@vibescope/mcp-server 0.0.1

package/src/handlers/organizations.ts

@@ -0,0 +1,550 @@
+/**
+ * Organizations Handlers
+ *
+ * Handles organization management, membership, and project sharing:
+ * - list_organizations
+ * - create_organization
+ * - update_organization
+ * - delete_organization
+ * - list_org_members
+ * - invite_member
+ * - update_member_role
+ * - remove_member
+ * - leave_organization
+ * - share_project_with_org
+ * - update_project_share
+ * - unshare_project
+ * - list_project_shares
+ */
+
+import type { Handler, HandlerRegistry } from './types.js';
+import { validateRequired, validateUUID } from '../validators.js';
+import { randomBytes } from 'crypto';
+
+// Valid roles in order of permission level
+const ROLE_ORDER = ['viewer', 'member', 'admin', 'owner'] as const;
+type Role = (typeof ROLE_ORDER)[number];
+
+// Valid share permissions
+const PERMISSION_ORDER = ['read', 'write', 'admin'] as const;
+type Permission = (typeof PERMISSION_ORDER)[number];
+
+/**
+ * Generate a URL-friendly slug from a name
+ */
+function generateSlug(name: string): string {
+	return name
+		.toLowerCase()
+		.replace(/[^a-z0-9]+/g, '-')
+		.replace(/^-|-$/g, '')
+		.slice(0, 50);
+}
+
+/**
+ * Generate a secure invite token
+ */
+function generateInviteToken(): string {
+	return randomBytes(32).toString('base64url');
+}
+
+// ============================================================================
+// Organization Management
+// ============================================================================
+
+export const listOrganizations: Handler = async (_args, ctx) => {
+	const { supabase, auth } = ctx;
+
+	const { data, error } = await supabase
+		.from('organization_members')
+		.select(`
+			role,
+			joined_at,
+			organizations (
+				id,
+				name,
+				slug,
+				description,
+				logo_url,
+				owner_id,
+				created_at
+			)
+		`)
+		.eq('user_id', auth.userId)
+		.order('joined_at', { ascending: false });
+
+	if (error) throw new Error(`Failed to list organizations: ${error.message}`);
+
+	const organizations = (data || []).map((m) => ({
+		...(m.organizations as unknown as Record<string, unknown>),
+		role: m.role,
+		joined_at: m.joined_at,
+	}));
+
+	return { result: { organizations, count: organizations.length } };
+};
+
+export const createOrganization: Handler = async (args, ctx) => {
+	const { name, description, slug: customSlug } = args as {
+		name: string;
+		description?: string;
+		slug?: string;
+	};
+
+	validateRequired(name, 'name');
+
+	const { supabase, auth } = ctx;
+	const slug = customSlug || generateSlug(name);
+
+	// Check if slug is available
+	const { data: existing } = await supabase
+		.from('organizations')
+		.select('id')
+		.eq('slug', slug)
+		.maybeSingle();
+
+	if (existing) {
+		throw new Error(`Organization slug "${slug}" is already taken`);
+	}
+
+	const { data, error } = await supabase
+		.from('organizations')
+		.insert({
+			name,
+			slug,
+			description: description || null,
+			owner_id: auth.userId,
+		})
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to create organization: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			organization: data,
+			message: `Organization "${name}" created. You are the owner.`,
+		},
+	};
+};
+
+export const updateOrganization: Handler = async (args, ctx) => {
+	const { organization_id, name, description, logo_url } = args as {
+		organization_id: string;
+		name?: string;
+		description?: string;
+		logo_url?: string;
+	};
+
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(organization_id, 'organization_id');
+
+	const { supabase } = ctx;
+
+	const updates: Record<string, unknown> = {};
+	if (name !== undefined) updates.name = name;
+	if (description !== undefined) updates.description = description;
+	if (logo_url !== undefined) updates.logo_url = logo_url;
+
+	if (Object.keys(updates).length === 0) {
+		throw new Error('No updates provided');
+	}
+
+	const { data, error } = await supabase
+		.from('organizations')
+		.update(updates)
+		.eq('id', organization_id)
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to update organization: ${error.message}`);
+
+	return { result: { success: true, organization: data } };
+};
+
+export const deleteOrganization: Handler = async (args, ctx) => {
+	const { organization_id } = args as { organization_id: string };
+
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(organization_id, 'organization_id');
+
+	const { supabase } = ctx;
+
+	const { error } = await supabase
+		.from('organizations')
+		.delete()
+		.eq('id', organization_id);
+
+	if (error) throw new Error(`Failed to delete organization: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			message: 'Organization deleted. All shares have been removed.',
+		},
+	};
+};
+
+// ============================================================================
+// Member Management
+// ============================================================================
+
+export const listOrgMembers: Handler = async (args, ctx) => {
+	const { organization_id } = args as { organization_id: string };
+
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(organization_id, 'organization_id');
+
+	const { supabase } = ctx;
+
+	const { data, error } = await supabase
+		.from('organization_members')
+		.select('id, user_id, role, joined_at, invited_by')
+		.eq('organization_id', organization_id)
+		.order('role', { ascending: true })
+		.order('joined_at', { ascending: true });
+
+	if (error) throw new Error(`Failed to list members: ${error.message}`);
+
+	return { result: { members: data || [], count: data?.length || 0 } };
+};
+
+export const inviteMember: Handler = async (args, ctx) => {
+	const { organization_id, email, role = 'member' } = args as {
+		organization_id: string;
+		email: string;
+		role?: 'admin' | 'member' | 'viewer';
+	};
+
+	validateRequired(organization_id, 'organization_id');
+	validateRequired(email, 'email');
+	validateUUID(organization_id, 'organization_id');
+
+	if (!['admin', 'member', 'viewer'].includes(role)) {
+		throw new Error('Invalid role. Must be admin, member, or viewer.');
+	}
+
+	const { supabase, auth } = ctx;
+	const token = generateInviteToken();
+
+	// Check for existing pending invite
+	const { data: existing } = await supabase
+		.from('organization_invites')
+		.select('id')
+		.eq('organization_id', organization_id)
+		.eq('email', email)
+		.is('accepted_at', null)
+		.gt('expires_at', new Date().toISOString())
+		.maybeSingle();
+
+	if (existing) {
+		throw new Error(`A pending invite already exists for ${email}`);
+	}
+
+	const { data, error } = await supabase
+		.from('organization_invites')
+		.insert({
+			organization_id,
+			email,
+			role,
+			token,
+			invited_by: auth.userId,
+		})
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to create invite: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			invite: data,
+			message: `Invite sent to ${email} with role "${role}"`,
+		},
+	};
+};
+
+export const updateMemberRole: Handler = async (args, ctx) => {
+	const { organization_id, user_id, role } = args as {
+		organization_id: string;
+		user_id: string;
+		role: Role;
+	};
+
+	validateRequired(organization_id, 'organization_id');
+	validateRequired(user_id, 'user_id');
+	validateRequired(role, 'role');
+	validateUUID(organization_id, 'organization_id');
+	validateUUID(user_id, 'user_id');
+
+	if (!ROLE_ORDER.includes(role)) {
+		throw new Error(`Invalid role. Must be one of: ${ROLE_ORDER.join(', ')}`);
+	}
+
+	if (role === 'owner') {
+		throw new Error('Cannot assign owner role. Use transfer ownership instead.');
+	}
+
+	const { supabase, auth } = ctx;
+
+	// Prevent demoting yourself
+	if (user_id === auth.userId) {
+		throw new Error('Cannot change your own role');
+	}
+
+	const { data, error } = await supabase
+		.from('organization_members')
+		.update({ role })
+		.eq('organization_id', organization_id)
+		.eq('user_id', user_id)
+		.neq('role', 'owner') // Cannot change owner's role
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to update member role: ${error.message}`);
+
+	return { result: { success: true, member: data } };
+};
+
+export const removeMember: Handler = async (args, ctx) => {
+	const { organization_id, user_id } = args as {
+		organization_id: string;
+		user_id: string;
+	};
+
+	validateRequired(organization_id, 'organization_id');
+	validateRequired(user_id, 'user_id');
+	validateUUID(organization_id, 'organization_id');
+	validateUUID(user_id, 'user_id');
+
+	const { supabase } = ctx;
+
+	const { error } = await supabase
+		.from('organization_members')
+		.delete()
+		.eq('organization_id', organization_id)
+		.eq('user_id', user_id)
+		.neq('role', 'owner'); // Cannot remove owner
+
+	if (error) throw new Error(`Failed to remove member: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			message: 'Member removed. Their org-scoped API keys have been invalidated.',
+		},
+	};
+};
+
+export const leaveOrganization: Handler = async (args, ctx) => {
+	const { organization_id } = args as { organization_id: string };
+
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(organization_id, 'organization_id');
+
+	const { supabase, auth } = ctx;
+
+	// Check if user is owner
+	const { data: membership } = await supabase
+		.from('organization_members')
+		.select('role')
+		.eq('organization_id', organization_id)
+		.eq('user_id', auth.userId)
+		.single();
+
+	if (membership?.role === 'owner') {
+		throw new Error('Owner cannot leave. Transfer ownership first or delete the organization.');
+	}
+
+	const { error } = await supabase
+		.from('organization_members')
+		.delete()
+		.eq('organization_id', organization_id)
+		.eq('user_id', auth.userId);
+
+	if (error) throw new Error(`Failed to leave organization: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			message: 'You have left the organization.',
+		},
+	};
+};
+
+// ============================================================================
+// Project Sharing
+// ============================================================================
+
+export const shareProjectWithOrg: Handler = async (args, ctx) => {
+	const { project_id, organization_id, permission = 'read' } = args as {
+		project_id: string;
+		organization_id: string;
+		permission?: Permission;
+	};
+
+	validateRequired(project_id, 'project_id');
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(project_id, 'project_id');
+	validateUUID(organization_id, 'organization_id');
+
+	if (!PERMISSION_ORDER.includes(permission)) {
+		throw new Error(`Invalid permission. Must be one of: ${PERMISSION_ORDER.join(', ')}`);
+	}
+
+	const { supabase, auth } = ctx;
+
+	// Verify user owns the project
+	const { data: project } = await supabase
+		.from('projects')
+		.select('id, name')
+		.eq('id', project_id)
+		.eq('user_id', auth.userId)
+		.single();
+
+	if (!project) {
+		throw new Error('Project not found or you are not the owner');
+	}
+
+	// Check if share already exists
+	const { data: existing } = await supabase
+		.from('project_shares')
+		.select('id')
+		.eq('project_id', project_id)
+		.eq('organization_id', organization_id)
+		.maybeSingle();
+
+	if (existing) {
+		throw new Error('Project is already shared with this organization');
+	}
+
+	const { data, error } = await supabase
+		.from('project_shares')
+		.insert({
+			project_id,
+			organization_id,
+			permission,
+			shared_by: auth.userId,
+		})
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to share project: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			share: data,
+			message: `Project "${project.name}" shared with organization (${permission} access)`,
+		},
+	};
+};
+
+export const updateProjectShare: Handler = async (args, ctx) => {
+	const { project_id, organization_id, permission } = args as {
+		project_id: string;
+		organization_id: string;
+		permission: Permission;
+	};
+
+	validateRequired(project_id, 'project_id');
+	validateRequired(organization_id, 'organization_id');
+	validateRequired(permission, 'permission');
+	validateUUID(project_id, 'project_id');
+	validateUUID(organization_id, 'organization_id');
+
+	if (!PERMISSION_ORDER.includes(permission)) {
+		throw new Error(`Invalid permission. Must be one of: ${PERMISSION_ORDER.join(', ')}`);
+	}
+
+	const { supabase } = ctx;
+
+	const { data, error } = await supabase
+		.from('project_shares')
+		.update({ permission })
+		.eq('project_id', project_id)
+		.eq('organization_id', organization_id)
+		.select()
+		.single();
+
+	if (error) throw new Error(`Failed to update share: ${error.message}`);
+
+	return { result: { success: true, share: data } };
+};
+
+export const unshareProject: Handler = async (args, ctx) => {
+	const { project_id, organization_id } = args as {
+		project_id: string;
+		organization_id: string;
+	};
+
+	validateRequired(project_id, 'project_id');
+	validateRequired(organization_id, 'organization_id');
+	validateUUID(project_id, 'project_id');
+	validateUUID(organization_id, 'organization_id');
+
+	const { supabase } = ctx;
+
+	const { error } = await supabase
+		.from('project_shares')
+		.delete()
+		.eq('project_id', project_id)
+		.eq('organization_id', organization_id);
+
+	if (error) throw new Error(`Failed to unshare project: ${error.message}`);
+
+	return {
+		result: {
+			success: true,
+			message: 'Project share removed. Org members can no longer access this project.',
+		},
+	};
+};
+
+export const listProjectShares: Handler = async (args, ctx) => {
+	const { project_id } = args as { project_id: string };
+
+	validateRequired(project_id, 'project_id');
+	validateUUID(project_id, 'project_id');
+
+	const { supabase } = ctx;
+
+	const { data, error } = await supabase
+		.from('project_shares')
+		.select(`
+			id,
+			permission,
+			shared_at,
+			shared_by,
+			organizations (
+				id,
+				name,
+				slug
+			)
+		`)
+		.eq('project_id', project_id)
+		.order('shared_at', { ascending: false });
+
+	if (error) throw new Error(`Failed to list shares: ${error.message}`);
+
+	return { result: { shares: data || [], count: data?.length || 0 } };
+};
+
+/**
+ * Organizations handlers registry
+ */
+export const organizationHandlers: HandlerRegistry = {
+	list_organizations: listOrganizations,
+	create_organization: createOrganization,
+	update_organization: updateOrganization,
+	delete_organization: deleteOrganization,
+	list_org_members: listOrgMembers,
+	invite_member: inviteMember,
+	update_member_role: updateMemberRole,
+	remove_member: removeMember,
+	leave_organization: leaveOrganization,
+	share_project_with_org: shareProjectWithOrg,
+	update_project_share: updateProjectShare,
+	unshare_project: unshareProject,
+	list_project_shares: listProjectShares,
+};