@naisys/erp 3.0.0-beta.35 → 3.0.0-beta.37

package/client-dist/assets/{index-D3fO2pbt.js → index-jH5OYerq.js}

@@ -83,7 +83,7 @@ var LlmModelSchema = object({
 	outputCost: number().default(0),
 	cacheWriteCost: number().optional(),
 	cacheReadCost: number().optional(),
-	cacheTtlSeconds: number().int().positive().optional(),
+	cacheTtlSeconds: number().int().min(300).optional(),
 	supportsVision: boolean().optional(),
 	supportsHearing: boolean().optional(),
 	supportsComputerUse: boolean().optional()
@@ -127,7 +127,7 @@ object({
 	outputCost: number().default(0),
 	cacheWriteCost: number().optional(),
 	cacheReadCost: number().optional(),
-	cacheTtlSeconds: number().int().positive().optional(),
+	cacheTtlSeconds: number().int().min(300).optional(),
 	supportsVision: boolean().optional(),
 	supportsHearing: boolean().optional(),
 	supportsComputerUse: boolean().optional()

package/client-dist/index.html

@@ -4,6 +4,18 @@
     <meta charset="UTF-8" />
 
     <link rel="icon" type="image/x-icon" href="/erp/favicon.ico" />
+    <link
+      rel="icon"
+      type="image/png"
+      sizes="32x32"
+      href="/erp/favicon-32x32.png"
+    />
+    <link
+      rel="icon"
+      type="image/png"
+      sizes="16x16"
+      href="/erp/favicon-16x16.png"
+    />
     <link
       rel="apple-touch-icon"
       sizes="180x180"
@@ -33,7 +45,7 @@
     <meta name="format-detection" content="telephone=no" />
 
     <title>NAISYS ERP</title>
-    <script type="module" crossorigin src="/erp/assets/index-D3fO2pbt.js"></script>
+    <script type="module" crossorigin src="/erp/assets/index-jH5OYerq.js"></script>
     <link rel="modulepreload" crossorigin href="/erp/assets/rolldown-runtime-CvHMtSRF.js">
     <link rel="modulepreload" crossorigin href="/erp/assets/vendor-DFaFIeiT.js">
     <link rel="stylesheet" crossorigin href="/erp/assets/vendor-CLUPjUnv.css">

package/dist/auth-middleware.js

@@ -83,7 +83,7 @@ export function registerAuthMiddleware(fastify) {
                             data: {
                                 uuid: session.uuid,
                                 username: session.username,
-                                passwordHash: session.passwordHash,
+                                passwordHash: "!sso-passkey-only",
                             },
                         });
                     }

package/dist/erpServer.js

@@ -178,6 +178,7 @@ async function startServer(wizardRan) {
         console.error("[ERP] Failed to start:", err);
         process.exit(1);
     }
+    return fastify;
 }
 // Start server if this file is run directly
 if (process.argv[1] === fileURLToPath(import.meta.url)) {
@@ -207,6 +208,24 @@ if (process.argv[1] === fileURLToPath(import.meta.url)) {
         expandNaisysFolder();
     }
     wizardRan = (await ensureDotEnv(erpExampleUrl, erpWizardConfig)) || wizardRan;
-    void startServer(wizardRan);
+    const fastify = await startServer(wizardRan);
+    let shuttingDown = false;
+    const handleShutdown = async (signal) => {
+        if (shuttingDown) {
+            console.log("[ERP] Force exit");
+            process.exit(1);
+        }
+        shuttingDown = true;
+        console.log(`[ERP] Shutting down (${signal})...`);
+        try {
+            await fastify.close();
+        }
+        catch (err) {
+            console.error("[ERP] Error during fastify.close():", err);
+        }
+        process.exit(0);
+    };
+    process.on("SIGTERM", () => void handleShutdown("SIGTERM"));
+    process.on("SIGINT", () => void handleShutdown("SIGINT"));
 }
 //# sourceMappingURL=erpServer.js.map

package/dist/routes/auth.js

@@ -1,6 +1,6 @@
 import { hashToken, SESSION_COOKIE_NAME, sessionCookieOptions, } from "@naisys/common-node";
 import { AuthUserSchema, ErrorResponseSchema, LoginRequestSchema, LoginResponseSchema, } from "@naisys/erp-shared";
-import { authenticateAndCreateSession, deleteSession, } from "@naisys/supervisor-database";
+import { deleteSession } from "@naisys/supervisor-database";
 import bcrypt from "bcryptjs";
 import { randomUUID } from "crypto";
 import { authCache } from "../auth-middleware.js";
@@ -14,7 +14,7 @@ export default function authRoutes(fastify) {
     app.post("/login", {
         config: {
             rateLimit: {
-                max: 5,
+                max: Number(process.env.AUTH_LOGIN_RATE_LIMIT) || 5,
                 timeWindow: "1 minute",
             },
         },
@@ -30,23 +30,11 @@ export default function authRoutes(fastify) {
         },
         handler: async (request, reply) => {
             const { username, password } = request.body;
-            // SSO mode: authenticate against supervisor DB
+            // SSO mode: supervisor handles login via passkey. ERP doesn't accept
+            // password credentials at all — clients should authenticate against
+            // /supervisor/login and reuse the resulting session cookie here.
             if (isSupervisorAuth()) {
-                const authResult = await authenticateAndCreateSession(username, password);
-                if (!authResult) {
-                    return unauthorized(reply, "Invalid username or password");
-                }
-                const ssoData = {
-                    username,
-                    passwordHash: authResult.user.passwordHash,
-                };
-                const user = await erpDb.user.upsert({
-                    where: { uuid: authResult.user.uuid },
-                    create: { uuid: authResult.user.uuid, ...ssoData },
-                    update: ssoData,
-                });
-                reply.setCookie(SESSION_COOKIE_NAME, authResult.token, sessionCookieOptions(authResult.expiresAt));
-                return { user: { id: user.id, username: user.username } };
+                return unauthorized(reply, "Sign in via the supervisor login page (passkey required)");
             }
             // Standalone mode: authenticate against local DB
             const user = await erpDb.user.findUnique({ where: { username } });

package/dist/userService.js

@@ -45,12 +45,13 @@ export async function ensureLocalSuperAdmin(password) {
     if (agentCount > 0) {
         console.warn(`[ERP] Warning: ${agentCount} agent user(s) found but supervisor auth is disabled. ` +
             `Agent API key lookups and authentication will not work. ` +
-            `Start with --supervisor-auth to enable.`);
+            `Set SUPERVISOR_AUTH=true to enable.`);
     }
 }
 /**
  * Sync superadmin from supervisor into ERP DB and ensure permissions.
- * For supervisor auth mode.
+ * For supervisor auth mode. The supervisor uses passkey-only auth, so the
+ * mirrored ERP row stores a sentinel passwordHash that can never match.
  */
 export async function ensureSupervisorSuperAdmin() {
     const result = await ensureSuperAdmin();
@@ -59,12 +60,11 @@ export async function ensureSupervisorSuperAdmin() {
         create: {
             uuid: result.user.uuid,
             username: result.user.username,
-            passwordHash: result.user.passwordHash,
+            passwordHash: "!sso-passkey-only",
             apiKey: result.user.apiKey,
         },
         update: {
             username: result.user.username,
-            passwordHash: result.user.passwordHash,
             apiKey: result.user.apiKey,
         },
     });

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "@naisys/erp",
-  "version": "3.0.0-beta.35",
+  "version": "3.0.0-beta.37",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@naisys/erp",
-      "version": "3.0.0-beta.35",
+      "version": "3.0.0-beta.37",
       "dependencies": {
         "@fastify/cookie": "^11.0.2",
         "@fastify/cors": "^11.2.0",
@@ -14,11 +14,11 @@
         "@fastify/rate-limit": "^10.3.0",
         "@fastify/static": "^9.0.0",
         "@fastify/swagger": "^9.7.0",
-        "@naisys/common": "3.0.0-beta.35",
-        "@naisys/common-node": "3.0.0-beta.35",
-        "@naisys/erp-shared": "3.0.0-beta.35",
-        "@naisys/hub-database": "3.0.0-beta.35",
-        "@naisys/supervisor-database": "3.0.0-beta.35",
+        "@naisys/common": "3.0.0-beta.37",
+        "@naisys/common-node": "3.0.0-beta.37",
+        "@naisys/erp-shared": "3.0.0-beta.37",
+        "@naisys/hub-database": "3.0.0-beta.37",
+        "@naisys/supervisor-database": "3.0.0-beta.37",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "@scalar/fastify-api-reference": "^1.48.7",
@@ -394,41 +394,41 @@
       }
     },
     "node_modules/@naisys/common": {
-      "version": "3.0.0-beta.35",
-      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.35.tgz",
-      "integrity": "sha512-8SvMZ/D8Ll+ZbnlhovI22Z3sTOhb3im3NLJda9VkBFDJQdfDqacV72YnHmNaG/39VthEzTSn0yrSirJ0O6cgHA==",
+      "version": "3.0.0-beta.37",
+      "resolved": "https://registry.npmjs.org/@naisys/common/-/common-3.0.0-beta.37.tgz",
+      "integrity": "sha512-b0XfCadaPcfewmK9b649WD+ZGB86Uk9BjTrx/tLSgd5Nbx7L6NuzTqTnDFScdeCmtyPk4oUGAzATmXwKTM8bew==",
       "dependencies": {
         "semver": "^7.7.4",
         "zod": "^4.3.6"
       }
     },
     "node_modules/@naisys/common-node": {
-      "version": "3.0.0-beta.35",
-      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.35.tgz",
-      "integrity": "sha512-IpGH9HepjRATQ0AdQby5sd98keBH3TKcXRhRZpUH13j/vRLlbhZOZgzkqQz/55jrRbbSI84EVGZPxly1dUn/XQ==",
+      "version": "3.0.0-beta.37",
+      "resolved": "https://registry.npmjs.org/@naisys/common-node/-/common-node-3.0.0-beta.37.tgz",
+      "integrity": "sha512-V4yyA79G93OSqZ+6l5FWoMqnATE2It78VkGyziNTqcrv2CIf8UDGbds7hHV+bp/0VplNe6BrZ4P7quYvgyCeeQ==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.35",
+        "@naisys/common": "3.0.0-beta.37",
         "better-sqlite3": "^12.6.2",
         "js-yaml": "^4.1.1",
         "pino": "^10.3.1"
       }
     },
     "node_modules/@naisys/erp-shared": {
-      "version": "3.0.0-beta.35",
-      "resolved": "https://registry.npmjs.org/@naisys/erp-shared/-/erp-shared-3.0.0-beta.35.tgz",
-      "integrity": "sha512-wJvAUXNvc7SXvI6JvpQTA2e+1ulW1N0GuPbBhTMh+lMAHEoghkJRuxITsI2VL28Ygsfzdqyk68pLlvTis1VyrQ==",
+      "version": "3.0.0-beta.37",
+      "resolved": "https://registry.npmjs.org/@naisys/erp-shared/-/erp-shared-3.0.0-beta.37.tgz",
+      "integrity": "sha512-CjHqdXX/kmrEROLdqiLK6kTIauK2InTiXfOjyhtTQRVrB3TPmhsnH4qtnFGCDu2G00o2l+D30YUGyFt0ZrQyVw==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.35",
+        "@naisys/common": "3.0.0-beta.37",
         "zod": "^4.3.6"
       }
     },
     "node_modules/@naisys/hub-database": {
-      "version": "3.0.0-beta.35",
-      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.35.tgz",
-      "integrity": "sha512-AE1wNMm/kMG/FL8VM8OWJiklA08DHi4iFf6HmZIshvK+br/Llt5h8yh3rSAn5gpYuGcstDjmDKsYm+v79QqtUw==",
+      "version": "3.0.0-beta.37",
+      "resolved": "https://registry.npmjs.org/@naisys/hub-database/-/hub-database-3.0.0-beta.37.tgz",
+      "integrity": "sha512-PI8Jj4niCc6agObLWpP+Am8nrNcwAAk77/OmZmUWq1ZiBW+m5C60PFdfBvzLEZX/6G/JOb0VvI9oLpzFD6VRKg==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.35",
-        "@naisys/common-node": "3.0.0-beta.35",
+        "@naisys/common": "3.0.0-beta.37",
+        "@naisys/common-node": "3.0.0-beta.37",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "better-sqlite3": "^12.6.2",
@@ -436,12 +436,12 @@
       }
     },
     "node_modules/@naisys/supervisor-database": {
-      "version": "3.0.0-beta.35",
-      "resolved": "https://registry.npmjs.org/@naisys/supervisor-database/-/supervisor-database-3.0.0-beta.35.tgz",
-      "integrity": "sha512-1KEq757n7xfHpO0/cm5iDsmMUv914rxqL9C0pmMsIZro4yK+ma+NeRYmTjpRd4rBS+M1qKn7Tf8VP92D5dUeDQ==",
+      "version": "3.0.0-beta.37",
+      "resolved": "https://registry.npmjs.org/@naisys/supervisor-database/-/supervisor-database-3.0.0-beta.37.tgz",
+      "integrity": "sha512-NSbw5kbBYZIBB7aRkuhMfaARuU8P61RZK1ME1AlEL2UB0DMmXoys1MD49wC2hafP+/MV0B6miLAOIjfy7BAR1g==",
       "dependencies": {
-        "@naisys/common": "3.0.0-beta.35",
-        "@naisys/common-node": "3.0.0-beta.35",
+        "@naisys/common": "3.0.0-beta.37",
+        "@naisys/common-node": "3.0.0-beta.37",
         "@prisma/adapter-better-sqlite3": "^7.5.0",
         "@prisma/client": "^7.5.0",
         "bcryptjs": "^3.0.2",
@@ -940,9 +940,9 @@
       "license": "MIT"
     },
     "node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz",
+      "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naisys/erp",
-  "version": "3.0.0-beta.35",
+  "version": "3.0.0-beta.37",
   "description": "NAISYS ERP - Web UI for AI-driven order and work management",
   "type": "module",
   "main": "dist/erpServer.js",
@@ -46,11 +46,11 @@
     "@fastify/rate-limit": "^10.3.0",
     "@fastify/static": "^9.0.0",
     "@fastify/swagger": "^9.7.0",
-    "@naisys/erp-shared": "3.0.0-beta.35",
-    "@naisys/common": "3.0.0-beta.35",
-    "@naisys/common-node": "3.0.0-beta.35",
-    "@naisys/hub-database": "3.0.0-beta.35",
-    "@naisys/supervisor-database": "3.0.0-beta.35",
+    "@naisys/common": "3.0.0-beta.37",
+    "@naisys/common-node": "3.0.0-beta.37",
+    "@naisys/erp-shared": "3.0.0-beta.37",
+    "@naisys/hub-database": "3.0.0-beta.37",
+    "@naisys/supervisor-database": "3.0.0-beta.37",
     "@prisma/adapter-better-sqlite3": "^7.5.0",
     "@prisma/client": "^7.5.0",
     "@scalar/fastify-api-reference": "^1.48.7",
@@ -65,6 +65,7 @@
     "@playwright/test": "^1.58.2",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^25.5.0",
+    "@vitest/coverage-v8": "^4.1.5",
     "prisma": "^7.5.0",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",