skipped: string[];
+    }>;
+}
+export declare const ROLE_HIERARCHY: Record<OrgRole, number>;
+export declare function roleAtLeast(userRole: OrgRole, required: OrgRole): boolean;
+//# sourceMappingURL=types.d.ts.map

package/dist/server/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAEvC,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAC9D,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,aAAa,CAAC;AACpD,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,CAAC;AAE9E,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,oBAAoB,EAAE,IAAI,GAAG,IAAI,CAAC;IAClC,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,OAAO,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;IAChB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,kBAAkB,EAAE,MAAM,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,IAAI,CAAC;IACjB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,kBAAkB,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,cAAc,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAC5C,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,cAAc,CAAC;IACvB,YAAY,EAAE,IAAI,CAAC;IACnB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,YAAY,EAAE,IAAI,GAAG,IAAI,CAAC;IAC1B,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,CAAC;IACjB,OAAO,EAAE,IAAI,GAAG,IAAI,CAAC;IACrB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,mBAAmB;IAElC,gBAAgB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACvD,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACjE,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChE,MAAM,EAAE;QACN,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;QAC5D,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;QAC5D,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;KAC9D,CAAC;IAEF,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC1F,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC,CAAC;IAC/F,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;IAC9E,oBAAoB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrE,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClE,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzD,eAAe,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,OAAO,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9I,0BAA0B,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxH,2BAA2B,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,wBAAwB,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnG,2BAA2B,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrG,sBAAsB,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,qBAAqB,CAAC,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,IAAI,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChG,gBAAgB,CAAC,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3G;AAED,MAAM,WAAW,0BAA0B;IACzC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,CAAC,EAAE,0BAA0B,CAAC;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,OAAO,SAAS,EAAE,MAAM,CAAC;IACjC,aAAa,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACnE,qDAAqD;IACrD,OAAO,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC9D;AAGD,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAoD,CAAC;AAExG,wBAAgB,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAEzE"}

package/dist/server/types.js

@@ -0,0 +1,6 @@
+// Role permission helpers — values are spaced by 10 so future roles can be inserted
+export const ROLE_HIERARCHY = { viewer: 10, member: 20, admin: 30, owner: 40 };
+export function roleAtLeast(userRole, required) {
+    return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[required];
+}
+//# sourceMappingURL=types.js.map