mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-06 21:46:40 +02:00
Garry Tan
46c82ce8ec
New `gstack team` CLI with create, members, set subcommands. Migration adds team_settings (admin-only), alert_cooldowns (edge-fn dedup), and create_team() SECURITY DEFINER RPC for atomic team + first member creation. 9 tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
95 lines
3.1 KiB
PL/PgSQL
95 lines
3.1 KiB
PL/PgSQL
-- 007_team_settings_and_functions.sql — Team settings, alert cooldowns, and RPC functions.
|
|
--
|
|
-- Adds:
|
|
-- 1. team_settings (key-value per team, admin-only)
|
|
-- 2. alert_cooldowns (dedup for regression alerts, edge-fn only)
|
|
-- 3. create_team() RPC (SECURITY DEFINER — atomic team + first member creation)
|
|
|
|
-- ─── team_settings ──────────────────────────────────────────
|
|
|
|
create table if not exists team_settings (
|
|
team_id uuid references teams(id) on delete cascade,
|
|
key text not null,
|
|
value text not null,
|
|
updated_at timestamptz default now(),
|
|
primary key (team_id, key)
|
|
);
|
|
|
|
alter table team_settings enable row level security;
|
|
|
|
-- Admins can read settings
|
|
create policy "admin_read_settings" on team_settings
|
|
for select using (
|
|
team_id in (
|
|
select team_id from team_members
|
|
where user_id = auth.uid() and role in ('owner', 'admin')
|
|
)
|
|
);
|
|
|
|
-- Admins can write settings
|
|
create policy "admin_write_settings" on team_settings
|
|
for all using (
|
|
team_id in (
|
|
select team_id from team_members
|
|
where user_id = auth.uid() and role in ('owner', 'admin')
|
|
)
|
|
);
|
|
|
|
-- ─── alert_cooldowns ────────────────────────────────────────
|
|
|
|
create table if not exists alert_cooldowns (
|
|
team_id uuid references teams(id) on delete cascade,
|
|
repo_slug text not null,
|
|
alert_type text not null,
|
|
last_sent_at timestamptz not null default now(),
|
|
primary key (team_id, repo_slug, alert_type)
|
|
);
|
|
|
|
-- No RLS — only accessed by edge functions via service_role key.
|
|
-- Edge functions bypass RLS anyway, but we explicitly leave it disabled
|
|
-- since no user should query this table directly.
|
|
|
|
-- ─── create_team() RPC ──────────────────────────────────────
|
|
|
|
-- SECURITY DEFINER: runs as the table owner, bypassing RLS.
|
|
-- This solves the chicken-and-egg problem: to INSERT the first
|
|
-- team_member, you'd need to already be a member (which the
|
|
-- admins_manage_members policy requires). This function does
|
|
-- both atomically.
|
|
--
|
|
-- Called via: POST /rest/v1/rpc/create_team
|
|
-- Body: { "team_slug": "my-team", "team_name": "My Team" }
|
|
|
|
create or replace function create_team(team_slug text, team_name text)
|
|
returns uuid
|
|
language plpgsql
|
|
security definer
|
|
set search_path = public
|
|
as $$
|
|
declare
|
|
new_team_id uuid;
|
|
begin
|
|
-- Validate inputs
|
|
if team_slug is null or length(trim(team_slug)) = 0 then
|
|
raise exception 'team_slug cannot be empty';
|
|
end if;
|
|
if team_name is null or length(trim(team_name)) = 0 then
|
|
raise exception 'team_name cannot be empty';
|
|
end if;
|
|
if auth.uid() is null then
|
|
raise exception 'must be authenticated';
|
|
end if;
|
|
|
|
-- Create team
|
|
insert into teams (slug, name)
|
|
values (trim(team_slug), trim(team_name))
|
|
returning id into new_team_id;
|
|
|
|
-- Add caller as owner
|
|
insert into team_members (team_id, user_id, role)
|
|
values (new_team_id, auth.uid(), 'owner');
|
|
|
|
return new_team_id;
|
|
end;
|
|
$$;
|