Hardening batch: terrain toggle, access lifecycle, auth matrix helpers, identity audit

Author: wilhel1812

AGENTS.md

@@ -7,3 +7,4 @@
 - Any modal/popover that can open on top of another dialog must use `tier="raised"` in `ModalOverlay`.
 - When catching UI errors, use `getUiErrorMessage()` from `src/lib/uiError.ts` for consistent messaging.
 - Do not leave backlog tasks in ambiguous state. Use `[x]` only when code and verification are done.
+- Do not start user-added backlog items without explicit user confirmation in the current thread.

docs/BACKLOG.md

@@ -24,7 +24,7 @@ State: stabilization pass (no net-new product features unless explicitly approve
 - [x] Access request note should be a one time thing for the users. Admins should still be able to see it even after approval, but it shouldn't be an editable field.
 - [x] What does the reject button currently do?
 - [x] Show profile pictures to other users when you click open the user popover. Also show a small one next to any user name in the UI
-- [ ] User should be able to select if 
+- [ ] User should be able to select if e-mail should be visible to everyone or only admins
 
 ## Active stabilization backlog
 
@@ -37,7 +37,9 @@ State: stabilization pass (no net-new product features unless explicitly approve
 - [ ] Restrict sign-ups and approval transitions with explicit lifecycle states
 - [ ] Add dedicated auth/permission tests for critical flows
 - Progress: baseline tests added for auth source resolution and error mapping; endpoint permission matrix still pending.
+- Progress: added access-policy helper matrix tests (`functions/_lib/access.test.ts`) and endpoint gating helpers in users endpoints.
 - [ ] Add dedicated identity reconciliation tests + audit logging coverage
+- Progress: identity reconciliation audit events now persisted in `user_identity_audit`; dedicated reconciliation tests still pending.
 - [x] Add observability for Cloudflare Access auth header/JWT variants
 
 ### Data and storage safety
@@ -73,6 +75,7 @@ State: stabilization pass (no net-new product features unless explicitly approve
 - [ ] Improve explanatory info for FSPL / TwoRay / ITM and defaults
 - [ ] Document map sampling strategies clearly in UI help
 - [ ] Recheck pass/fail interpretation and communication around terrain blocking
+- [x] Add terrain overlay visibility toggle (visual only; simulation still uses loaded terrain)
 
 ### Security and access hardening
 - [x] Productize Access policy templates in-app docs and setup checklist

functions/_lib/access.test.ts

@@ -0,0 +1,49 @@
+import { describe, expect, it } from "vitest";
+import {
+  canDeleteUserAccount,
+  canListUsers,
+  canUpdateUserApproval,
+  canUpdateUserRole,
+  deriveAccountState,
+  type AccessUserLike,
+} from "./access";
+
+const makeUser = (patch: Partial<AccessUserLike>): AccessUserLike => ({
+  id: patch.id ?? "u1",
+  isAdmin: patch.isAdmin ?? false,
+  isApproved: patch.isApproved ?? false,
+  approvedAt: patch.approvedAt ?? null,
+  approvedByUserId: patch.approvedByUserId ?? null,
+});
+
+describe("access matrix", () => {
+  it("derives account lifecycle deterministically", () => {
+    expect(deriveAccountState(makeUser({ isApproved: false, approvedAt: null }))).toBe("pending");
+    expect(deriveAccountState(makeUser({ isApproved: true }))).toBe("approved");
+    expect(deriveAccountState(makeUser({ isAdmin: true, isApproved: false }))).toBe("approved");
+    expect(deriveAccountState(makeUser({ isApproved: false, approvedAt: "2026-01-01T00:00:00Z" }))).toBe(
+      "revoked",
+    );
+  });
+
+  it("enforces admin-only list and disallows self-moderation", () => {
+    const admin = makeUser({ id: "admin", isAdmin: true, isApproved: true });
+    const normal = makeUser({ id: "user", isAdmin: false, isApproved: true });
+
+    expect(canListUsers(admin)).toBe(true);
+    expect(canListUsers(normal)).toBe(false);
+
+    expect(canUpdateUserRole(admin, "user")).toBe(true);
+    expect(canUpdateUserRole(admin, "admin")).toBe(false);
+    expect(canUpdateUserRole(normal, "admin")).toBe(false);
+
+    expect(canUpdateUserApproval(admin, "user")).toBe(true);
+    expect(canUpdateUserApproval(admin, "admin")).toBe(false);
+    expect(canUpdateUserApproval(normal, "admin")).toBe(false);
+
+    expect(canDeleteUserAccount(admin, "user")).toBe(true);
+    expect(canDeleteUserAccount(admin, "admin")).toBe(false);
+    expect(canDeleteUserAccount(normal, "admin")).toBe(false);
+  });
+});
+

functions/_lib/access.ts

@@ -0,0 +1,27 @@
+export type AccessUserLike = {
+  id: string;
+  isAdmin: boolean;
+  isApproved: boolean;
+  approvedAt?: string | null;
+  approvedByUserId?: string | null;
+};
+
+export type AccountState = "pending" | "approved" | "revoked";
+
+export const deriveAccountState = (user: AccessUserLike): AccountState => {
+  if (user.isAdmin || user.isApproved) return "approved";
+  if (user.approvedAt || user.approvedByUserId) return "revoked";
+  return "pending";
+};
+
+export const canListUsers = (user: AccessUserLike): boolean => user.isAdmin;
+
+export const canUpdateUserRole = (actor: AccessUserLike, targetUserId: string): boolean =>
+  actor.isAdmin && actor.id !== targetUserId;
+
+export const canUpdateUserApproval = (actor: AccessUserLike, targetUserId: string): boolean =>
+  actor.isAdmin && actor.id !== targetUserId;
+
+export const canDeleteUserAccount = (actor: AccessUserLike, targetUserId: string): boolean =>
+  actor.isAdmin && actor.id !== targetUserId;
+

functions/_lib/db.ts

@@ -4,7 +4,8 @@ const VISIBILITIES: Visibility[] = ["private", "public_read", "public_write"];
 const ROLES: ResourceRole[] = ["viewer", "editor", "admin"];
 
 let schemaReady: Promise<void> | null = null;
-const SCHEMA_VERSION = "2026-03-12";
+const SCHEMA_VERSION = "2026-03-12b";
+type AccountState = "pending" | "approved" | "revoked";
 
 const sanitizeVisibility = (value: unknown): Visibility =>
   typeof value === "string" && VISIBILITIES.includes(value as Visibility)
@@ -169,6 +170,16 @@ const REQUIRED_COLUMNS: Record<string, string[]> = {
   site_roles: ["site_id", "user_id", "role", "created_at"],
   simulation_roles: ["simulation_id", "user_id", "role", "created_at"],
   resource_changes: ["id", "resource_kind", "resource_id", "action", "actor_user_id", "changed_at", "note"],
+  user_identity_audit: [
+    "id",
+    "event_type",
+    "target_user_id",
+    "source_user_id",
+    "actor_user_id",
+    "idp_email",
+    "details_json",
+    "created_at",
+  ],
 };
 
 export const getSchemaDiagnostics = async (env: Env): Promise<{
@@ -278,13 +289,26 @@ const ensureSchema = async (env: Env): Promise<void> => {
             note TEXT
           )`,
         ),
+        env.DB.prepare(
+          `CREATE TABLE IF NOT EXISTS user_identity_audit (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            event_type TEXT NOT NULL,
+            target_user_id TEXT NOT NULL,
+            source_user_id TEXT,
+            actor_user_id TEXT,
+            idp_email TEXT,
+            details_json TEXT,
+            created_at TEXT NOT NULL
+          )`,
+        ),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_sites_owner ON sites(owner_user_id)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_sites_visibility ON sites(visibility)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_site_roles_user ON site_roles(user_id)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_simulations_owner ON simulations(owner_user_id)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_simulations_visibility ON simulations(visibility)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_simulation_roles_user ON simulation_roles(user_id)"),
         env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_resource_changes_lookup ON resource_changes(resource_kind, resource_id, changed_at DESC)"),
+        env.DB.prepare("CREATE INDEX IF NOT EXISTS idx_identity_audit_target ON user_identity_audit(target_user_id, created_at DESC)"),
       ]);
 
       const diagnostics = await getSchemaDiagnostics(env);
@@ -327,6 +351,12 @@ const toUserProfile = (row: UserRow) => ({
   avatarUrl: row.avatar_url ?? "",
   isAdmin: row.is_admin === 1,
   isApproved: row.is_approved === 1,
+  accountState:
+    row.is_admin === 1 || row.is_approved === 1
+      ? ("approved" as AccountState)
+      : row.approved_at || row.approved_by_user_id
+        ? ("revoked" as AccountState)
+        : ("pending" as AccountState),
   approvedAt: row.approved_at,
   approvedByUserId: row.approved_by_user_id,
   createdAt: row.created_at,
@@ -407,6 +437,27 @@ const reconcileUserIdentityByIdpEmail = async (
     env.DB.prepare("UPDATE simulation_roles SET user_id = ? WHERE user_id = ?").bind(userId, existing.id),
     env.DB.prepare("UPDATE resource_changes SET actor_user_id = ? WHERE actor_user_id = ?").bind(userId, existing.id),
   ]);
+
+  await env.DB
+    .prepare(
+      `INSERT INTO user_identity_audit
+       (event_type, target_user_id, source_user_id, actor_user_id, idp_email, details_json, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    )
+    .bind(
+      "reconciled_by_verified_idp_email",
+      userId,
+      existing.id,
+      userId,
+      normalized,
+      JSON.stringify({
+        mergedFromUserId: existing.id,
+        mergedFromIsAdmin: existing.is_admin === 1,
+        mergedFromIsApproved: existing.is_approved === 1,
+      }),
+      now,
+    )
+    .run();
 };
 
 export const ensureUser = async (
@@ -498,7 +549,10 @@ export const fetchUserProfile = async (env: Env, userId: string) => {
 export const assertUserAccess = async (env: Env, userId: string) => {
   const user = await fetchUserProfile(env, userId);
   if (!user) throw new Error("Unauthorized");
-  if (!user.isApproved && !user.isAdmin) {
+  if (user.accountState === "revoked") {
+    throw new Error("Account access revoked by admin");
+  }
+  if (user.accountState !== "approved") {
     throw new Error("Account pending approval");
   }
   return user;
@@ -585,8 +639,8 @@ export const setUserApproval = async (
     .prepare(
       `UPDATE users
        SET is_approved = ?,
-           approved_at = CASE WHEN ? = 1 THEN ? ELSE NULL END,
-           approved_by_user_id = CASE WHEN ? = 1 THEN ? ELSE NULL END,
+           approved_at = CASE WHEN ? = 1 THEN COALESCE(approved_at, ?) ELSE approved_at END,
+           approved_by_user_id = CASE WHEN ? = 1 THEN COALESCE(approved_by_user_id, ?) ELSE approved_by_user_id END,
            updated_at = ?
        WHERE id = ?`,
     )
@@ -649,7 +703,7 @@ export const listPendingApprovalUsers = async (
     .prepare(
       `SELECT id, username, email, created_at, access_request_note
        FROM users
-       WHERE is_approved = 0
+       WHERE is_approved = 0 AND approved_at IS NULL
        ORDER BY created_at ASC
        LIMIT 200`,
     )

functions/_lib/http.test.ts

@@ -5,6 +5,7 @@ describe("http error normalization", () => {
   it("maps known auth/access errors to stable statuses", () => {
     expect(statusFromErrorMessage("Schema out of date")).toBe(503);
     expect(statusFromErrorMessage("Session revoked by admin")).toBe(401);
+    expect(statusFromErrorMessage("Account access revoked by admin")).toBe(403);
     expect(statusFromErrorMessage("Unauthorized")).toBe(401);
     expect(statusFromErrorMessage("Account pending approval")).toBe(403);
     expect(statusFromErrorMessage("Forbidden")).toBe(403);
@@ -15,6 +16,7 @@ describe("http error normalization", () => {
   it("normalizes common messages", () => {
     expect(normalizeApiErrorMessage("Unauthorized token")).toBe("Unauthorized.");
     expect(normalizeApiErrorMessage("pending approval for account")).toBe("Account pending approval.");
+    expect(normalizeApiErrorMessage("account access revoked by admin")).toBe("Account access revoked by admin.");
     expect(normalizeApiErrorMessage("")).toBe("Request failed.");
   });
 });

functions/_lib/http.ts

@@ -40,6 +40,7 @@ export const handleOptions = (request: Request): Response =>
 export const normalizeApiErrorMessage = (message: string): string => {
   const lower = message.toLowerCase();
   if (lower.includes("session revoked by admin")) return "Session revoked by admin.";
+  if (lower.includes("access revoked by admin")) return "Account access revoked by admin.";
   if (lower.includes("pending approval")) return "Account pending approval.";
   if (lower.includes("unauthorized")) return "Unauthorized.";
   if (lower.includes("forbidden")) return "Forbidden.";
@@ -54,6 +55,7 @@ export const statusFromErrorMessage = (message: string, fallback = 500): number
   const lower = message.toLowerCase();
   if (lower.includes("schema out of date")) return 503;
   if (lower.includes("session revoked by admin")) return 401;
+  if (lower.includes("access revoked by admin")) return 403;
   if (lower.includes("unauthorized")) return 401;
   if (lower.includes("pending approval")) return 403;
   if (lower.includes("forbidden")) return 403;

functions/api/users.ts

@@ -1,4 +1,5 @@
 import { verifyAuth } from "../_lib/auth";
+import { canListUsers } from "../_lib/access";
 import { assertUserAccess, ensureUser, fetchUserProfile, listUsers } from "../_lib/db";
 import { errorResponse, handleOptions, json, withCors } from "../_lib/http";
 import type { Env } from "../_lib/types";
@@ -14,7 +15,7 @@ export const onRequestGet: PagesFunction<Env> = async ({ request, env }) => {
     await assertUserAccess(env, auth.userId);
     const me = await fetchUserProfile(env, auth.userId);
     if (!me) return withCors(request, json({ error: "Unauthorized" }, { status: 401 }));
-    if (!me.isAdmin) return withCors(request, json({ error: "Forbidden" }, { status: 403 }));
+    if (!canListUsers(me)) return withCors(request, json({ error: "Forbidden" }, { status: 403 }));
 
     const users = await listUsers(env);
     return withCors(request, json({ users }));

functions/api/users/[id].ts

@@ -1,4 +1,9 @@
 import { verifyAuth } from "../../_lib/auth";
+import {
+  canDeleteUserAccount,
+  canUpdateUserApproval,
+  canUpdateUserRole,
+} from "../../_lib/access";
 import {
   assertUserAccess,
   deleteUser,
@@ -101,12 +106,15 @@ export const onRequestPatch: PagesFunction<Env> = async ({ request, env, params
       });
     }
     if (body.isAdmin !== undefined) {
-      if (targetId === auth.userId) {
+      if (!canUpdateUserRole(me, targetId)) {
         return withCors(request, json({ error: "Users cannot change their own admin role." }, { status: 400 }));
       }
       user = await setUserAdminFlag(env, targetId, body.isAdmin);
     }
     if (body.isApproved !== undefined) {
+      if (!canUpdateUserApproval(me, targetId)) {
+        return withCors(request, json({ error: "Users cannot change their own approval state." }, { status: 400 }));
+      }
       user = await setUserApproval(env, targetId, body.isApproved, auth.userId);
     }
 
@@ -129,7 +137,7 @@ export const onRequestDelete: PagesFunction<Env> = async ({ request, env, params
 
     const targetId = typeof params.id === "string" ? params.id : "";
     if (!targetId) return withCors(request, json({ error: "Missing user id" }, { status: 400 }));
-    if (targetId === auth.userId) {
+    if (!canDeleteUserAccount(me, targetId)) {
       return withCors(request, json({ error: "Admin cannot delete own account." }, { status: 400 }));
     }
 

src/components/AppShell.tsx

@@ -25,6 +25,10 @@ export function AppShell() {
     void (async () => {
       try {
         const me = await fetchMe();
+        if (me.accountState === "revoked") {
+          setAccessState("locked");
+          return;
+        }
         setAccessState(me.isAdmin || me.isApproved ? "granted" : "pending");
       } catch (error) {
         const message = getUiErrorMessage(error);