npm - @naisys/erp - Versions diffs - 3.0.0-beta.24 → 3.0.0-beta.25 - Mend

@naisys/erp 3.0.0-beta.24 → 3.0.0-beta.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/client-dist/assets/{index-DycEn-R_.js → index-ey6Ixpe7.js} +245 -213
package/client-dist/index.html +1 -1
package/dist/auth-middleware.js +1 -0
package/dist/error-handler.js +3 -0
package/dist/routes/inventory.js +31 -8
package/dist/routes/item-fields.js +18 -16
package/dist/routes/item-instances.js +36 -18
package/dist/routes/items.js +31 -29
package/dist/routes/labor-tickets.js +1 -2
package/dist/routes/operation-run-transitions.js +9 -2
package/dist/routes/operation-runs.js +5 -1
package/dist/routes/order-run-transitions.js +8 -2
package/dist/routes/orders.js +11 -7
package/dist/routes/users.js +1 -0
package/dist/routes/work-centers.js +25 -25
package/dist/services/field-value-service.js +26 -2
package/dist/services/order-run-service.js +64 -17
package/dist/services/order-service.js +9 -0
package/npm-shrinkwrap.json +28 -28
package/package.json +6 -6

package/client-dist/index.html CHANGED Viewed

@@ -33,7 +33,7 @@
     <meta name="format-detection" content="telephone=no" />
     <title>NAISYS ERP</title>
-    <script type="module" crossorigin src="/erp/assets/index-DycEn-R_.js"></script>
+    <script type="module" crossorigin src="/erp/assets/index-ey6Ixpe7.js"></script>
     <link rel="modulepreload" crossorigin href="/erp/assets/rolldown-runtime-CvHMtSRF.js">
     <link rel="modulepreload" crossorigin href="/erp/assets/vendor-MNFI7PUp.js">
     <link rel="stylesheet" crossorigin href="/erp/assets/vendor-CLUPjUnv.css">

package/dist/auth-middleware.js CHANGED Viewed

@@ -34,6 +34,7 @@ export function requirePermission(permission) {
                 statusCode: 403,
                 error: "Forbidden",
                 message: `Permission '${permission}' required`,
+                missingPermission: permission,
             });
             return;
         }

package/dist/error-handler.js CHANGED Viewed

@@ -2,6 +2,9 @@ function send(reply, statusCode, error, message) {
     reply.status(statusCode);
     return { statusCode, error, message };
 }
+export function badRequest(reply, message) {
+    return send(reply, 400, "Bad Request", message);
+}
 export function notFound(reply, message) {
     return send(reply, 404, "Not Found", message);
 }

package/dist/routes/inventory.js CHANGED Viewed

@@ -1,6 +1,36 @@
 import { InventoryListQuerySchema, InventoryListResponseSchema, } from "@naisys/erp-shared";
+import { hasPermission } from "../auth-middleware.js";
 import erpDb from "../erpDb.js";
 import { API_PREFIX, paginationLinks } from "../hateoas.js";
+function buildInventoryActionTemplates(user) {
+    const templates = [
+        {
+            rel: "viewInstance",
+            hrefTemplate: `${API_PREFIX}/items/{itemKey}/instances/{id}`,
+            method: "GET",
+            title: "View Instance",
+        },
+    ];
+    if (hasPermission(user, "item_manager")) {
+        templates.push({
+            rel: "update-field-value",
+            hrefTemplate: `${API_PREFIX}/items/{itemKey}/instances/{id}/fields/{fieldSeqNo}`,
+            method: "PUT",
+            title: "Update Field Value (implicit set 0)",
+            schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
+            body: { value: "" },
+        });
+        templates.push({
+            rel: "update-set-field-value",
+            hrefTemplate: `${API_PREFIX}/items/{itemKey}/instances/{id}/sets/{setIndex}/fields/{fieldSeqNo}`,
+            method: "PUT",
+            title: "Update Field Value (explicit set index)",
+            schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
+            body: { value: "" },
+        });
+    }
+    return templates;
+}
 export default function inventoryRoutes(fastify) {
     const app = fastify.withTypeProvider();
     app.get("/", {
@@ -55,14 +85,7 @@ export default function inventoryRoutes(fastify) {
                 _links: paginationLinks("inventory", page, pageSize, total, {
                     search,
                 }),
-                _actionTemplates: [
-                    {
-                        rel: "viewInstance",
-                        hrefTemplate: `${API_PREFIX}/items/{itemKey}/instances/{id}`,
-                        method: "GET",
-                        title: "View Instance",
-                    },
-                ],
+                _actionTemplates: buildInventoryActionTemplates(request.erpUser),
             };
         },
     });

package/dist/routes/item-fields.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { hasPermission, requirePermission } from "../auth-middleware.js";
 import erpDb from "../erpDb.js";
 import { notFound } from "../error-handler.js";
 import { API_PREFIX, selfLink } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, } from "../route-helpers.js";
+import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, permGate, } from "../route-helpers.js";
 import { createField, deleteField, ensureFieldSet, findExistingField, getField, listFields, updateField, } from "../services/field-service.js";
 import { findExisting as findExistingItem } from "../services/item-service.js";
 const ParamsSchema = z.object({ key: z.string() });
@@ -27,23 +27,26 @@ function formatField(key, user, field) {
         required: field.required,
         ...formatAuditFields(field),
         _links: childItemLinks(base, field.seqNo, "Fields", `/items/${key}`, "Item", "Field"),
-        _actions: hasPermission(user, "item_manager")
-            ? [
+        _actions: (() => {
+            const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
+            return [
                 {
                     rel: "update",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "PUT",
                     title: "Update",
                     schema: `${API_PREFIX}/schemas/UpdateField`,
+                    ...gate,
                 },
                 {
                     rel: "delete",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "DELETE",
                     title: "Delete",
+                    ...gate,
                 },
-            ]
-            : [],
+            ];
+        })(),
     };
 }
 export default function itemFieldRoutes(fastify) {
@@ -81,17 +84,16 @@ export default function itemFieldRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}${base}/{seqNo}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}${base}`,
-                            method: "POST",
-                            title: "Add Field",
-                            schema: `${API_PREFIX}/schemas/CreateField`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}${base}`,
+                        method: "POST",
+                        title: "Add Field",
+                        schema: `${API_PREFIX}/schemas/CreateField`,
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/item-instances.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { z } from "zod/v4";
 import { hasPermission, requirePermission } from "../auth-middleware.js";
 import { notFound, unprocessable } from "../error-handler.js";
 import { API_PREFIX, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { formatAuditFields, mutationResult, useFullSerializer, wantsFullResponse, } from "../route-helpers.js";
+import { formatAuditFields, mutationResult, permGate, useFullSerializer, wantsFullResponse, } from "../route-helpers.js";
 import { checkFieldValueShape, deleteFieldValueSet, deserializeFieldValue, serializeFieldValue, upsertFieldValue, validateFieldValue, } from "../services/field-value-service.js";
 import { createItemInstance, deleteItemInstance, ensureItemInstanceFieldRecord, findItemInstance, findItemInstanceWithField, listItemInstances, updateItemInstance, } from "../services/item-instance-service.js";
 import { findExisting as findItem } from "../services/item-service.js";
@@ -59,9 +59,8 @@ function instanceLinks(itemKey, instanceId, inst) {
     return links;
 }
 function instanceActions(itemKey, instanceId, user) {
-    if (!hasPermission(user, "item_manager"))
-        return [];
     const href = `${API_PREFIX}/${instanceBasePath(itemKey)}/${instanceId}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
             rel: "update",
@@ -70,12 +69,14 @@ function instanceActions(itemKey, instanceId, user) {
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateItemInstance`,
             body: { key: "" },
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
     ];
 }
@@ -122,17 +123,35 @@ function buildFieldValues(inst) {
     return fieldValues;
 }
 function buildActionTemplates(itemKey, instanceId, user, hasFields) {
-    if (!hasPermission(user, "item_manager") || !hasFields)
+    if (!hasFields)
         return [];
     const instanceHref = `${API_PREFIX}/${instanceBasePath(itemKey)}/${instanceId}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
-            rel: "updateField",
+            rel: "update-field-value",
             hrefTemplate: `${instanceHref}/fields/{fieldSeqNo}`,
             method: "PUT",
-            title: "Update Field Value",
+            title: "Update Field Value (implicit set 0)",
+            schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
+            body: { value: "" },
+            ...gate,
+        },
+        {
+            rel: "update-set-field-value",
+            hrefTemplate: `${instanceHref}/sets/{setIndex}/fields/{fieldSeqNo}`,
+            method: "PUT",
+            title: "Update Field Value (explicit set index)",
             schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
             body: { value: "" },
+            ...gate,
+        },
+        {
+            rel: "delete-set",
+            hrefTemplate: `${instanceHref}/sets/{setIndex}`,
+            method: "DELETE",
+            title: "Delete Field Value Set",
+            ...gate,
         },
     ];
 }
@@ -202,18 +221,17 @@ export default function itemInstanceRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}/items/${key}/instances/{id}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${base}`,
-                            method: "POST",
-                            title: "Create Instance",
-                            schema: `${API_PREFIX}/schemas/CreateItemInstance`,
-                            body: { key: "" },
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${base}`,
+                        method: "POST",
+                        title: "Create Instance",
+                        schema: `${API_PREFIX}/schemas/CreateItemInstance`,
+                        body: { key: "" },
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/items.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { z } from "zod/v4";
 import { hasPermission, requirePermission } from "../auth-middleware.js";
 import { notFound } from "../error-handler.js";
 import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, } from "../route-helpers.js";
+import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, permGate, } from "../route-helpers.js";
 import { createItem, deleteItem, findExisting, listItems, updateItem, } from "../services/item-service.js";
 const RESOURCE = "items";
 const KeyParamsSchema = z.object({
@@ -17,9 +17,8 @@ function itemLinks(key) {
     ];
 }
 function itemActions(key, user) {
-    if (!hasPermission(user, "item_manager"))
-        return [];
     const href = `${API_PREFIX}/${RESOURCE}/${key}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
             rel: "update",
@@ -27,12 +26,14 @@ function itemActions(key, user) {
             method: "PUT",
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateItem`,
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
     ];
 }
@@ -44,17 +45,16 @@ function formatItemFieldListResponse(itemKey, user, fields) {
         total: fields.length,
         nextSeqNo: calcNextSeqNo(maxSeq),
         _links: [selfLink(base)],
-        _actions: hasPermission(user, "item_manager")
-            ? [
-                {
-                    rel: "create",
-                    href: `${API_PREFIX}${base}`,
-                    method: "POST",
-                    title: "Add Field",
-                    schema: `${API_PREFIX}/schemas/CreateField`,
-                },
-            ]
-            : [],
+        _actions: [
+            {
+                rel: "create",
+                href: `${API_PREFIX}${base}`,
+                method: "POST",
+                title: "Add Field",
+                schema: `${API_PREFIX}/schemas/CreateField`,
+                ...permGate(hasPermission(user, "item_manager"), "item_manager"),
+            },
+        ],
     };
 }
 function formatItemField(itemKey, user, field) {
@@ -69,23 +69,26 @@ function formatItemField(itemKey, user, field) {
         required: field.required,
         ...formatAuditFields(field),
         _links: childItemLinks(base, field.seqNo, "Fields", `/items/${itemKey}`, "Item", "Field"),
-        _actions: hasPermission(user, "item_manager")
-            ? [
+        _actions: (() => {
+            const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
+            return [
                 {
                     rel: "update",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "PUT",
                     title: "Update",
                     schema: `${API_PREFIX}/schemas/UpdateField`,
+                    ...gate,
                 },
                 {
                     rel: "delete",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "DELETE",
                     title: "Delete",
+                    ...gate,
                 },
-            ]
-            : [],
+            ];
+        })(),
     };
 }
 function formatItem(item, user) {
@@ -139,17 +142,16 @@ export default function itemRoutes(fastify) {
                 _linkTemplates: [
                     { rel: "item", hrefTemplate: `${API_PREFIX}/items/{key}` },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${RESOURCE}`,
-                            method: "POST",
-                            title: "Create Item",
-                            schema: `${API_PREFIX}/schemas/CreateItem`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${RESOURCE}`,
+                        method: "POST",
+                        title: "Create Item",
+                        schema: `${API_PREFIX}/schemas/CreateItem`,
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/labor-tickets.js CHANGED Viewed

@@ -72,14 +72,13 @@ function laborTicketListActions(orderKey, runNo, seqNo, opRunStatus, user, ticke
     return actions;
 }
 function laborTicketActionTemplates(orderKey, runNo, seqNo, user) {
-    if (!hasPermission(user, "order_manager"))
-        return [];
     return [
         {
             rel: "deleteTicket",
             hrefTemplate: `${API_PREFIX}/${laborResource(orderKey, runNo, seqNo)}/{ticketId}`,
             method: "DELETE",
             title: "Delete Ticket",
+            ...permGate(hasPermission(user, "order_manager"), "order_manager"),
         },
     ];
 }

package/dist/routes/operation-run-transitions.js CHANGED Viewed

@@ -113,10 +113,11 @@ export default function operationRunTransitionRoutes(fastify) {
             });
         },
     });
-    // SKIP (pending → skipped)
+    // SKIP (blocked/pending/in_progress → skipped)
     app.post("/:seqNo/skip", {
         schema: {
-            description: "Skip an operation run (pending → skipped)",
+            description: "Skip an operation run (blocked/pending/in_progress → skipped). " +
+                "When skipping an in_progress op, any open labor tickets are clocked out.",
             tags: ["Operation Runs"],
             params: SeqNoParamsSchema,
             body: TransitionNoteSchema,
@@ -143,9 +144,15 @@ export default function operationRunTransitionRoutes(fastify) {
             const statusErr = validateStatusFor("skip", resolved.opRun.status, [
                 OperationRunStatus.blocked,
                 OperationRunStatus.pending,
+                OperationRunStatus.in_progress,
             ]);
             if (statusErr)
                 return conflict(reply, statusErr);
+            // If the op was in progress, close out any active labor tickets so the
+            // recorded cost is accurate before we mark the op skipped.
+            if (resolved.opRun.status === OperationRunStatus.in_progress) {
+                await clockOutAllForOpRun(resolved.opRun.id, userId);
+            }
             const cost = await sumLaborTicketCosts(resolved.opRun.id);
             const opRun = await transitionStatus(resolved.opRun.id, "skip", resolved.opRun.status, OperationRunStatus.skipped, userId, { ...(cost > 0 ? { cost } : undefined), statusNote: note ?? null });
             await unblockSuccessors(resolved.run.id, resolved.opRun.operationId, userId);

package/dist/routes/operation-runs.js CHANGED Viewed

@@ -76,7 +76,11 @@ async function opRunItemActions(orderKey, runNo, seqNo, opRunId, operationId, st
             method: "POST",
             title: "Skip",
             permission: "order_manager",
-            statuses: [OperationRunStatus.blocked, OperationRunStatus.pending],
+            statuses: [
+                OperationRunStatus.blocked,
+                OperationRunStatus.pending,
+                OperationRunStatus.in_progress,
+            ],
             disabledWhen: () => wcErr,
         },
         {

package/dist/routes/order-run-transitions.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { CompleteOrderRunSchema, ErrorResponseSchema, OrderRunStatus, OrderRunTransitionSchema, } from "@naisys/erp-shared";
 import { requirePermission } from "../auth-middleware.js";
-import { conflict, notFound, unprocessable } from "../error-handler.js";
+import { badRequest, conflict, notFound, unprocessable, } from "../error-handler.js";
 import { resolveOrderRun, useFullSerializer, wantsFullResponse, } from "../route-helpers.js";
 import { checkOpsComplete, completeOrderRun, getReopenTarget, sumOpRunCosts, transitionStatus, validateStatusFor, } from "../services/order-run-service.js";
 import { formatRun, orderRunItemActions, RunNoParamsSchema, } from "./order-runs.js";
@@ -89,12 +89,15 @@ export default function orderRunTransitionRoutes(fastify) {
     // COMPLETE (started -> closed, creates item instance)
     app.post("/:runNo/complete", {
         schema: {
-            description: "Complete an order run — creates an item instance and closes the run",
+            description: "Complete an order run — creates an item instance and closes the run. " +
+                "Returns 400 if any required item field is missing, or if any supplied " +
+                "fieldSeqNo doesn't exist on the item.",
             tags: ["Order Runs"],
             params: RunNoParamsSchema,
             body: CompleteOrderRunSchema,
             response: {
                 200: OrderRunTransitionSchema,
+                400: ErrorResponseSchema,
                 404: ErrorResponseSchema,
                 409: ErrorResponseSchema,
                 422: ErrorResponseSchema,
@@ -119,6 +122,9 @@ export default function orderRunTransitionRoutes(fastify) {
             const userId = request.erpUser.id;
             const result = await completeOrderRun(resolved.run.id, resolved.order.id, request.body, userId);
             if (result.error) {
+                if (result.status === 400) {
+                    return badRequest(reply, result.error);
+                }
                 return unprocessable(reply, result.error);
             }
             const run = result.run;

package/dist/routes/orders.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { hasPermission, requirePermission } from "../auth-middleware.js";
 import { conflict, notFound } from "../error-handler.js";
 import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
 import { formatAuditFields, mutationResult, permGate, resolveActions, } from "../route-helpers.js";
-import { checkHasRevisions, createOrder, deleteOrder, findExisting, listOrders, resolveItemKey, updateOrder, } from "../services/order-service.js";
+import { checkHasRevisions, createOrder, deleteOrder, findExisting, getLatestApprovedRevNo, listOrders, resolveItemKey, updateOrder, } from "../services/order-service.js";
 function orderLinks(resource, key, schemaName) {
     return [
         selfLink(`/${resource}/${key}`),
@@ -64,13 +64,14 @@ const RESOURCE = "orders";
 const KeyParamsSchema = z.object({
     key: z.string(),
 });
-function formatOrder(order, user) {
+function formatOrder(order, user, latestApprovedRevNo) {
     return {
         id: order.id,
         key: order.key,
         description: order.description,
         status: order.status,
         itemKey: order.item?.key ?? null,
+        latestApprovedRevNo,
         ...formatAuditFields(order),
         _links: [
             ...orderLinks(RESOURCE, order.key, "Order"),
@@ -81,8 +82,8 @@ function formatOrder(order, user) {
     };
 }
 function formatListOrder(order, user) {
-    const { _actions, ...rest } = formatOrder(order, user);
-    const { _links: _, ...withoutLinks } = rest;
+    const { _actions, ...rest } = formatOrder(order, user, null);
+    const { _links: _, latestApprovedRevNo: __, ...withoutLinks } = rest;
     return withoutLinks;
 }
 export default function orderRoutes(fastify) {
@@ -159,7 +160,8 @@ export default function orderRoutes(fastify) {
                 }
             }
             const order = await createOrder(key, description, itemId, userId);
-            const full = formatOrder(order, request.erpUser);
+            // Newly-created order has no revisions yet, so latestApprovedRevNo is null
+            const full = formatOrder(order, request.erpUser, null);
             reply.status(201);
             return mutationResult(request, reply, full, {
                 id: full.id,
@@ -186,7 +188,8 @@ export default function orderRoutes(fastify) {
             if (!order) {
                 return notFound(reply, `Order '${key}' not found`);
             }
-            return formatOrder(order, request.erpUser);
+            const latestApprovedRevNo = await getLatestApprovedRevNo(order.id);
+            return formatOrder(order, request.erpUser, latestApprovedRevNo);
         },
     });
     // UPDATE
@@ -225,7 +228,8 @@ export default function orderRoutes(fastify) {
                 }
             }
             const order = await updateOrder(key, dbData, userId);
-            const full = formatOrder(order, request.erpUser);
+            const latestApprovedRevNo = await getLatestApprovedRevNo(order.id);
+            const full = formatOrder(order, request.erpUser, latestApprovedRevNo);
             return mutationResult(request, reply, full, {
                 _actions: full._actions,
             });

package/dist/routes/users.js CHANGED Viewed

@@ -127,6 +127,7 @@ export default function userRoutes(fastify) {
                 statusCode: 403,
                 error: "Forbidden",
                 message: "Permission 'erp_admin' required",
+                missingPermission: "erp_admin",
             });
             return;
         }

package/dist/routes/work-centers.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { z } from "zod/v4";
 import { hasPermission, requirePermission } from "../auth-middleware.js";
 import { notFound } from "../error-handler.js";
 import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { formatAuditFields, mutationResult } from "../route-helpers.js";
+import { formatAuditFields, mutationResult, permGate } from "../route-helpers.js";
 import { assignUser, createWorkCenter, deleteWorkCenter, findExisting, listWorkCenters, removeUser, updateWorkCenter, } from "../services/work-center-service.js";
 const RESOURCE = "work-centers";
 const KeyParamsSchema = z.object({
@@ -21,9 +21,8 @@ function wcLinks(key) {
     ];
 }
 function wcActions(key, user) {
-    if (!hasPermission(user, "erp_admin"))
-        return [];
     const href = `${API_PREFIX}/${RESOURCE}/${key}`;
+    const gate = permGate(hasPermission(user, "erp_admin"), "erp_admin");
     return [
         {
             rel: "update",
@@ -31,12 +30,14 @@ function wcActions(key, user) {
             method: "PUT",
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateWorkCenter`,
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
         {
             rel: "assignUser",
@@ -44,11 +45,12 @@ function wcActions(key, user) {
             method: "POST",
             title: "Assign User",
             schema: `${API_PREFIX}/schemas/AssignWorkCenterUser`,
+            ...gate,
         },
     ];
 }
 function formatWorkCenter(wc, user) {
-    const isAdmin = hasPermission(user, "erp_admin");
+    const adminGate = permGate(hasPermission(user, "erp_admin"), "erp_admin");
     return {
         id: wc.id,
         key: wc.key,
@@ -58,16 +60,15 @@ function formatWorkCenter(wc, user) {
             username: a.user.username,
             createdAt: a.createdAt.toISOString(),
             createdBy: a.createdBy?.username ?? null,
-            _actions: isAdmin
-                ? [
-                    {
-                        rel: "remove",
-                        href: `${API_PREFIX}/${RESOURCE}/${wc.key}/users/${a.user.username}`,
-                        method: "DELETE",
-                        title: "Remove",
-                    },
-                ]
-                : [],
+            _actions: [
+                {
+                    rel: "remove",
+                    href: `${API_PREFIX}/${RESOURCE}/${wc.key}/users/${a.user.username}`,
+                    method: "DELETE",
+                    title: "Remove",
+                    ...adminGate,
+                },
+            ],
         })),
         ...formatAuditFields(wc),
         _links: wcLinks(wc.key),
@@ -117,17 +118,16 @@ export default function workCenterRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}/work-centers/{key}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "erp_admin")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${RESOURCE}`,
-                            method: "POST",
-                            title: "Create Work Center",
-                            schema: `${API_PREFIX}/schemas/CreateWorkCenter`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${RESOURCE}`,
+                        method: "POST",
+                        title: "Create Work Center",
+                        schema: `${API_PREFIX}/schemas/CreateWorkCenter`,
+                        ...permGate(hasPermission(request.erpUser, "erp_admin"), "erp_admin"),
+                    },
+                ],
             };
         },
     });