tenseleyflow/shithub / 41454b8

+	"github.com/jackc/pgx/v5/pgxpool"

+// TestTeamGrant_GivesWriteAccess pins the S31 contract: a team grant

+// at `write` on an org repo lets that team's members push, even

+// though they're plain org members (not owners) and have no direct

+// collaborator row.

+func TestTeamGrant_GivesWriteAccess(t *testing.T) {

+	pool := dbtest.NewTestDB(t)

+	ctx := context.Background()

+

+	creator, _ := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "alice", DisplayName: "Alice", PasswordHash: fixtureHash,

+	})

+	deps := orgs.Deps{Pool: pool}

+	org, _ := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: creator.ID})

+	repo, _ := reposdb.New().CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerOrgID: pgtype.Int8{Int64: org.ID, Valid: true},

+		Name:       "demo", DefaultBranch: "trunk", Visibility: reposdb.RepoVisibilityPublic,

+	})

+	bob, _ := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "bob", DisplayName: "Bob", PasswordHash: fixtureHash,

+	})

+	if err := orgs.AddMember(ctx, deps, org.ID, bob.ID, creator.ID, "member"); err != nil {

+		t.Fatalf("add org member: %v", err)

+	}

+	team, _ := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{

+		OrgID: org.ID, Slug: "eng", CreatedByUserID: creator.ID,

+	})

+	if err := orgs.AddTeamMember(ctx, deps, team.ID, bob.ID, creator.ID, "member"); err != nil {

+		t.Fatalf("add team member: %v", err)

+	}

+	if err := orgs.GrantTeamRepoAccess(ctx, deps, team.ID, repo.ID, creator.ID, "write"); err != nil {

+		t.Fatalf("grant: %v", err)

+	}

+

+	ref := policy.NewRepoRefFromRepo(repo)

+	bobActor := policy.UserActor(bob.ID, "bob", false, false)

+	pdeps := policy.Deps{Pool: pool}

+

+	if got := policy.Can(ctx, pdeps, bobActor, policy.ActionRepoWrite, ref); !got.Allow {

+		t.Fatalf("team-granted write should allow: %+v", got)

+	}

+

+	// Demote to read → write must now deny.

+	if err := orgs.GrantTeamRepoAccess(ctx, deps, team.ID, repo.ID, creator.ID, "read"); err != nil {

+		t.Fatalf("demote: %v", err)

+	}

+	if got := policy.Can(ctx, pdeps, bobActor, policy.ActionRepoWrite, ref); got.Allow {

+		t.Fatal("after demote to read, write should deny")

+	}

+	// Reads still allow under read role.

+	if got := policy.Can(ctx, pdeps, bobActor, policy.ActionRepoRead, ref); !got.Allow {

+		t.Fatalf("read should still allow at read role: %+v", got)

+	}

+

+	// Revoke entirely → reads on a public repo still allow (visibility),

+	// but for the test of "team membership lost access" we use a

+	// private repo branch:

+	if _, err := pool.Exec(ctx, `UPDATE repos SET visibility='private' WHERE id=$1`, repo.ID); err != nil {

+		t.Fatalf("flip private: %v", err)

+	}

+	// Cache from the previous Can() call may still be hot — start a

+	// fresh request scope by using a new context.

+	if err := orgs.RevokeTeamRepoAccess(ctx, deps, team.ID, repo.ID); err != nil {

+		t.Fatalf("revoke: %v", err)

+	}

+	freshCtx := context.Background()

+	if got := policy.Can(freshCtx, pdeps, bobActor, policy.ActionRepoRead,

+		policy.NewRepoRefFromRepo(reposdbReload(t, pool, repo.ID))); got.Allow {

+		t.Fatalf("after revoke, private read should deny: %+v", got)

+	}

+}

+

+// TestTeamParent_Inheritance pins the one-level parent inheritance

+// rule: a child-team member inherits the parent team's repo grants.

+func TestTeamParent_Inheritance(t *testing.T) {

+	pool := dbtest.NewTestDB(t)

+	ctx := context.Background()

+	creator, _ := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "alice", DisplayName: "Alice", PasswordHash: fixtureHash,

+	})

+	deps := orgs.Deps{Pool: pool}

+	org, _ := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: creator.ID})

+	repo, _ := reposdb.New().CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerOrgID: pgtype.Int8{Int64: org.ID, Valid: true},

+		Name:       "demo", DefaultBranch: "trunk", Visibility: reposdb.RepoVisibilityPublic,

+	})

+	bob, _ := usersdb.New().CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "bob", DisplayName: "Bob", PasswordHash: fixtureHash,

+	})

+	_ = orgs.AddMember(ctx, deps, org.ID, bob.ID, creator.ID, "member")

+

+	parent, _ := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{

+		OrgID: org.ID, Slug: "engineering", CreatedByUserID: creator.ID,

+	})

+	child, _ := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{

+		OrgID: org.ID, Slug: "eng-mobile", ParentTeamID: parent.ID,

+		CreatedByUserID: creator.ID,

+	})

+	// Bob is in the CHILD team only. Grant write on the PARENT team.

+	_ = orgs.AddTeamMember(ctx, deps, child.ID, bob.ID, creator.ID, "member")

+	if err := orgs.GrantTeamRepoAccess(ctx, deps, parent.ID, repo.ID, creator.ID, "write"); err != nil {

+		t.Fatalf("parent grant: %v", err)

+	}

+

+	ref := policy.NewRepoRefFromRepo(repo)

+	bobActor := policy.UserActor(bob.ID, "bob", false, false)

+	pdeps := policy.Deps{Pool: pool}

+	if got := policy.Can(ctx, pdeps, bobActor, policy.ActionRepoWrite, ref); !got.Allow {

+		t.Fatalf("child team should inherit parent's write grant: %+v", got)

+	}

+}

+

+// reposdbReload re-fetches a repo row so a follow-up policy.Can sees

+// fresh visibility after a raw UPDATE.

+func reposdbReload(t *testing.T, pool *pgxpool.Pool, id int64) reposdb.Repo {

+	t.Helper()

+	row, err := reposdb.New().GetRepoByID(context.Background(), pool, id)

+	if err != nil {

+		t.Fatalf("reload repo: %v", err)

+	}

+	return row

+}

+

+	"github.com/jackc/pgx/v5/pgtype"

+	// Effective role = MAX(direct collab, team grants). Team path

+	// runs only for org-owned repos (user-owned repos have no

+	// teams). One hop on parent_team_id captures the inherited

+	// grants per S31's one-level-deep rule.

+	best := RoleNone

+	switch {

+	case err == nil:

+		best = roleFromDB(dbRole)

+	case errors.Is(err, pgx.ErrNoRows):

+		// no direct collab row — best stays RoleNone

+	default:

+		return RoleNone, err

+	}

+	if repo.OwnerOrgID != 0 {

+		teamRole, terr := teamGrantedRole(ctx, d, actor.UserID, repo.OwnerOrgID, repo.ID)

+		if terr != nil {

+			return RoleNone, terr

+		}

+		// roleStronger picks the higher-rank role. Don't use

+		// RoleAtLeast here — its `want > 0` guard treats RoleNone

+		// as un-comparable and blocks the legitimate "any role

+		// beats no role" branch.

+		if roleStronger(teamRole, best) {

+			best = teamRole

+		}

+	}

+	cachePut(cache, key, best)

+	return best, nil

+}

+

+// roleStronger reports whether `a` ranks strictly higher than `b`,

+// where RoleNone is the bottom (rank 0). Used to compose role

+// sources (direct collab, team grant, parent-team grant) into a

+// single max — the spec's "effective role = max of all sources"

+// rule.

+func roleStronger(a, b Role) bool {

+	return roleRank(a) > roleRank(b)

+}

+

+// teamGrantedRole computes the highest role the actor inherits from

+// any team in the org that has a grant on the repo. Walks parent

+// teams one hop (per the one-level-nesting cap from migration 0035).

+func teamGrantedRole(ctx context.Context, d Deps, userID, orgID, repoID int64) (Role, error) {

+	rows, err := d.Pool.Query(ctx,

+		`SELECT t.id, t.parent_team_id

+		   FROM team_members m

+		   JOIN teams t ON t.id = m.team_id

+		  WHERE t.org_id = $1 AND m.user_id = $2`,

+		orgID, userID)

+	if err != nil {

+		return RoleNone, err

+	}

+	defer rows.Close()

+	teamIDs := []int64{}

+	for rows.Next() {

+		var id int64

+		var parent pgtype.Int8

+		if err := rows.Scan(&id, &parent); err != nil {

+			return RoleNone, err

+		}

+		teamIDs = append(teamIDs, id)

+		if parent.Valid {

+			teamIDs = append(teamIDs, parent.Int64)

+		}

+	}

+	if err := rows.Err(); err != nil {

+		return RoleNone, err

+	}

+	if len(teamIDs) == 0 {

+	grantRows, err := d.Pool.Query(ctx,

+		`SELECT role::text FROM team_repo_access

+		  WHERE repo_id = $1 AND team_id = ANY($2::bigint[])`,

+		repoID, teamIDs)

+	defer grantRows.Close()

+	best := RoleNone

+	for grantRows.Next() {

+		var role string

+		if err := grantRows.Scan(&role); err != nil {

+			return RoleNone, err

+		}

+		if r := teamRepoRoleToPolicyRole(role); roleStronger(r, best) {

+			best = r

+		}

+	}

+	return best, grantRows.Err()

+// teamRepoRoleToPolicyRole maps the team_repo_role enum string to

+// the policy.Role string. Names align but the typed enums are in

+// different packages so the conversion is explicit.

+func teamRepoRoleToPolicyRole(s string) Role {

+	switch s {

+	case "read":

+		return RoleRead

+	case "triage":

+		return RoleTriage

+	case "write":

+		return RoleWrite

+	case "maintain":

+		return RoleMaintain

+	case "admin":

+		return RoleAdmin

+	}

+	return RoleNone

+}

+

+

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- S31 — Teams within organizations.

+--

+-- One level of nesting is intentional and structurally enforced via

+-- two CHECKs:

+--   - parent_team_id != id  (no self-parent)

+--   - if parent_team_id IS NOT NULL then the parent's parent_team_id

+--     is NULL (validated via a trigger; can't express in a row CHECK)

+--

+-- team_repo_access is the per-team repo grant; the per-user grant

+-- continues to live in `repo_collaborators` (S15). Both contribute to

+-- the policy aggregator's max-of-sources rule.

+

+-- +goose Up

+

+CREATE TYPE team_privacy   AS ENUM ('visible', 'secret');

+CREATE TYPE team_role      AS ENUM ('member', 'maintainer');

+CREATE TYPE team_repo_role AS ENUM ('read', 'triage', 'write', 'maintain', 'admin');

+

+CREATE TABLE teams (

+    id                 bigserial    PRIMARY KEY,

+    org_id             bigint       NOT NULL REFERENCES orgs(id) ON DELETE CASCADE,

+    slug               citext       NOT NULL,

+    display_name       text         NOT NULL DEFAULT '',

+    description        text         NOT NULL DEFAULT '',

+    parent_team_id     bigint       REFERENCES teams(id) ON DELETE SET NULL,

+    privacy            team_privacy NOT NULL DEFAULT 'visible',

+    created_by_user_id bigint       REFERENCES users(id) ON DELETE SET NULL,

+    created_at         timestamptz  NOT NULL DEFAULT now(),

+    updated_at         timestamptz  NOT NULL DEFAULT now(),

+

+    CONSTRAINT teams_slug_length CHECK (char_length(slug::text) BETWEEN 1 AND 50),

+    CONSTRAINT teams_no_self_parent CHECK (parent_team_id IS NULL OR parent_team_id <> id),

+    CONSTRAINT teams_org_slug_unique UNIQUE (org_id, slug)

+);

+

+CREATE INDEX teams_org_idx ON teams (org_id);

+CREATE INDEX teams_parent_idx ON teams (parent_team_id) WHERE parent_team_id IS NOT NULL;

+

+CREATE TRIGGER set_updated_at BEFORE UPDATE ON teams

+    FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at();

+

+-- One-level-deep nesting enforcement: a team's parent must itself

+-- have a NULL parent. Implemented as a trigger because the rule

+-- spans rows.

+-- +goose StatementBegin

+CREATE OR REPLACE FUNCTION tg_teams_one_level_nesting() RETURNS trigger AS $$

+DECLARE

+    grandparent_id bigint;

+BEGIN

+    IF NEW.parent_team_id IS NULL THEN

+        RETURN NEW;

+    END IF;

+    SELECT parent_team_id INTO grandparent_id FROM teams WHERE id = NEW.parent_team_id;

+    IF grandparent_id IS NOT NULL THEN

+        RAISE EXCEPTION 'teams: nesting limited to one level (parent already has a parent)'

+            USING ERRCODE = '23514';

+    END IF;

+    RETURN NEW;

+END;

+$$ LANGUAGE plpgsql;

+-- +goose StatementEnd

+

+CREATE TRIGGER tg_teams_one_level_nesting_iu

+    BEFORE INSERT OR UPDATE ON teams

+    FOR EACH ROW EXECUTE FUNCTION tg_teams_one_level_nesting();

+

+-- ─── team_members ─────────────────────────────────────────────────

+CREATE TABLE team_members (

+    team_id          bigint      NOT NULL REFERENCES teams(id) ON DELETE CASCADE,

+    user_id          bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    role             team_role   NOT NULL DEFAULT 'member',

+    added_by_user_id bigint      REFERENCES users(id) ON DELETE SET NULL,

+    added_at         timestamptz NOT NULL DEFAULT now(),

+

+    PRIMARY KEY (team_id, user_id)

+);

+

+CREATE INDEX team_members_user_idx ON team_members (user_id);

+

+-- ─── team_repo_access ─────────────────────────────────────────────

+CREATE TABLE team_repo_access (

+    team_id          bigint         NOT NULL REFERENCES teams(id) ON DELETE CASCADE,

+    repo_id          bigint         NOT NULL REFERENCES repos(id) ON DELETE CASCADE,

+    role             team_repo_role NOT NULL DEFAULT 'read',

+    added_by_user_id bigint         REFERENCES users(id) ON DELETE SET NULL,

+    added_at         timestamptz    NOT NULL DEFAULT now(),

+

+    PRIMARY KEY (team_id, repo_id)

+);

+

+CREATE INDEX team_repo_access_repo_idx ON team_repo_access (repo_id);

+

+-- +goose Down

+DROP TABLE IF EXISTS team_repo_access;

+DROP TABLE IF EXISTS team_members;

+DROP TRIGGER IF EXISTS tg_teams_one_level_nesting_iu ON teams;

+DROP FUNCTION IF EXISTS tg_teams_one_level_nesting();

+DROP TABLE IF EXISTS teams;

+DROP TYPE IF EXISTS team_repo_role;

+DROP TYPE IF EXISTS team_role;

+DROP TYPE IF EXISTS team_privacy;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+

+-- ─── teams ─────────────────────────────────────────────────────────

+

+-- name: CreateTeam :one

+INSERT INTO teams (org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id)

+VALUES ($1, $2, $3, $4, sqlc.narg(parent_team_id)::bigint, $5, sqlc.narg(created_by_user_id)::bigint)

+RETURNING *;

+

+-- name: GetTeamByID :one

+SELECT * FROM teams WHERE id = $1;

+

+-- name: GetTeamByOrgAndSlug :one

+SELECT * FROM teams WHERE org_id = $1 AND slug = $2;

+

+-- name: ListTeamsForOrg :many

+SELECT * FROM teams WHERE org_id = $1 ORDER BY slug ASC;

+

+-- name: ListChildTeams :many

+SELECT * FROM teams WHERE parent_team_id = $1 ORDER BY slug ASC;

+

+-- name: UpdateTeamProfile :exec

+UPDATE teams SET display_name = $2, description = $3, privacy = $4, updated_at = now()

+WHERE id = $1;

+

+-- name: SetTeamParent :exec

+-- The one-level-nesting BEFORE trigger blocks invalid moves; the

+-- caller surfaces the SQLSTATE 23514 as a friendly error.

+UPDATE teams SET parent_team_id = sqlc.narg(parent_team_id)::bigint, updated_at = now()

+WHERE id = $1;

+

+-- name: DeleteTeam :exec

+-- Children's parent_team_id flips to NULL via the FK ON DELETE SET NULL,

+-- promoting them to top-level — matches the "deleting parent doesn't

+-- delete children" intent in the spec's pitfalls.

+DELETE FROM teams WHERE id = $1;

+

+-- ─── team_members ─────────────────────────────────────────────────

+

+-- name: AddTeamMember :exec

+INSERT INTO team_members (team_id, user_id, role, added_by_user_id)

+VALUES ($1, $2, $3, sqlc.narg(added_by_user_id)::bigint)

+ON CONFLICT (team_id, user_id) DO NOTHING;

+

+-- name: SetTeamMemberRole :exec

+UPDATE team_members SET role = $3 WHERE team_id = $1 AND user_id = $2;

+

+-- name: RemoveTeamMember :exec

+DELETE FROM team_members WHERE team_id = $1 AND user_id = $2;

+

+-- name: ListTeamMembers :many

+SELECT m.team_id, m.user_id, m.role, m.added_by_user_id, m.added_at,

+       u.username, u.display_name

+FROM team_members m

+JOIN users u ON u.id = m.user_id

+WHERE m.team_id = $1 AND u.deleted_at IS NULL

+ORDER BY m.role ASC, u.username ASC;

+

+-- name: ListTeamsForUserInOrg :many

+-- Returns the teams a user directly belongs to within an org. The

+-- policy aggregator unions this with each row's parent_team_id to

+-- get the inherited set.

+SELECT t.id, t.org_id, t.slug, t.display_name, t.description,

+       t.parent_team_id, t.privacy, t.created_by_user_id,

+       t.created_at, t.updated_at,

+       m.role AS member_role

+FROM team_members m

+JOIN teams t ON t.id = m.team_id

+WHERE t.org_id = $1 AND m.user_id = $2;

+

+-- ─── team_repo_access ─────────────────────────────────────────────

+

+-- name: GrantTeamRepoAccess :exec

+INSERT INTO team_repo_access (team_id, repo_id, role, added_by_user_id)

+VALUES ($1, $2, $3, sqlc.narg(added_by_user_id)::bigint)

+ON CONFLICT (team_id, repo_id) DO UPDATE SET role = EXCLUDED.role;

+

+-- name: RevokeTeamRepoAccess :exec

+DELETE FROM team_repo_access WHERE team_id = $1 AND repo_id = $2;

+

+-- name: GetTeamRepoAccess :one

+SELECT * FROM team_repo_access WHERE team_id = $1 AND repo_id = $2;

+

+-- name: ListTeamRepoAccess :many

+-- All repos the team has any grant on; for the team-view page.

+SELECT a.team_id, a.repo_id, a.role, a.added_by_user_id, a.added_at,

+       r.name AS repo_name, r.visibility::text AS visibility

+FROM team_repo_access a

+JOIN repos r ON r.id = a.repo_id

+WHERE a.team_id = $1 AND r.deleted_at IS NULL

+ORDER BY r.name ASC;

+

+-- name: ListRepoTeamGrants :many

+-- All teams with grants on a single repo; for repo settings/access page.

+SELECT a.team_id, a.repo_id, a.role, a.added_by_user_id, a.added_at,

+       t.slug AS team_slug, t.display_name AS team_display_name,

+       t.privacy::text AS team_privacy

+FROM team_repo_access a

+JOIN teams t ON t.id = a.team_id

+WHERE a.repo_id = $1

+ORDER BY t.slug ASC;

+

+-- name: ListTeamAccessForRepoAndTeams :many

+-- Policy hot-path: given a repo and a set of team_ids the actor

+-- belongs to (incl. inherited), return the access rows. Caller picks

+-- the highest role.

+SELECT team_id, repo_id, role

+FROM team_repo_access

+WHERE repo_id = $1 AND team_id = ANY($2::bigint[]);

+type TeamPrivacy string

+

+const (

+	TeamPrivacyVisible TeamPrivacy = "visible"

+	TeamPrivacySecret  TeamPrivacy = "secret"

+)

+

+func (e *TeamPrivacy) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TeamPrivacy(s)

+	case string:

+		*e = TeamPrivacy(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TeamPrivacy: %T", src)

+	}

+	return nil

+}

+

+type NullTeamPrivacy struct {

+	TeamPrivacy TeamPrivacy

+	Valid       bool // Valid is true if TeamPrivacy is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTeamPrivacy) Scan(value interface{}) error {

+	if value == nil {

+		ns.TeamPrivacy, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TeamPrivacy.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTeamPrivacy) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TeamPrivacy), nil

+}

+

+type TeamRepoRole string

+

+const (

+	TeamRepoRoleRead     TeamRepoRole = "read"

+	TeamRepoRoleTriage   TeamRepoRole = "triage"

+	TeamRepoRoleWrite    TeamRepoRole = "write"

+	TeamRepoRoleMaintain TeamRepoRole = "maintain"

+	TeamRepoRoleAdmin    TeamRepoRole = "admin"

+)

+

+func (e *TeamRepoRole) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TeamRepoRole(s)

+	case string:

+		*e = TeamRepoRole(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TeamRepoRole: %T", src)

+	}

+	return nil

+}

+

+type NullTeamRepoRole struct {

+	TeamRepoRole TeamRepoRole

+	Valid        bool // Valid is true if TeamRepoRole is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTeamRepoRole) Scan(value interface{}) error {

+	if value == nil {

+		ns.TeamRepoRole, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TeamRepoRole.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTeamRepoRole) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TeamRepoRole), nil

+}

+

+type TeamRole string

+

+const (

+	TeamRoleMember     TeamRole = "member"

+	TeamRoleMaintainer TeamRole = "maintainer"

+)

+

+func (e *TeamRole) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TeamRole(s)

+	case string:

+		*e = TeamRole(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TeamRole: %T", src)

+	}

+	return nil

+}

+

+type NullTeamRole struct {

+	TeamRole TeamRole

+	Valid    bool // Valid is true if TeamRole is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTeamRole) Scan(value interface{}) error {

+	if value == nil {

+		ns.TeamRole, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TeamRole.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTeamRole) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TeamRole), nil

+}

+

+type Team struct {

+	ID              int64

+	OrgID           int64

+	Slug            string

+	DisplayName     string

+	Description     string

+	ParentTeamID    pgtype.Int8

+	Privacy         TeamPrivacy

+	CreatedByUserID pgtype.Int8

+	CreatedAt       pgtype.Timestamptz

+	UpdatedAt       pgtype.Timestamptz

+}

+

+type TeamMember struct {

+	TeamID        int64

+	UserID        int64

+	Role          TeamRole

+	AddedByUserID pgtype.Int8

+	AddedAt       pgtype.Timestamptz

+}

+

+type TeamRepoAccess struct {

+	TeamID        int64

+	RepoID        int64

+	Role          TeamRepoRole

+	AddedByUserID pgtype.Int8

+	AddedAt       pgtype.Timestamptz

+}

+

+	// ─── team_members ─────────────────────────────────────────────────

+	AddTeamMember(ctx context.Context, db DBTX, arg AddTeamMemberParams) error

+	// SPDX-License-Identifier: AGPL-3.0-or-later

+	// ─── teams ─────────────────────────────────────────────────────────

+	CreateTeam(ctx context.Context, db DBTX, arg CreateTeamParams) (Team, error)

+	// Children's parent_team_id flips to NULL via the FK ON DELETE SET NULL,

+	// promoting them to top-level — matches the "deleting parent doesn't

+	// delete children" intent in the spec's pitfalls.

+	DeleteTeam(ctx context.Context, db DBTX, id int64) error

+	GetTeamByID(ctx context.Context, db DBTX, id int64) (Team, error)

+	GetTeamByOrgAndSlug(ctx context.Context, db DBTX, arg GetTeamByOrgAndSlugParams) (Team, error)

+	GetTeamRepoAccess(ctx context.Context, db DBTX, arg GetTeamRepoAccessParams) (TeamRepoAccess, error)

+	// ─── team_repo_access ─────────────────────────────────────────────

+	GrantTeamRepoAccess(ctx context.Context, db DBTX, arg GrantTeamRepoAccessParams) error

+	ListChildTeams(ctx context.Context, db DBTX, parentTeamID pgtype.Int8) ([]Team, error)

+	// All teams with grants on a single repo; for repo settings/access page.

+	ListRepoTeamGrants(ctx context.Context, db DBTX, repoID int64) ([]ListRepoTeamGrantsRow, error)

+	// Policy hot-path: given a repo and a set of team_ids the actor

+	// belongs to (incl. inherited), return the access rows. Caller picks

+	// the highest role.

+	ListTeamAccessForRepoAndTeams(ctx context.Context, db DBTX, arg ListTeamAccessForRepoAndTeamsParams) ([]ListTeamAccessForRepoAndTeamsRow, error)

+	ListTeamMembers(ctx context.Context, db DBTX, teamID int64) ([]ListTeamMembersRow, error)

+	// All repos the team has any grant on; for the team-view page.

+	ListTeamRepoAccess(ctx context.Context, db DBTX, teamID int64) ([]ListTeamRepoAccessRow, error)

+	ListTeamsForOrg(ctx context.Context, db DBTX, orgID int64) ([]Team, error)

+	// Returns the teams a user directly belongs to within an org. The

+	// policy aggregator unions this with each row's parent_team_id to

+	// get the inherited set.

+	ListTeamsForUserInOrg(ctx context.Context, db DBTX, arg ListTeamsForUserInOrgParams) ([]ListTeamsForUserInOrgRow, error)

+	RemoveTeamMember(ctx context.Context, db DBTX, arg RemoveTeamMemberParams) error

+	RevokeTeamRepoAccess(ctx context.Context, db DBTX, arg RevokeTeamRepoAccessParams) error

+	SetTeamMemberRole(ctx context.Context, db DBTX, arg SetTeamMemberRoleParams) error

+	// The one-level-nesting BEFORE trigger blocks invalid moves; the

+	// caller surfaces the SQLSTATE 23514 as a friendly error.

+	SetTeamParent(ctx context.Context, db DBTX, arg SetTeamParentParams) error

+	UpdateTeamProfile(ctx context.Context, db DBTX, arg UpdateTeamProfileParams) error

+// Code generated by sqlc. DO NOT EDIT.

+// versions:

+//   sqlc v1.31.1

+// source: teams.sql

+

+package orgsdb

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5/pgtype"

+)

+

+const addTeamMember = `-- name: AddTeamMember :exec

+

+INSERT INTO team_members (team_id, user_id, role, added_by_user_id)

+VALUES ($1, $2, $3, $4::bigint)

+ON CONFLICT (team_id, user_id) DO NOTHING

+`

+

+type AddTeamMemberParams struct {

+	TeamID        int64

+	UserID        int64

+	Role          TeamRole

+	AddedByUserID pgtype.Int8

+}

+

+// ─── team_members ─────────────────────────────────────────────────

+func (q *Queries) AddTeamMember(ctx context.Context, db DBTX, arg AddTeamMemberParams) error {

+	_, err := db.Exec(ctx, addTeamMember,

+		arg.TeamID,

+		arg.UserID,

+		arg.Role,

+		arg.AddedByUserID,

+	)

+	return err

+}

+

+const createTeam = `-- name: CreateTeam :one

+

+

+INSERT INTO teams (org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id)

+VALUES ($1, $2, $3, $4, $6::bigint, $5, $7::bigint)

+RETURNING id, org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id, created_at, updated_at

+`

+

+type CreateTeamParams struct {

+	OrgID           int64

+	Slug            string

+	DisplayName     string

+	Description     string

+	Privacy         TeamPrivacy

+	ParentTeamID    pgtype.Int8

+	CreatedByUserID pgtype.Int8

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+// ─── teams ─────────────────────────────────────────────────────────

+func (q *Queries) CreateTeam(ctx context.Context, db DBTX, arg CreateTeamParams) (Team, error) {

+	row := db.QueryRow(ctx, createTeam,

+		arg.OrgID,

+		arg.Slug,

+		arg.DisplayName,

+		arg.Description,

+		arg.Privacy,

+		arg.ParentTeamID,

+		arg.CreatedByUserID,

+	)

+	var i Team

+	err := row.Scan(

+		&i.ID,

+		&i.OrgID,

+		&i.Slug,

+		&i.DisplayName,

+		&i.Description,

+		&i.ParentTeamID,

+		&i.Privacy,

+		&i.CreatedByUserID,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+	)

+	return i, err

+}

+

+const deleteTeam = `-- name: DeleteTeam :exec

+DELETE FROM teams WHERE id = $1

+`

+

+// Children's parent_team_id flips to NULL via the FK ON DELETE SET NULL,

+// promoting them to top-level — matches the "deleting parent doesn't

+// delete children" intent in the spec's pitfalls.

+func (q *Queries) DeleteTeam(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, deleteTeam, id)

+	return err

+}

+

+const getTeamByID = `-- name: GetTeamByID :one

+SELECT id, org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id, created_at, updated_at FROM teams WHERE id = $1

+`

+

+func (q *Queries) GetTeamByID(ctx context.Context, db DBTX, id int64) (Team, error) {

+	row := db.QueryRow(ctx, getTeamByID, id)

+	var i Team

+	err := row.Scan(

+		&i.ID,

+		&i.OrgID,

+		&i.Slug,

+		&i.DisplayName,

+		&i.Description,

+		&i.ParentTeamID,

+		&i.Privacy,

+		&i.CreatedByUserID,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+	)

+	return i, err

+}

+

+const getTeamByOrgAndSlug = `-- name: GetTeamByOrgAndSlug :one

+SELECT id, org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id, created_at, updated_at FROM teams WHERE org_id = $1 AND slug = $2

+`

+

+type GetTeamByOrgAndSlugParams struct {

+	OrgID int64

+	Slug  string

+}

+

+func (q *Queries) GetTeamByOrgAndSlug(ctx context.Context, db DBTX, arg GetTeamByOrgAndSlugParams) (Team, error) {

+	row := db.QueryRow(ctx, getTeamByOrgAndSlug, arg.OrgID, arg.Slug)

+	var i Team

+	err := row.Scan(

+		&i.ID,

+		&i.OrgID,

+		&i.Slug,

+		&i.DisplayName,

+		&i.Description,

+		&i.ParentTeamID,

+		&i.Privacy,

+		&i.CreatedByUserID,

+		&i.CreatedAt,

+		&i.UpdatedAt,

+	)

+	return i, err

+}

+

+const getTeamRepoAccess = `-- name: GetTeamRepoAccess :one

+SELECT team_id, repo_id, role, added_by_user_id, added_at FROM team_repo_access WHERE team_id = $1 AND repo_id = $2

+`

+

+type GetTeamRepoAccessParams struct {

+	TeamID int64

+	RepoID int64

+}

+

+func (q *Queries) GetTeamRepoAccess(ctx context.Context, db DBTX, arg GetTeamRepoAccessParams) (TeamRepoAccess, error) {

+	row := db.QueryRow(ctx, getTeamRepoAccess, arg.TeamID, arg.RepoID)

+	var i TeamRepoAccess

+	err := row.Scan(

+		&i.TeamID,

+		&i.RepoID,

+		&i.Role,

+		&i.AddedByUserID,

+		&i.AddedAt,

+	)

+	return i, err

+}

+

+const grantTeamRepoAccess = `-- name: GrantTeamRepoAccess :exec

+

+INSERT INTO team_repo_access (team_id, repo_id, role, added_by_user_id)

+VALUES ($1, $2, $3, $4::bigint)

+ON CONFLICT (team_id, repo_id) DO UPDATE SET role = EXCLUDED.role

+`

+

+type GrantTeamRepoAccessParams struct {

+	TeamID        int64

+	RepoID        int64

+	Role          TeamRepoRole

+	AddedByUserID pgtype.Int8

+}

+

+// ─── team_repo_access ─────────────────────────────────────────────

+func (q *Queries) GrantTeamRepoAccess(ctx context.Context, db DBTX, arg GrantTeamRepoAccessParams) error {

+	_, err := db.Exec(ctx, grantTeamRepoAccess,

+		arg.TeamID,

+		arg.RepoID,

+		arg.Role,

+		arg.AddedByUserID,

+	)

+	return err

+}

+

+const listChildTeams = `-- name: ListChildTeams :many

+SELECT id, org_id, slug, display_name, description, parent_team_id, privacy, created_by_user_id, created_at, updated_at FROM teams WHERE parent_team_id = $1 ORDER BY slug ASC

+`

+

+func (q *Queries) ListChildTeams(ctx context.Context, db DBTX, parentTeamID pgtype.Int8) ([]Team, error) {

+	rows, err := db.Query(ctx, listChildTeams, parentTeamID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []Team{}

+	for rows.Next() {

+		var i Team

+		if err := rows.Scan(

+			&i.ID,

+			&i.OrgID,

+			&i.Slug,

+			&i.DisplayName,

+			&i.Description,

+			&i.ParentTeamID,

+			&i.Privacy,

+			&i.CreatedByUserID,

+			&i.CreatedAt,

+			&i.UpdatedAt,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listRepoTeamGrants = `-- name: ListRepoTeamGrants :many

+SELECT a.team_id, a.repo_id, a.role, a.added_by_user_id, a.added_at,

+       t.slug AS team_slug, t.display_name AS team_display_name,

+       t.privacy::text AS team_privacy

+FROM team_repo_access a

+JOIN teams t ON t.id = a.team_id

+WHERE a.repo_id = $1

+ORDER BY t.slug ASC

+`

+

+type ListRepoTeamGrantsRow struct {

+	TeamID          int64

+	RepoID          int64

+	Role            TeamRepoRole

+	AddedByUserID   pgtype.Int8

+	AddedAt         pgtype.Timestamptz

+	TeamSlug        string

+	TeamDisplayName string

+	TeamPrivacy     string

+}

+

+// All teams with grants on a single repo; for repo settings/access page.

+func (q *Queries) ListRepoTeamGrants(ctx context.Context, db DBTX, repoID int64) ([]ListRepoTeamGrantsRow, error) {

+	rows, err := db.Query(ctx, listRepoTeamGrants, repoID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []ListRepoTeamGrantsRow{}

+	for rows.Next() {

+		var i ListRepoTeamGrantsRow

+		if err := rows.Scan(

+			&i.TeamID,

+			&i.RepoID,

+			&i.Role,

+			&i.AddedByUserID,

+			&i.AddedAt,

+			&i.TeamSlug,

+			&i.TeamDisplayName,

+			&i.TeamPrivacy,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listTeamAccessForRepoAndTeams = `-- name: ListTeamAccessForRepoAndTeams :many

+SELECT team_id, repo_id, role

+FROM team_repo_access

+WHERE repo_id = $1 AND team_id = ANY($2::bigint[])

+`

+

+type ListTeamAccessForRepoAndTeamsParams struct {

+	RepoID  int64

+	Column2 []int64

+}

+

+type ListTeamAccessForRepoAndTeamsRow struct {

+	TeamID int64

+	RepoID int64

+	Role   TeamRepoRole

+}

+

+// Policy hot-path: given a repo and a set of team_ids the actor

+// belongs to (incl. inherited), return the access rows. Caller picks

+// the highest role.

+func (q *Queries) ListTeamAccessForRepoAndTeams(ctx context.Context, db DBTX, arg ListTeamAccessForRepoAndTeamsParams) ([]ListTeamAccessForRepoAndTeamsRow, error) {

+	rows, err := db.Query(ctx, listTeamAccessForRepoAndTeams, arg.RepoID, arg.Column2)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []ListTeamAccessForRepoAndTeamsRow{}

+	for rows.Next() {

+		var i ListTeamAccessForRepoAndTeamsRow

+		if err := rows.Scan(&i.TeamID, &i.RepoID, &i.Role); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listTeamMembers = `-- name: ListTeamMembers :many

+SELECT m.team_id, m.user_id, m.role, m.added_by_user_id, m.added_at,

+       u.username, u.display_name

+FROM team_members m

+JOIN users u ON u.id = m.user_id

+WHERE m.team_id = $1 AND u.deleted_at IS NULL

+ORDER BY m.role ASC, u.username ASC

+`

+

+type ListTeamMembersRow struct {

+	TeamID        int64

+	UserID        int64

+	Role          TeamRole

+	AddedByUserID pgtype.Int8

+	AddedAt       pgtype.Timestamptz

+	Username      string

+	DisplayName   string

+}

+

+func (q *Queries) ListTeamMembers(ctx context.Context, db DBTX, teamID int64) ([]ListTeamMembersRow, error) {

+	rows, err := db.Query(ctx, listTeamMembers, teamID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []ListTeamMembersRow{}

+	for rows.Next() {

+		var i ListTeamMembersRow

+		if err := rows.Scan(

+			&i.TeamID,

+			&i.UserID,

+			&i.Role,

+			&i.AddedByUserID,

+			&i.AddedAt,

+			&i.Username,

+			&i.DisplayName,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listTeamRepoAccess = `-- name: ListTeamRepoAccess :many

+SELECT a.team_id, a.repo_id, a.role, a.added_by_user_id, a.added_at,

+       r.name AS repo_name, r.visibility::text AS visibility

+FROM team_repo_access a

+JOIN repos r ON r.id = a.repo_id

+WHERE a.team_id = $1 AND r.deleted_at IS NULL

+ORDER BY r.name ASC

+`

+

+type ListTeamRepoAccessRow struct {

+	TeamID        int64

+	RepoID        int64

+	Role          TeamRepoRole

+	AddedByUserID pgtype.Int8

+	AddedAt       pgtype.Timestamptz

+	RepoName      string

+	Visibility    string

+}

+

+// All repos the team has any grant on; for the team-view page.

+func (q *Queries) ListTeamRepoAccess(ctx context.Context, db DBTX, teamID int64) ([]ListTeamRepoAccessRow, error) {

+	rows, err := db.Query(ctx, listTeamRepoAccess, teamID)

+	if err != nil {

+		return nil, err