feat: per-vault permissions (v2.20.0)

- Add vault_id column to team_permissions and user_permissions tables
- Teams and users can have different permission levels per vault
- Update get_user_permissions and user_has_permission functions for vault scoping
- Add vault selector UI to PermissionsEditor and UserPermissionsDialog
- Schema version bumped to v20

Author: eldinmiller

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to BluePLM will be documented in this file.
 
+## [2.20.0] - 2025-12-31
+
+### Added
+- **Per-vault permissions**: Teams and individual users can now have different permission levels per vault. Set "All Vaults (Global)" for org-wide permissions, or select a specific vault for vault-scoped permissions. Example: Engineering team can have admin on Production vault but view-only on Archive vault
+
+### Changed
+- **Schema version**: Bumped to v20
+- **Permission functions**: `get_user_permissions` and `user_has_permission` now accept optional `vault_id` parameter for vault-scoped checks
+
+---
+
 ## [2.19.3] - 2025-12-31
 
 ### Fixed

bluePLM.code-workspace

@@ -2,6 +2,9 @@
 	"folders": [
 		{
 			"path": "."
+		},
+		{
+			"path": "../blueplm-site"
 		}
 	],
 	"settings": {}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "blue-plm",
-  "version": "2.19.3",
+  "version": "2.20.0",
   "description": "Product Lifecycle Management for everyone who builds",
   "main": "dist-electron/main.js",
   "scripts": {

src/components/settings/PermissionsEditor.tsx

@@ -41,6 +41,12 @@ import {
   hasPermission
 } from '../../types/permissions'
 
+interface Vault {
+  id: string
+  name: string
+  slug: string
+}
+
 interface PermissionsEditorProps {
   team: Team
   onClose: () => void
@@ -122,11 +128,45 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
   const [showPresets, setShowPresets] = useState(false)
   const [presets, setPresets] = useState<PermissionPreset[]>([])
 
-  // Load permissions
+  // Vault scope state
+  const [vaults, setVaults] = useState<Vault[]>([])
+  const [selectedVaultId, setSelectedVaultId] = useState<string | null>(null) // null = "All Vaults"
+  const [vaultsLoading, setVaultsLoading] = useState(true)
+  
+  // Load vaults for this org
+  useEffect(() => {
+    const loadVaults = async () => {
+      try {
+        const { data: orgData } = await supabase
+          .from('teams')
+          .select('org_id')
+          .eq('id', team.id)
+          .single()
+        
+        if (!orgData) return
+        
+        const { data, error } = await supabase
+          .from('vaults')
+          .select('id, name, slug')
+          .eq('org_id', orgData.org_id)
+          .order('name')
+        
+        if (error) throw error
+        setVaults(data || [])
+      } catch (err) {
+        console.error('Failed to load vaults:', err)
+      } finally {
+        setVaultsLoading(false)
+      }
+    }
+    loadVaults()
+  }, [team.id])
+  
+  // Load permissions when team or vault selection changes
   useEffect(() => {
     loadPermissions()
     loadPresets()
-  }, [team.id])
+  }, [team.id, selectedVaultId])
 
   // Track changes
   useEffect(() => {
@@ -137,11 +177,22 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
   const loadPermissions = async () => {
     setIsLoading(true)
     try {
-      const { data, error } = await supabase
+      // Build query - filter by vault_id (null for "All Vaults", specific ID for vault-specific)
+      let query = supabase
         .from('team_permissions')
         .select('*')
         .eq('team_id', team.id)
 
+      if (selectedVaultId === null) {
+        // "All Vaults" - only load global permissions (vault_id IS NULL)
+        query = query.is('vault_id', null)
+      } else {
+        // Specific vault - load vault-specific permissions
+        query = query.eq('vault_id', selectedVaultId)
+      }
+      
+      const { data, error } = await query
+      
       if (error) throw error
 
       const permsMap: Record<string, PermissionAction[]> = {}
@@ -187,18 +238,29 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
 
     setIsSaving(true)
     try {
-      // Delete existing permissions
-      await supabase
+      // Delete existing permissions for this vault scope only
+      let deleteQuery = supabase
         .from('team_permissions')
         .delete()
         .eq('team_id', team.id)
 
+      if (selectedVaultId === null) {
+        // Delete only global permissions (vault_id IS NULL)
+        deleteQuery = deleteQuery.is('vault_id', null)
+      } else {
+        // Delete only vault-specific permissions
+        deleteQuery = deleteQuery.eq('vault_id', selectedVaultId)
+      }
+      
+      await deleteQuery
+      
       // Insert new permissions (only those with at least one action)
       const newPerms = Object.entries(permissions)
         .filter(([_, actions]) => actions.length > 0)
         .map(([resource, actions]) => ({
           team_id: team.id,
           resource,
+          vault_id: selectedVaultId, // null for "All Vaults", UUID for specific vault
           actions,
           granted_by: userId
         }))
@@ -213,7 +275,10 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
 
       setOriginalPermissions({ ...permissions })
       setHasChanges(false)
-      addToast('success', 'Permissions saved successfully')
+      const vaultName = selectedVaultId 
+        ? vaults.find(v => v.id === selectedVaultId)?.name || 'selected vault'
+        : 'all vaults'
+      addToast('success', `Permissions saved for ${vaultName}`)
     } catch (err) {
       console.error('Failed to save permissions:', err)
       addToast('error', 'Failed to save permissions')
@@ -396,6 +461,27 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
             </p>
           </div>
 
+          {/* Vault scope selector */}
+          <div className="flex items-center gap-2">
+            <Database size={16} className="text-plm-fg-muted" />
+            <select
+              value={selectedVaultId || 'all'}
+              onChange={(e) => {
+                const value = e.target.value
+                setSelectedVaultId(value === 'all' ? null : value)
+              }}
+              disabled={vaultsLoading}
+              className="px-3 py-1.5 text-sm bg-plm-bg border border-plm-border rounded-lg text-plm-fg focus:outline-none focus:border-plm-accent min-w-[160px]"
+            >
+              <option value="all">All Vaults (Global)</option>
+              {vaults.map(vault => (
+                <option key={vault.id} value={vault.id}>
+                  {vault.name}
+                </option>
+              ))}
+            </select>
+          </div>
+          
           {/* Action buttons */}
           <div className="flex items-center gap-2">
             {hasChanges && (
@@ -810,6 +896,12 @@ export function PermissionsEditor({ team, onClose, userId, isAdmin }: Permission
                 {Object.entries(permissions).filter(([_, a]) => a.length > 0).length} resources with permissions
               </span>
             </div>
+            <div className="flex items-center gap-1.5">
+              <Database size={14} />
+              <span>
+                Editing: {selectedVaultId ? vaults.find(v => v.id === selectedVaultId)?.name || 'Vault' : 'All Vaults (Global)'}
+              </span>
+            </div>
             {hasChanges && (
               <div className="flex items-center gap-1.5 text-plm-warning">
                 <AlertTriangle size={14} />

src/components/settings/TeamMembersSettings.tsx

@@ -4672,25 +4672,66 @@ function UserPermissionsDialog({
   onClose: () => void
   currentUserId?: string
 }) {
-  const { addToast } = usePDMStore()
+  const { addToast, organization } = usePDMStore()
   const [permissions, setPermissions] = useState<Record<string, PermissionAction[]>>({})
   const [originalPermissions, setOriginalPermissions] = useState<Record<string, PermissionAction[]>>({})
   const [isLoading, setIsLoading] = useState(true)
   const [isSaving, setIsSaving] = useState(false)
   const [searchQuery, setSearchQuery] = useState('')
 
+  // Vault scope state
+  const [vaults, setVaults] = useState<Vault[]>([])
+  const [selectedVaultId, setSelectedVaultId] = useState<string | null>(null) // null = "All Vaults"
+  const [vaultsLoading, setVaultsLoading] = useState(true)
+  
+  // Load vaults for this org
+  useEffect(() => {
+    const loadVaults = async () => {
+      if (!organization?.id) {
+        setVaultsLoading(false)
+        return
+      }
+      try {
+        const { data, error } = await supabase
+          .from('vaults')
+          .select('id, name, slug')
+          .eq('org_id', organization.id)
+          .order('name')
+        
+        if (error) throw error
+        setVaults(data || [])
+      } catch (err) {
+        console.error('Failed to load vaults:', err)
+      } finally {
+        setVaultsLoading(false)
+      }
+    }
+    loadVaults()
+  }, [organization?.id])
+  
   useEffect(() => {
     loadPermissions()
-  }, [user.id])
+  }, [user.id, selectedVaultId])
 
   const loadPermissions = async () => {
     setIsLoading(true)
     try {
-      const { data, error } = await supabase
+      // Build query - filter by vault_id
+      let query = supabase
         .from('user_permissions')
         .select('*')
         .eq('user_id', user.id)
 
+      if (selectedVaultId === null) {
+        // "All Vaults" - only load global permissions
+        query = query.is('vault_id', null)
+      } else {
+        // Specific vault
+        query = query.eq('vault_id', selectedVaultId)
+      }
+      
+      const { data, error } = await query
+      
       if (error) throw error
 
       const permsMap: Record<string, PermissionAction[]> = {}
@@ -4712,15 +4753,27 @@ function UserPermissionsDialog({
 
     setIsSaving(true)
     try {
-      // Delete existing permissions
-      await supabase.from('user_permissions').delete().eq('user_id', user.id)
+      // Delete existing permissions for this vault scope
+      let deleteQuery = supabase
+        .from('user_permissions')
+        .delete()
+        .eq('user_id', user.id)
+      
+      if (selectedVaultId === null) {
+        deleteQuery = deleteQuery.is('vault_id', null)
+      } else {
+        deleteQuery = deleteQuery.eq('vault_id', selectedVaultId)
+      }
+      
+      await deleteQuery
 
       // Insert new permissions
       const newPerms = Object.entries(permissions)
         .filter(([_, actions]) => actions.length > 0)
         .map(([resource, actions]) => ({
           user_id: user.id,
           resource,
+          vault_id: selectedVaultId,
           actions,
           granted_by: currentUserId
         }))
@@ -4730,7 +4783,10 @@ function UserPermissionsDialog({
         if (error) throw error
       }
 
-      addToast('success', `Permissions saved for ${user.full_name || user.email}`)
+      const vaultName = selectedVaultId 
+        ? vaults.find(v => v.id === selectedVaultId)?.name || 'selected vault'
+        : 'all vaults'
+      addToast('success', `Permissions saved for ${user.full_name || user.email} on ${vaultName}`)
       onClose()
     } catch (err) {
       console.error('Failed to save permissions:', err)
@@ -4779,6 +4835,28 @@ function UserPermissionsDialog({
               These permissions are added to any team permissions (union of all)
             </p>
           </div>
+          
+          {/* Vault scope selector */}
+          <div className="flex items-center gap-2">
+            <Database size={16} className="text-plm-fg-muted" />
+            <select
+              value={selectedVaultId || 'all'}
+              onChange={(e) => {
+                const value = e.target.value
+                setSelectedVaultId(value === 'all' ? null : value)
+              }}
+              disabled={vaultsLoading}
+              className="px-3 py-1.5 text-sm bg-plm-bg border border-plm-border rounded-lg text-plm-fg focus:outline-none focus:border-plm-accent min-w-[160px]"
+            >
+              <option value="all">All Vaults (Global)</option>
+              {vaults.map(vault => (
+                <option key={vault.id} value={vault.id}>
+                  {vault.name}
+                </option>
+              ))}
+            </select>
+          </div>
+          
           <button onClick={onClose} className="p-2 text-plm-fg-muted hover:text-plm-fg hover:bg-plm-highlight rounded-lg">
             <X size={18} />
           </button>

src/lib/schemaVersion.ts

@@ -21,7 +21,7 @@ import { supabase } from './supabase'
 
 // The schema version this app version expects
 // Increment this when releasing app updates that require schema changes
-export const EXPECTED_SCHEMA_VERSION = 19
+export const EXPECTED_SCHEMA_VERSION = 20
 
 // Minimum schema version that will still work (for soft warnings vs hard errors)
 // Set this to allow some backwards compatibility
@@ -48,6 +48,7 @@ export const VERSION_DESCRIPTIONS: Record<number, string> = {
   17: 'admin_remove_user RPC fully removes user from org and auth.users',
   18: 'Fix invited users being added to New Users team when they have specific teams',
   19: 'ensure_user_org_id creates user record if trigger failed (fixes invite after account deletion)',
+  20: 'Per-vault permissions: vault_id column on team_permissions and user_permissions',
 }
 
 export interface SchemaVersionInfo {

src/types/permissions.ts

@@ -222,6 +222,19 @@ export interface TeamPermission {
   id: string
   team_id: string
   resource: string
+  vault_id: string | null  // NULL = all vaults, UUID = specific vault only
+  actions: PermissionAction[]
+  granted_at: string
+  granted_by: string | null
+  updated_at: string
+  updated_by: string | null
+}
+
+export interface UserPermission {
+  id: string
+  user_id: string
+  resource: string
+  vault_id: string | null  // NULL = all vaults, UUID = specific vault only
   actions: PermissionAction[]
   granted_at: string
   granted_by: string | null