Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(platform): harden access scoping and delivery baseline

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-03-30 00:27:31 +02:00
parent 00b936fa1f
commit 819345acfa
109 changed files with 26142 additions and 8081 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/web/src/app/api/sse/timeline/route.ts
+49 -9
View File
@@ -1,6 +1,8 @@
import { eventBus } from "@capakraken/api/sse";
import { loadRoleDefaults } from "@capakraken/api";
import { eventBus, permissionAudience, roleAudience, userAudience } from "@capakraken/api/sse";
import { startReminderScheduler } from "@capakraken/api/lib/reminder-scheduler";
import { SSE_EVENT_TYPES } from "@capakraken/shared";
import { prisma } from "@capakraken/db";
import { resolvePermissions, SSE_EVENT_TYPES, SystemRole, type PermissionOverrides } from "@capakraken/shared";
import { auth } from "~/server/auth.js";
// Start the reminder scheduler (idempotent — only starts once)
@@ -16,6 +18,38 @@ export async function GET() {
return new Response("Unauthorized", { status: 401 });
}
const sessionUser = session.user as typeof session.user & { id?: string };
if (!sessionUser.id) {
return new Response("Unauthorized", { status: 401 });
}
const dbUser = await prisma.user.findUnique({
where: { id: sessionUser.id },
select: {
id: true,
systemRole: true,
permissionOverrides: true,
},
});
if (!dbUser) {
return new Response("Unauthorized", { status: 401 });
}
const roleDefaults = await loadRoleDefaults();
const permissions = resolvePermissions(
dbUser.systemRole as SystemRole,
dbUser.permissionOverrides as PermissionOverrides | null,
roleDefaults,
);
const audiences = new Set<string>([
userAudience(dbUser.id),
roleAudience(dbUser.systemRole),
]);
for (const permission of permissions) {
audiences.add(permissionAudience(permission));
}
const encoder = new TextEncoder();
const stream = new ReadableStream({
@@ -26,13 +60,19 @@ export async function GET() {
);
// Subscribe to event bus
const unsubscribe = eventBus.subscribe((event) => {
try {
controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
} catch {
// Client disconnected
}
});
const unsubscribe = eventBus.subscribe(
(event) => {
try {
controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
} catch {
// Client disconnected
}
},
{
audiences,
includeUnscoped: false,
},
);
// Heartbeat every 30 seconds
const heartbeat = setInterval(() => {