# dd0c Shared Modules

Reusable code shared across all dd0c products.

## Files

- `auth.ts` — JWT + API key authentication middleware, RBAC, login/signup routes
- `db.ts` — PostgreSQL connection pool with RLS `withTenant()` helper

## Usage

Copy into each product's `src/` directory, or symlink during build. These are kept here as the canonical source of truth.

## Auth Flow

1. **JWT (Browser/API):** `Authorization: Bearer ` → decoded → `req.tenantId`, `req.userId`, `req.userRole`
2. **API Key (Agent/CLI):** `X-API-Key: dd0c_<32hex>` → prefix lookup → bcrypt verify → tenant context
3. **Webhook (HMAC):** Per-provider signature validation (skips JWT middleware)
4. **Slack (Signing Secret):** Slack request signature verification (skips JWT middleware)

## RBAC Hierarchy

`owner > admin > member > viewer`

Use `requireRole(req, reply, 'admin')` in route handlers for access control.
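
The API key path in step 2 of the Auth Flow (format check → prefix lookup → slow-hash verify → tenant context), sketched as an added example; this is not the code in `auth.ts`. Assumptions: the lookup prefix is the first 8 hex characters after `dd0c_`, an in-memory `Map` stands in for the key table, Node's built-in scrypt stands in for bcrypt so the block has no dependencies, and `issueKey`, `authenticateApiKey` and `keyTable` are hypothetical names.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Key format from the README: "dd0c_" followed by 32 lowercase hex characters.
const KEY_FORMAT = /^dd0c_([0-9a-f]{32})$/;
// Assumption: the first 8 hex characters are stored in clear as the lookup prefix.
const PREFIX_LEN = 8;

interface ApiKeyRow { tenantId: string; salt: Buffer; hash: Buffer; revoked: boolean }

// Constructed in-memory stand-in for the API key table, indexed by prefix.
const keyTable = new Map<string, ApiKeyRow[]>();

// Stand-in for bcrypt: a salted, deliberately slow KDF from the standard library.
function slowHash(secret: string, salt: Buffer): Buffer {
  return scryptSync(secret, salt, 32);
}

// Issue a key. Only prefix, salt and hash are stored; the key itself is
// returned to the caller once and cannot be recovered from the table.
function issueKey(tenantId: string): string {
  const key = "dd0c_" + randomBytes(16).toString("hex");
  const salt = randomBytes(16);
  const prefix = key.slice(5, 5 + PREFIX_LEN);
  const rows = keyTable.get(prefix) ?? [];
  rows.push({ tenantId, salt, hash: slowHash(key, salt), revoked: false });
  keyTable.set(prefix, rows);
  return key;
}

// Returns the tenant id for a valid key, or null.
// Malformed headers are rejected before any hashing, so junk input cannot be
// used to make the server spend CPU on the slow hash.
function authenticateApiKey(header: string | undefined): string | null {
  const m = header ? KEY_FORMAT.exec(header) : null;
  if (!m) return null;
  // Salted hashes cannot be queried by equality; the prefix narrows the
  // search to the few rows (usually one) that must be verified.
  const candidates = keyTable.get(m[1].slice(0, PREFIX_LEN)) ?? [];
  for (const row of candidates) {
    if (row.revoked) continue;
    const computed = slowHash(m[0], row.salt);
    if (timingSafeEqual(computed, row.hash)) return row.tenantId;
  }
  return null;
}
```

The returned tenant id is what a middleware would attach as `req.tenantId` before any `withTenant()` query runs.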