deploystackio
diff --git a/‎services/backend/api-spec.json‎
Lines changed: 6803 additions & 6805 deletions b/‎services/backend/api-spec.json‎
Lines changed: 6803 additions & 6805 deletions
diff --git a/‎services/backend/api-spec.yaml‎
Lines changed: 2054 additions & 2056 deletions b/‎services/backend/api-spec.yaml‎
Lines changed: 2054 additions & 2056 deletions
diff --git a/‎services/backend/src/permissions/index.ts‎
Lines changed: 0 additions & 3 deletions b/‎services/backend/src/permissions/index.ts‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎services/backend/src/routes/admin/index.ts‎
Lines changed: 2 additions & 0 deletions b/‎services/backend/src/routes/admin/index.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎…s/backend/src/routes/users/assignRole.ts‎ ‎…nd/src/routes/admin/users/assign-role.ts‎services/backend/src/routes/users/assignRole.ts renamed to services/backend/src/routes/admin/users/assign-role.ts
Lines changed: 22 additions & 23 deletions b/‎…s/backend/src/routes/users/assignRole.ts‎ ‎…nd/src/routes/admin/users/assign-role.ts‎services/backend/src/routes/users/assignRole.ts renamed to services/backend/src/routes/admin/users/assign-role.ts
Lines changed: 22 additions & 23 deletions
diff --git a/‎…s/backend/src/routes/users/deleteUser.ts‎ ‎…backend/src/routes/admin/users/delete.ts‎services/backend/src/routes/users/deleteUser.ts renamed to services/backend/src/routes/admin/users/delete.ts
Lines changed: 22 additions & 43 deletions b/‎…s/backend/src/routes/users/deleteUser.ts‎ ‎…backend/src/routes/admin/users/delete.ts‎services/backend/src/routes/users/deleteUser.ts renamed to services/backend/src/routes/admin/users/delete.ts
Lines changed: 22 additions & 43 deletions
diff --git a/‎services/backend/src/routes/admin/users/index.ts‎
Lines changed: 14 additions & 0 deletions b/‎services/backend/src/routes/admin/users/index.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎…es/backend/src/routes/users/listUsers.ts‎ ‎…s/backend/src/routes/admin/users/list.ts‎services/backend/src/routes/users/listUsers.ts renamed to services/backend/src/routes/admin/users/list.ts
Lines changed: 12 additions & 12 deletions b/‎…es/backend/src/routes/users/listUsers.ts‎ ‎…s/backend/src/routes/admin/users/list.ts‎services/backend/src/routes/users/listUsers.ts renamed to services/backend/src/routes/admin/users/list.ts
Lines changed: 12 additions & 12 deletions
@@ -8,10 +8,7 @@
 // Define all role permissions in one place
 export const ROLE_DEFINITIONS = {
   global_admin: [
-    'users.list',
     'users.view',
-    'users.edit',
-    'users.delete',
     'users.create',
     'roles.manage',
     'system.admin',
 
@@ -3,12 +3,14 @@ import emailRoutes from './email';
 import jobsRoutes from './jobs';
 import mcpRegistryRoutes from './mcp-registry';
 import teamsRoutes from './teams';
+import usersRoutes from './users';
 import oauthProvidersRoutes from './oauth-providers';
 
 export default async function adminRoutes(fastify: FastifyInstance) {
   await fastify.register(emailRoutes, { prefix: '/admin/email' });
   await fastify.register(jobsRoutes);
   await fastify.register(mcpRegistryRoutes);
   await fastify.register(teamsRoutes, { prefix: '/admin' });
+  await fastify.register(usersRoutes, { prefix: '/admin' });
   await fastify.register(oauthProvidersRoutes, { prefix: '/admin' });
 }
@@ -1,29 +1,28 @@
 import type { FastifyInstance } from 'fastify';
-import { UserService } from '../../services/userService';
-import { requirePermission } from '../../middleware/roleMiddleware';
-import { 
-  ERROR_RESPONSE_SCHEMA, 
-  PARAMS_WITH_ID_SCHEMA, 
+import { UserService } from '../../../services/userService';
+import { requireGlobalAdmin } from '../../../middleware/roleMiddleware';
+import {
+  ERROR_RESPONSE_SCHEMA,
+  PARAMS_WITH_ID_SCHEMA,
   ASSIGN_ROLE_REQUEST_SCHEMA,
   type ErrorResponse,
   type ParamsWithId,
   type AssignRoleRequest
 } from './schemas';
 
 // Route-specific Schema Constants
-
 const ASSIGN_ROLE_SUCCESS_RESPONSE_SCHEMA = {
   type: 'object',
   properties: {
-    success: { 
+    success: {
       type: 'boolean',
       description: 'Indicates if the role assignment was successful'
     },
-    data: { 
+    data: {
       type: 'object',
       description: 'Updated user data with new role'
     },
-    message: { 
+    message: {
       type: 'string',
       description: 'Success message'
     }
@@ -38,22 +37,22 @@ interface AssignRoleSuccessResponse {
   message: string;
 }
 
-export default async function assignRoleRoute(server: FastifyInstance) {
+export default async function assignRoleAdminRoute(server: FastifyInstance) {
   const userService = new UserService();
 
-  // PUT /users/:id/role - Assign role to user (admin only)
+  // PUT /admin/users/:id/role - Assign role to user (Global Admin only)
   server.put('/users/:id/role', {
-    preValidation: requirePermission('users.edit'), // ✅ Authorization BEFORE validation
+    preValidation: requireGlobalAdmin(),
     schema: {
-      tags: ['Users'],
-      summary: 'Assign role to user',
-      description: 'Assigns a role to a specific user. Requires admin permissions. Users cannot change their own role. Requires Content-Type: application/json header when sending request body.',
+      tags: ['Admin - Users'],
+      summary: 'Assign role to user (Global Admin)',
+      description: 'Allows global administrators to assign a role to a specific user. Users cannot change their own role. Requires Content-Type: application/json header when sending request body.',
       security: [{ cookieAuth: [] }],
-      
+
       // Fastify validation schemas
       params: PARAMS_WITH_ID_SCHEMA,
       body: ASSIGN_ROLE_REQUEST_SCHEMA,
-      
+
       // OpenAPI documentation (same schemas, reused)
       requestBody: {
         required: true,
@@ -63,7 +62,7 @@ export default async function assignRoleRoute(server: FastifyInstance) {
           }
         }
       },
-      
+
       response: {
         200: {
           ...ASSIGN_ROLE_SUCCESS_RESPONSE_SCHEMA,
@@ -79,7 +78,7 @@ export default async function assignRoleRoute(server: FastifyInstance) {
         },
         403: {
           ...ERROR_RESPONSE_SCHEMA,
-          description: 'Forbidden - Insufficient permissions or cannot change own role'
+          description: 'Forbidden - Cannot change own role'
         },
         404: {
           ...ERROR_RESPONSE_SCHEMA,
@@ -96,7 +95,7 @@ export default async function assignRoleRoute(server: FastifyInstance) {
       // TypeScript type assertions (Fastify has already validated)
       const { id } = request.params as ParamsWithId;
       const { role_id } = request.body as AssignRoleRequest;
-      
+
       // Prevent users from changing their own role
       if (request.user?.id === id) {
         const errorResponse: ErrorResponse = {
@@ -106,9 +105,9 @@ export default async function assignRoleRoute(server: FastifyInstance) {
         const jsonString = JSON.stringify(errorResponse);
         return reply.status(403).type('application/json').send(jsonString);
       }
-      
+
       const success = await userService.assignRole(id, role_id);
-      
+
       if (!success) {
         const errorResponse: ErrorResponse = {
           success: false,
@@ -129,7 +128,7 @@ export default async function assignRoleRoute(server: FastifyInstance) {
       const jsonString = JSON.stringify(successResponse);
       return reply.status(200).type('application/json').send(jsonString);
     } catch (error) {
-      server.log.error(error, 'Error assigning role');
+      server.log.error(error, 'Error assigning role in admin route');
       const errorResponse: ErrorResponse = {
         success: false,
         error: 'Failed to assign role'
 
@@ -1,54 +1,33 @@
 import type { FastifyInstance } from 'fastify';
-import { UserService } from '../../services/userService';
-import { requirePermission } from '../../middleware/roleMiddleware';
-import { 
-  ERROR_RESPONSE_SCHEMA, 
+import { UserService } from '../../../services/userService';
+import { requireGlobalAdmin } from '../../../middleware/roleMiddleware';
+import {
+  ERROR_RESPONSE_SCHEMA,
+  SUCCESS_MESSAGE_RESPONSE_SCHEMA,
   PARAMS_WITH_ID_SCHEMA,
   type ErrorResponse,
+  type SuccessMessageResponse,
   type ParamsWithId
 } from './schemas';
 
-// Route-specific Schema Constants
-
-const DELETE_USER_SUCCESS_RESPONSE_SCHEMA = {
-  type: 'object',
-  properties: {
-    success: { 
-      type: 'boolean',
-      description: 'Indicates if the user deletion was successful'
-    },
-    message: { 
-      type: 'string',
-      description: 'Success message'
-    }
-  },
-  required: ['success', 'message']
-} as const;
-
-// TypeScript interfaces for route-specific types
-interface DeleteUserSuccessResponse {
-  success: boolean;
-  message: string;
-}
-
-export default async function deleteUserRoute(server: FastifyInstance) {
+export default async function deleteUserAdminRoute(server: FastifyInstance) {
   const userService = new UserService();
 
-  // DELETE /users/:id - Delete user (admin only)
+  // DELETE /admin/users/:id - Delete user (Global Admin only)
   server.delete('/users/:id', {
-    preValidation: requirePermission('users.delete'), // ✅ Authorization BEFORE validation
+    preValidation: requireGlobalAdmin(),
     schema: {
-      tags: ['Users'],
-      summary: 'Delete user',
-      description: 'Deletes a user from the system. Requires admin permissions. Users cannot delete themselves.',
+      tags: ['Admin - Users'],
+      summary: 'Delete user (Global Admin)',
+      description: 'Allows global administrators to delete a user from the system. Users cannot delete themselves. Cannot delete the last global administrator.',
       security: [{ cookieAuth: [] }],
-      
+
       // Fastify validation schema
       params: PARAMS_WITH_ID_SCHEMA,
-      
+
       response: {
         200: {
-          ...DELETE_USER_SUCCESS_RESPONSE_SCHEMA,
+          ...SUCCESS_MESSAGE_RESPONSE_SCHEMA,
           description: 'User deleted successfully'
         },
         401: {
@@ -57,7 +36,7 @@ export default async function deleteUserRoute(server: FastifyInstance) {
         },
         403: {
           ...ERROR_RESPONSE_SCHEMA,
-          description: 'Forbidden - Insufficient permissions or cannot delete own account'
+          description: 'Forbidden - Cannot delete own account or last global administrator'
         },
         404: {
           ...ERROR_RESPONSE_SCHEMA,
@@ -73,7 +52,7 @@ export default async function deleteUserRoute(server: FastifyInstance) {
     try {
       // TypeScript type assertion (Fastify has already validated)
       const { id } = request.params as ParamsWithId;
-      
+
       // Prevent users from deleting themselves
       if (request.user?.id === id) {
         const errorResponse: ErrorResponse = {
@@ -83,9 +62,9 @@ export default async function deleteUserRoute(server: FastifyInstance) {
         const jsonString = JSON.stringify(errorResponse);
         return reply.status(403).type('application/json').send(jsonString);
       }
-      
+
       const success = await userService.deleteUser(id);
-      
+
       if (!success) {
         const errorResponse: ErrorResponse = {
           success: false,
@@ -95,7 +74,7 @@ export default async function deleteUserRoute(server: FastifyInstance) {
         return reply.status(404).type('application/json').send(jsonString);
       }
 
-      const successResponse: DeleteUserSuccessResponse = {
+      const successResponse: SuccessMessageResponse = {
         success: true,
         message: 'User deleted successfully'
       };
@@ -110,8 +89,8 @@ export default async function deleteUserRoute(server: FastifyInstance) {
         const jsonString = JSON.stringify(errorResponse);
         return reply.status(403).type('application/json').send(jsonString);
       }
-      
-      server.log.error(error, 'Error deleting user');
+
+      server.log.error(error, 'Error deleting user in admin route');
       const errorResponse: ErrorResponse = {
         success: false,
         error: 'Failed to delete user'
 
@@ -0,0 +1,14 @@
+import { type FastifyInstance } from 'fastify';
+import listUsersAdminRoute from './list';
+import searchUsersAdminRoute from './search';
+import getUserStatsAdminRoute from './stats';
+import deleteUserAdminRoute from './delete';
+import assignRoleAdminRoute from './assign-role';
+
+export default async function adminUsersRoutes(server: FastifyInstance) {
+  await server.register(listUsersAdminRoute);
+  await server.register(searchUsersAdminRoute);
+  await server.register(getUserStatsAdminRoute);
+  await server.register(deleteUserAdminRoute);
+  await server.register(assignRoleAdminRoute);
+}
@@ -1,6 +1,6 @@
 import type { FastifyInstance } from 'fastify';
-import { UserService } from '../../services/userService';
-import { requirePermission } from '../../middleware/roleMiddleware';
+import { UserService } from '../../../services/userService';
+import { requireGlobalAdmin } from '../../../middleware/roleMiddleware';
 import {
   ERROR_RESPONSE_SCHEMA,
   PAGINATION_QUERY_SCHEMA,
@@ -12,16 +12,16 @@ import {
   validatePaginationParams
 } from './schemas';
 
-export default async function listUsersRoute(server: FastifyInstance) {
+export default async function listUsersAdminRoute(server: FastifyInstance) {
   const userService = new UserService();
 
-  // GET /users - List all users (admin only) with pagination
+  // GET /admin/users - List all users (Global Admin only) with pagination
   server.get('/users', {
-    preValidation: requirePermission('users.list'),
+    preValidation: requireGlobalAdmin(),
     schema: {
-      tags: ['Users'],
-      summary: 'List all users',
-      description: 'Retrieves a paginated list of all users in the system. Requires admin permissions. Supports pagination with limit (1-100, default: 20) and offset (default: 0) parameters.',
+      tags: ['Admin - Users'],
+      summary: 'List all users (Global Admin)',
+      description: 'Allows global administrators to retrieve a paginated list of all users in the system. Supports pagination with limit (1-100, default: 20) and offset (default: 0) parameters.',
       security: [{ cookieAuth: [] }],
 
       querystring: PAGINATION_QUERY_SCHEMA,
@@ -41,7 +41,7 @@ export default async function listUsersRoute(server: FastifyInstance) {
         },
         403: {
           ...ERROR_RESPONSE_SCHEMA,
-          description: 'Forbidden - Insufficient permissions'
+          description: 'Forbidden - Global admin required'
         },
         500: {
           ...ERROR_RESPONSE_SCHEMA,
@@ -79,11 +79,11 @@ export default async function listUsersRoute(server: FastifyInstance) {
       const paginatedUsers = serializedUsers.slice(offset, offset + limit);
 
       server.log.info({
-        operation: 'list_users',
+        operation: 'list_users_admin',
         totalResults: total,
         returnedResults: paginatedUsers.length,
         pagination: { limit, offset }
-      }, 'Users list completed');
+      }, 'Admin users list completed');
 
       const successResponse: UsersListPaginatedResponse = {
         success: true,
@@ -111,7 +111,7 @@ export default async function listUsersRoute(server: FastifyInstance) {
         return reply.status(400).type('application/json').send(jsonString);
       }
 
-      server.log.error(error, 'Error fetching users');
+      server.log.error(error, 'Error fetching users in admin route');
       const errorResponse: ErrorResponse = {
         success: false,
         error: 'Failed to fetch users'