refactor: standardize roles in packages/auth package

Author: Marfuen

apps/api/package.json

@@ -13,6 +13,7 @@
     "@aws-sdk/s3-request-presigner": "^3.859.0",
     "@browserbasehq/sdk": "^2.6.0",
     "@browserbasehq/stagehand": "^3.0.5",
+    "@comp/auth": "workspace:*",
     "@comp/integration-platform": "workspace:*",
     "@mendable/firecrawl-js": "^4.9.3",
     "@nestjs/common": "^11.0.1",

apps/api/src/audit/audit-log.utils.ts

@@ -193,20 +193,12 @@ export function buildDescription(
   switch (action) {
     case 'create':
       return `Created ${resource}`;
+    case 'read':
+      return `Viewed ${resource}`;
     case 'update':
       return `Updated ${resource}`;
     case 'delete':
       return `Deleted ${resource}`;
-    case 'publish':
-      return `Published ${resource}`;
-    case 'approve':
-      return `Approved ${resource}`;
-    case 'assign':
-      return `Assigned ${resource}`;
-    case 'upload':
-      return `Uploaded to ${resource}`;
-    case 'export':
-      return `Exported ${resource}`;
     default: {
       const capitalizedAction =
         action.charAt(0).toUpperCase() + action.slice(1);

apps/api/src/auth/api-key.service.ts

@@ -5,6 +5,7 @@ import {
   BadRequestException,
 } from '@nestjs/common';
 import { db } from '@trycompai/db';
+import { statement } from '@comp/auth';
 import { createHash, randomBytes } from 'node:crypto';
 
 /** Result from validating an API key */
@@ -223,29 +224,8 @@ export class ApiKeyService {
    * Returns all valid `resource:action` scope pairs derived from the permission statement.
    */
   getAvailableScopes(): string[] {
-    // Import is dynamic-like but we use a hard-coded map matching the permission statement.
-    // This is kept in sync with packages/auth/src/permissions.ts
-    const resources: Record<string, readonly string[]> = {
-      organization: ['read', 'update', 'delete'],
-      member: ['create', 'read', 'update', 'delete'],
-      invitation: ['create', 'read', 'cancel'],
-      team: ['create', 'read', 'update', 'delete'],
-      control: ['create', 'read', 'update', 'delete', 'assign', 'export'],
-      evidence: ['create', 'read', 'update', 'delete', 'upload', 'export'],
-      policy: ['create', 'read', 'update', 'delete', 'publish', 'approve'],
-      risk: ['create', 'read', 'update', 'delete', 'assess', 'export'],
-      vendor: ['create', 'read', 'update', 'delete', 'assess'],
-      task: ['create', 'read', 'update', 'delete', 'assign', 'complete'],
-      framework: ['create', 'read', 'update', 'delete'],
-      audit: ['create', 'read', 'update', 'export'],
-      finding: ['create', 'read', 'update', 'delete'],
-      questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
-      integration: ['create', 'read', 'update', 'delete'],
-      apiKey: ['create', 'read', 'delete'],
-    };
-
     const scopes: string[] = [];
-    for (const [resource, actions] of Object.entries(resources)) {
+    for (const [resource, actions] of Object.entries(statement)) {
       for (const action of actions) {
         scopes.push(`${resource}:${action}`);
       }

apps/api/src/auth/auth.server.ts

@@ -14,121 +14,7 @@ import {
   multiSession,
   organization,
 } from 'better-auth/plugins';
-import { createAccessControl } from 'better-auth/plugins/access';
-import {
-  defaultStatements,
-  adminAc,
-  ownerAc,
-} from 'better-auth/plugins/organization/access';
-
-// ============================================================================
-// Permissions (inlined from @comp/auth to avoid cross-package TS compilation)
-// ============================================================================
-
-const statement = {
-  ...defaultStatements,
-  organization: ['read', 'update', 'delete'],
-  control: ['create', 'read', 'update', 'delete', 'assign', 'export'],
-  evidence: ['create', 'read', 'update', 'delete', 'upload', 'export'],
-  policy: ['create', 'read', 'update', 'delete', 'publish', 'approve'],
-  risk: ['create', 'read', 'update', 'delete', 'assess', 'export'],
-  vendor: ['create', 'read', 'update', 'delete', 'assess'],
-  task: ['create', 'read', 'update', 'delete', 'assign', 'complete'],
-  framework: ['create', 'read', 'update', 'delete'],
-  audit: ['create', 'read', 'update', 'export'],
-  finding: ['create', 'read', 'update', 'delete'],
-  questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
-  integration: ['create', 'read', 'update', 'delete'],
-  apiKey: ['create', 'read', 'delete'],
-  app: ['read'],
-  trust: ['read', 'update'],
-} as const;
-
-const ac = createAccessControl(statement);
-
-const owner = ac.newRole({
-  ...ownerAc.statements,
-  organization: ['read', 'update', 'delete'],
-  control: ['create', 'read', 'update', 'delete', 'assign', 'export'],
-  evidence: ['create', 'read', 'update', 'delete', 'upload', 'export'],
-  policy: ['create', 'read', 'update', 'delete', 'publish', 'approve'],
-  risk: ['create', 'read', 'update', 'delete', 'assess', 'export'],
-  vendor: ['create', 'read', 'update', 'delete', 'assess'],
-  task: ['create', 'read', 'update', 'delete', 'assign', 'complete'],
-  framework: ['create', 'read', 'update', 'delete'],
-  audit: ['create', 'read', 'update', 'export'],
-  finding: ['create', 'read', 'update', 'delete'],
-  questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
-  integration: ['create', 'read', 'update', 'delete'],
-  apiKey: ['create', 'read', 'delete'],
-  app: ['read'],
-  trust: ['read', 'update'],
-});
-
-const admin = ac.newRole({
-  ...adminAc.statements,
-  organization: ['read', 'update'],
-  control: ['create', 'read', 'update', 'delete', 'assign', 'export'],
-  evidence: ['create', 'read', 'update', 'delete', 'upload', 'export'],
-  policy: ['create', 'read', 'update', 'delete', 'publish', 'approve'],
-  risk: ['create', 'read', 'update', 'delete', 'assess', 'export'],
-  vendor: ['create', 'read', 'update', 'delete', 'assess'],
-  task: ['create', 'read', 'update', 'delete', 'assign', 'complete'],
-  framework: ['create', 'read', 'update', 'delete'],
-  audit: ['create', 'read', 'update', 'export'],
-  finding: ['create', 'read', 'update', 'delete'],
-  questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
-  integration: ['create', 'read', 'update', 'delete'],
-  apiKey: ['create', 'read', 'delete'],
-  app: ['read'],
-  trust: ['read', 'update'],
-});
-
-const auditor = ac.newRole({
-  organization: ['read'],
-  member: ['create'],
-  invitation: ['create'],
-  control: ['read', 'export'],
-  evidence: ['read', 'export'],
-  policy: ['read'],
-  risk: ['read', 'export'],
-  vendor: ['read'],
-  task: ['read'],
-  framework: ['read'],
-  audit: ['read', 'export'],
-  finding: ['create', 'read', 'update'],
-  questionnaire: ['read'],
-  integration: ['read'],
-  app: ['read'],
-  trust: ['read'],
-});
-
-const employee = ac.newRole({
-  task: ['read', 'complete'],
-  evidence: ['read', 'upload'],
-  policy: ['read'],
-  questionnaire: ['read', 'respond'],
-  trust: ['read', 'update'],
-});
-
-const contractor = ac.newRole({
-  task: ['read', 'complete'],
-  evidence: ['read', 'upload'],
-  policy: ['read'],
-  trust: ['read', 'update'],
-});
-
-const allRoles = {
-  owner,
-  admin,
-  auditor,
-  employee,
-  contractor,
-} as const;
-
-// ============================================================================
-// Auth Server Configuration
-// ============================================================================
+import { ac, allRoles } from '@comp/auth';
 
 const MAGIC_LINK_EXPIRES_IN_SECONDS = 60 * 60; // 1 hour
 

apps/api/src/auth/permission.guard.ts

@@ -6,6 +6,7 @@ import {
   Logger,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
+import { RESTRICTED_ROLES, PRIVILEGED_ROLES } from '@comp/auth';
 import { auth } from './auth.server';
 import { resolveServiceByName } from './service-token.config';
 import { AuthenticatedRequest } from './types';
@@ -23,16 +24,6 @@ export interface RequiredPermission {
  */
 export const PERMISSIONS_KEY = 'required_permissions';
 
-/**
- * Roles that require assignment-based filtering for resources
- */
-const RESTRICTED_ROLES = ['employee', 'contractor'];
-
-/**
- * Roles that have full access without assignment filtering
- */
-const PRIVILEGED_ROLES = ['owner', 'admin', 'auditor'];
-
 /**
  * PermissionGuard - Validates user permissions using better-auth's SDK
  *
@@ -196,14 +187,16 @@ export class PermissionGuard implements CanActivate {
     }
 
     // If user has any privileged role, they're not restricted
+    const privileged: readonly string[] = PRIVILEGED_ROLES;
+    const restricted: readonly string[] = RESTRICTED_ROLES;
     const hasPrivilegedRole = roles.some((role) =>
-      PRIVILEGED_ROLES.includes(role),
+      privileged.includes(role),
     );
     if (hasPrivilegedRole) {
       return false;
     }
 
     // Check if all roles are restricted
-    return roles.every((role) => RESTRICTED_ROLES.includes(role));
+    return roles.every((role) => restricted.includes(role));
   }
 }

apps/api/src/auth/require-permission.decorator.ts

@@ -19,7 +19,7 @@ import { PERMISSIONS_KEY, RequiredPermission } from './permission.guard';
  * @example
  * // Use with guards
  * @UseGuards(HybridAuthGuard, PermissionGuard)
- * @RequirePermission('policy', 'publish')
+ * @RequirePermission('policy', 'update')
  * @Post(':id/publish')
  * async publishPolicy(@Param('id') id: string) { ... }
  */
@@ -41,7 +41,7 @@ export const RequirePermission = (
  * // Require permissions on multiple resources
  * @RequirePermissions([
  *   { resource: 'control', actions: ['read'] },
- *   { resource: 'evidence', actions: ['upload'] },
+ *   { resource: 'evidence', actions: ['create'] },
  * ])
  */
 export const RequirePermissions = (permissions: RequiredPermission[]) =>
@@ -72,18 +72,6 @@ export type GRCResource =
   | 'trust';
 
 /**
- * Action types available for GRC resources
+ * Action types available for GRC resources — CRUD only
  */
-export type GRCAction =
-  | 'create'
-  | 'read'
-  | 'update'
-  | 'delete'
-  | 'assign'
-  | 'export'
-  | 'upload'
-  | 'publish'
-  | 'approve'
-  | 'assess'
-  | 'complete'
-  | 'respond';
+export type GRCAction = 'create' | 'read' | 'update' | 'delete';

apps/api/src/auth/service-token.config.ts

@@ -36,7 +36,7 @@ export const SERVICE_DEFINITIONS: Record<string, ServiceDefinition> = {
       'trust:read',
       'organization:read',
       'questionnaire:read',
-      'questionnaire:respond',
+      'questionnaire:update',
     ],
   },
 };

apps/api/src/knowledge-base/knowledge-base.controller.ts

@@ -55,7 +55,7 @@ export class KnowledgeBaseController {
   }
 
   @Post('manual-answers')
-  @RequirePermission('questionnaire', 'respond')
+  @RequirePermission('questionnaire', 'update')
   @HttpCode(HttpStatus.OK)
   @ApiOperation({ summary: 'Save or update a manual answer' })
   @ApiConsumes('application/json')

apps/api/src/organization/organization.service.ts

@@ -6,6 +6,7 @@ import {
   ForbiddenException,
   InternalServerErrorException,
 } from '@nestjs/common';
+import { allRoles } from '@comp/auth';
 import { GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { db, Role } from '@trycompai/db';
@@ -316,13 +317,7 @@ export class OrganizationService {
   }
 
   async getRoleNotificationSettings(organizationId: string) {
-    const BUILT_IN_ROLES = [
-      'owner',
-      'admin',
-      'auditor',
-      'employee',
-      'contractor',
-    ] as const;
+    const BUILT_IN_ROLES = Object.keys(allRoles);
 
     const BUILT_IN_DEFAULTS: Record<
       string,

apps/api/src/policies/policies.controller.ts

@@ -159,7 +159,7 @@ export class PoliciesController {
 
   @Post('publish-all')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'publish')
+  @RequirePermission('policy', 'update')
   @ApiOperation({ summary: 'Publish all draft/needs_review policies' })
   async publishAll(
     @OrganizationId() organizationId: string,
@@ -472,7 +472,7 @@ export class PoliciesController {
 
   @Post(':id/versions/publish')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'publish')
+  @RequirePermission('policy', 'update')
   @ApiOperation(VERSION_OPERATIONS.publishPolicyVersion)
   @ApiParam(VERSION_PARAMS.policyId)
   @ApiBody(VERSION_BODIES.publishVersion)
@@ -507,7 +507,7 @@ export class PoliciesController {
 
   @Post(':id/versions/:versionId/activate')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'publish')
+  @RequirePermission('policy', 'update')
   @ApiOperation(VERSION_OPERATIONS.setActivePolicyVersion)
   @ApiParam(VERSION_PARAMS.policyId)
   @ApiParam(VERSION_PARAMS.versionId)
@@ -541,7 +541,7 @@ export class PoliciesController {
 
   @Post(':id/versions/:versionId/submit-for-approval')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'approve')
+  @RequirePermission('policy', 'update')
   @ApiOperation(VERSION_OPERATIONS.submitVersionForApproval)
   @ApiParam(VERSION_PARAMS.policyId)
   @ApiParam(VERSION_PARAMS.versionId)
@@ -667,7 +667,7 @@ Keep responses helpful and focused on the policy editing task.`;
 
   @Post(':id/deny-changes')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'approve')
+  @RequirePermission('policy', 'update')
   @ApiOperation({ summary: 'Deny requested policy changes' })
   @ApiParam(POLICY_PARAMS.policyId)
   async denyPolicyChanges(
@@ -687,7 +687,7 @@ Keep responses helpful and focused on the policy editing task.`;
 
   @Post(':id/accept-changes')
   @UseGuards(PermissionGuard)
-  @RequirePermission('policy', 'approve')
+  @RequirePermission('policy', 'update')
   @ApiOperation({ summary: 'Accept requested policy changes and publish' })
   @ApiParam(POLICY_PARAMS.policyId)
   async acceptPolicyChanges(