Expose agent task assignment permissions

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-19 08:14:29 -05:00
parent bcc1d9f3d6
commit f9d685344d
10 changed files with 310 additions and 27 deletions
--- a/server/src/services/access.ts
+++ b/server/src/services/access.ts
@@ -251,6 +251,86 @@ export function accessService(db: Db) {
    });
  }

+  async function listPrincipalGrants(
+    companyId: string,
+    principalType: PrincipalType,
+    principalId: string,
+  ) {
+    return db
+      .select()
+      .from(principalPermissionGrants)
+      .where(
+        and(
+          eq(principalPermissionGrants.companyId, companyId),
+          eq(principalPermissionGrants.principalType, principalType),
+          eq(principalPermissionGrants.principalId, principalId),
+        ),
+      )
+      .orderBy(principalPermissionGrants.permissionKey);
+  }
+
+  async function setPrincipalPermission(
+    companyId: string,
+    principalType: PrincipalType,
+    principalId: string,
+    permissionKey: PermissionKey,
+    enabled: boolean,
+    grantedByUserId: string | null,
+    scope: Record<string, unknown> | null = null,
+  ) {
+    if (!enabled) {
+      await db
+        .delete(principalPermissionGrants)
+        .where(
+          and(
+            eq(principalPermissionGrants.companyId, companyId),
+            eq(principalPermissionGrants.principalType, principalType),
+            eq(principalPermissionGrants.principalId, principalId),
+            eq(principalPermissionGrants.permissionKey, permissionKey),
+          ),
+        );
+      return;
+    }
+
+    await ensureMembership(companyId, principalType, principalId, "member", "active");
+
+    const existing = await db
+      .select()
+      .from(principalPermissionGrants)
+      .where(
+        and(
+          eq(principalPermissionGrants.companyId, companyId),
+          eq(principalPermissionGrants.principalType, principalType),
+          eq(principalPermissionGrants.principalId, principalId),
+          eq(principalPermissionGrants.permissionKey, permissionKey),
+        ),
+      )
+      .then((rows) => rows[0] ?? null);
+
+    if (existing) {
+      await db
+        .update(principalPermissionGrants)
+        .set({
+          scope,
+          grantedByUserId,
+          updatedAt: new Date(),
+        })
+        .where(eq(principalPermissionGrants.id, existing.id));
+      return;
+    }
+
+    await db.insert(principalPermissionGrants).values({
+      companyId,
+      principalType,
+      principalId,
+      permissionKey,
+      scope,
+      grantedByUserId,
+      createdAt: new Date(),
+      updatedAt: new Date(),
+    });
+  }
+
  return {
    isInstanceAdmin,
    canUser,
@@ -264,5 +344,7 @@ export function accessService(db: Db) {
    listUserCompanyAccess,
    setUserCompanyAccess,
    setPrincipalGrants,
+    listPrincipalGrants,
+    setPrincipalPermission,
  };
 }