npm - guardrail-core - Versions diffs - 1.0.0 - Mend

guardrail-core 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/dist/__tests__/autopilot.test.d.ts +7 -0
package/dist/__tests__/autopilot.test.d.ts.map +1 -0
package/dist/__tests__/autopilot.test.js +156 -0
package/dist/__tests__/tier-config.test.d.ts +9 -0
package/dist/__tests__/tier-config.test.d.ts.map +1 -0
package/dist/__tests__/tier-config.test.js +230 -0
package/dist/__tests__/utils/hash-inline.test.d.ts +2 -0
package/dist/__tests__/utils/hash-inline.test.d.ts.map +1 -0
package/dist/__tests__/utils/hash-inline.test.js +62 -0
package/dist/__tests__/utils/hash.test.d.ts +3 -0
package/dist/__tests__/utils/hash.test.d.ts.map +1 -0
package/dist/__tests__/utils/hash.test.js +95 -0
package/dist/__tests__/utils/simple.test.d.ts +1 -0
package/dist/__tests__/utils/simple.test.d.ts.map +1 -0
package/dist/__tests__/utils/simple.test.js +10 -0
package/dist/__tests__/utils/utils-simple.test.d.ts +1 -0
package/dist/__tests__/utils/utils-simple.test.d.ts.map +1 -0
package/dist/__tests__/utils/utils-simple.test.js +6 -0
package/dist/__tests__/utils/utils.test.d.ts +15 -0
package/dist/__tests__/utils/utils.test.d.ts.map +1 -0
package/dist/__tests__/utils/utils.test.js +172 -0
package/dist/autopilot/autopilot-runner.d.ts +33 -0
package/dist/autopilot/autopilot-runner.d.ts.map +1 -0
package/dist/autopilot/autopilot-runner.js +479 -0
package/dist/autopilot/index.d.ts +6 -0
package/dist/autopilot/index.d.ts.map +1 -0
package/dist/autopilot/index.js +25 -0
package/dist/autopilot/types.d.ts +102 -0
package/dist/autopilot/types.d.ts.map +1 -0
package/dist/autopilot/types.js +18 -0
package/dist/cache/index.d.ts +7 -0
package/dist/cache/index.d.ts.map +1 -0
package/dist/cache/index.js +22 -0
package/dist/cache/redis-cache.d.ts +145 -0
package/dist/cache/redis-cache.d.ts.map +1 -0
package/dist/cache/redis-cache.js +459 -0
package/dist/ci/github-actions.d.ts +77 -0
package/dist/ci/github-actions.d.ts.map +1 -0
package/dist/ci/github-actions.js +277 -0
package/dist/ci/index.d.ts +12 -0
package/dist/ci/index.d.ts.map +1 -0
package/dist/ci/index.js +27 -0
package/dist/ci/pre-commit.d.ts +65 -0
package/dist/ci/pre-commit.d.ts.map +1 -0
package/dist/ci/pre-commit.js +286 -0
package/dist/entitlements.d.ts +149 -0
package/dist/entitlements.d.ts.map +1 -0
package/dist/entitlements.js +464 -0
package/dist/env.d.ts +113 -0
package/dist/env.d.ts.map +1 -0
package/dist/env.js +204 -0
package/dist/fix-packs/__tests__/generate-fix-packs.test.d.ts +7 -0
package/dist/fix-packs/__tests__/generate-fix-packs.test.d.ts.map +1 -0
package/dist/fix-packs/__tests__/generate-fix-packs.test.js +250 -0
package/dist/fix-packs/generate-fix-packs.d.ts +15 -0
package/dist/fix-packs/generate-fix-packs.d.ts.map +1 -0
package/dist/fix-packs/generate-fix-packs.js +505 -0
package/dist/fix-packs/index.d.ts +8 -0
package/dist/fix-packs/index.d.ts.map +1 -0
package/dist/fix-packs/index.js +23 -0
package/dist/fix-packs/types.d.ts +113 -0
package/dist/fix-packs/types.d.ts.map +1 -0
package/dist/fix-packs/types.js +71 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +28 -0
package/dist/metrics/prometheus.d.ts +99 -0
package/dist/metrics/prometheus.d.ts.map +1 -0
package/dist/metrics/prometheus.js +306 -0
package/dist/quota-ledger.d.ts +119 -0
package/dist/quota-ledger.d.ts.map +1 -0
package/dist/quota-ledger.js +462 -0
package/dist/rbac/__tests__/permissions.test.d.ts +8 -0
package/dist/rbac/__tests__/permissions.test.d.ts.map +1 -0
package/dist/rbac/__tests__/permissions.test.js +350 -0
package/dist/rbac/index.d.ts +9 -0
package/dist/rbac/index.d.ts.map +1 -0
package/dist/rbac/index.js +32 -0
package/dist/rbac/permissions.d.ts +71 -0
package/dist/rbac/permissions.d.ts.map +1 -0
package/dist/rbac/permissions.js +247 -0
package/dist/rbac/types.d.ts +69 -0
package/dist/rbac/types.d.ts.map +1 -0
package/dist/rbac/types.js +213 -0
package/dist/tier-config.d.ts +203 -0
package/dist/tier-config.d.ts.map +1 -0
package/dist/tier-config.js +675 -0
package/dist/types.d.ts +365 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +5 -0
package/dist/utils.d.ts +36 -0
package/dist/utils.d.ts.map +1 -0
package/dist/utils.js +127 -0
package/dist/verified-autofix/__tests__/format-validator.test.d.ts +11 -0
package/dist/verified-autofix/__tests__/format-validator.test.d.ts.map +1 -0
package/dist/verified-autofix/__tests__/format-validator.test.js +285 -0
package/dist/verified-autofix/__tests__/pipeline.test.d.ts +11 -0
package/dist/verified-autofix/__tests__/pipeline.test.d.ts.map +1 -0
package/dist/verified-autofix/__tests__/pipeline.test.js +389 -0
package/dist/verified-autofix/__tests__/repo-fingerprint.test.d.ts +11 -0
package/dist/verified-autofix/__tests__/repo-fingerprint.test.d.ts.map +1 -0
package/dist/verified-autofix/__tests__/repo-fingerprint.test.js +236 -0
package/dist/verified-autofix/__tests__/workspace.test.d.ts +11 -0
package/dist/verified-autofix/__tests__/workspace.test.d.ts.map +1 -0
package/dist/verified-autofix/__tests__/workspace.test.js +314 -0
package/dist/verified-autofix/format-validator.d.ts +101 -0
package/dist/verified-autofix/format-validator.d.ts.map +1 -0
package/dist/verified-autofix/format-validator.js +446 -0
package/dist/verified-autofix/index.d.ts +14 -0
package/dist/verified-autofix/index.d.ts.map +1 -0
package/dist/verified-autofix/index.js +39 -0
package/dist/verified-autofix/pipeline.d.ts +68 -0
package/dist/verified-autofix/pipeline.d.ts.map +1 -0
package/dist/verified-autofix/pipeline.js +330 -0
package/dist/verified-autofix/repo-fingerprint.d.ts +56 -0
package/dist/verified-autofix/repo-fingerprint.d.ts.map +1 -0
package/dist/verified-autofix/repo-fingerprint.js +396 -0
package/dist/verified-autofix/workspace.d.ts +83 -0
package/dist/verified-autofix/workspace.d.ts.map +1 -0
package/dist/verified-autofix/workspace.js +454 -0
package/dist/verified-autofix.d.ts +182 -0
package/dist/verified-autofix.d.ts.map +1 -0
package/dist/verified-autofix.js +1021 -0
package/dist/visualization/dependency-graph.d.ts +79 -0
package/dist/visualization/dependency-graph.d.ts.map +1 -0
package/dist/visualization/dependency-graph.js +399 -0
package/dist/visualization/index.d.ts +5 -0
package/dist/visualization/index.d.ts.map +1 -0
package/dist/visualization/index.js +20 -0
package/package.json +29 -0
package/src/__tests__/autopilot.test.ts +196 -0
package/src/__tests__/tier-config.test.ts +289 -0
package/src/__tests__/utils/hash-inline.test.ts +76 -0
package/src/__tests__/utils/hash.test.ts +119 -0
package/src/__tests__/utils/simple.test.ts +10 -0
package/src/__tests__/utils/utils-simple.test.ts +5 -0
package/src/__tests__/utils/utils.test.ts +203 -0
package/src/autopilot/autopilot-runner.ts +503 -0
package/src/autopilot/index.ts +6 -0
package/src/autopilot/types.ts +119 -0
package/src/cache/index.ts +7 -0
package/src/cache/redis-cache.d.ts +155 -0
package/src/cache/redis-cache.d.ts.map +1 -0
package/src/cache/redis-cache.ts +517 -0
package/src/ci/github-actions.ts +335 -0
package/src/ci/index.ts +12 -0
package/src/ci/pre-commit.ts +338 -0
package/src/db/usage-schema.prisma +114 -0
package/src/entitlements.ts +570 -0
package/src/env.d.ts +68 -0
package/src/env.d.ts.map +1 -0
package/src/env.ts +247 -0
package/src/fix-packs/__tests__/generate-fix-packs.test.ts +317 -0
package/src/fix-packs/generate-fix-packs.ts +577 -0
package/src/fix-packs/index.ts +8 -0
package/src/fix-packs/types.ts +206 -0
package/src/index.d.ts +7 -0
package/src/index.d.ts.map +1 -0
package/src/index.ts +12 -0
package/src/metrics/prometheus.d.ts +104 -0
package/src/metrics/prometheus.d.ts.map +1 -0
package/src/metrics/prometheus.ts +446 -0
package/src/quota-ledger.ts +548 -0
package/src/rbac/__tests__/permissions.test.ts +446 -0
package/src/rbac/index.ts +46 -0
package/src/rbac/permissions.ts +301 -0
package/src/rbac/types.ts +298 -0
package/src/tier-config.json +157 -0
package/src/tier-config.ts +815 -0
package/src/types.d.ts +365 -0
package/src/types.d.ts.map +1 -0
package/src/types.ts +441 -0
package/src/utils.d.ts +36 -0
package/src/utils.d.ts.map +1 -0
package/src/utils.ts +140 -0
package/src/verified-autofix/__tests__/format-validator.test.ts +335 -0
package/src/verified-autofix/__tests__/pipeline.test.ts +419 -0
package/src/verified-autofix/__tests__/repo-fingerprint.test.ts +241 -0
package/src/verified-autofix/__tests__/workspace.test.ts +373 -0
package/src/verified-autofix/format-validator.ts +517 -0
package/src/verified-autofix/index.ts +63 -0
package/src/verified-autofix/pipeline.ts +403 -0
package/src/verified-autofix/repo-fingerprint.ts +459 -0
package/src/verified-autofix/workspace.ts +531 -0
package/src/verified-autofix.ts +1187 -0
package/src/visualization/dependency-graph.d.ts +85 -0
package/src/visualization/dependency-graph.d.ts.map +1 -0
package/src/visualization/dependency-graph.ts +495 -0
package/src/visualization/index.ts +5 -0

package/src/rbac/permissions.ts ADDED Viewed

@@ -0,0 +1,301 @@
+/**
+ * RBAC Permission Checker
+ *
+ * Core permission checking logic for role-based access control.
+ * Provides functions to verify user permissions against required permissions.
+ */
+import { Tier, TIER_ORDER } from '../tier-config';
+import {
+  Permission,
+  PERMISSIONS,
+  PermissionCheck,
+  PermissionMatrix,
+  RBACContext,
+  Role,
+  ROLE_HIERARCHY,
+  ROLE_PERMISSIONS,
+  ROLES,
+} from './types';
+// ============================================================================
+// PERMISSION CHECKING
+// ============================================================================
+/**
+ * Check if a role has a specific permission
+ */
+export function roleHasPermission(role: Role, permission: Permission): boolean {
+  const permissions = ROLE_PERMISSIONS[role];
+  return permissions.includes(permission);
+}
+/**
+ * Check if a user has a specific permission based on their role
+ */
+export function hasPermission(
+  context: RBACContext,
+  permission: Permission
+): PermissionCheck {
+  if (!context.role || !ROLES.includes(context.role)) {
+    return {
+      allowed: false,
+      reason: 'Invalid or missing role',
+    };
+  }
+  const hasAccess = roleHasPermission(context.role, permission);
+  if (!hasAccess) {
+    const requiredRole = getMinimumRoleForPermission(permission);
+    return {
+      allowed: false,
+      reason: `Permission '${permission}' requires at least '${requiredRole}' role`,
+      requiredRole,
+      requiredPermissions: [permission],
+    };
+  }
+  return { allowed: true };
+}
+/**
+ * Check if a user has ALL of the specified permissions
+ */
+export function hasAllPermissions(
+  context: RBACContext,
+  permissions: Permission[]
+): PermissionCheck {
+  const missingPermissions: Permission[] = [];
+  for (const permission of permissions) {
+    if (!roleHasPermission(context.role, permission)) {
+      missingPermissions.push(permission);
+    }
+  }
+  if (missingPermissions.length > 0) {
+    return {
+      allowed: false,
+      reason: `Missing required permissions: ${missingPermissions.join(', ')}`,
+      requiredPermissions: missingPermissions,
+    };
+  }
+  return { allowed: true };
+}
+/**
+ * Check if a user has ANY of the specified permissions
+ */
+export function hasAnyPermission(
+  context: RBACContext,
+  permissions: Permission[]
+): PermissionCheck {
+  for (const permission of permissions) {
+    if (roleHasPermission(context.role, permission)) {
+      return { allowed: true };
+    }
+  }
+  return {
+    allowed: false,
+    reason: `Requires at least one of: ${permissions.join(', ')}`,
+    requiredPermissions: permissions,
+  };
+}
+// ============================================================================
+// ROLE COMPARISON
+// ============================================================================
+/**
+ * Compare two roles and return their relative hierarchy
+ * Returns positive if role1 > role2, negative if role1 < role2, 0 if equal
+ */
+export function compareRoles(role1: Role, role2: Role): number {
+  return ROLE_HIERARCHY[role1] - ROLE_HIERARCHY[role2];
+}
+/**
+ * Check if role1 is higher than or equal to role2 in the hierarchy
+ */
+export function isRoleAtLeast(role: Role, minimumRole: Role): boolean {
+  return ROLE_HIERARCHY[role] >= ROLE_HIERARCHY[minimumRole];
+}
+/**
+ * Get the minimum role required for a specific permission
+ */
+export function getMinimumRoleForPermission(permission: Permission): Role {
+  // Check roles from lowest to highest
+  const orderedRoles: Role[] = ['viewer', 'compliance-auditor', 'dev', 'admin', 'owner'];
+  for (const role of orderedRoles) {
+    if (roleHasPermission(role, permission)) {
+      return role;
+    }
+  }
+  // Default to owner if permission not found
+  return 'owner';
+}
+/**
+ * Get all permissions for a role (including inherited)
+ */
+export function getEffectivePermissions(role: Role): Permission[] {
+  return [...ROLE_PERMISSIONS[role]];
+}
+// ============================================================================
+// TIER-BASED RESTRICTIONS
+// ============================================================================
+/**
+ * Check if a tier allows a specific operation with RBAC
+ */
+export function checkTierAndPermission(
+  context: RBACContext,
+  permission: Permission,
+  requiredTier: Tier
+): PermissionCheck {
+  // First check permission
+  const permissionCheck = hasPermission(context, permission);
+  if (!permissionCheck.allowed) {
+    return permissionCheck;
+  }
+  // Then check tier if provided
+  if (context.tier) {
+    const userTierIndex = TIER_ORDER.indexOf(context.tier as Tier);
+    const requiredTierIndex = TIER_ORDER.indexOf(requiredTier);
+    if (userTierIndex < requiredTierIndex) {
+      return {
+        allowed: false,
+        reason: `This feature requires ${requiredTier} tier or higher`,
+      };
+    }
+  }
+  return { allowed: true };
+}
+// ============================================================================
+// PERMISSION MATRIX
+// ============================================================================
+/**
+ * Generate a permission matrix for UI display
+ */
+export function generatePermissionMatrix(): PermissionMatrix {
+  const matrix: Record<Role, Record<Permission, boolean>> = {} as Record<Role, Record<Permission, boolean>>;
+  for (const role of ROLES) {
+    matrix[role] = {} as Record<Permission, boolean>;
+    for (const permission of PERMISSIONS) {
+      matrix[role][permission] = roleHasPermission(role, permission);
+    }
+  }
+  return {
+    roles: [...ROLES],
+    permissions: [...PERMISSIONS],
+    matrix,
+  };
+}
+// ============================================================================
+// ROLE ASSIGNMENT VALIDATION
+// ============================================================================
+/**
+ * Check if a user can assign a specific role to another user
+ * Users can only assign roles lower than their own
+ */
+export function canAssignRole(
+  assignerRole: Role,
+  targetRole: Role
+): PermissionCheck {
+  // Must have assign_roles permission
+  if (!roleHasPermission(assignerRole, 'assign_roles')) {
+    return {
+      allowed: false,
+      reason: 'You do not have permission to assign roles',
+    };
+  }
+  // Cannot assign a role equal to or higher than your own (except owner can assign admin)
+  if (assignerRole === 'owner') {
+    return { allowed: true };
+  }
+  if (ROLE_HIERARCHY[targetRole] >= ROLE_HIERARCHY[assignerRole]) {
+    return {
+      allowed: false,
+      reason: `Cannot assign role '${targetRole}' - must be lower than your role '${assignerRole}'`,
+    };
+  }
+  return { allowed: true };
+}
+/**
+ * Check if a user can remove another user from the team
+ */
+export function canRemoveMember(
+  removerRole: Role,
+  targetRole: Role
+): PermissionCheck {
+  // Must have remove_members permission
+  if (!roleHasPermission(removerRole, 'remove_members')) {
+    return {
+      allowed: false,
+      reason: 'You do not have permission to remove members',
+    };
+  }
+  // Cannot remove owner
+  if (targetRole === 'owner') {
+    return {
+      allowed: false,
+      reason: 'Cannot remove the team owner',
+    };
+  }
+  // Cannot remove someone with equal or higher role (unless owner)
+  if (removerRole !== 'owner' && ROLE_HIERARCHY[targetRole] >= ROLE_HIERARCHY[removerRole]) {
+    return {
+      allowed: false,
+      reason: `Cannot remove a member with role '${targetRole}' - must have a lower role than yours`,
+    };
+  }
+  return { allowed: true };
+}
+// ============================================================================
+// VALIDATION UTILITIES
+// ============================================================================
+/**
+ * Validate if a string is a valid role
+ */
+export function isValidRole(role: string): role is Role {
+  return ROLES.includes(role as Role);
+}
+/**
+ * Validate if a string is a valid permission
+ */
+export function isValidPermission(permission: string): permission is Permission {
+  return PERMISSIONS.includes(permission as Permission);
+}
+/**
+ * Get role from string with validation
+ */
+export function parseRole(role: string): Role | null {
+  return isValidRole(role) ? role : null;
+}

package/src/rbac/types.ts ADDED Viewed

@@ -0,0 +1,298 @@
+/**
+ * RBAC Type Definitions
+ *
+ * Core types for Role-Based Access Control system.
+ * Defines roles, permissions, and related interfaces.
+ */
+// ============================================================================
+// ROLES
+// ============================================================================
+export const ROLES = ['owner', 'admin', 'dev', 'viewer', 'compliance-auditor'] as const;
+export type Role = typeof ROLES[number];
+/** Role hierarchy for permission inheritance (higher index = more permissions) */
+export const ROLE_HIERARCHY: Record<Role, number> = {
+  'viewer': 0,
+  'compliance-auditor': 1,
+  'dev': 2,
+  'admin': 3,
+  'owner': 4,
+};
+// ============================================================================
+// PERMISSIONS
+// ============================================================================
+export const PERMISSIONS = [
+  // Team Management
+  'manage_team',
+  'invite_members',
+  'remove_members',
+  'assign_roles',
+  // Audit & Compliance
+  'view_audit',
+  'export_audit',
+  'manage_compliance',
+  'view_compliance',
+  // Reports
+  'view_reports',
+  'export_reports',
+  'create_reports',
+  // Operations
+  'run_scan',
+  'run_reality',
+  'run_autopilot',
+  'run_fix',
+  'run_gate',
+  // Policies
+  'view_policies',
+  'manage_policies',
+  'create_policies',
+  // Projects
+  'view_projects',
+  'create_projects',
+  'delete_projects',
+  'manage_project_settings',
+  // API & Integrations
+  'manage_api_keys',
+  'view_api_keys',
+  'manage_webhooks',
+  'manage_integrations',
+  // Billing
+  'view_billing',
+  'manage_billing',
+  // Admin
+  'view_dashboard',
+  'admin_settings',
+] as const;
+export type Permission = typeof PERMISSIONS[number];
+// ============================================================================
+// ROLE-PERMISSION MAPPING
+// ============================================================================
+/**
+ * Default permissions for each role.
+ * Roles inherit permissions from lower roles in the hierarchy.
+ */
+export const ROLE_PERMISSIONS: Record<Role, Permission[]> = {
+  'viewer': [
+    'view_dashboard',
+    'view_projects',
+    'view_reports',
+    'view_compliance',
+    'view_policies',
+  ],
+  'compliance-auditor': [
+    // Inherits viewer permissions
+    'view_dashboard',
+    'view_projects',
+    'view_reports',
+    'view_compliance',
+    'view_policies',
+    // Additional audit permissions
+    'view_audit',
+    'export_audit',
+    'export_reports',
+  ],
+  'dev': [
+    // Inherits viewer permissions
+    'view_dashboard',
+    'view_projects',
+    'view_reports',
+    'view_compliance',
+    'view_policies',
+    // Dev operations
+    'run_scan',
+    'run_reality',
+    'run_fix',
+    'run_gate',
+    'create_projects',
+    'view_api_keys',
+  ],
+  'admin': [
+    // Inherits dev permissions
+    'view_dashboard',
+    'view_projects',
+    'view_reports',
+    'view_compliance',
+    'view_policies',
+    'run_scan',
+    'run_reality',
+    'run_fix',
+    'run_gate',
+    'create_projects',
+    'view_api_keys',
+    // Admin permissions
+    'manage_team',
+    'invite_members',
+    'remove_members',
+    'assign_roles',
+    'run_autopilot',
+    'manage_policies',
+    'create_policies',
+    'delete_projects',
+    'manage_project_settings',
+    'manage_api_keys',
+    'manage_webhooks',
+    'manage_integrations',
+    'view_audit',
+    'export_audit',
+    'export_reports',
+    'create_reports',
+    'manage_compliance',
+    'view_billing',
+  ],
+  'owner': [
+    // All permissions
+    'manage_team',
+    'invite_members',
+    'remove_members',
+    'assign_roles',
+    'view_audit',
+    'export_audit',
+    'manage_compliance',
+    'view_compliance',
+    'view_reports',
+    'export_reports',
+    'create_reports',
+    'run_scan',
+    'run_reality',
+    'run_autopilot',
+    'run_fix',
+    'run_gate',
+    'view_policies',
+    'manage_policies',
+    'create_policies',
+    'view_projects',
+    'create_projects',
+    'delete_projects',
+    'manage_project_settings',
+    'manage_api_keys',
+    'view_api_keys',
+    'manage_webhooks',
+    'manage_integrations',
+    'view_billing',
+    'manage_billing',
+    'view_dashboard',
+    'admin_settings',
+  ],
+};
+// ============================================================================
+// INTERFACES
+// ============================================================================
+export interface RoleAssignment {
+  userId: string;
+  teamId: string;
+  role: Role;
+  assignedBy: string;
+  assignedAt: Date;
+}
+export interface PermissionCheck {
+  allowed: boolean;
+  reason?: string;
+  requiredRole?: Role;
+  requiredPermissions?: Permission[];
+}
+export interface TeamMemberWithRole {
+  id: string;
+  userId: string;
+  email: string;
+  name: string;
+  role: Role;
+  joinedAt: Date;
+  lastActive?: Date;
+}
+export interface TeamInvitation {
+  id: string;
+  teamId: string;
+  email: string;
+  role: Role;
+  invitedBy: string;
+  expiresAt: Date;
+  status: 'pending' | 'accepted' | 'expired' | 'revoked';
+}
+export interface RBACContext {
+  userId: string;
+  teamId: string;
+  role: Role;
+  permissions: Permission[];
+  tier?: string;
+}
+export interface PermissionMatrix {
+  roles: Role[];
+  permissions: Permission[];
+  matrix: Record<Role, Record<Permission, boolean>>;
+}
+// ============================================================================
+// ROLE METADATA
+// ============================================================================
+export interface RoleMetadata {
+  name: Role;
+  displayName: string;
+  description: string;
+  color: string;
+  icon: string;
+}
+export const ROLE_METADATA: Record<Role, RoleMetadata> = {
+  'owner': {
+    name: 'owner',
+    displayName: 'Owner',
+    description: 'Full access to all features including billing and team deletion',
+    color: '#8B5CF6', // purple
+    icon: 'crown',
+  },
+  'admin': {
+    name: 'admin',
+    displayName: 'Admin',
+    description: 'Manage team members, settings, and run all operations',
+    color: '#3B82F6', // blue
+    icon: 'shield',
+  },
+  'dev': {
+    name: 'dev',
+    displayName: 'Developer',
+    description: 'Run scans, fixes, and manage projects',
+    color: '#10B981', // green
+    icon: 'code',
+  },
+  'viewer': {
+    name: 'viewer',
+    displayName: 'Viewer',
+    description: 'View-only access to dashboards and reports',
+    color: '#6B7280', // gray
+    icon: 'eye',
+  },
+  'compliance-auditor': {
+    name: 'compliance-auditor',
+    displayName: 'Compliance Auditor',
+    description: 'View and export audit logs and compliance reports',
+    color: '#F59E0B', // amber
+    icon: 'clipboard-check',
+  },
+};