mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: mosaic:v0.20.0
Branches Tags
mosaic:main mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2
..
compare: mosaic:feat/ms21-users-page
Branches Tags
mosaic:main mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2

14 Commits
v0.20.0 ... feat/ms21-

Author SHA1 Message Date
Jason Woltje
1310eff96c feat(web): add admin user management components (in progress)
Some checks failed
ci/woodpecker/push/web Pipeline failed
Details 
- InviteUserDialog.tsx
- admin.ts API client

Hit rate limit mid-flight. Continuing work.
 2026-02-28 12:47:44 -06:00
Jason Woltje
85d3f930f3 chore: update TASKS.md — phases 1-3 complete, CI confirmed green (#565) 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 18:39:14 +00:00
Jason Woltje
0e6734bdae feat(api): add team management module with CRUD endpoints (#564)
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 18:24:09 +00:00
Jason Woltje
5bcaaeddd9 fix(api): increase flaky test timeouts for CI (#562)
All checks were successful
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 18:20:39 +00:00
jason.woltje
676a2a288b Merge pull request 'ci: enable turborepo remote cache for all Node.js pipelines' (#527) from ci/turbo-remote-cache into main
Some checks are pending
ci/woodpecker/push/orchestrator Pipeline is pending
Details
ci/woodpecker/push/coordinator Pipeline is running
Details
ci/woodpecker/push/infra Pipeline is running
Details
ci/woodpecker/push/api Pipeline is running
Details
ci/woodpecker/push/web Pipeline was successful
Details 
Reviewed-on: #527
 2026-02-28 18:07:05 +00:00
Jason Woltje
ac16d6ed88 feat(api): add break-glass local authentication module (#559)
Some checks failed
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 18:05:19 +00:00
Jason Woltje
8388d49786 feat(api): add workspace member management endpoints (#556)
Some checks are pending
ci/woodpecker/push/api Pipeline is running
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 18:01:05 +00:00
Jason Woltje
20f914ea85 feat(api): add AdminModule with user and workspace management endpoints (#555)
Some checks failed
ci/woodpecker/push/api Pipeline failed
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 17:56:54 +00:00
Jason Woltje
1b84741f1a feat(scripts): add jarvis-brain data migration script (#554)
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 17:47:07 +00:00
Jason Woltje
ffc10c9a45 feat(api): add MS21 user fields for admin, local auth, and invitations (#553)
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 17:47:03 +00:00
jason.woltje
62d9ac0e5a Merge branch 'main' into ci/turbo-remote-cache
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details
2026-02-28 17:42:26 +00:00
Jason Woltje
8098504fb8 chore: bootstrap MS21 Multi-Tenant RBAC Data Migration mission (#552) 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 17:12:22 +00:00
Jason Woltje
128431ba58 fix(api,web): separate workspace context from auth session (#551)
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-28 15:14:29 +00:00
Jason Woltje
5ed0a859da ci: enable turborepo remote cache for all Node.js pipelines
Some checks failed
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details 
Connect to self-hosted turbo cache at turbo.mosaicstack.dev.
Convert lint/typecheck/test/build steps to use pnpm turbo with
remote cache env vars, removing manual build-shared steps since
turbo handles the dependency graph automatically.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-26 19:34:11 -06:00
74 changed files with 6377 additions and 226 deletions
Expand all files Collapse all files

84
.mosaic/orchestrator/mission.json
View File

@@ -1,14 +1,80 @@
{ {
"schema_version": 1, "schema_version": 1,
"mission_id": "prd-implementation-20260222", "mission_id": "ms21-multi-tenant-rbac-data-migration-20260228",
"name": "PRD implementation", "name": "MS21 Multi-Tenant RBAC Data Migration",
"description": "", "description": "Build multi-tenant user/workspace/team management, break-glass auth, RBAC UI enforcement, and migrate jarvis-brain data into Mosaic Stack",
"project_path": "/home/jwoltje/src/mosaic-stack", "project_path": "/home/jwoltje/src/mosaic-stack",
"created_at": "2026-02-23T03:20:55Z", "created_at": "2026-02-28T17:10:22Z",
"status": "active", "status": "active",
"task_prefix": "", "task_prefix": "MS21",
"quality_gates": "", "quality_gates": "pnpm lint && pnpm build && pnpm test",
"milestone_version": "0.0.20", "milestone_version": "0.0.21",
"milestones": [], "milestones": [
"sessions": [] {
"id": "phase-1",
"name": "Schema and Admin API",
"status": "pending",
"branch": "schema-and-admin-api",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-2",
"name": "Break-Glass Authentication",
"status": "pending",
"branch": "break-glass-authentication",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-3",
"name": "Data Migration",
"status": "pending",
"branch": "data-migration",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-4",
"name": "Admin UI",
"status": "pending",
"branch": "admin-ui",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-5",
"name": "RBAC UI Enforcement",
"status": "pending",
"branch": "rbac-ui-enforcement",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-6",
"name": "Verification",
"status": "pending",
"branch": "verification",
"issue_ref": "",
"started_at": "",
"completed_at": ""
}
],
"sessions": [
{
"session_id": "sess-001",
"runtime": "unknown",
"started_at": "2026-02-28T17:48:51Z",
"ended_at": "",
"ended_reason": "",
"milestone_at_end": "",
"tasks_completed": [],
"last_task_id": ""
}
]
} }

8
.mosaic/orchestrator/session.lock Normal file
View File

@@ -0,0 +1,8 @@
{
"session_id": "sess-001",
"runtime": "unknown",
"pid": 2396592,
"started_at": "2026-02-28T17:48:51Z",
"project_path": "/tmp/ms21-api-003",
"milestone_id": ""
}

2
apps/api/package.json
View File

@@ -52,6 +52,7 @@
"adm-zip": "^0.5.16", "adm-zip": "^0.5.16",
"archiver": "^7.0.1", "archiver": "^7.0.1",
"axios": "^1.13.5", "axios": "^1.13.5",
"bcryptjs": "^3.0.3",
"better-auth": "^1.4.17", "better-auth": "^1.4.17",
"bullmq": "^5.67.2", "bullmq": "^5.67.2",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
@@ -85,6 +86,7 @@
"@swc/core": "^1.10.18", "@swc/core": "^1.10.18",
"@types/adm-zip": "^0.5.7", "@types/adm-zip": "^0.5.7",
"@types/archiver": "^7.0.0", "@types/archiver": "^7.0.0",
"@types/bcryptjs": "^3.0.0",
"@types/cookie-parser": "^1.4.10", "@types/cookie-parser": "^1.4.10",
"@types/express": "^5.0.1", "@types/express": "^5.0.1",
"@types/highlight.js": "^10.1.0", "@types/highlight.js": "^10.1.0",

8
apps/api/prisma/schema.prisma
View File

@@ -227,6 +227,14 @@ model User {
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
// MS21: Admin, local auth, and invitation fields
deactivatedAt DateTime? @map("deactivated_at") @db.Timestamptz
isLocalAuth Boolean @default(false) @map("is_local_auth")
passwordHash String? @map("password_hash")
invitedBy String? @map("invited_by") @db.Uuid
invitationToken String? @unique @map("invitation_token")
invitedAt DateTime? @map("invited_at") @db.Timestamptz
// Relations // Relations
ownedWorkspaces Workspace[] @relation("WorkspaceOwner") ownedWorkspaces Workspace[] @relation("WorkspaceOwner")
workspaceMemberships WorkspaceMember[] workspaceMemberships WorkspaceMember[]

258
apps/api/src/admin/admin.controller.spec.ts Normal file
View File

@@ -0,0 +1,258 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { AdminController } from "./admin.controller";
import { AdminService } from "./admin.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { AdminGuard } from "../auth/guards/admin.guard";
import { WorkspaceMemberRole } from "@prisma/client";
import type { ExecutionContext } from "@nestjs/common";
describe("AdminController", () => {
let controller: AdminController;
let service: AdminService;
const mockAdminService = {
listUsers: vi.fn(),
inviteUser: vi.fn(),
updateUser: vi.fn(),
deactivateUser: vi.fn(),
createWorkspace: vi.fn(),
updateWorkspace: vi.fn(),
};
const mockAuthGuard = {
canActivate: vi.fn((context: ExecutionContext) => {
const request = context.switchToHttp().getRequest();
request.user = {
id: "550e8400-e29b-41d4-a716-446655440001",
email: "admin@example.com",
name: "Admin User",
};
return true;
}),
};
const mockAdminGuard = {
canActivate: vi.fn(() => true),
};
const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
const mockAdminUser = {
id: mockAdminId,
email: "admin@example.com",
name: "Admin User",
};
const mockUserResponse = {
id: mockUserId,
name: "Test User",
email: "test@example.com",
emailVerified: false,
image: null,
createdAt: new Date("2026-01-01"),
deactivatedAt: null,
isLocalAuth: false,
invitedAt: null,
invitedBy: null,
workspaceMemberships: [],
};
const mockWorkspaceResponse = {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockAdminId,
settings: {},
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
memberCount: 1,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
controllers: [AdminController],
providers: [
{
provide: AdminService,
useValue: mockAdminService,
},
],
})
.overrideGuard(AuthGuard)
.useValue(mockAuthGuard)
.overrideGuard(AdminGuard)
.useValue(mockAdminGuard)
.compile();
controller = module.get<AdminController>(AdminController);
service = module.get<AdminService>(AdminService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(controller).toBeDefined();
});
describe("listUsers", () => {
it("should return paginated users", async () => {
const paginatedResult = {
data: [mockUserResponse],
meta: { total: 1, page: 1, limit: 50, totalPages: 1 },
};
mockAdminService.listUsers.mockResolvedValue(paginatedResult);
const result = await controller.listUsers({ page: 1, limit: 50 });
expect(result).toEqual(paginatedResult);
expect(service.listUsers).toHaveBeenCalledWith(1, 50);
});
it("should use default pagination", async () => {
const paginatedResult = {
data: [],
meta: { total: 0, page: 1, limit: 50, totalPages: 0 },
};
mockAdminService.listUsers.mockResolvedValue(paginatedResult);
await controller.listUsers({});
expect(service.listUsers).toHaveBeenCalledWith(undefined, undefined);
});
});
describe("inviteUser", () => {
it("should invite a user", async () => {
const inviteDto = { email: "new@example.com" };
const invitationResponse = {
userId: "new-id",
invitationToken: "token",
email: "new@example.com",
invitedAt: new Date(),
};
mockAdminService.inviteUser.mockResolvedValue(invitationResponse);
const result = await controller.inviteUser(inviteDto, mockAdminUser);
expect(result).toEqual(invitationResponse);
expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
});
it("should invite a user with workspace and role", async () => {
const inviteDto = {
email: "new@example.com",
workspaceId: mockWorkspaceId,
role: WorkspaceMemberRole.ADMIN,
};
mockAdminService.inviteUser.mockResolvedValue({
userId: "new-id",
invitationToken: "token",
email: "new@example.com",
invitedAt: new Date(),
});
await controller.inviteUser(inviteDto, mockAdminUser);
expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
});
});
describe("updateUser", () => {
it("should update a user", async () => {
const updateDto = { name: "Updated Name" };
mockAdminService.updateUser.mockResolvedValue({
...mockUserResponse,
name: "Updated Name",
});
const result = await controller.updateUser(mockUserId, updateDto);
expect(result.name).toBe("Updated Name");
expect(service.updateUser).toHaveBeenCalledWith(mockUserId, updateDto);
});
it("should deactivate a user via update", async () => {
const deactivatedAt = "2026-02-28T00:00:00.000Z";
const updateDto = { deactivatedAt };
mockAdminService.updateUser.mockResolvedValue({
...mockUserResponse,
deactivatedAt: new Date(deactivatedAt),
});
const result = await controller.updateUser(mockUserId, updateDto);
expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
});
});
describe("deactivateUser", () => {
it("should soft-delete a user", async () => {
mockAdminService.deactivateUser.mockResolvedValue({
...mockUserResponse,
deactivatedAt: new Date(),
});
const result = await controller.deactivateUser(mockUserId);
expect(result.deactivatedAt).toBeDefined();
expect(service.deactivateUser).toHaveBeenCalledWith(mockUserId);
});
});
describe("createWorkspace", () => {
it("should create a workspace", async () => {
const createDto = { name: "New Workspace", ownerId: mockAdminId };
mockAdminService.createWorkspace.mockResolvedValue(mockWorkspaceResponse);
const result = await controller.createWorkspace(createDto);
expect(result).toEqual(mockWorkspaceResponse);
expect(service.createWorkspace).toHaveBeenCalledWith(createDto);
});
it("should create workspace with settings", async () => {
const createDto = {
name: "New Workspace",
ownerId: mockAdminId,
settings: { feature: true },
};
mockAdminService.createWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
settings: { feature: true },
});
const result = await controller.createWorkspace(createDto);
expect(result.settings).toEqual({ feature: true });
});
});
describe("updateWorkspace", () => {
it("should update a workspace", async () => {
const updateDto = { name: "Updated Workspace" };
mockAdminService.updateWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
name: "Updated Workspace",
});
const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
expect(result.name).toBe("Updated Workspace");
expect(service.updateWorkspace).toHaveBeenCalledWith(mockWorkspaceId, updateDto);
});
it("should update workspace settings", async () => {
const updateDto = { settings: { notifications: false } };
mockAdminService.updateWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
settings: { notifications: false },
});
const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
expect(result.settings).toEqual({ notifications: false });
});
});
});

64
apps/api/src/admin/admin.controller.ts Normal file
View File

@@ -0,0 +1,64 @@
import {
Controller,
Get,
Post,
Patch,
Delete,
Body,
Param,
Query,
UseGuards,
ParseUUIDPipe,
} from "@nestjs/common";
import { AdminService } from "./admin.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { AdminGuard } from "../auth/guards/admin.guard";
import { CurrentUser } from "../auth/decorators/current-user.decorator";
import type { AuthUser } from "@mosaic/shared";
import { InviteUserDto } from "./dto/invite-user.dto";
import { UpdateUserDto } from "./dto/update-user.dto";
import { CreateWorkspaceDto } from "./dto/create-workspace.dto";
import { UpdateWorkspaceDto } from "./dto/update-workspace.dto";
import { QueryUsersDto } from "./dto/query-users.dto";
@Controller("admin")
@UseGuards(AuthGuard, AdminGuard)
export class AdminController {
constructor(private readonly adminService: AdminService) {}
@Get("users")
async listUsers(@Query() query: QueryUsersDto) {
return this.adminService.listUsers(query.page, query.limit);
}
@Post("users/invite")
async inviteUser(@Body() dto: InviteUserDto, @CurrentUser() user: AuthUser) {
return this.adminService.inviteUser(dto, user.id);
}
@Patch("users/:id")
async updateUser(
@Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
@Body() dto: UpdateUserDto
) {
return this.adminService.updateUser(id, dto);
}
@Delete("users/:id")
async deactivateUser(@Param("id", new ParseUUIDPipe({ version: "4" })) id: string) {
return this.adminService.deactivateUser(id);
}
@Post("workspaces")
async createWorkspace(@Body() dto: CreateWorkspaceDto) {
return this.adminService.createWorkspace(dto);
}
@Patch("workspaces/:id")
async updateWorkspace(
@Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
@Body() dto: UpdateWorkspaceDto
) {
return this.adminService.updateWorkspace(id, dto);
}
}

13
apps/api/src/admin/admin.module.ts Normal file
View File

@@ -0,0 +1,13 @@
import { Module } from "@nestjs/common";
import { AdminController } from "./admin.controller";
import { AdminService } from "./admin.service";
import { PrismaModule } from "../prisma/prisma.module";
import { AuthModule } from "../auth/auth.module";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [AdminController],
providers: [AdminService],
exports: [AdminService],
})
export class AdminModule {}

471
apps/api/src/admin/admin.service.spec.ts Normal file
View File

@@ -0,0 +1,471 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { AdminService } from "./admin.service";
import { PrismaService } from "../prisma/prisma.service";
import { BadRequestException, ConflictException, NotFoundException } from "@nestjs/common";
import { WorkspaceMemberRole } from "@prisma/client";
describe("AdminService", () => {
let service: AdminService;
const mockPrismaService = {
user: {
findMany: vi.fn(),
findUnique: vi.fn(),
count: vi.fn(),
create: vi.fn(),
update: vi.fn(),
},
workspace: {
findUnique: vi.fn(),
create: vi.fn(),
update: vi.fn(),
},
workspaceMember: {
create: vi.fn(),
},
$transaction: vi.fn(),
};
const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
const mockUser = {
id: mockUserId,
name: "Test User",
email: "test@example.com",
emailVerified: false,
image: null,
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
authProviderId: null,
preferences: {},
workspaceMemberships: [
{
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-01"),
workspace: { id: mockWorkspaceId, name: "Test Workspace" },
},
],
};
const mockWorkspace = {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockAdminId,
settings: {},
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
matrixRoomId: null,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
AdminService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<AdminService>(AdminService);
vi.clearAllMocks();
mockPrismaService.$transaction.mockImplementation(async (fn: (tx: unknown) => unknown) => {
return fn(mockPrismaService);
});
});
it("should be defined", () => {
expect(service).toBeDefined();
});
describe("listUsers", () => {
it("should return paginated users with memberships", async () => {
mockPrismaService.user.findMany.mockResolvedValue([mockUser]);
mockPrismaService.user.count.mockResolvedValue(1);
const result = await service.listUsers(1, 50);
expect(result.data).toHaveLength(1);
expect(result.data[0]?.id).toBe(mockUserId);
expect(result.data[0]?.workspaceMemberships).toHaveLength(1);
expect(result.meta).toEqual({
total: 1,
page: 1,
limit: 50,
totalPages: 1,
});
});
it("should use default pagination when not provided", async () => {
mockPrismaService.user.findMany.mockResolvedValue([]);
mockPrismaService.user.count.mockResolvedValue(0);
await service.listUsers();
expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
expect.objectContaining({
skip: 0,
take: 50,
})
);
});
it("should calculate pagination correctly", async () => {
mockPrismaService.user.findMany.mockResolvedValue([]);
mockPrismaService.user.count.mockResolvedValue(150);
const result = await service.listUsers(3, 25);
expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
expect.objectContaining({
skip: 50,
take: 25,
})
);
expect(result.meta.totalPages).toBe(6);
});
});
describe("inviteUser", () => {
it("should create a user with invitation token", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = {
id: "new-user-id",
email: "new@example.com",
name: "new",
invitationToken: "some-token",
};
mockPrismaService.user.create.mockResolvedValue(createdUser);
const result = await service.inviteUser({ email: "new@example.com" }, mockAdminId);
expect(result.email).toBe("new@example.com");
expect(result.invitationToken).toBeDefined();
expect(result.userId).toBe("new-user-id");
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
email: "new@example.com",
invitedBy: mockAdminId,
invitationToken: expect.any(String),
}),
})
);
});
it("should add user to workspace when workspaceId provided", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
const createdUser = { id: "new-user-id", email: "new@example.com", name: "new" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser(
{
email: "new@example.com",
workspaceId: mockWorkspaceId,
role: WorkspaceMemberRole.ADMIN,
},
mockAdminId
);
expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspaceId,
userId: "new-user-id",
role: WorkspaceMemberRole.ADMIN,
},
});
});
it("should throw ConflictException if email already exists", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
await expect(service.inviteUser({ email: "test@example.com" }, mockAdminId)).rejects.toThrow(
ConflictException
);
});
it("should throw NotFoundException if workspace does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockPrismaService.workspace.findUnique.mockResolvedValue(null);
await expect(
service.inviteUser({ email: "new@example.com", workspaceId: "non-existent" }, mockAdminId)
).rejects.toThrow(NotFoundException);
});
it("should use email prefix as default name", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = { id: "new-user-id", email: "jane.doe@example.com", name: "jane.doe" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser({ email: "jane.doe@example.com" }, mockAdminId);
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
name: "jane.doe",
}),
})
);
});
it("should use provided name when given", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = { id: "new-user-id", email: "j@example.com", name: "Jane Doe" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser({ email: "j@example.com", name: "Jane Doe" }, mockAdminId);
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
name: "Jane Doe",
}),
})
);
});
});
describe("updateUser", () => {
it("should update user fields", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
name: "Updated Name",
});
const result = await service.updateUser(mockUserId, { name: "Updated Name" });
expect(result.name).toBe("Updated Name");
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: mockUserId },
data: { name: "Updated Name" },
})
);
});
it("should set deactivatedAt when provided", async () => {
const deactivatedAt = "2026-02-28T00:00:00.000Z";
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(deactivatedAt),
});
const result = await service.updateUser(mockUserId, { deactivatedAt });
expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
});
it("should clear deactivatedAt when set to null", async () => {
const deactivatedUser = { ...mockUser, deactivatedAt: new Date() };
mockPrismaService.user.findUnique.mockResolvedValue(deactivatedUser);
mockPrismaService.user.update.mockResolvedValue({
...deactivatedUser,
deactivatedAt: null,
});
const result = await service.updateUser(mockUserId, { deactivatedAt: null });
expect(result.deactivatedAt).toBeNull();
});
it("should throw NotFoundException if user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.updateUser("non-existent", { name: "Test" })).rejects.toThrow(
NotFoundException
);
});
it("should update emailVerified", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
emailVerified: true,
});
const result = await service.updateUser(mockUserId, { emailVerified: true });
expect(result.emailVerified).toBe(true);
});
it("should update preferences", async () => {
const prefs = { theme: "dark" };
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
preferences: prefs,
});
await service.updateUser(mockUserId, { preferences: prefs });
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({ preferences: prefs }),
})
);
});
});
describe("deactivateUser", () => {
it("should set deactivatedAt on the user", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(),
});
const result = await service.deactivateUser(mockUserId);
expect(result.deactivatedAt).toBeDefined();
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: mockUserId },
data: { deactivatedAt: expect.any(Date) },
})
);
});
it("should throw NotFoundException if user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.deactivateUser("non-existent")).rejects.toThrow(NotFoundException);
});
it("should throw BadRequestException if user is already deactivated", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(),
});
await expect(service.deactivateUser(mockUserId)).rejects.toThrow(BadRequestException);
});
});
describe("createWorkspace", () => {
it("should create a workspace with owner membership", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.workspace.create.mockResolvedValue(mockWorkspace);
const result = await service.createWorkspace({
name: "New Workspace",
ownerId: mockAdminId,
});
expect(result.name).toBe("Test Workspace");
expect(result.memberCount).toBe(1);
expect(mockPrismaService.workspace.create).toHaveBeenCalled();
expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspace.id,
userId: mockAdminId,
role: WorkspaceMemberRole.OWNER,
},
});
});
it("should throw NotFoundException if owner does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(
service.createWorkspace({ name: "New Workspace", ownerId: "non-existent" })
).rejects.toThrow(NotFoundException);
});
it("should pass settings when provided", async () => {
const settings = { theme: "dark", features: ["chat"] };
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.workspace.create.mockResolvedValue({
...mockWorkspace,
settings,
});
await service.createWorkspace({
name: "New Workspace",
ownerId: mockAdminId,
settings,
});
expect(mockPrismaService.workspace.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({ settings }),
})
);
});
});
describe("updateWorkspace", () => {
it("should update workspace name", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
name: "Updated Workspace",
_count: { members: 3 },
});
const result = await service.updateWorkspace(mockWorkspaceId, {
name: "Updated Workspace",
});
expect(result.name).toBe("Updated Workspace");
expect(result.memberCount).toBe(3);
});
it("should update workspace settings", async () => {
const newSettings = { notifications: true };
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
settings: newSettings,
_count: { members: 1 },
});
const result = await service.updateWorkspace(mockWorkspaceId, {
settings: newSettings,
});
expect(result.settings).toEqual(newSettings);
});
it("should throw NotFoundException if workspace does not exist", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(null);
await expect(service.updateWorkspace("non-existent", { name: "Test" })).rejects.toThrow(
NotFoundException
);
});
it("should only update provided fields", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
_count: { members: 1 },
});
await service.updateWorkspace(mockWorkspaceId, { name: "Only Name" });
expect(mockPrismaService.workspace.update).toHaveBeenCalledWith(
expect.objectContaining({
data: { name: "Only Name" },
})
);
});
});
});

306
apps/api/src/admin/admin.service.ts Normal file
View File

@@ -0,0 +1,306 @@
import {
BadRequestException,
ConflictException,
Injectable,
Logger,
NotFoundException,
} from "@nestjs/common";
import { Prisma, WorkspaceMemberRole } from "@prisma/client";
import { randomUUID } from "node:crypto";
import { PrismaService } from "../prisma/prisma.service";
import type { InviteUserDto } from "./dto/invite-user.dto";
import type { UpdateUserDto } from "./dto/update-user.dto";
import type { CreateWorkspaceDto } from "./dto/create-workspace.dto";
import type {
AdminUserResponse,
AdminWorkspaceResponse,
InvitationResponse,
PaginatedResponse,
} from "./types/admin.types";
@Injectable()
export class AdminService {
private readonly logger = new Logger(AdminService.name);
constructor(private readonly prisma: PrismaService) {}
async listUsers(page = 1, limit = 50): Promise<PaginatedResponse<AdminUserResponse>> {
const skip = (page - 1) * limit;
const [users, total] = await Promise.all([
this.prisma.user.findMany({
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
orderBy: { createdAt: "desc" },
skip,
take: limit,
}),
this.prisma.user.count(),
]);
return {
data: users.map((user) => ({
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
})),
meta: {
total,
page,
limit,
totalPages: Math.ceil(total / limit),
},
};
}
async inviteUser(dto: InviteUserDto, inviterId: string): Promise<InvitationResponse> {
const existing = await this.prisma.user.findUnique({
where: { email: dto.email },
});
if (existing) {
throw new ConflictException(`User with email ${dto.email} already exists`);
}
if (dto.workspaceId) {
const workspace = await this.prisma.workspace.findUnique({
where: { id: dto.workspaceId },
});
if (!workspace) {
throw new NotFoundException(`Workspace ${dto.workspaceId} not found`);
}
}
const invitationToken = randomUUID();
const now = new Date();
const user = await this.prisma.$transaction(async (tx) => {
const created = await tx.user.create({
data: {
email: dto.email,
name: dto.name ?? dto.email.split("@")[0] ?? dto.email,
emailVerified: false,
invitedBy: inviterId,
invitationToken,
invitedAt: now,
},
});
if (dto.workspaceId) {
await tx.workspaceMember.create({
data: {
workspaceId: dto.workspaceId,
userId: created.id,
role: dto.role ?? WorkspaceMemberRole.MEMBER,
},
});
}
return created;
});
this.logger.log(`User invited: ${user.email} by ${inviterId}`);
return {
userId: user.id,
invitationToken,
email: user.email,
invitedAt: now,
};
}
async updateUser(id: string, dto: UpdateUserDto): Promise<AdminUserResponse> {
const existing = await this.prisma.user.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`User ${id} not found`);
}
const data: Prisma.UserUpdateInput = {};
if (dto.name !== undefined) {
data.name = dto.name;
}
if (dto.emailVerified !== undefined) {
data.emailVerified = dto.emailVerified;
}
if (dto.preferences !== undefined) {
data.preferences = dto.preferences as Prisma.InputJsonValue;
}
if (dto.deactivatedAt !== undefined) {
data.deactivatedAt = dto.deactivatedAt ? new Date(dto.deactivatedAt) : null;
}
const user = await this.prisma.user.update({
where: { id },
data,
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
});
this.logger.log(`User updated: ${id}`);
return {
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
};
}
async deactivateUser(id: string): Promise<AdminUserResponse> {
const existing = await this.prisma.user.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`User ${id} not found`);
}
if (existing.deactivatedAt) {
throw new BadRequestException(`User ${id} is already deactivated`);
}
const user = await this.prisma.user.update({
where: { id },
data: { deactivatedAt: new Date() },
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
});
this.logger.log(`User deactivated: ${id}`);
return {
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
};
}
async createWorkspace(dto: CreateWorkspaceDto): Promise<AdminWorkspaceResponse> {
const owner = await this.prisma.user.findUnique({ where: { id: dto.ownerId } });
if (!owner) {
throw new NotFoundException(`User ${dto.ownerId} not found`);
}
const workspace = await this.prisma.$transaction(async (tx) => {
const created = await tx.workspace.create({
data: {
name: dto.name,
ownerId: dto.ownerId,
settings: dto.settings ? (dto.settings as Prisma.InputJsonValue) : {},
},
});
await tx.workspaceMember.create({
data: {
workspaceId: created.id,
userId: dto.ownerId,
role: WorkspaceMemberRole.OWNER,
},
});
return created;
});
this.logger.log(`Workspace created: ${workspace.id} with owner ${dto.ownerId}`);
return {
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
settings: workspace.settings as Record<string, unknown>,
createdAt: workspace.createdAt,
updatedAt: workspace.updatedAt,
memberCount: 1,
};
}
async updateWorkspace(
id: string,
dto: { name?: string; settings?: Record<string, unknown> }
): Promise<AdminWorkspaceResponse> {
const existing = await this.prisma.workspace.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`Workspace ${id} not found`);
}
const data: Prisma.WorkspaceUpdateInput = {};
if (dto.name !== undefined) {
data.name = dto.name;
}
if (dto.settings !== undefined) {
data.settings = dto.settings as Prisma.InputJsonValue;
}
const workspace = await this.prisma.workspace.update({
where: { id },
data,
include: {
_count: { select: { members: true } },
},
});
this.logger.log(`Workspace updated: ${id}`);
return {
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
settings: workspace.settings as Record<string, unknown>,
createdAt: workspace.createdAt,
updatedAt: workspace.updatedAt,
memberCount: workspace._count.members,
};
}
}

15
apps/api/src/admin/dto/create-workspace.dto.ts Normal file
View File

@@ -0,0 +1,15 @@
import { IsObject, IsOptional, IsString, IsUUID, MaxLength, MinLength } from "class-validator";
export class CreateWorkspaceDto {
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsUUID("4", { message: "ownerId must be a valid UUID" })
ownerId!: string;
@IsOptional()
@IsObject({ message: "settings must be an object" })
settings?: Record<string, unknown>;
}

20
apps/api/src/admin/dto/invite-user.dto.ts Normal file
View File

@@ -0,0 +1,20 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEmail, IsEnum, IsOptional, IsString, IsUUID, MaxLength } from "class-validator";
export class InviteUserDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsOptional()
@IsString({ message: "name must be a string" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsUUID("4", { message: "workspaceId must be a valid UUID" })
workspaceId?: string;
@IsOptional()
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role?: WorkspaceMemberRole;
}

15
apps/api/src/admin/dto/manage-member.dto.ts Normal file
View File

@@ -0,0 +1,15 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEnum, IsUUID } from "class-validator";
export class AddMemberDto {
@IsUUID("4", { message: "userId must be a valid UUID" })
userId!: string;
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}
export class UpdateMemberRoleDto {
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}

17
apps/api/src/admin/dto/query-users.dto.ts Normal file
View File

@@ -0,0 +1,17 @@
import { IsInt, IsOptional, Max, Min } from "class-validator";
import { Type } from "class-transformer";
export class QueryUsersDto {
@IsOptional()
@Type(() => Number)
@IsInt({ message: "page must be an integer" })
@Min(1, { message: "page must be at least 1" })
page?: number;
@IsOptional()
@Type(() => Number)
@IsInt({ message: "limit must be an integer" })
@Min(1, { message: "limit must be at least 1" })
@Max(100, { message: "limit must not exceed 100" })
limit?: number;
}

27
apps/api/src/admin/dto/update-user.dto.ts Normal file
View File

@@ -0,0 +1,27 @@
import {
IsBoolean,
IsDateString,
IsObject,
IsOptional,
IsString,
MaxLength,
} from "class-validator";
export class UpdateUserDto {
@IsOptional()
@IsString({ message: "name must be a string" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsDateString({}, { message: "deactivatedAt must be a valid ISO 8601 date string" })
deactivatedAt?: string | null;
@IsOptional()
@IsBoolean({ message: "emailVerified must be a boolean" })
emailVerified?: boolean;
@IsOptional()
@IsObject({ message: "preferences must be an object" })
preferences?: Record<string, unknown>;
}

13
apps/api/src/admin/dto/update-workspace.dto.ts Normal file
View File

@@ -0,0 +1,13 @@
import { IsObject, IsOptional, IsString, MaxLength, MinLength } from "class-validator";
export class UpdateWorkspaceDto {
@IsOptional()
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsObject({ message: "settings must be an object" })
settings?: Record<string, unknown>;
}

49
apps/api/src/admin/types/admin.types.ts Normal file
View File

@@ -0,0 +1,49 @@
import type { WorkspaceMemberRole } from "@prisma/client";
export interface AdminUserResponse {
id: string;
name: string;
email: string;
emailVerified: boolean;
image: string | null;
createdAt: Date;
deactivatedAt: Date | null;
isLocalAuth: boolean;
invitedAt: Date | null;
invitedBy: string | null;
workspaceMemberships: WorkspaceMembershipResponse[];
}
export interface WorkspaceMembershipResponse {
workspaceId: string;
workspaceName: string;
role: WorkspaceMemberRole;
joinedAt: Date;
}
export interface PaginatedResponse<T> {
data: T[];
meta: {
total: number;
page: number;
limit: number;
totalPages: number;
};
}
export interface InvitationResponse {
userId: string;
invitationToken: string;
email: string;
invitedAt: Date;
}
export interface AdminWorkspaceResponse {
id: string;
name: string;
ownerId: string;
settings: Record<string, unknown>;
createdAt: Date;
updatedAt: Date;
memberCount: number;
}

6
apps/api/src/app.module.ts
View File

@@ -42,6 +42,9 @@ import { SpeechModule } from "./speech/speech.module";
import { DashboardModule } from "./dashboard/dashboard.module"; import { DashboardModule } from "./dashboard/dashboard.module";
import { TerminalModule } from "./terminal/terminal.module"; import { TerminalModule } from "./terminal/terminal.module";
import { PersonalitiesModule } from "./personalities/personalities.module"; import { PersonalitiesModule } from "./personalities/personalities.module";
import { WorkspacesModule } from "./workspaces/workspaces.module";
import { AdminModule } from "./admin/admin.module";
import { TeamsModule } from "./teams/teams.module";
import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor"; import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor";
@Module({ @Module({
@@ -107,6 +110,9 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
DashboardModule, DashboardModule,
TerminalModule, TerminalModule,
PersonalitiesModule, PersonalitiesModule,
WorkspacesModule,
AdminModule,
TeamsModule,
], ],
controllers: [AppController, CsrfController], controllers: [AppController, CsrfController],
providers: [ providers: [

19
apps/api/src/auth/auth.controller.spec.ts
View File

@@ -361,16 +361,13 @@ describe("AuthController", () => {
}); });
describe("getProfile", () => { describe("getProfile", () => {
it("should return complete user profile with workspace fields", () => { it("should return complete user profile with identity fields", () => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-123", id: "user-123",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
image: "https://example.com/avatar.jpg", image: "https://example.com/avatar.jpg",
emailVerified: true, emailVerified: true,
workspaceId: "workspace-123",
currentWorkspaceId: "workspace-456",
workspaceRole: "admin",
}; };
const result = controller.getProfile(mockUser); const result = controller.getProfile(mockUser);
@@ -381,13 +378,10 @@ describe("AuthController", () => {
name: mockUser.name, name: mockUser.name,
image: mockUser.image, image: mockUser.image,
emailVerified: mockUser.emailVerified, emailVerified: mockUser.emailVerified,
workspaceId: mockUser.workspaceId,
currentWorkspaceId: mockUser.currentWorkspaceId,
workspaceRole: mockUser.workspaceRole,
}); });
}); });
it("should return user profile with optional fields undefined", () => { it("should return user profile with only required fields", () => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-123", id: "user-123",
email: "test@example.com", email: "test@example.com",
@@ -400,12 +394,11 @@ describe("AuthController", () => {
id: mockUser.id, id: mockUser.id,
email: mockUser.email, email: mockUser.email,
name: mockUser.name, name: mockUser.name,
image: undefined,
emailVerified: undefined,
workspaceId: undefined,
currentWorkspaceId: undefined,
workspaceRole: undefined,
}); });
// Workspace fields are not included — served by GET /api/workspaces
expect(result).not.toHaveProperty("workspaceId");
expect(result).not.toHaveProperty("currentWorkspaceId");
expect(result).not.toHaveProperty("workspaceRole");
}); });
}); });

13
apps/api/src/auth/auth.controller.ts
View File

@@ -72,15 +72,10 @@ export class AuthController {
if (user.emailVerified !== undefined) { if (user.emailVerified !== undefined) {
profile.emailVerified = user.emailVerified; profile.emailVerified = user.emailVerified;
} }
if (user.workspaceId !== undefined) {
profile.workspaceId = user.workspaceId; // Workspace context is served by GET /api/workspaces, not the auth profile.
} // The deprecated workspaceId/currentWorkspaceId/workspaceRole fields on
if (user.currentWorkspaceId !== undefined) { // AuthUser are never populated by BetterAuth and are omitted here.
profile.currentWorkspaceId = user.currentWorkspaceId;
}
if (user.workspaceRole !== undefined) {
profile.workspaceRole = user.workspaceRole;
}
return profile; return profile;
} }

7
apps/api/src/auth/auth.module.ts
View File

@@ -3,11 +3,14 @@ import { PrismaModule } from "../prisma/prisma.module";
import { AuthService } from "./auth.service"; import { AuthService } from "./auth.service";
import { AuthController } from "./auth.controller"; import { AuthController } from "./auth.controller";
import { AuthGuard } from "./guards/auth.guard"; import { AuthGuard } from "./guards/auth.guard";
import { LocalAuthController } from "./local/local-auth.controller";
import { LocalAuthService } from "./local/local-auth.service";
import { LocalAuthEnabledGuard } from "./local/local-auth.guard";
@Module({ @Module({
imports: [PrismaModule], imports: [PrismaModule],
controllers: [AuthController], controllers: [AuthController, LocalAuthController],
providers: [AuthService, AuthGuard], providers: [AuthService, AuthGuard, LocalAuthService, LocalAuthEnabledGuard],
exports: [AuthService, AuthGuard], exports: [AuthService, AuthGuard],
}) })
export class AuthModule {} export class AuthModule {}

10
apps/api/src/auth/local/dto/local-login.dto.ts Normal file
View File

@@ -0,0 +1,10 @@
import { IsEmail, IsString, MinLength } from "class-validator";
export class LocalLoginDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsString({ message: "password must be a string" })
@MinLength(1, { message: "password must not be empty" })
password!: string;
}

20
apps/api/src/auth/local/dto/local-setup.dto.ts Normal file
View File

@@ -0,0 +1,20 @@
import { IsEmail, IsString, MinLength, MaxLength } from "class-validator";
export class LocalSetupDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsString({ message: "password must be a string" })
@MinLength(12, { message: "password must be at least 12 characters" })
@MaxLength(128, { message: "password must not exceed 128 characters" })
password!: string;
@IsString({ message: "setupToken must be a string" })
@MinLength(1, { message: "setupToken must not be empty" })
setupToken!: string;
}

232
apps/api/src/auth/local/local-auth.controller.spec.ts Normal file
View File

@@ -0,0 +1,232 @@
import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import {
NotFoundException,
ForbiddenException,
UnauthorizedException,
ConflictException,
} from "@nestjs/common";
import { LocalAuthController } from "./local-auth.controller";
import { LocalAuthService } from "./local-auth.service";
import { LocalAuthEnabledGuard } from "./local-auth.guard";
describe("LocalAuthController", () => {
let controller: LocalAuthController;
let localAuthService: LocalAuthService;
const mockLocalAuthService = {
setup: vi.fn(),
login: vi.fn(),
};
const mockRequest = {
headers: { "user-agent": "TestAgent/1.0" },
ip: "127.0.0.1",
socket: { remoteAddress: "127.0.0.1" },
};
const originalEnv = {
ENABLE_LOCAL_AUTH: process.env.ENABLE_LOCAL_AUTH,
};
beforeEach(async () => {
process.env.ENABLE_LOCAL_AUTH = "true";
const module: TestingModule = await Test.createTestingModule({
controllers: [LocalAuthController],
providers: [
{
provide: LocalAuthService,
useValue: mockLocalAuthService,
},
],
})
.overrideGuard(LocalAuthEnabledGuard)
.useValue({ canActivate: () => true })
.compile();
controller = module.get<LocalAuthController>(LocalAuthController);
localAuthService = module.get<LocalAuthService>(LocalAuthService);
vi.clearAllMocks();
});
afterEach(() => {
vi.restoreAllMocks();
if (originalEnv.ENABLE_LOCAL_AUTH !== undefined) {
process.env.ENABLE_LOCAL_AUTH = originalEnv.ENABLE_LOCAL_AUTH;
} else {
delete process.env.ENABLE_LOCAL_AUTH;
}
});
describe("setup", () => {
const setupDto = {
email: "admin@example.com",
name: "Break Glass Admin",
password: "securePassword123!",
setupToken: "valid-token-123",
};
const mockSetupResult = {
user: {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
createdAt: new Date("2026-02-28T00:00:00Z"),
},
session: {
token: "session-token-abc",
expiresAt: new Date("2026-03-07T00:00:00Z"),
},
};
it("should create a break-glass user and return user data with session", async () => {
mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
const result = await controller.setup(setupDto, mockRequest as never);
expect(result).toEqual({
user: mockSetupResult.user,
session: mockSetupResult.session,
});
expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
"admin@example.com",
"Break Glass Admin",
"securePassword123!",
"valid-token-123",
"127.0.0.1",
"TestAgent/1.0"
);
});
it("should extract client IP from x-forwarded-for header", async () => {
mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
const reqWithProxy = {
...mockRequest,
headers: {
...mockRequest.headers,
"x-forwarded-for": "203.0.113.50, 70.41.3.18",
},
};
await controller.setup(setupDto, reqWithProxy as never);
expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
expect.any(String) as string,
expect.any(String) as string,
expect.any(String) as string,
expect.any(String) as string,
"203.0.113.50",
"TestAgent/1.0"
);
});
it("should propagate ForbiddenException from service", async () => {
mockLocalAuthService.setup.mockRejectedValue(new ForbiddenException("Invalid setup token"));
await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
ForbiddenException
);
});
it("should propagate ConflictException from service", async () => {
mockLocalAuthService.setup.mockRejectedValue(
new ConflictException("A user with this email already exists")
);
await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
ConflictException
);
});
});
describe("login", () => {
const loginDto = {
email: "admin@example.com",
password: "securePassword123!",
};
const mockLoginResult = {
user: {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
},
session: {
token: "session-token-abc",
expiresAt: new Date("2026-03-07T00:00:00Z"),
},
};
it("should authenticate and return user data with session", async () => {
mockLocalAuthService.login.mockResolvedValue(mockLoginResult);
const result = await controller.login(loginDto, mockRequest as never);
expect(result).toEqual({
user: mockLoginResult.user,
session: mockLoginResult.session,
});
expect(mockLocalAuthService.login).toHaveBeenCalledWith(
"admin@example.com",
"securePassword123!",
"127.0.0.1",
"TestAgent/1.0"
);
});
it("should propagate UnauthorizedException from service", async () => {
mockLocalAuthService.login.mockRejectedValue(
new UnauthorizedException("Invalid email or password")
);
await expect(controller.login(loginDto, mockRequest as never)).rejects.toThrow(
UnauthorizedException
);
});
});
});
describe("LocalAuthEnabledGuard", () => {
let guard: LocalAuthEnabledGuard;
const originalEnv = process.env.ENABLE_LOCAL_AUTH;
beforeEach(() => {
guard = new LocalAuthEnabledGuard();
});
afterEach(() => {
if (originalEnv !== undefined) {
process.env.ENABLE_LOCAL_AUTH = originalEnv;
} else {
delete process.env.ENABLE_LOCAL_AUTH;
}
});
it("should allow access when ENABLE_LOCAL_AUTH is true", () => {
process.env.ENABLE_LOCAL_AUTH = "true";
expect(guard.canActivate()).toBe(true);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is not set", () => {
delete process.env.ENABLE_LOCAL_AUTH;
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is false", () => {
process.env.ENABLE_LOCAL_AUTH = "false";
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is empty", () => {
process.env.ENABLE_LOCAL_AUTH = "";
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
});

81
apps/api/src/auth/local/local-auth.controller.ts Normal file
View File

@@ -0,0 +1,81 @@
import {
Controller,
Post,
Body,
UseGuards,
Req,
Logger,
HttpCode,
HttpStatus,
} from "@nestjs/common";
import { Throttle } from "@nestjs/throttler";
import type { Request as ExpressRequest } from "express";
import { SkipCsrf } from "../../common/decorators/skip-csrf.decorator";
import { LocalAuthService } from "./local-auth.service";
import { LocalAuthEnabledGuard } from "./local-auth.guard";
import { LocalLoginDto } from "./dto/local-login.dto";
import { LocalSetupDto } from "./dto/local-setup.dto";
@Controller("auth/local")
@UseGuards(LocalAuthEnabledGuard)
export class LocalAuthController {
private readonly logger = new Logger(LocalAuthController.name);
constructor(private readonly localAuthService: LocalAuthService) {}
/**
* First-time break-glass user creation.
* Requires BREAKGLASS_SETUP_TOKEN from environment.
*/
@Post("setup")
@SkipCsrf()
@Throttle({ strict: { limit: 5, ttl: 60000 } })
async setup(@Body() dto: LocalSetupDto, @Req() req: ExpressRequest) {
const ipAddress = this.getClientIp(req);
const userAgent = req.headers["user-agent"];
this.logger.log(`Break-glass setup attempt from ${ipAddress}`);
const result = await this.localAuthService.setup(
dto.email,
dto.name,
dto.password,
dto.setupToken,
ipAddress,
userAgent
);
return {
user: result.user,
session: result.session,
};
}
/**
* Break-glass login with email + password.
*/
@Post("login")
@SkipCsrf()
@HttpCode(HttpStatus.OK)
@Throttle({ strict: { limit: 10, ttl: 60000 } })
async login(@Body() dto: LocalLoginDto, @Req() req: ExpressRequest) {
const ipAddress = this.getClientIp(req);
const userAgent = req.headers["user-agent"];
const result = await this.localAuthService.login(dto.email, dto.password, ipAddress, userAgent);
return {
user: result.user,
session: result.session,
};
}
private getClientIp(req: ExpressRequest): string {
const forwardedFor = req.headers["x-forwarded-for"];
if (forwardedFor) {
const ips = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor;
return ips?.split(",")[0]?.trim() ?? "unknown";
}
return req.ip ?? req.socket.remoteAddress ?? "unknown";
}
}

15
apps/api/src/auth/local/local-auth.guard.ts Normal file
View File

@@ -0,0 +1,15 @@
import { Injectable, CanActivate, NotFoundException } from "@nestjs/common";
/**
* Guard that checks if local authentication is enabled via ENABLE_LOCAL_AUTH env var.
* Returns 404 when disabled so endpoints are invisible to callers.
*/
@Injectable()
export class LocalAuthEnabledGuard implements CanActivate {
canActivate(): boolean {
if (process.env.ENABLE_LOCAL_AUTH !== "true") {
throw new NotFoundException();
}
return true;
}
}

389
apps/api/src/auth/local/local-auth.service.spec.ts Normal file
View File

@@ -0,0 +1,389 @@
import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import {
ConflictException,
ForbiddenException,
InternalServerErrorException,
UnauthorizedException,
} from "@nestjs/common";
import { hash } from "bcryptjs";
import { LocalAuthService } from "./local-auth.service";
import { PrismaService } from "../../prisma/prisma.service";
describe("LocalAuthService", () => {
let service: LocalAuthService;
const mockTxSession = {
create: vi.fn(),
};
const mockTxWorkspace = {
findFirst: vi.fn(),
create: vi.fn(),
};
const mockTxWorkspaceMember = {
create: vi.fn(),
};
const mockTxUser = {
create: vi.fn(),
findUnique: vi.fn(),
};
const mockTx = {
user: mockTxUser,
workspace: mockTxWorkspace,
workspaceMember: mockTxWorkspaceMember,
session: mockTxSession,
};
const mockPrismaService = {
user: {
findUnique: vi.fn(),
},
session: {
create: vi.fn(),
},
$transaction: vi
.fn()
.mockImplementation((fn: (tx: typeof mockTx) => Promise<unknown>) => fn(mockTx)),
};
const originalEnv = {
BREAKGLASS_SETUP_TOKEN: process.env.BREAKGLASS_SETUP_TOKEN,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
LocalAuthService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<LocalAuthService>(LocalAuthService);
vi.clearAllMocks();
});
afterEach(() => {
vi.restoreAllMocks();
if (originalEnv.BREAKGLASS_SETUP_TOKEN !== undefined) {
process.env.BREAKGLASS_SETUP_TOKEN = originalEnv.BREAKGLASS_SETUP_TOKEN;
} else {
delete process.env.BREAKGLASS_SETUP_TOKEN;
}
});
describe("setup", () => {
const validSetupArgs = {
email: "admin@example.com",
name: "Break Glass Admin",
password: "securePassword123!",
setupToken: "valid-token-123",
};
const mockCreatedUser = {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
createdAt: new Date("2026-02-28T00:00:00Z"),
};
const mockWorkspace = {
id: "workspace-uuid-123",
};
beforeEach(() => {
process.env.BREAKGLASS_SETUP_TOKEN = "valid-token-123";
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockTxUser.create.mockResolvedValue(mockCreatedUser);
mockTxWorkspace.findFirst.mockResolvedValue(mockWorkspace);
mockTxWorkspaceMember.create.mockResolvedValue({});
mockTxSession.create.mockResolvedValue({});
});
it("should create a local auth user with hashed password", async () => {
const result = await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(result.user).toEqual(mockCreatedUser);
expect(result.session.token).toBeDefined();
expect(result.session.token.length).toBeGreaterThan(0);
expect(result.session.expiresAt).toBeInstanceOf(Date);
expect(result.session.expiresAt.getTime()).toBeGreaterThan(Date.now());
expect(mockTxUser.create).toHaveBeenCalledWith({
data: expect.objectContaining({
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
emailVerified: true,
passwordHash: expect.any(String) as string,
}),
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
createdAt: true,
},
});
});
it("should assign OWNER role on default workspace", async () => {
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: "workspace-uuid-123",
userId: "user-uuid-123",
role: "OWNER",
},
});
});
it("should create a new workspace if none exists", async () => {
mockTxWorkspace.findFirst.mockResolvedValue(null);
mockTxWorkspace.create.mockResolvedValue({ id: "new-workspace-uuid" });
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(mockTxWorkspace.create).toHaveBeenCalledWith({
data: {
name: "Default Workspace",
ownerId: "user-uuid-123",
settings: {},
},
select: { id: true },
});
expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: "new-workspace-uuid",
userId: "user-uuid-123",
role: "OWNER",
},
});
});
it("should create a BetterAuth-compatible session", async () => {
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken,
"192.168.1.1",
"TestAgent/1.0"
);
expect(mockTxSession.create).toHaveBeenCalledWith({
data: {
userId: "user-uuid-123",
token: expect.any(String) as string,
expiresAt: expect.any(Date) as Date,
ipAddress: "192.168.1.1",
userAgent: "TestAgent/1.0",
},
});
});
it("should reject when BREAKGLASS_SETUP_TOKEN is not set", async () => {
delete process.env.BREAKGLASS_SETUP_TOKEN;
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when BREAKGLASS_SETUP_TOKEN is empty", async () => {
process.env.BREAKGLASS_SETUP_TOKEN = "";
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when setup token does not match", async () => {
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
"wrong-token"
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when email already exists", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "existing-user",
email: "admin@example.com",
});
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ConflictException);
});
it("should return session token and expiry", async () => {
const result = await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(typeof result.session.token).toBe("string");
expect(result.session.token.length).toBe(64); // 32 bytes hex
expect(result.session.expiresAt).toBeInstanceOf(Date);
});
});
describe("login", () => {
const validPasswordHash = "$2a$12$LJ3m4ys3Lz/YgP7xYz5k5uU6b5F6X1234567890abcdefghijkl";
beforeEach(async () => {
// Create a real bcrypt hash for testing
const realHash = await hash("securePassword123!", 4); // Low rounds for test speed
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
passwordHash: realHash,
deactivatedAt: null,
});
mockPrismaService.session.create.mockResolvedValue({});
});
it("should authenticate a valid local auth user", async () => {
const result = await service.login("admin@example.com", "securePassword123!");
expect(result.user).toEqual({
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
});
expect(result.session.token).toBeDefined();
expect(result.session.expiresAt).toBeInstanceOf(Date);
});
it("should create a session with ip and user agent", async () => {
await service.login("admin@example.com", "securePassword123!", "10.0.0.1", "Mozilla/5.0");
expect(mockPrismaService.session.create).toHaveBeenCalledWith({
data: {
userId: "user-uuid-123",
token: expect.any(String) as string,
expiresAt: expect.any(Date) as Date,
ipAddress: "10.0.0.1",
userAgent: "Mozilla/5.0",
},
});
});
it("should reject when user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.login("nonexistent@example.com", "password123456")).rejects.toThrow(
UnauthorizedException
);
});
it("should reject when user is not a local auth user", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "OIDC User",
isLocalAuth: false,
passwordHash: null,
deactivatedAt: null,
});
await expect(service.login("admin@example.com", "password123456")).rejects.toThrow(
UnauthorizedException
);
});
it("should reject when user is deactivated", async () => {
const realHash = await hash("securePassword123!", 4);
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Deactivated User",
isLocalAuth: true,
passwordHash: realHash,
deactivatedAt: new Date("2026-01-01"),
});
await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
new UnauthorizedException("Account has been deactivated")
);
});
it("should reject when password is incorrect", async () => {
await expect(service.login("admin@example.com", "wrongPassword123!")).rejects.toThrow(
UnauthorizedException
);
});
it("should throw InternalServerError when local auth user has no password hash", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Broken User",
isLocalAuth: true,
passwordHash: null,
deactivatedAt: null,
});
await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
InternalServerErrorException
);
});
it("should not reveal whether email exists in error messages", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
try {
await service.login("nonexistent@example.com", "password123456");
} catch (error) {
expect(error).toBeInstanceOf(UnauthorizedException);
expect((error as UnauthorizedException).message).toBe("Invalid email or password");
}
});
});
});

230
apps/api/src/auth/local/local-auth.service.ts Normal file
View File

@@ -0,0 +1,230 @@
import {
Injectable,
Logger,
ForbiddenException,
UnauthorizedException,
ConflictException,
InternalServerErrorException,
} from "@nestjs/common";
import { WorkspaceMemberRole } from "@prisma/client";
import { hash, compare } from "bcryptjs";
import { randomBytes, timingSafeEqual } from "crypto";
import { PrismaService } from "../../prisma/prisma.service";
const BCRYPT_ROUNDS = 12;
/** Session expiry: 7 days (matches BetterAuth config in auth.config.ts) */
const SESSION_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000;
interface SetupResult {
user: {
id: string;
email: string;
name: string;
isLocalAuth: boolean;
createdAt: Date;
};
session: {
token: string;
expiresAt: Date;
};
}
interface LoginResult {
user: {
id: string;
email: string;
name: string;
};
session: {
token: string;
expiresAt: Date;
};
}
@Injectable()
export class LocalAuthService {
private readonly logger = new Logger(LocalAuthService.name);
constructor(private readonly prisma: PrismaService) {}
/**
* First-time break-glass user creation.
* Validates the setup token, creates a local auth user with bcrypt-hashed password,
* and assigns OWNER role on the default workspace.
*/
async setup(
email: string,
name: string,
password: string,
setupToken: string,
ipAddress?: string,
userAgent?: string
): Promise<SetupResult> {
this.validateSetupToken(setupToken);
const existing = await this.prisma.user.findUnique({ where: { email } });
if (existing) {
throw new ConflictException("A user with this email already exists");
}
const passwordHash = await hash(password, BCRYPT_ROUNDS);
const result = await this.prisma.$transaction(async (tx) => {
const user = await tx.user.create({
data: {
email,
name,
isLocalAuth: true,
passwordHash,
emailVerified: true,
},
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
createdAt: true,
},
});
// Find or create a default workspace and assign OWNER role
await this.assignDefaultWorkspace(tx, user.id);
// Create a BetterAuth-compatible session
const session = await this.createSession(tx, user.id, ipAddress, userAgent);
return { user, session };
});
this.logger.log(`Break-glass user created: ${email}`);
return result;
}
/**
* Break-glass login: verify email + password against bcrypt hash.
* Only works for users with isLocalAuth=true.
*/
async login(
email: string,
password: string,
ipAddress?: string,
userAgent?: string
): Promise<LoginResult> {
const user = await this.prisma.user.findUnique({
where: { email },
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
passwordHash: true,
deactivatedAt: true,
},
});
if (!user?.isLocalAuth) {
throw new UnauthorizedException("Invalid email or password");
}
if (user.deactivatedAt) {
throw new UnauthorizedException("Account has been deactivated");
}
if (!user.passwordHash) {
this.logger.error(`Local auth user ${email} has no password hash`);
throw new InternalServerErrorException("Account configuration error");
}
const passwordValid = await compare(password, user.passwordHash);
if (!passwordValid) {
throw new UnauthorizedException("Invalid email or password");
}
const session = await this.createSession(this.prisma, user.id, ipAddress, userAgent);
this.logger.log(`Break-glass login: ${email}`);
return {
user: { id: user.id, email: user.email, name: user.name },
session,
};
}
/**
* Validate the setup token against the environment variable.
*/
private validateSetupToken(token: string): void {
const expectedToken = process.env.BREAKGLASS_SETUP_TOKEN;
if (!expectedToken || expectedToken.trim() === "") {
throw new ForbiddenException(
"Break-glass setup is not configured. Set BREAKGLASS_SETUP_TOKEN environment variable."
);
}
const tokenBuffer = Buffer.from(token);
const expectedBuffer = Buffer.from(expectedToken);
if (
tokenBuffer.length !== expectedBuffer.length ||
!timingSafeEqual(tokenBuffer, expectedBuffer)
) {
this.logger.warn("Invalid break-glass setup token attempt");
throw new ForbiddenException("Invalid setup token");
}
}
/**
* Find the first workspace or create a default one, then assign OWNER role.
*/
private async assignDefaultWorkspace(
tx: Parameters<Parameters<PrismaService["$transaction"]>[0]>[0],
userId: string
): Promise<void> {
let workspace = await tx.workspace.findFirst({
orderBy: { createdAt: "asc" },
select: { id: true },
});
workspace ??= await tx.workspace.create({
data: {
name: "Default Workspace",
ownerId: userId,
settings: {},
},
select: { id: true },
});
await tx.workspaceMember.create({
data: {
workspaceId: workspace.id,
userId,
role: WorkspaceMemberRole.OWNER,
},
});
}
/**
* Create a BetterAuth-compatible session record.
*/
private async createSession(
tx: { session: { create: typeof PrismaService.prototype.session.create } },
userId: string,
ipAddress?: string,
userAgent?: string
): Promise<{ token: string; expiresAt: Date }> {
const token = randomBytes(32).toString("hex");
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
await tx.session.create({
data: {
userId,
token,
expiresAt,
ipAddress: ipAddress ?? null,
userAgent: userAgent ?? null,
},
});
return { token, expiresAt };
}
}

2
apps/api/src/common/utils/log-sanitizer.spec.ts
View File

@@ -270,7 +270,7 @@ describe("sanitizeForLogging", () => {
const duration = Date.now() - start; const duration = Date.now() - start;
expect(result.password).toBe("[REDACTED]"); expect(result.password).toBe("[REDACTED]");
expect(duration).toBeLessThan(100); // Should complete in under 100ms expect(duration).toBeLessThan(500); // Should complete in under 500ms
}); });
}); });

2
apps/api/src/coordinator-integration/coordinator-integration.rate-limit.spec.ts
View File

@@ -245,7 +245,7 @@ describe("CoordinatorIntegrationController - Rate Limiting", () => {
.set("X-API-Key", "test-coordinator-key"); .set("X-API-Key", "test-coordinator-key");
expect(response.status).toBe(HttpStatus.TOO_MANY_REQUESTS); expect(response.status).toBe(HttpStatus.TOO_MANY_REQUESTS);
}); }, 30000);
}); });
describe("Per-API-Key Rate Limiting", () => { describe("Per-API-Key Rate Limiting", () => {

13
apps/api/src/teams/dto/create-team.dto.ts Normal file
View File

@@ -0,0 +1,13 @@
import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
export class CreateTeamDto {
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsOptional()
@IsString({ message: "description must be a string" })
@MaxLength(10000, { message: "description must not exceed 10000 characters" })
description?: string;
}

11
apps/api/src/teams/dto/manage-team-member.dto.ts Normal file
View File

@@ -0,0 +1,11 @@
import { TeamMemberRole } from "@prisma/client";
import { IsEnum, IsOptional, IsUUID } from "class-validator";
export class ManageTeamMemberDto {
@IsUUID("4", { message: "userId must be a valid UUID" })
userId!: string;
@IsOptional()
@IsEnum(TeamMemberRole, { message: "role must be a valid TeamMemberRole" })
role?: TeamMemberRole;
}

150
apps/api/src/teams/teams.controller.spec.ts Normal file
View File

@@ -0,0 +1,150 @@
import { Test, TestingModule } from "@nestjs/testing";
import { describe, it, expect, beforeEach, vi } from "vitest";
import { TeamMemberRole } from "@prisma/client";
import { AuthGuard } from "../auth/guards/auth.guard";
import { PermissionGuard, WorkspaceGuard } from "../common/guards";
import { TeamsController } from "./teams.controller";
import { TeamsService } from "./teams.service";
describe("TeamsController", () => {
let controller: TeamsController;
let service: TeamsService;
const mockTeamsService = {
create: vi.fn(),
findAll: vi.fn(),
addMember: vi.fn(),
removeMember: vi.fn(),
remove: vi.fn(),
};
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
const mockTeamId = "550e8400-e29b-41d4-a716-446655440002";
const mockUserId = "550e8400-e29b-41d4-a716-446655440003";
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
controllers: [TeamsController],
providers: [
{
provide: TeamsService,
useValue: mockTeamsService,
},
],
})
.overrideGuard(AuthGuard)
.useValue({ canActivate: vi.fn(() => true) })
.overrideGuard(WorkspaceGuard)
.useValue({ canActivate: vi.fn(() => true) })
.overrideGuard(PermissionGuard)
.useValue({ canActivate: vi.fn(() => true) })
.compile();
controller = module.get<TeamsController>(TeamsController);
service = module.get<TeamsService>(TeamsService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(controller).toBeDefined();
});
describe("create", () => {
it("should create a team in a workspace", async () => {
const createDto = {
name: "Platform Team",
description: "Owns platform services",
};
const createdTeam = {
id: mockTeamId,
workspaceId: mockWorkspaceId,
name: createDto.name,
description: createDto.description,
metadata: {},
createdAt: new Date(),
updatedAt: new Date(),
};
mockTeamsService.create.mockResolvedValue(createdTeam);
const result = await controller.create(createDto, mockWorkspaceId);
expect(result).toEqual(createdTeam);
expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, createDto);
});
});
describe("findAll", () => {
it("should list teams in a workspace", async () => {
const teams = [
{
id: mockTeamId,
workspaceId: mockWorkspaceId,
name: "Platform Team",
description: "Owns platform services",
metadata: {},
createdAt: new Date(),
updatedAt: new Date(),
_count: { members: 2 },
},
];
mockTeamsService.findAll.mockResolvedValue(teams);
const result = await controller.findAll(mockWorkspaceId);
expect(result).toEqual(teams);
expect(service.findAll).toHaveBeenCalledWith(mockWorkspaceId);
});
});
describe("addMember", () => {
it("should add a member to a team", async () => {
const dto = {
userId: mockUserId,
role: TeamMemberRole.ADMIN,
};
const createdTeamMember = {
teamId: mockTeamId,
userId: mockUserId,
role: TeamMemberRole.ADMIN,
joinedAt: new Date(),
user: {
id: mockUserId,
name: "Test User",
email: "test@example.com",
},
};
mockTeamsService.addMember.mockResolvedValue(createdTeamMember);
const result = await controller.addMember(mockTeamId, dto, mockWorkspaceId);
expect(result).toEqual(createdTeamMember);
expect(service.addMember).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId, dto);
});
});
describe("removeMember", () => {
it("should remove a member from a team", async () => {
mockTeamsService.removeMember.mockResolvedValue(undefined);
await controller.removeMember(mockTeamId, mockUserId, mockWorkspaceId);
expect(service.removeMember).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId, mockUserId);
});
});
describe("remove", () => {
it("should delete a team", async () => {
mockTeamsService.remove.mockResolvedValue(undefined);
await controller.remove(mockTeamId, mockWorkspaceId);
expect(service.remove).toHaveBeenCalledWith(mockWorkspaceId, mockTeamId);
});
});
});

51
apps/api/src/teams/teams.controller.ts Normal file
View File

@@ -0,0 +1,51 @@
import { Body, Controller, Delete, Get, Param, Post, UseGuards } from "@nestjs/common";
import { AuthGuard } from "../auth/guards/auth.guard";
import { PermissionGuard, WorkspaceGuard } from "../common/guards";
import { Permission, RequirePermission, Workspace } from "../common/decorators";
import { CreateTeamDto } from "./dto/create-team.dto";
import { ManageTeamMemberDto } from "./dto/manage-team-member.dto";
import { TeamsService } from "./teams.service";
@Controller("workspaces/:workspaceId/teams")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
export class TeamsController {
constructor(private readonly teamsService: TeamsService) {}
@Post()
@RequirePermission(Permission.WORKSPACE_ADMIN)
async create(@Body() createTeamDto: CreateTeamDto, @Workspace() workspaceId: string) {
return this.teamsService.create(workspaceId, createTeamDto);
}
@Get()
@RequirePermission(Permission.WORKSPACE_ANY)
async findAll(@Workspace() workspaceId: string) {
return this.teamsService.findAll(workspaceId);
}
@Post(":teamId/members")
@RequirePermission(Permission.WORKSPACE_ADMIN)
async addMember(
@Param("teamId") teamId: string,
@Body() dto: ManageTeamMemberDto,
@Workspace() workspaceId: string
) {
return this.teamsService.addMember(workspaceId, teamId, dto);
}
@Delete(":teamId/members/:userId")
@RequirePermission(Permission.WORKSPACE_ADMIN)
async removeMember(
@Param("teamId") teamId: string,
@Param("userId") userId: string,
@Workspace() workspaceId: string
) {
return this.teamsService.removeMember(workspaceId, teamId, userId);
}
@Delete(":teamId")
@RequirePermission(Permission.WORKSPACE_ADMIN)
async remove(@Param("teamId") teamId: string, @Workspace() workspaceId: string) {
return this.teamsService.remove(workspaceId, teamId);
}
}

13
apps/api/src/teams/teams.module.ts Normal file
View File

@@ -0,0 +1,13 @@
import { Module } from "@nestjs/common";
import { AuthModule } from "../auth/auth.module";
import { PrismaModule } from "../prisma/prisma.module";
import { TeamsController } from "./teams.controller";
import { TeamsService } from "./teams.service";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [TeamsController],
providers: [TeamsService],
exports: [TeamsService],
})
export class TeamsModule {}

286
apps/api/src/teams/teams.service.spec.ts Normal file
View File

@@ -0,0 +1,286 @@
import { BadRequestException, ConflictException, NotFoundException } from "@nestjs/common";
import { Test, TestingModule } from "@nestjs/testing";
import { TeamMemberRole } from "@prisma/client";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { PrismaService } from "../prisma/prisma.service";
import { TeamsService } from "./teams.service";
describe("TeamsService", () => {
let service: TeamsService;
let prisma: PrismaService;
const mockPrismaService = {
team: {
create: vi.fn(),
findMany: vi.fn(),
findFirst: vi.fn(),
deleteMany: vi.fn(),
},
workspaceMember: {
findUnique: vi.fn(),
},
teamMember: {
findUnique: vi.fn(),
create: vi.fn(),
deleteMany: vi.fn(),
},
};
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
const mockTeamId = "550e8400-e29b-41d4-a716-446655440002";
const mockUserId = "550e8400-e29b-41d4-a716-446655440003";
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
TeamsService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<TeamsService>(TeamsService);
prisma = module.get<PrismaService>(PrismaService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(service).toBeDefined();
});
describe("create", () => {
it("should create a team", async () => {
const createDto = {
name: "Platform Team",
description: "Owns platform services",
};
const createdTeam = {
id: mockTeamId,
workspaceId: mockWorkspaceId,
name: createDto.name,
description: createDto.description,
metadata: {},
createdAt: new Date(),
updatedAt: new Date(),
};
mockPrismaService.team.create.mockResolvedValue(createdTeam);
const result = await service.create(mockWorkspaceId, createDto);
expect(result).toEqual(createdTeam);
expect(prisma.team.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspaceId,
name: createDto.name,
description: createDto.description,
},
});
});
});
describe("findAll", () => {
it("should list teams for a workspace", async () => {
const teams = [
{
id: mockTeamId,
workspaceId: mockWorkspaceId,
name: "Platform Team",
description: "Owns platform services",
metadata: {},
createdAt: new Date(),
updatedAt: new Date(),
_count: { members: 1 },
},
];
mockPrismaService.team.findMany.mockResolvedValue(teams);
const result = await service.findAll(mockWorkspaceId);
expect(result).toEqual(teams);
expect(prisma.team.findMany).toHaveBeenCalledWith({
where: { workspaceId: mockWorkspaceId },
include: {
_count: {
select: { members: true },
},
},
orderBy: { createdAt: "asc" },
});
});
});
describe("addMember", () => {
it("should add a workspace member to a team", async () => {
const dto = {
userId: mockUserId,
role: TeamMemberRole.ADMIN,
};
const createdTeamMember = {
teamId: mockTeamId,
userId: mockUserId,
role: TeamMemberRole.ADMIN,
joinedAt: new Date(),
user: {
id: mockUserId,
name: "Test User",
email: "test@example.com",
},
};
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
mockPrismaService.teamMember.findUnique.mockResolvedValue(null);
mockPrismaService.teamMember.create.mockResolvedValue(createdTeamMember);
const result = await service.addMember(mockWorkspaceId, mockTeamId, dto);
expect(result).toEqual(createdTeamMember);
expect(prisma.team.findFirst).toHaveBeenCalledWith({
where: {
id: mockTeamId,
workspaceId: mockWorkspaceId,
},
select: { id: true },
});
expect(prisma.workspaceMember.findUnique).toHaveBeenCalledWith({
where: {
workspaceId_userId: {
workspaceId: mockWorkspaceId,
userId: mockUserId,
},
},
select: { userId: true },
});
expect(prisma.teamMember.create).toHaveBeenCalledWith({
data: {
teamId: mockTeamId,
userId: mockUserId,
role: TeamMemberRole.ADMIN,
},
include: {
user: {
select: {
id: true,
name: true,
email: true,
},
},
},
});
});
it("should use MEMBER role when role is omitted", async () => {
const dto = { userId: mockUserId };
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
mockPrismaService.teamMember.findUnique.mockResolvedValue(null);
mockPrismaService.teamMember.create.mockResolvedValue({
teamId: mockTeamId,
userId: mockUserId,
role: TeamMemberRole.MEMBER,
joinedAt: new Date(),
});
await service.addMember(mockWorkspaceId, mockTeamId, dto);
expect(prisma.teamMember.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
role: TeamMemberRole.MEMBER,
}),
})
);
});
it("should throw when team does not belong to workspace", async () => {
mockPrismaService.team.findFirst.mockResolvedValue(null);
await expect(
service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
).rejects.toThrow(NotFoundException);
expect(prisma.workspaceMember.findUnique).not.toHaveBeenCalled();
});
it("should throw when user is not a workspace member", async () => {
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.workspaceMember.findUnique.mockResolvedValue(null);
await expect(
service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
).rejects.toThrow(BadRequestException);
});
it("should throw when user is already in the team", async () => {
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.workspaceMember.findUnique.mockResolvedValue({ userId: mockUserId });
mockPrismaService.teamMember.findUnique.mockResolvedValue({ userId: mockUserId });
await expect(
service.addMember(mockWorkspaceId, mockTeamId, { userId: mockUserId })
).rejects.toThrow(ConflictException);
});
});
describe("removeMember", () => {
it("should remove a member from a team", async () => {
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.teamMember.deleteMany.mockResolvedValue({ count: 1 });
await service.removeMember(mockWorkspaceId, mockTeamId, mockUserId);
expect(prisma.teamMember.deleteMany).toHaveBeenCalledWith({
where: {
teamId: mockTeamId,
userId: mockUserId,
},
});
});
it("should throw when team does not belong to workspace", async () => {
mockPrismaService.team.findFirst.mockResolvedValue(null);
await expect(service.removeMember(mockWorkspaceId, mockTeamId, mockUserId)).rejects.toThrow(
NotFoundException
);
expect(prisma.teamMember.deleteMany).not.toHaveBeenCalled();
});
it("should throw when user is not in the team", async () => {
mockPrismaService.team.findFirst.mockResolvedValue({ id: mockTeamId });
mockPrismaService.teamMember.deleteMany.mockResolvedValue({ count: 0 });
await expect(service.removeMember(mockWorkspaceId, mockTeamId, mockUserId)).rejects.toThrow(
NotFoundException
);
});
});
describe("remove", () => {
it("should delete a team", async () => {
mockPrismaService.team.deleteMany.mockResolvedValue({ count: 1 });
await service.remove(mockWorkspaceId, mockTeamId);
expect(prisma.team.deleteMany).toHaveBeenCalledWith({
where: {
id: mockTeamId,
workspaceId: mockWorkspaceId,
},
});
});
it("should throw when team is not found", async () => {
mockPrismaService.team.deleteMany.mockResolvedValue({ count: 0 });
await expect(service.remove(mockWorkspaceId, mockTeamId)).rejects.toThrow(NotFoundException);
});
});
});

130
apps/api/src/teams/teams.service.ts Normal file
View File

@@ -0,0 +1,130 @@
import {
BadRequestException,
ConflictException,
Injectable,
NotFoundException,
} from "@nestjs/common";
import { TeamMemberRole } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service";
import { CreateTeamDto } from "./dto/create-team.dto";
import { ManageTeamMemberDto } from "./dto/manage-team-member.dto";
@Injectable()
export class TeamsService {
constructor(private readonly prisma: PrismaService) {}
async create(workspaceId: string, createTeamDto: CreateTeamDto) {
return this.prisma.team.create({
data: {
workspaceId,
name: createTeamDto.name,
description: createTeamDto.description ?? null,
},
});
}
async findAll(workspaceId: string) {
return this.prisma.team.findMany({
where: { workspaceId },
include: {
_count: {
select: { members: true },
},
},
orderBy: { createdAt: "asc" },
});
}
async addMember(workspaceId: string, teamId: string, dto: ManageTeamMemberDto) {
await this.ensureTeamInWorkspace(workspaceId, teamId);
const workspaceMember = await this.prisma.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: dto.userId,
},
},
select: { userId: true },
});
if (!workspaceMember) {
throw new BadRequestException(
`User ${dto.userId} must be a workspace member before being added to a team`
);
}
const existingTeamMember = await this.prisma.teamMember.findUnique({
where: {
teamId_userId: {
teamId,
userId: dto.userId,
},
},
select: { userId: true },
});
if (existingTeamMember) {
throw new ConflictException(`User ${dto.userId} is already a member of team ${teamId}`);
}
return this.prisma.teamMember.create({
data: {
teamId,
userId: dto.userId,
role: dto.role ?? TeamMemberRole.MEMBER,
},
include: {
user: {
select: {
id: true,
name: true,
email: true,
},
},
},
});
}
async removeMember(workspaceId: string, teamId: string, userId: string): Promise<void> {
await this.ensureTeamInWorkspace(workspaceId, teamId);
const result = await this.prisma.teamMember.deleteMany({
where: {
teamId,
userId,
},
});
if (result.count === 0) {
throw new NotFoundException(`User ${userId} is not a member of team ${teamId}`);
}
}
async remove(workspaceId: string, teamId: string): Promise<void> {
const result = await this.prisma.team.deleteMany({
where: {
id: teamId,
workspaceId,
},
});
if (result.count === 0) {
throw new NotFoundException(`Team with ID ${teamId} not found`);
}
}
private async ensureTeamInWorkspace(workspaceId: string, teamId: string): Promise<void> {
const team = await this.prisma.team.findFirst({
where: {
id: teamId,
workspaceId,
},
select: { id: true },
});
if (!team) {
throw new NotFoundException(`Team with ID ${teamId} not found`);
}
}
}

13
apps/api/src/workspaces/dto/add-member.dto.ts Normal file
View File

@@ -0,0 +1,13 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEnum, IsUUID } from "class-validator";
/**
* DTO for adding a user to a workspace.
*/
export class AddMemberDto {
@IsUUID("4", { message: "userId must be a valid UUID" })
userId!: string;
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}

3
apps/api/src/workspaces/dto/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export { AddMemberDto } from "./add-member.dto";
export { UpdateMemberRoleDto } from "./update-member-role.dto";
export { WorkspaceResponseDto } from "./workspace-response.dto";

10
apps/api/src/workspaces/dto/update-member-role.dto.ts Normal file
View File

@@ -0,0 +1,10 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEnum } from "class-validator";
/**
* DTO for updating a workspace member's role.
*/
export class UpdateMemberRoleDto {
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}

12
apps/api/src/workspaces/dto/workspace-response.dto.ts Normal file
View File

@@ -0,0 +1,12 @@
import type { WorkspaceMemberRole } from "@prisma/client";
/**
* Response DTO for a workspace the authenticated user belongs to.
*/
export class WorkspaceResponseDto {
id!: string;
name!: string;
ownerId!: string;
role!: WorkspaceMemberRole;
createdAt!: Date;
}

3
apps/api/src/workspaces/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export { WorkspacesModule } from "./workspaces.module";
export { WorkspacesService } from "./workspaces.service";
export { WorkspacesController } from "./workspaces.controller";

149
apps/api/src/workspaces/workspaces.controller.spec.ts Normal file
View File

@@ -0,0 +1,149 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { WorkspacesController } from "./workspaces.controller";
import { WorkspacesService } from "./workspaces.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { WorkspaceMemberRole } from "@prisma/client";
import type { AuthUser } from "@mosaic/shared";
describe("WorkspacesController", () => {
let controller: WorkspacesController;
let service: WorkspacesService;
const mockWorkspacesService = {
getUserWorkspaces: vi.fn(),
addMember: vi.fn(),
updateMemberRole: vi.fn(),
removeMember: vi.fn(),
};
const mockUser: AuthUser = {
id: "user-1",
email: "test@example.com",
name: "Test User",
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
controllers: [WorkspacesController],
providers: [
{
provide: WorkspacesService,
useValue: mockWorkspacesService,
},
],
})
.overrideGuard(AuthGuard)
.useValue({ canActivate: () => true })
.overrideGuard(WorkspaceGuard)
.useValue({ canActivate: () => true })
.overrideGuard(PermissionGuard)
.useValue({ canActivate: () => true })
.compile();
controller = module.get<WorkspacesController>(WorkspacesController);
service = module.get<WorkspacesService>(WorkspacesService);
vi.clearAllMocks();
});
describe("GET /api/workspaces", () => {
it("should call service with authenticated user id", async () => {
mockWorkspacesService.getUserWorkspaces.mockResolvedValueOnce([]);
await controller.getUserWorkspaces(mockUser);
expect(service.getUserWorkspaces).toHaveBeenCalledWith("user-1");
});
it("should return workspace list from service", async () => {
const mockWorkspaces = [
{
id: "ws-1",
name: "My Workspace",
ownerId: "user-1",
role: WorkspaceMemberRole.OWNER,
createdAt: new Date("2026-01-01"),
},
];
mockWorkspacesService.getUserWorkspaces.mockResolvedValueOnce(mockWorkspaces);
const result = await controller.getUserWorkspaces(mockUser);
expect(result).toEqual(mockWorkspaces);
});
it("should propagate service errors", async () => {
mockWorkspacesService.getUserWorkspaces.mockRejectedValueOnce(new Error("Database error"));
await expect(controller.getUserWorkspaces(mockUser)).rejects.toThrow("Database error");
});
});
describe("POST /api/workspaces/:id/members", () => {
it("should call service with workspace id, actor id, and add member dto", async () => {
const workspaceId = "ws-1";
const addMemberDto = {
userId: "user-2",
role: WorkspaceMemberRole.MEMBER,
};
const mockMember = {
workspaceId,
userId: "user-2",
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-02-01"),
};
mockWorkspacesService.addMember.mockResolvedValueOnce(mockMember);
const result = await controller.addMember(workspaceId, addMemberDto, mockUser);
expect(result).toEqual(mockMember);
expect(service.addMember).toHaveBeenCalledWith(workspaceId, mockUser.id, addMemberDto);
});
});
describe("PATCH /api/workspaces/:id/members/:userId", () => {
it("should call service with workspace id, actor id, target user id, and role dto", async () => {
const workspaceId = "ws-1";
const targetUserId = "user-2";
const updateRoleDto = {
role: WorkspaceMemberRole.ADMIN,
};
const mockMember = {
workspaceId,
userId: targetUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-02-01"),
};
mockWorkspacesService.updateMemberRole.mockResolvedValueOnce(mockMember);
const result = await controller.updateMemberRole(
workspaceId,
targetUserId,
updateRoleDto,
mockUser
);
expect(result).toEqual(mockMember);
expect(service.updateMemberRole).toHaveBeenCalledWith(
workspaceId,
mockUser.id,
targetUserId,
updateRoleDto
);
});
});
describe("DELETE /api/workspaces/:id/members/:userId", () => {
it("should call service with workspace id, actor id, and target user id", async () => {
const workspaceId = "ws-1";
const targetUserId = "user-2";
mockWorkspacesService.removeMember.mockResolvedValueOnce(undefined);
await controller.removeMember(workspaceId, targetUserId, mockUser);
expect(service.removeMember).toHaveBeenCalledWith(workspaceId, mockUser.id, targetUserId);
});
});
});

85
apps/api/src/workspaces/workspaces.controller.ts Normal file
View File

@@ -0,0 +1,85 @@
import { Body, Controller, Delete, Get, Param, Patch, Post, UseGuards } from "@nestjs/common";
import { WorkspacesService } from "./workspaces.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { CurrentUser } from "../auth/decorators/current-user.decorator";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { Permission, RequirePermission } from "../common/decorators";
import type { WorkspaceMember } from "@prisma/client";
import type { AuthenticatedUser } from "../common/types/user.types";
import type { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
/**
* User-scoped workspace operations.
*
* Intentionally does NOT use WorkspaceGuard — these routes operate across all
* workspaces the user belongs to, not within a single workspace context.
*/
@Controller("workspaces")
@UseGuards(AuthGuard)
export class WorkspacesController {
constructor(private readonly workspacesService: WorkspacesService) {}
/**
* GET /api/workspaces
* Returns workspaces the authenticated user is a member of.
* Auto-provisions a default workspace if the user has none.
*/
@Get()
async getUserWorkspaces(@CurrentUser() user: AuthenticatedUser): Promise<WorkspaceResponseDto[]> {
return this.workspacesService.getUserWorkspaces(user.id);
}
/**
* POST /api/workspaces/:workspaceId/members
* Add a member to a workspace with the specified role.
* Requires: ADMIN role or higher.
*/
@Post(":workspaceId/members")
@UseGuards(WorkspaceGuard, PermissionGuard)
@RequirePermission(Permission.WORKSPACE_ADMIN)
async addMember(
@Param("workspaceId") workspaceId: string,
@Body() addMemberDto: AddMemberDto,
@CurrentUser() user: AuthenticatedUser
): Promise<WorkspaceMember> {
return this.workspacesService.addMember(workspaceId, user.id, addMemberDto);
}
/**
* PATCH /api/workspaces/:workspaceId/members/:userId
* Change a member role in a workspace.
* Requires: ADMIN role or higher.
*/
@Patch(":workspaceId/members/:userId")
@UseGuards(WorkspaceGuard, PermissionGuard)
@RequirePermission(Permission.WORKSPACE_ADMIN)
async updateMemberRole(
@Param("workspaceId") workspaceId: string,
@Param("userId") targetUserId: string,
@Body() updateMemberRoleDto: UpdateMemberRoleDto,
@CurrentUser() user: AuthenticatedUser
): Promise<WorkspaceMember> {
return this.workspacesService.updateMemberRole(
workspaceId,
user.id,
targetUserId,
updateMemberRoleDto
);
}
/**
* DELETE /api/workspaces/:workspaceId/members/:userId
* Remove a member from a workspace.
* Requires: ADMIN role or higher.
*/
@Delete(":workspaceId/members/:userId")
@UseGuards(WorkspaceGuard, PermissionGuard)
@RequirePermission(Permission.WORKSPACE_ADMIN)
async removeMember(
@Param("workspaceId") workspaceId: string,
@Param("userId") targetUserId: string,
@CurrentUser() user: AuthenticatedUser
): Promise<void> {
await this.workspacesService.removeMember(workspaceId, user.id, targetUserId);
}
}

13
apps/api/src/workspaces/workspaces.module.ts Normal file
View File

@@ -0,0 +1,13 @@
import { Module } from "@nestjs/common";
import { WorkspacesController } from "./workspaces.controller";
import { WorkspacesService } from "./workspaces.service";
import { PrismaModule } from "../prisma/prisma.module";
import { AuthModule } from "../auth/auth.module";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [WorkspacesController],
providers: [WorkspacesService],
exports: [WorkspacesService],
})
export class WorkspacesModule {}

516
apps/api/src/workspaces/workspaces.service.spec.ts Normal file
View File

@@ -0,0 +1,516 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { WorkspacesService } from "./workspaces.service";
import { PrismaService } from "../prisma/prisma.service";
import { WorkspaceMemberRole } from "@prisma/client";
import {
BadRequestException,
ConflictException,
ForbiddenException,
NotFoundException,
} from "@nestjs/common";
describe("WorkspacesService", () => {
let service: WorkspacesService;
const mockUserId = "550e8400-e29b-41d4-a716-446655440001";
const mockAdminUserId = "550e8400-e29b-41d4-a716-446655440010";
const mockMemberUserId = "550e8400-e29b-41d4-a716-446655440011";
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440002";
const mockWorkspace = {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockUserId,
settings: {},
matrixRoomId: null,
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
};
const mockMembership = {
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
workspace: {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockUserId,
createdAt: new Date("2026-01-01"),
},
};
const mockPrismaService = {
workspaceMember: {
findMany: vi.fn(),
findUnique: vi.fn(),
count: vi.fn(),
create: vi.fn(),
update: vi.fn(),
delete: vi.fn(),
},
workspace: {
create: vi.fn(),
},
user: {
findUnique: vi.fn(),
},
$transaction: vi.fn(),
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
WorkspacesService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<WorkspacesService>(WorkspacesService);
vi.clearAllMocks();
mockPrismaService.$transaction.mockImplementation(
async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) =>
fn(mockPrismaService as unknown as typeof mockPrismaService)
);
});
describe("getUserWorkspaces", () => {
it("should return all workspaces user is a member of", async () => {
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([mockMembership]);
const result = await service.getUserWorkspaces(mockUserId);
expect(result).toEqual([
{
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockUserId,
role: WorkspaceMemberRole.OWNER,
createdAt: mockMembership.workspace.createdAt,
},
]);
expect(mockPrismaService.workspaceMember.findMany).toHaveBeenCalledWith({
where: { userId: mockUserId },
include: {
workspace: {
select: { id: true, name: true, ownerId: true, createdAt: true },
},
},
orderBy: { joinedAt: "asc" },
});
});
it("should return multiple workspaces ordered by joinedAt", async () => {
const secondWorkspace = {
...mockMembership,
workspaceId: "ws-2",
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-02-01"),
workspace: {
id: "ws-2",
name: "Second Workspace",
ownerId: "other-user",
createdAt: new Date("2026-02-01"),
},
};
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([
mockMembership,
secondWorkspace,
]);
const result = await service.getUserWorkspaces(mockUserId);
expect(result).toHaveLength(2);
expect(result[0].id).toBe(mockWorkspaceId);
expect(result[1].id).toBe("ws-2");
expect(result[1].role).toBe(WorkspaceMemberRole.MEMBER);
});
it("should auto-provision a default workspace when user has no memberships", async () => {
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
mockPrismaService.$transaction.mockImplementationOnce(
async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
const txMock = {
workspaceMember: {
findFirst: vi.fn().mockResolvedValueOnce(null),
create: vi.fn().mockResolvedValueOnce({}),
},
workspace: {
create: vi.fn().mockResolvedValueOnce(mockWorkspace),
},
};
return fn(txMock as unknown as typeof mockPrismaService);
}
);
const result = await service.getUserWorkspaces(mockUserId);
expect(result).toHaveLength(1);
expect(result[0].name).toBe("Test Workspace");
expect(result[0].role).toBe(WorkspaceMemberRole.OWNER);
expect(mockPrismaService.$transaction).toHaveBeenCalledTimes(1);
});
it("should return existing workspace if one was created between initial check and transaction", async () => {
// Simulates a race condition: initial findMany returns [], but inside the
// transaction another request already created a workspace.
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
mockPrismaService.$transaction.mockImplementationOnce(
async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
const txMock = {
workspaceMember: {
findFirst: vi.fn().mockResolvedValueOnce(mockMembership),
},
workspace: {
create: vi.fn(),
},
};
return fn(txMock as unknown as typeof mockPrismaService);
}
);
const result = await service.getUserWorkspaces(mockUserId);
expect(result).toHaveLength(1);
expect(result[0].id).toBe(mockWorkspaceId);
expect(result[0].name).toBe("Test Workspace");
});
it("should create workspace with correct data during auto-provisioning", async () => {
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([]);
let capturedWorkspaceData: unknown;
let capturedMemberData: unknown;
mockPrismaService.$transaction.mockImplementationOnce(
async (fn: (tx: typeof mockPrismaService) => Promise<unknown>) => {
const txMock = {
workspaceMember: {
findFirst: vi.fn().mockResolvedValueOnce(null),
create: vi.fn().mockImplementation((args: unknown) => {
capturedMemberData = args;
return {};
}),
},
workspace: {
create: vi.fn().mockImplementation((args: unknown) => {
capturedWorkspaceData = args;
return mockWorkspace;
}),
},
};
return fn(txMock as unknown as typeof mockPrismaService);
}
);
await service.getUserWorkspaces(mockUserId);
expect(capturedWorkspaceData).toEqual({
data: {
name: "My Workspace",
ownerId: mockUserId,
settings: {},
},
});
expect(capturedMemberData).toEqual({
data: {
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
},
});
});
it("should not auto-provision when user already has workspaces", async () => {
mockPrismaService.workspaceMember.findMany.mockResolvedValueOnce([mockMembership]);
await service.getUserWorkspaces(mockUserId);
expect(mockPrismaService.$transaction).not.toHaveBeenCalled();
});
it("should propagate database errors", async () => {
mockPrismaService.workspaceMember.findMany.mockRejectedValueOnce(
new Error("Database connection failed")
);
await expect(service.getUserWorkspaces(mockUserId)).rejects.toThrow(
"Database connection failed"
);
});
});
describe("addMember", () => {
const addMemberDto = {
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
};
it("should add a new member to the workspace", async () => {
const createdMembership = {
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-02-02"),
};
mockPrismaService.user.findUnique.mockResolvedValueOnce({ id: mockMemberUserId });
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce(null);
mockPrismaService.workspaceMember.create.mockResolvedValueOnce(createdMembership);
const result = await service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto);
expect(result).toEqual(createdMembership);
expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
},
});
});
it("should throw NotFoundException when user does not exist", async () => {
mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
});
mockPrismaService.user.findUnique.mockResolvedValueOnce(null);
await expect(
service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto)
).rejects.toThrow(NotFoundException);
});
it("should throw ConflictException when user is already a member", async () => {
mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
});
mockPrismaService.user.findUnique.mockResolvedValueOnce({ id: mockMemberUserId });
mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-02"),
});
await expect(
service.addMember(mockWorkspaceId, mockAdminUserId, addMemberDto)
).rejects.toThrow(ConflictException);
});
it("should throw ForbiddenException when admin tries to assign OWNER role", async () => {
mockPrismaService.workspaceMember.findUnique.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
});
await expect(
service.addMember(mockWorkspaceId, mockAdminUserId, {
userId: mockMemberUserId,
role: WorkspaceMemberRole.OWNER,
})
).rejects.toThrow(ForbiddenException);
});
});
describe("updateMemberRole", () => {
it("should update a member role", async () => {
const updatedMembership = {
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-02"),
};
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-02"),
});
mockPrismaService.workspaceMember.update.mockResolvedValueOnce(updatedMembership);
const result = await service.updateMemberRole(mockWorkspaceId, mockUserId, mockMemberUserId, {
role: WorkspaceMemberRole.ADMIN,
});
expect(result).toEqual(updatedMembership);
expect(mockPrismaService.workspaceMember.update).toHaveBeenCalledWith({
where: {
workspaceId_userId: {
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
},
},
data: {
role: WorkspaceMemberRole.ADMIN,
},
});
});
it("should throw NotFoundException when target member does not exist", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce(null);
await expect(
service.updateMemberRole(mockWorkspaceId, mockUserId, mockMemberUserId, {
role: WorkspaceMemberRole.ADMIN,
})
).rejects.toThrow(NotFoundException);
});
it("should throw BadRequestException when sole owner attempts self-demotion", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
});
mockPrismaService.workspaceMember.count.mockResolvedValueOnce(1);
await expect(
service.updateMemberRole(mockWorkspaceId, mockUserId, mockUserId, {
role: WorkspaceMemberRole.ADMIN,
})
).rejects.toThrow(BadRequestException);
});
it("should throw ForbiddenException when actor tries to change role of higher-ranked member", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
});
await expect(
service.updateMemberRole(mockWorkspaceId, mockAdminUserId, mockUserId, {
role: WorkspaceMemberRole.MEMBER,
})
).rejects.toThrow(ForbiddenException);
});
});
describe("removeMember", () => {
it("should remove a workspace member", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-02"),
});
mockPrismaService.workspaceMember.delete.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-02"),
});
await service.removeMember(mockWorkspaceId, mockUserId, mockMemberUserId);
expect(mockPrismaService.workspaceMember.delete).toHaveBeenCalledWith({
where: {
workspaceId_userId: {
workspaceId: mockWorkspaceId,
userId: mockMemberUserId,
},
},
});
});
it("should throw BadRequestException when trying to remove the last owner", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
});
mockPrismaService.workspaceMember.count.mockResolvedValueOnce(1);
await expect(service.removeMember(mockWorkspaceId, mockUserId, mockUserId)).rejects.toThrow(
BadRequestException
);
});
it("should throw ForbiddenException when admin attempts to remove an owner", async () => {
mockPrismaService.workspaceMember.findUnique
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockAdminUserId,
role: WorkspaceMemberRole.ADMIN,
joinedAt: new Date("2026-01-01"),
})
.mockResolvedValueOnce({
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.OWNER,
joinedAt: new Date("2026-01-01"),
});
await expect(
service.removeMember(mockWorkspaceId, mockAdminUserId, mockUserId)
).rejects.toThrow(ForbiddenException);
});
});
});

345
apps/api/src/workspaces/workspaces.service.ts Normal file
View File

@@ -0,0 +1,345 @@
import {
BadRequestException,
ConflictException,
ForbiddenException,
Injectable,
Logger,
NotFoundException,
} from "@nestjs/common";
import { Prisma, WorkspaceMemberRole } from "@prisma/client";
import type { WorkspaceMember } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service";
import type { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
const WORKSPACE_ROLE_RANK: Record<WorkspaceMemberRole, number> = {
[WorkspaceMemberRole.GUEST]: 1,
[WorkspaceMemberRole.MEMBER]: 2,
[WorkspaceMemberRole.ADMIN]: 3,
[WorkspaceMemberRole.OWNER]: 4,
};
@Injectable()
export class WorkspacesService {
private readonly logger = new Logger(WorkspacesService.name);
constructor(private readonly prisma: PrismaService) {}
/**
* Get all workspaces the user is a member of.
*
* Auto-provisioning: if the user has no workspace memberships (e.g. fresh
* signup via BetterAuth), a default workspace is created atomically and
* returned. This is the only call site for workspace bootstrapping.
*/
async getUserWorkspaces(userId: string): Promise<WorkspaceResponseDto[]> {
const memberships = await this.prisma.workspaceMember.findMany({
where: { userId },
include: {
workspace: {
select: { id: true, name: true, ownerId: true, createdAt: true },
},
},
orderBy: { joinedAt: "asc" },
});
if (memberships.length > 0) {
return memberships.map((m) => ({
id: m.workspace.id,
name: m.workspace.name,
ownerId: m.workspace.ownerId,
role: m.role,
createdAt: m.workspace.createdAt,
}));
}
// Auto-provision a default workspace for new users.
// Re-query inside the transaction to guard against concurrent requests
// both seeing zero memberships and creating duplicate workspaces.
this.logger.log(`Auto-provisioning default workspace for user ${userId}`);
const workspace = await this.prisma.$transaction(async (tx) => {
const existing = await tx.workspaceMember.findFirst({
where: { userId },
include: {
workspace: {
select: { id: true, name: true, ownerId: true, createdAt: true },
},
},
});
if (existing) {
return { ...existing.workspace, alreadyExisted: true as const };
}
const created = await tx.workspace.create({
data: {
name: "My Workspace",
ownerId: userId,
settings: {},
},
});
await tx.workspaceMember.create({
data: {
workspaceId: created.id,
userId,
role: WorkspaceMemberRole.OWNER,
},
});
return { ...created, alreadyExisted: false as const };
});
if (workspace.alreadyExisted) {
return [
{
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
role: WorkspaceMemberRole.OWNER,
createdAt: workspace.createdAt,
},
];
}
return [
{
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
role: WorkspaceMemberRole.OWNER,
createdAt: workspace.createdAt,
},
];
}
/**
* Add a member to a workspace.
*/
async addMember(
workspaceId: string,
actorUserId: string,
addMemberDto: AddMemberDto
): Promise<WorkspaceMember> {
const actorMembership = await this.prisma.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: actorUserId,
},
},
select: {
role: true,
},
});
if (!actorMembership) {
throw new ForbiddenException("You are not a member of this workspace");
}
this.assertCanAssignRole(actorMembership.role, addMemberDto.role);
const user = await this.prisma.user.findUnique({
where: { id: addMemberDto.userId },
select: { id: true },
});
if (!user) {
throw new NotFoundException(`User with ID ${addMemberDto.userId} not found`);
}
const existingMembership = await this.prisma.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: addMemberDto.userId,
},
},
select: {
workspaceId: true,
userId: true,
},
});
if (existingMembership) {
throw new ConflictException("User is already a member of this workspace");
}
try {
return await this.prisma.workspaceMember.create({
data: {
workspaceId,
userId: addMemberDto.userId,
role: addMemberDto.role,
},
});
} catch (error) {
if (this.isUniqueConstraintError(error)) {
throw new ConflictException("User is already a member of this workspace");
}
throw error;
}
}
/**
* Update the role of an existing workspace member.
*/
async updateMemberRole(
workspaceId: string,
actorUserId: string,
targetUserId: string,
updateMemberRoleDto: UpdateMemberRoleDto
): Promise<WorkspaceMember> {
return this.prisma.$transaction(async (tx) => {
const actorMembership = await tx.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: actorUserId,
},
},
select: {
role: true,
},
});
if (!actorMembership) {
throw new ForbiddenException("You are not a member of this workspace");
}
const targetMembership = await tx.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: targetUserId,
},
},
select: {
role: true,
},
});
if (!targetMembership) {
throw new NotFoundException(`User ${targetUserId} is not a member of this workspace`);
}
this.assertCanManageTargetMember(actorMembership.role, targetMembership.role);
this.assertCanAssignRole(actorMembership.role, updateMemberRoleDto.role);
if (targetMembership.role === WorkspaceMemberRole.OWNER) {
const isDemotion = updateMemberRoleDto.role !== WorkspaceMemberRole.OWNER;
if (isDemotion) {
const ownerCount = await tx.workspaceMember.count({
where: {
workspaceId,
role: WorkspaceMemberRole.OWNER,
},
});
if (ownerCount <= 1) {
if (actorUserId === targetUserId) {
throw new BadRequestException("Cannot self-demote if you are the sole owner");
}
throw new BadRequestException("Cannot remove the last owner from a workspace");
}
}
}
return tx.workspaceMember.update({
where: {
workspaceId_userId: {
workspaceId,
userId: targetUserId,
},
},
data: {
role: updateMemberRoleDto.role,
},
});
});
}
/**
* Remove a member from a workspace.
*/
async removeMember(
workspaceId: string,
actorUserId: string,
targetUserId: string
): Promise<void> {
await this.prisma.$transaction(async (tx) => {
const actorMembership = await tx.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: actorUserId,
},
},
select: {
role: true,
},
});
if (!actorMembership) {
throw new ForbiddenException("You are not a member of this workspace");
}
const targetMembership = await tx.workspaceMember.findUnique({
where: {
workspaceId_userId: {
workspaceId,
userId: targetUserId,
},
},
select: {
role: true,
},
});
if (!targetMembership) {
throw new NotFoundException(`User ${targetUserId} is not a member of this workspace`);
}
this.assertCanManageTargetMember(actorMembership.role, targetMembership.role);
if (targetMembership.role === WorkspaceMemberRole.OWNER) {
const ownerCount = await tx.workspaceMember.count({
where: {
workspaceId,
role: WorkspaceMemberRole.OWNER,
},
});
if (ownerCount <= 1) {
throw new BadRequestException("Cannot remove the last owner from a workspace");
}
}
await tx.workspaceMember.delete({
where: {
workspaceId_userId: {
workspaceId,
userId: targetUserId,
},
},
});
});
}
private assertCanAssignRole(
actorRole: WorkspaceMemberRole,
requestedRole: WorkspaceMemberRole
): void {
if (WORKSPACE_ROLE_RANK[actorRole] < WORKSPACE_ROLE_RANK[requestedRole]) {
throw new ForbiddenException("You cannot assign a role higher than your own");
}
}
private assertCanManageTargetMember(
actorRole: WorkspaceMemberRole,
targetRole: WorkspaceMemberRole
): void {
if (WORKSPACE_ROLE_RANK[actorRole] < WORKSPACE_ROLE_RANK[targetRole]) {
throw new ForbiddenException("You cannot manage a member with a higher role");
}
}
private isUniqueConstraintError(error: unknown): error is Prisma.PrismaClientKnownRequestError {
return error instanceof Prisma.PrismaClientKnownRequestError && error.code === "P2002";
}
}

19
apps/web/src/app/(authenticated)/profile/page.tsx
View File

@@ -265,23 +265,8 @@ export default function ProfilePage(): ReactElement {
</p> </p>
)} )}
{user?.workspaceRole && ( {/* Workspace role badge — placeholder until workspace context API
<span provides role data via GET /api/workspaces */}
style={{
display: "inline-block",
marginTop: 8,
padding: "3px 10px",
borderRadius: "var(--r)",
background: "rgba(47, 128, 255, 0.1)",
color: "var(--ms-blue-400)",
fontSize: "0.75rem",
fontWeight: 600,
textTransform: "capitalize",
}}
>
{user.workspaceRole}
</span>
)}
</div> </div>
</div> </div>
</div> </div>

19
apps/web/src/app/(authenticated)/settings/workspaces/[id]/page.tsx
View File

@@ -39,6 +39,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2024-01-15"), createdAt: new Date("2024-01-15"),
updatedAt: new Date("2024-01-15"), updatedAt: new Date("2024-01-15"),
}, },
@@ -56,6 +62,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2024-01-16"), createdAt: new Date("2024-01-16"),
updatedAt: new Date("2024-01-16"), updatedAt: new Date("2024-01-16"),
}, },
@@ -73,6 +85,12 @@ const mockMembers: WorkspaceMemberWithUser[] = [
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2024-01-17"), createdAt: new Date("2024-01-17"),
updatedAt: new Date("2024-01-17"), updatedAt: new Date("2024-01-17"),
}, },
@@ -91,7 +109,6 @@ export default function WorkspaceDetailPage({
// TODO: Replace with actual role check when API is implemented // TODO: Replace with actual role check when API is implemented
// Currently hardcoded to OWNER in mock data (line 89) // Currently hardcoded to OWNER in mock data (line 89)
const canInvite = const canInvite =
// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
currentUserRole === WorkspaceMemberRole.OWNER || currentUserRole === WorkspaceMemberRole.ADMIN; currentUserRole === WorkspaceMemberRole.OWNER || currentUserRole === WorkspaceMemberRole.ADMIN;
const handleUpdateWorkspace = async (name: string): Promise<void> => { const handleUpdateWorkspace = async (name: string): Promise<void> => {

12
apps/web/src/app/settings/workspaces/[id]/teams/[teamId]/page.tsx
View File

@@ -21,6 +21,12 @@ const mockAvailableUsers: User[] = [
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2026-01-17"), createdAt: new Date("2026-01-17"),
updatedAt: new Date("2026-01-17"), updatedAt: new Date("2026-01-17"),
}, },
@@ -32,6 +38,12 @@ const mockAvailableUsers: User[] = [
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2026-01-18"), createdAt: new Date("2026-01-18"),
updatedAt: new Date("2026-01-18"), updatedAt: new Date("2026-01-18"),
}, },

333
apps/web/src/components/admin/InviteUserDialog.tsx Normal file
View File

@@ -0,0 +1,333 @@
"use client";
import { useState, type ReactElement, type SyntheticEvent } from "react";
import { Input } from "@/components/ui/input";
import {
Select,
SelectContent,
SelectItem,
SelectTrigger,
SelectValue,
} from "@/components/ui/select";
import type { InviteUserDto, WorkspaceMemberRole } from "@/lib/api/admin";
/* ---------------------------------------------------------------------------
Types
--------------------------------------------------------------------------- */
interface WorkspaceOption {
id: string;
name: string;
}
interface InviteUserDialogProps {
open: boolean;
onOpenChange: (open: boolean) => void;
onSubmit: (data: InviteUserDto) => Promise<void>;
isSubmitting: boolean;
workspaces: WorkspaceOption[];
}
/* ---------------------------------------------------------------------------
Validation
--------------------------------------------------------------------------- */
const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function validateEmail(value: string): string | null {
const trimmed = value.trim();
if (!trimmed) return "Email is required.";
if (!EMAIL_REGEX.test(trimmed)) return "Please enter a valid email address.";
return null;
}
/* ---------------------------------------------------------------------------
Component
--------------------------------------------------------------------------- */
export function InviteUserDialog({
open,
onOpenChange,
onSubmit,
isSubmitting,
workspaces,
}: InviteUserDialogProps): ReactElement | null {
const [email, setEmail] = useState("");
const [name, setName] = useState("");
const [workspaceId, setWorkspaceId] = useState("");
const [role, setRole] = useState<WorkspaceMemberRole>("MEMBER");
const [formError, setFormError] = useState<string | null>(null);
function resetForm(): void {
setEmail("");
setName("");
setWorkspaceId("");
setRole("MEMBER");
setFormError(null);
}
async function handleSubmit(e: SyntheticEvent): Promise<void> {
e.preventDefault();
setFormError(null);
const emailError = validateEmail(email);
if (emailError) {
setFormError(emailError);
return;
}
try {
const dto: InviteUserDto = {
email: email.trim(),
role,
};
const trimmedName = name.trim();
if (trimmedName) dto.name = trimmedName;
if (workspaceId) dto.workspaceId = workspaceId;
await onSubmit(dto);
resetForm();
} catch (err: unknown) {
setFormError(err instanceof Error ? err.message : "Failed to send invitation.");
}
}
if (!open) return null;
return (
<div
role="dialog"
aria-modal="true"
aria-labelledby="invite-user-title"
style={{
position: "fixed",
inset: 0,
zIndex: 50,
display: "flex",
alignItems: "center",
justifyContent: "center",
}}
>
{/* Backdrop */}
<div
data-testid="invite-dialog-backdrop"
style={{ position: "fixed", inset: 0, background: "rgba(0,0,0,0.5)" }}
onClick={() => {
if (!isSubmitting) {
resetForm();
onOpenChange(false);
}
}}
/>
{/* Dialog */}
<div
style={{
position: "relative",
background: "var(--surface, #fff)",
borderRadius: "8px",
border: "1px solid var(--border, #e5e7eb)",
padding: 24,
width: "100%",
maxWidth: 480,
zIndex: 1,
maxHeight: "90vh",
overflowY: "auto",
}}
>
<h2
id="invite-user-title"
style={{
fontSize: "1.125rem",
fontWeight: 600,
color: "var(--text, #111)",
margin: "0 0 8px",
}}
>
Invite User
</h2>
<p style={{ color: "var(--muted, #6b7280)", fontSize: "0.875rem", margin: "0 0 16px" }}>
Send an invitation to join the platform.
</p>
<form
onSubmit={(e) => {
void handleSubmit(e);
}}
>
{/* Email */}
<div style={{ marginBottom: 16 }}>
<label
htmlFor="invite-email"
style={{
display: "block",
marginBottom: 6,
fontSize: "0.85rem",
fontWeight: 500,
color: "var(--text-2, #374151)",
}}
>
Email <span style={{ color: "var(--danger, #ef4444)" }}>*</span>
</label>
<Input
id="invite-email"
type="email"
value={email}
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setEmail(e.target.value);
}}
placeholder="user@example.com"
maxLength={254}
autoFocus
/>
</div>
{/* Name */}
<div style={{ marginBottom: 16 }}>
<label
htmlFor="invite-name"
style={{
display: "block",
marginBottom: 6,
fontSize: "0.85rem",
fontWeight: 500,
color: "var(--text-2, #374151)",
}}
>
Name
</label>
<Input
id="invite-name"
type="text"
value={name}
onChange={(e: React.ChangeEvent<HTMLInputElement>) => {
setName(e.target.value);
}}
placeholder="Full name (optional)"
maxLength={255}
/>
</div>
{/* Workspace */}
{workspaces.length > 0 && (
<div style={{ marginBottom: 16 }}>
<label
htmlFor="invite-workspace"
style={{
display: "block",
marginBottom: 6,
fontSize: "0.85rem",
fontWeight: 500,
color: "var(--text-2, #374151)",
}}
>
Workspace
</label>
<Select
value={workspaceId}
onValueChange={(v) => {
setWorkspaceId(v);
}}
>
<SelectTrigger id="invite-workspace">
<SelectValue placeholder="Select a workspace (optional)" />
</SelectTrigger>
<SelectContent>
{workspaces.map((ws) => (
<SelectItem key={ws.id} value={ws.id}>
{ws.name}
</SelectItem>
))}
</SelectContent>
</Select>
</div>
)}
{/* Role */}
<div style={{ marginBottom: 16 }}>
<label
htmlFor="invite-role"
style={{
display: "block",
marginBottom: 6,
fontSize: "0.85rem",
fontWeight: 500,
color: "var(--text-2, #374151)",
}}
>
Role
</label>
<Select
value={role}
onValueChange={(v) => {
setRole(v as WorkspaceMemberRole);
}}
>
<SelectTrigger id="invite-role">
<SelectValue placeholder="Select role" />
</SelectTrigger>
<SelectContent>
<SelectItem value="MEMBER">Member</SelectItem>
<SelectItem value="ADMIN">Admin</SelectItem>
</SelectContent>
</Select>
</div>
{/* Form error */}
{formError !== null && (
<p
role="alert"
style={{
color: "var(--danger, #ef4444)",
fontSize: "0.85rem",
margin: "0 0 12px",
}}
>
{formError}
</p>
)}
{/* Buttons */}
<div style={{ display: "flex", justifyContent: "flex-end", gap: 8, marginTop: 8 }}>
<button
type="button"
onClick={() => {
resetForm();
onOpenChange(false);
}}
disabled={isSubmitting}
style={{
padding: "8px 16px",
background: "transparent",
border: "1px solid var(--border, #d1d5db)",
borderRadius: "6px",
color: "var(--text-2, #374151)",
fontSize: "0.85rem",
cursor: "pointer",
}}
>
Cancel
</button>
<button
type="submit"
disabled={isSubmitting || !email.trim()}
style={{
padding: "8px 16px",
background: "var(--primary, #111827)",
border: "none",
borderRadius: "6px",
color: "#fff",
fontSize: "0.85rem",
fontWeight: 500,
cursor: isSubmitting || !email.trim() ? "not-allowed" : "pointer",
opacity: isSubmitting || !email.trim() ? 0.6 : 1,
}}
>
{isSubmitting ? "Sending..." : "Send Invitation"}
</button>
</div>
</form>
</div>
</div>
);
}

5
apps/web/src/components/chat/Chat.tsx
View File

@@ -5,6 +5,7 @@ import { useAuth } from "@/lib/auth/auth-context";
import { useChat } from "@/hooks/useChat"; import { useChat } from "@/hooks/useChat";
import { useOrchestratorCommands } from "@/hooks/useOrchestratorCommands"; import { useOrchestratorCommands } from "@/hooks/useOrchestratorCommands";
import { useWebSocket } from "@/hooks/useWebSocket"; import { useWebSocket } from "@/hooks/useWebSocket";
import { useWorkspaceId } from "@/lib/hooks";
import { MessageList } from "./MessageList"; import { MessageList } from "./MessageList";
import { ChatInput, type ModelId, DEFAULT_TEMPERATURE, DEFAULT_MAX_TOKENS } from "./ChatInput"; import { ChatInput, type ModelId, DEFAULT_TEMPERATURE, DEFAULT_MAX_TOKENS } from "./ChatInput";
import { ChatEmptyState } from "./ChatEmptyState"; import { ChatEmptyState } from "./ChatEmptyState";
@@ -89,10 +90,10 @@ export const Chat = forwardRef<ChatRef, ChatProps>(function Chat(
...(initialProjectId !== undefined && { projectId: initialProjectId }), ...(initialProjectId !== undefined && { projectId: initialProjectId }),
}); });
// Use the actual workspace ID for the WebSocket room subscription. // Read workspace ID from localStorage (set by auth-context after session check).
// Cookie-based auth (withCredentials) handles authentication, so no explicit // Cookie-based auth (withCredentials) handles authentication, so no explicit
// token is needed here — pass an empty string as the token placeholder. // token is needed here — pass an empty string as the token placeholder.
const workspaceId = user?.currentWorkspaceId ?? user?.workspaceId ?? ""; const workspaceId = useWorkspaceId() ?? "";
const { isConnected: isWsConnected } = useWebSocket(workspaceId, "", {}); const { isConnected: isWsConnected } = useWebSocket(workspaceId, "", {});
const { isCommand, executeCommand } = useOrchestratorCommands(); const { isCommand, executeCommand } = useOrchestratorCommands();

1
apps/web/src/components/kanban/TaskCard.tsx
View File

@@ -1,4 +1,3 @@
/* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */
"use client"; "use client";
import React from "react"; import React from "react";

1
apps/web/src/components/knowledge/EntryCard.tsx
View File

@@ -1,4 +1,3 @@
/* eslint-disable @typescript-eslint/no-unnecessary-condition */
import React from "react"; import React from "react";
import type { KnowledgeEntryWithTags } from "@mosaic/shared"; import type { KnowledgeEntryWithTags } from "@mosaic/shared";
import { EntryStatus } from "@mosaic/shared"; import { EntryStatus } from "@mosaic/shared";

2
apps/web/src/components/layout/AppSidebar.tsx
View File

@@ -464,7 +464,7 @@ function UserCard({ collapsed }: UserCardProps): React.JSX.Element {
const displayName = user?.name ?? "User"; const displayName = user?.name ?? "User";
const initials = getInitials(displayName); const initials = getInitials(displayName);
const role = user?.workspaceRole ?? "Member"; const role = "Member";
return ( return (
<footer <footer

1
apps/web/src/components/personalities/PersonalityPreview.tsx
View File

@@ -1,4 +1,3 @@
/* eslint-disable @typescript-eslint/no-unsafe-enum-comparison */
"use client"; "use client";
/* eslint-disable @typescript-eslint/no-non-null-assertion */ /* eslint-disable @typescript-eslint/no-non-null-assertion */

3
apps/web/src/components/tasks/TaskItem.test.tsx
View File

@@ -137,8 +137,7 @@ describe("TaskItem", (): void => {
dueDate: null, dueDate: null,
}; };
// eslint-disable-next-line @typescript-eslint/no-explicit-any render(<TaskItem task={taskWithoutDueDate} />);
render(<TaskItem task={taskWithoutDueDate as any} />);
expect(screen.getByText("Test task")).toBeInTheDocument(); expect(screen.getByText("Test task")).toBeInTheDocument();
}); });

1
apps/web/src/components/tasks/TaskItem.tsx
View File

@@ -1,4 +1,3 @@
/* eslint-disable @typescript-eslint/no-unnecessary-condition */
import React from "react"; import React from "react";
import type { Task } from "@mosaic/shared"; import type { Task } from "@mosaic/shared";
import { TaskStatus, TaskPriority } from "@mosaic/shared"; import { TaskStatus, TaskPriority } from "@mosaic/shared";

12
apps/web/src/components/workspace/MemberList.test.tsx
View File

@@ -20,6 +20,12 @@ const makeMember = (
image: null, image: null,
authProviderId: `auth-${overrides.userId}`, authProviderId: `auth-${overrides.userId}`,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2025-01-01"), createdAt: new Date("2025-01-01"),
updatedAt: new Date("2025-01-01"), updatedAt: new Date("2025-01-01"),
}, },
@@ -62,6 +68,12 @@ describe("MemberList", (): void => {
image: null, image: null,
authProviderId: "auth-2", authProviderId: "auth-2",
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2025-01-01"), createdAt: new Date("2025-01-01"),
updatedAt: new Date("2025-01-01"), updatedAt: new Date("2025-01-01"),
}, },

97
apps/web/src/lib/api/admin.ts Normal file
View File

@@ -0,0 +1,97 @@
/**
* Admin API Client
* Handles admin-scoped user and workspace management requests.
* These endpoints require AdminGuard (OWNER/ADMIN role).
*/
import { apiGet, apiPost, apiPatch, apiDelete } from "./client";
/* ---------------------------------------------------------------------------
Response Types (mirrors apps/api/src/admin/types/admin.types.ts)
--------------------------------------------------------------------------- */
export type WorkspaceMemberRole = "OWNER" | "ADMIN" | "MEMBER" | "GUEST";
export interface WorkspaceMembershipResponse {
workspaceId: string;
workspaceName: string;
role: WorkspaceMemberRole;
joinedAt: string;
}
export interface AdminUserResponse {
id: string;
name: string;
email: string;
emailVerified: boolean;
image: string | null;
createdAt: string;
deactivatedAt: string | null;
isLocalAuth: boolean;
invitedAt: string | null;
invitedBy: string | null;
workspaceMemberships: WorkspaceMembershipResponse[];
}
export interface PaginatedAdminResponse<T> {
data: T[];
meta: {
total: number;
page: number;
limit: number;
totalPages: number;
};
}
export interface InvitationResponse {
userId: string;
invitationToken: string;
email: string;
invitedAt: string;
}
/* ---------------------------------------------------------------------------
Request DTOs
--------------------------------------------------------------------------- */
export interface InviteUserDto {
email: string;
name?: string;
workspaceId?: string;
role?: WorkspaceMemberRole;
}
export interface UpdateUserDto {
name?: string;
deactivatedAt?: string | null;
emailVerified?: boolean;
preferences?: Record<string, unknown>;
}
/* ---------------------------------------------------------------------------
API Functions
--------------------------------------------------------------------------- */
export async function fetchAdminUsers(
page = 1,
limit = 50
): Promise<PaginatedAdminResponse<AdminUserResponse>> {
return apiGet<PaginatedAdminResponse<AdminUserResponse>>(
`/api/admin/users?page=${String(page)}&limit=${String(limit)}`
);
}
export async function inviteUser(dto: InviteUserDto): Promise<InvitationResponse> {
return apiPost<InvitationResponse>("/api/admin/users/invite", dto);
}
export async function updateUser(
userId: string,
dto: UpdateUserDto
): Promise<AdminUserResponse> {
return apiPatch<AdminUserResponse>(`/api/admin/users/${userId}`, dto);
}
export async function deactivateUser(userId: string): Promise<void> {
await apiDelete(`/api/admin/users/${userId}`);
}

1
apps/web/src/lib/api/index.ts
View File

@@ -15,3 +15,4 @@ export * from "./personalities";
export * from "./telemetry"; export * from "./telemetry";
export * from "./dashboard"; export * from "./dashboard";
export * from "./projects"; export * from "./projects";
export * from "./workspaces";

12
apps/web/src/lib/api/teams.ts
View File

@@ -178,6 +178,12 @@ export const mockTeamWithMembers: TeamWithMembers = {
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2026-01-15"), createdAt: new Date("2026-01-15"),
updatedAt: new Date("2026-01-15"), updatedAt: new Date("2026-01-15"),
}, },
@@ -195,6 +201,12 @@ export const mockTeamWithMembers: TeamWithMembers = {
image: null, image: null,
authProviderId: null, authProviderId: null,
preferences: {}, preferences: {},
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
createdAt: new Date("2026-01-16"), createdAt: new Date("2026-01-16"),
updatedAt: new Date("2026-01-16"), updatedAt: new Date("2026-01-16"),
}, },

26
apps/web/src/lib/api/workspaces.ts Normal file
View File

@@ -0,0 +1,26 @@
/**
* Workspaces API Client
* User-scoped workspace discovery — does NOT require X-Workspace-Id header.
*/
import { apiGet } from "./client";
/**
* A workspace entry from the user's membership list.
* Matches WorkspaceResponseDto from the API.
*/
export interface UserWorkspace {
id: string;
name: string;
ownerId: string;
role: string;
createdAt: string;
}
/**
* Fetch all workspaces the authenticated user is a member of.
* The API auto-provisions a default workspace if the user has none.
*/
export async function fetchUserWorkspaces(): Promise<UserWorkspace[]> {
return apiGet<UserWorkspace[]>("/api/workspaces");
}

92
apps/web/src/lib/auth/auth-context.test.tsx
View File

@@ -10,7 +10,13 @@ vi.mock("../api/client", () => ({
apiPost: vi.fn(), apiPost: vi.fn(),
})); }));
// Mock the workspaces API client
vi.mock("../api/workspaces", () => ({
fetchUserWorkspaces: vi.fn(),
}));
const { apiGet, apiPost } = await import("../api/client"); const { apiGet, apiPost } = await import("../api/client");
const { fetchUserWorkspaces } = await import("../api/workspaces");
/** Helper: returns a date far in the future (1 hour from now) for session mocks */ /** Helper: returns a date far in the future (1 hour from now) for session mocks */
function futureExpiry(): string { function futureExpiry(): string {
@@ -739,19 +745,26 @@ describe("AuthContext", (): void => {
vi.restoreAllMocks(); vi.restoreAllMocks();
}); });
it("should persist currentWorkspaceId to localStorage after session check", async (): Promise<void> => { it("should call fetchUserWorkspaces after successful session check", async (): Promise<void> => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-1", id: "user-1",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
currentWorkspaceId: "ws-current-123",
workspaceId: "ws-default-456",
}; };
vi.mocked(apiGet).mockResolvedValueOnce({ vi.mocked(apiGet).mockResolvedValueOnce({
user: mockUser, user: mockUser,
session: { id: "session-1", token: "token123", expiresAt: futureExpiry() }, session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
}); });
vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
{
id: "ws-1",
name: "My Workspace",
ownerId: "user-1",
role: "OWNER",
createdAt: "2026-01-01",
},
]);
render( render(
<AuthProvider> <AuthProvider>
@@ -763,25 +776,36 @@ describe("AuthContext", (): void => {
expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated"); expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
}); });
// currentWorkspaceId takes priority over workspaceId expect(fetchUserWorkspaces).toHaveBeenCalledTimes(1);
expect(localStorageMock.setItem).toHaveBeenCalledWith(
"mosaic-workspace-id",
"ws-current-123"
);
}); });
it("should fall back to workspaceId when currentWorkspaceId is absent", async (): Promise<void> => { it("should persist the first workspace ID to localStorage", async (): Promise<void> => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-1", id: "user-1",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
workspaceId: "ws-default-456",
}; };
vi.mocked(apiGet).mockResolvedValueOnce({ vi.mocked(apiGet).mockResolvedValueOnce({
user: mockUser, user: mockUser,
session: { id: "session-1", token: "token123", expiresAt: futureExpiry() }, session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
}); });
vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
{
id: "ws-abc-123",
name: "My Workspace",
ownerId: "user-1",
role: "OWNER",
createdAt: "2026-01-01",
},
{
id: "ws-def-456",
name: "Second Workspace",
ownerId: "other",
role: "MEMBER",
createdAt: "2026-02-01",
},
]);
render( render(
<AuthProvider> <AuthProvider>
@@ -793,24 +817,21 @@ describe("AuthContext", (): void => {
expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated"); expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
}); });
expect(localStorageMock.setItem).toHaveBeenCalledWith( expect(localStorageMock.setItem).toHaveBeenCalledWith("mosaic-workspace-id", "ws-abc-123");
"mosaic-workspace-id",
"ws-default-456"
);
}); });
it("should not write to localStorage when no workspace ID is present on user", async (): Promise<void> => { it("should not write localStorage when fetchUserWorkspaces returns empty array", async (): Promise<void> => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-1", id: "user-1",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
// no workspaceId or currentWorkspaceId
}; };
vi.mocked(apiGet).mockResolvedValueOnce({ vi.mocked(apiGet).mockResolvedValueOnce({
user: mockUser, user: mockUser,
session: { id: "session-1", token: "token123", expiresAt: futureExpiry() }, session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
}); });
vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([]);
render( render(
<AuthProvider> <AuthProvider>
@@ -828,18 +849,53 @@ describe("AuthContext", (): void => {
); );
}); });
it("should remove workspace ID from localStorage on sign-out", async (): Promise<void> => { it("should handle fetchUserWorkspaces failure gracefully — auth still succeeds", async (): Promise<void> => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-1", id: "user-1",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
currentWorkspaceId: "ws-current-123",
}; };
vi.mocked(apiGet).mockResolvedValueOnce({ vi.mocked(apiGet).mockResolvedValueOnce({
user: mockUser, user: mockUser,
session: { id: "session-1", token: "token123", expiresAt: futureExpiry() }, session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
}); });
vi.mocked(fetchUserWorkspaces).mockRejectedValueOnce(new Error("Network error"));
render(
<AuthProvider>
<TestComponent />
</AuthProvider>
);
await waitFor(() => {
expect(screen.getByTestId("auth-status")).toHaveTextContent("Authenticated");
});
// Auth succeeded despite workspace fetch failure
expect(screen.getByTestId("auth-error")).toHaveTextContent("none");
});
it("should remove workspace ID from localStorage on sign-out", async (): Promise<void> => {
const mockUser: AuthUser = {
id: "user-1",
email: "test@example.com",
name: "Test User",
};
vi.mocked(apiGet).mockResolvedValueOnce({
user: mockUser,
session: { id: "session-1", token: "token123", expiresAt: futureExpiry() },
});
vi.mocked(fetchUserWorkspaces).mockResolvedValueOnce([
{
id: "ws-1",
name: "My Workspace",
ownerId: "user-1",
role: "OWNER",
createdAt: "2026-01-01",
},
]);
vi.mocked(apiPost).mockResolvedValueOnce({ success: true }); vi.mocked(apiPost).mockResolvedValueOnce({ success: true });
render( render(

17
apps/web/src/lib/auth/auth-context.tsx
View File

@@ -11,6 +11,7 @@ import {
} from "react"; } from "react";
import type { AuthUser, AuthSession } from "@mosaic/shared"; import type { AuthUser, AuthSession } from "@mosaic/shared";
import { apiGet, apiPost } from "../api/client"; import { apiGet, apiPost } from "../api/client";
import { fetchUserWorkspaces } from "../api/workspaces";
import { IS_MOCK_AUTH_MODE } from "../config"; import { IS_MOCK_AUTH_MODE } from "../config";
import { parseAuthError } from "./auth-errors"; import { parseAuthError } from "./auth-errors";
@@ -134,10 +135,18 @@ function RealAuthProvider({ children }: { children: ReactNode }): React.JSX.Elem
setUser(session.user); setUser(session.user);
setAuthError(null); setAuthError(null);
// Persist workspace ID to localStorage so useWorkspaceId and apiRequest // Fetch the user's workspace memberships and persist the default.
// can pick it up without re-fetching the session. // Workspace context is an application concern, not an auth concern —
// Prefer currentWorkspaceId (the user's active workspace) over workspaceId. // BetterAuth does not return workspace fields on the session user.
persistWorkspaceId(session.user.currentWorkspaceId ?? session.user.workspaceId); try {
const workspaces = await fetchUserWorkspaces();
const defaultWorkspace = workspaces[0];
if (defaultWorkspace) {
persistWorkspaceId(defaultWorkspace.id);
}
} catch (wsError) {
logAuthError("Failed to fetch workspaces after session check", wsError);
}
// Track session expiry timestamp // Track session expiry timestamp
expiresAtRef.current = new Date(session.session.expiresAt); expiresAtRef.current = new Date(session.session.expiresAt);

2
apps/web/src/lib/hooks/useLayout.ts
View File

@@ -109,7 +109,7 @@ export function useLayout(): UseLayoutReturn {
if (stored) { if (stored) {
const emptyFallback: Record<string, LayoutConfig> = {}; const emptyFallback: Record<string, LayoutConfig> = {};
const parsed = safeJsonParse(stored, isLayoutConfigRecord, emptyFallback); const parsed = safeJsonParse(stored, isLayoutConfigRecord, emptyFallback);
const parsedLayouts = parsed as Record<string, LayoutConfig>; const parsedLayouts = parsed;
if (Object.keys(parsedLayouts).length > 0) { if (Object.keys(parsedLayouts).length > 0) {
setLayouts(parsedLayouts); setLayouts(parsedLayouts);
} else { } else {

85
docs/MISSION-MANIFEST.md
View File

@@ -1,81 +1,52 @@
# Mission Manifest — MS20 Site Stabilization # Mission Manifest — MS21 Multi-Tenant RBAC Data Migration
> Persistent document tracking full mission scope, status, and session history. > Persistent document tracking full mission scope, status, and session history.
> Updated by the orchestrator at each phase transition and milestone completion. > Updated by the orchestrator at each phase transition and milestone completion.
## Mission ## Mission
**ID:** ms20-site-stabilization-20260227 **ID:** ms21-multi-tenant-rbac-data-migration-20260228
**Statement:** Fix runtime bugs, missing API endpoints, orchestrator connectivity, and feature gaps discovered during live site testing at mosaic.woltje.com **Statement:** Build multi-tenant user/workspace/team management, break-glass auth, RBAC UI enforcement, and migrate jarvis-brain data into Mosaic Stack
**Phase:** Complete **Phase:** Intake
**Current Milestone:** MS20-SiteStabilization **Current Milestone:**
**Progress:** 1 / 1 milestones **Progress:** 0 / 6 milestones
**Status:** completed **Status:** active
**Last Updated:** 2026-02-27T12:15Z **Last Updated:** 2026-02-28 17:10 UTC
## Success Criteria ## Success Criteria
1. Domains page: can create and list domains without workspace errors — **PASS** (PR #536) <!-- Define measurable success criteria here -->
2. Projects page: can create new projects without workspace errors — **PASS** (already working)
3. Personalities page: full CRUD works with proper dark mode theming — **PASS** (PR #537, #540)
4. User preferences endpoint (`/users/me/preferences`) returns data — **PASS** (PR #539)
5. Credentials page: can add, view credentials (not just disabled stub) — **PASS** (PR #545)
6. Orchestrator proxy endpoints return real data (no 502) — **PASS** (PR #542; 502s remain because orchestrator service not active in prod, but proxy route works)
7. Orchestrator WebSocket connects successfully — **PASS** (PR #547, #548, #549)
8. Dashboard Agent Status, Task Progress, Orchestrator Events widgets work — **PARTIAL** (widgets render, but orchestrator service not active in prod so data endpoints return 502)
9. Terminal has dedicated `/terminal` page route — **PASS** (PR #538)
10. favicon.ico serves correctly (no 404) — **PASS** (PR #541, #544)
11. `useWorkspaceId` warning resolved — workspace ID persists in localStorage — **PASS** (already in main via auth-context.tsx)
12. All 5 themes render correctly on all affected pages — **PASS** (verified dark mode on personalities, credentials, domains, dashboard)
13. Lint, typecheck, and tests pass — **PASS** (pipeline 680 green — 1445 web tests, 3316 API tests)
14. Deployed and verified at mosaic.woltje.com — **PASS** (Portainer stack 121 redeployed, all pages verified)
## Existing Infrastructure
Key components already built that MS20 builds upon:
| Component | Status | Location |
| ------------------------- | --------------- | ----------------------------------------------- |
| WorkspaceGuard | Working | `apps/api/src/common/guards/workspace.guard.ts` |
| Auto-detect workspace ID | Working (reads) | `apps/web/src/lib/api/client.ts` |
| Credentials API backend | Built (M7) | `apps/api/src/credentials/` |
| Orchestrator proxy routes | Fixed (MS20) | `apps/web/src/app/api/orchestrator/` |
| Terminal components | Built (MS19) | `apps/web/src/components/terminal/` |
| Theme system | Working (MS18) | `apps/web/src/lib/themes/` |
## Milestones ## Milestones
| # | ID | Name | Status | Branch | Issue | Started | Completed | | # | ID | Name | Status | Branch | Issue | Started | Completed |
| --- | ---- | ------------------ | --------- | ------------------------- | ----- | ---------- | ---------- | | --- | ------- | -------------------------- | ------- | ------ | ----- | ------- | --------- |
| 1 | MS20 | Site Stabilization | completed | per-task feature branches | #534 | 2026-02-27 | 2026-02-27 | | 1 | phase-1 | Schema and Admin API | pending | — | — | — | — |
| 2 | phase-2 | Break-Glass Authentication | pending | — | — | — | — |
| 3 | phase-3 | Data Migration | pending | — | — | — | — |
| 4 | phase-4 | Admin UI | pending | — | — | — | — |
| 5 | phase-5 | RBAC UI Enforcement | pending | — | — | — | — |
| 6 | phase-6 | Verification | pending | — | — | — | — |
## Deployment ## Deployment
| Target | URL | Method | | Target | URL | Method |
| --------- | ----------------- | --------------------------- | | ------ | --- | ------ |
| Portainer | mosaic.woltje.com | CI/CD pipeline (Woodpecker) | | — | — | — |
## Token Budget ## Token Budget
| Metric | Value | | Metric | Value |
| ------ | -------------------- | | ------ | ------ |
| Budget | ~400K (estimated) | | Budget | |
| Used | ~263K (across S1-S4) | | Used | 0 |
| Mode | normal | | Mode | normal |
## Session History ## Session History
| Session | Runtime | Started | Duration | Ended Reason | Last Task | | Session | Runtime | Started | Duration | Ended Reason | Last Task |
| ------- | --------------- | ----------------- | -------- | ------------------ | -------------------- | | ------- | ------- | ------- | -------- | ------------ | --------- |
| S1 | Claude Opus 4.6 | 2026-02-27T05:30Z | ~30m | Planning done | PLAN-001 |
| S2 | Claude Opus 4.6 | 2026-02-27T06:00Z | ~2h | Context exhaustion | 5 workers dispatched |
| S3 | Claude Opus 4.6 | 2026-02-27T08:00Z | ~1.5h | Context exhaustion | Recovery + 2 workers |
| S4 | Claude Opus 4.6 | 2026-02-27T10:30Z | ~2h | Mission complete | VER-001 + DOC-001 |
## PRs Merged
13 code PRs + 1 docs PR = 14 total: #536, #537, #538, #539, #540, #541, #542, #543, #544, #545, #547, #548, #549
## Scratchpad ## Scratchpad
Path: `docs/scratchpads/ms20-site-stabilization-20260227.md` Path: `docs/scratchpads/ms21-multi-tenant-rbac-data-migration-20260228.md`

246
docs/PRD-MS21.md Normal file
View File

@@ -0,0 +1,246 @@
# PRD: MS21 — Multi-Tenant Platform, RBAC Enforcement, and Data Migration
## Metadata
- Owner: Jason Woltje
- Orchestrator: Jarvis (OpenClaw)
- Date: 2026-02-28
- Status: in-progress
- Version: 0.0.21
## Problem Statement
Mosaic Stack is a single-user deployment. The Workspace, Team, WorkspaceMember, and RBAC infrastructure exist in the schema and codebase (PermissionGuard, WorkspaceGuard, roles: OWNER/ADMIN/MEMBER/GUEST), but there is no admin UI for managing users, workspaces, or teams. There is no invitation flow, no user management page, and no break-glass authentication mechanism for emergency access without OIDC. Additionally, the platform has no real operational data — jarvis-brain contains 106 projects and 95 tasks that need migrating into Mosaic Stack to make the dashboard, kanban, and project pages useful.
## Objectives
1. Build admin UI for user management (list, invite, deactivate, assign roles)
2. Build workspace management UI (create, configure, manage members)
3. Build team management UI (create teams within workspaces, assign members)
4. Implement user invitation flow (email or link-based)
5. Implement break-glass local authentication (bypass OIDC for emergency access)
6. Enforce RBAC across all UI surfaces (show/hide based on role)
7. Build admin Settings pages for workspace and platform configuration
8. Migrate jarvis-brain data (95 tasks, 106 projects) into Mosaic Stack PostgreSQL
9. Build data import API endpoint for bulk task/project creation
## Completed Work
### Existing Infrastructure (Already Built)
| Component | Status | Location |
| ----------------------------------------------------------------- | -------- | ------------------------------------------------------- |
| Prisma models: User, Workspace, WorkspaceMember, Team, TeamMember | Complete | apps/api/prisma/schema.prisma |
| WorkspaceMemberRole enum (OWNER, ADMIN, MEMBER, GUEST) | Complete | schema.prisma |
| TeamMemberRole enum (OWNER, ADMIN, MEMBER) | Complete | schema.prisma |
| PermissionGuard with role hierarchy | Complete | apps/api/src/common/guards/permission.guard.ts |
| Permission decorator (@RequirePermission) | Complete | apps/api/src/common/decorators/permissions.decorator.ts |
| Permission enum (WORKSPACE_OWNER, ADMIN, MEMBER, ANY) | Complete | permissions.decorator.ts |
| WorkspaceGuard | Complete | apps/api/src/common/guards/workspace.guard.ts |
| RBAC applied to 18+ controllers | Complete | All resource controllers |
| Workspaces CRUD API | Complete | apps/api/src/workspaces/ |
| BetterAuth + Authentik OIDC | Complete | apps/api/src/auth/ |
| AdminGuard | Complete | apps/api/src/auth/guards/admin.guard.ts |
## Scope
### In Scope (MS21)
#### S1: Admin API Endpoints (Backend)
1. GET /api/admin/users — List all users with workspace memberships and roles
2. POST /api/admin/users/invite — Generate invitation (email or link)
3. PATCH /api/admin/users/:id — Update user metadata (deactivate, change global role)
4. DELETE /api/admin/users/:id — Deactivate user (soft delete, preserve data)
5. POST /api/admin/workspaces — Create workspace with owner assignment
6. PATCH /api/admin/workspaces/:id — Update workspace settings
7. POST /api/workspaces/:id/members — Add member to workspace with role
8. PATCH /api/workspaces/:id/members/:userId — Change member role
9. DELETE /api/workspaces/:id/members/:userId — Remove member from workspace
10. POST /api/workspaces/:id/teams — Create team within workspace
11. POST /api/workspaces/:id/teams/:teamId/members — Add member to team
12. DELETE /api/workspaces/:id/teams/:teamId/members/:userId — Remove from team
13. POST /api/import/tasks — Bulk import tasks from jarvis-brain format
14. POST /api/import/projects — Bulk import projects from jarvis-brain format
#### S2: Break-Glass Authentication
15. Add isLocalAuth boolean field to User model (Prisma migration)
16. Add passwordHash optional field to User model (for local auth users)
17. Implement /api/auth/local/login endpoint (email + password, bcrypt)
18. Implement /api/auth/local/setup endpoint (first-time break-glass user creation, requires admin token from env)
19. Break-glass user bypasses OIDC entirely — session-based auth via BetterAuth
20. Environment variable BREAKGLASS_SETUP_TOKEN controls initial setup access
#### S3: Admin UI Pages (Frontend)
21. /settings/users — User management page (table: name, email, role, status, workspaces, last login)
22. User detail/edit dialog (change role, deactivate, view workspace memberships)
23. Invite user dialog (email input, workspace selection, role selection)
24. /settings/workspaces — Workspace management page (list workspaces, member counts)
25. Workspace detail page (members list, team list, settings)
26. Add/remove workspace member dialog with role picker
27. /settings/teams — Team management within workspace context
28. Create team dialog, add/remove team members
#### S4: RBAC UI Enforcement
29. Navigation sidebar: show/hide admin items based on user role
30. Settings pages: restrict access to admin-only pages
31. Action buttons: disable/hide create/delete based on permission level
32. User profile: show current role and workspace memberships
#### S5: Data Migration
33. Build scripts/migrate-brain.ts — TypeScript migration script
34. Read jarvis-brain data/tasks/\*.json (v2.0 format: { version, domain, tasks: [...] })
35. Read jarvis-brain data/projects/\*.json (format: { version, project: {...}, tasks: [...] })
36. Map brain status to Mosaic TaskStatus (done->COMPLETED, in-progress->IN_PROGRESS, backlog/pending/scheduled/not-started/planned->NOT_STARTED, blocked/on-hold->PAUSED, cancelled->ARCHIVED)
37. Map brain priority to Mosaic TaskPriority (critical/high->HIGH, medium->MEDIUM, low->LOW)
38. Create Domain records for unique domains (work, homelab, finances, family, etc.)
39. Create Project records from project data, linking to domains
40. Create Task records linking to projects, preserving brain-specific fields in metadata JSON
41. Preserve blocks, blocked_by, repo, branch, current_milestone, notes in task/project metadata
42. Dry-run mode with validation report before actual import
43. Idempotent — skip records that already exist (match by metadata.brainId)
### Out of Scope
- Federation (MS22)
- Agent task mapping and telemetry (MS23)
- Playwright E2E tests (MS24)
- Email delivery service (invitations stored as links for now)
- User self-registration (admin-only invitation model)
## User/Stakeholder Requirements
1. Jason (admin) can invite Melanie to a shared workspace
2. Jason can create a "USC IT" workspace and invite employees
3. Each user sees only their workspace(s) data
4. Break-glass user can log in without Authentik being available
5. Admin pages are only visible to OWNER/ADMIN roles
6. Data from jarvis-brain appears in the dashboard, kanban, and project pages after migration
7. All existing tests continue to pass after changes
## Functional Requirements
### FR-001: Admin User Management API
- AdminGuard protects all /api/admin/\* routes
- List users returns: id, name, email, emailVerified, createdAt, workspace memberships with roles
- Invite creates a User record with a pending invitation token
- Deactivate sets a deactivatedAt timestamp (new field), does not delete data
- ASSUMPTION: User deactivation is soft-delete via new deactivatedAt field on User model. Rationale: Hard delete would cascade and destroy workspace data.
### FR-002: Workspace Member Management API
- Add member requires WORKSPACE_ADMIN or WORKSPACE_OWNER permission
- Role changes require equal or higher permission (MEMBER cannot promote to ADMIN)
- Cannot remove the last OWNER of a workspace
- Cannot change own role to lower than OWNER if sole owner
### FR-003: Break-Glass Authentication
- Local auth is opt-in per deployment via ENABLE_LOCAL_AUTH=true env var
- Break-glass setup requires a one-time setup token from environment
- Password stored as bcrypt hash, minimum 12 characters
- Break-glass user gets OWNER role on default workspace
- Session management identical to OIDC users (BetterAuth session tokens)
- ASSUMPTION: BetterAuth supports custom credential providers alongside OIDC. Rationale: BetterAuth documentation confirms credential-based auth as a built-in feature.
### FR-004: Admin UI
- User management table with search, sort, filter by role/status
- Inline role editing via dropdown
- Confirmation dialog for destructive actions (deactivate user, remove from workspace)
- PDA-friendly language: "Deactivate" not "Delete", "Pending" not "Expired"
- Responsive design matching existing Settings page patterns
- Dark/light theme support via existing design token system
### FR-005: Data Migration Script
- Standalone TypeScript script in scripts/migrate-brain.ts
- Reads from jarvis-brain path (configurable via --brain-path flag)
- Connects to Mosaic Stack database via DATABASE_URL
- Requires target workspace ID (--workspace-id flag)
- Requires creator user ID (--user-id flag)
- Outputs validation report before writing (dry-run by default)
- --apply flag to execute the migration
- Creates Activity log entries for all imported records
## Technical Design
### Schema Changes (Prisma Migration)
Add to User model:
- deactivatedAt DateTime? (soft delete)
- isLocalAuth Boolean default(false)
- passwordHash String? (bcrypt hash for local auth)
- invitedBy String? Uuid (FK to inviting user)
- invitationToken String? unique
- invitedAt DateTime?
### New NestJS Module: AdminModule
Location: apps/api/src/admin/
Files: admin.module.ts, admin.controller.ts, admin.service.ts, DTOs, specs
### New NestJS Module: LocalAuthModule (Break-Glass)
Location: apps/api/src/auth/local/
Files: local-auth.controller.ts, local-auth.service.ts, DTOs, specs
### Frontend Pages
Location: apps/web/app/(authenticated)/settings/
- users/page.tsx — User management
- workspaces/page.tsx — Workspace list
- workspaces/[id]/page.tsx — Workspace detail (members, teams)
- teams/page.tsx — Team management
## Testing and Verification
1. Baseline: pnpm lint && pnpm build && pnpm test must pass
2. Unit tests for AdminService (user CRUD, invitation flow, permission checks)
3. Unit tests for LocalAuthService (bcrypt hashing, token validation)
4. Unit tests for AdminController (route guards, DTO validation)
5. Integration test: invitation -> acceptance -> workspace access
6. Integration test: break-glass setup -> login -> workspace access
7. Integration test: RBAC prevents unauthorized role changes
8. Migration script test: dry-run produces valid report, apply creates correct records
9. Frontend: admin pages render with correct role gating
10. All 4,772+ existing tests continue to pass
## Quality Gates
pnpm lint && pnpm build && pnpm test
## Delivery Phases
| Phase | Focus | Tasks |
| ----------------------- | ----------------------------------------------------------------------- | ----------------- |
| P1: Schema + Admin API | Prisma migration, AdminModule, user/workspace/team management endpoints | S1 items 1-12 |
| P2: Break-Glass Auth | LocalAuthModule, credential provider, setup flow | S2 items 15-20 |
| P3: Data Migration | Migration script, jarvis-brain to PostgreSQL | S5 items 33-43 |
| P4: Admin UI | Settings pages for users, workspaces, teams | S3 items 21-28 |
| P5: RBAC UI Enforcement | Frontend permission gating, navigation filtering | S4 items 29-32 |
| P6: Verification | Full test pass, deployment, smoke test | All quality gates |
## Risks and Open Questions
1. Risk: BetterAuth credential provider may require specific adapter configuration. Mitigation: Review BetterAuth docs for credential auth alongside OIDC; test in isolation first.
2. Risk: Schema migration on production database. Mitigation: Use Prisma migration with --create-only for review before applying.
3. Risk: jarvis-brain data has fields that don't map 1:1 to Mosaic schema. Mitigation: Use metadata JSON field for overflow; validate with dry-run.
4. Open: Should deactivated users retain active sessions? ASSUMPTION: No, deactivation immediately invalidates all sessions. Rationale: Security best practice.
5. Open: Should break-glass user be auto-created on first deployment? ASSUMPTION: No, requires explicit setup via API with env token. Rationale: Prevents accidental exposure.
## Assumptions
1. User deactivation is soft-delete via deactivatedAt field. Hard delete cascades and destroys workspace data.
2. BetterAuth supports custom credential providers alongside OIDC.
3. Invitation flow uses link-based tokens (no email service required initially).
4. Break-glass auth is off by default, controlled by ENABLE_LOCAL_AUTH env var.
5. Migration script runs outside the API server as a standalone script.
6. Admin pages follow existing Settings page UI patterns (cards, tables, dialogs).

104
docs/TASKS.md
View File

@@ -1,70 +1,38 @@
# Tasks — MS20 Site Stabilization # Tasks — MS21 Multi-Tenant RBAC Data Migration
> Single-writer: orchestrator only. Workers read but never modify. > Single-writer: orchestrator (Jarvis/OpenClaw) only. Workers read but never modify.
| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | id | status | milestone | description | pr | agent | notes |
| ----------- | ----------- | ---------------------------------------------------------------------------------------- | ----- | ------- | ----------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------------------ | ------------ | ---------- | ------------ | -------- | ---- | ------------------------------------------------------------------------------------------- | |----|--------|-----------|-------------|----|-------|-------|
| SS-PLAN-001 | done | Plan MS20 task breakdown, create milestone + issues, populate TASKS.md | — | — | — | | SS-WS-001,SS-ORCH-001,SS-API-001,SS-UI-001 | orchestrator | 2026-02-27 | 2026-02-27 | 15K | ~15K | Planning complete | | MS21-PLAN-001 | done | phase-1 | Write PRD, init mission, populate TASKS.md | #552 | orchestrator | CI: #552 green |
| SS-WS-001 | done | Fix workspace context for domain creation — domains page POST sends workspace ID | #534 | web | fix/workspace-domain-project-create | SS-PLAN-001 | SS-WS-002 | worker-1 | 2026-02-27 | 2026-02-27 | 15K | ~37K | PR #536 merged. CreateDomainDialog + wsId threading. QA remediated | | MS21-DB-001 | done | phase-1 | Prisma migration: add user fields | #553 | claude-worker-1 | CI: #684 green |
| SS-WS-002 | done | Fix workspace context for project creation — projects page POST sends workspace ID | #534 | web | fix/workspace-domain-project-create | SS-WS-001 | SS-VER-001 | worker-1 | 2026-02-27 | 2026-02-27 | 10K | 0K | Already working — projects/page.tsx uses useWorkspaceId correctly | | MS21-API-001 | done | phase-1 | AdminModule with user/workspace admin endpoints | #555 | claude-worker-2 | CI: #689 green |
| SS-WS-003 | done | Fix useWorkspaceId localStorage initialization — ensure workspace ID persists from login | #534 | web | — | SS-PLAN-001 | SS-VER-001 | — | 2026-02-27 | 2026-02-27 | 15K | 0K | Already in main — auth-context.tsx has WORKSPACE_STORAGE_KEY persistence. PR #546 closed. | | MS21-API-002 | done | phase-1 | Admin user endpoints (list, invite, update, deactivate) | #555 | claude-worker-2 | Combined with API-001 |
| SS-ORCH-001 | done | Fix orchestrator 502 — diagnose and fix proxy connectivity to orchestrator service | #534 | web,api | fix/orchestrator-connectivity | SS-PLAN-001 | SS-ORCH-002 | worker-6 | 2026-02-27 | 2026-02-27 | 25K | ~30K | PR #542 merged. Proxy config + CORS + health endpoint. | | MS21-API-003 | done | phase-1 | Workspace member management endpoints | #556 | codex-worker-1 | CI: #700 green |
| SS-ORCH-002 | done | Fix WebSocket "Reconnecting to server..." — cookie auth + CORS + withCredentials | #534 | web,api | fix/websocket-reconnect | SS-ORCH-001 | SS-VER-001 | worker-8 | 2026-02-27 | 2026-02-27 | 15K | ~25K | PR #547 merged (auth fix), PR #548 (test), PR #549 (CORS origins). All green. | | MS21-API-004 | done | phase-1 | Team management module | #564 | codex-worker-2 | CI: #707 green |
| SS-API-001 | done | Implement personalities API — controller, service, DTOs, Prisma model for CRUD | #534 | api | feat/personalities-api | SS-PLAN-001 | SS-UI-002 | worker-2 | 2026-02-27 | 2026-02-27 | 30K | ~45K | PR #537 merged. Full CRUD, migration, field mapping. Review: 3 should-fix logged | | MS21-API-005 | done | phase-1 | Admin workspace endpoints | #555 | claude-worker-2 | Combined with API-001 |
| SS-API-002 | done | Implement /users/me/preferences endpoint — wire to UserPreference model | #534 | api | feat/user-preferences-endpoint | SS-PLAN-001 | SS-VER-001 | worker-4 | 2026-02-27 | 2026-02-27 | 15K | ~18K | PR #539 merged. Added PATCH endpoint + fixed /api prefix in profile/appearance pages | | MS21-TEST-001 | done | phase-1 | Unit tests for AdminService and AdminController | #555 | claude-worker-2 | 26 tests included |
| SS-UI-001 | done | Credential management UI — enable Add Credential button, create/view forms, wire to API | #534 | web | feat/credential-management-ui | SS-PLAN-001 | SS-VER-001 | worker-9 | 2026-02-27 | 2026-02-27 | 25K | ~25K | PR #545 merged. Full CRUD forms, credential type switching, API wiring. | | MS21-AUTH-001 | done | phase-2 | LocalAuthModule: break-glass auth | #559 | claude-worker-3 | CI: #691 green |
| SS-UI-002 | done | Fix personalities page — dark mode Formality dropdown, save functionality, wire to API | #534 | web | fix/personalities-page | SS-API-001 | SS-VER-001 | worker-5 | 2026-02-27 | 2026-02-27 | 15K | ~10K | PR #540 merged. Select dark mode, 204 handler, deletePersonality type. Review: 3 should-fix | | MS21-AUTH-002 | done | phase-2 | Break-glass setup endpoint | #559 | claude-worker-3 | Combined with AUTH-001 |
| SS-UI-003 | done | Terminal page route — create /terminal page with full-screen terminal panel | #534 | web | feat/terminal-page-route | SS-PLAN-001 | SS-VER-001 | worker-3 | 2026-02-27 | 2026-02-27 | 10K | ~15K | PR #538 merged. /terminal page + sidebar link. Review: 2 should-fix logged | | MS21-AUTH-003 | done | phase-2 | Break-glass login endpoint | #559 | claude-worker-3 | Combined with AUTH-001 |
| SS-UI-004 | done | Add favicon.ico and fix dark mode polish | #534 | web | fix/favicon-polish | SS-PLAN-001 | SS-VER-001 | worker-7 | 2026-02-27 | 2026-02-27 | 5K | ~8K | PR #541 merged. favicon.ico added + layout metadata | | MS21-AUTH-004 | not-started | phase-2 | Deactivation session invalidation | — | — | Deferred |
| SS-VER-001 | done | Verification — full site test, deploy, smoke test | #534 | web,api | fix/websocket-cors-origins | SS-WS-002,SS-WS-003,SS-ORCH-002,SS-API-002,SS-UI-001,SS-UI-002,SS-UI-003,SS-UI-004 | SS-DOC-001 | orchestrator | 2026-02-27 | 2026-02-27 | 15K | ~20K | All pages verified. PR #548 test fix, PR #549 CORS fix. Deployed pipeline 680. | | MS21-TEST-002 | done | phase-2 | Unit tests for LocalAuth | #559 | claude-worker-3 | 27 tests included |
| SS-DOC-001 | in-progress | Documentation — update PRD status, manifest, scratchpad, close mission | #534 | — | — | SS-VER-001 | | orchestrator | 2026-02-27 | | 5K | | | | MS21-MIG-001 | done | phase-3 | Migration script: scripts/migrate-brain.ts | #554 | codex-worker-1 | CI: #688 (test flaky, code clean) |
| MS21-MIG-002 | done | phase-3 | Migration mapping: status/priority/domain mapping | #554 | codex-worker-1 | Included in MIG-001 |
## Summary | MS21-MIG-003 | not-started | phase-3 | Migration execution: run on production database | — | — | Needs deploy |
| MS21-MIG-004 | not-started | phase-3 | Import API endpoints | — | — | |
| Metric | Value | | MS21-TEST-003 | not-started | phase-3 | Migration script tests | — | — | |
| --------------- | ---------------------- | | MS21-UI-001 | not-started | phase-4 | Settings/users page | — | — | |
| Total tasks | 14 | | MS21-UI-002 | not-started | phase-4 | User detail/edit and invite dialogs | — | — | |
| Completed | 13 | | MS21-UI-003 | not-started | phase-4 | Settings/workspaces page (wire to real API) | — | — | Mock data exists |
| In Progress | 1 (SS-DOC-001) | | MS21-UI-004 | not-started | phase-4 | Workspace member management UI | — | — | Components exist |
| Remaining | 0 | | MS21-UI-005 | not-started | phase-4 | Settings/teams page | — | — | |
| Estimated total | ~215K tokens | | MS21-TEST-004 | not-started | phase-4 | Frontend component tests | — | — | |
| Used | ~263K tokens | | MS21-RBAC-001 | not-started | phase-5 | Sidebar navigation role gating | — | — | |
| Milestone | MS20-SiteStabilization | | MS21-RBAC-002 | not-started | phase-5 | Settings page access restriction | — | — | |
| MS21-RBAC-003 | not-started | phase-5 | Action button permission gating | — | — | |
## Dependency Graph | MS21-RBAC-004 | not-started | phase-5 | User profile role display | — | — | |
| MS21-VER-001 | not-started | phase-6 | Full quality gate pass | — | — | |
``` | MS21-VER-002 | not-started | phase-6 | Deploy and smoke test | — | — | |
PLAN-001 ✓ ──┬──→ WS-001 ✓ ──→ WS-002 ✓ ──→ VER-001 ✓ ──→ DOC-001 (in-progress) | MS21-VER-003 | not-started | phase-6 | Tag v0.0.21 | — | — | |
| MS21-FIX-001 | done | phase-1 | Fix flaky CI tests (rate limit timeout + log sanitizer) | #562 | codex-worker-3 | CI: #705 green |
├──→ WS-003 ✓ ──→ VER-001 ✓
├──→ ORCH-001 ✓ ──→ ORCH-002 ✓ ──→ VER-001 ✓
├──→ API-001 ✓ ──→ UI-002 ✓ ──→ VER-001 ✓
├──→ API-002 ✓ ──→ VER-001 ✓
├──→ UI-001 ✓ ──→ VER-001 ✓
├──→ UI-003 ✓ ──→ VER-001 ✓
└──→ UI-004 ✓ ──→ VER-001 ✓
```
## PRs Merged (14 total)
| PR | Title | Branch |
| ---- | ------------------------------------------------------------------ | ----------------------------------- |
| #536 | fix(web): add workspace context to domain creation | fix/workspace-domain-project-create |
| #537 | feat(api): implement personalities CRUD API | feat/personalities-api |
| #538 | feat(web): add dedicated /terminal page route | feat/terminal-page-route |
| #539 | feat(api): implement /users/me/preferences endpoint | feat/user-preferences-endpoint |
| #540 | fix(web): fix personalities page dark mode theming and wire to API | fix/personalities-page |
| #541 | fix(web): add favicon.ico | fix/favicon-polish |
| #542 | fix(web,api): fix orchestrator proxy 502 connectivity | fix/orchestrator-connectivity |
| #543 | chore(orchestrator): update MS20 task tracking for S3 | — |
| #544 | fix(web): convert favicon.ico to RGBA format for Turbopack | fix/favicon-rgba |
| #545 | feat(web): implement credential management UI | feat/credential-management-ui |
| #547 | fix(web,api): fix WebSocket authentication for chat real-time | fix/websocket-reconnect |
| #548 | fix(web): update useWebSocket test for withCredentials | fix/websocket-test-assertion |
| #549 | fix(api): use getTrustedOrigins() for WebSocket CORS | fix/websocket-cors-origins |

49
docs/scratchpads/ms21-multi-tenant-rbac-data-migration-20260228.md Normal file
View File

@@ -0,0 +1,49 @@
# Mission Scratchpad — MS21 Multi-Tenant RBAC Data Migration
> Append-only log. NEVER delete entries. NEVER overwrite sections.
## Original Mission Prompt
```
Build multi-tenant user/workspace/team management with admin UI, break-glass
local authentication (bypass OIDC for emergencies), enforce RBAC across all
UI surfaces, and migrate jarvis-brain data (95 tasks, 106 projects) into
Mosaic Stack PostgreSQL. This unlocks multi-user access for Melanie and
USC employees.
```
## Planning Decisions
### 2026-02-28 — Initial Planning (Orchestrator: Jarvis/OpenClaw)
1. **Phase order**: Schema+API first, then break-glass auth, then data migration, then UI, then RBAC enforcement, then verification. Rationale: Backend must exist before frontend can wire to it; migration can run independently once schema is ready.
2. **Worker strategy**: Up to 6 parallel workers (2 Claude, 2 Codex, 2 GLM). Claude for complex multi-file implementations. Codex for targeted single-file tasks. GLM for documentation and test writing.
3. **Phase 1 parallelization plan**:
- Worker A (Claude): MS21-DB-001 (Prisma migration) — must complete first
- After DB-001 done:
- Worker B (Claude): MS21-API-001 + MS21-API-002 (AdminModule + user endpoints)
- Worker C (Codex): MS21-API-003 (workspace member management)
- Worker D (Codex): MS21-API-004 (team management)
- Worker E (Claude): MS21-API-005 (admin workspace endpoints)
- Worker F (GLM): MS21-TEST-001 (unit tests for admin module)
4. **PRD location**: docs/PRD-MS21.md (separate from main PRD.md to preserve history)
5. **Orchestrator is Jarvis (OpenClaw)** — not a Claude Code session. This is the first hybrid orchestration: OpenClaw manages mission, dispatches workers via mosaic yolo claude, codex exec, and OpenClaw subagents.
## Session Log
| Session | Date | Milestone | Tasks Done | Outcome |
| ------- | ---------- | --------- | ------------- | --------------------------------------------- |
| S1 | 2026-02-28 | Planning | MS21-PLAN-001 | PRD written, mission init, TASKS.md populated |
## Open Questions
- BetterAuth credential provider config alongside OIDC — needs verification in worker task
- Exact sidebar items to gate behind admin role — review during RBAC phase
## Corrections
(none yet)

4
package.json
View File

@@ -17,6 +17,7 @@
"lint:fix": "turbo run lint:fix", "lint:fix": "turbo run lint:fix",
"format": "prettier --write \"**/*.{ts,tsx,js,jsx,json,md}\"", "format": "prettier --write \"**/*.{ts,tsx,js,jsx,json,md}\"",
"format:check": "prettier --check \"**/*.{ts,tsx,js,jsx,json,md}\"", "format:check": "prettier --check \"**/*.{ts,tsx,js,jsx,json,md}\"",
"migrate-brain": "pnpm --filter @mosaic/api exec node --import tsx ../../scripts/migrate-brain.ts",
"test": "turbo run test", "test": "turbo run test",
"test:watch": "turbo run test:watch", "test:watch": "turbo run test:watch",
"test:coverage": "turbo run test:coverage", "test:coverage": "turbo run test:coverage",
@@ -72,7 +73,8 @@
"qs": ">=6.15.0", "qs": ">=6.15.0",
"tough-cookie": ">=4.1.3", "tough-cookie": ">=4.1.3",
"undici": ">=6.23.0", "undici": ">=6.23.0",
"rollup": ">=4.59.0" "rollup": ">=4.59.0",
"serialize-javascript": ">=7.0.3"
} }
} }
} }

7
packages/shared/src/types/auth.types.ts
View File

@@ -13,9 +13,14 @@ export interface AuthUser {
name: string; name: string;
image?: string; image?: string;
emailVerified?: boolean; emailVerified?: boolean;
// Workspace context (added for workspace-scoped operations) /**
* @deprecated Never populated by BetterAuth session. Workspace context is
* fetched separately via GET /api/workspaces. Will be removed in a future pass.
*/
workspaceId?: string; workspaceId?: string;
/** @deprecated See workspaceId. */
currentWorkspaceId?: string; currentWorkspaceId?: string;
/** @deprecated See workspaceId. */
workspaceRole?: string; workspaceRole?: string;
} }

6
packages/shared/src/types/database.types.ts
View File

@@ -27,6 +27,12 @@ export interface User extends BaseEntity {
image: string | null; image: string | null;
authProviderId: string | null; authProviderId: string | null;
preferences: Record<string, unknown>; preferences: Record<string, unknown>;
deactivatedAt: Date | null;
isLocalAuth: boolean;
passwordHash: string | null;
invitedBy: string | null;
invitationToken: string | null;
invitedAt: Date | null;
} }
/** /**

40
pnpm-lock.yaml generated
View File

@@ -16,6 +16,7 @@ overrides:
tough-cookie: '>=4.1.3' tough-cookie: '>=4.1.3'
undici: '>=6.23.0' undici: '>=6.23.0'
rollup: '>=4.59.0' rollup: '>=4.59.0'
serialize-javascript: '>=7.0.3'
importers: importers:
@@ -148,6 +149,9 @@ importers:
axios: axios:
specifier: ^1.13.5 specifier: ^1.13.5
version: 1.13.5 version: 1.13.5
bcryptjs:
specifier: ^3.0.3
version: 3.0.3
better-auth: better-auth:
specifier: ^1.4.17 specifier: ^1.4.17
version: 1.4.17(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2)) version: 1.4.17(@prisma/client@6.19.2(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(typescript@5.9.3))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2))
@@ -242,6 +246,9 @@ importers:
'@types/archiver': '@types/archiver':
specifier: ^7.0.0 specifier: ^7.0.0
version: 7.0.0 version: 7.0.0
'@types/bcryptjs':
specifier: ^3.0.0
version: 3.0.0
'@types/cookie-parser': '@types/cookie-parser':
specifier: ^1.4.10 specifier: ^1.4.10
version: 1.4.10(@types/express@5.0.6) version: 1.4.10(@types/express@5.0.6)
@@ -1596,7 +1603,6 @@ packages:
'@mosaicstack/telemetry-client@0.1.1': '@mosaicstack/telemetry-client@0.1.1':
resolution: {integrity: sha512-1udg6p4cs8rhQgQ2pKCfi7EpRlJieRRhA5CIqthRQ6HQZLgQ0wH+632jEulov3rlHSM1iplIQ+AAe5DWrvSkEA==, tarball: https://git.mosaicstack.dev/api/packages/mosaic/npm/%40mosaicstack%2Ftelemetry-client/-/0.1.1/telemetry-client-0.1.1.tgz} resolution: {integrity: sha512-1udg6p4cs8rhQgQ2pKCfi7EpRlJieRRhA5CIqthRQ6HQZLgQ0wH+632jEulov3rlHSM1iplIQ+AAe5DWrvSkEA==, tarball: https://git.mosaicstack.dev/api/packages/mosaic/npm/%40mosaicstack%2Ftelemetry-client/-/0.1.1/telemetry-client-0.1.1.tgz}
engines: {node: '>=18'}
'@mrleebo/prisma-ast@0.13.1': '@mrleebo/prisma-ast@0.13.1':
resolution: {integrity: sha512-XyroGQXcHrZdvmrGJvsA9KNeOOgGMg1Vg9OlheUsBOSKznLMDl+YChxbkboRHvtFYJEMRYmlV3uoo/njCw05iw==} resolution: {integrity: sha512-XyroGQXcHrZdvmrGJvsA9KNeOOgGMg1Vg9OlheUsBOSKznLMDl+YChxbkboRHvtFYJEMRYmlV3uoo/njCw05iw==}
@@ -3052,6 +3058,10 @@ packages:
'@types/babel__traverse@7.28.0': '@types/babel__traverse@7.28.0':
resolution: {integrity: sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==} resolution: {integrity: sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==}
'@types/bcryptjs@3.0.0':
resolution: {integrity: sha512-WRZOuCuaz8UcZZE4R5HXTco2goQSI2XxjGY3hbM/xDvwmqFWd4ivooImsMx65OKM6CtNKbnZ5YL+YwAwK7c1dg==}
deprecated: This is a stub types definition. bcryptjs provides its own type definitions, so you do not need this installed.
'@types/body-parser@1.19.6': '@types/body-parser@1.19.6':
resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==} resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==}
@@ -3788,6 +3798,10 @@ packages:
bcrypt-pbkdf@1.0.2: bcrypt-pbkdf@1.0.2:
resolution: {integrity: sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==} resolution: {integrity: sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==}
bcryptjs@3.0.3:
resolution: {integrity: sha512-GlF5wPWnSa/X5LKM1o0wz0suXIINz1iHRLvTS+sLyi7XPbe5ycmYI3DlZqVGZZtDgl4DmasFg7gOB3JYbphV5g==}
hasBin: true
better-auth@1.4.17: better-auth@1.4.17:
resolution: {integrity: sha512-VmHGQyKsEahkEs37qguROKg/6ypYpNF13D7v/lkbO7w7Aivz0Bv2h+VyUkH4NzrGY0QBKXi1577mGhDCVwp0ew==} resolution: {integrity: sha512-VmHGQyKsEahkEs37qguROKg/6ypYpNF13D7v/lkbO7w7Aivz0Bv2h+VyUkH4NzrGY0QBKXi1577mGhDCVwp0ew==}
peerDependencies: peerDependencies:
@@ -6389,9 +6403,6 @@ packages:
raf-schd@4.0.3: raf-schd@4.0.3:
resolution: {integrity: sha512-tQkJl2GRWh83ui2DiPTJz9wEiMN20syf+5oKfB03yYP7ioZcJwsIK8FjrtLwH1m7C7e+Tt2yYBlrOpdT+dyeIQ==} resolution: {integrity: sha512-tQkJl2GRWh83ui2DiPTJz9wEiMN20syf+5oKfB03yYP7ioZcJwsIK8FjrtLwH1m7C7e+Tt2yYBlrOpdT+dyeIQ==}
randombytes@2.1.0:
resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
range-parser@1.2.1: range-parser@1.2.1:
resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==} resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==}
engines: {node: '>= 0.6'} engines: {node: '>= 0.6'}
@@ -6679,8 +6690,9 @@ packages:
resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==} resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==}
engines: {node: '>= 18'} engines: {node: '>= 18'}
serialize-javascript@6.0.2: serialize-javascript@7.0.3:
resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==} resolution: {integrity: sha512-h+cZ/XXarqDgCjo+YSyQU/ulDEESGGf8AMK9pPNmhNSl/FzPl6L8pMp1leca5z6NuG6tvV/auC8/43tmovowww==}
engines: {node: '>=20.0.0'}
serve-static@1.16.3: serve-static@1.16.3:
resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==} resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==}
@@ -10355,6 +10367,10 @@ snapshots:
dependencies: dependencies:
'@babel/types': 7.28.6 '@babel/types': 7.28.6
'@types/bcryptjs@3.0.0':
dependencies:
bcryptjs: 3.0.3
'@types/body-parser@1.19.6': '@types/body-parser@1.19.6':
dependencies: dependencies:
'@types/connect': 3.4.38 '@types/connect': 3.4.38
@@ -11275,6 +11291,8 @@ snapshots:
dependencies: dependencies:
tweetnacl: 0.14.5 tweetnacl: 0.14.5
bcryptjs@3.0.3: {}
better-auth@1.4.17(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2)): better-auth@1.4.17(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(better-sqlite3@12.6.2)(drizzle-orm@0.41.0(@opentelemetry/api@1.9.0)(@prisma/client@5.22.0(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(@types/pg@8.16.0)(better-sqlite3@12.6.2)(kysely@0.28.10)(pg@8.17.2)(postgres@3.4.8)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3)))(next@16.1.6(@babel/core@7.28.6)(@opentelemetry/api@1.9.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pg@8.17.2)(prisma@6.19.2(magicast@0.3.5)(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18(@opentelemetry/api@1.9.0)(@types/node@22.19.7)(jiti@2.6.1)(jsdom@26.1.0)(terser@5.46.0)(tsx@4.21.0)(yaml@2.8.2)):
dependencies: dependencies:
'@better-auth/core': 1.4.17(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.10)(nanostores@1.1.0) '@better-auth/core': 1.4.17(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.10)(nanostores@1.1.0)
@@ -13990,10 +14008,6 @@ snapshots:
raf-schd@4.0.3: {} raf-schd@4.0.3: {}
randombytes@2.1.0:
dependencies:
safe-buffer: 5.2.1
range-parser@1.2.1: {} range-parser@1.2.1: {}
raw-body@2.5.3: raw-body@2.5.3:
@@ -14362,9 +14376,7 @@ snapshots:
transitivePeerDependencies: transitivePeerDependencies:
- supports-color - supports-color
serialize-javascript@6.0.2: serialize-javascript@7.0.3: {}
dependencies:
randombytes: 2.1.0
serve-static@1.16.3: serve-static@1.16.3:
dependencies: dependencies:
@@ -14769,7 +14781,7 @@ snapshots:
'@jridgewell/trace-mapping': 0.3.31 '@jridgewell/trace-mapping': 0.3.31
jest-worker: 27.5.1 jest-worker: 27.5.1
schema-utils: 4.3.3 schema-utils: 4.3.3
serialize-javascript: 6.0.2 serialize-javascript: 7.0.3
terser: 5.46.0 terser: 5.46.0
webpack: 5.104.1(@swc/core@1.15.11) webpack: 5.104.1(@swc/core@1.15.11)
optionalDependencies: optionalDependencies:

1207
scripts/migrate-brain.ts Normal file
View File

File diff suppressed because it is too large Load Diff