@cyberismo/backend 0.0.21 → 0.0.22

package/dist/app.d.ts

@@ -11,11 +11,14 @@
   License along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
 import { Hono } from 'hono';
+import type { CommandManager } from '@cyberismo/data-handler';
 import type { AppVars, TreeOptions } from './types.js';
+import type { AuthProvider } from './auth/types.js';
 /**
  * Create the Hono app for the backend
- * @param projectPath - Path to the project
+ * @param authProvider - Authentication provider
+ * @param commands - CommandManager instance for the project
  */
-export declare function createApp(projectPath?: string, opts?: TreeOptions): Hono<{
+export declare function createApp(authProvider: AuthProvider, commands: CommandManager, opts?: TreeOptions): Hono<{
     Variables: AppVars;
 }, import("hono/types").BlankSchema, "/">;

package/dist/app.js

@@ -12,7 +12,6 @@
 */
 import { Hono } from 'hono';
 import { staticFrontendDirRelative } from './utils.js';
-import { cors } from 'hono/cors';
 import { serveStatic } from '@hono/node-server/serve-static';
 import { attachCommandManager } from './middleware/commandManager.js';
 import calculationsRouter from './domain/calculations/index.js';
@@ -34,20 +33,29 @@ import logicProgramsRouter from './domain/logicPrograms/index.js';
 import { isSSGContext } from 'hono/ssg';
 import treeMiddleware from './middleware/tree.js';
 import projectRouter from './domain/project/index.js';
+import mcpRouter from './domain/mcp/index.js';
+import { createAuthRouter } from './domain/auth/index.js';
+import { createAuthMiddleware } from './middleware/auth.js';
 /**
  * Create the Hono app for the backend
- * @param projectPath - Path to the project
+ * @param authProvider - Authentication provider
+ * @param commands - CommandManager instance for the project
  */
-export function createApp(projectPath, opts) {
+export function createApp(authProvider, commands, opts) {
     const app = new Hono();
-    app.use('/api', cors());
-    app.use('*', serveStatic({
-        root: staticFrontendDirRelative,
-    }));
     app.use(treeMiddleware(opts));
-    // Attach CommandManager to all requests
-    app.use(attachCommandManager(projectPath));
+    // Apply authentication middleware to all API and MCP routes
+    app.use('/api/*', createAuthMiddleware(authProvider));
+    app.use('/mcp', createAuthMiddleware(authProvider));
+    app.use('/mcp/*', createAuthMiddleware(authProvider));
+    // Attach CommandManager to API and MCP routes
+    const commandManagerMiddleware = attachCommandManager(commands);
+    app.use('/api/*', commandManagerMiddleware);
+    app.use('/mcp', commandManagerMiddleware);
+    app.use('/mcp/*', commandManagerMiddleware);
     // Wire up routes
+    app.route('/api/auth', createAuthRouter());
+    // Mount routers
     app.route('/api/calculations', calculationsRouter);
     app.route('/api/cards', cardsRouter);
     app.route('/api/cardTypes', cardTypesRouter);
@@ -63,6 +71,11 @@ export function createApp(projectPath, opts) {
     app.route('/api/logicPrograms', logicProgramsRouter);
     app.route('/api/labels', labelsRouter);
     app.route('/api/project', projectRouter);
+    // MCP endpoint for AI assistant integration
+    app.route('/mcp', mcpRouter);
+    app.use('*', serveStatic({
+        root: staticFrontendDirRelative,
+    }));
     // serve index.html for all other routes
     app.notFound(async (c) => {
         if (c.req.path.startsWith('/api')) {

package/dist/app.js.map

@@ -1 +1 @@
-{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AACF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,kBAAkB,MAAM,gCAAgC,CAAC;AAChE,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,gBAAgB,MAAM,8BAA8B,CAAC;AAC5D,OAAO,iBAAiB,MAAM,+BAA+B,CAAC;AAC9D,OAAO,gBAAgB,MAAM,8BAA8B,CAAC;AAC5D,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,aAAa,MAAM,2BAA2B,CAAC;AACtD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,UAAU,MAAM,wBAAwB,CAAC;AAChD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,YAAY,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,mBAAmB,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,OAAO,cAAc,MAAM,sBAAsB,CAAC;AAClD,OAAO,aAAa,MAAM,2BAA2B,CAAC;AAEtD;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,WAAoB,EAAE,IAAkB;IAChE,MAAM,GAAG,GAAG,IAAI,IAAI,EAA0B,CAAC;IAE/C,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IAExB,GAAG,CAAC,GAAG,CACL,GAAG,EACH,WAAW,CAAC;QACV,IAAI,EAAE,yBAAyB;KAChC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9B,wCAAwC;IACxC,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAC,CAAC;IAE3C,iBAAiB;IACjB,GAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,kBAAkB,CAAC,CAAC;IACnD,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;IACrC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC/C,GAAG,CAAC,KAAK,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;IACjD,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC/C,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IACzC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACnC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC;IACrD,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACvC,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAEzC,wCAAwC;IACxC,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACvB,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CACvD,CAAC;QACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IACH,iBAAiB;IACjB,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QACrB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,uBAAuB;SAC9C,EACD,GAAG,CACJ,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AACF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,yBAAyB,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,kBAAkB,MAAM,gCAAgC,CAAC;AAChE,OAAO,WAAW,MAAM,yBAAyB,CAAC;AAClD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,gBAAgB,MAAM,8BAA8B,CAAC;AAC5D,OAAO,iBAAiB,MAAM,+BAA+B,CAAC;AAC9D,OAAO,gBAAgB,MAAM,8BAA8B,CAAC;AAC5D,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,aAAa,MAAM,2BAA2B,CAAC;AACtD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,UAAU,MAAM,wBAAwB,CAAC;AAChD,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,YAAY,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,eAAe,MAAM,6BAA6B,CAAC;AAC1D,OAAO,mBAAmB,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGxC,OAAO,cAAc,MAAM,sBAAsB,CAAC;AAClD,OAAO,aAAa,MAAM,2BAA2B,CAAC;AACtD,OAAO,SAAS,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG5D;;;;GAIG;AACH,MAAM,UAAU,SAAS,CACvB,YAA0B,EAC1B,QAAwB,EACxB,IAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,IAAI,EAA0B,CAAC;IAE/C,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9B,4DAA4D;IAC5D,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,YAAY,CAAC,CAAC,CAAC;IACtD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,YAAY,CAAC,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,oBAAoB,CAAC,YAAY,CAAC,CAAC,CAAC;IAEtD,8CAA8C;IAC9C,MAAM,wBAAwB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAChE,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC1C,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;IAC5C,iBAAiB;IACjB,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAE3C,gBAAgB;IAChB,GAAG,CAAC,KAAK,CAAC,mBAAmB,EAAE,kBAAkB,CAAC,CAAC;IACnD,GAAG,CAAC,KAAK,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;IACrC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC/C,GAAG,CAAC,KAAK,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;IACjD,GAAG,CAAC,KAAK,CAAC,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC/C,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IACzC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACnC,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAC7C,GAAG,CAAC,KAAK,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC;IACrD,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACvC,GAAG,CAAC,KAAK,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAEzC,4CAA4C;IAC5C,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAE7B,GAAG,CAAC,GAAG,CACL,GAAG,EACH,WAAW,CAAC;QACV,IAAI,EAAE,yBAAyB;KAChC,CAAC,CACH,CAAC;IAEF,wCAAwC;IACxC,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACvB,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CACzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CACvD,CAAC;QACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IACH,iBAAiB;IACjB,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QACrB,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACpC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,CAAC,OAAO,IAAI,uBAAuB;SAC9C,EACD,GAAG,CACJ,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,16 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+export type { AuthProvider } from './types.js';
+export { MockAuthProvider } from './mock.js';
+export { KeycloakAuthProvider } from './keycloak.js';
+export type { KeycloakConfig } from './keycloak.js';

package/dist/auth/index.js

@@ -0,0 +1,15 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+export { MockAuthProvider } from './mock.js';
+export { KeycloakAuthProvider } from './keycloak.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAGF,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC"}

package/dist/auth/keycloak.d.ts

@@ -0,0 +1,27 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import type { UserInfo } from '../types.js';
+import type { AuthProvider } from './types.js';
+export interface KeycloakConfig {
+    issuer: string;
+    audience: string;
+}
+export declare class KeycloakAuthProvider implements AuthProvider {
+    private readonly issuer;
+    private readonly audience;
+    private jwks;
+    constructor(config: KeycloakConfig);
+    private getJWKS;
+    authenticate(req: Request): Promise<UserInfo | null>;
+    private mapRole;
+}

package/dist/auth/keycloak.js

@@ -0,0 +1,81 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import { UserRole } from '../types.js';
+export class KeycloakAuthProvider {
+    issuer;
+    audience;
+    jwks = null;
+    constructor(config) {
+        this.issuer = config.issuer;
+        this.audience = config.audience;
+    }
+    getJWKS() {
+        if (!this.jwks) {
+            const jwksUrl = new URL(`${this.issuer.replace(/\/$/, '')}/protocol/openid-connect/certs`);
+            this.jwks = createRemoteJWKSet(jwksUrl);
+        }
+        return this.jwks;
+    }
+    async authenticate(req) {
+        const authHeader = req.headers.get('authorization');
+        if (!authHeader) {
+            return null;
+        }
+        const token = authHeader.replace(/^Bearer\s+/i, '');
+        if (!token) {
+            return null;
+        }
+        try {
+            const jwks = this.getJWKS();
+            const { payload } = await jwtVerify(token, jwks, {
+                issuer: this.issuer,
+                audience: this.audience,
+            });
+            const claims = payload;
+            const role = this.mapRole(claims.realm_access?.roles);
+            if (!claims.sub) {
+                throw new Error('Missing sub');
+            }
+            if (!claims.email) {
+                throw new Error('Missing email');
+            }
+            return {
+                id: claims.sub,
+                email: claims.email,
+                name: claims.name ?? claims.preferred_username ?? 'Unknown',
+                role,
+            };
+        }
+        catch {
+            // TODO: add proper logging
+            return null;
+        }
+    }
+    mapRole(roles) {
+        if (!roles) {
+            throw new Error('Token missing realm_access roles');
+        }
+        if (roles.includes('admin')) {
+            return UserRole.Admin;
+        }
+        if (roles.includes('editor')) {
+            return UserRole.Editor;
+        }
+        if (roles.includes('reader')) {
+            return UserRole.Reader;
+        }
+        throw new Error('No recognized role found in token');
+    }
+}
+//# sourceMappingURL=keycloak.js.map

package/dist/auth/keycloak.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.js","sourceRoot":"","sources":["../../src/auth/keycloak.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAErD,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAkBvC,MAAM,OAAO,oBAAoB;IACd,MAAM,CAAS;IACf,QAAQ,CAAS;IAC1B,IAAI,GAAiD,IAAI,CAAC;IAElE,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClC,CAAC;IAEO,OAAO;QACb,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,IAAI,GAAG,CACrB,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC,CAClE,CAAC;YACF,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY;QAC7B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;gBAC/C,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAA6B,CAAC;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;YAEtD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;YACjC,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;YACnC,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,MAAM,CAAC,GAAG;gBACd,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,kBAAkB,IAAI,SAAS;gBAC3D,IAAI;aACL,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,2BAA2B;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,OAAO,CAAC,KAAgB;QAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAC,KAAK,CAAC;QACxB,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC;QACzB,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC;QACzB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;CACF"}

package/dist/auth/mock.d.ts

@@ -0,0 +1,23 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import type { UserInfo } from '../types.js';
+import type { AuthProvider } from './types.js';
+export interface MockUserConfig {
+    name?: string;
+    email?: string;
+}
+export declare class MockAuthProvider implements AuthProvider {
+    private readonly userConfig;
+    constructor(config?: MockUserConfig);
+    authenticate(): Promise<UserInfo>;
+}

package/dist/auth/mock.js

@@ -0,0 +1,28 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import { UserRole } from '../types.js';
+export class MockAuthProvider {
+    userConfig;
+    constructor(config) {
+        this.userConfig = config ?? {};
+    }
+    async authenticate() {
+        return {
+            id: 'mock-user',
+            email: this.userConfig.email ?? 'admin@cyberismo.local',
+            name: this.userConfig.name ?? 'Local Admin',
+            role: UserRole.Admin,
+        };
+    }
+}
+//# sourceMappingURL=mock.js.map

package/dist/auth/mock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock.js","sourceRoot":"","sources":["../../src/auth/mock.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AASvC,MAAM,OAAO,gBAAgB;IACV,UAAU,CAAiB;IAE5C,YAAY,MAAuB;QACjC,IAAI,CAAC,UAAU,GAAG,MAAM,IAAI,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,OAAO;YACL,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,uBAAuB;YACvD,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,IAAI,aAAa;YAC3C,IAAI,EAAE,QAAQ,CAAC,KAAK;SACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/auth/types.d.ts

@@ -0,0 +1,16 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import type { UserInfo } from '../types.js';
+export interface AuthProvider {
+    authenticate(req: Request): Promise<UserInfo | null>;
+}

package/dist/auth/types.js

@@ -0,0 +1,14 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE"}

package/dist/domain/auth/index.d.ts

@@ -0,0 +1,14 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import { Hono } from 'hono';
+export declare function createAuthRouter(): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;

package/dist/domain/auth/index.js

@@ -0,0 +1,30 @@
+/**
+  Cyberismo
+  Copyright © Cyberismo Ltd and contributors 2026
+  This program is free software: you can redistribute it and/or modify it under
+  the terms of the GNU Affero General Public License version 3 as published by
+  the Free Software Foundation. This program is distributed in the hope that it
+  will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+  See the GNU Affero General Public License for more details.
+  You should have received a copy of the GNU Affero General Public
+  License along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+import { Hono } from 'hono';
+import { getCurrentUser } from '../../middleware/auth.js';
+export function createAuthRouter() {
+    const router = new Hono();
+    /**
+     * GET /api/auth/me
+     * Returns the current user's information (id, email, name, role)
+     */
+    router.get('/me', async (c) => {
+        const user = getCurrentUser(c);
+        if (!user) {
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+        return c.json(user);
+    });
+    return router;
+}
+//# sourceMappingURL=index.js.map

package/dist/domain/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/domain/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,MAAM,UAAU,gBAAgB;IAC9B,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IAE1B;;;OAGG;IACH,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QAE/B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/domain/calculations/index.js

@@ -14,6 +14,8 @@ import { Hono } from 'hono';
 import * as calculationService from './service.js';
 import { createCalculationSchema } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 const router = new Hono();
 /**
  * @swagger
@@ -40,7 +42,7 @@ const router = new Hono();
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createCalculationSchema), async (c) => {
+router.post('/', requireRole(UserRole.Admin), zValidator('json', createCalculationSchema), async (c) => {
     const commands = c.get('commands');
     const { identifier } = c.req.valid('json');
     await calculationService.createCalculation(commands, identifier);

package/dist/domain/calculations/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/domain/calculations/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,kBAAkB,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAE5D,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;AAE1B;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxE,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE3C,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACjE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;AACjE,CAAC,CAAC,CAAC;AAEH,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/domain/calculations/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,kBAAkB,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;AAE1B;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,IAAI,CACT,GAAG,EACH,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAC3B,UAAU,CAAC,MAAM,EAAE,uBAAuB,CAAC,EAC3C,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE3C,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACjE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;AACjE,CAAC,CACF,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/dist/domain/calculations/service.js

@@ -20,16 +20,18 @@ function capitalize(str) {
     return str.charAt(0).toUpperCase() + str.slice(1);
 }
 export async function createCalculation(commands, identifier) {
-    await commands.createCmd.createCalculation(identifier);
-    // Set displayName to capitalized version of identifier
-    const project = await commands.showCmd.showProject();
-    await updateResourceWithOperation(commands, { prefix: project.prefix, type: 'calculations', identifier }, {
-        updateKey: { key: 'displayName' },
-        operation: {
-            name: 'change',
-            target: '',
-            to: capitalize(identifier),
-        },
-    });
+    await commands.atomic(async () => {
+        await commands.createCmd.createCalculation(identifier);
+        // Set displayName to capitalized version of identifier
+        const project = await commands.showCmd.showProject();
+        await updateResourceWithOperation(commands, { prefix: project.prefix, type: 'calculations', identifier }, {
+            updateKey: { key: 'displayName' },
+            operation: {
+                name: 'change',
+                target: '',
+                to: capitalize(identifier),
+            },
+        });
+    }, `Create calculation ${identifier}`);
 }
 //# sourceMappingURL=service.js.map

package/dist/domain/calculations/service.js.map

@@ -1 +1 @@
-{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/domain/calculations/service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAGF,OAAO,EAAE,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAEtE;;GAEG;AACH,SAAS,UAAU,CAAC,GAAW;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAwB,EACxB,UAAkB;IAElB,MAAM,QAAQ,CAAC,SAAS,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAEvD,uDAAuD;IACvD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IACrD,MAAM,2BAA2B,CAC/B,QAAQ,EACR,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,EAC5D;QACE,SAAS,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE;QACjC,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,EAAE;YACV,EAAE,EAAE,UAAU,CAAC,UAAU,CAAC;SAC3B;KACF,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/domain/calculations/service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAGF,OAAO,EAAE,2BAA2B,EAAE,MAAM,yBAAyB,CAAC;AAEtE;;GAEG;AACH,SAAS,UAAU,CAAC,GAAW;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAwB,EACxB,UAAkB;IAElB,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;QAC/B,MAAM,QAAQ,CAAC,SAAS,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAEvD,uDAAuD;QACvD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACrD,MAAM,2BAA2B,CAC/B,QAAQ,EACR,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,EAC5D;YACE,SAAS,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE;YACjC,SAAS,EAAE;gBACT,IAAI,EAAE,QAAQ;gBACd,MAAM,EAAE,EAAE;gBACV,EAAE,EAAE,UAAU,CAAC,UAAU,CAAC;aAC3B;SACF,CACF,CAAC;IACJ,CAAC,EAAE,sBAAsB,UAAU,EAAE,CAAC,CAAC;AACzC,CAAC"}

package/dist/domain/cardTypes/index.js

@@ -14,6 +14,8 @@ import { Hono } from 'hono';
 import * as cardTypeService from './service.js';
 import { createCardTypeSchema, cardTypeNameParamSchema, fieldVisibilityBodySchema, } from './schema.js';
 import { zValidator } from '../../middleware/zvalidator.js';
+import { UserRole } from '../../types.js';
+import { requireRole } from '../../middleware/auth.js';
 const router = new Hono();
 /**
  * @swagger
@@ -29,7 +31,7 @@ const router = new Hono();
  *       500:
  *         description: project_path not set or other internal error
  */
-router.get('/', async (c) => {
+router.get('/', requireRole(UserRole.Reader), async (c) => {
     const commands = c.get('commands');
     try {
         const cardTypes = await cardTypeService.getCardTypes(commands);
@@ -69,7 +71,7 @@ router.get('/', async (c) => {
  *       500:
  *         description: Server error
  */
-router.post('/', zValidator('json', createCardTypeSchema), async (c) => {
+router.post('/', requireRole(UserRole.Admin), zValidator('json', createCardTypeSchema), async (c) => {
     const commands = c.get('commands');
     const { identifier, workflowName } = c.req.valid('json');
     try {
@@ -125,7 +127,7 @@ router.post('/', zValidator('json', createCardTypeSchema), async (c) => {
  *       500:
  *         description: Server error
  */
-router.patch('/:cardTypeName/field-visibility', zValidator('param', cardTypeNameParamSchema), zValidator('json', fieldVisibilityBodySchema), async (c) => {
+router.patch('/:cardTypeName/field-visibility', requireRole(UserRole.Admin), zValidator('param', cardTypeNameParamSchema), zValidator('json', fieldVisibilityBodySchema), async (c) => {
     const commands = c.get('commands');
     const { cardTypeName } = c.req.valid('param');
     const body = c.req.valid('json');

package/dist/domain/cardTypes/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/domain/cardTypes/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,eAAe,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAE5D,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;AAE1B;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1B,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,cAAc,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE;SACvG,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,EAAE,oBAAoB,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrE,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACrE,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,CAAC,KAAK,CACV,iCAAiC,EACjC,UAAU,CAAC,OAAO,EAAE,uBAAuB,CAAC,EAC5C,UAAU,CAAC,MAAM,EAAE,yBAAyB,CAAC,EAC7C,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,qBAAqB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QAC1E,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,6DAA6D;QAC7D,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACrE,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,eAAe,MAAM,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/domain/cardTypes/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;EAWE;AAEF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,KAAK,eAAe,MAAM,cAAc,CAAC;AAChD,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,MAAM,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;AAE1B;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACxD,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC/D,OAAO,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,cAAc,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE;SACvG,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,IAAI,CACT,GAAG,EACH,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAC3B,UAAU,CAAC,MAAM,EAAE,oBAAoB,CAAC,EACxC,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,cAAc,CAAC,QAAQ,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACrE,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,MAAM,CAAC,KAAK,CACV,iCAAiC,EACjC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,EAC3B,UAAU,CAAC,OAAO,EAAE,uBAAuB,CAAC,EAC5C,UAAU,CAAC,MAAM,EAAE,yBAAyB,CAAC,EAC7C,KAAK,EAAE,CAAC,EAAE,EAAE;IACV,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,qBAAqB,CAAC,QAAQ,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;QAC1E,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAAC;IACtE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,6DAA6D;QAC7D,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACrE,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;AACH,CAAC,CACF,CAAC;AAEF,eAAe,MAAM,CAAC"}

package/dist/domain/cardTypes/service.js

@@ -34,87 +34,39 @@ function getCurrentGroup(alwaysVisibleFields, optionallyVisibleFields, fieldName
  */
 export async function updateFieldVisibility(commands, cardTypeName, body) {
     const { fieldName, group: targetGroup, index: targetIndex } = body;
-    // Get current card type data
-    const cardType = await commands.showCmd.showResource(cardTypeName, 'cardTypes');
-    if (!cardType) {
-        throw new Error(`Card type '${cardTypeName}' not found`);
-    }
-    const customFields = cardType.customFields || [];
-    const alwaysVisibleFields = cardType.alwaysVisibleFields || [];
-    const optionallyVisibleFields = cardType.optionallyVisibleFields || [];
-    // Validate that the field exists in customFields
-    const fieldExists = customFields.some((f) => f.name === fieldName);
-    if (!fieldExists) {
-        throw new Error(`Field '${fieldName}' does not exist in card type '${cardTypeName}'. `);
-    }
-    const currentGroup = getCurrentGroup(alwaysVisibleFields, optionallyVisibleFields, fieldName);
-    // If same group, just handle reordering
-    if (currentGroup === targetGroup) {
-        if (targetGroup === 'hidden') {
-            // Nothing to reorder in hidden group
-            return;
+    await commands.atomic(async () => {
+        // Read is now inside the write lock
+        const cardType = await commands.showCmd.showResource(cardTypeName, 'cardTypes');
+        if (!cardType) {
+            throw new Error(`Card type '${cardTypeName}' not found`);
+        }
+        const customFields = cardType.customFields || [];
+        const alwaysVisibleFields = cardType.alwaysVisibleFields || [];
+        const optionallyVisibleFields = cardType.optionallyVisibleFields || [];
+        // Validate that the field exists in customFields
+        const fieldExists = customFields.some((f) => f.name === fieldName);
+        if (!fieldExists) {
+            throw new Error(`Field '${fieldName}' does not exist in card type '${cardTypeName}'. `);
         }
-        if (targetIndex !== undefined) {
-            await commands.updateCmd.applyResourceOperation(cardTypeName, {
-                key: groupToKey[targetGroup],
-            }, {
-                name: 'rank',
-                target: fieldName,
-                newIndex: targetIndex,
-            });
+        const currentGroup = getCurrentGroup(alwaysVisibleFields, optionallyVisibleFields, fieldName);
+        // If same group, just handle reordering
+        if (currentGroup === targetGroup) {
+            if (targetGroup !== 'hidden' && targetIndex !== undefined) {
+                await commands.updateCmd.applyResourceOperation(cardTypeName, { key: groupToKey[targetGroup] }, { name: 'rank', target: fieldName, newIndex: targetIndex });
+            }
+            return;
         }
-        return;
-    }
-    // Different group - need to remove from old and add to new
-    let removedFromOld = false;
-    try {
         // Remove from current group (if not hidden)
         if (currentGroup !== 'hidden') {
-            await commands.updateCmd.applyResourceOperation(cardTypeName, {
-                key: groupToKey[currentGroup],
-            }, {
-                name: 'remove',
-                target: fieldName,
-            });
-            removedFromOld = true;
+            await commands.updateCmd.applyResourceOperation(cardTypeName, { key: groupToKey[currentGroup] }, { name: 'remove', target: fieldName });
         }
         // Add to new group (if not hidden)
         if (targetGroup !== 'hidden') {
-            await commands.updateCmd.applyResourceOperation(cardTypeName, {
-                key: groupToKey[targetGroup],
-            }, {
-                name: 'add',
-                target: fieldName,
-            });
-            // Reorder if index specified
+            await commands.updateCmd.applyResourceOperation(cardTypeName, { key: groupToKey[targetGroup] }, { name: 'add', target: fieldName });
             if (targetIndex !== undefined) {
-                await commands.updateCmd.applyResourceOperation(cardTypeName, {
-                    key: groupToKey[targetGroup],
-                }, {
-                    name: 'rank',
-                    target: fieldName,
-                    newIndex: targetIndex,
-                });
-            }
-        }
-    }
-    catch (error) {
-        // Attempt rollback if we removed from old group but failed to add to new
-        if (removedFromOld && currentGroup !== 'hidden') {
-            try {
-                await commands.updateCmd.applyResourceOperation(cardTypeName, {
-                    key: groupToKey[currentGroup],
-                }, {
-                    name: 'add',
-                    target: fieldName,
-                });
-            }
-            catch {
-                // Rollback failed - log but throw original error
-                console.error(`Rollback failed for field '${fieldName}' in card type '${cardTypeName}'`);
+                await commands.updateCmd.applyResourceOperation(cardTypeName, { key: groupToKey[targetGroup] }, { name: 'rank', target: fieldName, newIndex: targetIndex });
             }
         }
-        throw error;
-    }
+    }, `Update field visibility for ${cardTypeName}`);
 }
 //# sourceMappingURL=service.js.map