feat(auth): add requireProjectRoleByUser for non-H3 callers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Ripwords

apps/dashboard/server/lib/permissions.test.ts

@@ -1,5 +1,9 @@
 import { describe, expect, test } from "bun:test"
-import { compareRole, type ProjectRoleName } from "./permissions"
+import { randomBytes } from "node:crypto"
+import { sql } from "drizzle-orm"
+import { db } from "../db"
+import { projects, projectMembers, user } from "../db/schema"
+import { compareRole, requireProjectRoleByUser, type ProjectRoleName } from "./permissions"
 
 describe("compareRole", () => {
   const roles: ProjectRoleName[] = ["viewer", "manager", "developer", "owner"]
@@ -31,3 +35,65 @@ describe("compareRole", () => {
     expect(compareRole("viewer", "owner")).toBe(false)
   })
 })
+
+test("requireProjectRoleByUser — returns role when member meets minimum", async () => {
+  await db.execute(sql`TRUNCATE project_members, projects, "user" RESTART IDENTITY CASCADE`)
+  const userId = randomBytes(16).toString("hex")
+  const projectId = crypto.randomUUID()
+  await db.insert(user).values({
+    id: userId,
+    email: `t-${userId}@example.com`,
+    name: "t",
+    emailVerified: true,
+    role: "member",
+    status: "active",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  })
+  await db.insert(projects).values({ id: projectId, name: "p", createdBy: userId })
+  await db.insert(projectMembers).values({ projectId, userId, role: "developer" })
+
+  const role = await requireProjectRoleByUser(userId, projectId, "manager")
+  expect(role).toBe("developer")
+})
+
+test("requireProjectRoleByUser — throws 403 when role too low", async () => {
+  await db.execute(sql`TRUNCATE project_members, projects, "user" RESTART IDENTITY CASCADE`)
+  const userId = randomBytes(16).toString("hex")
+  const projectId = crypto.randomUUID()
+  await db.insert(user).values({
+    id: userId,
+    email: `t-${userId}@example.com`,
+    name: "t",
+    emailVerified: true,
+    role: "member",
+    status: "active",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  })
+  await db.insert(projects).values({ id: projectId, name: "p", createdBy: userId })
+  await db.insert(projectMembers).values({ projectId, userId, role: "viewer" })
+
+  await expect(requireProjectRoleByUser(userId, projectId, "developer")).rejects.toThrow(
+    /insufficient/i,
+  )
+})
+
+test("requireProjectRoleByUser — throws 404 when not a member", async () => {
+  await db.execute(sql`TRUNCATE project_members, projects, "user" RESTART IDENTITY CASCADE`)
+  const userId = randomBytes(16).toString("hex")
+  const projectId = crypto.randomUUID()
+  await db.insert(user).values({
+    id: userId,
+    email: `t-${userId}@example.com`,
+    name: "t",
+    emailVerified: true,
+    role: "member",
+    status: "active",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  })
+  await db.insert(projects).values({ id: projectId, name: "p", createdBy: userId })
+
+  await expect(requireProjectRoleByUser(userId, projectId, "viewer")).rejects.toThrow(/not found/i)
+})

apps/dashboard/server/lib/permissions.ts

@@ -2,7 +2,7 @@ import { and, eq } from "drizzle-orm"
 import type { H3Event } from "h3"
 import { createError } from "h3"
 import { db } from "../db"
-import { projectMembers } from "../db/schema"
+import { projectMembers, user } from "../db/schema"
 import { auth } from "./auth"
 
 export type ProjectRoleName = "viewer" | "manager" | "developer" | "owner"
@@ -81,3 +81,48 @@ export async function requireProjectRole(
   }
   return { session, effectiveRole: member.role as ProjectRoleName }
 }
+
+/**
+ * Non-event variant of requireProjectRole for callers without an H3Event
+ * (notably MCP tool handlers, which have a verified userId from the JWT
+ * but no incoming H3 request to read a session from).
+ *
+ * Returns the user's effective role on the project. Throws via h3's
+ * createError on the same conditions as requireProjectRole:
+ *   - 401 if the user record doesn't exist or is disabled (defense in depth;
+ *     the JWT was issued from this same auth system, so this is rare)
+ *   - 404 if the user has no project_members row for this project
+ *   - 403 if the user's role rank is below `min`
+ *
+ * Install admins are still treated as effective owners on every project,
+ * matching the event-aware variant's behavior.
+ */
+export async function requireProjectRoleByUser(
+  userId: string,
+  projectId: string,
+  min: ProjectRoleName,
+): Promise<ProjectRoleName> {
+  const [userRow] = await db
+    .select({ role: user.role, status: user.status })
+    .from(user)
+    .where(eq(user.id, userId))
+    .limit(1)
+  if (!userRow || userRow.status === "disabled") {
+    throw createError({ statusCode: 401, statusMessage: "Unauthenticated" })
+  }
+  if (userRow.role === "admin") return "owner"
+
+  const [member] = await db
+    .select({ role: projectMembers.role })
+    .from(projectMembers)
+    .where(and(eq(projectMembers.projectId, projectId), eq(projectMembers.userId, userId)))
+    .limit(1)
+  if (!member) {
+    throw createError({ statusCode: 404, statusMessage: "Project not found" })
+  }
+  const role = member.role as ProjectRoleName
+  if (!compareRole(role, min)) {
+    throw createError({ statusCode: 403, statusMessage: "Insufficient role" })
+  }
+  return role
+}