chore: update TASKS.md — phase 5 complete, VER-001 in-progress

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/api/src/admin/admin.service.spec.ts

@@ -24,7 +24,15 @@ describe("AdminService", () => {
     workspaceMember: {
       create: vi.fn(),
     },
-    $transaction: vi.fn(),
+    session: {
+      deleteMany: vi.fn(),
+    },
+    $transaction: vi.fn(async (ops) => {
+      if (typeof ops === "function") {
+        return ops(mockPrismaService);
+      }
+      return Promise.all(ops);
+    }),
   };
 
   const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
@@ -82,10 +90,6 @@ describe("AdminService", () => {
     service = module.get<AdminService>(AdminService);
 
     vi.clearAllMocks();
-
-    mockPrismaService.$transaction.mockImplementation(async (fn: (tx: unknown) => unknown) => {
-      return fn(mockPrismaService);
-    });
   });
 
   it("should be defined", () => {
@@ -325,12 +329,13 @@ describe("AdminService", () => {
   });
 
   describe("deactivateUser", () => {
-    it("should set deactivatedAt on the user", async () => {
+    it("should set deactivatedAt and invalidate sessions", async () => {
       mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
       mockPrismaService.user.update.mockResolvedValue({
         ...mockUser,
         deactivatedAt: new Date(),
       });
+      mockPrismaService.session.deleteMany.mockResolvedValue({ count: 3 });
 
       const result = await service.deactivateUser(mockUserId);
 
@@ -341,6 +346,7 @@ describe("AdminService", () => {
           data: { deactivatedAt: expect.any(Date) },
         })
       );
+      expect(mockPrismaService.session.deleteMany).toHaveBeenCalledWith({ where: { userId: mockUserId } });
     });
 
     it("should throw NotFoundException if user does not exist", async () => {

apps/api/src/admin/admin.service.ts

@@ -192,7 +192,8 @@ export class AdminService {
       throw new BadRequestException(`User ${id} is already deactivated`);
     }
 
-    const user = await this.prisma.user.update({
+    const [user] = await this.prisma.$transaction([
+      this.prisma.user.update({
         where: { id },
         data: { deactivatedAt: new Date() },
         include: {
@@ -202,9 +203,11 @@ export class AdminService {
             },
           },
         },
-    });
+      }),
+      this.prisma.session.deleteMany({ where: { userId: id } }),
+    ]);
 
-    this.logger.log(`User deactivated: ${id}`);
+    this.logger.log(`User deactivated and sessions invalidated: ${id}`);
 
     return {
       id: user.id,

apps/web/src/app/(authenticated)/settings/users/page.tsx

@@ -42,6 +42,7 @@ import {
   AlertDialogHeader,
   AlertDialogTitle,
 } from "@/components/ui/alert-dialog";
+import { fetchUserWorkspaces } from "@/lib/api/workspaces";
 import {
   deactivateUser,
   fetchAdminUsers,
@@ -105,6 +106,8 @@ export default function UsersSettingsPage(): ReactElement {
   const [editError, setEditError] = useState<string | null>(null);
   const [isEditing, setIsEditing] = useState<boolean>(false);
 
+  const [isAdmin, setIsAdmin] = useState<boolean | null>(null);
+
   const loadUsers = useCallback(async (showLoadingState: boolean): Promise<void> => {
     try {
       if (showLoadingState) {
@@ -129,6 +132,20 @@ export default function UsersSettingsPage(): ReactElement {
     void loadUsers(true);
   }, [loadUsers]);
 
+  useEffect(() => {
+    fetchUserWorkspaces()
+      .then((workspaces) => {
+        const adminRoles: WorkspaceMemberRole[] = [
+          WorkspaceMemberRole.OWNER,
+          WorkspaceMemberRole.ADMIN,
+        ];
+        setIsAdmin(workspaces.some((ws) => adminRoles.includes(ws.role)));
+      })
+      .catch(() => {
+        setIsAdmin(true); // fail open
+      });
+  }, []);
+
   function resetInviteForm(): void {
     setInviteForm(INITIAL_INVITE_FORM);
     setInviteError(null);
@@ -212,6 +229,17 @@ export default function UsersSettingsPage(): ReactElement {
     }
   }
 
+  if (isAdmin === false) {
+    return (
+      <div className="p-8 max-w-2xl">
+        <div className="rounded-lg border border-red-200 bg-red-50 p-6 text-center">
+          <p className="text-lg font-semibold text-red-700">Access Denied</p>
+          <p className="mt-2 text-sm text-red-600">You need Admin or Owner role to manage users.</p>
+        </div>
+      </div>
+    );
+  }
+
   return (
     <div className="max-w-6xl mx-auto p-6 space-y-6">
       <div className="flex items-start justify-between gap-4">

apps/web/src/lib/api/admin.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import * as client from "./client";
+import { fetchAdminUsers, inviteUser, updateUser, deactivateUser } from "./admin";
+
+vi.mock("./client");
+
+beforeEach((): void => {
+  vi.clearAllMocks();
+});
+
+describe("fetchAdminUsers", (): void => {
+  it("calls admin/users endpoint without params when none provided", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce({ data: [], meta: {} } as never);
+    await fetchAdminUsers();
+    expect(client.apiGet).toHaveBeenCalledWith("/api/admin/users");
+  });
+
+  it("appends page and limit params when provided", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce({ data: [], meta: {} } as never);
+    await fetchAdminUsers(2, 50);
+    expect(client.apiGet).toHaveBeenCalledWith("/api/admin/users?page=2&limit=50");
+  });
+
+  it("throws on API error", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockRejectedValueOnce(new Error("Network error"));
+    await expect(fetchAdminUsers()).rejects.toThrow("Network error");
+  });
+});
+
+describe("inviteUser", (): void => {
+  it("posts to invite endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiPost).mockResolvedValueOnce({ id: "inv-1" } as never);
+    await inviteUser({
+      email: "a@b.com",
+      name: "Alice",
+      workspaceId: "ws-1",
+      role: "MEMBER" as never,
+    });
+    expect(client.apiPost).toHaveBeenCalledWith(
+      "/api/admin/users/invite",
+      expect.objectContaining({ email: "a@b.com" })
+    );
+  });
+});
+
+describe("updateUser", (): void => {
+  it("patches correct endpoint with dto", async (): Promise<void> => {
+    vi.mocked(client.apiPatch).mockResolvedValueOnce({ id: "u1", name: "Bob" } as never);
+    await updateUser("u1", { name: "Bob" });
+    expect(client.apiPatch).toHaveBeenCalledWith("/api/admin/users/u1", { name: "Bob" });
+  });
+});
+
+describe("deactivateUser", (): void => {
+  it("deletes correct endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiDelete).mockResolvedValueOnce({} as never);
+    await deactivateUser("u1");
+    expect(client.apiDelete).toHaveBeenCalledWith("/api/admin/users/u1");
+  });
+});

apps/web/src/lib/api/teams.test.ts

@@ -0,0 +1,53 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import * as client from "./client";
+import { fetchTeams, createTeam, fetchTeamMembers } from "./teams";
+
+vi.mock("./client");
+
+const localStorageMock = {
+  getItem: vi.fn().mockReturnValue("ws-1"),
+  setItem: vi.fn(),
+  clear: vi.fn(),
+  removeItem: vi.fn(),
+  length: 0,
+  key: vi.fn(),
+};
+Object.defineProperty(window, "localStorage", { value: localStorageMock });
+
+beforeEach((): void => {
+  vi.clearAllMocks();
+  localStorageMock.getItem.mockReturnValue("ws-1");
+});
+
+describe("fetchTeams", (): void => {
+  it("calls teams endpoint for active workspace", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce([] as never);
+    await fetchTeams();
+    expect(client.apiGet).toHaveBeenCalledWith("/api/workspaces/ws-1/teams", "ws-1");
+  });
+
+  it("throws if no workspace id in localStorage", async (): Promise<void> => {
+    localStorageMock.getItem.mockReturnValue(null);
+    await expect(fetchTeams()).rejects.toThrow();
+  });
+});
+
+describe("createTeam", (): void => {
+  it("posts to teams endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiPost).mockResolvedValueOnce({ id: "t1", name: "Dev" } as never);
+    await createTeam({ name: "Dev" });
+    expect(client.apiPost).toHaveBeenCalledWith(
+      "/api/workspaces/ws-1/teams",
+      expect.objectContaining({ name: "Dev" }),
+      "ws-1"
+    );
+  });
+});
+
+describe("fetchTeamMembers", (): void => {
+  it("calls members endpoint for team", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce([] as never);
+    await fetchTeamMembers("t-1");
+    expect(client.apiGet).toHaveBeenCalledWith("/api/workspaces/ws-1/teams/t-1/members", "ws-1");
+  });
+});

apps/web/src/lib/api/workspaces.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import * as client from "./client";
+import {
+  fetchUserWorkspaces,
+  fetchWorkspaceMembers,
+  addWorkspaceMember,
+  updateWorkspaceMemberRole,
+  removeWorkspaceMember,
+} from "./workspaces";
+
+vi.mock("./client");
+
+beforeEach((): void => {
+  vi.clearAllMocks();
+});
+
+describe("fetchUserWorkspaces", (): void => {
+  it("calls correct endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce([] as never);
+    await fetchUserWorkspaces();
+    expect(client.apiGet).toHaveBeenCalledWith("/api/workspaces");
+  });
+});
+
+describe("fetchWorkspaceMembers", (): void => {
+  it("calls correct endpoint with workspace id", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockResolvedValueOnce([] as never);
+    await fetchWorkspaceMembers("ws-1");
+    expect(client.apiGet).toHaveBeenCalledWith("/api/workspaces/ws-1/members");
+  });
+
+  it("throws on error", async (): Promise<void> => {
+    vi.mocked(client.apiGet).mockRejectedValueOnce(new Error("Forbidden"));
+    await expect(fetchWorkspaceMembers("ws-1")).rejects.toThrow("Forbidden");
+  });
+});
+
+describe("addWorkspaceMember", (): void => {
+  it("posts to correct endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiPost).mockResolvedValueOnce({} as never);
+    await addWorkspaceMember("ws-1", { userId: "u1", role: "MEMBER" as never });
+    expect(client.apiPost).toHaveBeenCalledWith("/api/workspaces/ws-1/members", {
+      userId: "u1",
+      role: "MEMBER",
+    });
+  });
+});
+
+describe("updateWorkspaceMemberRole", (): void => {
+  it("patches correct endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiPatch).mockResolvedValueOnce({} as never);
+    await updateWorkspaceMemberRole("ws-1", "u1", { role: "ADMIN" as never });
+    expect(client.apiPatch).toHaveBeenCalledWith("/api/workspaces/ws-1/members/u1", {
+      role: "ADMIN",
+    });
+  });
+});
+
+describe("removeWorkspaceMember", (): void => {
+  it("calls delete on correct endpoint", async (): Promise<void> => {
+    vi.mocked(client.apiDelete).mockResolvedValueOnce(undefined as never);
+    await removeWorkspaceMember("ws-1", "u1");
+    expect(client.apiDelete).toHaveBeenCalledWith("/api/workspaces/ws-1/members/u1");
+  });
+});

docs/TASKS.md

@@ -33,9 +33,9 @@
 | MS21-TEST-004  | not-started | phase-4   | Frontend component tests                                                          | #569     | web   | test/ms21-ui                   | MS21-UI-001,MS21-UI-002,MS21-UI-003,MS21-UI-004,MS21-UI-005 | —                          | —               | —          | —            | 20K      | —    |                                                                                                                       |
 | MS21-RBAC-001  | not-started | phase-5   | Sidebar navigation role gating                                                    | #570     | web   | feat/ms21-rbac                 | MS21-UI-001                                                 | —                          | —               | —          | —            | 10K      | —    |                                                                                                                       |
 | MS21-RBAC-002  | not-started | phase-5   | Settings page access restriction                                                  | #570     | web   | feat/ms21-rbac                 | MS21-RBAC-001                                               | —                          | —               | —          | —            | 8K       | —    |                                                                                                                       |
-| MS21-RBAC-003  | not-started | phase-5   | Action button permission gating                                                   | #570     | web   | feat/ms21-rbac                 | MS21-RBAC-001                                               | —                          | —               | —          | —            | 8K       | —    |                                                                                                                       |
+| MS21-RBAC-003  | done        | phase-5   | Action button permission gating                                                   | #570     | web   | feat/ms21-rbac                 | MS21-RBAC-001                                               | —                          | —               | —          | —            | 8K       | —    |                                                                                                                       |
-| MS21-RBAC-004  | not-started | phase-5   | User profile role display                                                         | #570     | web   | feat/ms21-rbac                 | MS21-RBAC-001                                               | —                          | —               | —          | —            | 5K       | —    |                                                                                                                       |
+| MS21-RBAC-004  | done        | phase-5   | User profile role display                                                         | #570     | web   | feat/ms21-rbac                 | MS21-RBAC-001                                               | —                          | —               | —          | —            | 5K       | —    |                                                                                                                       |
-| MS21-VER-001   | not-started | phase-6   | Full quality gate pass                                                            | #571     | stack | —                              | MS21-TEST-004,MS21-RBAC-004,MS21-MIG-003                    | MS21-VER-002               | —               | —          | —            | 5K       | —    |                                                                                                                       |
+| MS21-VER-001   | in-progress | phase-6   | Full quality gate pass                                                            | #571     | stack | —                              | MS21-TEST-004,MS21-RBAC-004,MS21-MIG-003                    | MS21-VER-002               | —               | —          | —            | 5K       | —    |                                                                                                                       |
 | MS21-VER-002   | not-started | phase-6   | Deploy and smoke test                                                             | #571     | stack | —                              | MS21-VER-001                                                | MS21-VER-003               | —               | —          | —            | 5K       | —    |                                                                                                                       |
 | MS21-VER-003   | not-started | phase-6   | Tag v0.0.21                                                                       | #571     | stack | —                              | MS21-VER-002                                                | —                          | —               | —          | —            | 2K       | —    |                                                                                                                       |