Initial commit: Port Nimara CRM (Layers 0-4)

Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
commit 67d7e6e3d5
572 changed files with 86496 additions and 0 deletions
--- a/tests/integration/permission-matrix.test.ts
+++ b/tests/integration/permission-matrix.test.ts
@@ -0,0 +1,252 @@
+/**
+ * Permission matrix tests.
+ *
+ * Tests the withPermission() guard logic directly using mock AuthContext values.
+ * These tests do NOT require a database and run always.
+ *
+ * Verifies:
+ *  - super_admin bypasses all permission checks
+ *  - viewer can read but not write
+ *  - sales_agent can manage own clients/interests but not admin features
+ *  - sales_manager has elevated but non-admin access
+ *  - director has near-full access
+ *  - deepMerge correctly applies port-level overrides
+ */
+import { describe, it, expect, vi } from 'vitest';
+
+import { withPermission, deepMerge, type AuthContext } from '@/lib/api/helpers';
+import {
+  makeFullPermissions,
+  makeViewerPermissions,
+  makeSalesAgentPermissions,
+  makeSalesManagerPermissions,
+  makeDirectorPermissions,
+} from '../helpers/factories';
+import type { RolePermissions } from '@/lib/db/schema/users';
+import { NextRequest, NextResponse } from 'next/server';
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function makeCtx(overrides: Partial<AuthContext>): AuthContext {
+  return {
+    userId: 'user-1',
+    portId: 'port-1',
+    portSlug: 'test-port',
+    isSuperAdmin: false,
+    permissions: makeViewerPermissions(),
+    user: { email: 'test@example.com', name: 'Test User' },
+    ipAddress: '127.0.0.1',
+    userAgent: 'vitest/1.0',
+    ...overrides,
+  };
+}
+
+/** Minimal NextRequest for testing permission guards. */
+function makeRequest(): NextRequest {
+  return new NextRequest('http://localhost/api/test', { method: 'GET' });
+}
+
+/** Returns a handler that resolves to 200 OK. */
+function okHandler() {
+  return vi.fn().mockResolvedValue(NextResponse.json({ ok: true }, { status: 200 }));
+}
+
+/**
+ * Invokes the withPermission guard and returns the response status.
+ */
+async function checkPermission(
+  ctx: AuthContext,
+  resource: keyof RolePermissions,
+  action: string,
+): Promise<number> {
+  const handler = okHandler();
+  const guarded = withPermission(resource, action, handler);
+  const response = await guarded(makeRequest(), ctx, {});
+  return response.status;
+}
+
+// ─── super_admin ──────────────────────────────────────────────────────────────
+
+describe('Permission Matrix — super_admin', () => {
+  const ctx = makeCtx({ isSuperAdmin: true, permissions: null });
+
+  it('can access clients.create', async () => {
+    expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
+  });
+
+  it('can access admin.manage_users', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
+  });
+
+  it('can access admin.system_backup', async () => {
+    expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(200);
+  });
+
+  it('can access invoices.delete', async () => {
+    expect(await checkPermission(ctx, 'invoices', 'delete')).toBe(200);
+  });
+});
+
+// ─── viewer ───────────────────────────────────────────────────────────────────
+
+describe('Permission Matrix — viewer', () => {
+  const ctx = makeCtx({ permissions: makeViewerPermissions() });
+
+  it('can view clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
+  });
+
+  it('cannot create clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'create')).toBe(403);
+  });
+
+  it('cannot update clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'edit')).toBe(403);
+  });
+
+  it('cannot delete clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
+  });
+
+  it('cannot change interest stage', async () => {
+    expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(403);
+  });
+
+  it('cannot manage admin settings', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_settings')).toBe(403);
+  });
+
+  it('cannot manage webhooks', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
+  });
+});
+
+// ─── sales_agent ─────────────────────────────────────────────────────────────
+
+describe('Permission Matrix — sales_agent', () => {
+  const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
+
+  it('can view clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
+  });
+
+  it('can create clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
+  });
+
+  it('can edit clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'edit')).toBe(200);
+  });
+
+  it('cannot delete clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
+  });
+
+  it('cannot merge clients', async () => {
+    expect(await checkPermission(ctx, 'clients', 'merge')).toBe(403);
+  });
+
+  it('can create interests', async () => {
+    expect(await checkPermission(ctx, 'interests', 'create')).toBe(200);
+  });
+
+  it('can change interest stage', async () => {
+    expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(200);
+  });
+
+  it('cannot manage admin users', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
+  });
+
+  it('cannot manage webhooks', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
+  });
+
+  it('cannot configure email accounts', async () => {
+    expect(await checkPermission(ctx, 'email', 'configure_account')).toBe(403);
+  });
+});
+
+// ─── sales_manager ────────────────────────────────────────────────────────────
+
+describe('Permission Matrix — sales_manager', () => {
+  const ctx = makeCtx({ permissions: makeSalesManagerPermissions() });
+
+  it('can do everything with clients', async () => {
+    for (const action of ['view', 'create', 'edit', 'delete', 'merge', 'export']) {
+      expect(await checkPermission(ctx, 'clients', action)).toBe(200);
+    }
+  });
+
+  it('can view audit log', async () => {
+    expect(await checkPermission(ctx, 'admin', 'view_audit_log')).toBe(200);
+  });
+
+  it('cannot manage webhooks', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
+  });
+
+  it('cannot manage system users', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
+  });
+});
+
+// ─── director ─────────────────────────────────────────────────────────────────
+
+describe('Permission Matrix — director', () => {
+  const ctx = makeCtx({ permissions: makeDirectorPermissions() });
+
+  it('can manage webhooks', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(200);
+  });
+
+  it('can manage users', async () => {
+    expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
+  });
+
+  it('cannot perform system_backup', async () => {
+    expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(403);
+  });
+});
+
+// ─── deepMerge ────────────────────────────────────────────────────────────────
+
+describe('deepMerge — permission override merging', () => {
+  it('overrides a single leaf value', () => {
+    const base = { clients: { view: true, create: false } };
+    const override = { clients: { create: true } };
+    const result = deepMerge(base, override) as typeof base;
+    expect(result.clients.create).toBe(true);
+    expect(result.clients.view).toBe(true);
+  });
+
+  it('does not mutate the base object', () => {
+    const base = { a: { b: false } };
+    const override = { a: { b: true } };
+    deepMerge(base, override);
+    expect(base.a.b).toBe(false);
+  });
+
+  it('merges nested objects without removing unrelated keys', () => {
+    const base = { admin: { manage_users: false, view_audit_log: true } };
+    const override = { admin: { manage_users: true } };
+    const result = deepMerge(base, override) as typeof base;
+    expect(result.admin.manage_users).toBe(true);
+    expect(result.admin.view_audit_log).toBe(true);
+  });
+
+  it('override with full-permission block gives full access', () => {
+    const base = makeViewerPermissions() as Record<string, unknown>;
+    const override = { clients: { create: true, edit: true, delete: true, merge: true, export: true } };
+    const result = deepMerge(base, override) as RolePermissions;
+    expect(result.clients.create).toBe(true);
+    expect(result.clients.view).toBe(true); // preserved from base
+  });
+
+  it('handles non-object values (arrays stay as-is)', () => {
+    const base = { events: ['a', 'b'] };
+    const override = { events: ['c'] };
+    const result = deepMerge(base, override) as typeof base;
+    expect(result.events).toEqual(['c']);
+  });
+});