studiograph 1.3.2 → 1.3.3-next.10

package/dist/server/routes/permissions-api.js

@@ -1,176 +1,48 @@
 /**
  * Permissions API routes
  *
- * GitHub-based org, team, and repo access management.
- * Only available when GitHub org is configured and user has a valid token.
+ * Self-hosted per-collection access management backed by AuthService.
+ * All endpoints require admin role.
  */
-import { loadToken, getAuthenticatedOctokit } from '../../auth/github.js';
-import { GitHubService } from '../../services/github-service.js';
-function getGitHubService(config) {
-    const org = config.github?.org;
-    if (!org)
-        return null;
-    const stored = loadToken();
-    if (!stored)
-        return null;
-    const octokit = getAuthenticatedOctokit(stored.token);
-    return new GitHubService(octokit, org);
-}
-export async function registerPermissionsApiRoutes(fastify, workspaceConfig) {
-    // GET /api/permissions/role — current user's org role and login
-    fastify.get('/api/permissions/role', async (_req, reply) => {
-        const stored = loadToken();
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.send({ role: null, login: null, reason: 'not_configured' });
-        }
-        try {
-            const role = await service.getCurrentUserRole();
-            return reply.send({ role, login: stored?.user?.login ?? null });
-        }
-        catch (err) {
-            return reply.status(500).send({ error: err.message });
-        }
-    });
-    // GET /api/permissions/members — list org members
-    fastify.get('/api/permissions/members', async (_req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        try {
-            const members = await service.listMembers();
-            return reply.send(members);
-        }
-        catch (err) {
-            return reply.status(500).send({ error: err.message });
-        }
-    });
-    // POST /api/permissions/members/invite — invite user to org
-    fastify.post('/api/permissions/members/invite', async (req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        const { username } = req.body ?? {};
-        if (!username) {
-            return reply.status(400).send({ error: 'username is required' });
-        }
-        try {
-            const isMember = await service.isOrgMember(username);
-            if (isMember) {
-                return reply.send({ status: 'already_member' });
-            }
-            await service.inviteUser(username);
-            return reply.send({ status: 'invited' });
-        }
-        catch (err) {
-            if (err?.status === 422) {
-                return reply.send({ status: 'already_invited' });
-            }
-            return reply.status(err?.status ?? 500).send({ error: err.message });
-        }
-    });
-    // DELETE /api/permissions/members/:username — remove user from org
-    fastify.delete('/api/permissions/members/:username', async (req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        try {
-            await service.removeUser(req.params.username);
-            return reply.send({ ok: true });
-        }
-        catch (err) {
-            return reply.status(err?.status ?? 500).send({ error: err.message });
-        }
-    });
-    // GET /api/permissions/collections — access info for all collections
-    fastify.get('/api/permissions/collections', async (_req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        try {
-            const repos = workspaceConfig.repos ?? [];
-            const results = await Promise.all(repos
-                .filter(r => !r.private)
-                .map(async (repo) => {
-                const repoName = extractRepoName(repo.github_url) ?? repo.name;
-                try {
-                    const access = await service.getRepoAccess(repoName);
-                    return { collection: repo.name, repoName, ...access };
-                }
-                catch {
-                    return { collection: repo.name, repoName, teams: [], collaborators: [] };
-                }
-            }));
-            return reply.send(results);
-        }
-        catch (err) {
-            return reply.status(500).send({ error: err.message });
-        }
+export async function registerPermissionsApiRoutes(fastify, authService, workspaceManager) {
+    // GET /api/permissions/collections — all collections with their granted users
+    fastify.get('/api/permissions/collections', async (req, reply) => {
+        const user = req.user;
+        if (user && user.role !== 'admin') {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const repos = workspaceManager.getAllRepoConfigs();
+        const result = repos.map(repo => ({
+            collection: repo.name,
+            users: authService.getCollectionUsers(repo.name),
+        }));
+        return reply.send(result);
     });
-    // POST /api/permissions/collections/:collection/grant — grant user access via auto-team
-    fastify.post('/api/permissions/collections/:collection/grant', async (req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        const { username, permission } = req.body ?? {};
-        if (!username) {
-            return reply.status(400).send({ error: 'username is required' });
-        }
-        const repo = findRepo(workspaceConfig, req.params.collection);
-        if (!repo) {
-            return reply.status(404).send({ error: 'Collection not found' });
-        }
-        const repoName = extractRepoName(repo.github_url) ?? repo.name;
-        try {
-            const result = await service.grantAccessViaTeam(repoName, username, permission ?? 'push');
-            return reply.send(result);
-        }
-        catch (err) {
-            return reply.status(err?.status ?? 500).send({ error: err.message });
-        }
+    // POST /api/permissions/grant — grant user access to a collection
+    fastify.post('/api/permissions/grant', async (req, reply) => {
+        const user = req.user;
+        if (user && user.role !== 'admin') {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { userId, collection } = req.body ?? {};
+        if (!userId || !collection) {
+            return reply.status(400).send({ error: 'userId and collection are required' });
+        }
+        authService.grantCollectionAccess(userId, collection);
+        return reply.send({ ok: true });
     });
-    // DELETE /api/permissions/collections/:collection/revoke/:username — revoke user access
-    fastify.delete('/api/permissions/collections/:collection/revoke/:username', async (req, reply) => {
-        const service = getGitHubService(workspaceConfig);
-        if (!service) {
-            return reply.status(400).send({ error: 'GitHub not configured' });
-        }
-        const repo = findRepo(workspaceConfig, req.params.collection);
-        if (!repo) {
-            return reply.status(404).send({ error: 'Collection not found' });
-        }
-        const repoName = extractRepoName(repo.github_url) ?? repo.name;
-        const { username } = req.params;
-        try {
-            try {
-                await service.removeFromTeam(repoName, username);
-            }
-            catch { /* not on team */ }
-            try {
-                await service.revokeUserAccess(repoName, username);
-            }
-            catch { /* not a collaborator */ }
-            return reply.send({ ok: true });
-        }
-        catch (err) {
-            return reply.status(err?.status ?? 500).send({ error: err.message });
-        }
+    // POST /api/permissions/revoke — revoke user access to a collection
+    fastify.post('/api/permissions/revoke', async (req, reply) => {
+        const user = req.user;
+        if (user && user.role !== 'admin') {
+            return reply.status(403).send({ error: 'Admin access required' });
+        }
+        const { userId, collection } = req.body ?? {};
+        if (!userId || !collection) {
+            return reply.status(400).send({ error: 'userId and collection are required' });
+        }
+        authService.revokeCollectionAccess(userId, collection);
+        return reply.send({ ok: true });
     });
 }
-/** Extract repo name from a GitHub URL like https://github.com/org/repo-name.git */
-function extractRepoName(url) {
-    if (!url)
-        return undefined;
-    const match = url.match(/\/([^/]+?)(?:\.git)?$/);
-    return match?.[1];
-}
-/** Find a repo config by collection name */
-function findRepo(config, collection) {
-    return config.repos?.find(r => r.name === collection);
-}
 //# sourceMappingURL=permissions-api.js.map

package/dist/server/routes/permissions-api.js.map

@@ -1 +1 @@
-{"version":3,"file":"permissions-api.js","sourceRoot":"","sources":["../../../src/server/routes/permissions-api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,SAAS,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAEjE,SAAS,gBAAgB,CAAC,MAAuB;IAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAC/B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,MAAM,OAAO,GAAG,uBAAuB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,OAAO,IAAI,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAwB,EACxB,eAAgC;IAGhC,gEAAgE;IAChE,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE;QACzD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAChD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,CAAC,CAAC;QAClE,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,kDAAkD;IAClD,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5D,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC;YAC5C,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,OAAO,CAAC,IAAI,CACV,iCAAiC,EACjC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;YACrD,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,MAAM,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACnC,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,GAAG,EAAE,MAAM,KAAK,GAAG,EAAE,CAAC;gBACxB,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;IAEF,mEAAmE;IACnE,OAAO,CAAC,MAAM,CACZ,oCAAoC,EACpC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;IAEF,qEAAqE;IACrE,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,IAAI,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,KAAK;iBACF,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;iBACvB,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;gBAClB,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;gBAC/D,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;oBACrD,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC;gBACxD,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;gBAC3E,CAAC;YACH,CAAC,CAAC,CACL,CAAC;YACF,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,wFAAwF;IACxF,OAAO,CAAC,IAAI,CACV,gDAAgD,EAChD,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,IAAI,GAAG,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;QAE/D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,IAAI,MAAM,CAAC,CAAC;YAC1F,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;IAEF,wFAAwF;IACxF,OAAO,CAAC,MAAM,CACZ,2DAA2D,EAC3D,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,IAAI,GAAG,QAAQ,CAAC,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC;QAC/D,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;QAEhC,IAAI,CAAC;YACH,IAAI,CAAC;gBAAC,MAAM,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;YACrF,IAAI,CAAC;gBAAC,MAAM,OAAO,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YAC9F,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAClC,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC;AAED,oFAAoF;AACpF,SAAS,eAAe,CAAC,GAAY;IACnC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACjD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC;AAED,4CAA4C;AAC5C,SAAS,QAAQ,CAAC,MAAuB,EAAE,UAAkB;IAC3D,OAAO,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;AACxD,CAAC"}
+{"version":3,"file":"permissions-api.js","sourceRoot":"","sources":["../../../src/server/routes/permissions-api.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAwB,EACxB,WAAwB,EACxB,gBAAkC;IAGlC,8EAA8E;IAC9E,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAC/D,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,KAAK,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;QACnD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChC,UAAU,EAAE,IAAI,CAAC,IAAI;YACrB,KAAK,EAAE,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;SACjD,CAAC,CAAC,CAAC;QAEJ,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,kEAAkE;IAClE,OAAO,CAAC,IAAI,CACV,wBAAwB,EACxB,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC9C,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YAC3B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACjF,CAAC;QAED,WAAW,CAAC,qBAAqB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACtD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;IAEF,oEAAoE;IACpE,OAAO,CAAC,IAAI,CACV,yBAAyB,EACzB,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QACnB,MAAM,IAAI,GAAI,GAAW,CAAC,IAA4B,CAAC;QACvD,IAAI,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAClC,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC9C,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YAC3B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACjF,CAAC;QAED,WAAW,CAAC,sBAAsB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACvD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/server/routes/ws.d.ts

@@ -0,0 +1,7 @@
+/**
+ * WebSocket endpoint — authenticates connections and registers them with the hub.
+ */
+import type { FastifyInstance } from 'fastify';
+import type { AuthService } from '../../services/auth-service.js';
+import type { WsHub } from '../ws-hub.js';
+export declare function registerWsRoute(fastify: FastifyInstance, wsHub: WsHub, authService: AuthService): Promise<void>;

package/dist/server/routes/ws.js

@@ -0,0 +1,35 @@
+/**
+ * WebSocket endpoint — authenticates connections and registers them with the hub.
+ */
+export async function registerWsRoute(fastify, wsHub, authService) {
+    fastify.get('/ws', { websocket: true }, (socket, req) => {
+        // Authenticate via JWT cookie or ?token= query param
+        const cookies = req.cookies;
+        const jwtFromCookie = cookies?.['__sg_token'];
+        const jwtFromQuery = req.query?.token;
+        const token = jwtFromCookie || jwtFromQuery;
+        if (authService.hasUsers()) {
+            if (!token) {
+                socket.send(JSON.stringify({ error: 'Unauthorized' }));
+                socket.close(4001, 'Unauthorized');
+                return;
+            }
+            const user = authService.verifyToken(token);
+            if (!user) {
+                socket.send(JSON.stringify({ error: 'Invalid token' }));
+                socket.close(4001, 'Invalid token');
+                return;
+            }
+            // Determine accessible collections for this user
+            const collections = user.role === 'admin'
+                ? null // admin sees all
+                : authService.getUserCollections(user.id);
+            wsHub.addClient(socket, user, collections);
+        }
+        else {
+            // Open mode — no auth, all collections
+            wsHub.addClient(socket, null, null);
+        }
+    });
+}
+//# sourceMappingURL=ws.js.map

package/dist/server/routes/ws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws.js","sourceRoot":"","sources":["../../../src/server/routes/ws.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAwB,EACxB,KAAY,EACZ,WAAwB;IAExB,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE;QACtD,qDAAqD;QACrD,MAAM,OAAO,GAAG,GAAG,CAAC,OAA6C,CAAC;QAClE,MAAM,aAAa,GAAG,OAAO,EAAE,CAAC,YAAY,CAAC,CAAC;QAC9C,MAAM,YAAY,GAAI,GAAG,CAAC,KAAgC,EAAE,KAAK,CAAC;QAClE,MAAM,KAAK,GAAG,aAAa,IAAI,YAAY,CAAC;QAE5C,IAAI,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;gBACvD,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;gBACnC,OAAO;YACT,CAAC;YACD,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC5C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC;gBACxD,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;gBACpC,OAAO;YACT,CAAC;YAED,iDAAiD;YACjD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,KAAK,OAAO;gBACvC,CAAC,CAAC,IAAI,CAAE,iBAAiB;gBACzB,CAAC,CAAC,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAE5C,KAAK,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,uCAAuC;YACvC,KAAK,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/server/ws-hub.d.ts

@@ -0,0 +1,36 @@
+/**
+ * WebSocket Hub — event bus for real-time change notifications.
+ *
+ * Tracks authenticated WebSocket connections and broadcasts entity/repo
+ * change events scoped to each client's collection access.
+ */
+import type { WebSocket } from 'ws';
+import type { AuthUser } from '../services/auth-service.js';
+export interface WsChangeEvent {
+    type: 'entity_change';
+    action: 'created' | 'updated' | 'deleted';
+    repo: string;
+    entityType: string;
+    entityId: string;
+    actor: string;
+    source: 'api' | 'git-push';
+    timestamp: string;
+}
+export interface WsRepoSyncEvent {
+    type: 'repo_sync';
+    repo: string;
+    source: 'git-push';
+    actor: string;
+    timestamp: string;
+}
+export type WsEvent = WsChangeEvent | WsRepoSyncEvent;
+export declare class WsHub {
+    private clients;
+    private heartbeatTimer;
+    constructor();
+    addClient(ws: WebSocket, user: AuthUser | null, collections: string[] | null): void;
+    broadcast(event: WsEvent): void;
+    get connectionCount(): number;
+    destroy(): void;
+    private canReceive;
+}

package/dist/server/ws-hub.js

@@ -0,0 +1,63 @@
+/**
+ * WebSocket Hub — event bus for real-time change notifications.
+ *
+ * Tracks authenticated WebSocket connections and broadcasts entity/repo
+ * change events scoped to each client's collection access.
+ */
+export class WsHub {
+    clients = new Set();
+    heartbeatTimer = null;
+    constructor() {
+        // Ping all clients every 30s, drop unresponsive ones
+        this.heartbeatTimer = setInterval(() => {
+            for (const client of this.clients) {
+                if (client.ws.readyState === 1 /* OPEN */) {
+                    client.ws.ping();
+                }
+                else {
+                    this.clients.delete(client);
+                }
+            }
+        }, 30_000);
+    }
+    addClient(ws, user, collections) {
+        const client = {
+            ws,
+            user,
+            collections: collections ? new Set(collections) : null,
+        };
+        this.clients.add(client);
+        ws.on('close', () => this.clients.delete(client));
+        ws.on('error', () => this.clients.delete(client));
+    }
+    broadcast(event) {
+        const payload = JSON.stringify(event);
+        for (const client of this.clients) {
+            if (client.ws.readyState !== 1 /* OPEN */)
+                continue;
+            if (!this.canReceive(client, event.repo))
+                continue;
+            client.ws.send(payload);
+        }
+    }
+    get connectionCount() {
+        return this.clients.size;
+    }
+    destroy() {
+        if (this.heartbeatTimer) {
+            clearInterval(this.heartbeatTimer);
+            this.heartbeatTimer = null;
+        }
+        for (const client of this.clients) {
+            client.ws.close();
+        }
+        this.clients.clear();
+    }
+    canReceive(client, repo) {
+        // Open mode or null collections = receives everything
+        if (!client.collections)
+            return true;
+        return client.collections.has(repo);
+    }
+}
+//# sourceMappingURL=ws-hub.js.map

package/dist/server/ws-hub.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws-hub.js","sourceRoot":"","sources":["../../src/server/ws-hub.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgCH,MAAM,OAAO,KAAK;IACR,OAAO,GAAG,IAAI,GAAG,EAAY,CAAC;IAC9B,cAAc,GAA0C,IAAI,CAAC;IAErE;QACE,qDAAqD;QACrD,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE;YACrC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,MAAM,CAAC,EAAE,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU,EAAE,CAAC;oBAC1C,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;gBACnB,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC,EAAE,MAAM,CAAC,CAAC;IACb,CAAC;IAED,SAAS,CAAC,EAAa,EAAE,IAAqB,EAAE,WAA4B;QAC1E,MAAM,MAAM,GAAa;YACvB,EAAE;YACF,IAAI;YACJ,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI;SACvD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEzB,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QAClD,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,SAAS,CAAC,KAAc;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACtC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,MAAM,CAAC,EAAE,CAAC,UAAU,KAAK,CAAC,CAAC,UAAU;gBAAE,SAAS;YACpD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC;gBAAE,SAAS;YACnD,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,IAAI,eAAe;QACjB,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED,OAAO;QACL,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAEO,UAAU,CAAC,MAAgB,EAAE,IAAY;QAC/C,sDAAsD;QACtD,IAAI,CAAC,MAAM,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACrC,OAAO,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;CACF"}

package/dist/services/auth-service.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Authentication service
+ *
+ * SQLite-backed user store with bcrypt password hashing and JWT sessions.
+ * Database lives at .studiograph/auth.db inside the workspace.
+ *
+ * Auth state is portable via .studiograph/auth-seed.json — a JSON export of
+ * all users (with bcrypt hashes) and the JWT secret. The seed file is
+ * committed to the config repo so it syncs between local and Railway:
+ *   local setup → commit → push → Railway redeploy → users restored from seed
+ */
+export interface AuthUser {
+    id: number;
+    email: string;
+    displayName: string;
+    role: 'admin' | 'member';
+    createdAt: string;
+}
+export interface AuthSeed {
+    jwtSecret: string;
+    users: Array<{
+        email: string;
+        password_hash: string;
+        display_name: string;
+        role: string;
+        created_at: string;
+    }>;
+    collection_access?: Array<{
+        user_email: string;
+        collection_name: string;
+    }>;
+}
+export declare class AuthService {
+    private db;
+    private jwtSecret;
+    private sgDir;
+    constructor(workspacePath: string);
+    createUser(email: string, password: string, displayName: string, role?: 'admin' | 'member'): AuthUser;
+    authenticate(email: string, password: string): {
+        user: AuthUser;
+        token: string;
+    } | null;
+    verifyToken(token: string): AuthUser | null;
+    listUsers(): AuthUser[];
+    deleteUser(email: string): boolean;
+    updatePassword(email: string, newPassword: string): boolean;
+    grantCollectionAccess(userId: number, collectionName: string): void;
+    revokeCollectionAccess(userId: number, collectionName: string): void;
+    getUserCollections(userId: number): string[];
+    getCollectionUsers(collectionName: string): AuthUser[];
+    renameCollection(oldName: string, newName: string): void;
+    hasUsers(): boolean;
+    getUserCount(): number;
+    /**
+     * Ensure auth.db and auth-secret are in .studiograph/.gitignore.
+     * Only the seed JSON file should be committed to the config repo.
+     */
+    private ensureGitignore;
+    /**
+     * Export all users and JWT secret to .studiograph/auth-seed.json.
+     * If .studiograph/ is a git repo with a remote, auto-commits and pushes
+     * the seed file so it syncs between environments.
+     */
+    exportSeed(): void;
+    /**
+     * Commit and push auth-seed.json if .studiograph/ is a git repo with a remote.
+     * Non-fatal — logs warnings on failure but never throws.
+     */
+    private pushSeed;
+    /**
+     * Import users and JWT secret from .studiograph/auth-seed.json.
+     * Only runs when the database is empty (fresh boot / volume wipe).
+     */
+    private importFromSeed;
+    close(): void;
+    private toAuthUser;
+}