@wopr-network/platform-core 1.16.0 → 1.18.0

package/dist/auth/tenant-access.test.js

@@ -15,6 +15,8 @@ function mockOrgMemberRepo(overrides = {}) {
         deleteInvite: vi.fn().mockResolvedValue(undefined),
         deleteAllMembers: vi.fn().mockResolvedValue(undefined),
         deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        listOrgsByUser: vi.fn().mockResolvedValue([]),
+        markInviteAccepted: vi.fn().mockResolvedValue(undefined),
         ...overrides,
     };
 }

package/dist/billing/crypto/evm/__tests__/config.test.js

@@ -19,6 +19,16 @@ describe("getTokenConfig", () => {
         expect(cfg.contractAddress).toMatch(/^0x/);
         expect(cfg.contractAddress).toBe("0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913");
     });
+    it("returns USDT on Base", () => {
+        const cfg = getTokenConfig("USDT", "base");
+        expect(cfg.decimals).toBe(6);
+        expect(cfg.contractAddress).toBe("0xfde4C96c8593536E31F229EA8f37b2ADa2699bb2");
+    });
+    it("returns DAI on Base", () => {
+        const cfg = getTokenConfig("DAI", "base");
+        expect(cfg.decimals).toBe(18);
+        expect(cfg.contractAddress).toBe("0x50c5725949A6F0c72E6C4a641F24049A917DB0Cb");
+    });
     it("throws on unsupported token/chain combo", () => {
         // biome-ignore lint/suspicious/noExplicitAny: testing invalid input
         expect(() => getTokenConfig("USDC", "ethereum")).toThrow("Unsupported token");

package/dist/billing/crypto/evm/config.js

@@ -14,6 +14,18 @@ const TOKENS = {
         contractAddress: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
         decimals: 6,
     },
+    "USDT:base": {
+        token: "USDT",
+        chain: "base",
+        contractAddress: "0xfde4C96c8593536E31F229EA8f37b2ADa2699bb2",
+        decimals: 6,
+    },
+    "DAI:base": {
+        token: "DAI",
+        chain: "base",
+        contractAddress: "0x50c5725949A6F0c72E6C4a641F24049A917DB0Cb",
+        decimals: 18,
+    },
 };
 export function getChainConfig(chain) {
     const cfg = CHAINS[chain];

package/dist/billing/crypto/evm/types.d.ts

@@ -1,7 +1,7 @@
 /** Supported EVM chains. */
 export type EvmChain = "base";
 /** Supported stablecoin tokens. */
-export type StablecoinToken = "USDC";
+export type StablecoinToken = "USDC" | "USDT" | "DAI";
 /** Chain configuration. */
 export interface ChainConfig {
     readonly chain: EvmChain;

package/dist/db/schema/organization-members.d.ts

@@ -230,6 +230,40 @@ export declare const organizationInvites: import("drizzle-orm/pg-core").PgTableW
             identity: undefined;
             generated: undefined;
         }, {}, {}>;
+        acceptedAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "accepted_at";
+            tableName: "organization_invites";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        revokedAt: import("drizzle-orm/pg-core").PgColumn<{
+            name: "revoked_at";
+            tableName: "organization_invites";
+            dataType: "number";
+            columnType: "PgBigInt53";
+            data: number;
+            driverParam: string | number;
+            notNull: false;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
     };
     dialect: "pg";
 }>;

package/dist/db/schema/organization-members.js

@@ -24,4 +24,6 @@ export const organizationInvites = pgTable("organization_invites", {
     createdAt: bigint("created_at", { mode: "number" })
         .notNull()
         .default(sql `(extract(epoch from now()) * 1000)::bigint`),
+    acceptedAt: bigint("accepted_at", { mode: "number" }),
+    revokedAt: bigint("revoked_at", { mode: "number" }),
 }, (table) => [index("idx_org_invites_org_id").on(table.orgId), index("idx_org_invites_token").on(table.token)]);

package/dist/tenancy/org-member-repository.d.ts

@@ -22,6 +22,8 @@ export interface OrgInviteRow {
     token: string;
     expiresAt: number;
     createdAt: number;
+    acceptedAt: number | null;
+    revokedAt: number | null;
 }
 export interface IOrgMemberRepository {
     listMembers(orgId: string): Promise<OrgMemberRow[]>;
@@ -37,6 +39,11 @@ export interface IOrgMemberRepository {
     deleteInvite(inviteId: string): Promise<void>;
     deleteAllMembers(orgId: string): Promise<void>;
     deleteAllInvites(orgId: string): Promise<void>;
+    listOrgsByUser(userId: string): Promise<Array<{
+        orgId: string;
+        role: string;
+    }>>;
+    markInviteAccepted(inviteId: string): Promise<void>;
 }
 export declare class DrizzleOrgMemberRepository implements IOrgMemberRepository {
     private readonly db;
@@ -54,4 +61,9 @@ export declare class DrizzleOrgMemberRepository implements IOrgMemberRepository
     deleteInvite(inviteId: string): Promise<void>;
     deleteAllMembers(orgId: string): Promise<void>;
     deleteAllInvites(orgId: string): Promise<void>;
+    listOrgsByUser(userId: string): Promise<Array<{
+        orgId: string;
+        role: string;
+    }>>;
+    markInviteAccepted(inviteId: string): Promise<void>;
 }

package/dist/tenancy/org-member-repository.js

@@ -29,6 +29,8 @@ function toInvite(row) {
         token: row.token,
         expiresAt: row.expiresAt,
         createdAt: row.createdAt,
+        acceptedAt: row.acceptedAt ?? null,
+        revokedAt: row.revokedAt ?? null,
     };
 }
 export class DrizzleOrgMemberRepository {
@@ -96,4 +98,16 @@ export class DrizzleOrgMemberRepository {
     async deleteAllInvites(orgId) {
         await this.db.delete(organizationInvites).where(eq(organizationInvites.orgId, orgId));
     }
+    async listOrgsByUser(userId) {
+        return this.db
+            .select({ orgId: organizationMembers.orgId, role: organizationMembers.role })
+            .from(organizationMembers)
+            .where(eq(organizationMembers.userId, userId));
+    }
+    async markInviteAccepted(inviteId) {
+        await this.db
+            .update(organizationInvites)
+            .set({ acceptedAt: Date.now() })
+            .where(eq(organizationInvites.id, inviteId));
+    }
 }

package/dist/tenancy/org-service.d.ts

@@ -67,8 +67,17 @@ export declare class OrgService {
     changeRole(orgId: string, actorUserId: string, targetUserId: string, newRole: "admin" | "member"): Promise<void>;
     removeMember(orgId: string, actorUserId: string, targetUserId: string): Promise<void>;
     transferOwnership(orgId: string, actorUserId: string, targetUserId: string): Promise<void>;
+    acceptInvite(token: string, userId: string): Promise<{
+        orgId: string;
+        role: string;
+    }>;
+    listOrgsForUser(userId: string): Promise<Array<{
+        orgId: string;
+        role: string;
+    }>>;
     validateSlug(slug: string): void;
     private buildOrgWithMembers;
     private requireOrg;
-    private requireAdminOrOwner;
+    requireAdminOrOwner(orgId: string, userId: string): Promise<void>;
+    requireOwner(orgId: string, userId: string): Promise<void>;
 }

package/dist/tenancy/org-service.js

@@ -121,6 +121,8 @@ export class OrgService {
             token,
             expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1000,
             createdAt: Date.now(),
+            acceptedAt: null,
+            revokedAt: null,
         };
         await this.memberRepo.createInvite(invite);
         return invite;
@@ -179,6 +181,37 @@ export class OrgService {
         await this.memberRepo.updateMemberRole(orgId, actorUserId, "admin");
         await this.orgRepo.updateOwner(orgId, targetUserId);
     }
+    async acceptInvite(token, userId) {
+        const invite = await this.memberRepo.findInviteByToken(token);
+        if (!invite)
+            throw new TRPCError({ code: "NOT_FOUND", message: "Invite not found" });
+        if (invite.acceptedAt)
+            throw new TRPCError({ code: "BAD_REQUEST", message: "Invite already accepted" });
+        // revokedAt guard — currently no UI sets this field, but the schema supports it
+        // for future use (e.g., admin revokes an outstanding invite).
+        if (invite.revokedAt)
+            throw new TRPCError({ code: "BAD_REQUEST", message: "Invite has been revoked" });
+        if (invite.expiresAt && new Date(invite.expiresAt) < new Date()) {
+            throw new TRPCError({ code: "BAD_REQUEST", message: "Invite has expired" });
+        }
+        // Guard: reject if user is already a member (prevents consuming the invite silently)
+        const existing = await this.memberRepo.findMember(invite.orgId, userId);
+        if (existing) {
+            throw new TRPCError({ code: "CONFLICT", message: "User is already a member of this organization" });
+        }
+        await this.memberRepo.addMember({
+            id: crypto.randomUUID(),
+            orgId: invite.orgId,
+            userId,
+            role: invite.role ?? "member",
+            joinedAt: Date.now(),
+        });
+        await this.memberRepo.markInviteAccepted(invite.id);
+        return { orgId: invite.orgId, role: invite.role ?? "member" };
+    }
+    async listOrgsForUser(userId) {
+        return this.memberRepo.listOrgsByUser(userId);
+    }
     validateSlug(slug) {
         if (!/^[a-z0-9][a-z0-9-]{1,46}[a-z0-9]$/.test(slug)) {
             throw new TRPCError({
@@ -238,4 +271,10 @@ export class OrgService {
             throw new TRPCError({ code: "FORBIDDEN", message: "Admin or owner role required" });
         }
     }
+    async requireOwner(orgId, userId) {
+        const member = await this.memberRepo.findMember(orgId, userId);
+        if (!member || member.role !== "owner") {
+            throw new TRPCError({ code: "FORBIDDEN", message: "Owner role required" });
+        }
+    }
 }

package/dist/tenancy/org-service.test.js

@@ -325,6 +325,8 @@ describe("OrgService", () => {
                 token: "tok-d3",
                 expiresAt: Date.now() + 86400000,
                 createdAt: Date.now(),
+                acceptedAt: null,
+                revokedAt: null,
             });
             await svc.deleteOrg(org.id, owner);
             expect(await orgRepo.getById(org.id)).toBeNull();
@@ -547,6 +549,223 @@ describe("OrgService", () => {
             await expect(svc.removeMember(org.id, owner, admin)).resolves.not.toThrow();
         });
     });
+    describe("listOrgsForUser", () => {
+        it("returns orgs the user is a member of", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-lof1";
+            const org1 = await orgRepo.createOrg(owner, "List Org 1", "list-org-1");
+            await memberRepo.addMember({
+                id: "mlof1",
+                orgId: org1.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            const org2 = await orgRepo.createOrg(owner, "List Org 2", "list-org-2");
+            await memberRepo.addMember({
+                id: "mlof2",
+                orgId: org2.id,
+                userId: owner,
+                role: "admin",
+                joinedAt: Date.now(),
+            });
+            const result = await svc.listOrgsForUser(owner);
+            expect(result).toHaveLength(2);
+            expect(result.map((r) => r.orgId).sort()).toEqual([org1.id, org2.id].sort());
+        });
+        it("returns empty array for unknown user", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const result = await svc.listOrgsForUser("totally-unknown-user");
+            expect(result).toEqual([]);
+        });
+    });
+    describe("acceptInvite", () => {
+        it("accepts a valid invite and creates membership", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-ai1";
+            const org = await orgRepo.createOrg(owner, "Accept Org", "accept-org");
+            await memberRepo.addMember({
+                id: "mai1",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            const invite = await svc.inviteMember(org.id, owner, "new@example.com", "admin");
+            const result = await svc.acceptInvite(invite.token, "new-user-ai1");
+            expect(result).toEqual({ orgId: org.id, role: "admin" });
+            // Verify membership was created
+            const member = await memberRepo.findMember(org.id, "new-user-ai1");
+            expect(member).not.toBeNull();
+            expect(member?.role).toBe("admin");
+            // Verify invite was marked accepted
+            const updatedInvite = await memberRepo.findInviteByToken(invite.token);
+            expect(updatedInvite?.acceptedAt).not.toBeNull();
+        });
+        it("throws NOT_FOUND for unknown token", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            await expect(svc.acceptInvite("bad-token", "user-1")).rejects.toThrow(expect.objectContaining({ code: "NOT_FOUND" }));
+        });
+        it("throws BAD_REQUEST for already-accepted invite", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-ai2";
+            const org = await orgRepo.createOrg(owner, "Accept Org 2", "accept-org-2");
+            await memberRepo.addMember({
+                id: "mai2",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            const invite = await svc.inviteMember(org.id, owner, "dup@example.com", "member");
+            await svc.acceptInvite(invite.token, "first-user");
+            await expect(svc.acceptInvite(invite.token, "second-user")).rejects.toThrow(expect.objectContaining({ code: "BAD_REQUEST", message: "Invite already accepted" }));
+        });
+        it("throws BAD_REQUEST for expired invite", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-ai3";
+            const org = await orgRepo.createOrg(owner, "Accept Org 3", "accept-org-3");
+            await memberRepo.addMember({
+                id: "mai3",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            // Create an expired invite directly
+            await memberRepo.createInvite({
+                id: "inv-expired",
+                orgId: org.id,
+                email: "expired@example.com",
+                role: "member",
+                invitedBy: owner,
+                token: "tok-expired",
+                expiresAt: Date.now() - 1000, // already expired
+                createdAt: Date.now() - 86400000,
+                acceptedAt: null,
+                revokedAt: null,
+            });
+            await expect(svc.acceptInvite("tok-expired", "late-user")).rejects.toThrow(expect.objectContaining({ code: "BAD_REQUEST", message: "Invite has expired" }));
+        });
+    });
+    describe("requireAdminOrOwner", () => {
+        it("passes for admin", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-rao1";
+            const admin = "admin-rao1";
+            const org = await orgRepo.createOrg(owner, "RAO Org", "rao-org");
+            await memberRepo.addMember({
+                id: "mrao1",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await memberRepo.addMember({
+                id: "mrao2",
+                orgId: org.id,
+                userId: admin,
+                role: "admin",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireAdminOrOwner(org.id, admin)).resolves.toBeUndefined();
+        });
+        it("passes for owner", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-rao2";
+            const org = await orgRepo.createOrg(owner, "RAO Org 2", "rao-org-2");
+            await memberRepo.addMember({
+                id: "mrao3",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireAdminOrOwner(org.id, owner)).resolves.toBeUndefined();
+        });
+        it("throws FORBIDDEN for regular member", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-rao3";
+            const member = "member-rao3";
+            const org = await orgRepo.createOrg(owner, "RAO Org 3", "rao-org-3");
+            await memberRepo.addMember({
+                id: "mrao4",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await memberRepo.addMember({
+                id: "mrao5",
+                orgId: org.id,
+                userId: member,
+                role: "member",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireAdminOrOwner(org.id, member)).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
+        });
+        it("throws FORBIDDEN for non-member", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-rao4";
+            const org = await orgRepo.createOrg(owner, "RAO Org 4", "rao-org-4");
+            await memberRepo.addMember({
+                id: "mrao6",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireAdminOrOwner(org.id, "stranger")).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
+        });
+    });
+    describe("requireOwner", () => {
+        it("passes for owner", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-ro1";
+            const org = await orgRepo.createOrg(owner, "RO Org", "ro-org");
+            await memberRepo.addMember({
+                id: "mro1",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireOwner(org.id, owner)).resolves.toBeUndefined();
+        });
+        it("throws FORBIDDEN for admin", async () => {
+            const { orgRepo, memberRepo } = await setup(db);
+            const svc = new OrgService(orgRepo, memberRepo, db);
+            const owner = "owner-ro2";
+            const admin = "admin-ro2";
+            const org = await orgRepo.createOrg(owner, "RO Org 2", "ro-org-2");
+            await memberRepo.addMember({
+                id: "mro2",
+                orgId: org.id,
+                userId: owner,
+                role: "owner",
+                joinedAt: Date.now(),
+            });
+            await memberRepo.addMember({
+                id: "mro3",
+                orgId: org.id,
+                userId: admin,
+                role: "admin",
+                joinedAt: Date.now(),
+            });
+            await expect(svc.requireOwner(org.id, admin)).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
+        });
+    });
     describe("buildOrgWithMembers member resolution", () => {
         it("resolves member name and email from userRepo when provided", async () => {
             await pool.query(`CREATE TABLE IF NOT EXISTS "user" (id TEXT PRIMARY KEY, name TEXT, email TEXT, image TEXT, "twoFactorEnabled" BOOLEAN DEFAULT false)`);

package/dist/trpc/index.d.ts

@@ -1 +1 @@
-export { adminProcedure, createCallerFactory, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, type TRPCContext, tenantProcedure, } from "./init.js";
+export { adminProcedure, createCallerFactory, orgAdminProcedure, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, type TRPCContext, tenantProcedure, } from "./init.js";

package/dist/trpc/index.js

@@ -1 +1 @@
-export { adminProcedure, createCallerFactory, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, tenantProcedure, } from "./init.js";
+export { adminProcedure, createCallerFactory, orgAdminProcedure, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, tenantProcedure, } from "./init.js";

package/dist/trpc/init.d.ts

@@ -46,4 +46,11 @@ export declare const tenantProcedure: import("@trpc/server").TRPCProcedureBuilde
 export declare const orgMemberProcedure: import("@trpc/server").TRPCProcedureBuilder<TRPCContext, object, {
     tenantId: string | undefined;
     user: AuthUser;
+    orgRole: "member" | "admin" | "owner";
+}, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, false>;
+/** Procedure that requires authentication + org admin/owner role (orgId must be in input). */
+export declare const orgAdminProcedure: import("@trpc/server").TRPCProcedureBuilder<TRPCContext, object, {
+    tenantId: string | undefined;
+    user: AuthUser | undefined;
+    orgRole: "member" | "admin" | "owner";
 }, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, import("@trpc/server").TRPCUnsetMarker, false>;

package/dist/trpc/init.js

@@ -120,7 +120,22 @@ const isOrgMember = t.middleware(async ({ ctx, next, getRawInput }) => {
     if (!member) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Not a member of this organization" });
     }
-    return next({ ctx: { user: ctx.user, tenantId: ctx.tenantId } });
+    return next({
+        ctx: { user: ctx.user, tenantId: ctx.tenantId, orgRole: member.role },
+    });
 });
 /** Procedure that requires authentication + org membership (orgId must be in input). */
 export const orgMemberProcedure = t.procedure.use(isAuthed).use(isOrgMember);
+/**
+ * Middleware that enforces admin or owner role within an org.
+ * Must be chained after isOrgMember so ctx.orgRole is guaranteed.
+ */
+const isOrgAdmin = t.middleware(async ({ ctx, next }) => {
+    const role = ctx.orgRole;
+    if (role === "member") {
+        throw new TRPCError({ code: "FORBIDDEN", message: "Admin or owner role required" });
+    }
+    return next({ ctx });
+});
+/** Procedure that requires authentication + org admin/owner role (orgId must be in input). */
+export const orgAdminProcedure = orgMemberProcedure.use(isOrgAdmin);

package/dist/trpc/init.test.js

@@ -1,5 +1,5 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
-import { adminProcedure, createCallerFactory, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, tenantProcedure, } from "./init.js";
+import { adminProcedure, createCallerFactory, orgAdminProcedure, orgMemberProcedure, protectedProcedure, publicProcedure, router, setTrpcOrgMemberRepo, tenantProcedure, } from "./init.js";
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -19,6 +19,8 @@ function makeMockRepo(overrides) {
         deleteInvite: vi.fn().mockResolvedValue(undefined),
         deleteAllMembers: vi.fn().mockResolvedValue(undefined),
         deleteAllInvites: vi.fn().mockResolvedValue(undefined),
+        listOrgsByUser: vi.fn().mockResolvedValue([]),
+        markInviteAccepted: vi.fn().mockResolvedValue(undefined),
         ...overrides,
     };
 }
@@ -29,6 +31,7 @@ const appRouter = router({
     adminHello: adminProcedure.query(() => "admin-ok"),
     tenantHello: tenantProcedure.query(() => "tenant-ok"),
     orgAction: orgMemberProcedure.input((v) => v).mutation(() => "org-ok"),
+    orgAdminAction: orgAdminProcedure.input((v) => v).mutation(() => "org-admin-ok"),
 });
 const createCaller = createCallerFactory(appRouter);
 // ---------------------------------------------------------------------------
@@ -187,4 +190,39 @@ describe("tRPC procedure builders", () => {
             expect(await caller.orgAction({ orgId: "org-1" })).toBe("org-ok");
         });
     });
+    // -----------------------------------------------------------------------
+    // orgAdminProcedure
+    // -----------------------------------------------------------------------
+    describe("orgAdminProcedure", () => {
+        it("rejects regular members", async () => {
+            const repo = makeMockRepo({
+                findMember: vi.fn().mockResolvedValue({ id: "m1", orgId: "org-1", userId: "u1", role: "member", joinedAt: 0 }),
+            });
+            setTrpcOrgMemberRepo(repo);
+            const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+            await expect(caller.orgAdminAction({ orgId: "org-1" })).rejects.toThrow("Admin or owner role required");
+        });
+        it("allows admin members", async () => {
+            const repo = makeMockRepo({
+                findMember: vi.fn().mockResolvedValue({ id: "m1", orgId: "org-1", userId: "u1", role: "admin", joinedAt: 0 }),
+            });
+            setTrpcOrgMemberRepo(repo);
+            const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+            expect(await caller.orgAdminAction({ orgId: "org-1" })).toBe("org-admin-ok");
+        });
+        it("allows owner members", async () => {
+            const repo = makeMockRepo({
+                findMember: vi.fn().mockResolvedValue({ id: "m1", orgId: "org-1", userId: "u1", role: "owner", joinedAt: 0 }),
+            });
+            setTrpcOrgMemberRepo(repo);
+            const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+            expect(await caller.orgAdminAction({ orgId: "org-1" })).toBe("org-admin-ok");
+        });
+        it("rejects non-members", async () => {
+            const repo = makeMockRepo({ findMember: vi.fn().mockResolvedValue(null) });
+            setTrpcOrgMemberRepo(repo);
+            const caller = createCaller({ user: { id: "u1", roles: ["user"] }, tenantId: undefined });
+            await expect(caller.orgAdminAction({ orgId: "org-1" })).rejects.toThrow("Not a member of this organization");
+        });
+    });
 });