name: B2B Org Refactor Plan overview: Phased refactor of imasD Portal to support VENDOR (ImasD)/PARTNER/CLIENT company kinds, unified onboarding with immutable PARTNER role, Position-based org context, L1/L2 support assignments, agent routing with user availability/ranking, Bull Board queue isolation, and segregated permission layers—while preserving Kafka sync compatibility. todos:

id: phase1-schema content: "Phase 1: Prisma schema — CompanyKind, Position, Team, PartnerRegistry, ClientSupport, SupportAgent, User.presenceActive/priorityRank, migration + backfill" status: pending
id: phase2-rbac content: "Phase 2: Permission layers (GENERAL/SYSTEM/PARTNER), Role.isLocked, locked PARTNER/SUPPORT role templates, RBAC API guards" status: pending
id: phase3-onboarding content: "Phase 3: Unified onboarding — onboardingKind on token, generate-link auth matrix, completeOnboarding PARTNER/CLIENT branches" status: pending
id: phase4-isolation content: "Phase 4: Session INTERNAL position default, tenant-scoped query filters, Bull Board VENDOR-only gate" status: pending
id: phase5-support content: "Phase 5: SupportAgent CRUD, routing service, email notifications, SUPPORT role provisioning on client onboarding" status: pending
id: phase6-sync content: "Phase 6: Extend Kafka entity/user sync schemas and SF/SMP consumers" status: pending
id: phase7-frontend content: "Phase 7: Frontend — onboarding kind selector, agent management UI, presence toggle" status: pending
id: phase8-tests-ci content: "Phase 8: Unit/integration/security tests + wire node:test in CI" status: pending isProject: false

B2B Platform Refactor: Vendors, Partners & End Clients

Terminology (locked)

Actor	`Company.kind`	Role(s)	Notes
ImasD / PBO	`VENDOR`	System roles + `User.admin`	Platform operator; sole Bull Board access
Reseller	`PARTNER`	Immutable `PARTNER` role + ADMIN/MANAGER/USER	Created via vendor-only partner onboarding
End customer	`CLIENT`	ADMIN/MANAGER/USER + `SUPPORT` (L1/L2 agents)	Created via vendor or partner onboarding

Naming guardrail: Role.PARTNER (RBAC) != PositionType org enum. Recommend renaming position enum to ORG_PARTNER / ORG_PBO in schema to avoid code collisions.

Current baseline (schema.prisma)

Company has no kind; org is Department + DepartmentUser only
Default roles: ADMIN/MANAGER/USER via default-roles.ts
Onboarding: single path in onboarding.controller.ts; auto-ADMIN for all @imasdconsult.com
Permissions: flat portal:* tree in portal-permissions.ts; system: true flag exists but is not layered
Bull Board: queues.route.ts allows User.admin OR portal:queue:view (managers today)
Support tickets: company-scoped in support.controller.ts; emails to SUPPORT_EMAIL on submit
Entity sync: only client | company | department (entity.ts)

Target architecture

[Diagram]

┌─────────────────────────────────────────────────────────────────┐
│                        UNIFIED ONBOARDING                        │
├─────────────────────────────────────────────────────────────────┤
│  Generate Link (auth-gated)                                      │
│    ├─ kind=PARTNER  → only VENDOR users (system perms)           │
│    └─ kind=CLIENT   → VENDOR users OR PARTNER role holders       │
│                          (+ L1 partner ref if from partner)      │
├─────────────────────────────────────────────────────────────────┤
│  Same wizard UI (/onboarding) — token carries onboardingKind     │
├─────────────────────────────────────────────────────────────────┤
│  Complete (branch by kind)                                       │
│    PARTNER: Company.kind=PARTNER + PartnerRegistry + locked role │
│    CLIENT:  Company.kind=CLIENT + ClientSupport + SUPPORT role   │
└─────────────────────────────────────────────────────────────────┘

1. Database schema (PostgreSQL / Prisma)

1.1 Enums

CREATE TYPE "CompanyKind" AS ENUM ('VENDOR', 'PARTNER', 'CLIENT');
CREATE TYPE "PositionType" AS ENUM ('INTERNAL', 'EXTERNAL', 'ORG_PARTNER', 'PBO');
CREATE TYPE "OnboardingKind" AS ENUM ('PARTNER', 'CLIENT');
CREATE TYPE "PermissionLayer" AS ENUM ('GENERAL', 'SYSTEM', 'PARTNER');
CREATE TYPE "SupportTier" AS ENUM ('L1', 'L2');

1.2 Core extensions

company

kind CompanyKind NOT NULL DEFAULT 'CLIENT'
Partial unique index: exactly one VENDOR row (enforced in migration seed + app guard)
Index on kind

user (abstract presence/ranking — not support-named)

priorityRank Int NOT NULL DEFAULT 0 — higher = preferred for routing tie-breaks
presenceActive Boolean NOT NULL DEFAULT true — general availability (OOO/off-duty); reusable beyond support

role

isLocked Boolean NOT NULL DEFAULT false — true for system PARTNER and SUPPORT template roles
permissionLayer PermissionLayer NOT NULL DEFAULT 'GENERAL'

permission

layer PermissionLayer NOT NULL DEFAULT 'GENERAL' — segregates catalog in API/UI

1.3 New tables

team / sub_team

model Team {
  id           String
  companyId    String
  departmentId String?
  name         String
  isDefault    Boolean @default(false)
  deletedAt    DateTime?
}
model SubTeam { /* teamId, companyId, departmentId, name, isDefault */ }

position (org only — no permissions)

model Position {
  id           String @id
  userId       String
  companyId    String
  departmentId String?
  teamId       String?
  subTeamId    String?
  type         PositionType
  title        String?        // e.g. "CTO"
  createdBy    String?
  createdAt    DateTime
  updatedAt    DateTime
  deletedAt    DateTime?
  @@index([userId, type])
  @@index([companyId])
}

Constraint (app-level + partial unique index): one INTERNAL per userId where deletedAt IS NULL.

partner_registry

model PartnerRegistry {
  vendorCompanyId  String   // VENDOR (ImasD)
  partnerCompanyId String   // PARTNER
  createdAt        DateTime
  @@id([vendorCompanyId, partnerCompanyId])
}

client_support (one row per tier per client — exactly one L1 and one L2)

model ClientSupport {
  id                String      @id
  clientCompanyId   String      // CLIENT company receiving support
  tier              SupportTier // L1 or L2
  providerCompanyId String      // company responsible for this tier
  createdAt         DateTime
  updatedAt         DateTime

  @@unique([clientCompanyId, tier])  // enforces exactly one L1 + one L2 per client
  @@index([providerCompanyId])
}

Tier semantics and validation (app + DB checks):

Tier	`providerCompanyId` must be	Typical case
`L1`	`PARTNER` or `VENDOR`	Partner reseller, or ImasD on direct sale
`L2`	`VENDOR` only	Always ImasD (escalation)

Provisioning rules:

Every CLIENT company must have exactly 2 rows after onboarding: one L1, one L2
Direct ImasD sale (no partner): L1.providerCompanyId = VENDOR and L2.providerCompanyId = VENDOR (same company, different tiers)
Partner-sourced client: L1.providerCompanyId = PARTNER, L2.providerCompanyId = VENDOR
Upsert helper ensureClientSupportCoverage(clientCompanyId, l1ProviderId, l2ProviderId) creates/updates both rows atomically in a transaction

support_agent (users designated as agents within a provider company)

model SupportAgent {
  id                String  @id
  userId            String
  providerCompanyId String  // PARTNER (L1) or VENDOR (L2) company the agent belongs to
  clientCompanyId   String? // null = pool agent for all clients under this provider
  priorityOverride  Int?    // optional; falls back to user.priorityRank
  active            Boolean @default(true)
  createdAt         DateTime

  @@unique([userId, providerCompanyId, clientCompanyId])
  @@index([providerCompanyId, active])
  @@index([clientCompanyId])
}

invitation_token extension

onboardingKind OnboardingKind? — set at link generation

1.4 ER diagram (ASCII)

Client 1──* Company (kind: VENDOR|PARTNER|CLIENT)
Company 1──* Department 1──* Team 1──* SubTeam
User 1──* Position *──1 Company/Department/Team/SubTeam
User 1──* UserRole *──1 Role (isLocked?)
PartnerRegistry: VENDOR.company ── PARTNER.company
ClientSupport: CLIENT.company × {L1, L2} ──► provider Company (PARTNER or VENDOR)
SupportAgent: User ── provider Company ──? specific CLIENT.company
SupportTicket ── CLIENT.company (existing)

1.5 Migration / backfill (prisma/migrations)

Add columns/tables with nullable defaults
Seed ImasD company as sole kind=VENDOR (env IMASD_VENDOR_COMPANY_ID)
Backfill existing companies as CLIENT (or infer PARTNER later manually)
Migrate department_user → position (type=INTERNAL or EXTERNAL)
Seed permission layers + locked PARTNER/SUPPORT role templates
Remove auto-ADMIN grants for @imasdconsult.com in new onboardings (retain explicit ClientSupport + SupportAgent rows for legacy via script)

2. Permission model (three layers)

Extend portal-permissions.ts:

Layer	Key prefix	Assignable on	Examples
`GENERAL`	`portal:`	All companies	`user:view`, `ticket:create`
`SYSTEM`	`portal:system:`	VENDOR only	`onboarding:partner`, `onboarding:client`, `queue:view`, `config:edit`
`PARTNER`	`portal:partner:`	PARTNER only (requires `partner_registry`)	`onboarding:client`, `client:view` (scoped)

Immutable PARTNER role (on PARTNER companies):

Created at partner onboarding with fixed RolePermission set (layer=PARTNER)
isLocked=true — block in rbac.controller.ts: updateRole, deleteRole, assignPermissionsToRole, removePermissionsFromRole
UI: hide edit controls in role management for locked roles
Assignment of locked role to users remains allowed (INTERNAL positions only)

SUPPORT role (on CLIENT companies):

Locked template; permissions: ticket:view (scoped), ticket:create messages — not portal:system:queue:view
Assigned to L1/L2 users listed in support provisioning

Middleware (rbac/http/context.ts):

Resolve company.kind on every permission check
Reject SYSTEM layer grants if kind != VENDOR
Reject PARTNER layer grants if kind != PARTNER or missing registry row

3. Unified onboarding (onboarding.controller.ts)

3.1 Link generation

Extend onboardingGenerateLinkSchema:

onboardingKind: z.enum(['PARTNER', 'CLIENT'])
sponsorPartnerCompanyId: z.string().uuid().optional() // required when generator is PARTNER

`onboardingKind`	Who can generate	Result
`PARTNER`	VENDOR + `portal:system:onboarding:partner`	New PARTNER company
`CLIENT`	VENDOR + `portal:system:onboarding:client` OR PARTNER + `portal:partner:onboarding:client`	New CLIENT company

Replace assertInternalAdmin in onboarding-invites.ts with permission + kind checks.

3.2 Complete flow branches

PARTNER completion:

Company.kind = PARTNER
PartnerRegistry(vendor=ImasD, partner=newCo)
createDefaultRolesForCompany + createLockedPartnerRole
Assign initial admin: INTERNAL position + PARTNER role (locked) + ADMIN
No ClientSupport, no SUPPORT role, no auto-ADMIN for ImasD staff

CLIENT completion:

Company.kind = CLIENT
ensureClientSupportCoverage(client, tier=L1, provider=sponsorPartner ?? ImasD) + ensureClientSupportCoverage(client, tier=L2, provider=ImasD) — two rows, @@unique([clientCompanyId, tier]) guarantees no duplicates
createDefaultRolesForCompany + createLockedSupportRole
Assign initial admin: INTERNAL + ADMIN
Resolve L1 agents: active SupportAgent rows where providerCompanyId = L1.providerCompanyId and (clientCompanyId = client OR clientCompanyId IS NULL)
Resolve L2 agents: same pattern for L2.providerCompanyId (VENDOR pool)
Assign SUPPORT role to resolved L1/L2 users in client company scope
No PARTNER role on CLIENT company

3.3 UI (onboarding/page.tsx)

Same wizard; optional banner when data-removed=PARTNER
Generate-link modal: kind selector + vendor-only partner checkbox
Role picker in invites: never show PARTNER or SUPPORT (server-enforced)

4. Session & data isolation

4.1 Primary company (auth/utils/queries.ts)

current_company_id: cookie/header validated against accessible set
Default company: position WHERE type=INTERNAL (not first RBAC company)
accessible_company_ids: union of position companies + RBAC grants

4.2 Visibility rules (API query filters)

Context	Rule
User lists in CLIENT app tables	Exclude users whose only VENDOR positions are `PBO` unless viewer is PBO/VENDOR
PARTNER role	Never returned in role APIs for `kind=CLIENT` companies
Cross-tenant	All list endpoints filter by `current_company_id`; assert FK ownership
ImasD staff	Visible in VENDOR context; hidden from CLIENT user pickers unless SUPPORT-assigned

Implement shared helper: buildCompanyScopedUserWhere(companyId, viewerContext) used in users.controller.ts.

4.3 Bull Board isolation (queues.route.ts)

New rule (confirmed): access only if:

current_company_id belongs to Company.kind=VENDOR, AND
portal:system:queue:view OR User.admin

Remove portal:queue:view from MANAGER default on non-VENDOR companies; migrate key to portal:system:queue:view.

5. Support routing & notifications

[Diagram]

Router service (new: apps/backend/src/services/support-agent-router.ts):

Input: clientCompanyId, optional applicationId
Load both ClientSupport rows (tier=L1 and tier=L2); fail closed if either missing
For each tier, resolve SupportAgent rows where providerCompanyId matches and (clientCompanyId = client OR clientCompanyId IS NULL)
Notify L1 agents first; include L2 agents for visibility/escalation (configurable via notifyL2OnCreate flag)
Filter: support_agent.active, user.presenceActive, user.banned != true
Sort: COALESCE(priorityOverride, user.priorityRank) DESC
Output: email list for add-support-agent-notification.ts (new job type)

Extend support.controller.ts createSupportTicket to call router after existing sendSupportTicketToTeam.

Partner agent designation API (new routes under /app/support-agents):

CRUD SupportAgent — gated by portal:partner:support:manage on PARTNER company
VENDOR manages L2 pool via portal:system:support:manage

6. Kafka sync extension (Phase 5)

Update entity.ts: add team, sub_team, position, partner_registry, client_support.

Update sync-service.ts publishers and smartfactory portal-sync consumers.

User sync payload: include positions[], primaryCompanyId (INTERNAL), companyKind per membership.

7. Execution phases

Phase 1 — Schema & migrations (no behavior change)

Prisma models + migrations + seed VENDOR kind
Backfill positions from department_user
Add User.presenceActive, User.priorityRank
PR: migration: add company kind position support tables

Phase 2 — Permission layers & locked roles

Permission catalog split GENERAL/SYSTEM/PARTNER
Role.isLocked enforcement in RBAC API
createLockedPartnerRole, createLockedSupportRole templates
Bull Board gate to VENDOR + system queue perm
PR: feat(rbac): segregate permission layers and lock system roles

Phase 3 — Unified onboarding

onboardingKind on token + generate-link auth matrix
Branch completeOnboarding PARTNER vs CLIENT
Remove blanket ImasD ADMIN grant (feature flag data-removed=false)
Schemas + api-client regen
PR: feat(onboarding): unified partner and client provisioning

Phase 4 — Session & isolation

INTERNAL position default in auth middleware
Company-scoped user/role query filters
Hide locked roles from CLIENT company role APIs
Frontend switcher uses position breadcrumb
PR: feat(session): position-based context and tenant isolation

Phase 5 — Support engine

SupportAgent CRUD API
Router service + email job + transactional template
Assign SUPPORT role on client onboarding
PR: feat(support): agent routing and partner designation

Phase 6 — Sync & downstream apps

Entity/user sync schema bump
SF/SMP consumer updates
Full sync backfill job
PR: feat(sync): publish positions and client support coverage

Phase 7 — Frontend polish

Onboarding link modal kind selector
Support agent management UI for PARTNER admins
User profile: presenceActive toggle + priorityRank (admin-only edit)
PR: feat(frontend): partner onboarding and support agent UI

8. Testing strategy

Unit tests (`node:test` — extend existing pattern in rbac/tests)

Module	Cases
`support-agent-router`	No agents; all `presenceActive=false`; priority tie-break; L1 then L2 tier resolution; missing L1/L2 row fails closed
`client-support-coverage`	Duplicate tier rejected; direct sale L1=L2 vendor; partner sale L1=partner L2=vendor
`locked-role-guard`	Reject permission mutation on `isLocked` roles; allow user assignment
`company-kind-guard`	SYSTEM perm rejected on CLIENT; PARTNER perm rejected without registry
`position-resolver`	Single INTERNAL; missing INTERNAL fallback; deleted position ignored

Integration tests (new `apps/backend/src/tests/integration/`)

Onboarding PARTNER creates registry + locked role; CLIENT does not
Onboarding CLIENT from PARTNER creates two ClientSupport rows (L1=partner, L2=vendor); duplicate tier insert fails on @@unique
Direct sale creates L1=L2=vendor (two rows, same providerCompanyId)
RBAC API returns 403 on editing PARTNER role permissions
Bull Board 403 for PARTNER company user with old queue perm
Support ticket creation enqueues N agent emails (mock nodemailer/Bull)

Security / isolation tests

PARTNER user A cannot list users from CLIENT company B
CLIENT admin cannot see portal:system:queue:view in effective permissions
PARTNER role not in GET /rbac/roles for CLIENT company
Cross-tenant ticket access returns 404/403
PBO-position users hidden from CLIENT user tables

Wire tests in CI

Add to apps/backend/package.json: "test": "node --test --import tsx src/**/*.test.ts"

9. Git commit & PR strategy

Branch: feat/b2b-org-refactor with stacked PRs into main.

PR	Commits (Conventional)	Scope
PR-1	`migration: add CompanyKind Position ClientSupport tables`	Schema only
PR-2	`feat(rbac): add permission layers and Role.isLocked`	RBAC catalog + guards
PR-3	`feat(rbac): enforce locked role mutation guard`	Controller + tests
PR-4	`feat(onboarding): add onboardingKind to invitation token`	Schemas + JWT
PR-5	`feat(onboarding): partner completion provisioning`	Controller branch
PR-6	`feat(onboarding): client completion with ClientSupport`	Controller branch
PR-7	`fix(onboarding): remove auto imasd admin grant`	Breaking; flag first
PR-8	`feat(auth): resolve primary company from INTERNAL position`	Session
PR-9	`feat(users): tenant-scoped list filters`	Isolation
PR-10	`feat(admin): restrict Bull Board to VENDOR company`	Queue isolation
PR-11	`feat(support): agent router and email dispatch`	Routing engine
PR-12	`feat(support): SupportAgent CRUD API`	Partner agents
PR-13	`feat(sync): extend entity sync schema v2`	Kafka
PR-14	`feat(frontend): onboarding kind and agent UI`	UI

Deployment: feature flags per phase (POSITION_SESSION_ENABLED, ONBOARDING_KIND_ENABLED, SUPPORT_AGENT_ROUTING_ENABLED); enable in staging → prod after backfill jobs complete.

10. Risks & mitigations

Risk	Mitigation
Breaking existing onboardings	Feature flags; dual-read `department_user` during migration
Manager loses Bull Board access	Expected; document migration to VENDOR-only
PARTNER/PBO name collision	Rename position enums to `ORG_*`
Kafka consumers lag	Versioned events; deploy consumers before publishers
Over-notification to agents	Debounce per ticket; `notifyOnNewTicket` flag on `SupportAgent`

11. Environment variables (new)

IMASD_VENDOR_COMPANY_ID — sole VENDOR company UUID
ONBOARDING_LEGACY_IMD_ADMIN — temporary rollback for auto-ADMIN behavior
POSITION_SESSION_ENABLED — gradual session rollout