Remove multi-tenant company_id scoping from entire codebase

Drop company_id column from all 22 domain tables via migration. Remove companyId from JWT payload, auth plugins, all service method signatures (~215 occurrences), all route handlers (~105 occurrences), test runner, test suites, and frontend auth store/types. The company table stays as store settings (name, timezone). Tenant isolation in a SaaS deployment would be at the database level (one DB per customer) not the application level. All 107 API tests pass. Zero TSC errors across all packages.
2026-03-29 14:58:33 -05:00
parent 55f8591cf1
commit d36c6f7135
35 changed files with 353 additions and 511 deletions
--- a/packages/backend/src/services/lookup.service.ts
+++ b/packages/backend/src/services/lookup.service.ts
@@ -1,4 +1,4 @@
-import { eq, and } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import type { PostgresJsDatabase } from 'drizzle-orm/postgres-js'
 import { ForbiddenError } from '../lib/errors.js'
 import {
@@ -14,46 +14,44 @@ function createLookupService(
  systemSeeds: ReadonlyArray<{ slug: string; name: string; description: string; sortOrder: number }>,
 ) {
  return {
-    async seedForCompany(db: PostgresJsDatabase<any>, companyId: string) {
+    async seedDefaults(db: PostgresJsDatabase<any>) {
      const existing = await db
        .select()
        .from(table)
-        .where(and(eq(table.companyId, companyId), eq(table.isSystem, true)))
+        .where(eq(table.isSystem, true))
        .limit(1)

      if (existing.length > 0) return // already seeded

      await db.insert(table).values(
        systemSeeds.map((seed) => ({
-          companyId,
          ...seed,
          isSystem: true,
        })),
      )
    },

-    async list(db: PostgresJsDatabase<any>, companyId: string) {
+    async list(db: PostgresJsDatabase<any>) {
      return db
        .select()
        .from(table)
-        .where(and(eq(table.companyId, companyId), eq(table.isActive, true)))
+        .where(eq(table.isActive, true))
        .orderBy(table.sortOrder)
    },

-    async getBySlug(db: PostgresJsDatabase<any>, companyId: string, slug: string) {
+    async getBySlug(db: PostgresJsDatabase<any>, slug: string) {
      const [row] = await db
        .select()
        .from(table)
-        .where(and(eq(table.companyId, companyId), eq(table.slug, slug)))
+        .where(eq(table.slug, slug))
        .limit(1)
      return row ?? null
    },

-    async create(db: PostgresJsDatabase<any>, companyId: string, input: LookupCreateInput) {
+    async create(db: PostgresJsDatabase<any>, input: LookupCreateInput) {
      const [row] = await db
        .insert(table)
        .values({
-          companyId,
          name: input.name,
          slug: input.slug,
          description: input.description,
@@ -64,12 +62,12 @@ function createLookupService(
      return row
    },

-    async update(db: PostgresJsDatabase<any>, companyId: string, id: string, input: LookupUpdateInput) {
+    async update(db: PostgresJsDatabase<any>, id: string, input: LookupUpdateInput) {
      // Prevent modifying system rows' slug or system flag
      const existing = await db
        .select()
        .from(table)
-        .where(and(eq(table.id, id), eq(table.companyId, companyId)))
+        .where(eq(table.id, id))
        .limit(1)

      if (!existing[0]) return null
@@ -80,16 +78,16 @@ function createLookupService(
      const [row] = await db
        .update(table)
        .set(input)
-        .where(and(eq(table.id, id), eq(table.companyId, companyId)))
+        .where(eq(table.id, id))
        .returning()
      return row ?? null
    },

-    async delete(db: PostgresJsDatabase<any>, companyId: string, id: string) {
+    async delete(db: PostgresJsDatabase<any>, id: string) {
      const existing = await db
        .select()
        .from(table)
-        .where(and(eq(table.id, id), eq(table.companyId, companyId)))
+        .where(eq(table.id, id))
        .limit(1)

      if (!existing[0]) return null
@@ -99,13 +97,13 @@ function createLookupService(

      const [row] = await db
        .delete(table)
-        .where(and(eq(table.id, id), eq(table.companyId, companyId)))
+        .where(eq(table.id, id))
        .returning()
      return row ?? null
    },

-    async validateSlug(db: PostgresJsDatabase<any>, companyId: string, slug: string): Promise<boolean> {
-      const row = await this.getBySlug(db, companyId, slug)
+    async validateSlug(db: PostgresJsDatabase<any>, slug: string): Promise<boolean> {
+      const row = await this.getBySlug(db, slug)
      return row !== null && row.isActive
    },
  }