fix(sync): validate employee.role before persisting (limbo-role guard) (#2690)

* fix(sync): validate employee.role against known roles before persisting

The generic employee sync service wrote employee.role straight into
member.role with no validation. A misconfigured DSL (notably the
Microsoft sync, which mapped Entra Graph's jobTitle into role) could
plant strings like "Senior Front End Engineer" in member.role with no
matching organization_role row. The Roles page correctly showed nothing
for these "limbo" roles, but the People list rendered them as Badges
(getRoleLabel falls back to title-case for unknown roles), and any
RBAC check against them silently denied permissions because the value
matched neither a built-in role nor a custom role.

Sanitize employee.role before insert: each comma-separated token must
be either a built-in role (BUILT_IN_ROLE_PERMISSIONS) or an existing
organization_role.name in the same org. Unknown tokens are dropped;
if every token is invalid (or role is empty), fall back to defaultRole.
Log a warning when this happens so a misconfigured DSL is visible in
sync logs instead of silently corrupting data.

Note: this is a forward fix only. Customers with already-polluted
member.role values need a one-time data scrub plus a fix to their
DynamicIntegration.syncDefinition JSON in the database (separate
operations on the DB side, not in this PR).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(sync): self-heal existing members' limbo roles on re-sync

The previous commit guarded *new* member creation against unknown role
strings. This extends the same sanitizer to *existing* members the sync
re-encounters, so customers who already have polluted member.role
values get cleaned up automatically the next time they import — no
manual DB scrub required.

The heal is conservative: it only ever shrinks the role string (drops
unknown tokens, falls back to defaultRole if every token is invalid).
It never overwrites a member's currently-valid role with whatever the
provider sent, so a manually-assigned admin won't get downgraded by a
DSL still mis-mapping jobTitle. Both the "already a member" and the
"reactivate" paths heal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Marfuen

apps/api/src/integration-platform/services/generic-employee-sync.service.spec.ts

@@ -0,0 +1,244 @@
+import type { SyncEmployee } from '@trycompai/integration-platform';
+
+const mockUserFindUnique = jest.fn();
+const mockUserCreate = jest.fn();
+const mockMemberFindFirst = jest.fn();
+const mockMemberCreate = jest.fn();
+const mockMemberFindMany = jest.fn();
+const mockMemberUpdate = jest.fn();
+const mockOrgRoleFindMany = jest.fn();
+
+jest.mock('@trycompai/auth', () => ({
+  BUILT_IN_ROLE_PERMISSIONS: {
+    owner: {},
+    admin: {},
+    auditor: {},
+    employee: {},
+    contractor: {},
+  },
+}));
+
+jest.mock('@db', () => ({
+  db: {
+    user: {
+      findUnique: (...args: unknown[]) => mockUserFindUnique(...args),
+      create: (...args: unknown[]) => mockUserCreate(...args),
+    },
+    member: {
+      findFirst: (...args: unknown[]) => mockMemberFindFirst(...args),
+      create: (...args: unknown[]) => mockMemberCreate(...args),
+      findMany: (...args: unknown[]) => mockMemberFindMany(...args),
+      update: (...args: unknown[]) => mockMemberUpdate(...args),
+    },
+    organizationRole: {
+      findMany: (...args: unknown[]) => mockOrgRoleFindMany(...args),
+    },
+  },
+}));
+
+import { GenericEmployeeSyncService } from './generic-employee-sync.service';
+
+describe('GenericEmployeeSyncService role validation', () => {
+  let service: GenericEmployeeSyncService;
+
+  const baseEmployee = (
+    overrides: Partial<SyncEmployee> = {},
+  ): SyncEmployee => ({
+    email: 'new-hire@example.com',
+    name: 'New Hire',
+    status: 'active',
+    ...overrides,
+  });
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    service = new GenericEmployeeSyncService();
+
+    // Default: user does not exist (will be created), no existing member,
+    // no other org members (skip phase 2).
+    mockUserFindUnique.mockResolvedValue(null);
+    mockUserCreate.mockResolvedValue({
+      id: 'user_1',
+      email: 'new-hire@example.com',
+    });
+    mockMemberFindFirst.mockResolvedValue(null);
+    mockMemberCreate.mockResolvedValue({ id: 'mem_1' });
+    mockMemberFindMany.mockResolvedValue([]);
+    mockOrgRoleFindMany.mockResolvedValue([]);
+  });
+
+  it('persists a built-in role from the provider as-is', async () => {
+    await service.processEmployees({
+      organizationId: 'org_1',
+      employees: [baseEmployee({ role: 'admin' })],
+    });
+
+    expect(mockMemberCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ role: 'admin' }),
+      }),
+    );
+  });
+
+  it('persists a known custom role from the provider as-is', async () => {
+    mockOrgRoleFindMany.mockResolvedValue([
+      { name: 'security-engineer' },
+    ]);
+
+    await service.processEmployees({
+      organizationId: 'org_1',
+      employees: [baseEmployee({ role: 'security-engineer' })],
+    });
+
+    expect(mockMemberCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ role: 'security-engineer' }),
+      }),
+    );
+  });
+
+  it('falls back to defaultRole when provider sends an unknown role (e.g. Microsoft jobTitle)', async () => {
+    await service.processEmployees({
+      organizationId: 'org_1',
+      employees: [baseEmployee({ role: 'Senior Front End Engineer' })],
+      options: { defaultRole: 'employee' },
+    });
+
+    expect(mockMemberCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ role: 'employee' }),
+      }),
+    );
+  });
+
+  it('falls back to defaultRole when provider sends an empty role', async () => {
+    await service.processEmployees({
+      organizationId: 'org_1',
+      employees: [baseEmployee({ role: '' })],
+      options: { defaultRole: 'contractor' },
+    });
+
+    expect(mockMemberCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ role: 'contractor' }),
+      }),
+    );
+  });
+
+  it('looks up custom roles scoped to the org being synced', async () => {
+    await service.processEmployees({
+      organizationId: 'org_42',
+      employees: [baseEmployee({ role: 'employee' })],
+    });
+
+    expect(mockOrgRoleFindMany).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { organizationId: 'org_42' },
+        select: { name: true },
+      }),
+    );
+  });
+
+  it('keeps only the valid tokens when role is comma-separated', async () => {
+    await service.processEmployees({
+      organizationId: 'org_1',
+      employees: [baseEmployee({ role: 'admin,Senior Front End Engineer' })],
+      options: { defaultRole: 'employee' },
+    });
+
+    expect(mockMemberCreate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        data: expect.objectContaining({ role: 'admin' }),
+      }),
+    );
+  });
+
+  describe('limbo role self-heal on re-sync', () => {
+    it('heals an existing member whose role is entirely invalid', async () => {
+      mockUserFindUnique.mockResolvedValue({
+        id: 'user_1',
+        email: 'mc@example.com',
+      });
+      mockMemberFindFirst.mockResolvedValue({
+        id: 'mem_1',
+        role: 'Senior Front End Engineer',
+        deactivated: false,
+      });
+
+      await service.processEmployees({
+        organizationId: 'org_1',
+        employees: [baseEmployee({ email: 'mc@example.com', role: 'employee' })],
+        options: { defaultRole: 'employee' },
+      });
+
+      expect(mockMemberUpdate).toHaveBeenCalledWith({
+        where: { id: 'mem_1' },
+        data: { role: 'employee' },
+      });
+    });
+
+    it('heals an existing member whose role mixes valid + invalid tokens', async () => {
+      mockUserFindUnique.mockResolvedValue({
+        id: 'user_1',
+        email: 'mc@example.com',
+      });
+      mockMemberFindFirst.mockResolvedValue({
+        id: 'mem_1',
+        role: 'admin,Senior Front End Engineer',
+        deactivated: false,
+      });
+
+      await service.processEmployees({
+        organizationId: 'org_1',
+        employees: [baseEmployee({ email: 'mc@example.com' })],
+      });
+
+      expect(mockMemberUpdate).toHaveBeenCalledWith({
+        where: { id: 'mem_1' },
+        data: { role: 'admin' },
+      });
+    });
+
+    it('does not touch an existing member whose role is already valid', async () => {
+      mockUserFindUnique.mockResolvedValue({
+        id: 'user_1',
+        email: 'mc@example.com',
+      });
+      mockMemberFindFirst.mockResolvedValue({
+        id: 'mem_1',
+        role: 'admin',
+        deactivated: false,
+      });
+
+      await service.processEmployees({
+        organizationId: 'org_1',
+        employees: [baseEmployee({ email: 'mc@example.com' })],
+      });
+
+      expect(mockMemberUpdate).not.toHaveBeenCalled();
+    });
+
+    it('heals AND reactivates a deactivated member with a limbo role', async () => {
+      mockUserFindUnique.mockResolvedValue({
+        id: 'user_1',
+        email: 'mc@example.com',
+      });
+      mockMemberFindFirst.mockResolvedValue({
+        id: 'mem_1',
+        role: 'Senior Front End Engineer',
+        deactivated: true,
+      });
+
+      await service.processEmployees({
+        organizationId: 'org_1',
+        employees: [baseEmployee({ email: 'mc@example.com' })],
+        options: { allowReactivation: true, defaultRole: 'employee' },
+      });
+
+      expect(mockMemberUpdate).toHaveBeenCalledWith({
+        where: { id: 'mem_1' },
+        data: { deactivated: false, isActive: true, role: 'employee' },
+      });
+    });
+  });
+});

apps/api/src/integration-platform/services/generic-employee-sync.service.ts

@@ -1,6 +1,7 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { db } from '@db';
 import type { SyncEmployee } from '@trycompai/integration-platform';
+import { BUILT_IN_ROLE_PERMISSIONS } from '@trycompai/auth';
 
 // ============================================================================
 // Types
@@ -76,6 +77,28 @@ export class GenericEmployeeSyncService {
     const protectedRoles = options.protectedRoles ?? DEFAULT_PROTECTED_ROLES;
     const providerName = options.providerName ?? 'provider';
 
+    // Build the set of role identifiers we'll accept on this sync. Anything
+    // outside this set is dropped (e.g. a Microsoft DSL that mis-maps
+    // jobTitle into role would otherwise plant "Senior Front End Engineer"
+    // strings into member.role with no matching organization_role row).
+    const customRoles: { name: string }[] = await db.organizationRole.findMany({
+      where: { organizationId },
+      select: { name: true },
+    });
+    const validRoleNames = new Set<string>([
+      ...Object.keys(BUILT_IN_ROLE_PERMISSIONS),
+      ...customRoles.map((r) => r.name),
+    ]);
+
+    const sanitizeRole = (raw: string | undefined | null): string => {
+      if (!raw) return defaultRole;
+      const tokens = raw
+        .split(',')
+        .map((t) => t.trim())
+        .filter((t) => t.length > 0 && validRoleNames.has(t));
+      return tokens.length > 0 ? tokens.join(',') : defaultRole;
+    };
+
     const results: SyncResult = {
       success: true,
       totalFound: employees.length,
@@ -149,18 +172,40 @@ export class GenericEmployeeSyncService {
         });
 
         if (existingMember) {
+          // Self-heal limbo roles: if the persisted member.role contains
+          // tokens that don't map to any valid role today (e.g. an Entra
+          // jobTitle planted by a misconfigured DSL pre-fix), drop them.
+          // We only ever shrink the role string here — never overwrite a
+          // valid assignment with whatever the provider sent.
+          const healedRole = sanitizeRole(existingMember.role);
+          const needsHeal = healedRole !== existingMember.role;
+          if (needsHeal) {
+            this.logger.warn(
+              `[GenericSync] Healing limbo role for ${normalizedEmail}: "${existingMember.role}" → "${healedRole}"`,
+            );
+          }
+
           if (existingMember.deactivated && allowReactivation) {
-            // Reactivate the member
             await db.member.update({
               where: { id: existingMember.id },
-              data: { deactivated: false, isActive: true },
+              data: {
+                deactivated: false,
+                isActive: true,
+                ...(needsHeal ? { role: healedRole } : {}),
+              },
             });
             results.reactivated++;
             results.details.push({
               email: normalizedEmail,
               status: 'reactivated',
             });
           } else {
+            if (needsHeal) {
+              await db.member.update({
+                where: { id: existingMember.id },
+                data: { role: healedRole },
+              });
+            }
             results.skipped++;
             results.details.push({
               email: normalizedEmail,
@@ -174,11 +219,17 @@ export class GenericEmployeeSyncService {
         }
 
         // Create new member
+        const sanitizedRole = sanitizeRole(employee.role);
+        if (employee.role && sanitizedRole !== employee.role) {
+          this.logger.warn(
+            `[GenericSync] Provider "${providerName}" sent unrecognized role "${employee.role}" for ${normalizedEmail}; falling back to "${sanitizedRole}"`,
+          );
+        }
         await db.member.create({
           data: {
             organizationId,
             userId: existingUser.id,
-            role: employee.role || defaultRole,
+            role: sanitizedRole,
             isActive: true,
           },
         });