Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(platform): harden access scoping and delivery baseline

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-03-30 00:27:31 +02:00
parent 00b936fa1f
commit 819345acfa
109 changed files with 26142 additions and 8081 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/(app)/projects/[id]/scenario/page.tsx
+1 -1
View File
@@ -20,7 +20,7 @@ export default async function ScenarioPage({ params }: ScenarioPageProps) {
// Load resources and roles for the pickers
const [resources, roles] = await Promise.all([
trpc.resource.list({ isActive: true }),
trpc.resource.listStaff({ isActive: true }),
trpc.role.list({ isActive: true }),
]);
apps/web/src/app/(app)/resources/ResourcesClient.tsx
+7 -5
View File
@@ -212,7 +212,7 @@ export function ResourcesClient() {
fetchNextPage,
hasNextPage,
// Keep this boundary shallow; the full TRPC inference here trips TS depth limits.
} = (trpc.resource.list.useInfiniteQuery as any)(
} = (trpc.resource.listStaff.useInfiniteQuery as any)(
{
isActive: isActiveFilter === "all" ? undefined : isActiveFilter === "active",
search: search || undefined,
@@ -309,13 +309,15 @@ export function ResourcesClient() {
// ─── Mutations ────────────────────────────────────────────────────────────
const deactivateMutation = trpc.resource.deactivate.useMutation({
onSuccess: async () => {
await utils.resource.list.invalidate();
onSuccess: () => {
void utils.resource.directory.invalidate();
void utils.resource.listStaff.invalidate();
},
});
const batchDeactivateMutation = trpc.resource.batchDeactivate.useMutation({
onSuccess: async () => {
await utils.resource.list.invalidate();
onSuccess: () => {
void utils.resource.directory.invalidate();
void utils.resource.listStaff.invalidate();
selection.clear();
},
});
apps/web/src/app/api/sse/timeline/route.ts
+49 -9
View File
@@ -1,6 +1,8 @@
import { eventBus } from "@capakraken/api/sse";
import { loadRoleDefaults } from "@capakraken/api";
import { eventBus, permissionAudience, roleAudience, userAudience } from "@capakraken/api/sse";
import { startReminderScheduler } from "@capakraken/api/lib/reminder-scheduler";
import { SSE_EVENT_TYPES } from "@capakraken/shared";
import { prisma } from "@capakraken/db";
import { resolvePermissions, SSE_EVENT_TYPES, SystemRole, type PermissionOverrides } from "@capakraken/shared";
import { auth } from "~/server/auth.js";
// Start the reminder scheduler (idempotent — only starts once)
@@ -16,6 +18,38 @@ export async function GET() {
return new Response("Unauthorized", { status: 401 });
}
const sessionUser = session.user as typeof session.user & { id?: string };
if (!sessionUser.id) {
return new Response("Unauthorized", { status: 401 });
}
const dbUser = await prisma.user.findUnique({
where: { id: sessionUser.id },
select: {
id: true,
systemRole: true,
permissionOverrides: true,
},
});
if (!dbUser) {
return new Response("Unauthorized", { status: 401 });
}
const roleDefaults = await loadRoleDefaults();
const permissions = resolvePermissions(
dbUser.systemRole as SystemRole,
dbUser.permissionOverrides as PermissionOverrides | null,
roleDefaults,
);
const audiences = new Set<string>([
userAudience(dbUser.id),
roleAudience(dbUser.systemRole),
]);
for (const permission of permissions) {
audiences.add(permissionAudience(permission));
}
const encoder = new TextEncoder();
const stream = new ReadableStream({
@@ -26,13 +60,19 @@ export async function GET() {
);
// Subscribe to event bus
const unsubscribe = eventBus.subscribe((event) => {
try {
controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
} catch {
// Client disconnected
}
});
const unsubscribe = eventBus.subscribe(
(event) => {
try {
controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
} catch {
// Client disconnected
}
},
{
audiences,
includeUnscoped: false,
},
);
// Heartbeat every 30 seconds
const heartbeat = setInterval(() => {