@naisys/erp 3.0.0-beta.6

package/dist/route-helpers.js

@@ -0,0 +1,220 @@
+import { permGate, resolveActions as resolveActionsBase, } from "@naisys/common";
+import { OperationRunStatus, OrderRunStatus, RevisionStatus, } from "@naisys/erp-shared";
+import { hasPermission } from "./auth-middleware.js";
+import erpDb from "./erpDb.js";
+import { API_PREFIX, schemaLink, selfLink } from "./hateoas.js";
+// --- Prefer: return=representation (RFC 7240) ---
+/**
+ * Returns true when the caller wants the full entity in the mutation response.
+ * UI clients send `Prefer: return=representation`; agents get the slim default.
+ */
+export function wantsFullResponse(request) {
+    const prefer = request.headers["prefer"];
+    return typeof prefer === "string" && prefer.includes("return=representation");
+}
+/**
+ * Override Fastify's schema-driven serializer so every field in the
+ * response object is emitted (not just the ones in the slim schema).
+ */
+export function useFullSerializer(reply) {
+    reply.header("content-type", "application/json; charset=utf-8");
+    reply.serializer(JSON.stringify);
+}
+/**
+ * Return `slim` by default, or `full` when the caller sends
+ * `Prefer: return=representation`.
+ *
+ * For full responses we override the serializer so that Fastify
+ * emits all fields instead of stripping them down to the (slim)
+ * response schema.
+ */
+export function mutationResult(request, reply, full, slim) {
+    if (wantsFullResponse(request)) {
+        useFullSerializer(reply);
+        return full;
+    }
+    return slim;
+}
+// --- Shared Prisma include for audit user fields ---
+export const includeUsers = {
+    createdBy: { select: { username: true } },
+    updatedBy: { select: { username: true } },
+};
+// --- Formatting helpers ---
+export function formatAuditFields(item) {
+    return {
+        createdAt: item.createdAt.toISOString(),
+        createdBy: item.createdBy.username,
+        updatedAt: item.updatedAt.toISOString(),
+        updatedBy: item.updatedBy.username,
+    };
+}
+export function formatDate(d) {
+    return d ? d.toISOString() : null;
+}
+export function calcNextSeqNo(currentMax) {
+    return Math.ceil((currentMax + 1) / 10) * 10;
+}
+// --- HATEOAS helpers ---
+export function childItemLinks(basePath, itemKey, collectionTitle, parentPath, parentTitle, schemaName, parentRel = "parent") {
+    return [
+        selfLink(`${basePath}/${itemKey}`),
+        {
+            rel: "collection",
+            href: `${API_PREFIX}${basePath}`,
+            title: collectionTitle,
+        },
+        {
+            rel: parentRel,
+            href: `${API_PREFIX}${parentPath}`,
+            title: parentTitle,
+        },
+        schemaLink(schemaName),
+    ];
+}
+// --- Declarative action resolver (wraps @naisys/common with ERP permission types) ---
+export { permGate };
+export function resolveActions(defs, baseHref, ctx) {
+    return resolveActionsBase(defs, baseHref, ctx, (perm) => hasPermission(ctx.user, perm));
+}
+export function draftCrudActions(href, updateSchemaName, revStatus, user) {
+    return resolveActions([
+        {
+            rel: "update",
+            method: "PUT",
+            title: "Update",
+            schema: `${API_PREFIX}/schemas/${updateSchemaName}`,
+            permission: "order_planner",
+            disabledWhen: (ctx) => ctx.status !== RevisionStatus.draft
+                ? "Can only edit in draft revisions"
+                : null,
+        },
+        {
+            rel: "delete",
+            method: "DELETE",
+            title: "Delete",
+            permission: "order_planner",
+            statuses: [RevisionStatus.draft],
+            hideWithoutPermission: true,
+        },
+    ], href, { status: revStatus, user });
+}
+// --- Status guards (return error message or null) ---
+export function checkOrderRunStarted(status) {
+    return status !== OrderRunStatus.started
+        ? `Order run is not started (status: ${status})`
+        : null;
+}
+export function checkOpRunInProgress(status) {
+    return status !== OperationRunStatus.in_progress
+        ? `Operation run is not in_progress (status: ${status})`
+        : null;
+}
+/**
+ * If the operation has a work center, check that the user is assigned to it.
+ * Returns an error message or null if access is allowed.
+ */
+export async function checkWorkCenterAccess(operationId, user) {
+    if (hasPermission(user, "erp_admin"))
+        return null;
+    const operation = await erpDb.operation.findUnique({
+        where: { id: operationId },
+        select: {
+            workCenter: {
+                select: {
+                    key: true,
+                    userAssignments: {
+                        where: { userId: user.id },
+                        select: { userId: true },
+                    },
+                },
+            },
+        },
+    });
+    if (!operation?.workCenter)
+        return null; // no work center = open to all
+    if (operation.workCenter.userAssignments.length > 0)
+        return null;
+    return `You are not assigned to work center '${operation.workCenter.key}'`;
+}
+// --- Resolution chains ---
+export async function resolveOrder(orderKey) {
+    return erpDb.order.findUnique({ where: { key: orderKey } });
+}
+export async function resolveRevision(orderKey, revNo) {
+    const order = await resolveOrder(orderKey);
+    if (!order)
+        return null;
+    const rev = await erpDb.orderRevision.findFirst({
+        where: { orderId: order.id, revNo },
+    });
+    if (!rev)
+        return null;
+    return { order, rev };
+}
+export async function resolveOperation(orderKey, revNo, opSeqNo) {
+    const result = await resolveRevision(orderKey, revNo);
+    if (!result)
+        return null;
+    const operation = await erpDb.operation.findFirst({
+        where: { orderRevId: result.rev.id, seqNo: opSeqNo },
+    });
+    if (!operation)
+        return null;
+    return { ...result, operation };
+}
+export async function resolveStep(orderKey, revNo, opSeqNo, stepSeqNo) {
+    const result = await resolveOperation(orderKey, revNo, opSeqNo);
+    if (!result)
+        return null;
+    const step = await erpDb.step.findFirst({
+        where: { operationId: result.operation.id, seqNo: stepSeqNo },
+    });
+    if (!step)
+        return null;
+    return { ...result, step };
+}
+export async function resolveOrderRun(orderKey, runNo) {
+    const order = await resolveOrder(orderKey);
+    if (!order)
+        return null;
+    const run = await erpDb.orderRun.findUnique({
+        where: { orderId_runNo: { orderId: order.id, runNo } },
+    });
+    if (!run)
+        return null;
+    return { order, run };
+}
+export async function resolveOpRun(orderKey, runNo, seqNo) {
+    const result = await resolveOrderRun(orderKey, runNo);
+    if (!result)
+        return null;
+    const operation = await erpDb.operation.findFirst({
+        where: { orderRevId: result.run.orderRevId, seqNo },
+    });
+    if (!operation)
+        return null;
+    const opRun = await erpDb.operationRun.findUnique({
+        where: {
+            orderRunId_operationId: {
+                orderRunId: result.run.id,
+                operationId: operation.id,
+            },
+        },
+    });
+    if (!opRun)
+        return null;
+    return { ...result, opRun };
+}
+export async function resolveStepRun(orderKey, runNo, seqNo, stepSeqNo) {
+    const result = await resolveOpRun(orderKey, runNo, seqNo);
+    if (!result)
+        return null;
+    const stepRun = await erpDb.stepRun.findFirst({
+        where: { operationRunId: result.opRun.id, step: { seqNo: stepSeqNo } },
+    });
+    if (!stepRun)
+        return null;
+    return { ...result, stepRun };
+}
+//# sourceMappingURL=route-helpers.js.map

package/dist/routes/admin.js

@@ -0,0 +1,147 @@
+import { createReadStream, existsSync, statSync } from "node:fs";
+import fs from "node:fs/promises";
+import { AdminAttachmentListRequestSchema, AdminAttachmentListResponseSchema, AdminInfoResponseSchema, ErrorResponseSchema, ServerLogRequestSchema, ServerLogResponseSchema, } from "@naisys/erp-shared";
+import { z } from "zod/v4";
+import { hasPermission, requirePermission } from "../auth-middleware.js";
+import { erpDbPath } from "../dbConfig.js";
+import erpDb from "../erpDb.js";
+import { notFound } from "../error-handler.js";
+import { paginationLinks } from "../hateoas.js";
+import { getErpLogPath, tailLogFile } from "../services/log-file-service.js";
+const API_PREFIX = "/api/erp";
+function adminActions(hasAdminPermission) {
+    const actions = [];
+    if (hasAdminPermission) {
+        actions.push({
+            rel: "view-logs",
+            href: `${API_PREFIX}/admin/logs`,
+            method: "GET",
+            title: "View Logs",
+        });
+        actions.push({
+            rel: "view-attachments",
+            href: `${API_PREFIX}/admin/attachments`,
+            method: "GET",
+            title: "View Attachments",
+        });
+    }
+    return actions;
+}
+export default function adminRoutes(fastify, _options) {
+    // GET / — Admin info
+    fastify.get("/", {
+        preHandler: [requirePermission("erp_admin")],
+        schema: {
+            description: "Get ERP admin system info",
+            tags: ["Admin"],
+            response: {
+                200: AdminInfoResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const hasAdminPerm = hasPermission(request.erpUser, "erp_admin");
+        const actions = adminActions(hasAdminPerm);
+        const dbPath = erpDbPath();
+        const erpDbSize = await fs
+            .stat(dbPath)
+            .then((s) => s.size)
+            .catch(() => undefined);
+        return {
+            erpDbPath: dbPath,
+            erpDbSize,
+            _actions: actions.length > 0 ? actions : undefined,
+        };
+    });
+    // GET /logs — Tail ERP log file
+    fastify.get("/logs", {
+        preHandler: [requirePermission("erp_admin")],
+        schema: {
+            description: "Get tail of the ERP server log file",
+            tags: ["Admin"],
+            querystring: ServerLogRequestSchema,
+            response: {
+                200: ServerLogResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { lines, minLevel } = request.query;
+        const cappedLines = Math.min(lines, 1000);
+        const filePath = getErpLogPath();
+        const { entries, fileSize } = await tailLogFile(filePath, cappedLines, minLevel);
+        return {
+            entries,
+            fileName: "erp.log",
+            fileSize,
+        };
+    });
+    // GET /attachments — List all attachments
+    fastify.get("/attachments", {
+        preHandler: [requirePermission("erp_admin")],
+        schema: {
+            description: "List all uploaded attachments",
+            tags: ["Admin"],
+            querystring: AdminAttachmentListRequestSchema,
+            response: {
+                200: AdminAttachmentListResponseSchema,
+                500: ErrorResponseSchema,
+            },
+            security: [{ cookieAuth: [] }],
+        },
+    }, async (request, _reply) => {
+        const { page, pageSize } = request.query;
+        const skip = (page - 1) * pageSize;
+        const [rows, total] = await Promise.all([
+            erpDb.attachment.findMany({
+                orderBy: { createdAt: "desc" },
+                include: {
+                    uploadedBy: { select: { username: true } },
+                },
+                skip,
+                take: pageSize,
+            }),
+            erpDb.attachment.count(),
+        ]);
+        return {
+            attachments: rows.map((r) => ({
+                id: r.publicId,
+                filename: r.filename,
+                fileSize: r.fileSize,
+                fileHash: r.fileHash,
+                uploadedBy: r.uploadedBy.username,
+                createdAt: r.createdAt.toISOString(),
+            })),
+            total,
+            page,
+            pageSize,
+            _links: paginationLinks("admin/attachments", page, pageSize, total),
+        };
+    });
+    // GET /attachments/:id — Download an attachment by ID
+    fastify.get("/attachments/:id", {
+        preHandler: [requirePermission("erp_admin")],
+        schema: {
+            description: "Download an attachment file by ID",
+            tags: ["Admin"],
+            params: z.object({ id: z.string() }),
+        },
+    }, async (request, reply) => {
+        const att = await erpDb.attachment.findUnique({
+            where: { publicId: request.params.id },
+            select: { filepath: true, filename: true, fileSize: true },
+        });
+        if (!att)
+            return notFound(reply, "Attachment not found");
+        if (!existsSync(att.filepath))
+            return notFound(reply, "Attachment file missing from disk");
+        const stat = statSync(att.filepath);
+        reply.header("content-type", "application/octet-stream");
+        reply.header("content-disposition", `attachment; filename="${att.filename.replace(/"/g, '\\"')}"`);
+        reply.header("content-length", stat.size);
+        return reply.send(createReadStream(att.filepath));
+    });
+}
+//# sourceMappingURL=admin.js.map

package/dist/routes/audit.js

@@ -0,0 +1,36 @@
+import { AuditListResponseSchema, AuditQuerySchema } from "@naisys/erp-shared";
+import erpDb from "../erpDb.js";
+export default function auditRoutes(fastify) {
+    const app = fastify.withTypeProvider();
+    app.get("/", {
+        schema: {
+            description: "Get audit log entries for a given entity",
+            tags: ["Audit"],
+            querystring: AuditQuerySchema,
+            response: {
+                200: AuditListResponseSchema,
+            },
+        },
+        handler: async (request) => {
+            const { entityType, entityId } = request.query;
+            const items = await erpDb.auditLog.findMany({
+                where: { entityType, entityId },
+                orderBy: { createdAt: "desc" },
+            });
+            return {
+                items: items.map((item) => ({
+                    id: item.id,
+                    entityType: item.entityType,
+                    entityId: item.entityId,
+                    action: item.action,
+                    field: item.field,
+                    oldValue: item.oldValue,
+                    newValue: item.newValue,
+                    userId: item.userId,
+                    createdAt: item.createdAt.toISOString(),
+                })),
+            };
+        },
+    });
+}
+//# sourceMappingURL=audit.js.map

package/dist/routes/auth.js

@@ -0,0 +1,112 @@
+import { hashToken, SESSION_COOKIE_NAME, sessionCookieOptions, } from "@naisys/common-node";
+import { authenticateAndCreateSession, deleteSession, } from "@naisys/supervisor-database";
+import { AuthUserSchema, ErrorResponseSchema, LoginRequestSchema, LoginResponseSchema, } from "@naisys/erp-shared";
+import bcrypt from "bcryptjs";
+import { randomUUID } from "crypto";
+import { authCache } from "../auth-middleware.js";
+import erpDb from "../erpDb.js";
+import { unauthorized } from "../error-handler.js";
+import { isSupervisorAuth } from "../supervisorAuth.js";
+const SESSION_DURATION_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
+export default function authRoutes(fastify) {
+    const app = fastify.withTypeProvider();
+    // LOGIN
+    app.post("/login", {
+        config: {
+            rateLimit: {
+                max: 5,
+                timeWindow: "1 minute",
+            },
+        },
+        schema: {
+            description: "Authenticate with username and password",
+            tags: ["Auth"],
+            body: LoginRequestSchema,
+            response: {
+                200: LoginResponseSchema,
+                401: ErrorResponseSchema,
+                429: ErrorResponseSchema,
+            },
+        },
+        handler: async (request, reply) => {
+            const { username, password } = request.body;
+            // SSO mode: authenticate against supervisor DB
+            if (isSupervisorAuth()) {
+                const authResult = await authenticateAndCreateSession(username, password);
+                if (!authResult) {
+                    return unauthorized(reply, "Invalid username or password");
+                }
+                const ssoData = {
+                    username,
+                    passwordHash: authResult.user.passwordHash,
+                };
+                const user = await erpDb.user.upsert({
+                    where: { uuid: authResult.user.uuid },
+                    create: { uuid: authResult.user.uuid, ...ssoData },
+                    update: ssoData,
+                });
+                reply.setCookie(SESSION_COOKIE_NAME, authResult.token, sessionCookieOptions(authResult.expiresAt));
+                return { user: { id: user.id, username: user.username } };
+            }
+            // Standalone mode: authenticate against local DB
+            const user = await erpDb.user.findUnique({ where: { username } });
+            if (!user) {
+                return unauthorized(reply, "Invalid username or password");
+            }
+            const valid = await bcrypt.compare(password, user.passwordHash);
+            if (!valid) {
+                return unauthorized(reply, "Invalid username or password");
+            }
+            const token = randomUUID();
+            const tokenHash = hashToken(token);
+            const expiresAt = new Date(Date.now() + SESSION_DURATION_MS);
+            await erpDb.session.create({
+                data: { userId: user.id, tokenHash, expiresAt },
+            });
+            reply.setCookie(SESSION_COOKIE_NAME, token, sessionCookieOptions(expiresAt));
+            return { user: { id: user.id, username: user.username } };
+        },
+    });
+    // LOGOUT
+    app.post("/logout", {
+        schema: {
+            description: "Log out and clear session",
+            tags: ["Auth"],
+        },
+        handler: async (request, reply) => {
+            const token = request.cookies?.[SESSION_COOKIE_NAME];
+            if (token) {
+                const tokenHash = hashToken(token);
+                authCache.invalidate(`cookie:${tokenHash}`);
+                // Delete from local ERP sessions
+                await erpDb.session.deleteMany({ where: { tokenHash } });
+                // Also delete from supervisor sessions (SSO mode)
+                await deleteSession(tokenHash);
+            }
+            reply.clearCookie(SESSION_COOKIE_NAME, { path: "/" });
+            return { ok: true };
+        },
+    });
+    // ME
+    app.get("/me", {
+        schema: {
+            description: "Get current authenticated user",
+            tags: ["Auth"],
+            response: {
+                200: AuthUserSchema,
+                401: ErrorResponseSchema,
+            },
+        },
+        handler: async (request, reply) => {
+            if (!request.erpUser) {
+                return unauthorized(reply, "Not authenticated");
+            }
+            return {
+                id: request.erpUser.id,
+                username: request.erpUser.username,
+                permissions: request.erpUser.permissions,
+            };
+        },
+    });
+}
+//# sourceMappingURL=auth.js.map

package/dist/routes/dispatch.js

@@ -0,0 +1,174 @@
+import { DispatchListQuerySchema, DispatchListResponseSchema, OperationRunStatus, OrderRunStatus, } from "@naisys/erp-shared";
+import erpDb from "../erpDb.js";
+import { API_PREFIX, paginationLinks } from "../hateoas.js";
+import { getUserWorkCenterIds } from "../services/work-center-service.js";
+const OPEN_ORDER_STATUSES = [OrderRunStatus.released, OrderRunStatus.started];
+const DEFAULT_OP_STATUSES = [
+    OperationRunStatus.pending,
+    OperationRunStatus.in_progress,
+    OperationRunStatus.failed,
+];
+export default function dispatchRoutes(fastify) {
+    const app = fastify.withTypeProvider();
+    app.get("/", {
+        schema: {
+            description: "List operation runs across open orders (dispatch view)",
+            tags: ["Dispatch"],
+            querystring: DispatchListQuerySchema,
+            response: {
+                200: DispatchListResponseSchema,
+            },
+        },
+        handler: async (request) => {
+            const { page, pageSize, status, priority, search, viewAs, canWork, clockedIn, } = request.query;
+            // Resolve the perspective user for canWork computation
+            let perspectiveUserId = request.erpUser?.id;
+            let perspectivePerms = new Set(request.erpUser?.permissions ?? []);
+            if (viewAs) {
+                const viewAsUser = await erpDb.user.findUnique({
+                    where: { username: viewAs },
+                    select: {
+                        id: true,
+                        permissions: { select: { permission: true } },
+                    },
+                });
+                if (viewAsUser) {
+                    perspectiveUserId = viewAsUser.id;
+                    perspectivePerms = new Set(viewAsUser.permissions.map((p) => p.permission));
+                }
+            }
+            const isExecutor = perspectivePerms.has("order_executor");
+            const isManager = perspectivePerms.has("order_manager");
+            // Pre-fetch perspective user's work center IDs for canWork computation + filtering
+            const userWcIds = perspectiveUserId
+                ? await getUserWorkCenterIds(perspectiveUserId)
+                : [];
+            const userWcIdSet = new Set(userWcIds);
+            const where = {
+                status: { in: status ? [status] : DEFAULT_OP_STATUSES },
+                orderRun: {
+                    status: { in: OPEN_ORDER_STATUSES },
+                    ...(priority ? { priority } : {}),
+                },
+            };
+            // canWork filter: only show ops where the perspective user can work
+            if (canWork) {
+                // Restrict to statuses the user has permission for
+                const workableStatuses = [];
+                if (isExecutor) {
+                    workableStatuses.push(OperationRunStatus.pending, OperationRunStatus.in_progress);
+                }
+                if (isManager) {
+                    workableStatuses.push(OperationRunStatus.failed);
+                }
+                // Intersect with the requested status filter
+                const currentStatuses = status ? [status] : DEFAULT_OP_STATUSES;
+                const filteredStatuses = currentStatuses.filter((s) => workableStatuses.includes(s));
+                where.status = {
+                    in: filteredStatuses.length > 0 ? filteredStatuses : ["__none__"],
+                };
+                // Work center access
+                if (userWcIds.length > 0) {
+                    where.operation = {
+                        OR: [{ workCenterId: null }, { workCenterId: { in: userWcIds } }],
+                    };
+                }
+            }
+            if (search) {
+                where.OR = [
+                    { operation: { title: { contains: search } } },
+                    { assignedTo: { username: { contains: search } } },
+                    { orderRun: { order: { key: { contains: search } } } },
+                ];
+            }
+            if (clockedIn) {
+                where.laborTickets = { some: { clockOut: null } };
+            }
+            const [items, total] = await Promise.all([
+                erpDb.operationRun.findMany({
+                    where,
+                    include: {
+                        operation: {
+                            select: {
+                                seqNo: true,
+                                title: true,
+                                workCenter: { select: { key: true, id: true } },
+                            },
+                        },
+                        assignedTo: { select: { username: true } },
+                        orderRun: {
+                            select: {
+                                runNo: true,
+                                priority: true,
+                                dueAt: true,
+                                order: { select: { key: true } },
+                                orderRev: { select: { revNo: true } },
+                            },
+                        },
+                    },
+                    skip: (page - 1) * pageSize,
+                    take: pageSize,
+                    orderBy: { orderRun: { dueAt: "asc" } },
+                }),
+                erpDb.operationRun.count({ where }),
+            ]);
+            return {
+                items: items.map((opRun) => {
+                    const wcId = opRun.operation.workCenter?.id ?? null;
+                    const hasWcAccess = wcId === null || userWcIdSet.has(wcId);
+                    // canWork: work center access + permission for the op status
+                    const hasStatusPerm = opRun.status === OperationRunStatus.failed ? isManager : isExecutor;
+                    const itemCanWork = hasWcAccess && hasStatusPerm;
+                    return {
+                        id: opRun.id,
+                        orderKey: opRun.orderRun.order.key,
+                        revNo: opRun.orderRun.orderRev.revNo,
+                        runNo: opRun.orderRun.runNo,
+                        seqNo: opRun.operation.seqNo,
+                        title: opRun.operation.title,
+                        workCenterKey: opRun.operation.workCenter?.key ?? null,
+                        canWork: itemCanWork,
+                        status: opRun.status,
+                        priority: opRun.orderRun.priority,
+                        assignedTo: opRun.assignedTo?.username ?? null,
+                        dueAt: opRun.orderRun.dueAt,
+                        createdAt: opRun.createdAt.toISOString(),
+                    };
+                }),
+                total,
+                page,
+                pageSize,
+                _links: [
+                    ...paginationLinks("dispatch", page, pageSize, total, {
+                        status,
+                        priority,
+                        search,
+                        viewAs,
+                        canWork: canWork ? "true" : undefined,
+                        clockedIn: clockedIn ? "true" : undefined,
+                    }),
+                    {
+                        rel: "work-centers",
+                        href: `${API_PREFIX}/work-centers`,
+                        title: "Work Centers",
+                    },
+                ],
+                _linkTemplates: [
+                    {
+                        rel: "item",
+                        hrefTemplate: `${API_PREFIX}/orders/{orderKey}/runs/{runNo}/ops/{seqNo}`,
+                    },
+                ],
+                _actionTemplates: [
+                    {
+                        rel: "viewOperationRun",
+                        hrefTemplate: `${API_PREFIX}/orders/{orderKey}/runs/{runNo}/ops/{seqNo}`,
+                        method: "GET",
+                        title: "View Operation Run",
+                    },
+                ],
+            };
+        },
+    });
+}
+//# sourceMappingURL=dispatch.js.map