liblaber
diff --git a/‎.github/workflows/e2e-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/e2e-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 59 additions & 1 deletion b/‎README.md‎
Lines changed: 59 additions & 1 deletion
diff --git a/‎app/access-denied/page.tsx‎
Lines changed: 159 additions & 0 deletions b/‎app/access-denied/page.tsx‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎app/api/[resource]/[resourceId]/eligible-members/route.ts‎
Lines changed: 41 additions & 0 deletions b/‎app/api/[resource]/[resourceId]/eligible-members/route.ts‎
Lines changed: 41 additions & 0 deletions
@@ -15,7 +15,7 @@ jobs:
   e2e-tests:
     name: 🧪 Run E2E Tests
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 25
 
     steps:
       - name: 📥 Checkout code
 
@@ -61,3 +61,5 @@ snapshots
 tsconfig.tsbuildinfo
 .instanceid
 tunnel.config
+
+next-env.d.ts
@@ -20,6 +20,8 @@ RUN npm install -g pnpm && pnpm install
 # Last supported deno version for netlify is 2.2.4
 RUN npm install -g deno@2.2.4
 
+RUN npm install -g sst
+
 RUN echo "LC_ALL=en_US.UTF-8" >> /etc/environment
 RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
 RUN echo "LANG=en_US.UTF-8" > /etc/locale.conf
 
@@ -177,7 +177,62 @@ Run the following command to set up and start the app:
 pnpm run quickstart
 ```
 
-**That's it! 🎉** The app will be available at [http://localhost:3000](http://localhost:3000/)
+**That's it! 🎉** The app will be available at [http://localhost:3000](http://localhost:3000/)
+
+### **Quickstart Behavior**
+
+The `pnpm run quickstart` command now **always pulls the latest code and Docker images** to ensure you're running the most up-to-date version. Here's what happens:
+
+- ✅ **Always rebuilds** Docker images with latest code
+- ✅ **Preserves your database** by default (keeps existing data)
+- ✅ **Interactive prompts** if you have existing data
+- ✅ **Migration support** for database schema changes
+
+**Additional quickstart options:**
+
+```bash
+# Standard quickstart (preserves database)
+pnpm run quickstart
+
+# Fresh start (removes all existing data)
+pnpm run quickstart:fresh
+
+# Explicitly preserve database
+pnpm run quickstart:preserve
+```
+
+**Database Migration**
+
+If you encounter database issues after updating, use the migration tool:
+
+```bash
+pnpm run docker:migrate
+```
+
+This provides options to:
+
+- Auto-migrate database schema
+- Create backups before migrating
+- Reset database (⚠️ **loses all data**)
+
+### How Quickstart Handles Your Data
+
+**Your data is PRESERVED when:**
+
+- You run `pnpm run quickstart:preserve`
+- You run the standard `pnpm run quickstart` and choose to preserve data when prompted (this is the default)
+
+**Your data is REMOVED (fresh start) when:**
+
+- You run `pnpm run quickstart:fresh`
+- You run the standard `pnpm run quickstart` and choose to reset the database when prompted
+- No existing data is found (e.g., on first-time setup)
+
+**Important Notes:**
+
+- 🔄 **Code is always updated** - Docker images are rebuilt with latest code
+- 💾 **Database behavior is configurable** - You control whether to keep or reset data
+- ⚠️ **Schema changes may require migration** - Use `pnpm run docker:migrate` if needed
 
 ### **Option 2: Manual Installation**
 
@@ -347,8 +402,11 @@ pnpm run dev
 - [**Contributing Guidelines**](https://github.com/liblaber/ai/blob/main/CONTRIBUTING.md) - How to contribute to the project
 - [Security & Privacy](docs/security-and-privacy.md)
 - [Configuration](docs/configuration.md)
+- [Deploy on EC2 with HTTPS & Auto-Restart](docs/ec2.md)
 - [Getting Started](docs/getting-started.md)
 - [Features](docs/features.md)
+- [Environments](docs/environments.md)
+- [Team Roles and Permissions](docs/team-roles-and-permissions.md)
 - [Tips](docs/tips.md)
 - [Governance](docs/governance.md)
 - [License](LICENSE)
 
@@ -0,0 +1,159 @@
+'use client';
+
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '~/components/ui/Card';
+import { Button } from '~/components/ui/Button';
+import { Logo } from '~/components/Logo';
+import { signOut } from '~/auth/auth-client';
+import { useRouter } from 'next/navigation';
+import { useState } from 'react';
+
+export default function AccessDeniedPage() {
+  const router = useRouter();
+  const [isRefreshing, setIsRefreshing] = useState(false);
+
+  const handleSignOut = async () => {
+    await signOut();
+  };
+
+  const handleRefresh = async () => {
+    setIsRefreshing(true);
+
+    try {
+      // Check permissions again
+      const response = await fetch('/api/me/permissions/check', {
+        method: 'GET',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      });
+
+      if (response.ok) {
+        const data = await response.json();
+
+        if (data && typeof data === 'object' && 'hasPermissions' in data) {
+          const hasPermissions = data.hasPermissions as boolean;
+
+          if (hasPermissions) {
+            // User now has permissions, redirect to main app
+            router.push('/');
+            return;
+          }
+        }
+      }
+
+      // If still no permissions, refresh the page to show updated state
+      router.refresh();
+    } catch (error) {
+      console.error('Error checking permissions:', error);
+      // On error, just refresh the page
+      router.refresh();
+    } finally {
+      setIsRefreshing(false);
+    }
+  };
+
+  return (
+    <div className="min-h-screen bg-depth-1 flex items-center justify-center p-4">
+      <div className="w-full max-w-md">
+        {/* Logo */}
+        <div className="flex justify-center mb-8">
+          <Logo />
+        </div>
+
+        {/* Access Denied Card */}
+        <Card className="w-full">
+          <CardHeader className="text-center">
+            <div className="mx-auto mb-4 w-16 h-16 bg-red-500/10 rounded-full flex items-center justify-center">
+              <svg
+                className="w-8 h-8 text-red-500"
+                fill="none"
+                stroke="currentColor"
+                viewBox="0 0 24 24"
+                xmlns="http://www.w3.org/2000/svg"
+              >
+                <path
+                  strokeLinecap="round"
+                  strokeLinejoin="round"
+                  strokeWidth={2}
+                  d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z"
+                />
+              </svg>
+            </div>
+            <CardTitle className="text-xl text-red-500">Access Denied</CardTitle>
+            <CardDescription className="text-secondary">
+              You don't have permission to access this application
+            </CardDescription>
+          </CardHeader>
+
+          <CardContent className="space-y-4">
+            <div className="text-center text-sm text-secondary space-y-2">
+              <p>Your account has been created, but you don't have any permissions assigned yet.</p>
+              <p>Please contact your administrator to get the appropriate access levels.</p>
+            </div>
+
+            <div className="flex flex-col space-y-3">
+              <Button onClick={handleRefresh} variant="primary" className="w-full" disabled={isRefreshing}>
+                {isRefreshing ? (
+                  <>
+                    <svg
+                      className="animate-spin -ml-1 mr-2 h-4 w-4 text-white"
+                      xmlns="http://www.w3.org/2000/svg"
+                      fill="none"
+                      viewBox="0 0 24 24"
+                    >
+                      <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+                      <path
+                        className="opacity-75"
+                        fill="currentColor"
+                        d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
+                      />
+                    </svg>
+                    Checking Permissions...
+                  </>
+                ) : (
+                  <>
+                    <svg
+                      className="w-4 h-4 mr-2"
+                      fill="none"
+                      stroke="currentColor"
+                      viewBox="0 0 24 24"
+                      xmlns="http://www.w3.org/2000/svg"
+                    >
+                      <path
+                        strokeLinecap="round"
+                        strokeLinejoin="round"
+                        strokeWidth={2}
+                        d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"
+                      />
+                    </svg>
+                    Refresh & Check Permissions
+                  </>
+                )}
+              </Button>
+
+              <Button onClick={handleSignOut} variant="outline" className="w-full">
+                Sign Out
+              </Button>
+            </div>
+          </CardContent>
+        </Card>
+
+        {/* Help Text */}
+        <div className="mt-6 text-center text-xs text-secondary">
+          <p>
+            Need help? Contact your system administrator or check the{' '}
+            <a
+              href="https://docs.liblab.ai"
+              target="_blank"
+              rel="noopener noreferrer"
+              className="text-accent-500 hover:text-accent-400 underline"
+            >
+              documentation
+            </a>
+            .
+          </p>
+        </div>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getResourceConfig, getEligibleMembersForResource } from '~/lib/utils/resource-utils';
+import { requireUserAbility } from '~/auth/session';
+import { PermissionAction, Prisma } from '@prisma/client';
+import { subject } from '@casl/ability';
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ resource: string; resourceId: string }> },
+) {
+  try {
+    const { userAbility } = await requireUserAbility(request);
+    const { resource, resourceId } = await params;
+    const resourceConfig = getResourceConfig(resource);
+
+    const { fetchResource, permissionResource, roleScope } = resourceConfig;
+
+    const resourceData = await fetchResource(resourceId);
+
+    if (userAbility.cannot(PermissionAction.read, subject(permissionResource, resourceData))) {
+      return NextResponse.json({ success: false, error: 'Forbidden' }, { status: 403 });
+    }
+
+    const eligibleMembers = await getEligibleMembersForResource(resourceId, roleScope, permissionResource);
+
+    return NextResponse.json({ success: true, eligibleMembers });
+  } catch (error) {
+    if (error instanceof Error && error.message.startsWith('Invalid resource type')) {
+      return NextResponse.json({ success: false, error: 'Invalid route' }, { status: 400 });
+    }
+
+    if (error instanceof Prisma.PrismaClientKnownRequestError && error.code === 'P2025') {
+      return NextResponse.json(
+        { success: false, error: `${error.meta?.modelName || 'Resource'} not found` },
+        { status: 404 },
+      );
+    }
+
+    return NextResponse.json({ success: false, error: 'Failed to retrieve eligible members' }, { status: 500 });
+  }
+}