|
| 1 | +# B2B / Organizations — opt-in |
| 2 | + |
| 3 | +This template ships as a **BASE tier** app: the `auth:email` module set only. |
| 4 | +Out of the box it has authentication (sign in / up / out, password reset, email |
| 5 | +verification), an account/profile surface, and a place to build your own app |
| 6 | +data. It ships **no** organization, members, roles, or invite code — so a base |
| 7 | +app builds clean with zero org imports. |
| 8 | + |
| 9 | +Multi-tenant / team features (organizations, members, roles, org settings) are a |
| 10 | +deliberate **opt-in**. You add them in two coordinated steps; you do **not** |
| 11 | +hand-write the org UI — the registry org blocks already implement it. |
| 12 | + |
| 13 | +## 1. Provision the org modules |
| 14 | + |
| 15 | +The base default module set lives in `packages/provision/src/modules.ts` |
| 16 | +(`AUTH_EMAIL_MODULES`). To go b2b, extend it with `ORG_MODULES` (also exported |
| 17 | +from that file) when creating the database: |
| 18 | + |
| 19 | +```ts |
| 20 | +// packages/provision/src/create-db.ts |
| 21 | +import { asModules, AUTH_EMAIL_MODULES, ORG_MODULES } from './modules.js'; |
| 22 | + |
| 23 | +const APP_MODULES = [...AUTH_EMAIL_MODULES, ...ORG_MODULES]; |
| 24 | +// ... |
| 25 | +modules: asModules(APP_MODULES), |
| 26 | +``` |
| 27 | + |
| 28 | +`ORG_MODULES` mirrors the `organization` flow's backend module set from the |
| 29 | +flow catalog (`references/flows.json`): the org-scoped `permissions`, `limits`, |
| 30 | +`levels`, `memberships`, `profiles`, `hierarchy` modules plus app- and |
| 31 | +org-scoped `invites`. All scoped modules are tuple form |
| 32 | +(`['memberships_module', { scope: 'org' }]`) — the colon-string form |
| 33 | +(`'memberships_module:org'`) is rejected by the provision proc. |
| 34 | + |
| 35 | +After provisioning, re-run codegen (`pnpm codegen`) so the generated admin SDK |
| 36 | +(`@sdk/admin`) gains the org / members / invites query + mutation hooks that the |
| 37 | +org blocks consume. |
| 38 | + |
| 39 | +## 2. Add the registry org blocks |
| 40 | + |
| 41 | +Install the organization blocks from the Constructive blocks registry and mount |
| 42 | +them on your org routes — they bring their own data hooks, wired to the |
| 43 | +org-scoped admin SDK: |
| 44 | + |
| 45 | +```bash |
| 46 | +npx shadcn@latest add org-create-card org-members-list org-roles-editor org-settings-form |
| 47 | +``` |
| 48 | + |
| 49 | +| Block | Purpose | |
| 50 | +| ------------------- | ---------------------------------------- | |
| 51 | +| `org-create-card` | Create a new organization | |
| 52 | +| `org-members-list` | List / manage members of an organization | |
| 53 | +| `org-roles-editor` | Edit member roles & permissions | |
| 54 | +| `org-settings-form` | Organization profile & settings | |
| 55 | + |
| 56 | +Then reintroduce the org navigation seam that the base intentionally leaves |
| 57 | +minimal: |
| 58 | + |
| 59 | +- `src/lib/navigation/sidebar-config.ts` — add an `Organizations` nav entry and |
| 60 | + an org-level nav group. |
| 61 | +- `src/lib/navigation/use-entity-params.ts` — reintroduce the `orgId` path param |
| 62 | + (and an org switcher) so `/orgs/[orgId]/*` routes resolve. |
| 63 | +- `src/app-routes.ts` — add the org-scoped routes; the |
| 64 | + `requiredPermission: 'app-admin'` gate in `RouteGuard` is already present for |
| 65 | + app-admin surfaces to reuse. |
| 66 | + |
| 67 | +That's the whole opt-in: provision the modules, regenerate the SDK, drop in the |
| 68 | +blocks, and wire the routes. No org UI is hand-written in this template. |
| 69 | + |
| 70 | +## 3. Prerequisite: the org-create RLS permission bit |
| 71 | + |
| 72 | +Creating an organization is a `createUser` with **`type = 2`** (an org is modelled |
| 73 | +as an entity-typed user row). The `users` table is RLS-protected, and the INSERT |
| 74 | +policy for entity-type rows requires the **acting** user to hold the |
| 75 | +**`create_entity`** app permission. Without it the create fails with: |
| 76 | + |
| 77 | +``` |
| 78 | +new row violates row-level security policy for table "users" |
| 79 | +``` |
| 80 | + |
| 81 | +`create_entity` is the 5th app-permission bit defined by `initialize_permissions` |
| 82 | +(app scope) — i.e. bit value `0x10000` (`1 << 16`) in the 64-bit app permission |
| 83 | +mask. The actor must have it set on their **app membership** row before they call |
| 84 | +the org-create mutation (the `org-create-card` block). |
| 85 | + |
| 86 | +How this template grants it: `packages/provision/src/create-db.ts` already |
| 87 | +elevates the bootstrap admin to full permissions right after provisioning — it |
| 88 | +resolves **this tenant's** `memberships_public` schema via the metaschema |
| 89 | +(scoped by `database_id`, not a floating `LIKE`) and runs: |
| 90 | + |
| 91 | +```sql |
| 92 | +UPDATE "<tenant>_memberships_public".app_memberships |
| 93 | + SET is_admin = true, is_owner = true, |
| 94 | + permissions = (64 one-bits)::bit(64) -- includes the create_entity bit |
| 95 | + WHERE actor_id = $1; |
| 96 | +``` |
| 97 | + |
| 98 | +So the admin user that `create-db` registers can create orgs out of the box. For |
| 99 | +**non-admin** users who must create orgs, grant just the `create_entity` bit on |
| 100 | +their app membership (set bit `0x10000`, or via the admin SDK |
| 101 | +`appMembership.update`) — do not blanket-grant `is_admin`. |
| 102 | + |
| 103 | +### Note: `@constructive-io/node` and `*.localhost` ("fetch failed") |
| 104 | + |
| 105 | +`create-db.ts` registers the org/admin user against the per-tenant auth host |
| 106 | +`auth-<sub>.localhost` using `@constructive-io/node`'s `auth.createClient`. The |
| 107 | +convenience `{ endpoint }` form builds a `FetchAdapter` that calls |
| 108 | +`globalThis.fetch` directly. On many Linux/CI hosts Node cannot resolve |
| 109 | +`*.localhost` (ENOTFOUND → **"fetch failed"**), and undici also drops a manual |
| 110 | +`Host` header, breaking subdomain routing. (macOS resolves `*.localhost` to |
| 111 | +127.0.0.1, so it often "just works" locally — but CI will not.) |
| 112 | + |
| 113 | +Workaround — pass a `NodeHttpAdapter` (exported by `@constructive-io/node`) |
| 114 | +instead of `endpoint`; it rewrites the hostname to `localhost` and injects the |
| 115 | +original host as the `Host` header: |
| 116 | + |
| 117 | +```ts |
| 118 | +import { auth, NodeHttpAdapter } from '@constructive-io/node'; |
| 119 | + |
| 120 | +const dbAuthClient = auth.createClient({ |
| 121 | + adapter: new NodeHttpAdapter(`http://auth-${databaseName}.localhost:3000/graphql`), |
| 122 | +}); |
| 123 | +``` |
| 124 | + |
| 125 | +The package's own raw-HTTP path (`helpers.rawExecute`) already routes through |
| 126 | +`@constructive-io/fetch`'s `createFetch()`, which applies the same rewrite — so |
| 127 | +prefer that (or `NodeHttpAdapter`) for any `*.localhost` call that errors with |
| 128 | +"fetch failed" in CI. |
0 commit comments