@naisys/erp 3.0.0-beta.3

package/dist/services/user-service.js

@@ -0,0 +1,132 @@
+import { getAgentApiKeyByUuid, rotateAgentApiKeyByUuid, } from "@naisys/hub-database";
+import bcrypt from "bcryptjs";
+import { randomBytes, randomUUID } from "crypto";
+import erpDb from "../erpDb.js";
+import { isSupervisorAuth } from "../supervisorAuth.js";
+// --- Prisma include & result type ---
+export const includePermissions = {
+    permissions: true,
+};
+// --- Constants ---
+const SALT_ROUNDS = 10;
+// --- Lookups ---
+export async function listUsers(options) {
+    const { page, pageSize, search } = options;
+    const where = search ? { username: { contains: search } } : {};
+    const [items, total] = await Promise.all([
+        erpDb.user.findMany({
+            where,
+            include: includePermissions,
+            orderBy: { createdAt: "desc" },
+            skip: (page - 1) * pageSize,
+            take: pageSize,
+        }),
+        erpDb.user.count({ where }),
+    ]);
+    return { items, total, pageSize };
+}
+export async function getUserByUsername(username) {
+    return erpDb.user.findUnique({
+        where: { username },
+        include: includePermissions,
+    });
+}
+export async function getUserById(id) {
+    return erpDb.user.findUnique({
+        where: { id },
+        include: includePermissions,
+    });
+}
+export async function getUserApiKey(id) {
+    const user = await erpDb.user.findUnique({
+        where: { id },
+        select: { isAgent: true, uuid: true, apiKey: true },
+    });
+    if (!user)
+        return null;
+    if (user.isAgent && isSupervisorAuth()) {
+        return getAgentApiKeyByUuid(user.uuid);
+    }
+    else {
+        return user.apiKey ?? null;
+    }
+}
+// --- Mutations ---
+export async function getUserByUuid(uuid) {
+    return erpDb.user.findFirst({
+        where: { uuid },
+        include: includePermissions,
+    });
+}
+export async function createUserForAgent(username, uuid) {
+    return erpDb.user.create({
+        data: {
+            username,
+            uuid,
+            passwordHash: "",
+            isAgent: true,
+        },
+        include: includePermissions,
+    });
+}
+export async function createUserWithPassword(data) {
+    const passwordHash = await bcrypt.hash(data.password, SALT_ROUNDS);
+    const uuid = randomUUID();
+    return erpDb.user.create({
+        data: {
+            username: data.username,
+            uuid,
+            passwordHash,
+            isAgent: false,
+            apiKey: randomBytes(32).toString("hex"),
+        },
+        include: includePermissions,
+    });
+}
+export async function updateUser(id, data) {
+    const updateData = {};
+    if (data.username !== undefined) {
+        updateData.username = data.username;
+    }
+    if (data.password !== undefined) {
+        updateData.passwordHash = await bcrypt.hash(data.password, SALT_ROUNDS);
+    }
+    return erpDb.user.update({
+        where: { id },
+        data: updateData,
+        include: includePermissions,
+    });
+}
+export async function deleteUser(id) {
+    return erpDb.user.delete({ where: { id } });
+}
+export async function grantPermission(userId, permission, grantedBy) {
+    return erpDb.userPermission.create({
+        data: { userId, permission, grantedBy },
+    });
+}
+export async function revokePermission(userId, permission) {
+    return erpDb.userPermission.deleteMany({
+        where: { userId, permission },
+    });
+}
+export async function rotateUserApiKey(id) {
+    const newKey = randomBytes(32).toString("hex");
+    const user = await erpDb.user.findUnique({
+        where: { id },
+        select: { isAgent: true, uuid: true },
+    });
+    if (!user)
+        throw new Error("User not found");
+    if (user.isAgent && isSupervisorAuth()) {
+        await rotateAgentApiKeyByUuid(user.uuid, newKey);
+    }
+    else {
+        await erpDb.user.update({
+            where: { id },
+            data: { apiKey: newKey },
+        });
+    }
+    return newKey;
+}
+//# sourceMappingURL=user-service.js.map

package/dist/services/work-center-service.d.ts

@@ -0,0 +1,29 @@
+import type { WorkCenterModel } from "../generated/prisma/models/WorkCenter.js";
+import { type WithAuditUsers } from "../route-helpers.js";
+export type WorkCenterWithDetail = WorkCenterModel & WithAuditUsers & {
+    userAssignments: Array<{
+        user: {
+            id: number;
+            username: string;
+        };
+        createdBy: {
+            username: string;
+        };
+        createdAt: Date;
+    }>;
+    _count: {
+        userAssignments: number;
+    };
+};
+export declare function listWorkCenters(where: Record<string, unknown>, page: number, pageSize: number): Promise<[WorkCenterWithDetail[], number]>;
+export declare function findExisting(key: string): Promise<WorkCenterWithDetail | null>;
+export declare function createWorkCenter(key: string, description: string | undefined, userId: number): Promise<WorkCenterWithDetail>;
+export declare function updateWorkCenter(key: string, data: Record<string, unknown>, userId: number): Promise<WorkCenterWithDetail>;
+export declare function deleteWorkCenter(key: string): Promise<void>;
+export declare function assignUser(workCenterKey: string, username: string, createdById: number): Promise<WorkCenterWithDetail>;
+export declare function removeUser(workCenterKey: string, username: string): Promise<void>;
+export declare function getUserWorkCenterIds(userId: number): Promise<number[]>;
+export declare function findWorkCenterByKey(key: string): Promise<{
+    id: number;
+} | null>;
+//# sourceMappingURL=work-center-service.d.ts.map

package/dist/services/work-center-service.js

@@ -0,0 +1,106 @@
+import erpDb from "../erpDb.js";
+import { includeUsers } from "../route-helpers.js";
+// --- Prisma include & result type ---
+const includeDetail = {
+    ...includeUsers,
+    userAssignments: {
+        include: {
+            user: { select: { id: true, username: true } },
+            createdBy: { select: { username: true } },
+        },
+        orderBy: { user: { username: "asc" } },
+    },
+    _count: { select: { userAssignments: true } },
+};
+// --- Lookups ---
+export async function listWorkCenters(where, page, pageSize) {
+    return Promise.all([
+        erpDb.workCenter.findMany({
+            where,
+            include: includeDetail,
+            skip: (page - 1) * pageSize,
+            take: pageSize,
+            orderBy: { createdAt: "desc" },
+        }),
+        erpDb.workCenter.count({ where }),
+    ]);
+}
+export async function findExisting(key) {
+    return erpDb.workCenter.findUnique({
+        where: { key },
+        include: includeDetail,
+    });
+}
+// --- Mutations ---
+export async function createWorkCenter(key, description, userId) {
+    return erpDb.workCenter.create({
+        data: {
+            key,
+            description,
+            createdById: userId,
+            updatedById: userId,
+        },
+        include: includeDetail,
+    });
+}
+export async function updateWorkCenter(key, data, userId) {
+    return erpDb.workCenter.update({
+        where: { key },
+        data: { ...data, updatedById: userId },
+        include: includeDetail,
+    });
+}
+export async function deleteWorkCenter(key) {
+    await erpDb.workCenter.delete({ where: { key } });
+}
+// --- User assignments ---
+export async function assignUser(workCenterKey, username, createdById) {
+    const workCenter = await erpDb.workCenter.findUniqueOrThrow({
+        where: { key: workCenterKey },
+    });
+    const user = await erpDb.user.findUniqueOrThrow({
+        where: { username },
+    });
+    await erpDb.workCenterUser.create({
+        data: {
+            workCenterId: workCenter.id,
+            userId: user.id,
+            createdById,
+        },
+    });
+    return erpDb.workCenter.findUniqueOrThrow({
+        where: { key: workCenterKey },
+        include: includeDetail,
+    });
+}
+export async function removeUser(workCenterKey, username) {
+    const workCenter = await erpDb.workCenter.findUniqueOrThrow({
+        where: { key: workCenterKey },
+    });
+    const user = await erpDb.user.findUniqueOrThrow({
+        where: { username },
+    });
+    await erpDb.workCenterUser.delete({
+        where: {
+            workCenterId_userId: {
+                workCenterId: workCenter.id,
+                userId: user.id,
+            },
+        },
+    });
+}
+// --- Work center ID lookups for dispatch ---
+export async function getUserWorkCenterIds(userId) {
+    const assignments = await erpDb.workCenterUser.findMany({
+        where: { userId },
+        select: { workCenterId: true },
+    });
+    return assignments.map((a) => a.workCenterId);
+}
+export async function findWorkCenterByKey(key) {
+    return erpDb.workCenter.findUnique({
+        where: { key },
+        select: { id: true },
+    });
+}
+//# sourceMappingURL=work-center-service.js.map

package/dist/supervisorAuth.d.ts

@@ -0,0 +1,3 @@
+export declare function enableSupervisorAuth(): void;
+export declare function isSupervisorAuth(): boolean;
+//# sourceMappingURL=supervisorAuth.d.ts.map

package/dist/supervisorAuth.js

@@ -0,0 +1,16 @@
+/**
+ * Module-level flag indicating whether ERP should use the supervisor/hub
+ * databases for SSO authentication and agent API key lookups.
+ *
+ * Enabled by:
+ *  - SUPERVISOR_AUTH=true environment variable
+ *  - Supervisor calling `enableSupervisorAuth()` before registering the ERP plugin
+ */
+let _enabled = false;
+export function enableSupervisorAuth() {
+    _enabled = true;
+}
+export function isSupervisorAuth() {
+    return _enabled || process.env.SUPERVISOR_AUTH === "true";
+}
+//# sourceMappingURL=supervisorAuth.js.map

package/dist/userService.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Ensure a superadmin user exists in the local ERP database.
+ * For standalone mode (no supervisor auth).
+ */
+export declare function ensureLocalSuperAdmin(): Promise<void>;
+/**
+ * Sync superadmin from supervisor into ERP DB and ensure permissions.
+ * For supervisor auth mode.
+ */
+export declare function ensureSupervisorSuperAdmin(): Promise<void>;
+/**
+ * Ensure a user has the erp_admin permission.
+ */
+export declare function ensureErpAdminPermission(userId: number): Promise<void>;
+/**
+ * Interactive CLI to reset a local user's password.
+ * For standalone mode (no supervisor auth).
+ */
+export declare function resetLocalPassword(): Promise<void>;
+//# sourceMappingURL=userService.d.ts.map

package/dist/userService.js

@@ -0,0 +1,118 @@
+import { SUPER_ADMIN_USERNAME } from "@naisys/common";
+import { ensureSuperAdmin } from "@naisys/supervisor-database";
+import bcrypt from "bcryptjs";
+import { randomBytes, randomUUID } from "crypto";
+import readline from "readline/promises";
+import erpDb from "./erpDb.js";
+const SALT_ROUNDS = 10;
+/**
+ * Ensure a superadmin user exists in the local ERP database.
+ * For standalone mode (no supervisor auth).
+ */
+export async function ensureLocalSuperAdmin() {
+    const existing = await erpDb.user.findUnique({
+        where: { username: SUPER_ADMIN_USERNAME },
+    });
+    if (existing) {
+        // Ensure superadmin has erp_admin permission
+        await ensureErpAdminPermission(existing.id);
+    }
+    else {
+        const password = randomUUID().slice(0, 8);
+        const hash = await bcrypt.hash(password, SALT_ROUNDS);
+        const user = await erpDb.user.create({
+            data: {
+                uuid: randomUUID(),
+                username: SUPER_ADMIN_USERNAME,
+                passwordHash: hash,
+                apiKey: randomBytes(32).toString("hex"),
+            },
+        });
+        await ensureErpAdminPermission(user.id);
+        console.log(`\n  ${SUPER_ADMIN_USERNAME} user created. Password: ${password}`);
+        console.log(`  Change it via --reset-password\n`);
+    }
+    // Warn if agent users exist without supervisor auth
+    const agentCount = await erpDb.user.count({ where: { isAgent: true } });
+    if (agentCount > 0) {
+        console.warn(`[ERP] Warning: ${agentCount} agent user(s) found but supervisor auth is disabled. ` +
+            `Agent API key lookups and authentication will not work. ` +
+            `Start with --supervisor-auth to enable.`);
+    }
+}
+/**
+ * Sync superadmin from supervisor into ERP DB and ensure permissions.
+ * For supervisor auth mode.
+ */
+export async function ensureSupervisorSuperAdmin() {
+    const result = await ensureSuperAdmin();
+    await erpDb.user.upsert({
+        where: { uuid: result.user.uuid },
+        create: {
+            uuid: result.user.uuid,
+            username: result.user.username,
+            passwordHash: result.user.passwordHash,
+            apiKey: result.user.apiKey,
+        },
+        update: {
+            username: result.user.username,
+            passwordHash: result.user.passwordHash,
+            apiKey: result.user.apiKey,
+        },
+    });
+    const localSuperAdmin = await erpDb.user.findUnique({
+        where: { uuid: result.user.uuid },
+    });
+    if (localSuperAdmin) {
+        await ensureErpAdminPermission(localSuperAdmin.id);
+    }
+    if (result.created) {
+        console.log(`[ERP] ${SUPER_ADMIN_USERNAME} user created. Password: ${result.generatedPassword}`);
+    }
+}
+/**
+ * Ensure a user has the erp_admin permission.
+ */
+export async function ensureErpAdminPermission(userId) {
+    const existing = await erpDb.userPermission.findUnique({
+        where: { userId_permission: { userId, permission: "erp_admin" } },
+    });
+    if (!existing) {
+        await erpDb.userPermission.create({
+            data: { userId, permission: "erp_admin" },
+        });
+    }
+}
+/**
+ * Interactive CLI to reset a local user's password.
+ * For standalone mode (no supervisor auth).
+ */
+export async function resetLocalPassword() {
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    try {
+        const username = await rl.question("Username: ");
+        const user = await erpDb.user.findUnique({ where: { username } });
+        if (!user) {
+            console.error(`User '${username}' not found.`);
+            process.exit(1);
+        }
+        const password = await rl.question("New password: ");
+        if (password.length < 6) {
+            console.error("Password must be at least 6 characters.");
+            process.exit(1);
+        }
+        const hash = await bcrypt.hash(password, SALT_ROUNDS);
+        await erpDb.user.update({
+            where: { id: user.id },
+            data: { passwordHash: hash },
+        });
+        console.log(`Password reset for '${username}'.`);
+    }
+    finally {
+        rl.close();
+    }
+}
+//# sourceMappingURL=userService.js.map

package/package.json

@@ -0,0 +1,69 @@
+{
+  "name": "@naisys/erp",
+  "version": "3.0.0-beta.3",
+  "description": "NAISYS ERP - Web UI for AI-driven order and work management",
+  "type": "module",
+  "main": "dist/erpServer.js",
+  "bin": {
+    "naisys-erp": "bin/naisys-erp"
+  },
+  "exports": {
+    ".": "./dist/erpServer.js"
+  },
+  "scripts": {
+    "clean": "rimraf dist client-dist .test-naisys",
+    "dev": "tsx watch src/erpServer.ts",
+    "build": "prisma generate && tsc",
+    "bundle": "npx shx rm -rf client-dist && npx shx cp -r ../client/dist client-dist",
+    "start": "node dist/erpServer.js",
+    "start:reset-password": "node dist/erpServer.js --reset-password",
+    "type-check": "tsc --noEmit",
+    "npm:publish:dryrun": "npm publish --dry-run",
+    "npm:publish": "npm publish --access public",
+    "db:generate": "prisma generate",
+    "db:migrate": "prisma migrate dev",
+    "db:push": "prisma db push",
+    "test": "vitest run && npx playwright test"
+  },
+  "files": [
+    "dist",
+    "client-dist",
+    "bin",
+    "!dist/**/*.map",
+    "!dist/**/tests",
+    "!dist/**/*.test.*"
+  ],
+  "dependencies": {
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/cors": "^11.2.0",
+    "@fastify/rate-limit": "^10.3.0",
+    "@fastify/static": "^9.0.0",
+    "@fastify/swagger": "^9.7.0",
+    "@naisys/erp-shared": "3.0.0-beta.3",
+    "@naisys/common": "3.0.0-beta.3",
+    "@naisys/common-node": "3.0.0-beta.3",
+    "@naisys/hub-database": "3.0.0-beta.3",
+    "@naisys/supervisor-database": "3.0.0-beta.3",
+    "@prisma/adapter-better-sqlite3": "^7.5.0",
+    "@prisma/client": "^7.5.0",
+    "@scalar/fastify-api-reference": "^1.48.7",
+    "bcryptjs": "^3.0.2",
+    "dotenv": "^17.3.1",
+    "fastify": "^5.8.2",
+    "fastify-plugin": "^5.1.0",
+    "fastify-type-provider-zod": "^6.1.0",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.58.2",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/node": "^25.5.0",
+    "prisma": "^7.5.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.0"
+  },
+  "engines": {
+    "node": ">=22.0.0"
+  }
+}