npm - spine-framework - Versions diffs - 0.1.0 - Mend

spine-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (385) hide show

package/.framework/README.md +129 -0
package/.framework/cli/bin.cjs +14 -0
package/.framework/cli/commands/agents.ts +153 -0
package/.framework/cli/commands/auth.ts +94 -0
package/.framework/cli/commands/create-app.ts +185 -0
package/.framework/cli/commands/dev.ts +295 -0
package/.framework/cli/commands/doctor.ts +442 -0
package/.framework/cli/commands/generate.ts +332 -0
package/.framework/cli/commands/init.ts +272 -0
package/.framework/cli/commands/install-app.ts +391 -0
package/.framework/cli/commands/items.ts +253 -0
package/.framework/cli/commands/migrations.ts +141 -0
package/.framework/cli/commands/pipelines.ts +166 -0
package/.framework/cli/commands/status.ts +197 -0
package/.framework/cli/commands/system.ts +184 -0
package/.framework/cli/commands/test.ts +227 -0
package/.framework/cli/commands/uninstall-app.ts +166 -0
package/.framework/cli/context.ts +268 -0
package/.framework/cli/env-loader.ts +36 -0
package/.framework/cli/index.ts +106 -0
package/.framework/cli/welcome.cjs +45 -0
package/.framework/docs/API.md +384 -0
package/.framework/docs/STABILITY.md +52 -0
package/.framework/docs/admin-routes.md +76 -0
package/.framework/docs/api-docs-progress.md +38 -0
package/.framework/docs/api-governance.md +146 -0
package/.framework/docs/api-testing-results.md +212 -0
package/.framework/docs/apis/admin-configs.md +567 -0
package/.framework/docs/apis/admin-data.md +272 -0
package/.framework/docs/apis/index.md +231 -0
package/.framework/docs/apis/internal.md +295 -0
package/.framework/docs/apis/runtime.md +537 -0
package/.framework/docs/assembly-launch-guide.md +138 -0
package/.framework/docs/audit-results.md +590 -0
package/.framework/docs/authorization-model.md +170 -0
package/.framework/docs/db-api-inventory.md +95 -0
package/.framework/docs/examples/custom-app/README.md +77 -0
package/.framework/docs/examples/custom-function/README.md +27 -0
package/.framework/docs/examples/custom-function/handler.ts +48 -0
package/.framework/docs/examples/custom-webhook/README.md +68 -0
package/.framework/docs/gap-remediation-backlog.md +103 -0
package/.framework/docs/guides/cli-guide.md +224 -0
package/.framework/docs/guides/getting-started.md +103 -0
package/.framework/docs/guides/import-guide.md +193 -0
package/.framework/docs/guides/testing-guide.md +229 -0
package/.framework/docs/permission-examples.md +326 -0
package/.framework/docs/ui-adoption-verification.md +111 -0
package/.framework/docs/ui-api-coverage.md +84 -0
package/.framework/docs/v2-compatibility-audit.md +228 -0
package/.framework/functions/.gitkeep +1 -0
package/.framework/functions/_shared/agent-runner.ts +1097 -0
package/.framework/functions/_shared/app-manifest.ts +184 -0
package/.framework/functions/_shared/audit.ts +150 -0
package/.framework/functions/_shared/db.ts +174 -0
package/.framework/functions/_shared/index.ts +382 -0
package/.framework/functions/_shared/middleware.ts +490 -0
package/.framework/functions/_shared/permissions.ts +1325 -0
package/.framework/functions/_shared/pipeline-runner.ts +731 -0
package/.framework/functions/_shared/principal.ts +760 -0
package/.framework/functions/_shared/schema-utils.ts +967 -0
package/.framework/functions/_shared/testing.ts +258 -0
package/.framework/functions/_shared/trigger-engine.ts +425 -0
package/.framework/functions/_shared/webhook-registration.ts +168 -0
package/.framework/functions/_shared/webhook-registry.ts +129 -0
package/.framework/functions/account-nodes.ts +111 -0
package/.framework/functions/admin-data.ts +606 -0
package/.framework/functions/ai-agents.ts +323 -0
package/.framework/functions/api-keys.ts +376 -0
package/.framework/functions/apps.ts +483 -0
package/.framework/functions/auth.ts +196 -0
package/.framework/functions/debug-auth.ts +107 -0
package/.framework/functions/embeddings.ts +556 -0
package/.framework/functions/integration-routes.ts +523 -0
package/.framework/functions/integrations.ts +319 -0
package/.framework/functions/item-progress.ts +272 -0
package/.framework/functions/logs.ts +438 -0
package/.framework/functions/observability.ts +275 -0
package/.framework/functions/pipeline-executions.ts +494 -0
package/.framework/functions/pipelines.ts +485 -0
package/.framework/functions/prompt-configs.ts +339 -0
package/.framework/functions/roles.ts +387 -0
package/.framework/functions/system-cron.ts +742 -0
package/.framework/functions/system.ts +323 -0
package/.framework/functions/tests.ts +119 -0
package/.framework/functions/timers.ts +357 -0
package/.framework/functions/triggers.ts +563 -0
package/.framework/functions/types.ts +604 -0
package/.framework/migrations/000_foundation.sql +1256 -0
package/.framework/migrations/001_seed.sql +92 -0
package/.framework/migrations/002_seed_constraints.sql +13 -0
package/.framework/migrations/003_auth_user_trigger.sql +59 -0
package/.framework/src/App.tsx +126 -0
package/.framework/src/apps/admin/index.tsx +173 -0
package/.framework/src/components/AppWrapper.tsx +56 -0
package/.framework/src/components/CustomAppLoader.tsx +116 -0
package/.framework/src/components/admin/AdminListPage.tsx +151 -0
package/.framework/src/components/admin/AdminSidebar.tsx +166 -0
package/.framework/src/components/admin/AdminStatsCard.tsx +62 -0
package/.framework/src/components/admin/SortableTableHeader.tsx +42 -0
package/.framework/src/components/app-shell/GenericAppShell.tsx +181 -0
package/.framework/src/components/app-shell/GenericDetailPage.tsx +200 -0
package/.framework/src/components/app-shell/GenericListPage.tsx +116 -0
package/.framework/src/components/app-sidebar.tsx +228 -0
package/.framework/src/components/auth/ProtectedRoute.tsx +88 -0
package/.framework/src/components/layout/AppShell.tsx +91 -0
package/.framework/src/components/layout/Header.tsx +88 -0
package/.framework/src/components/layout/Layout.tsx +95 -0
package/.framework/src/components/layout/Sidebar.tsx +329 -0
package/.framework/src/components/runtime/DataDetailHeader.tsx +77 -0
package/.framework/src/components/runtime/DataDetailPage.tsx +171 -0
package/.framework/src/components/runtime/DataFilters.tsx +91 -0
package/.framework/src/components/runtime/DataHeader.tsx +68 -0
package/.framework/src/components/runtime/DataListPage.tsx +124 -0
package/.framework/src/components/runtime/DataStats.tsx +70 -0
package/.framework/src/components/runtime/DataTable.tsx +174 -0
package/.framework/src/components/runtime/SchemaDetailForm.tsx +134 -0
package/.framework/src/components/runtime/index.ts +18 -0
package/.framework/src/components/search-form.tsx +29 -0
package/.framework/src/components/shared/AgentView.tsx +213 -0
package/.framework/src/components/shared/FieldRenderer.tsx +478 -0
package/.framework/src/components/shared/SchemaFields.tsx +226 -0
package/.framework/src/components/ui/DataTable.tsx +343 -0
package/.framework/src/components/ui/Form.tsx +281 -0
package/.framework/src/components/ui/ItemCard.tsx +296 -0
package/.framework/src/components/ui/ItemListView.tsx +308 -0
package/.framework/src/components/ui/LoadingSpinner.tsx +52 -0
package/.framework/src/components/ui/Modal.tsx +61 -0
package/.framework/src/components/ui/RichTextEditor.tsx +210 -0
package/.framework/src/components/ui/accordion.tsx +82 -0
package/.framework/src/components/ui/alert-dialog.tsx +197 -0
package/.framework/src/components/ui/alert.tsx +76 -0
package/.framework/src/components/ui/aspect-ratio.tsx +11 -0
package/.framework/src/components/ui/avatar.tsx +110 -0
package/.framework/src/components/ui/badge.tsx +49 -0
package/.framework/src/components/ui/breadcrumb.tsx +122 -0
package/.framework/src/components/ui/button-group.tsx +83 -0
package/.framework/src/components/ui/button.tsx +65 -0
package/.framework/src/components/ui/calendar.tsx +222 -0
package/.framework/src/components/ui/card.tsx +100 -0
package/.framework/src/components/ui/carousel.tsx +240 -0
package/.framework/src/components/ui/chart.tsx +373 -0
package/.framework/src/components/ui/checkbox.tsx +31 -0
package/.framework/src/components/ui/collapsible.tsx +33 -0
package/.framework/src/components/ui/combobox.tsx +299 -0
package/.framework/src/components/ui/command.tsx +193 -0
package/.framework/src/components/ui/context-menu.tsx +261 -0
package/.framework/src/components/ui/dialog.tsx +165 -0
package/.framework/src/components/ui/direction.tsx +22 -0
package/.framework/src/components/ui/drawer.tsx +132 -0
package/.framework/src/components/ui/dropdown-menu.tsx +269 -0
package/.framework/src/components/ui/empty.tsx +104 -0
package/.framework/src/components/ui/field.tsx +238 -0
package/.framework/src/components/ui/hover-card.tsx +42 -0
package/.framework/src/components/ui/input-group.tsx +153 -0
package/.framework/src/components/ui/input-otp.tsx +87 -0
package/.framework/src/components/ui/input.tsx +19 -0
package/.framework/src/components/ui/item.tsx +196 -0
package/.framework/src/components/ui/kbd.tsx +26 -0
package/.framework/src/components/ui/label.tsx +22 -0
package/.framework/src/components/ui/menubar.tsx +277 -0
package/.framework/src/components/ui/native-select.tsx +61 -0
package/.framework/src/components/ui/navigation-menu.tsx +164 -0
package/.framework/src/components/ui/pagination.tsx +129 -0
package/.framework/src/components/ui/popover.tsx +87 -0
package/.framework/src/components/ui/progress.tsx +31 -0
package/.framework/src/components/ui/radio-group.tsx +42 -0
package/.framework/src/components/ui/resizable.tsx +50 -0
package/.framework/src/components/ui/scroll-area.tsx +53 -0
package/.framework/src/components/ui/select.tsx +195 -0
package/.framework/src/components/ui/separator.tsx +26 -0
package/.framework/src/components/ui/sheet.tsx +145 -0
package/.framework/src/components/ui/sidebar.tsx +706 -0
package/.framework/src/components/ui/skeleton.tsx +13 -0
package/.framework/src/components/ui/slider.tsx +59 -0
package/.framework/src/components/ui/sonner.tsx +47 -0
package/.framework/src/components/ui/spinner.tsx +10 -0
package/.framework/src/components/ui/switch.tsx +33 -0
package/.framework/src/components/ui/table-primitives.tsx +141 -0
package/.framework/src/components/ui/table.tsx +114 -0
package/.framework/src/components/ui/tabs.tsx +90 -0
package/.framework/src/components/ui/textarea.tsx +18 -0
package/.framework/src/components/ui/toggle-group.tsx +89 -0
package/.framework/src/components/ui/toggle.tsx +45 -0
package/.framework/src/components/ui/tooltip.tsx +57 -0
package/.framework/src/contexts/AppContext.tsx +133 -0
package/.framework/src/contexts/AuthContext.tsx +371 -0
package/.framework/src/hooks/use-mobile.ts +19 -0
package/.framework/src/hooks/useApi.ts +526 -0
package/.framework/src/hooks/useApps.ts +114 -0
package/.framework/src/hooks/useEntityList.ts +190 -0
package/.framework/src/hooks/useEntityRecord.ts +308 -0
package/.framework/src/hooks/useForm.ts +307 -0
package/.framework/src/hooks/useListSchema.ts +264 -0
package/.framework/src/hooks/useSchemaRecord.ts +223 -0
package/.framework/src/index.css +128 -0
package/.framework/src/lib/api.ts +156 -0
package/.framework/src/lib/supabase.ts +94 -0
package/.framework/src/lib/utils.ts +317 -0
package/.framework/src/main.tsx +27 -0
package/.framework/src/pages/DashboardPage.tsx +181 -0
package/.framework/src/pages/NotFoundPage.tsx +39 -0
package/.framework/src/pages/admin/AIAgentDetailPage.tsx +161 -0
package/.framework/src/pages/admin/AIAgentsPage.tsx +318 -0
package/.framework/src/pages/admin/APIKeyDetailPage.tsx +199 -0
package/.framework/src/pages/admin/APIKeysPage.tsx +303 -0
package/.framework/src/pages/admin/AlertsConfigPage.tsx +523 -0
package/.framework/src/pages/admin/AppDetailPage.tsx +493 -0
package/.framework/src/pages/admin/AppsPage.tsx +355 -0
package/.framework/src/pages/admin/DesignedPage.tsx +491 -0
package/.framework/src/pages/admin/EmbeddingDetailPage.tsx +534 -0
package/.framework/src/pages/admin/EmbeddingsPage.tsx +424 -0
package/.framework/src/pages/admin/ExtendedShadcnTestPage.tsx +176 -0
package/.framework/src/pages/admin/IncrementalShadcnTestPage.tsx +109 -0
package/.framework/src/pages/admin/IntegratedDashboard.tsx +402 -0
package/.framework/src/pages/admin/IntegrationDetailPage.tsx +187 -0
package/.framework/src/pages/admin/IntegrationsPage.tsx +301 -0
package/.framework/src/pages/admin/LogsPage.tsx +283 -0
package/.framework/src/pages/admin/MinimalShadcnTestPage.tsx +85 -0
package/.framework/src/pages/admin/ObservabilityDashboard.tsx +470 -0
package/.framework/src/pages/admin/PipelineDetailPage.tsx +183 -0
package/.framework/src/pages/admin/PipelineExecutionsPage.tsx +279 -0
package/.framework/src/pages/admin/PipelinesPage.tsx +390 -0
package/.framework/src/pages/admin/PromptConfigDetailPage.tsx +299 -0
package/.framework/src/pages/admin/PromptConfigsPage.tsx +292 -0
package/.framework/src/pages/admin/ProperlyDesignedPage.tsx +434 -0
package/.framework/src/pages/admin/RoleDetailPage.tsx +273 -0
package/.framework/src/pages/admin/RolesPage.tsx +292 -0
package/.framework/src/pages/admin/SelectTestPage.tsx +61 -0
package/.framework/src/pages/admin/ShadcnTestPage.tsx +588 -0
package/.framework/src/pages/admin/SimpleDashboard.tsx +387 -0
package/.framework/src/pages/admin/TestRunDetailPage.tsx +172 -0
package/.framework/src/pages/admin/TestingDashboard.tsx +257 -0
package/.framework/src/pages/admin/TimerDetailPage.tsx +151 -0
package/.framework/src/pages/admin/TimersPage.tsx +376 -0
package/.framework/src/pages/admin/TriggerDetailPage.tsx +149 -0
package/.framework/src/pages/admin/TriggersPage.tsx +381 -0
package/.framework/src/pages/admin/TypeDetailPage.tsx +694 -0
package/.framework/src/pages/admin/TypesPage.tsx +295 -0
package/.framework/src/pages/auth/LoginPage.tsx +188 -0
package/.framework/src/pages/auth/RegisterPage.tsx +163 -0
package/.framework/src/pages/spine-framework/APIPage.tsx +17 -0
package/.framework/src/pages/spine-framework/CLIPage.tsx +25 -0
package/.framework/src/types/auth.ts +125 -0
package/.framework/src/types/types.ts +407 -0
package/STRUCTURE.md +150 -0
package/config/components.json +25 -0
package/config/deno.lock +108 -0
package/config/package-lock.json +17183 -0
package/config/postcss.config.cjs +10 -0
package/config/tailwind.config.cjs +78 -0
package/config/tsconfig.build.json +32 -0
package/config/tsconfig.cli.json +18 -0
package/config/tsconfig.json +41 -0
package/config/tsconfig.node.json +17 -0
package/config/tsconfig.node.tsbuildinfo +1 -0
package/config/tsconfig.tsbuildinfo +1 -0
package/config/typedoc.json +16 -0
package/config/vite.config.d.ts +2 -0
package/config/vite.config.ts +72 -0
package/dist/cli/commands/agents.d.ts +39 -0
package/dist/cli/commands/agents.d.ts.map +1 -0
package/dist/cli/commands/auth.d.ts +36 -0
package/dist/cli/commands/auth.d.ts.map +1 -0
package/dist/cli/commands/create-app.d.ts +23 -0
package/dist/cli/commands/create-app.d.ts.map +1 -0
package/dist/cli/commands/dev.d.ts +39 -0
package/dist/cli/commands/dev.d.ts.map +1 -0
package/dist/cli/commands/doctor.d.ts +42 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/generate.d.ts +36 -0
package/dist/cli/commands/generate.d.ts.map +1 -0
package/dist/cli/commands/init.d.ts +30 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/install-app.d.ts +30 -0
package/dist/cli/commands/install-app.d.ts.map +1 -0
package/dist/cli/commands/items.d.ts +45 -0
package/dist/cli/commands/items.d.ts.map +1 -0
package/dist/cli/commands/migrations.d.ts +41 -0
package/dist/cli/commands/migrations.d.ts.map +1 -0
package/dist/cli/commands/pipelines.d.ts +40 -0
package/dist/cli/commands/pipelines.d.ts.map +1 -0
package/dist/cli/commands/status.d.ts +23 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/system.d.ts +29 -0
package/dist/cli/commands/system.d.ts.map +1 -0
package/dist/cli/commands/test.d.ts +46 -0
package/dist/cli/commands/test.d.ts.map +1 -0
package/dist/cli/commands/uninstall-app.d.ts +23 -0
package/dist/cli/commands/uninstall-app.d.ts.map +1 -0
package/dist/cli/context.d.ts +88 -0
package/dist/cli/context.d.ts.map +1 -0
package/dist/cli/env-loader.d.ts +14 -0
package/dist/cli/env-loader.d.ts.map +1 -0
package/dist/cli/index.d.ts +41 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/functions/_shared/agent-runner.d.ts +156 -0
package/dist/functions/_shared/agent-runner.d.ts.map +1 -0
package/dist/functions/_shared/app-manifest.d.ts +68 -0
package/dist/functions/_shared/app-manifest.d.ts.map +1 -0
package/dist/functions/_shared/audit.d.ts +91 -0
package/dist/functions/_shared/audit.d.ts.map +1 -0
package/dist/functions/_shared/db.d.ts +125 -0
package/dist/functions/_shared/db.d.ts.map +1 -0
package/dist/functions/_shared/index.d.ts +298 -0
package/dist/functions/_shared/index.d.ts.map +1 -0
package/dist/functions/_shared/middleware.d.ts +315 -0
package/dist/functions/_shared/middleware.d.ts.map +1 -0
package/dist/functions/_shared/permissions.d.ts +626 -0
package/dist/functions/_shared/permissions.d.ts.map +1 -0
package/dist/functions/_shared/pipeline-runner.d.ts +124 -0
package/dist/functions/_shared/pipeline-runner.d.ts.map +1 -0
package/dist/functions/_shared/principal.d.ts +284 -0
package/dist/functions/_shared/principal.d.ts.map +1 -0
package/dist/functions/_shared/schema-utils.d.ts +181 -0
package/dist/functions/_shared/schema-utils.d.ts.map +1 -0
package/dist/functions/_shared/testing.d.ts +172 -0
package/dist/functions/_shared/testing.d.ts.map +1 -0
package/dist/functions/_shared/trigger-engine.d.ts +140 -0
package/dist/functions/_shared/trigger-engine.d.ts.map +1 -0
package/dist/functions/_shared/webhook-registration.d.ts +81 -0
package/dist/functions/_shared/webhook-registration.d.ts.map +1 -0
package/dist/functions/_shared/webhook-registry.d.ts +57 -0
package/dist/functions/_shared/webhook-registry.d.ts.map +1 -0
package/dist/functions/account-nodes.d.ts +48 -0
package/dist/functions/account-nodes.d.ts.map +1 -0
package/dist/functions/admin-data.d.ts +178 -0
package/dist/functions/admin-data.d.ts.map +1 -0
package/dist/functions/ai-agents.d.ts +125 -0
package/dist/functions/ai-agents.d.ts.map +1 -0
package/dist/functions/api-keys.d.ts +140 -0
package/dist/functions/api-keys.d.ts.map +1 -0
package/dist/functions/apps.d.ts +163 -0
package/dist/functions/apps.d.ts.map +1 -0
package/dist/functions/auth.d.ts +74 -0
package/dist/functions/auth.d.ts.map +1 -0
package/dist/functions/debug-auth.d.ts +33 -0
package/dist/functions/debug-auth.d.ts.map +1 -0
package/dist/functions/embeddings.d.ts +205 -0
package/dist/functions/embeddings.d.ts.map +1 -0
package/dist/functions/integration-routes.d.ts +45 -0
package/dist/functions/integration-routes.d.ts.map +1 -0
package/dist/functions/integrations.d.ts +124 -0
package/dist/functions/integrations.d.ts.map +1 -0
package/dist/functions/item-progress.d.ts +41 -0
package/dist/functions/item-progress.d.ts.map +1 -0
package/dist/functions/logs.d.ts +162 -0
package/dist/functions/logs.d.ts.map +1 -0
package/dist/functions/observability.d.ts +123 -0
package/dist/functions/observability.d.ts.map +1 -0
package/dist/functions/pipeline-executions.d.ts +190 -0
package/dist/functions/pipeline-executions.d.ts.map +1 -0
package/dist/functions/pipelines.d.ts +171 -0
package/dist/functions/pipelines.d.ts.map +1 -0
package/dist/functions/prompt-configs.d.ts +125 -0
package/dist/functions/prompt-configs.d.ts.map +1 -0
package/dist/functions/roles.d.ts +118 -0
package/dist/functions/roles.d.ts.map +1 -0
package/dist/functions/system-cron.d.ts +65 -0
package/dist/functions/system-cron.d.ts.map +1 -0
package/dist/functions/system.d.ts +29 -0
package/dist/functions/system.d.ts.map +1 -0
package/dist/functions/tests.d.ts +28 -0
package/dist/functions/tests.d.ts.map +1 -0
package/dist/functions/timers.d.ts +139 -0
package/dist/functions/timers.d.ts.map +1 -0
package/dist/functions/triggers.d.ts +203 -0
package/dist/functions/triggers.d.ts.map +1 -0
package/dist/functions/types.d.ts +151 -0
package/dist/functions/types.d.ts.map +1 -0
package/dist/src/types/types.d.ts +364 -0
package/dist/src/types/types.d.ts.map +1 -0
package/package.json +192 -0
package/scripts/app-install-cli.ts +286 -0
package/scripts/assemble-frontend.sh +79 -0
package/scripts/assemble-functions.sh +62 -0
package/scripts/assemble.sh +35 -0
package/scripts/boundary-check.sh +106 -0
package/scripts/build-manifest.sh +80 -0
package/scripts/check-core-integrity.sh +82 -0
package/scripts/ingest-chunks.cjs +202 -0
package/scripts/kb-chunk-parser.cjs +312 -0
package/scripts/kb-chunk-parser.ts +330 -0
package/scripts/load-test-app-install.ts +484 -0
package/scripts/netlify-dev-wrapper.sh +22 -0
package/scripts/verify-integrity.sh +69 -0

package/.framework/functions/roles.ts ADDED Viewed

@@ -0,0 +1,387 @@
+/**
+ * @module roles
+ * @audience core-contributor
+ * @layer api-handler
+ * @stability stable
+ *
+ * CRUD API for the `roles` table. Roles define permission sets (`permissions`
+ * JSONB) that are assigned to people within an account.
+ *
+ * **Routed by:** `GET/POST/PATCH/DELETE /.netlify/functions/roles`
+ *
+ * **Authorization model:**
+ * - All reads use `ctx.db` (RLS-scoped). System admins see raw records;
+ *   others get field-level sanitization via `sanitizeRecordData`.
+ * - `create`: requires system admin OR first-surface `canCreate` permission.
+ *   Creating a role with `slug === 'system_admin'` is system-admin-only.
+ * - `update` / `remove`: require authenticated principal. RLS controls row
+ *   access; field-level permissions validated via `validateUpdatePermissions`.
+ * - Slug uniqueness is enforced per-app: checked against `adminDb`.
+ *
+ * INVARIANT: `system_admin` role slug can only be created by system admins.
+ * INVARIANT: soft delete only — roles are set to `is_active = false`.
+ *
+ * @seeAlso middleware.ts (createHandler)
+ * @seeAlso permissions.ts (PermissionEngine, sanitizeRecordData)
+ * @seeAlso audit.ts (emitLog for role.created / role.updated / role.deleted)
+ */
+import { createHandler } from './_shared/middleware'
+import { adminDb } from './_shared/db'
+import { emitLog } from './_shared/audit'
+import { PermissionEngine, sanitizeRecordData } from './_shared/permissions'
+const permissions = PermissionEngine as any
+// ─── HANDLERS ─────────────────────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_LIST ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_LIST_1_0_0
+ * @version     1.0.0
+ * @hash        b643852233c87c20abd7d62b3f51be9ba7f0f2a4ff02154be239ceef6184811b
+ * @macro       Roles List Handler
+ * @micro       Lists active roles with filtering and permission-based sanitization
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      _body: any — Request body (unused for GET)
+ * @outputs     Array of role records with app join, sanitized for non-admins
+ * @depends-on  [createHandler, PermissionEngine, sanitizeRecordData]
+ * @depended-by [Netlify function routing]
+ * @side-effects [DB queries, permission sanitization]
+ * @tags        roles, list, crud, pagination, permissions
+ */
+export const list = createHandler(async (ctx, _body) => {
+  const { app_id, is_system, limit = '50', offset = '0' } = ctx.query || {}
+  // RLS automatically filters to accessible roles
+  let query = ctx.db
+    .from('roles')
+    .select(`
+      *,
+      app:apps(id, slug, name)
+    `)
+    .eq('is_active', true)
+    .order('is_system', { ascending: false })
+    .order('name')
+  if (app_id) {
+    query = query.eq('app_id', app_id)
+  } else if (app_id === 'null') {
+    query = query.is('app_id', null)
+  }
+  if (is_system !== undefined) {
+    query = query.eq('is_system', is_system === 'true')
+  }
+  const { data, error: err } = await query
+    .range(parseInt(offset), parseInt(offset) + parseInt(limit) - 1)
+  if (err) throw err
+  // System admin sees everything without additional filtering
+  if (permissions.isSystemAdmin(ctx)) {
+    return data
+  }
+  // Filter each role based on field-level permissions
+  const filteredData = []
+  for (const role of data || []) {
+    const roleWithType = { ...role, type: 'role' }
+    const sanitizedRole = await sanitizeRecordData(ctx, roleWithType, 'role')
+      filteredData.push(sanitizedRole)
+  }
+  return filteredData
+})
+// ─── CHUNK_END: ROLES_LIST ────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_GET ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_GET_1_0_0
+ * @version     1.0.0
+ * @hash        94607bad8b9ff929233ce1b29b6563062d439365ed0413726c5a8d8d0f58474b
+ * @macro       Role Get Handler
+ * @micro       Returns single role record with joins and permission sanitization
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      _body: any — Request body (unused for GET)
+ * @outputs     Sanitized role record with app join
+ * @depends-on  [createHandler, sanitizeRecordData]
+ * @depended-by [Netlify function routing]
+ * @side-effects [DB single row query, permission sanitization]
+ * @tags        roles, get, crud, single-record, permissions
+ */
+export const get = createHandler(async (ctx, _body) => {
+  const { id } = ctx.query || {}
+  if (!id) {
+    throw new Error('Role ID is required')
+  }
+  // RLS ensures user can only access roles in their accessible accounts
+  const { data, error: err } = await ctx.db
+    .from('roles')
+    .select(`
+      *,
+      app:apps(id, slug, name)
+    `)
+    .eq('id', id)
+    .eq('is_active', true)
+    .single()
+  if (err) throw err
+  // Return sanitized data based on field-level permissions
+  const roleWithType = { ...data, type: 'role' }
+  return await sanitizeRecordData(ctx, roleWithType, 'role')
+})
+// ─── CHUNK_END: ROLES_GET ────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_CREATE ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_CREATE_1_0_0
+ * @version     1.0.0
+ * @hash        7f6646fee88ed72d997eb710feb3778aad114f3a96819390166c8ecbc6eeaa0e
+ * @macro       Role Create Handler
+ * @micro       Creates role with permission validation and audit logging
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      body: object — Role data including slug, name, and optional fields
+ * @outputs     Inserted role record
+ * @depends-on  [createHandler, PermissionEngine, adminDb, emitLog]
+ * @depended-by [Netlify function routing]
+ * @side-effects [DB insert, permission validation, audit logging]
+ * @tags        roles, create, crud, permissions, audit
+ */
+export const create = createHandler(async (ctx, body) => {
+  const { app_id, slug, name, description, permissions: rolePermissions, is_system } = body
+  if (!slug || !name) {
+    throw new Error('slug and name are required')
+  }
+  if (!ctx.principal || ctx.principal.id === 'anonymous' || !ctx.accountId) {
+    throw new Error('User context (person and account) required')
+  }
+  // Guard: system_admin role can only be created by system admins
+  if (slug === 'system_admin' && !permissions.isSystemAdmin(ctx)) {
+    throw new Error('system_admin role can only be created by system administrators')
+  }
+  // Check create permissions using PermissionEngine
+  if (!permissions.isSystemAdmin(ctx)) {
+    const perms = await permissions.resolveFirstSurfacePermissions(
+      ctx.principal.id,
+      ctx.accountId!,
+      'role',
+      'create'
+    )
+    if (!perms.canCreate) {
+      throw new Error('Insufficient permissions to create roles')
+    }
+  }
+  // Check if slug is unique within app using service role (validating uniqueness is a system concern)
+  let query = adminDb
+    .from('roles')
+    .select('id')
+    .eq('slug', slug)
+  if (app_id) {
+    query = query.eq('app_id', app_id)
+  } else {
+    query = query.is('app_id', null)
+  }
+  const { data: existing } = await query.single()
+  if (existing) {
+    throw new Error('Role slug already exists for this app')
+  }
+  // Insert with RLS enforcement
+  const { data, error: err } = await ctx.db
+    .from('roles')
+    .insert({
+      app_id,
+      slug,
+      name,
+      description,
+      permissions: rolePermissions || {},
+      is_system: is_system || false,
+      is_active: true
+    })
+    .select()
+    .single()
+  if (err) throw err
+  await emitLog(ctx, 'role.created', { type: 'role', id: data.id }, { after: data })
+  return data
+})
+// ─── CHUNK_END: ROLES_CREATE ────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_UPDATE ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_UPDATE_1_0_0
+ * @version     1.0.0
+ * @hash        19803de116b38af5e27bf542ca642228f4661bbf428a4846ed565d0667767580
+ * @macro       Role Update Handler
+ * @micro       Updates role with field-level permission validation and audit logging
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      body: object — Role updates including id and updatable fields
+ * @outputs     Updated role record
+ * @depends-on  [createHandler, PermissionEngine, emitLog]
+ * @depended-by [Netlify function routing]
+ * @side-effects [DB update, permission validation, audit logging]
+ * @tags        roles, update, crud, permissions, audit
+ */
+export const update = createHandler(async (ctx, body) => {
+  const { id, ...updates } = body
+  if (!id) {
+    throw new Error('Role ID is required')
+  }
+  if (!ctx.principal || ctx.principal.id === 'anonymous' || !ctx.accountId) {
+    throw new Error('User context (person and account) required')
+  }
+  // Get current state for audit via RLS
+  const { data: current, error: fetchErr } = await ctx.db
+    .from('roles')
+    .select('*')
+    .eq('id', id)
+    .single()
+  if (fetchErr || !current) {
+    throw new Error('Role not found or access denied')
+  }
+  // Validate field-level permissions
+  const fieldValidation = await permissions.validateUpdatePermissions(
+    ctx,
+    updates,
+    current,
+    'role'
+  )
+  if (!fieldValidation.valid) {
+    throw new Error(fieldValidation.error)
+  }
+  // Update via RLS
+  const { data, error: err } = await ctx.db
+    .from('roles')
+    .update({
+      ...updates,
+      updated_at: new Date().toISOString()
+    })
+    .eq('id', id)
+    .select()
+    .single()
+  if (err) throw err
+  await emitLog(ctx, 'role.updated', { type: 'role', id }, { before: current, after: data })
+  return data
+})
+// ─── CHUNK_END: ROLES_UPDATE ────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_REMOVE ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_REMOVE_1_0_0
+ * @version     1.0.0
+ * @hash        9194c78a60e7d12b7acf6981bbc56afdfbe9e922c52739394240fca5adcfa069
+ * @macro       Role Remove Handler
+ * @micro       Soft-deletes role with audit logging
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      body: object — Role id for deletion
+ * @outputs     Updated role record with is_active: false
+ * @depends-on  [createHandler, emitLog]
+ * @depended-by [Netlify function routing]
+ * @side-effects [DB soft delete, audit logging]
+ * @tags        roles, remove, soft-delete, audit
+ */
+export const remove = createHandler(async (ctx, body) => {
+  const { id } = body
+  if (!id) {
+    throw new Error('Role ID is required')
+  }
+  if (!ctx.principal || ctx.principal.id === 'anonymous' || !ctx.accountId) {
+    throw new Error('User context (person and account) required')
+  }
+  // Verify access via RLS fetch
+  const { data: current, error: fetchErr } = await ctx.db
+    .from('roles')
+    .select('*')
+    .eq('id', id)
+    .single()
+  if (fetchErr || !current) {
+    throw new Error('Role not found or access denied')
+  }
+  // Soft delete via RLS
+  const { data, error: err } = await ctx.db
+    .from('roles')
+    .update({
+      is_active: false,
+      updated_at: new Date().toISOString()
+    })
+    .eq('id', id)
+    .select()
+    .single()
+  if (err) throw err
+  await emitLog(ctx, 'role.deleted', { type: 'role', id }, { before: current })
+  return data
+})
+// ─── CHUNK_END: ROLES_REMOVE ────────────────────────────────────────────────
+// ─── MAIN HANDLER ────────────────────────────────────────────────────────────
+// ─── CHUNK_START: ROLES_HANDLER ──────────────────────────────────────────────
+/**
+ * @chunk-id    ROLES_HANDLER_1_0_0
+ * @version     1.0.0
+ * @hash        14c00f276a22287ed65c019efe327cbb513f860a408191e299864b05c641833c
+ * @macro       Roles Router
+ * @micro       Routes HTTP methods to appropriate role handlers
+ * @inputs      ctx: CoreContext — Request context with principal and database
+ * @inputs      body: any — Request body for POST/PATCH/DELETE operations
+ * @outputs     Varies — Depends on routed handler (list/get/create/update/remove)
+ * @depends-on  [createHandler, list, get, create, update, remove]
+ * @depended-by [Netlify function routing]
+ * @side-effects [Delegates to appropriate handler]
+ * @tags        roles, router, crud, netlify-function
+ */
+export const handler = createHandler(async (ctx, body) => {
+  const method = ctx.query?.method || 'GET'
+  switch (method) {
+    case 'GET':
+      if (ctx.query?.id) {
+        return await get(ctx, body)
+      } else {
+        return await list(ctx, body)
+      }
+    case 'POST':
+      return await create(ctx, body)
+    case 'PATCH':
+      return await update(ctx, body)
+    case 'DELETE':
+      return await remove(ctx, body)
+    default:
+      throw new Error(`Unsupported method: ${method}`)
+  }
+})
+// ─── CHUNK_END: ROLES_HANDLER ────────────────────────────────────────────────