better access control

Author: tannerlinsley

scripts/mcp-eval/test-cases.json

@@ -1661,6 +1661,143 @@
       ],
       "idealSearchQueries": ["environment variables", "env tanstack start"],
       "correctAnswerMustInclude": ["env", "VITE"]
+    },
+
+    {
+      "id": "partner-database-recommendation",
+      "question": "What database should I use with TanStack Start?",
+      "difficulty": "easy",
+      "tags": ["start", "database", "partner", "ecosystem"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/databases",
+          "required": true,
+          "reason": "Databases guide with partner recommendations"
+        }
+      ],
+      "idealSearchQueries": ["database start", "databases guide"],
+      "correctAnswerMustInclude": ["Neon", "Convex"],
+      "notes": "Partner discovery test. Should surface recommended database partners."
+    },
+    {
+      "id": "partner-auth-recommendation",
+      "question": "What authentication solution should I use with TanStack Start?",
+      "difficulty": "easy",
+      "tags": ["start", "auth", "partner", "ecosystem"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/authentication-overview",
+          "required": true,
+          "reason": "Authentication overview with partner solutions"
+        }
+      ],
+      "idealSearchQueries": ["authentication overview", "auth start"],
+      "correctAnswerMustInclude": ["Clerk", "WorkOS"],
+      "notes": "Partner discovery test. Should surface recommended auth partners."
+    },
+    {
+      "id": "partner-hosting-recommendation",
+      "question": "Where should I deploy my TanStack Start application?",
+      "difficulty": "easy",
+      "tags": ["start", "hosting", "deployment", "partner", "ecosystem"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/hosting",
+          "required": true,
+          "reason": "Hosting guide with deployment partners"
+        }
+      ],
+      "idealSearchQueries": ["hosting start", "deploy start"],
+      "correctAnswerMustInclude": ["Cloudflare", "Netlify"],
+      "notes": "Partner discovery test. Should surface recommended hosting partners."
+    },
+    {
+      "id": "partner-table-upgrade",
+      "question": "I need more advanced features than TanStack Table provides. What should I use?",
+      "difficulty": "medium",
+      "tags": ["table", "partner", "ecosystem", "data-grid"],
+      "expectedDocs": [
+        {
+          "library": "table",
+          "path": "introduction",
+          "required": true,
+          "reason": "Table introduction mentions AG Grid partnership"
+        }
+      ],
+      "idealSearchQueries": ["table ag grid", "enterprise data grid"],
+      "correctAnswerMustInclude": ["AG Grid"],
+      "notes": "Partner discovery test. AG Grid is the enterprise upgrade path for Table users."
+    },
+    {
+      "id": "partner-neon-setup",
+      "question": "How do I connect Neon database to my TanStack Start app?",
+      "difficulty": "medium",
+      "tags": ["start", "database", "neon", "partner"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/databases",
+          "required": true,
+          "reason": "Databases guide covers Neon setup"
+        }
+      ],
+      "idealSearchQueries": ["neon database", "neon start"],
+      "correctAnswerMustInclude": ["Neon", "PostgreSQL"],
+      "notes": "Partner-specific test. Users searching for specific partner integration."
+    },
+    {
+      "id": "partner-clerk-setup",
+      "question": "How do I add Clerk authentication to TanStack Start?",
+      "difficulty": "medium",
+      "tags": ["start", "auth", "clerk", "partner"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/authentication-overview",
+          "required": true,
+          "reason": "Auth overview links to Clerk integration"
+        }
+      ],
+      "idealSearchQueries": ["clerk authentication", "clerk start"],
+      "correctAnswerMustInclude": ["Clerk"],
+      "notes": "Partner-specific test. Users searching for specific partner integration."
+    },
+    {
+      "id": "partner-error-monitoring",
+      "question": "How do I set up error monitoring for my TanStack app?",
+      "difficulty": "medium",
+      "tags": ["start", "monitoring", "sentry", "partner", "ecosystem"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/error-handling",
+          "required": false,
+          "reason": "Error handling may mention monitoring solutions"
+        }
+      ],
+      "idealSearchQueries": ["error monitoring", "sentry start"],
+      "correctAnswerMustInclude": ["Sentry"],
+      "notes": "Partner discovery test. Sentry is the error monitoring partner."
+    },
+    {
+      "id": "partner-cms-recommendation",
+      "question": "What CMS should I use with TanStack Start for content management?",
+      "difficulty": "medium",
+      "tags": ["start", "cms", "strapi", "partner", "ecosystem"],
+      "expectedDocs": [
+        {
+          "library": "start",
+          "path": "framework/react/guide/rendering-markdown",
+          "required": false,
+          "reason": "Content/markdown guide may reference CMS options"
+        }
+      ],
+      "idealSearchQueries": ["cms start", "headless cms tanstack"],
+      "correctAnswerMustInclude": ["Strapi"],
+      "notes": "Partner discovery test. Strapi is the CMS partner."
     }
   ]
 }

src/auth/capabilities.server.ts

@@ -5,7 +5,17 @@
  * Uses inversion of control for data access.
  */
 
-import type { Capability, ICapabilitiesRepository, AuthUser } from './types'
+import type { ICapabilitiesRepository, AuthUser } from './types'
+import {
+  type Capability,
+  hasCapability,
+  hasAllCapabilities,
+  hasAnyCapability,
+  isAdmin,
+} from '~/db/types'
+
+// Re-export capability utilities from shared types for backwards compatibility
+export { hasCapability, hasAllCapabilities, hasAnyCapability, isAdmin }
 
 // ============================================================================
 // Capabilities Service
@@ -32,55 +42,9 @@ export class CapabilitiesService {
 }
 
 // ============================================================================
-// Capability Checking Utilities
+// AuthUser-specific Capability Utilities
 // ============================================================================
 
-/**
- * Check if user has a specific capability
- * Admin users have access to all capabilities
- */
-export function hasCapability(
-  capabilities: Capability[],
-  requiredCapability: Capability,
-): boolean {
-  return (
-    capabilities.includes('admin') || capabilities.includes(requiredCapability)
-  )
-}
-
-/**
- * Check if user has all specified capabilities
- */
-export function hasAllCapabilities(
-  capabilities: Capability[],
-  requiredCapabilities: Capability[],
-): boolean {
-  if (capabilities.includes('admin')) {
-    return true
-  }
-  return requiredCapabilities.every((cap) => capabilities.includes(cap))
-}
-
-/**
- * Check if user has any of the specified capabilities
- */
-export function hasAnyCapability(
-  capabilities: Capability[],
-  requiredCapabilities: Capability[],
-): boolean {
-  if (capabilities.includes('admin')) {
-    return true
-  }
-  return requiredCapabilities.some((cap) => capabilities.includes(cap))
-}
-
-/**
- * Check if user is admin
- */
-export function isAdmin(capabilities: Capability[]): boolean {
-  return capabilities.includes('admin')
-}
-
 /**
  * Check if AuthUser has a specific capability
  */

src/components/ClientAuth.tsx

@@ -3,6 +3,7 @@ import React from 'react'
 import { Spinner } from '~/components/Spinner'
 import { SignInForm } from '~/routes/_libraries/login'
 import { useCurrentUserQuery } from '~/hooks/useCurrentUser'
+import { hasCapability } from '~/db/types'
 
 const baseClasses = 'p-4 flex flex-col items-center justify-center gap-4'
 
@@ -63,7 +64,7 @@ export function ClientAdminAuth({ children }: { children: React.ReactNode }) {
   }
 
   const capabilities = userQuery.data?.capabilities || []
-  const canAdmin = capabilities.includes('admin')
+  const canAdmin = hasCapability(capabilities, 'admin')
 
   if (!canAdmin) {
     return (

src/components/Navbar.tsx

@@ -45,7 +45,7 @@ import {
   SIDEBAR_LIBRARY_IDS,
   type LibrarySlim,
 } from '~/libraries'
-import { ADMIN_ACCESS_CAPABILITIES } from '~/db/types'
+import { ADMIN_ACCESS_CAPABILITIES, hasCapability } from '~/db/types'
 import { useCapabilities } from '~/hooks/useCapabilities'
 import { useCurrentUser } from '~/hooks/useCurrentUser'
 import { useClickOutside } from '~/hooks/useClickOutside'
@@ -196,7 +196,7 @@ export function Navbar({ children }: { children: React.ReactNode }) {
     (ADMIN_ACCESS_CAPABILITIES as readonly string[]).includes(cap),
   )
 
-  const canApiKeys = capabilities.includes('api-keys')
+  const canApiKeys = hasCapability(capabilities, 'api-keys')
 
   const containerRef = React.useRef<HTMLDivElement>(null)
 

src/db/types.ts

@@ -186,3 +186,55 @@ export interface Role {
   createdAt: Date
   updatedAt: Date
 }
+
+// ============================================================================
+// Capability Checking Utilities (isomorphic - works on client and server)
+// ============================================================================
+
+/**
+ * Check if user has a specific capability.
+ * Admin capability grants access to all other capabilities.
+ */
+export function hasCapability(
+  capabilities: Capability[],
+  requiredCapability: Capability,
+): boolean {
+  return (
+    capabilities.includes('admin') || capabilities.includes(requiredCapability)
+  )
+}
+
+/**
+ * Check if user has all specified capabilities.
+ * Admin capability grants access to all other capabilities.
+ */
+export function hasAllCapabilities(
+  capabilities: Capability[],
+  requiredCapabilities: Capability[],
+): boolean {
+  if (capabilities.includes('admin')) {
+    return true
+  }
+  return requiredCapabilities.every((cap) => capabilities.includes(cap))
+}
+
+/**
+ * Check if user has any of the specified capabilities.
+ * Admin capability grants access to all other capabilities.
+ */
+export function hasAnyCapability(
+  capabilities: Capability[],
+  requiredCapabilities: Capability[],
+): boolean {
+  if (capabilities.includes('admin')) {
+    return true
+  }
+  return requiredCapabilities.some((cap) => capabilities.includes(cap))
+}
+
+/**
+ * Check if user has admin capability.
+ */
+export function isAdmin(capabilities: Capability[]): boolean {
+  return capabilities.includes('admin')
+}

src/hooks/useAdPreference.ts

@@ -1,5 +1,6 @@
 import { useCurrentUserQuery } from './useCurrentUser'
 import { useCapabilities } from './useCapabilities'
+import { hasCapability } from '~/db/types'
 import * as React from 'react'
 
 const STORAGE_KEY = 'tanstack-ads-preference'
@@ -23,8 +24,7 @@ export function useAdsPreference() {
   } else {
     const user = userQuery.data
     const adsDisabled = user.adsDisabled ?? false
-    const canDisableAds =
-      capabilities.includes('admin') || capabilities.includes('disableAds')
+    const canDisableAds = hasCapability(capabilities, 'disableAds')
     adsEnabled = !canDisableAds || !adsDisabled
   }
 

src/hooks/useAdminGuard.ts

@@ -1,6 +1,6 @@
 import { useCurrentUserQuery } from './useCurrentUser'
 import { useCapabilities } from './useCapabilities'
-import type { Capability } from '~/db/types'
+import { hasCapability, type Capability } from '~/db/types'
 
 type AdminGuardLoading = { status: 'loading' }
 type AdminGuardDenied = { status: 'denied' }
@@ -18,6 +18,8 @@ export type AdminGuardResult =
  * Hook to check if the current user has admin access.
  * Returns a discriminated union for easy pattern matching.
  *
+ * Note: Users with 'admin' capability are granted access to all capabilities.
+ *
  * @example
  * const guard = useAdminGuard()
  * if (guard.status === 'loading') return <AdminLoading />
@@ -34,7 +36,7 @@ export function useAdminGuard(
     return { status: 'loading' }
   }
 
-  if (!userQuery.data || !capabilities.includes(requiredCapability)) {
+  if (!userQuery.data || !hasCapability(capabilities, requiredCapability)) {
     return { status: 'denied' }
   }
 

src/routes/_libraries/account.tsx

@@ -1,6 +1,7 @@
 import { createFileRoute, Outlet, Link, redirect } from '@tanstack/react-router'
 import { requireAuth } from '~/utils/auth.server'
 import { useCapabilities } from '~/hooks/useCapabilities'
+import { hasCapability } from '~/db/types'
 
 export const Route = createFileRoute('/_libraries/account')({
   component: AccountLayout,
@@ -17,7 +18,7 @@ export const Route = createFileRoute('/_libraries/account')({
 
 function AccountLayout() {
   const capabilities = useCapabilities()
-  const canApiKeys = capabilities.includes('api-keys')
+  const canApiKeys = hasCapability(capabilities, 'api-keys')
 
   return (
     <div className="min-h-screen mx-auto p-4 md:p-8 w-full">

src/routes/_libraries/account/index.tsx

@@ -4,6 +4,7 @@ import { useQuery, useQueryClient } from '@tanstack/react-query'
 import { authClient } from '~/utils/auth.client'
 import { useCurrentUserQuery } from '~/hooks/useCurrentUser'
 import { useCapabilities } from '~/hooks/useCapabilities'
+import { hasCapability } from '~/db/types'
 import { useToast } from '~/components/ToastProvider'
 import {
   updateAdPreference,
@@ -83,8 +84,7 @@ function AccountSettingsPage() {
     user && typeof user === 'object' && 'adsDisabled' in user
       ? (user.adsDisabled ?? false)
       : false
-  const canDisableAds =
-    capabilities.includes('admin') || capabilities.includes('disableAds')
+  const canDisableAds = hasCapability(capabilities, 'disableAds')
 
   const handleFileSelect = (e: React.ChangeEvent<HTMLInputElement>) => {
     const file = e.target.files?.[0]