feat(auth): add apiKey resource and permissions to roles and decorators

Marfuen · Marfuen · commit dc37a007805c · 2026-02-11T13:57:20.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -40,6 +40,10 @@ yarn-error.log*
 # turbo
 .turbo
 
+# claude code - personal settings and memory (commands/ is shared)
+.claude/settings.local.json
+.claude/projects/
+
 # react-email
 .react-email
 packages/email/public
diff --git a/apps/api/src/auth/auth.server.ts b/apps/api/src/auth/auth.server.ts
@@ -39,6 +39,7 @@ const statement = {
   finding: ['create', 'read', 'update', 'delete'],
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
+  apiKey: ['create', 'read', 'delete'],
   app: ['read'],
   trust: ['read', 'update'],
 } as const;
@@ -59,6 +60,7 @@ const owner = ac.newRole({
   finding: ['create', 'read', 'update', 'delete'],
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
+  apiKey: ['create', 'read', 'delete'],
   app: ['read'],
   trust: ['read', 'update'],
 });
@@ -77,6 +79,7 @@ const admin = ac.newRole({
   finding: ['create', 'read', 'update', 'delete'],
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
+  apiKey: ['create', 'read', 'delete'],
   app: ['read'],
   trust: ['read', 'update'],
 });
diff --git a/apps/api/src/auth/require-permission.decorator.ts b/apps/api/src/auth/require-permission.decorator.ts
@@ -65,6 +65,7 @@ export type GRCResource =
   | 'finding'
   | 'questionnaire'
   | 'integration'
+  | 'apiKey'
   | 'cloud-security'
   | 'training'
   | 'app'
diff --git a/apps/api/src/auth/service-token.config.ts b/apps/api/src/auth/service-token.config.ts
@@ -29,6 +29,16 @@ export const SERVICE_DEFINITIONS: Record<string, ServiceDefinition> = {
     name: 'Portal App',
     permissions: ['training:read', 'training:update'],
   },
+  trust: {
+    envVar: 'SERVICE_TOKEN_TRUST',
+    name: 'Trust Portal',
+    permissions: [
+      'trust:read',
+      'organization:read',
+      'questionnaire:read',
+      'questionnaire:respond',
+    ],
+  },
 };
 
 /**
diff --git a/apps/api/src/organization/organization.controller.ts b/apps/api/src/organization/organization.controller.ts
@@ -285,7 +285,7 @@ export class OrganizationController {
   }
 
   @Get('primary-color')
-  @RequirePermission('organization', 'read')
+  @UseGuards() // Override class-level guards — public endpoint for trust portal (uses token or auth)
   @ApiOperation(ORGANIZATION_OPERATIONS.getPrimaryColor)
   @ApiQuery({
     name: 'token',
diff --git a/apps/api/src/roles/roles.service.ts b/apps/api/src/roles/roles.service.ts
@@ -19,6 +19,7 @@ const VALID_RESOURCES: Record<string, string[]> = {
   finding: ['create', 'read', 'update', 'delete'],
   questionnaire: ['create', 'read', 'update', 'delete', 'respond'],
   integration: ['create', 'read', 'update', 'delete'],
+  apiKey: ['create', 'read', 'delete'],
   app: ['read'],
   trust: ['read', 'update'],
 };
diff --git a/apps/app/src/app/(app)/[orgId]/settings/roles/components/PermissionMatrix.tsx b/apps/app/src/app/(app)/[orgId]/settings/roles/components/PermissionMatrix.tsx
@@ -11,6 +11,8 @@ import {
  * These map to the permission resources defined in @auth/permissions.ts
  */
 const RESOURCES = [
+  { key: 'organization', label: 'Organization', description: 'Manage organization settings' },
+  { key: 'member', label: 'Members', description: 'Manage team members and roles' },
   { key: 'control', label: 'Controls', description: 'Manage security controls' },
   { key: 'evidence', label: 'Evidence', description: 'Manage compliance evidence' },
   { key: 'policy', label: 'Policies', description: 'Manage organizational policies' },
@@ -22,6 +24,8 @@ const RESOURCES = [
   { key: 'finding', label: 'Findings', description: 'Manage audit findings' },
   { key: 'questionnaire', label: 'Questionnaires', description: 'Manage security questionnaires' },
   { key: 'integration', label: 'Integrations', description: 'Manage third-party integrations' },
+  { key: 'apiKey', label: 'API Keys', description: 'Manage API keys for programmatic access' },
+  { key: 'trust', label: 'Trust Center', description: 'Manage trust portal and access requests' },
 ] as const;
 
 type ResourceKey = (typeof RESOURCES)[number]['key'];
@@ -38,6 +42,14 @@ type AccessLevel = 'none' | 'view' | 'edit';
  * Maps access levels to the actual permission actions for each resource
  */
 const ACCESS_LEVEL_MAPPING: Record<ResourceKey, Record<Exclude<AccessLevel, 'none'>, string[]>> = {
+  organization: {
+    view: ['read'],
+    edit: ['read', 'update'],
+  },
+  member: {
+    view: ['read'],
+    edit: ['create', 'read', 'update', 'delete'],
+  },
   control: {
     view: ['read', 'export'],
     edit: ['create', 'read', 'update', 'delete', 'assign', 'export'],
@@ -82,6 +94,14 @@ const ACCESS_LEVEL_MAPPING: Record<ResourceKey, Record<Exclude<AccessLevel, 'non
     view: ['read'],
     edit: ['create', 'read', 'update', 'delete'],
   },
+  apiKey: {
+    view: ['read'],
+    edit: ['create', 'read', 'delete'],
+  },
+  trust: {
+    view: ['read'],
+    edit: ['read', 'update'],
+  },
 };
 
 interface PermissionMatrixProps {
diff --git a/packages/docs/openapi.json b/packages/docs/openapi.json

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ export class OrganizationController {`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`@Get('primary-color')`
`288`		`- @RequirePermission('organization', 'read')`
	`288`	`+ @UseGuards() // Override class-level guards — public endpoint for trust portal (uses token or auth)`
`289`	`289`	`@ApiOperation(ORGANIZATION_OPERATIONS.getPrimaryColor)`
`290`	`290`	`@ApiQuery({`
`291`	`291`	`name: 'token',`