feat: user invite flow, deactivate/delete, favicon, dashboard loading fix, admin full-width

- Invite flow: admin can invite users by email with role selection; accept-invite page sets password and creates the account; 72-hour token expiry; E2E tests - User deactivate/reactivate/delete: new tRPC procedures + UI buttons; deactivation revokes all active sessions immediately; delete cascades vacation/broadcast records; isActive field added via migration 20260402000000_user_isactive - Auth: block login for inactive users with audit entry - Favicon: SVG favicon + ICO/PNG fallbacks (16, 32, 180, 192, 512px); manifest updated - Dashboard: GridLayout dynamic-import loading skeleton prevents blank dark area on first login before react-grid-layout chunk is cached - Admin users: remove max-w-5xl constraint so table uses full page width - Dev: docker container restart workflow documented in LEARNINGS.md; Prisma generate must run inside the container after schema changes (named node_modules volume) Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 20:19:26 +02:00
parent dc5bbdc47d
commit 41eb722369
33 changed files with 6755 additions and 169 deletions
@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+/**
+ * export-dev-seed.mjs
+ *
+ * Dumps the current dev database into packages/db/prisma/dev-seed.sql.
+ * The dump is safe to commit: passwords, TOTP secrets, SMTP credentials,
+ * and webhook secrets are all sanitized before writing.
+ *
+ * Usage:
+ *   node scripts/export-dev-seed.mjs
+ *
+ * Requirements:
+ *   - The capakraken-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local capakraken database
+ */
+
+import { execSync, spawnSync } from "node:child_process";
+import { writeFileSync } from "node:fs";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { loadWorkspaceEnv, resolveRealWorkspaceRoot } from "./load-env.mjs";
+
+loadWorkspaceEnv();
+const workspaceRoot = resolveRealWorkspaceRoot();
+
+// ── Safety check ─────────────────────────────────────────────────────────────
+
+const rawUrl = process.env["DATABASE_URL"];
+if (!rawUrl) {
+  console.error("❌  DATABASE_URL is not set.");
+  process.exit(1);
+}
+
+let parsedUrl;
+try {
+  parsedUrl = new URL(rawUrl);
+} catch {
+  console.error("❌  DATABASE_URL is not a valid URL.");
+  process.exit(1);
+}
+
+const host = parsedUrl.hostname;
+if (!["localhost", "127.0.0.1", "::1"].includes(host)) {
+  console.error(`❌  Refusing to export from non-local host: ${host}`);
+  console.error("    export-dev-seed is only for local development databases.");
+  process.exit(1);
+}
+
+// ── Docker container check ────────────────────────────────────────────────────
+
+const CONTAINER = "capakraken-postgres-1";
+const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
+  encoding: "utf8",
+});
+if (containerCheck.stdout.trim() !== "true") {
+  console.error(`❌  Container ${CONTAINER} is not running.`);
+  console.error("    Start it with: docker compose up -d postgres");
+  process.exit(1);
+}
+
+// ── Tables to exclude entirely ────────────────────────────────────────────────
+
+const EXCLUDE_TABLES = [
+  "_prisma_migrations",
+  "audit_logs",
+  "active_sessions",
+  "sessions",
+  "accounts",
+  "verification_tokens",
+  "invite_tokens",
+  "notifications",
+  "import_batches",
+  "staged_assignments",
+  "staged_availability_rules",
+  "staged_clients",
+  "staged_projects",
+  "staged_resources",
+  "staged_unresolved_records",
+  "staged_vacations",
+];
+
+const excludeFlags = EXCLUDE_TABLES.flatMap((t) => ["--exclude-table-data", `public.${t}`]);
+
+// ── Run pg_dump inside the Docker container ───────────────────────────────────
+
+const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
+const DB_PORT = parsedUrl.port || "5432";
+
+console.log(`🔍  Exporting ${DB_USER}@${host}:${DB_PORT}/${DB_NAME} …`);
+
+const pgDumpArgs = [
+  "exec",
+  CONTAINER,
+  "pg_dump",
+  "-U", DB_USER,
+  "-d", DB_NAME,
+  "--data-only",
+  "--no-owner",
+  "--no-acl",
+  "--disable-triggers",
+  ...excludeFlags,
+];
+
+const dump = spawnSync("docker", pgDumpArgs, { encoding: "utf8", maxBuffer: 256 * 1024 * 1024 });
+
+if (dump.status !== 0) {
+  console.error("❌  pg_dump failed:");
+  console.error(dump.stderr);
+  process.exit(1);
+}
+
+// ── Sanitize sensitive values ─────────────────────────────────────────────────
+
+let sql = dump.stdout;
+
+// Replace argon2id password hashes with a clearly invalid placeholder.
+// The import script will update these with a real dev hash.
+sql = sql.replace(/\$argon2id\$[^\t\n\\]*/g, "__DEV_PASSWORD_HASH__");
+
+// Append sanitizing statements (TOTP, SMTP password, webhook secrets).
+// These run after the COPY blocks so they don't require line-level parsing.
+sql += `
+-- ─── Sanitize secrets (applied after data load) ──────────────────────────────
+UPDATE users SET "totpSecret" = NULL, "totpEnabled" = false;
+UPDATE system_settings SET "smtpPassword" = NULL;
+UPDATE webhooks SET secret = NULL;
+`;
+
+// ── Add header ────────────────────────────────────────────────────────────────
+
+const header = `-- CapaKraken dev seed — exported ${new Date().toISOString()}
+-- Source: ${DB_USER}@${host}:${DB_PORT}/${DB_NAME}
+--
+-- Excluded tables:
+${EXCLUDE_TABLES.map((t) => `--   ${t}`).join("\n")}
+--
+-- Sanitized fields:
+--   users.passwordHash     → placeholder (import-dev-seed sets "Dev123456!")
+--   users.totpSecret       → NULL
+--   users.totpEnabled      → false
+--   system_settings.smtpPassword → NULL
+--   webhooks.secret        → NULL
+--
+-- Import with:
+--   node scripts/import-dev-seed.mjs
+-- ─────────────────────────────────────────────────────────────────────────────
+
+`;
+
+// ── Write output ──────────────────────────────────────────────────────────────
+
+const outPath = resolve(workspaceRoot, "packages/db/prisma/dev-seed.sql");
+writeFileSync(outPath, header + sql, "utf8");
+
+const lines = (header + sql).split("\n").length;
+const sizeKb = Math.round(Buffer.byteLength(header + sql, "utf8") / 1024);
+console.log(`✅  Written to packages/db/prisma/dev-seed.sql`);
+console.log(`    ${lines.toLocaleString()} lines · ${sizeKb.toLocaleString()} KB`);
+console.log();
+console.log("Next step: commit dev-seed.sql or share it with your team.");
+console.log("Import it with:  node scripts/import-dev-seed.mjs");
@@ -0,0 +1,174 @@
+#!/usr/bin/env node
+/**
+ * import-dev-seed.mjs
+ *
+ * Imports packages/db/prisma/dev-seed.sql into the local dev database.
+ * Wipes the public schema, re-applies the current Prisma schema, loads the
+ * seed data, then sets every user's password to "Dev123456!" via argon2id.
+ *
+ * Usage:
+ *   node scripts/import-dev-seed.mjs
+ *
+ * Requirements:
+ *   - The capakraken-postgres-1 Docker container must be running
+ *   - DATABASE_URL must point to a local capakraken database
+ *   - dev-seed.sql must exist (run export-dev-seed.mjs first)
+ */
+
+import { execSync, spawnSync } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { loadWorkspaceEnv, resolveRealWorkspaceRoot } from "./load-env.mjs";
+
+loadWorkspaceEnv();
+const workspaceRoot = resolveRealWorkspaceRoot();
+
+// ── Safety check ─────────────────────────────────────────────────────────────
+
+const rawUrl = process.env["DATABASE_URL"];
+if (!rawUrl) {
+  console.error("❌  DATABASE_URL is not set.");
+  process.exit(1);
+}
+
+let parsedUrl;
+try {
+  parsedUrl = new URL(rawUrl);
+} catch {
+  console.error("❌  DATABASE_URL is not a valid URL.");
+  process.exit(1);
+}
+
+const host = parsedUrl.hostname;
+if (!["localhost", "127.0.0.1", "::1"].includes(host)) {
+  console.error(`❌  Refusing to import into non-local host: ${host}`);
+  console.error("    import-dev-seed is only for local development databases.");
+  process.exit(1);
+}
+
+const DB_USER = decodeURIComponent(parsedUrl.username) || "capakraken";
+const DB_NAME = parsedUrl.pathname.replace(/^\/+/, "") || "capakraken";
+const DB_PORT = parsedUrl.port || "5432";
+
+// ── Docker container check ────────────────────────────────────────────────────
+
+const CONTAINER = "capakraken-postgres-1";
+const containerCheck = spawnSync("docker", ["inspect", "--format={{.State.Running}}", CONTAINER], {
+  encoding: "utf8",
+});
+if (containerCheck.stdout.trim() !== "true") {
+  console.error(`❌  Container ${CONTAINER} is not running.`);
+  console.error("    Start it with: docker compose up -d postgres");
+  process.exit(1);
+}
+
+// ── Check seed file exists ────────────────────────────────────────────────────
+
+const seedPath = resolve(workspaceRoot, "packages/db/prisma/dev-seed.sql");
+if (!existsSync(seedPath)) {
+  console.error("❌  packages/db/prisma/dev-seed.sql not found.");
+  console.error("    Generate it first with: node scripts/export-dev-seed.mjs");
+  process.exit(1);
+}
+
+console.log(`🗑   Wiping public schema in ${DB_USER}@${host}:${DB_PORT}/${DB_NAME} …`);
+
+// ── Drop and recreate the public schema ──────────────────────────────────────
+
+function psql(sql) {
+  const result = spawnSync(
+    "docker",
+    ["exec", "-i", CONTAINER, "psql", "-U", DB_USER, "-d", DB_NAME, "-c", sql],
+    { encoding: "utf8" },
+  );
+  if (result.status !== 0) {
+    console.error("❌  psql command failed:");
+    console.error(result.stderr);
+    process.exit(1);
+  }
+  return result.stdout;
+}
+
+psql("DROP SCHEMA public CASCADE; CREATE SCHEMA public;");
+
+// ── Push current Prisma schema ────────────────────────────────────────────────
+
+console.log("🔧  Applying current Prisma schema (db push) …");
+try {
+  execSync("pnpm db:push", {
+    cwd: workspaceRoot,
+    stdio: "inherit",
+    env: { ...process.env },
+  });
+} catch {
+  console.error("❌  pnpm db:push failed. See output above.");
+  process.exit(1);
+}
+
+// ── Import the seed SQL ───────────────────────────────────────────────────────
+
+console.log("📥  Importing dev-seed.sql …");
+
+const importResult = spawnSync(
+  "docker",
+  ["exec", "-i", CONTAINER, "psql", "-U", DB_USER, "-d", DB_NAME],
+  {
+    encoding: "utf8",
+    input: readFileSync(seedPath, "utf8"),
+    maxBuffer: 256 * 1024 * 1024,
+  },
+);
+
+if (importResult.status !== 0) {
+  console.error("❌  psql import failed:");
+  console.error(importResult.stderr);
+  process.exit(1);
+}
+
+// ── Hash dev password and update all users ────────────────────────────────────
+
+console.log("🔐  Setting dev passwords (Dev123456!) …");
+
+const { hash } = await import("@node-rs/argon2");
+const devHash = await hash("Dev123456!", {
+  memoryCost: 19456,
+  timeCost: 2,
+  outputLen: 32,
+  parallelism: 1,
+});
+
+const updateResult = spawnSync(
+  "docker",
+  [
+    "exec",
+    "-i",
+    CONTAINER,
+    "psql",
+    "-U", DB_USER,
+    "-d", DB_NAME,
+    "-c", `UPDATE users SET "passwordHash" = '${devHash}';`,
+  ],
+  { encoding: "utf8" },
+);
+
+if (updateResult.status !== 0) {
+  console.error("❌  Password update failed:");
+  console.error(updateResult.stderr);
+  process.exit(1);
+}
+
+// ── Summary ───────────────────────────────────────────────────────────────────
+
+const userCount = psql(`SELECT COUNT(*) FROM users;`)
+  .trim()
+  .split("\n")
+  .find((line) => /^\s*\d+\s*$/.test(line))
+  ?.trim() ?? "?";
+
+console.log();
+console.log("✅  Dev seed imported successfully.");
+console.log(`    Users: ${userCount}`);
+console.log("    Password for all accounts: Dev123456!");
+console.log("    Sign in at: http://localhost:3100/auth/signin");
+console.log();
+console.log("Note: TOTP is disabled for all users. Re-enable via Settings if needed.");