npm - teamcopilot - Versions diffs - 0.0.1 - Mend

teamcopilot 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (209) hide show

package/dist/utils/index.js ADDED Viewed

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.apiHandler = apiHandler;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const client_1 = __importDefault(require("../prisma/client"));
+const assert_1 = require("./assert");
+const jwt_secret_1 = require("./jwt-secret");
+function apiHandler(handler, requireAuth) {
+    return async (req, res, next) => {
+        try {
+            const authHeader = req.headers['authorization'];
+            if (!authHeader && requireAuth) {
+                throw {
+                    status: 401,
+                    message: 'Missing authorization header. Please pass an authorization bearer token in the header.'
+                };
+            }
+            if (authHeader) {
+                const rawToken = authHeader.split(' ')[1];
+                (0, assert_1.assertCondition)(rawToken, 'Missing authorization bearer token');
+                try {
+                    const decoded = jsonwebtoken_1.default.verify(rawToken, (0, jwt_secret_1.getJwtSecret)());
+                    const payload = decoded;
+                    (0, assert_1.assertCondition)(typeof payload.sub === "string" && payload.sub.length > 0, "Invalid authorization token subject");
+                    const user = await client_1.default.users.findUnique({
+                        where: {
+                            id: payload.sub
+                        }
+                    });
+                    if (!user) {
+                        throw {
+                            status: 401,
+                            message: 'Invalid authorization token. Please pass a valid authorization bearer token in the header.'
+                        };
+                    }
+                    req.userId = user.id;
+                    req.email = user.email;
+                    req.name = user.name;
+                    req.role = user.role;
+                    req.opencode_session_id = undefined;
+                    req.tokenUse = payload.token_use === "password_change" ? "password_change" : "access";
+                    req.mustChangePassword = user.must_change_password;
+                }
+                catch (e) {
+                    if (e instanceof jsonwebtoken_1.default.JsonWebTokenError || e instanceof jsonwebtoken_1.default.TokenExpiredError) {
+                        const session = await client_1.default.chat_sessions.findFirst({
+                            where: { opencode_session_id: rawToken },
+                            include: {
+                                user: true
+                            }
+                        });
+                        if (session) {
+                            req.userId = session.user.id;
+                            req.email = session.user.email;
+                            req.name = session.user.name;
+                            req.role = session.user.role;
+                            req.opencode_session_id = session.opencode_session_id;
+                            req.tokenUse = "access";
+                            req.mustChangePassword = session.user.must_change_password;
+                            res.locals.skipResponseSanitization = true;
+                        }
+                    }
+                    else {
+                        throw e;
+                    }
+                }
+            }
+            if (requireAuth && !req.userId) {
+                throw {
+                    status: 401,
+                    message: 'Invalid authorization token. Please pass a valid authorization bearer token in the header.'
+                };
+            }
+            if (requireAuth && req.tokenUse === "password_change") {
+                throw {
+                    status: 401,
+                    message: 'This token can only be used to complete password change.'
+                };
+            }
+            if (requireAuth && req.tokenUse === "access" && req.mustChangePassword) {
+                throw {
+                    status: 401,
+                    message: "Password change is required before using this access token."
+                };
+            }
+            await handler(req, res, next);
+        }
+        catch (e) {
+            next(e);
+        }
+    };
+}

package/dist/utils/jwt-secret.js ADDED Viewed

@@ -0,0 +1,63 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadJwtSecret = loadJwtSecret;
+exports.getJwtSecret = getJwtSecret;
+exports.rotateJwtSecret = rotateJwtSecret;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const client_1 = __importDefault(require("../prisma/client"));
+const assert_1 = require("./assert");
+const AUTH_TOKEN_SECRET_KEY = "jwt_secret";
+let cachedJwtSecret = null;
+function generateJwtSecret() {
+    return node_crypto_1.default.randomBytes(48).toString("hex");
+}
+async function ensureJwtSecret() {
+    const existing = await client_1.default.key_value.findUnique({
+        where: { key: AUTH_TOKEN_SECRET_KEY }
+    });
+    if (existing?.value) {
+        cachedJwtSecret = existing.value;
+        return existing.value;
+    }
+    const generated = generateJwtSecret();
+    try {
+        await client_1.default.key_value.create({
+            data: {
+                key: AUTH_TOKEN_SECRET_KEY,
+                value: generated
+            }
+        });
+        cachedJwtSecret = generated;
+        return generated;
+    }
+    catch (err) {
+        const fallback = await client_1.default.key_value.findUnique({
+            where: { key: AUTH_TOKEN_SECRET_KEY }
+        });
+        if (fallback?.value) {
+            cachedJwtSecret = fallback.value;
+            return fallback.value;
+        }
+        throw err;
+    }
+}
+async function loadJwtSecret() {
+    await ensureJwtSecret();
+}
+function getJwtSecret() {
+    (0, assert_1.assertCondition)(typeof cachedJwtSecret === "string" && cachedJwtSecret.length > 0, "JWT secret not initialized");
+    return cachedJwtSecret;
+}
+async function rotateJwtSecret() {
+    const nextSecret = generateJwtSecret();
+    await client_1.default.key_value.upsert({
+        where: { key: AUTH_TOKEN_SECRET_KEY },
+        create: { key: AUTH_TOKEN_SECRET_KEY, value: nextSecret },
+        update: { value: nextSecret }
+    });
+    cachedJwtSecret = nextSecret;
+    return nextSecret;
+}

package/dist/utils/opencode-auth.js ADDED Viewed

@@ -0,0 +1,126 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfiguredModelProviderId = getConfiguredModelProviderId;
+exports.initializeOpencodeAuthStorage = initializeOpencodeAuthStorage;
+exports.getRuntimeProviderAuth = getRuntimeProviderAuth;
+exports.setRuntimeProviderAuth = setRuntimeProviderAuth;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const assert_1 = require("./assert");
+const workspace_sync_1 = require("./workspace-sync");
+const WORKSPACE_OPENCODE_DIR = ".opencode";
+const WORKSPACE_AUTH_FILE = "auth.json";
+const RUNTIME_DATA_HOME_DIR = "xdg-data";
+function getWorkspaceOpencodeDir() {
+    return path_1.default.join((0, workspace_sync_1.getWorkspaceDirFromEnv)(), WORKSPACE_OPENCODE_DIR);
+}
+function getRuntimeDataHomePath() {
+    return path_1.default.join(getWorkspaceOpencodeDir(), RUNTIME_DATA_HOME_DIR);
+}
+function getRuntimeAuthPath() {
+    return path_1.default.join(getRuntimeDataHomePath(), "opencode", WORKSPACE_AUTH_FILE);
+}
+function normalizeProviderId(providerId) {
+    return providerId.replace(/\/+$/, "");
+}
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.length > 0;
+}
+function isValidProviderAuthInfo(value) {
+    if (!value || typeof value !== "object") {
+        return false;
+    }
+    const candidate = value;
+    if (candidate.type === "api") {
+        return isNonEmptyString(candidate.key);
+    }
+    if (candidate.type === "oauth") {
+        const hasOptionalAccountId = candidate.accountId === undefined || isNonEmptyString(candidate.accountId);
+        const hasOptionalEnterpriseUrl = candidate.enterpriseUrl === undefined || isNonEmptyString(candidate.enterpriseUrl);
+        return (isNonEmptyString(candidate.refresh)
+            && isNonEmptyString(candidate.access)
+            && typeof candidate.expires === "number"
+            && Number.isFinite(candidate.expires)
+            && hasOptionalAccountId
+            && hasOptionalEnterpriseUrl);
+    }
+    return false;
+}
+async function readAuthRecord(filepath) {
+    try {
+        const content = await promises_1.default.readFile(filepath, "utf-8");
+        const parsed = JSON.parse(content);
+        const entries = {};
+        for (const [providerId, info] of Object.entries(parsed)) {
+            if (!isValidProviderAuthInfo(info)) {
+                continue;
+            }
+            entries[providerId] = info;
+        }
+        return entries;
+    }
+    catch (err) {
+        const nodeError = err;
+        if (nodeError.code === "ENOENT") {
+            return {};
+        }
+        throw err;
+    }
+}
+async function writeAuthRecord(filepath, data) {
+    await promises_1.default.mkdir(path_1.default.dirname(filepath), { recursive: true });
+    const tempPath = `${filepath}.tmp-${process.pid}-${Date.now()}`;
+    await promises_1.default.writeFile(tempPath, `${JSON.stringify(data, null, 2)}\n`, {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
+    await promises_1.default.rename(tempPath, filepath);
+    await promises_1.default.chmod(filepath, 0o600).catch(() => { });
+}
+function getConfiguredModelProviderId() {
+    const model = (0, assert_1.assertEnv)("OPENCODE_MODEL");
+    const [providerId, ...parts] = model.split("/");
+    if (!providerId || parts.length === 0) {
+        throw new Error("OPENCODE_MODEL must be in the format <provider>/<model>");
+    }
+    return providerId;
+}
+function configureOpencodeDataHome() {
+    const runtimeDataHome = getRuntimeDataHomePath();
+    process.env.XDG_DATA_HOME = runtimeDataHome;
+    return runtimeDataHome;
+}
+async function initializeOpencodeAuthStorage() {
+    configureOpencodeDataHome();
+    await promises_1.default.mkdir(getWorkspaceOpencodeDir(), { recursive: true });
+    const runtimeAuthPath = getRuntimeAuthPath();
+    try {
+        await promises_1.default.access(runtimeAuthPath);
+    }
+    catch (err) {
+        const nodeError = err;
+        if (nodeError.code !== "ENOENT") {
+            throw err;
+        }
+        await writeAuthRecord(runtimeAuthPath, {});
+    }
+}
+function getAuthForProvider(record, providerId) {
+    const normalizedProviderId = normalizeProviderId(providerId);
+    return record[providerId] || record[normalizedProviderId] || record[`${normalizedProviderId}/`];
+}
+async function getRuntimeProviderAuth(providerId) {
+    const record = await readAuthRecord(getRuntimeAuthPath());
+    return getAuthForProvider(record, providerId);
+}
+async function setRuntimeProviderAuth(providerId, info) {
+    const normalizedProviderId = normalizeProviderId(providerId);
+    const runtimeRecord = await readAuthRecord(getRuntimeAuthPath());
+    delete runtimeRecord[providerId];
+    delete runtimeRecord[`${normalizedProviderId}/`];
+    runtimeRecord[normalizedProviderId] = info;
+    await writeAuthRecord(getRuntimeAuthPath(), runtimeRecord);
+}

package/dist/utils/opencode-client.js ADDED Viewed

@@ -0,0 +1,109 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOpencodeClient = getOpencodeClient;
+exports.getOpencodePort = getOpencodePort;
+exports.getWorkspaceDir = getWorkspaceDir;
+exports.getPendingQuestionForSession = getPendingQuestionForSession;
+exports.listPendingPermissionsForSession = listPendingPermissionsForSession;
+exports.listPendingPermissions = listPendingPermissions;
+exports.replyToPendingQuestion = replyToPendingQuestion;
+exports.replyToPendingPermission = replyToPendingPermission;
+const path_1 = __importDefault(require("path"));
+const assert_1 = require("./assert");
+// Use dynamic import for ESM-only SDK
+let _createOpencodeClient = null;
+async function loadSdk() {
+    if (!_createOpencodeClient) {
+        const sdk = await import("@opencode-ai/sdk");
+        _createOpencodeClient = sdk.createOpencodeClient;
+    }
+    return _createOpencodeClient;
+}
+async function getOpencodeClient() {
+    const createOpencodeClient = await loadSdk();
+    const port = (0, assert_1.parseIntStrict)((0, assert_1.assertEnv)("OPENCODE_PORT"), "OPENCODE_PORT");
+    // Get workspace directory from env, resolve relative paths to absolute
+    let workspaceDir = (0, assert_1.assertEnv)("WORKSPACE_DIR");
+    if (!path_1.default.isAbsolute(workspaceDir)) {
+        workspaceDir = path_1.default.resolve(process.cwd(), workspaceDir);
+    }
+    return createOpencodeClient({
+        baseUrl: `http://localhost:${port}`,
+        directory: workspaceDir
+    });
+}
+function getOpencodePort() {
+    return (0, assert_1.parseIntStrict)((0, assert_1.assertEnv)("OPENCODE_PORT"), "OPENCODE_PORT");
+}
+function getOpencodeBaseUrl() {
+    return `http://localhost:${getOpencodePort()}`;
+}
+function getWorkspaceDir() {
+    let workspaceDir = (0, assert_1.assertEnv)("WORKSPACE_DIR");
+    if (!path_1.default.isAbsolute(workspaceDir)) {
+        workspaceDir = path_1.default.resolve(process.cwd(), workspaceDir);
+    }
+    return workspaceDir;
+}
+async function getPendingQuestionForSession(opencodeSessionId) {
+    const workspaceDir = getWorkspaceDir();
+    const response = await fetch(`${getOpencodeBaseUrl()}/question?directory=${encodeURIComponent(workspaceDir)}`);
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Failed to list pending questions: ${errorText}`);
+    }
+    const questions = await response.json();
+    (0, assert_1.assertCondition)(Array.isArray(questions), "Pending question response is not an array");
+    const match = questions.find((question) => question.sessionID === opencodeSessionId);
+    return match ?? null;
+}
+async function listPendingPermissionsForSession(opencodeSessionId) {
+    const permissions = await listPendingPermissions();
+    const match = permissions.filter((permission) => permission.sessionID === opencodeSessionId);
+    return match;
+}
+async function listPendingPermissions() {
+    const workspaceDir = getWorkspaceDir();
+    const response = await fetch(`${getOpencodeBaseUrl()}/permission?directory=${encodeURIComponent(workspaceDir)}`);
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Failed to list pending permissions: ${errorText}`);
+    }
+    const permissions = await response.json();
+    (0, assert_1.assertCondition)(Array.isArray(permissions), "Pending permission response is not an array");
+    return permissions;
+}
+async function replyToPendingQuestion(questionId, answers) {
+    const workspaceDir = getWorkspaceDir();
+    const response = await fetch(`${getOpencodeBaseUrl()}/question/${encodeURIComponent(questionId)}/reply?directory=${encodeURIComponent(workspaceDir)}`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({ answers })
+    });
+    if (!response.ok) {
+        const errorText = await response.text();
+        throw new Error(`Failed to reply to pending question: ${errorText}`);
+    }
+}
+async function replyToPendingPermission(_opencodeSessionId, permissionId, response) {
+    const workspaceDir = getWorkspaceDir();
+    const replyResponse = await fetch(`${getOpencodeBaseUrl()}/permission/${encodeURIComponent(permissionId)}/reply?directory=${encodeURIComponent(workspaceDir)}`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+            reply: response,
+            message: response === "reject" ? "User rejected permission request" : "User approved permission request"
+        })
+    });
+    if (!replyResponse.ok) {
+        const errorText = await replyResponse.text();
+        throw new Error(`Failed to reply to pending permission: ${errorText}`);
+    }
+}

package/dist/utils/password-policy.js ADDED Viewed

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MIN_PASSWORD_LENGTH = void 0;
+exports.isPasswordValid = isPasswordValid;
+exports.getPasswordPolicyErrorMessage = getPasswordPolicyErrorMessage;
+exports.MIN_PASSWORD_LENGTH = 8;
+function isPasswordValid(password) {
+    return password.length >= exports.MIN_PASSWORD_LENGTH;
+}
+function getPasswordPolicyErrorMessage() {
+    return `Password must be at least ${exports.MIN_PASSWORD_LENGTH} characters`;
+}

package/dist/utils/permission-common.js ADDED Viewed

@@ -0,0 +1,280 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertCommonPermissionMode = assertCommonPermissionMode;
+exports.getResourcePermissionWithUsers = getResourcePermissionWithUsers;
+exports.ensureResourcePermissions = ensureResourcePermissions;
+exports.initializeResourcePermissionsForCreator = initializeResourcePermissionsForCreator;
+exports.addUserToResourcePermissionsIfRestricted = addUserToResourcePermissionsIfRestricted;
+exports.setResourcePermissions = setResourcePermissions;
+const client_1 = __importDefault(require("../prisma/client"));
+const client_2 = require("@prisma/client");
+function assertCommonPermissionMode(mode, label) {
+    if (mode !== "restricted" && mode !== "everyone") {
+        throw {
+            status: 500,
+            message: `Invalid ${label} permission mode: ${mode}`
+        };
+    }
+    return mode;
+}
+async function getExistingUserIds(userIds) {
+    if (userIds.length === 0)
+        return [];
+    const users = await client_1.default.users.findMany({
+        where: { id: { in: userIds } },
+        select: { id: true }
+    });
+    return users.map((user) => user.id);
+}
+async function resolveRestrictedPermissionUserIds(allowedUserIds, ownerUserId) {
+    let dedupedUserIds = Array.from(new Set(allowedUserIds));
+    if (ownerUserId) {
+        const ownerExists = (await getExistingUserIds([ownerUserId])).length === 1;
+        if (ownerExists && !dedupedUserIds.includes(ownerUserId)) {
+            dedupedUserIds = [...dedupedUserIds, ownerUserId];
+        }
+    }
+    if (dedupedUserIds.length === 0) {
+        throw {
+            status: 400,
+            message: "restricted permissions require at least one allowed user"
+        };
+    }
+    const existingUserIds = await getExistingUserIds(dedupedUserIds);
+    if (existingUserIds.length !== dedupedUserIds.length) {
+        throw {
+            status: 400,
+            message: "One or more selected users do not exist"
+        };
+    }
+    return existingUserIds;
+}
+async function getResourcePermissionWithUsers(resourceKind, slug, notFoundLabel) {
+    const permission = await client_1.default.resource_permissions.findUnique({
+        where: {
+            resource_kind_resource_slug: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        },
+        include: {
+            allowedUsers: {
+                include: {
+                    user: {
+                        select: { id: true, name: true, email: true }
+                    }
+                },
+                orderBy: { created_at: "asc" }
+            }
+        }
+    });
+    if (!permission) {
+        throw {
+            status: 500,
+            message: `${notFoundLabel} permissions missing for ${notFoundLabel.toLowerCase()}: ${slug}`
+        };
+    }
+    return permission;
+}
+async function ensureResourcePermissions(resourceKind, slug, candidateUserIds) {
+    const existing = await client_1.default.resource_permissions.findUnique({
+        where: {
+            resource_kind_resource_slug: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        },
+        select: { resource_slug: true }
+    });
+    if (existing)
+        return;
+    const existingUserIds = await getExistingUserIds(Array.from(new Set(candidateUserIds)));
+    const now = BigInt(Date.now());
+    try {
+        await client_1.default.resource_permissions.create({
+            data: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+                permission_mode: "restricted",
+                created_at: now,
+                updated_at: now,
+                allowedUsers: existingUserIds.length > 0 ? {
+                    createMany: {
+                        data: existingUserIds.map((userId) => ({
+                            user_id: userId,
+                            created_at: now
+                        }))
+                    }
+                } : undefined
+            }
+        });
+    }
+    catch (err) {
+        if (err instanceof client_2.Prisma.PrismaClientKnownRequestError && err.code === "P2002") {
+            return;
+        }
+        throw err;
+    }
+}
+async function initializeResourcePermissionsForCreator(resourceKind, slug, creatorUserId) {
+    const existing = await client_1.default.resource_permissions.findUnique({
+        where: {
+            resource_kind_resource_slug: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        },
+        select: { permission_mode: true }
+    });
+    const now = BigInt(Date.now());
+    if (!existing) {
+        await client_1.default.resource_permissions.create({
+            data: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+                permission_mode: "restricted",
+                created_at: now,
+                updated_at: now,
+                allowedUsers: {
+                    create: {
+                        user_id: creatorUserId,
+                        created_at: now
+                    }
+                }
+            }
+        });
+        return;
+    }
+    if (existing.permission_mode === "restricted") {
+        await client_1.default.resource_permissions.update({
+            where: {
+                resource_kind_resource_slug: {
+                    resource_kind: resourceKind,
+                    resource_slug: slug,
+                }
+            },
+            data: {
+                updated_at: now,
+                allowedUsers: {
+                    connectOrCreate: {
+                        where: {
+                            resource_kind_resource_slug_user_id: {
+                                resource_kind: resourceKind,
+                                resource_slug: slug,
+                                user_id: creatorUserId,
+                            }
+                        },
+                        create: {
+                            user_id: creatorUserId,
+                            created_at: now
+                        }
+                    }
+                }
+            }
+        });
+    }
+}
+async function addUserToResourcePermissionsIfRestricted(resourceKind, slug, userId, ownerUserId) {
+    const permission = await client_1.default.resource_permissions.findUnique({
+        where: {
+            resource_kind_resource_slug: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        },
+        select: { permission_mode: true }
+    });
+    if (!permission) {
+        await ensureResourcePermissions(resourceKind, slug, [ownerUserId, userId].filter((id) => Boolean(id)));
+        return;
+    }
+    if (permission.permission_mode !== "restricted") {
+        return;
+    }
+    const now = BigInt(Date.now());
+    await client_1.default.resource_permissions.update({
+        where: {
+            resource_kind_resource_slug: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        },
+        data: {
+            updated_at: now,
+            allowedUsers: {
+                connectOrCreate: {
+                    where: {
+                        resource_kind_resource_slug_user_id: {
+                            resource_kind: resourceKind,
+                            resource_slug: slug,
+                            user_id: userId,
+                        }
+                    },
+                    create: {
+                        user_id: userId,
+                        created_at: now
+                    }
+                }
+            }
+        }
+    });
+}
+async function setResourcePermissions(resourceKind, slug, payload, ownerUserId) {
+    const now = BigInt(Date.now());
+    if (payload.mode === "everyone") {
+        await client_1.default.$transaction(async (tx) => {
+            await tx.resource_permissions.update({
+                where: {
+                    resource_kind_resource_slug: {
+                        resource_kind: resourceKind,
+                        resource_slug: slug,
+                    }
+                },
+                data: {
+                    permission_mode: "everyone",
+                    updated_at: now
+                }
+            });
+            await tx.resource_permission_users.deleteMany({
+                where: {
+                    resource_kind: resourceKind,
+                    resource_slug: slug,
+                }
+            });
+        });
+        return getResourcePermissionWithUsers(resourceKind, slug, resourceKind === "workflow" ? "Workflow run" : "Skill access");
+    }
+    const existingUserIds = await resolveRestrictedPermissionUserIds(payload.allowed_user_ids, ownerUserId);
+    await client_1.default.$transaction(async (tx) => {
+        await tx.resource_permissions.update({
+            where: {
+                resource_kind_resource_slug: {
+                    resource_kind: resourceKind,
+                    resource_slug: slug,
+                }
+            },
+            data: {
+                permission_mode: "restricted",
+                updated_at: now
+            }
+        });
+        await tx.resource_permission_users.deleteMany({
+            where: {
+                resource_kind: resourceKind,
+                resource_slug: slug,
+            }
+        });
+        await tx.resource_permission_users.createMany({
+            data: existingUserIds.map((userId) => ({
+                resource_kind: resourceKind,
+                resource_slug: slug,
+                user_id: userId,
+                created_at: now
+            }))
+        });
+    });
+    return getResourcePermissionWithUsers(resourceKind, slug, resourceKind === "workflow" ? "Workflow run" : "Skill access");
+}