/* ========================================================================= * CTWCAD — Access control (allowlist) and Admin page * ----------------------------------------------------------------------- * Front-end gate ONLY. Real enforcement must happen server-side. * Persists allowlist + public/private mode to localStorage. * =======================================================================*/ const OWNER_EMAIL = "sethbenricks@gmail.com"; const ALLOWLIST_KEY = "ctwcad.allowlist"; const PUBLISH_KEY = "ctwcad.public"; const ROLES = [ { id: "owner", label: "Owner", desc: "Full control. Cannot be removed.", color: "owner" }, { id: "admin", label: "Admin", desc: "Manage members, projects, settings.", color: "admin" }, { id: "member", label: "Member", desc: "Standard collaborator.", color: "member" }, { id: "viewer", label: "Viewer", desc: "Read-only access to shared content.", color: "viewer" }, { id: "guest", label: "Guest", desc: "Limited, time-bound access.", color: "guest" }, ]; // Per-user storage limit defaults (in bytes). // - Owner / admin: unlimited (null) // - Everyone else: 100 MB // An explicit `storageLimit` on the user doc overrides these defaults. const DEFAULT_USER_LIMIT_BYTES = 100 * 1024 * 1024; function effectiveUserLimit(user) { if (!user) return DEFAULT_USER_LIMIT_BYTES; if (user.storageLimit !== undefined && user.storageLimit !== null) { return user.storageLimit; } const isOwnerByEmail = (user.email || "").toLowerCase() === OWNER_EMAIL; const role = (user.role || "").toLowerCase(); if (isOwnerByEmail || role === "owner" || role === "admin") return null; // unlimited return DEFAULT_USER_LIMIT_BYTES; } function fmtLimit(bytes) { if (bytes === null || bytes === undefined) return "Unlimited"; return fmtBytes(bytes); } window.CTWCAD_LIMITS = { DEFAULT_USER_LIMIT_BYTES, effectiveUserLimit, fmtLimit }; const DEFAULT_ALLOWLIST = [ { email: OWNER_EMAIL, role: "owner", addedAt: new Date().toISOString() }, ]; /* localStorage acts as a synchronous cache. In firebase mode we boot by * pulling /access/config from Firestore once on app load (see * bootstrapAccessConfig below) so that the synchronous gate (isAllowed) * still works in existing code paths. Writes go to Firestore AND localStorage * so the next page load is instantly correct. */ function loadAllowlist() { try { const raw = localStorage.getItem(ALLOWLIST_KEY); if (!raw) return DEFAULT_ALLOWLIST.slice(); const arr = JSON.parse(raw); if (!arr.some(e => e.email.toLowerCase() === OWNER_EMAIL)) { arr.unshift(DEFAULT_ALLOWLIST[0]); } return arr; } catch { return DEFAULT_ALLOWLIST.slice(); } } function saveAllowlistLocal(list) { localStorage.setItem(ALLOWLIST_KEY, JSON.stringify(list)); } function saveAllowlist(list) { saveAllowlistLocal(list); // In firebase mode, replace the WHOLE allowlist atomically — single // setDoc on /access/config. Avoids the read-modify-write race that // happened when we fanned out per-entry add/remove calls. Failures // surface as a toast via the ctwcad:save-error event. if (window.CTWCAD_ACTIVE_ADAPTER === "firebase" && window.api?.setAllowlist) { Promise.resolve(window.api.setAllowlist(list)).catch((e) => { console.error("[CTWCAD] setAllowlist write rejected:", e); window.dispatchEvent(new CustomEvent("ctwcad:save-error", { detail: { what: "allowlist", error: e?.code || e?.message || String(e) } })); }); } } function loadPublic() { return localStorage.getItem(PUBLISH_KEY) === "1"; } function savePublicLocal(v) { if (v) localStorage.setItem(PUBLISH_KEY, "1"); else localStorage.removeItem(PUBLISH_KEY); } function savePublic(v) { savePublicLocal(v); if (window.CTWCAD_ACTIVE_ADAPTER === "firebase" && window.api?.setPublic) { Promise.resolve(window.api.setPublic(!!v)).catch((e) => { console.error("[CTWCAD] setPublic write rejected:", e); window.dispatchEvent(new CustomEvent("ctwcad:save-error", { detail: { what: "public", error: e?.code || e?.message || String(e) } })); }); } } function isAllowed(email) { if (loadPublic()) return true; // open beta — anyone with a Google sign-in if (!email) return false; const list = loadAllowlist(); return list.some(e => e.email.toLowerCase() === email.toLowerCase()); } function isOwner(email) { return email && email.toLowerCase() === OWNER_EMAIL; } // Admin = owner OR a user whose role on the allowlist is "admin". // Mirrors the rules' isAdmin() so the UI gates match what the server allows. function isAdmin(email) { if (!email) return false; if (isOwner(email)) return true; const e = email.toLowerCase(); return loadAllowlist().some(x => x.email.toLowerCase() === e && x.role === "admin"); } /* On boot, if firebase is active AND the user is already signed in, pull * the canonical /access/config doc into the localStorage cache so the * synchronous gate gives the right answer. We skip this on the sign-in * screen because /access/config requires auth — the read would just * 401 and we'd waste a round-trip on every cold load. handleSignIn * itself populates the cache after a fresh sign-in. */ async function bootstrapAccessConfig() { if (window.CTWCAD_ACTIVE_ADAPTER !== "firebase" || !window.api?.getAccessConfig) return; try { const cfg = await window.api.getAccessConfig(); if (!cfg) return; if (Array.isArray(cfg.allowlist)) saveAllowlistLocal(cfg.allowlist); savePublicLocal(!!cfg.public); window.dispatchEvent(new CustomEvent("ctwcad:access-config-loaded", { detail: cfg })); } catch (e) { console.warn("[CTWCAD] failed to load /access/config from Firestore:", e?.message); } } function maybeBootstrap() { if (localStorage.getItem("ctwcad.signedIn") === "1") { bootstrapAccessConfig(); } } if (window.api) maybeBootstrap(); else window.addEventListener("DOMContentLoaded", maybeBootstrap); window.CTWCAD_ACCESS = { OWNER_EMAIL, ROLES, loadAllowlist, saveAllowlist, loadPublic, savePublic, isAllowed, isOwner, isAdmin, bootstrapAccessConfig }; /* ---------- "Sign in with Google" picker (mock) -------------------- */ function GoogleAccountPicker({ onPick, onCancel }) { const M = window.FramerMotion.motion; const [custom, setCustom] = useState(""); const accounts = [ { name: "Seth Ricks", email: OWNER_EMAIL, hue: 200, initials: "SR" }, { name: "Tess Carrow", email: "tess@atelier-hw.com", hue: 280, initials: "TC" }, { name: "Dana Friend", email: "dana@meridian.io", hue: 174, initials: "DF" }, { name: "Random visitor", email: "stranger@example.com", hue: 36, initials: "?" }, ]; return (
Choose an account
to continue to CTWCAD
setCustom(e.target.value)} placeholder="or enter another email…" onKeyDown={(e) => { if (e.key === "Enter" && custom.includes("@")) { onPick({ name: custom.split("@")[0], email: custom.toLowerCase(), hue: 200, initials: custom[0]?.toUpperCase() || "?" }); } }} />
Mock OAuth — see notes for real Google Sign-In.
 ); } /* ---------- Access denied screen ----------------------------------- */ function AccessDeniedView({ email, onBack }) { const M = window.FramerMotion.motion; return (

You don't have access yet

CTWCAD is in private beta. Access is invite-only while we test with a small group.

{email}

If you think you should have access, ask the owner to add this address to the allowlist.

); } /* ---------- Confirm dialog (publish to everyone) ------------------- */ function ConfirmDialog({ open, title, body, confirmLabel, danger, onConfirm, onCancel }) { const M = window.FramerMotion.motion; const A = window.FramerMotion.AnimatePresence; return ( {open && ( <>

{title}

{body}

 )} ); } /* ---------- Role picker (popover) ---------------------------------- */ function RolePopover({ open, current, onPick, onClose, anchorRect }) { const M = window.FramerMotion.motion; const A = window.FramerMotion.AnimatePresence; const ref = useRef(null); useEffect(() => { if (!open) return; const onDoc = (e) => { if (ref.current && !ref.current.contains(e.target)) onClose(); }; document.addEventListener("mousedown", onDoc); return () => document.removeEventListener("mousedown", onDoc); }, [open, onClose]); if (!open || !anchorRect) return null; const style = { position: "fixed", top: anchorRect.bottom + 6, left: Math.min(anchorRect.left, window.innerWidth - 280), }; return ( {ROLES.filter(r => r.id !== "owner").map(r => ( ))} ); } /* ---------- Admin page (admins + owner) ---------------------------- Wave-4 layout: tabbed dashboard. The first tab "Overview" surfaces a counts/stats card and a top-storage chart; subsequent tabs each focus on one operational concern (access, files, activity, admin staff). Tabs are CLIENT-SIDE only — every fetch they fire is guarded by the existing Firestore rules, so non-owners just see permission-denied if they somehow reach this page. */ function AdminView({ user, onToast, viewAll, onToggleViewAll, onImpersonate, impersonating, onOpenFile }) { const [list, setList] = useState(loadAllowlist); const [pub, setPub] = useState(loadPublic); const [email, setEmail] = useState(""); const [role, setRole] = useState("member"); const [confirmPublish, setConfirmPublish] = useState(false); const [confirmRevoke, setConfirmRevoke] = useState(false); const [rolePop, setRolePop] = useState(null); // { email, anchor } const [allUsers, setAllUsers] = useState(null); const [allKeys, setAllKeys] = useState(null); // connected devices across users const [userMenu, setUserMenu] = useState(null); // { user, x, y } | null const [limitModal, setLimitModal] = useState(null); // { user } | null const [guestExpModal, setGuestExpModal] = useState(null); // { email } | null // Wave-4: top-level tab. Persisted to localStorage so refresh / navigation // back to /admin keeps the operator on whichever tab they were last using. const [tab, setTab] = useState(() => { const t = localStorage.getItem("ctwcad.admin.tab"); return ["overview", "access", "files", "activity", "staff"].includes(t) ? t : "overview"; }); useEffect(() => { localStorage.setItem("ctwcad.admin.tab", tab); }, [tab]); // Wave-4: allowlist toolbar state (search + sort). const [memberSearch, setMemberSearch] = useState(""); const [memberSort, setMemberSort] = useState("addedAt-desc"); // email-asc | role | addedAt-desc | addedAt-asc const M = window.FramerMotion.motion; const isOwnerUser = isOwner(user?.email); const isAdminUser = isAdmin(user?.email); // Load full member list (with file/project/storage stats) so the cards can // show meaningful numbers next to each name. Errors used to swallow // silently and leave the section showing nothing forever — now we // capture the failure and surface it in the empty-state UI. const [usersError, setUsersError] = useState(null); useEffect(() => { if (!isAdminUser) return; let alive = true; setUsersError(null); window.api.listAllUsers?.().then(u => { if (!alive) return; setAllUsers(u || []); }).catch((err) => { if (!alive) return; console.warn("[CTWCAD] listAllUsers failed:", err?.code || err?.message, err); setUsersError(err?.code || err?.message || "unknown error"); setAllUsers([]); }); window.api.listAllApiKeys?.().then(k => { if (alive) setAllKeys(k); }) .catch((err) => console.warn("[CTWCAD] listAllApiKeys failed:", err?.code || err?.message)); return () => { alive = false; }; }, [isAdminUser, impersonating?.id, viewAll]); const add = () => { const e = email.trim().toLowerCase(); if (!e.includes("@")) { onToast?.("Enter a valid email", "alert-circle"); return; } if (list.some(x => x.email.toLowerCase() === e)) { onToast?.("Already on the list", "info"); return; } const next = [...list, { email: e, role, addedAt: new Date().toISOString() }]; setList(next); saveAllowlist(next); setEmail(""); onToast?.(`Added ${e} as ${role}`, "user-plus"); }; const remove = (e) => { if (e.toLowerCase() === OWNER_EMAIL) { onToast?.("Can't remove the owner", "shield"); return; } const next = list.filter(x => x.email.toLowerCase() !== e.toLowerCase()); setList(next); saveAllowlist(next); onToast?.(`Removed ${e}`, "user-minus"); }; const changeRole = (e, newRole) => { if (e.toLowerCase() === OWNER_EMAIL) return; if (newRole === "guest") { // Guests need an expiration; close the role popover and open the // expiration picker. The actual write happens after the picker // saves (see saveGuestExpiration below). setRolePop(null); setGuestExpModal({ email: e }); return; } const next = list.map(x => x.email.toLowerCase() === e.toLowerCase() // Clear expiresAt when role changes away from guest. ? { ...x, role: newRole, expiresAt: null } : x); setList(next); saveAllowlist(next); setRolePop(null); onToast?.(`${e} → ${newRole}`, "shield-check"); }; const saveGuestExpiration = (email, expiresAtIso) => { const next = list.map(x => x.email.toLowerCase() === email.toLowerCase() ? { ...x, role: "guest", expiresAt: expiresAtIso || null } : x); setList(next); saveAllowlist(next); setGuestExpModal(null); const friendly = expiresAtIso ? `expires ${fmtRelative(expiresAtIso)}` : "no expiration"; onToast?.(`${email} → guest (${friendly})`, "clock"); }; const doPublish = () => { setPub(true); savePublic(true); setConfirmPublish(false); onToast?.("Site is now public — anyone with Google can sign in", "globe"); }; const doRevoke = () => { setPub(false); savePublic(false); setConfirmRevoke(false); onToast?.("Site is private again — allowlist enforced", "lock"); }; if (!isAdminUser) { return (
Admin only
This area is restricted to admins and the workspace owner.
); } // Tab metadata. The header text + sub-line update with the active tab so // the page makes sense even if the operator deep-links to a tab. const TAB_META = { overview: { title: "Admin overview", sub: "System-wide totals and storage." }, access: { title: "Access control", sub: pub ? "Site is public. Anyone signing in with Google can use CTWCAD." : "Only people on the allowlist can sign in. Everyone else sees the beta gate." }, files: { title: "All files", sub: "Every file in the workspace, newest activity first." }, activity: { title: "Activity log", sub: "Audit trail of file changes across all users." }, staff: { title: "Admin staff", sub: "Who else has admin powers besides the owner." }, }; const meta = TAB_META[tab] || TAB_META.overview; return (
ADMIN · {isOwnerUser ? "OWNER" : "STAFF"}

{meta.title}

{meta.sub}

{pub ? "PUBLIC" : "PRIVATE BETA"}
{/* TAB NAVIGATION */} {tab === "overview" && ( )} {tab === "files" && ( )} {tab === "activity" && ( )} {tab === "staff" && ( { setList(next); saveAllowlist(next); }} onToast={onToast} /> )} {tab === "access" && <> {/* PUBLISH MODE */}

Visibility

{pub ? "Public — open to everyone" : "Private beta — invite only"}
{pub ? "Allowlist is bypassed. Anyone with a Google account can sign in. The allowlist below is preserved and will become active again if you make the site private." : "The allowlist below is the only way in. Use Publish to lift the gate when you're ready to launch."}
{pub ? : }
{/* ADD MEMBER */}

Add member

setEmail(e.target.value)} placeholder="person@company.com" onKeyDown={(e) => e.key === "Enter" && add()} />
{/* Live validation: warn early on bad email shape and on duplicates so the operator doesn't have to click Add to see the toast. Empty-state stays silent. */} {(() => { const trimmed = email.trim(); if (!trimmed) return null; const looksLikeEmail = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmed); if (!looksLikeEmail) { return (
That doesn't look like a valid email.
); } const dup = list.find(x => x.email.toLowerCase() === trimmed.toLowerCase()); if (dup) { return (
{dup.email} is already on the list as {dup.role}.
); } return (
Looks good — press Enter or click Add.
); })()} {pub && (
Site is public. The allowlist is preserved but not enforced — adding members here defines their role for when you switch back to private.
)}
{/* MEMBER LIST */}

Members ({list.length})

{/* Toolbar: search by email + sort. Owner row stays pinned to the top irrespective of sort so the workspace owner is always discoverable. */}
setMemberSearch(e.target.value)} placeholder="Search members…"/> {memberSearch && ( )}
{(() => { const q = memberSearch.trim().toLowerCase(); const visible = q ? list.filter(x => x.email.toLowerCase().includes(q)) : list; return q ? `${visible.length} of ${list.length} match` : `${list.length} total`; })()}
{(() => { const q = memberSearch.trim().toLowerCase(); const filtered = q ? list.filter(x => x.email.toLowerCase().includes(q)) : list.slice(); const ROLE_RANK = { owner: 0, admin: 1, member: 2, viewer: 3, guest: 4 }; filtered.sort((a, b) => { // Owner always first. const aOwn = a.email.toLowerCase() === OWNER_EMAIL ? 0 : 1; const bOwn = b.email.toLowerCase() === OWNER_EMAIL ? 0 : 1; if (aOwn !== bOwn) return aOwn - bOwn; switch (memberSort) { case "email-asc": return a.email.localeCompare(b.email); case "role": return (ROLE_RANK[a.role] ?? 9) - (ROLE_RANK[b.role] ?? 9); case "addedAt-asc": return new Date(a.addedAt || 0) - new Date(b.addedAt || 0); case "addedAt-desc": default: return new Date(b.addedAt || 0) - new Date(a.addedAt || 0); } }); return filtered; })().map((entry, i) => { const isOwn = entry.email.toLowerCase() === OWNER_EMAIL; const roleDef = ROLES.find(r => r.id === entry.role) || ROLES[2]; // Match this allowlist entry to a real /users doc so we can // show their actual usage and pipe the storage modal through // their uid. Members who haven't signed in yet have no // /users doc → show "—" and disable the storage actions. const userDoc = (allUsers || []).find(u => (u.email || "").toLowerCase() === entry.email.toLowerCase()); const used = userDoc?.sizeBytes || 0; const limit = userDoc ? effectiveUserLimit(userDoc) : effectiveUserLimit({ email: entry.email, role: entry.role }); const overLimit = limit !== null && used > limit; const canEditStorage = !!userDoc && (!isOwn || isOwnerUser); const openStorageModal = () => { if (!canEditStorage) return; setLimitModal({ user: userDoc }); }; return ( { if (!canEditStorage) return; e.preventDefault(); e.stopPropagation(); openStorageModal(); }} title={canEditStorage ? "Right-click to edit storage limit" : ""}>
{entry.email}
Added {fmtRelative(entry.addedAt)} {entry.role === "guest" && entry.expiresAt && (() => { const exp = new Date(entry.expiresAt).getTime(); const now = Date.now(); const expired = exp < now; const soon = !expired && (exp - now) < 24 * 3600 * 1000; const cls = "ct-admin-row-expires" + (expired ? " is-expired" : soon ? " is-soon" : ""); return ( <> {" · "} {expired ? `expired ${fmtRelative(entry.expiresAt)}` : `expires ${fmtRelative(entry.expiresAt)}`} ); })()} {entry.role === "guest" && !entry.expiresAt && ( <>{" · "}no expiration )}
); })} {memberSearch.trim() && list.filter(x => x.email.toLowerCase().includes(memberSearch.trim().toLowerCase())).length === 0 && (
No members match "{memberSearch.trim()}".
)}
{/* USERS & IMPERSONATION */}

Users & impersonation

See every member, browse their files in read-only mode, or sign in as them to verify what they see. Impersonation is logged server-side—every action while impersonating is recorded against the admin's account.

{usersError && (
Couldn't load users ({usersError}). Open DevTools → Console for details. Often a cached/stale page — try hard-refresh.
)} {!usersError && allUsers && allUsers.length === 0 && (
No users on file yet. New members appear here the first time they sign in (a /users/<uid> doc gets written then). Make sure people on the allowlist have actually completed the Google sign-in flow at least once.
)}
{(allUsers || Array.from({length: 4})).map((u, i) => { const skeleton = !u; const isMe = u && user?.email && u.email.toLowerCase() === user.email.toLowerCase(); const isCurrent = u && impersonating && impersonating.email.toLowerCase() === u.email.toLowerCase(); const isTargetOwner = u && u.email.toLowerCase() === OWNER_EMAIL; // Non-owner admins can't impersonate or edit the owner. const blockOwnerOps = isTargetOwner && !isOwnerUser; const allowEntry = u && list.find(x => x.email.toLowerCase() === u.email.toLowerCase()); const r = allowEntry?.role || (isTargetOwner ? "owner" : "member"); const roleDef = ROLES.find(x => x.id === r) || ROLES[2]; const userKeys = u && allKeys ? allKeys.filter(k => k.uid === u.id) : null; return ( { if (skeleton || isMe || blockOwnerOps) return; e.preventDefault(); setUserMenu({ user: u, x: e.clientX, y: e.clientY }); }}> {!skeleton && (() => { const limit = effectiveUserLimit(u); const used = u.sizeBytes || 0; const pct = limit ? Math.min(100, (used / limit) * 100) : Math.min(100, (used / (5 * 1024 * 1024 * 1024)) * 100); // 5 GB for visual scale only const overLimit = limit !== null && used > limit; return <> {/* Storage headline — biggest visual hit on the card. Right-click anywhere in here opens the limit modal, so admins can manage storage without hunting for the Edit-limit button. */}
{ if (blockOwnerOps) return; e.preventDefault(); e.stopPropagation(); setLimitModal({ user: u }); }} title={blockOwnerOps ? "" : "Right-click to edit storage limit"}>
{fmtBytes(used)} / {fmtLimit(limit)}
{u.name} {isMe && You} {isCurrent && Viewing now}
{u.email}
{roleDef.label}
{u.fileCount}files
{u.projectCount}projects
{userKeys ? userKeys.length : "·"} connected
; })()} ); })}
{/* CONNECTED DEVICES (all users) */}

Connected desktop apps {allKeys ? `(${allKeys.length})` : ""}

Every CTWCAD desktop install authorized for any user. Revoking signs the desktop app out on its next sync.

{(allKeys || []).map((k, i) => { const targetIsOwner = (k.userEmail || "").toLowerCase() === OWNER_EMAIL; const blockOwnerOps = targetIsOwner && !isOwnerUser; return (
{k.deviceName} · {k.userEmail || k.uid}
{k.os || "—"} · {k.appVersion ? `v${k.appVersion}` : "version unknown"} · {k.lastUsedAt ? ` last used ${fmtRelative(k.lastUsedAt)}` : " never used"} · added {fmtRelative(k.createdAt)}
); })} {allKeys && allKeys.length === 0 && (
No connected desktop apps yet.
)}
{/* HOW IT WORKS */}

How this works

Front-end gate. Anyone reaching the app sees the sign-in prompt only.
No content, dashboard, or files are loaded until access is verified.
Allowlist or open mode. Switch between invite-only and fully public from this page.
Mismatched emails see a friendly "in beta" message while the gate is up.
Roles. Owner, Admin, Member, Viewer, Guest. Click any pill to change a member's role.
Roles drive UI capability flags client-side; the WordPress bridge enforces them server-side.
Real enforcement is server-side. The same allowlist + visibility flag must live on the WordPress bridge plugin.
It rejects API calls from non-allowlisted accounts when private; the front end is just UX.
} setConfirmPublish(false)} onConfirm={doPublish} /> setConfirmRevoke(false)} onConfirm={doRevoke} /> x.email.toLowerCase() === rolePop.email.toLowerCase())?.role)} anchorRect={rolePop?.anchor} onClose={() => setRolePop(null)} onPick={(r) => changeRole(rolePop.email, r)} /> x.email.toLowerCase() === guestExpModal.email.toLowerCase())} onClose={() => setGuestExpModal(null)} onSave={(iso) => saveGuestExpiration(guestExpModal.email, iso)} /> setLimitModal(null)} onSave={async (limitBytes) => { const u = limitModal?.user; if (!u) return; try { await window.api.setUserStorageLimit(u.id, limitBytes); // Update local list optimistically so the card re-renders. setAllUsers((prev) => prev?.map(x => x.id === u.id ? { ...x, storageLimit: limitBytes } : x )); onToast?.(`Updated ${u.name}'s storage limit`, "hard-drive"); } catch (e) { onToast?.(`Couldn't update limit (${e?.code || e?.message || "error"})`, "alert-circle"); } setLimitModal(null); }} /> setUserMenu(null)} onImpersonate={() => { onImpersonate?.(userMenu.user); setUserMenu(null); }} onViewFiles={() => { onToggleViewAll?.(true); onToast?.(`Admin view on — ${userMenu.user.name}'s files now visible`, "eye"); setUserMenu(null); }} onCopyEmail={() => { navigator.clipboard?.writeText(userMenu.user.email); onToast?.("Email copied", "clipboard-check"); setUserMenu(null); }} onChangeRole={() => { // anchor at the click point, then open RolePopover setRolePop({ email: userMenu.user.email, anchor: { left: userMenu.x, top: userMenu.y, right: userMenu.x, bottom: userMenu.y, height: 0 } }); setUserMenu(null); }} onEditStorage={() => { setLimitModal({ user: userMenu.user }); setUserMenu(null); }} />
); } /* ---------- Guest expiration picker ------------------------------ Triggered when an admin sets a member's role to "guest". Lets the admin pick a duration (preset) or specific date/time, or "no expiration". Writes back as an ISO timestamp on the allowlist entry. */ function GuestExpirationModal({ target, onClose, onSave }) { const M = window.FramerMotion.motion; const A = window.FramerMotion.AnimatePresence; // Modes: // "duration" — count + unit (minutes / hours / days / weeks) plus quick presets // "datetime" — specific local date+time picker // "none" — no expiration (admin revokes manually) const [mode, setMode] = useState("duration"); const [durationN, setDurationN] = useState(1); const [durationU, setDurationU] = useState("week"); const [customIso, setCustomIso] = useState(""); // Bigger preset list now that we support sub-day expirations. Each // preset just seeds the number + unit fields so the user can fine- // tune from a starting point. const PRESETS = [ { label: "30 min", n: 30, u: "minute" }, { label: "1 hour", n: 1, u: "hour" }, { label: "4 hours", n: 4, u: "hour" }, { label: "1 day", n: 1, u: "day" }, { label: "1 week", n: 1, u: "week" }, { label: "30 days", n: 30, u: "day" }, { label: "90 days", n: 90, u: "day" }, ]; const UNIT_MS = { minute: 60 * 1000, hour: 60 * 60 * 1000, day: 24 * 60 * 60 * 1000, week: 7 * 24 * 60 * 60 * 1000, }; const durationMs = Math.max(1, durationN) * (UNIT_MS[durationU] || UNIT_MS.day); useEffect(() => { if (!target) return; setMode("duration"); setDurationN(1); setDurationU("week"); // Default custom datetime to "1 week from now" formatted for datetime-local input. const d = new Date(Date.now() + 7 * 24 * 3600 * 1000); const tz = d.getTimezoneOffset(); const localIso = new Date(d.getTime() - tz * 60000).toISOString().slice(0, 16); setCustomIso(localIso); }, [target?.email]); useEffect(() => { if (!target) return; const onKey = (e) => { if (e.key === "Escape") onClose(); }; window.addEventListener("keydown", onKey); return () => window.removeEventListener("keydown", onKey); }, [target, onClose]); if (!target) return null; const submit = (e) => { e?.preventDefault(); if (mode === "none") { onSave(null); return; } if (mode === "duration") { const iso = new Date(Date.now() + durationMs).toISOString(); onSave(iso); return; } if (mode === "datetime") { // datetime-local gives a local time string (no Z). Convert to ISO. const d = new Date(customIso); if (isNaN(d.getTime())) return; onSave(d.toISOString()); return; } }; return ( e.stopPropagation()} onSubmit={submit}>
guest expiration
{target.email}
Pick how long this guest can keep their access. After expiration they'll see the access-denied screen on next sign-in.
{mode === "duration" && ( <>
{PRESETS.map((p) => { const active = durationN === p.n && durationU === p.u; return ( ); })}
setDurationN(Math.max(1, parseInt(e.target.value) || 1))}/>
Will expire {fmtRelative(new Date(Date.now() + durationMs).toISOString())} {" · "} {new Date(Date.now() + durationMs).toLocaleString(undefined, { month: "short", day: "numeric", hour: "numeric", minute: "2-digit", })}
)} {mode === "datetime" && ( setCustomIso(e.target.value)} /> )} {mode === "none" && (
Guest access will not auto-expire. You can still revoke manually by removing the member or changing their role.
)}
); } /* ---------- Storage limit edit modal ----------------------------- */ function StorageLimitModal({ target, onClose, onSave }) { const M = window.FramerMotion.motion; const A = window.FramerMotion.AnimatePresence; const [unlimited, setUnlimited] = useState(false); const [valueMB, setValueMB] = useState("100"); const inputRef = useRef(null); useEffect(() => { if (!target) return; const cur = effectiveUserLimit(target); setUnlimited(cur === null); setValueMB(cur === null ? "100" : String(Math.round(cur / (1024 * 1024)))); setTimeout(() => inputRef.current?.focus(), 50); }, [target?.id]); useEffect(() => { if (!target) return; const onKey = (e) => { if (e.key === "Escape") onClose(); }; window.addEventListener("keydown", onKey); return () => window.removeEventListener("keydown", onKey); }, [target, onClose]); if (!target) return null; const submit = (e) => { e?.preventDefault(); if (unlimited) { onSave(null); return; } const mb = Math.max(0, parseFloat(valueMB) || 0); onSave(Math.round(mb * 1024 * 1024)); }; return ( e.stopPropagation()} onSubmit={submit} >
storage limit
{target.name}
{target.email}
{!unlimited && (
setValueMB(e.target.value)} /> MB
)}
Currently using {fmtBytes(target.sizeBytes || 0)}. Default for members is 100 MB; admins and the owner are unlimited unless overridden.
); } /* ---------- User card right-click menu ---------------------------- */ function UserContextMenu({ open, x, y, user, onClose, onImpersonate, onViewFiles, onCopyEmail, onChangeRole, onEditStorage }) { const M = window.FramerMotion.motion; const A = window.FramerMotion.AnimatePresence; // Clamp position so the menu stays in viewport. Menu is ~220×200ish. const left = Math.min(x ?? 0, window.innerWidth - 232); const top = Math.min(y ?? 0, window.innerHeight - 220); return ( {open && ( <>
{ e.preventDefault(); onClose(); }}/>
{user?.name}
{user?.email}
)} ); } /* ================================================================= * Wave 4 — admin sub-views * ----------------------------------------------------------------- * Each view fetches its own data on mount and is unmounted when the * operator switches tabs. Failed reads degrade to an empty state with * a small note in the console — admins are mostly the workspace * owner, who has rules-level access to all of these collections, so * errors here usually mean a transient network blip or that the page * is stale (cache age > 1h). * =================================================================*/ /* ---------- Overview tab: counts + storage chart ---------------- */ function AdminOverviewView({ allUsers, onToast }) { const [counts, setCounts] = useState(null); // {files, projects, users, hubs, activity7d} const [totalBytes, setTotalBytes] = useState(null); useEffect(() => { let alive = true; window.api.adminGetSystemCounts?.().then(c => { if (alive) setCounts(c); }) .catch(() => { if (alive) setCounts({}); }); window.api.adminGetTotalStorageBytes?.().then(b => { if (alive) setTotalBytes(b); }) .catch(() => {}); return () => { alive = false; }; }, []); // Top-10 storage hogs from the cached allUsers list. Falls back gracefully // if the parent hasn't finished loading allUsers yet. const topUsers = (allUsers || []) .filter(u => (u.sizeBytes || 0) > 0) .slice() .sort((a, b) => (b.sizeBytes || 0) - (a.sizeBytes || 0)) .slice(0, 10); const maxBytes = topUsers[0]?.sizeBytes || 1; const stat = (label, value, sub) => (
{label}
{value === null ?
:
{value}
} {sub &&
{sub}
}
); return ( <>

System totals

{stat("Users", counts?.users ?? null)} {stat("Projects", counts?.projects ?? null)} {stat("Files", counts?.files ?? null)} {stat("Hubs", counts?.hubs ?? null)} {stat("Storage used", totalBytes === null ? null : fmtBytes(totalBytes), allUsers ? `${allUsers.length} signed-in users` : "")} {stat("Activity (7 d)", counts?.activity7d ?? null, "events written this week")}

Top storage by user

{!allUsers && (
Loading user totals…
)} {allUsers && topUsers.length === 0 && (
No files uploaded yet, so nothing to chart.
)} {topUsers.length > 0 && (
{topUsers.map(u => { const pct = Math.max(2, Math.round(((u.sizeBytes || 0) / maxBytes) * 100)); return (
{u.name} {u.email}
{fmtBytes(u.sizeBytes || 0)}
); })}
)}
); } /* ---------- All-files tab: system-wide table ------------------- */ function AdminAllFilesView({ allUsers, onToast, onOpenFile }) { const [files, setFiles] = useState(null); const [search, setSearch] = useState(""); const [kindFilter, setKindFilter] = useState(""); useEffect(() => { let alive = true; window.api.adminListAllFiles?.(200).then(f => { if (alive) setFiles(f || []); }) .catch(() => { if (alive) setFiles([]); }); return () => { alive = false; }; }, []); const kindsAvailable = Array.from(new Set((files || []).map(f => f.kind).filter(Boolean))).sort(); const ownersByUid = {}; (allUsers || []).forEach(u => { ownersByUid[u.id] = u; }); const q = search.trim().toLowerCase(); const visible = (files || []).filter(f => { if (kindFilter && f.kind !== kindFilter) return false; if (!q) return true; const owner = ownersByUid[f.ownerUid] || ownersByUid[f.ownerId]; return (f.name || "").toLowerCase().includes(q) || (owner?.email || "").toLowerCase().includes(q) || (f.kind || "").toLowerCase().includes(q); }); const copyShareLink = async (file) => { try { if (file.shareToken) { const url = `${location.origin}/?share=${file.id}&t=${file.shareToken}`; await navigator.clipboard.writeText(url); onToast?.("Public share link copied", "link"); } else { const url = `${location.origin}/?file=${file.id}`; await navigator.clipboard.writeText(url); onToast?.("Internal file link copied", "link"); } } catch (e) { onToast?.("Couldn't copy link", "alert-circle"); } }; return (
setSearch(e.target.value)} placeholder="Search by name, owner email, kind…"/> {search && ( )}
{files === null ? "Loading…" : `${visible.length} of ${files.length} shown`}
{files === null && (
Loading files… (capped at the 200 most recently updated)
)} {files && files.length === 0 && (
No files visible. If you expected results here, hard-refresh (Ctrl+Shift+R) to clear stale rules cache and try again.
)} {files && files.length > 0 && (
{visible.map(f => { const owner = ownersByUid[f.ownerUid] || ownersByUid[f.ownerId]; const isPublic = f.shareState === "public-read"; return ( ); })}
Name Owner Kind Size Modified Share
{f.name}
{owner?.email || (f.ownerUid ? `${f.ownerUid.slice(0,8)}…` : "—")} {f.kind || "—"} {fmtBytes(f.sizeBytes || 0)} {fmtRelative(f.updatedAt)} {isPublic ? "Public" : "Private"}
)}
); } /* ---------- Activity tab: audit log ---------------------------- */ function AdminActivityView({ allUsers, onToast, onOpenFile }) { const [events, setEvents] = useState(null); const [typeFilter, setTypeFilter] = useState(""); const [actorFilter, setActorFilter] = useState(""); useEffect(() => { let alive = true; window.api.adminListActivity?.(100).then(e => { if (alive) setEvents(e || []); }) .catch(() => { if (alive) setEvents([]); }); return () => { alive = false; }; }, []); const ownersByUid = {}; (allUsers || []).forEach(u => { ownersByUid[u.id] = u; }); const types = Array.from(new Set((events || []).map(e => e.type).filter(Boolean))).sort(); const visible = (events || []).filter(e => { if (typeFilter && e.type !== typeFilter) return false; if (actorFilter && e.actorUid !== actorFilter) return false; return true; }); return (
{events === null ? "Loading…" : `${visible.length} of ${events.length} events`}
{events === null && (
Loading activity…
)} {events && events.length === 0 && (
No activity events yet. Uploads, restores, and shares all write to the audit log automatically.
)} {visible.length > 0 && (
{visible.map(e => { const actor = ownersByUid[e.actorUid]; return (
{fmtRelative(e.at)} {e.type || "event"} {actor && } {actor?.name || (e.actorUid ? e.actorUid.slice(0, 8) + "…" : "Unknown")} {actor?.email && <> · {actor.email}} {e.fileId ? : } {e.source && <> · {e.source}}
); })}
)}
); } /* ---------- Admin staff tab: who else can manage --------------- */ // Surfaces the subset of allowlist entries with role === "admin", plus the // hardcoded owner. Adding/removing admins is the same operation as toggling // an allowlist entry's role to/from "admin" — we just present it through a // dedicated UI so the operator doesn't have to scroll the full member list. function AdminStaffView({ list, isOwnerUser, onSave, onToast }) { const [email, setEmail] = useState(""); const owner = list.find(x => x.email.toLowerCase() === OWNER_EMAIL) || { email: OWNER_EMAIL, role: "owner", addedAt: null }; const admins = list.filter(x => x.role === "admin" && x.email.toLowerCase() !== OWNER_EMAIL); const promote = () => { const e = email.trim().toLowerCase(); if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e)) { onToast?.("Enter a valid email", "alert-circle"); return; } if (e === OWNER_EMAIL) { onToast?.("Owner is already an admin", "info"); return; } const next = list.slice(); const idx = next.findIndex(x => x.email.toLowerCase() === e); if (idx >= 0) { if (next[idx].role === "admin") { onToast?.(`${e} is already an admin`, "info"); return; } next[idx] = { ...next[idx], role: "admin" }; } else { next.push({ email: e, role: "admin", addedAt: new Date().toISOString() }); } onSave(next); setEmail(""); onToast?.(`${e} is now an admin`, "shield-check"); }; const demote = (targetEmail) => { if (targetEmail.toLowerCase() === OWNER_EMAIL) { onToast?.("Can't change the owner's role", "shield"); return; } const next = list.map(x => x.email.toLowerCase() === targetEmail.toLowerCase() ? { ...x, role: "member" } : x); onSave(next); onToast?.(`${targetEmail} → member`, "user-minus"); }; // Live-validation hint for the promote input. const hint = (() => { const trimmed = email.trim().toLowerCase(); if (!trimmed) return null; if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmed)) { return { cls: "is-error", icon: "alert-circle", text: "That doesn't look like an email." }; } if (trimmed === OWNER_EMAIL) { return { cls: "is-warn", icon: "info", text: "Owner already has admin powers." }; } const cur = list.find(x => x.email.toLowerCase() === trimmed); if (cur && cur.role === "admin") { return { cls: "is-warn", icon: "info", text: `${trimmed} is already an admin.` }; } if (cur) { return { cls: "is-ok", icon: "shield-check", text: `Will promote ${trimmed} from ${cur.role} to admin.` }; } return { cls: "is-ok", icon: "user-plus", text: `Will add ${trimmed} to the allowlist as admin.` }; })(); return ( <>

Promote a user to admin

Admins can read and write every collection except the owner's own profile. The owner ({OWNER_EMAIL}) is hardcoded in the rules and can't be removed.

setEmail(e.target.value)} placeholder="person@company.com" onKeyDown={(e) => e.key === "Enter" && promote()}/> → ADMIN
{hint && (
{hint.text}
)}

Current admins ({admins.length + 1})

{/* Owner row — always present, always first, never removable. */}
{owner.email}
Workspace owner · hardcoded in the rules
Owner
{admins.map(a => (
{a.email}
Promoted {a.addedAt ? fmtRelative(a.addedAt) : "—"}
Admin
))} {admins.length === 0 && (
No additional admins. The owner is the sole administrator.
)}
); } function hashHue(s) { let h = 0; for (let i = 0; i < s.length; i++) h = (h * 31 + s.charCodeAt(i)) % 360; return h; } Object.assign(window, { GoogleAccountPicker, AccessDeniedView, AdminView, ConfirmDialog, RolePopover, UserContextMenu, StorageLimitModal, GuestExpirationModal, AdminOverviewView, AdminAllFilesView, AdminActivityView, AdminStaffView, });