npm - @wopr-network/platform-core - Versions diffs - 1.68.0 → 1.70.0 - Mend

@wopr-network/platform-core 1.68.0 → 1.70.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/dist/backup/types.d.ts +1 -1
package/dist/db/schema/pool-config.d.ts +41 -0
package/dist/db/schema/pool-config.js +5 -0
package/dist/db/schema/pool-instances.d.ts +126 -0
package/dist/db/schema/pool-instances.js +10 -0
package/dist/server/__tests__/build-container.test.d.ts +1 -0
package/dist/server/__tests__/build-container.test.js +339 -0
package/dist/server/__tests__/container.test.d.ts +1 -0
package/dist/server/__tests__/container.test.js +173 -0
package/dist/server/__tests__/lifecycle.test.d.ts +1 -0
package/dist/server/__tests__/lifecycle.test.js +90 -0
package/dist/server/__tests__/mount-routes.test.d.ts +1 -0
package/dist/server/__tests__/mount-routes.test.js +151 -0
package/dist/server/boot-config.d.ts +51 -0
package/dist/server/boot-config.js +7 -0
package/dist/server/container.d.ts +97 -0
package/dist/server/container.js +148 -0
package/dist/server/index.d.ts +33 -0
package/dist/server/index.js +66 -0
package/dist/server/lifecycle.d.ts +25 -0
package/dist/server/lifecycle.js +56 -0
package/dist/server/middleware/__tests__/admin-auth.test.d.ts +1 -0
package/dist/server/middleware/__tests__/admin-auth.test.js +59 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.d.ts +1 -0
package/dist/server/middleware/__tests__/tenant-proxy.test.js +268 -0
package/dist/server/middleware/admin-auth.d.ts +18 -0
package/dist/server/middleware/admin-auth.js +38 -0
package/dist/server/middleware/tenant-proxy.d.ts +56 -0
package/dist/server/middleware/tenant-proxy.js +162 -0
package/dist/server/mount-routes.d.ts +30 -0
package/dist/server/mount-routes.js +74 -0
package/dist/server/routes/__tests__/admin.test.d.ts +1 -0
package/dist/server/routes/__tests__/admin.test.js +267 -0
package/dist/server/routes/__tests__/crypto-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/crypto-webhook.test.js +137 -0
package/dist/server/routes/__tests__/provision-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/provision-webhook.test.js +212 -0
package/dist/server/routes/__tests__/stripe-webhook.test.d.ts +1 -0
package/dist/server/routes/__tests__/stripe-webhook.test.js +65 -0
package/dist/server/routes/admin.d.ts +129 -0
package/dist/server/routes/admin.js +294 -0
package/dist/server/routes/crypto-webhook.d.ts +23 -0
package/dist/server/routes/crypto-webhook.js +82 -0
package/dist/server/routes/provision-webhook.d.ts +38 -0
package/dist/server/routes/provision-webhook.js +160 -0
package/dist/server/routes/stripe-webhook.d.ts +10 -0
package/dist/server/routes/stripe-webhook.js +29 -0
package/dist/server/services/hot-pool-claim.d.ts +30 -0
package/dist/server/services/hot-pool-claim.js +92 -0
package/dist/server/services/hot-pool.d.ts +25 -0
package/dist/server/services/hot-pool.js +129 -0
package/dist/server/services/pool-repository.d.ts +44 -0
package/dist/server/services/pool-repository.js +72 -0
package/dist/server/test-container.d.ts +15 -0
package/dist/server/test-container.js +103 -0
package/dist/trpc/auth-helpers.d.ts +17 -0
package/dist/trpc/auth-helpers.js +26 -0
package/dist/trpc/container-factories.d.ts +300 -0
package/dist/trpc/container-factories.js +80 -0
package/dist/trpc/index.d.ts +2 -0
package/dist/trpc/index.js +2 -0
package/drizzle/migrations/0025_hot_pool_tables.sql +29 -0
package/package.json +5 -1
package/src/db/schema/pool-config.ts +6 -0
package/src/db/schema/pool-instances.ts +11 -0
package/src/server/__tests__/build-container.test.ts +402 -0
package/src/server/__tests__/container.test.ts +207 -0
package/src/server/__tests__/lifecycle.test.ts +106 -0
package/src/server/__tests__/mount-routes.test.ts +169 -0
package/src/server/boot-config.ts +84 -0
package/src/server/container.ts +264 -0
package/src/server/index.ts +92 -0
package/src/server/lifecycle.ts +72 -0
package/src/server/middleware/__tests__/admin-auth.test.ts +67 -0
package/src/server/middleware/__tests__/tenant-proxy.test.ts +308 -0
package/src/server/middleware/admin-auth.ts +51 -0
package/src/server/middleware/tenant-proxy.ts +192 -0
package/src/server/mount-routes.ts +113 -0
package/src/server/routes/__tests__/admin.test.ts +320 -0
package/src/server/routes/__tests__/crypto-webhook.test.ts +167 -0
package/src/server/routes/__tests__/provision-webhook.test.ts +323 -0
package/src/server/routes/__tests__/stripe-webhook.test.ts +73 -0
package/src/server/routes/admin.ts +360 -0
package/src/server/routes/crypto-webhook.ts +110 -0
package/src/server/routes/provision-webhook.ts +212 -0
package/src/server/routes/stripe-webhook.ts +36 -0
package/src/server/services/hot-pool-claim.ts +130 -0
package/src/server/services/hot-pool.ts +174 -0
package/src/server/services/pool-repository.ts +107 -0
package/src/server/test-container.ts +120 -0
package/src/trpc/auth-helpers.ts +28 -0
package/src/trpc/container-factories.ts +114 -0
package/src/trpc/index.ts +9 -0

package/dist/server/services/hot-pool-claim.js ADDED Viewed

@@ -0,0 +1,92 @@
+/**
+ * Atomic hot pool claiming.
+ *
+ * Uses IPoolRepository for all DB operations. No raw pool.query().
+ */
+import { randomBytes } from "node:crypto";
+import { logger } from "../../config/logger.js";
+import { replenishPool } from "./hot-pool.js";
+/**
+ * Claim a warm pool instance, rename it, create a fleet profile,
+ * and register the proxy route.
+ *
+ * Returns the claim result on success, or null if the pool is empty.
+ */
+export async function claimPoolInstance(container, repo, name, tenantId, _adminUser, config) {
+    if (!container.fleet)
+        throw new Error("Fleet services required for pool claim");
+    const pc = container.productConfig;
+    const containerPort = pc.fleet?.containerPort ?? 3100;
+    const containerImage = pc.fleet?.containerImage ?? "ghcr.io/wopr-network/platform:latest";
+    const platformDomain = pc.product?.domain ?? "localhost";
+    const prefix = config?.containerPrefix ?? "wopr";
+    // ---- Step 1: Atomically claim a warm instance ----
+    const claimed = await repo.claimWarm(tenantId, name);
+    if (!claimed)
+        return null;
+    const { id: instanceId, containerId } = claimed;
+    // ---- Step 2: Rename Docker container ----
+    const docker = container.fleet.docker;
+    const containerName = `${prefix}-${name}`;
+    try {
+        const c = docker.getContainer(containerId);
+        await c.rename({ name: containerName });
+        logger.info(`Pool claim: renamed container to ${containerName}`);
+    }
+    catch (err) {
+        logger.error("Pool claim: rename failed", { error: err.message });
+        await repo.markDead(instanceId);
+        return null;
+    }
+    // ---- Step 3: Create fleet profile ----
+    const serviceKeyRepo = container.fleet.serviceKeyRepo;
+    const gatewayKey = serviceKeyRepo ? await serviceKeyRepo.generate(tenantId, instanceId) : crypto.randomUUID();
+    const store = container.fleet.profileStore;
+    const profile = {
+        id: instanceId,
+        name,
+        tenantId,
+        image: containerImage,
+        description: `Managed instance: ${name}`,
+        env: {
+            PORT: String(containerPort),
+            HOST: "0.0.0.0",
+            NODE_ENV: "production",
+            PROVISION_SECRET: config?.provisionSecret ?? "",
+            BETTER_AUTH_SECRET: randomBytes(32).toString("hex"),
+            DATA_HOME: "/data",
+            HOSTED_MODE: "true",
+            DEPLOYMENT_MODE: "hosted_proxy",
+            DEPLOYMENT_EXPOSURE: "private",
+            MIGRATION_AUTO_APPLY: "true",
+            GATEWAY_KEY: gatewayKey,
+        },
+        restartPolicy: "unless-stopped",
+        releaseChannel: "stable",
+        updatePolicy: "manual",
+    };
+    await store.save(profile);
+    logger.info(`Pool claim: saved fleet profile for ${name} (${instanceId})`);
+    // ---- Step 4: Register proxy route ----
+    try {
+        if (container.fleet.proxy.addRoute) {
+            await container.fleet.proxy.addRoute({
+                instanceId,
+                subdomain: name,
+                upstreamHost: containerName,
+                upstreamPort: containerPort,
+                healthy: true,
+            });
+            logger.info(`Pool claim: registered proxy route ${name}.${platformDomain}`);
+        }
+    }
+    catch (err) {
+        logger.error("Pool claim: proxy route registration failed", { error: err.message });
+    }
+    // ---- Step 5: Replenish pool in background ----
+    replenishPool(container, repo, { provisionSecret: config?.provisionSecret ?? "" }).catch((err) => {
+        logger.error("Pool replenish after claim failed", { error: err.message });
+    });
+    const subdomain = `${name}.${platformDomain}`;
+    return { id: instanceId, name, subdomain };
+}

package/dist/server/services/hot-pool.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Hot pool manager — pre-provisions warm containers for instant claiming.
+ *
+ * Reads desired pool size from DB (`pool_config` table) via IPoolRepository.
+ * Periodically replenishes the pool and cleans up dead containers.
+ *
+ * All config is DB-driven — no env vars for pool size, container image,
+ * or port. Admin API updates pool_config, this reads it.
+ */
+import type { PlatformContainer } from "../container.js";
+import type { IPoolRepository } from "./pool-repository.js";
+export interface HotPoolConfig {
+    /** Shared secret for provision auth between platform and managed instances. */
+    provisionSecret: string;
+    /** Replenish interval in ms. Default: 60_000. */
+    replenishIntervalMs?: number;
+}
+export interface HotPoolHandles {
+    replenishTimer: ReturnType<typeof setInterval>;
+    stop: () => void;
+}
+export declare function getPoolSize(repo: IPoolRepository): Promise<number>;
+export declare function setPoolSize(repo: IPoolRepository, size: number): Promise<void>;
+export declare function replenishPool(container: PlatformContainer, repo: IPoolRepository, config: HotPoolConfig): Promise<void>;
+export declare function startHotPool(container: PlatformContainer, repo: IPoolRepository, config: HotPoolConfig): Promise<HotPoolHandles>;

package/dist/server/services/hot-pool.js ADDED Viewed

@@ -0,0 +1,129 @@
+/**
+ * Hot pool manager — pre-provisions warm containers for instant claiming.
+ *
+ * Reads desired pool size from DB (`pool_config` table) via IPoolRepository.
+ * Periodically replenishes the pool and cleans up dead containers.
+ *
+ * All config is DB-driven — no env vars for pool size, container image,
+ * or port. Admin API updates pool_config, this reads it.
+ */
+import { logger } from "../../config/logger.js";
+// ---------------------------------------------------------------------------
+// Pool size — delegates to repository
+// ---------------------------------------------------------------------------
+export async function getPoolSize(repo) {
+    return repo.getPoolSize();
+}
+export async function setPoolSize(repo, size) {
+    return repo.setPoolSize(size);
+}
+// ---------------------------------------------------------------------------
+// Warm container management
+// ---------------------------------------------------------------------------
+async function createWarmContainer(container, repo, config) {
+    if (!container.fleet)
+        throw new Error("Fleet services required for hot pool");
+    const pc = container.productConfig;
+    const containerImage = pc.fleet?.containerImage ?? "ghcr.io/wopr-network/platform:latest";
+    const containerPort = pc.fleet?.containerPort ?? 3100;
+    const provisionSecret = config.provisionSecret;
+    const dockerNetwork = pc.fleet?.dockerNetwork ?? "";
+    const docker = container.fleet.docker;
+    const id = crypto.randomUUID();
+    const containerName = `pool-${id.slice(0, 8)}`;
+    const volumeName = `pool-${id.slice(0, 8)}`;
+    try {
+        // Init volume permissions
+        const init = await docker.createContainer({
+            Image: containerImage,
+            Entrypoint: ["/bin/sh", "-c"],
+            Cmd: ["chown -R 999:999 /data"],
+            User: "root",
+            HostConfig: { Binds: [`${volumeName}:/data`] },
+        });
+        await init.start();
+        await init.wait();
+        await init.remove();
+        const warmContainer = await docker.createContainer({
+            Image: containerImage,
+            name: containerName,
+            Env: [`PORT=${containerPort}`, `PROVISION_SECRET=${provisionSecret}`, "HOME=/data"],
+            HostConfig: {
+                Binds: [`${volumeName}:/data`],
+                RestartPolicy: { Name: "unless-stopped" },
+            },
+        });
+        await warmContainer.start();
+        if (dockerNetwork) {
+            const network = docker.getNetwork(dockerNetwork);
+            await network.connect({ Container: warmContainer.id });
+        }
+        await repo.insertWarm(id, warmContainer.id);
+        logger.info(`Hot pool: created warm container ${containerName} (${id})`);
+    }
+    catch (err) {
+        logger.error("Hot pool: failed to create warm container", {
+            error: err.message,
+        });
+    }
+}
+export async function replenishPool(container, repo, config) {
+    const desired = await repo.getPoolSize();
+    const current = await repo.warmCount();
+    const deficit = desired - current;
+    if (deficit <= 0)
+        return;
+    logger.info(`Hot pool: replenishing ${deficit} container(s) (have ${current}, want ${desired})`);
+    for (let i = 0; i < deficit; i++) {
+        await createWarmContainer(container, repo, config);
+    }
+}
+async function cleanupDead(container, repo) {
+    if (!container.fleet)
+        return;
+    const docker = container.fleet.docker;
+    const warmInstances = await repo.listWarm();
+    for (const instance of warmInstances) {
+        try {
+            const c = docker.getContainer(instance.containerId);
+            const info = await c.inspect();
+            if (!info.State.Running) {
+                await repo.markDead(instance.id);
+                try {
+                    await c.remove({ force: true });
+                }
+                catch {
+                    /* already gone */
+                }
+                logger.warn(`Hot pool: marked dead container ${instance.id}`);
+            }
+        }
+        catch {
+            await repo.markDead(instance.id);
+            logger.warn(`Hot pool: marked missing container ${instance.id} as dead`);
+        }
+    }
+    await repo.deleteDead();
+}
+// ---------------------------------------------------------------------------
+// Lifecycle
+// ---------------------------------------------------------------------------
+export async function startHotPool(container, repo, config) {
+    await cleanupDead(container, repo);
+    await replenishPool(container, repo, config);
+    const intervalMs = config.replenishIntervalMs ?? 60_000;
+    const replenishTimer = setInterval(async () => {
+        try {
+            await cleanupDead(container, repo);
+            await replenishPool(container, repo, config);
+        }
+        catch (err) {
+            logger.error("Hot pool tick failed", { error: err.message });
+        }
+    }, intervalMs);
+    logger.info("Hot pool manager started");
+    return {
+        replenishTimer,
+        stop: () => clearInterval(replenishTimer),
+    };
+}

package/dist/server/services/pool-repository.d.ts ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * Repository for hot pool database operations.
+ *
+ * Encapsulates all pool_config and pool_instances queries behind
+ * a testable interface. No raw pool.query() outside this file.
+ */
+import type { Pool } from "pg";
+export interface PoolInstance {
+    id: string;
+    containerId: string;
+    status: string;
+    tenantId: string | null;
+    name: string | null;
+}
+export interface IPoolRepository {
+    getPoolSize(): Promise<number>;
+    setPoolSize(size: number): Promise<void>;
+    warmCount(): Promise<number>;
+    insertWarm(id: string, containerId: string): Promise<void>;
+    listWarm(): Promise<PoolInstance[]>;
+    markDead(id: string): Promise<void>;
+    deleteDead(): Promise<void>;
+    claimWarm(tenantId: string, name: string): Promise<{
+        id: string;
+        containerId: string;
+    } | null>;
+    updateInstanceStatus(id: string, status: string): Promise<void>;
+}
+export declare class DrizzlePoolRepository implements IPoolRepository {
+    private pool;
+    constructor(pool: Pool);
+    getPoolSize(): Promise<number>;
+    setPoolSize(size: number): Promise<void>;
+    warmCount(): Promise<number>;
+    insertWarm(id: string, containerId: string): Promise<void>;
+    listWarm(): Promise<PoolInstance[]>;
+    markDead(id: string): Promise<void>;
+    deleteDead(): Promise<void>;
+    claimWarm(tenantId: string, name: string): Promise<{
+        id: string;
+        containerId: string;
+    } | null>;
+    updateInstanceStatus(id: string, status: string): Promise<void>;
+}

package/dist/server/services/pool-repository.js ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Repository for hot pool database operations.
+ *
+ * Encapsulates all pool_config and pool_instances queries behind
+ * a testable interface. No raw pool.query() outside this file.
+ */
+export class DrizzlePoolRepository {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async getPoolSize() {
+        try {
+            const res = await this.pool.query("SELECT pool_size FROM pool_config WHERE id = 1");
+            return res.rows[0]?.pool_size ?? 2;
+        }
+        catch {
+            return 2;
+        }
+    }
+    async setPoolSize(size) {
+        await this.pool.query("INSERT INTO pool_config (id, pool_size) VALUES (1, $1) ON CONFLICT (id) DO UPDATE SET pool_size = $1", [size]);
+    }
+    async warmCount() {
+        const res = await this.pool.query("SELECT COUNT(*)::int AS count FROM pool_instances WHERE status = 'warm'");
+        return res.rows[0].count;
+    }
+    async insertWarm(id, containerId) {
+        await this.pool.query("INSERT INTO pool_instances (id, container_id, status) VALUES ($1, $2, 'warm')", [
+            id,
+            containerId,
+        ]);
+    }
+    async listWarm() {
+        const res = await this.pool.query("SELECT id, container_id, status, tenant_id, name FROM pool_instances WHERE status = 'warm'");
+        return res.rows.map((r) => ({
+            id: r.id,
+            containerId: r.container_id,
+            status: r.status,
+            tenantId: r.tenant_id ?? null,
+            name: r.name ?? null,
+        }));
+    }
+    async markDead(id) {
+        await this.pool.query("UPDATE pool_instances SET status = 'dead' WHERE id = $1", [id]);
+    }
+    async deleteDead() {
+        await this.pool.query("DELETE FROM pool_instances WHERE status = 'dead'");
+    }
+    async claimWarm(tenantId, name) {
+        const res = await this.pool.query(`UPDATE pool_instances
+          SET status = 'claimed',
+              claimed_at = NOW(),
+              tenant_id = $1,
+              name = $2
+        WHERE id = (
+          SELECT id FROM pool_instances
+           WHERE status = 'warm'
+           ORDER BY created_at ASC
+           LIMIT 1
+             FOR UPDATE SKIP LOCKED
+        )
+        RETURNING id, container_id`, [tenantId, name]);
+        if (res.rowCount === 0)
+            return null;
+        const row = res.rows[0];
+        return { id: row.id, containerId: row.container_id };
+    }
+    async updateInstanceStatus(id, status) {
+        await this.pool.query("UPDATE pool_instances SET status = $1 WHERE id = $2", [status, id]);
+    }
+}

package/dist/server/test-container.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * createTestContainer — builds a PlatformContainer with sensible mock
+ * defaults for unit tests. All feature sub-containers default to null.
+ * Core services get minimal stubs that satisfy their interfaces.
+ *
+ * Usage:
+ *   const c = createTestContainer();
+ *   const c2 = createTestContainer({ creditLedger: myCustomLedger });
+ */
+import type { PlatformContainer } from "./container.js";
+/**
+ * Create a PlatformContainer pre-filled with no-op stubs.
+ * Pass overrides for any field you need to customize in your test.
+ */
+export declare function createTestContainer(overrides?: Partial<PlatformContainer>): PlatformContainer;

package/dist/server/test-container.js ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * createTestContainer — builds a PlatformContainer with sensible mock
+ * defaults for unit tests. All feature sub-containers default to null.
+ * Core services get minimal stubs that satisfy their interfaces.
+ *
+ * Usage:
+ *   const c = createTestContainer();
+ *   const c2 = createTestContainer({ creditLedger: myCustomLedger });
+ */
+// ---------------------------------------------------------------------------
+// Stub factories (satisfy interface contracts with no-op implementations)
+// ---------------------------------------------------------------------------
+function stubLedger() {
+    const zero = 0;
+    const emptyEntry = {};
+    return {
+        post: async () => emptyEntry,
+        credit: async () => emptyEntry,
+        debit: async () => emptyEntry,
+        balance: async () => zero,
+        hasReferenceId: async () => false,
+        history: async () => [],
+        tenantsWithBalance: async () => [],
+        memberUsage: async () => [],
+        lifetimeSpend: async () => zero,
+        lifetimeSpendBatch: async () => new Map(),
+        expiredCredits: async () => [],
+        trialBalance: async () => ({ balanced: true }),
+        accountBalance: async () => zero,
+        seedSystemAccounts: async () => { },
+        existsByReferenceIdLike: async () => false,
+        sumPurchasesForPeriod: async () => zero,
+        getActiveTenantIdsInWindow: async () => [],
+        debitCapped: async () => null,
+    };
+}
+function stubOrgMemberRepo() {
+    return {
+        listMembers: async () => [],
+        addMember: async () => { },
+        updateMemberRole: async () => { },
+        removeMember: async () => { },
+        findMember: async () => null,
+        countAdminsAndOwners: async () => 0,
+        listInvites: async () => [],
+        createInvite: async () => { },
+        findInviteById: async () => null,
+        findInviteByToken: async () => null,
+        deleteInvite: async () => { },
+        deleteAllMembers: async () => { },
+        deleteAllInvites: async () => { },
+        listOrgsByUser: async () => [],
+        markInviteAccepted: async () => { },
+    };
+}
+function stubUserRoleRepo() {
+    return {
+        getTenantIdByUserId: async () => null,
+        grantRole: async () => { },
+        revokeRole: async () => false,
+        listRolesByUser: async () => [],
+        listUsersByRole: async () => [],
+        isPlatformAdmin: async () => false,
+    };
+}
+function stubProductConfig() {
+    return {
+        product: {
+            slug: "test",
+            name: "Test Product",
+        },
+        navItems: [],
+        domains: [],
+        features: null,
+        fleet: null,
+        billing: null,
+    };
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Create a PlatformContainer pre-filled with no-op stubs.
+ * Pass overrides for any field you need to customize in your test.
+ */
+export function createTestContainer(overrides) {
+    const defaults = {
+        db: {},
+        pool: { end: async () => { } },
+        productConfig: stubProductConfig(),
+        creditLedger: stubLedger(),
+        orgMemberRepo: stubOrgMemberRepo(),
+        orgService: {},
+        userRoleRepo: stubUserRoleRepo(),
+        // Feature sub-containers default to null (not enabled)
+        fleet: null,
+        crypto: null,
+        stripe: null,
+        gateway: null,
+        hotPool: null,
+    };
+    return { ...defaults, ...overrides };
+}

package/dist/trpc/auth-helpers.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Shared auth helper factories for tRPC routers.
+ *
+ * These helpers can be constructed with explicit deps (for container-based DI)
+ * instead of relying on module-level singletons.
+ */
+import type { IOrgMemberRepository } from "../tenancy/org-member-repository.js";
+/**
+ * Creates an assertOrgAdminOrOwner function closed over the given repository.
+ *
+ * Usage:
+ * ```ts
+ * const assertOrgAdmin = createAssertOrgAdminOrOwner(container.orgMemberRepo);
+ * await assertOrgAdmin(tenantId, userId);
+ * ```
+ */
+export declare function createAssertOrgAdminOrOwner(orgMemberRepo: IOrgMemberRepository): (tenantId: string, userId: string) => Promise<void>;

package/dist/trpc/auth-helpers.js ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Shared auth helper factories for tRPC routers.
+ *
+ * These helpers can be constructed with explicit deps (for container-based DI)
+ * instead of relying on module-level singletons.
+ */
+import { TRPCError } from "@trpc/server";
+/**
+ * Creates an assertOrgAdminOrOwner function closed over the given repository.
+ *
+ * Usage:
+ * ```ts
+ * const assertOrgAdmin = createAssertOrgAdminOrOwner(container.orgMemberRepo);
+ * await assertOrgAdmin(tenantId, userId);
+ * ```
+ */
+export function createAssertOrgAdminOrOwner(orgMemberRepo) {
+    return async function assertOrgAdminOrOwner(tenantId, userId) {
+        if (tenantId === userId)
+            return;
+        const member = await orgMemberRepo.findMember(tenantId, userId);
+        if (!member || (member.role !== "owner" && member.role !== "admin")) {
+            throw new TRPCError({ code: "FORBIDDEN", message: "Organization admin access required" });
+        }
+    };
+}