Package Exports
- @codragraph/org
- @codragraph/org/audit
- @codragraph/org/auth
- @codragraph/org/dist/audit/cas-log.d.ts
- @codragraph/org/dist/audit/cas-log.d.ts.map
- @codragraph/org/dist/audit/cas-log.js
- @codragraph/org/dist/audit/cas-log.js.map
- @codragraph/org/dist/audit/event.d.ts
- @codragraph/org/dist/audit/event.d.ts.map
- @codragraph/org/dist/audit/event.js
- @codragraph/org/dist/audit/event.js.map
- @codragraph/org/dist/audit/interface.d.ts
- @codragraph/org/dist/audit/interface.d.ts.map
- @codragraph/org/dist/audit/interface.js
- @codragraph/org/dist/audit/interface.js.map
- @codragraph/org/dist/auth/in-memory.d.ts
- @codragraph/org/dist/auth/in-memory.d.ts.map
- @codragraph/org/dist/auth/in-memory.js
- @codragraph/org/dist/auth/in-memory.js.map
- @codragraph/org/dist/auth/interface.d.ts
- @codragraph/org/dist/auth/interface.d.ts.map
- @codragraph/org/dist/auth/interface.js
- @codragraph/org/dist/auth/interface.js.map
- @codragraph/org/dist/index.d.ts
- @codragraph/org/dist/index.d.ts.map
- @codragraph/org/dist/index.js
- @codragraph/org/dist/index.js.map
- @codragraph/org/dist/rbac/check.d.ts
- @codragraph/org/dist/rbac/check.d.ts.map
- @codragraph/org/dist/rbac/check.js
- @codragraph/org/dist/rbac/check.js.map
- @codragraph/org/dist/rbac/roles.d.ts
- @codragraph/org/dist/rbac/roles.d.ts.map
- @codragraph/org/dist/rbac/roles.js
- @codragraph/org/dist/rbac/roles.js.map
- @codragraph/org/dist/tenancy/context.d.ts
- @codragraph/org/dist/tenancy/context.d.ts.map
- @codragraph/org/dist/tenancy/context.js
- @codragraph/org/dist/tenancy/context.js.map
- @codragraph/org/dist/tenancy/path.d.ts
- @codragraph/org/dist/tenancy/path.d.ts.map
- @codragraph/org/dist/tenancy/path.js
- @codragraph/org/dist/tenancy/path.js.map
- @codragraph/org/dist/types.d.ts
- @codragraph/org/dist/types.d.ts.map
- @codragraph/org/dist/types.js
- @codragraph/org/dist/types.js.map
- @codragraph/org/rbac
- @codragraph/org/tenancy
- @codragraph/org/types
Readme
@codragraph/org
Multi-tenant orgs, SSO, RBAC, and tamper-evident audit logging for the CodraGraph platform.
This is Phase 5 of the CodraGraph roadmap — the org-features layer that turns the local-first OSS into something that can be operated for multiple teams or customers under one server. It is unblocked by the 2026-04-29 relicense to Apache-2.0.
What's in here
| Module | What it does |
|---|---|
tenancy |
withTenant / requireTenant AsyncLocalStorage scoping. Path helpers that refuse to escape the org root. |
rbac |
viewer < member < admin < owner. Default policy covers the core CodraGraph resources; integrators extend by composing additional entries. |
audit |
Append-only, tamper-evident log. Each event is a content-addressed object (sha256 of canonical JSON = the id). Re-hashing verifies. Re-uses @codragraph/graphstore's CAS for storage. |
auth |
Provider-agnostic SsoProvider interface. Includes InMemorySsoProvider for tests. OIDC and SAML reference impls land in follow-ups. |
Install
npm install @codragraph/orgQuick start
import {
CasAuditLogger,
DEFAULT_POLICY,
checkPermission,
makeOrgId,
makeUserId,
withTenant,
} from "@codragraph/org";
import { FsCAS } from "@codragraph/graphstore/dist/cas/fs-cas.js";
const cas = new FsCAS({ root: "/var/codragraph/cas" });
const audit = new CasAuditLogger(cas, "/var/codragraph/audit");
await withTenant({ orgId: makeOrgId("org_acme") }, async () => {
if (!checkPermission(DEFAULT_POLICY, "member", "repo.analyze")) return;
// ... do work ...
await audit.record({
ts: new Date().toISOString(),
orgId: makeOrgId("org_acme"),
actor: { kind: "user", userId: makeUserId("user_alice") },
action: "repo.analyze",
resource: { type: "repo", id: "demo" },
result: "success",
});
});License
Apache-2.0