@naisys/erp 3.0.0-beta.8 → 3.0.0

package/dist/generated/prisma/internal/prismaNamespace.js

@@ -225,6 +225,7 @@ export const OperationRunScalarFieldEnum = {
     status: 'status',
     assignedToId: 'assignedToId',
     cost: 'cost',
+    tokens: 'tokens',
     statusNote: 'statusNote',
     completedAt: 'completedAt',
     createdAt: 'createdAt',
@@ -282,7 +283,7 @@ export const UserScalarFieldEnum = {
     uuid: 'uuid',
     username: 'username',
     passwordHash: 'passwordHash',
-    apiKey: 'apiKey',
+    apiKeyHash: 'apiKeyHash',
     isAgent: 'isAgent',
     createdAt: 'createdAt',
     updatedAt: 'updatedAt',
@@ -315,6 +316,7 @@ export const LaborTicketScalarFieldEnum = {
     clockIn: 'clockIn',
     clockOut: 'clockOut',
     cost: 'cost',
+    tokens: 'tokens',
     createdAt: 'createdAt',
     createdById: 'createdById',
     updatedAt: 'updatedAt',

package/dist/middleware/auth-middleware.js

@@ -0,0 +1,146 @@
+import { AuthCache, urlMatchesPrefix } from "@naisys/common";
+import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
+import { findAgentByApiKey } from "@naisys/hub-database";
+import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
+import erpDb from "../database/erpDb.js";
+import { isSupervisorAuth } from "./supervisorAuth.js";
+const PUBLIC_PREFIXES = ["/erp/api/auth/login", "/erp/api/client-config"];
+export const authCache = new AuthCache();
+async function loadPermissions(userId) {
+    const perms = await erpDb.userPermission.findMany({
+        where: { userId },
+        select: { permission: true },
+    });
+    return perms.map((p) => p.permission);
+}
+async function materializeErpUser(localUser) {
+    return {
+        id: localUser.id,
+        username: localUser.username,
+        permissions: await loadPermissions(localUser.id),
+    };
+}
+async function resolveCookie(token) {
+    const tokenHash = hashToken(token);
+    return authCache.getOrLoad(`cookie:${tokenHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadCookieUserSso(tokenHash)
+            : await loadCookieUserStandalone(tokenHash);
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadCookieUserSso(tokenHash) {
+    const session = await findSession(tokenHash);
+    if (!session)
+        return null;
+    return erpDb.user.upsert({
+        where: { uuid: session.uuid },
+        create: { uuid: session.uuid, username: session.username },
+        update: {},
+    });
+}
+async function loadCookieUserStandalone(tokenHash) {
+    const session = await erpDb.session.findUnique({
+        where: { tokenHash, expiresAt: { gt: new Date() } },
+        include: { user: true },
+    });
+    return session?.user ?? null;
+}
+async function resolveApiKey(apiKey) {
+    const apiKeyHash = hashToken(apiKey);
+    return authCache.getOrLoad(`apikey:${apiKeyHash}`, async () => {
+        const localUser = isSupervisorAuth()
+            ? await loadApiKeyUserSso(apiKey)
+            : await erpDb.user.findUnique({ where: { apiKeyHash } });
+        return localUser ? materializeErpUser(localUser) : null;
+    });
+}
+async function loadApiKeyUserSso(apiKey) {
+    // Try supervisor DB (humans + agents with external keys),
+    // then hub DB (agents matching their hub-issued runtime key).
+    const supervisorUser = await findUserByApiKey(apiKey);
+    const hubAgent = supervisorUser ? null : await findAgentByApiKey(apiKey);
+    const match = supervisorUser ?? hubAgent;
+    if (!match)
+        return null;
+    const isAgent = supervisorUser?.isAgent ?? !!hubAgent;
+    return erpDb.user.upsert({
+        where: { uuid: match.uuid },
+        create: { uuid: match.uuid, username: match.username, isAgent },
+        update: {},
+    });
+}
+export function hasPermission(user, permission) {
+    if (!user)
+        return false;
+    return (user.permissions.includes(permission) ||
+        user.permissions.includes("erp_admin"));
+}
+export function requirePermission(permission) {
+    return async (request, reply) => {
+        if (!request.erpUser) {
+            reply.status(401).send({
+                statusCode: 401,
+                error: "Unauthorized",
+                message: "Authentication required",
+            });
+            return;
+        }
+        if (!hasPermission(request.erpUser, permission)) {
+            reply.status(403).send({
+                statusCode: 403,
+                error: "Forbidden",
+                message: `Permission '${permission}' required`,
+                missingPermission: permission,
+            });
+            return;
+        }
+    };
+}
+function isPublicRoute(url) {
+    // Exact match: API root
+    if (url === "/erp/api/" || url === "/erp/api")
+        return true;
+    for (const prefix of PUBLIC_PREFIXES) {
+        if (urlMatchesPrefix(url, prefix))
+            return true;
+    }
+    if (urlMatchesPrefix(url, "/erp/api/schemas"))
+        return true;
+    // Non-ERP-API paths (static files, supervisor routes, etc.)
+    if (!url.startsWith("/erp/api"))
+        return true;
+    return false;
+}
+export function registerAuthMiddleware(fastify) {
+    const publicRead = process.env.PUBLIC_READ === "true";
+    fastify.decorateRequest("erpUser", undefined);
+    fastify.addHook("onRequest", async (request, reply) => {
+        const token = request.cookies?.[SESSION_COOKIE_NAME];
+        if (token) {
+            const user = await resolveCookie(token);
+            if (user)
+                request.erpUser = user;
+        }
+        if (!request.erpUser) {
+            const apiKey = extractBearerToken(request.headers.authorization);
+            if (apiKey) {
+                const user = await resolveApiKey(apiKey);
+                if (user)
+                    request.erpUser = user;
+            }
+        }
+        if (request.erpUser)
+            return; // Authenticated, always allowed
+        if (isPublicRoute(request.url))
+            return; // Public route
+        if (publicRead && request.method === "GET")
+            return; // Public read mode
+        reply.status(401).send({
+            statusCode: 401,
+            error: "Unauthorized",
+            message: "Authentication required",
+        });
+    });
+}
+//# sourceMappingURL=auth-middleware.js.map

package/dist/route-helpers.js

@@ -1,8 +1,8 @@
 import { permGate, resolveActions as resolveActionsBase, } from "@naisys/common";
 import { OperationRunStatus, OrderRunStatus, RevisionStatus, } from "@naisys/erp-shared";
-import { hasPermission } from "./auth-middleware.js";
-import erpDb from "./erpDb.js";
+import erpDb from "./database/erpDb.js";
 import { API_PREFIX, schemaLink, selfLink } from "./hateoas.js";
+import { hasPermission } from "./middleware/auth-middleware.js";
 // --- Prefer: return=representation (RFC 7240) ---
 /**
  * Returns true when the caller wants the full entity in the mutation response.

package/dist/routes/admin.js

@@ -1,13 +1,15 @@
 import { createReadStream, existsSync, statSync } from "node:fs";
 import fs from "node:fs/promises";
 import { AdminAttachmentListRequestSchema, AdminAttachmentListResponseSchema, AdminInfoResponseSchema, ErrorResponseSchema, ServerLogRequestSchema, ServerLogResponseSchema, } from "@naisys/erp-shared";
+import { getHubVariable } from "@naisys/hub-database";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import { erpDbPath } from "../dbConfig.js";
-import erpDb from "../erpDb.js";
+import { ERP_DB_VERSION, erpDbPath } from "../database/dbConfig.js";
+import erpDb from "../database/erpDb.js";
 import { notFound } from "../error-handler.js";
 import { paginationLinks } from "../hateoas.js";
+import { hasPermission, requirePermission, } from "../middleware/auth-middleware.js";
 import { getErpLogPath, tailLogFile } from "../services/log-file-service.js";
+import { getPackageVersion } from "../version.js";
 const API_PREFIX = "/erp/api";
 function adminActions(hasAdminPermission) {
     const actions = [];
@@ -44,13 +46,19 @@ export default function adminRoutes(fastify, _options) {
         const hasAdminPerm = hasPermission(request.erpUser, "erp_admin");
         const actions = adminActions(hasAdminPerm);
         const dbPath = erpDbPath();
-        const erpDbSize = await fs
-            .stat(dbPath)
-            .then((s) => s.size)
-            .catch(() => undefined);
+        const [erpDbSize, targetVersion] = await Promise.all([
+            fs
+                .stat(dbPath)
+                .then((s) => s.size)
+                .catch(() => undefined),
+            getHubVariable("TARGET_VERSION"),
+        ]);
         return {
+            erpVersion: getPackageVersion(),
             erpDbPath: dbPath,
             erpDbSize,
+            erpDbVersion: ERP_DB_VERSION,
+            targetVersion: targetVersion || undefined,
             _actions: actions.length > 0 ? actions : undefined,
         };
     });

package/dist/routes/audit.js

@@ -1,5 +1,5 @@
 import { AuditListResponseSchema, AuditQuerySchema } from "@naisys/erp-shared";
-import erpDb from "../erpDb.js";
+import erpDb from "../database/erpDb.js";
 export default function auditRoutes(fastify) {
     const app = fastify.withTypeProvider();
     app.get("/", {

package/dist/routes/{item-fields.js → items/item-fields.js}

@@ -1,12 +1,12 @@
 import { CreateFieldSchema, ErrorResponseSchema, FieldListResponseSchema, FieldSchema, MutateResponseSchema, SeqNoCreateResponseSchema, UpdateFieldSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, } from "../route-helpers.js";
-import { createField, deleteField, ensureFieldSet, findExistingField, getField, listFields, updateField, } from "../services/field-service.js";
-import { findExisting as findExistingItem } from "../services/item-service.js";
+import erpDb from "../../database/erpDb.js";
+import { notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, permGate, } from "../../route-helpers.js";
+import { findExisting as findExistingItem } from "../../services/inventory/item-service.js";
+import { createField, deleteField, ensureFieldSet, findExistingField, getField, listFields, updateField, } from "../../services/production/field-service.js";
 const ParamsSchema = z.object({ key: z.string() });
 const FieldParamsSchema = z.object({
     key: z.string(),
@@ -27,23 +27,26 @@ function formatField(key, user, field) {
         required: field.required,
         ...formatAuditFields(field),
         _links: childItemLinks(base, field.seqNo, "Fields", `/items/${key}`, "Item", "Field"),
-        _actions: hasPermission(user, "item_manager")
-            ? [
+        _actions: (() => {
+            const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
+            return [
                 {
                     rel: "update",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "PUT",
                     title: "Update",
                     schema: `${API_PREFIX}/schemas/UpdateField`,
+                    ...gate,
                 },
                 {
                     rel: "delete",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "DELETE",
                     title: "Delete",
+                    ...gate,
                 },
-            ]
-            : [],
+            ];
+        })(),
     };
 }
 export default function itemFieldRoutes(fastify) {
@@ -81,17 +84,16 @@ export default function itemFieldRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}${base}/{seqNo}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}${base}`,
-                            method: "POST",
-                            title: "Add Field",
-                            schema: `${API_PREFIX}/schemas/CreateField`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}${base}`,
+                        method: "POST",
+                        title: "Add Field",
+                        schema: `${API_PREFIX}/schemas/CreateField`,
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/{item-instances.js → items/item-instances.js}

@@ -1,12 +1,12 @@
 import { CreateItemInstanceSchema, DeleteSetMutateResponseSchema, ErrorResponseSchema, fieldTypeString, FieldValueMutateResponseSchema, getValueFormatHint, ItemInstanceListQuerySchema, ItemInstanceListResponseSchema, ItemInstanceSchema, KeyCreateResponseSchema, MutateResponseSchema, UpdateFieldValueSchema, UpdateItemInstanceSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import { notFound, unprocessable } from "../error-handler.js";
-import { API_PREFIX, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { formatAuditFields, mutationResult, useFullSerializer, wantsFullResponse, } from "../route-helpers.js";
-import { checkFieldValueShape, deleteFieldValueSet, deserializeFieldValue, serializeFieldValue, upsertFieldValue, validateFieldValue, } from "../services/field-value-service.js";
-import { createItemInstance, deleteItemInstance, ensureItemInstanceFieldRecord, findItemInstance, findItemInstanceWithField, listItemInstances, updateItemInstance, } from "../services/item-instance-service.js";
-import { findExisting as findItem } from "../services/item-service.js";
+import { notFound, unprocessable } from "../../error-handler.js";
+import { API_PREFIX, paginationLinks, schemaLink, selfLink, } from "../../hateoas.js";
+import { hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { formatAuditFields, mutationResult, permGate, useFullSerializer, wantsFullResponse, } from "../../route-helpers.js";
+import { createItemInstance, deleteItemInstance, ensureItemInstanceFieldRecord, findItemInstance, findItemInstanceWithField, listItemInstances, updateItemInstance, } from "../../services/inventory/item-instance-service.js";
+import { findExisting as findItem } from "../../services/inventory/item-service.js";
+import { checkFieldValueShape, deleteFieldValueSet, deserializeFieldValue, serializeFieldValue, upsertFieldValue, validateFieldValue, } from "../../services/production/field-value-service.js";
 const ParamsSchema = z.object({
     key: z.string(),
 });
@@ -59,9 +59,8 @@ function instanceLinks(itemKey, instanceId, inst) {
     return links;
 }
 function instanceActions(itemKey, instanceId, user) {
-    if (!hasPermission(user, "item_manager"))
-        return [];
     const href = `${API_PREFIX}/${instanceBasePath(itemKey)}/${instanceId}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
             rel: "update",
@@ -70,12 +69,14 @@ function instanceActions(itemKey, instanceId, user) {
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateItemInstance`,
             body: { key: "" },
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
     ];
 }
@@ -122,17 +123,35 @@ function buildFieldValues(inst) {
     return fieldValues;
 }
 function buildActionTemplates(itemKey, instanceId, user, hasFields) {
-    if (!hasPermission(user, "item_manager") || !hasFields)
+    if (!hasFields)
         return [];
     const instanceHref = `${API_PREFIX}/${instanceBasePath(itemKey)}/${instanceId}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
-            rel: "updateField",
+            rel: "update-field-value",
             hrefTemplate: `${instanceHref}/fields/{fieldSeqNo}`,
             method: "PUT",
-            title: "Update Field Value",
+            title: "Update Field Value (implicit set 0)",
+            schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
+            body: { value: "" },
+            ...gate,
+        },
+        {
+            rel: "update-set-field-value",
+            hrefTemplate: `${instanceHref}/sets/{setIndex}/fields/{fieldSeqNo}`,
+            method: "PUT",
+            title: "Update Field Value (explicit set index)",
             schema: `${API_PREFIX}/schemas/UpdateFieldValue`,
             body: { value: "" },
+            ...gate,
+        },
+        {
+            rel: "delete-set",
+            hrefTemplate: `${instanceHref}/sets/{setIndex}`,
+            method: "DELETE",
+            title: "Delete Field Value Set",
+            ...gate,
         },
     ];
 }
@@ -202,18 +221,17 @@ export default function itemInstanceRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}/items/${key}/instances/{id}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${base}`,
-                            method: "POST",
-                            title: "Create Instance",
-                            schema: `${API_PREFIX}/schemas/CreateItemInstance`,
-                            body: { key: "" },
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${base}`,
+                        method: "POST",
+                        title: "Create Instance",
+                        schema: `${API_PREFIX}/schemas/CreateItemInstance`,
+                        body: { key: "" },
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/{items.js → items/items.js}

@@ -1,10 +1,10 @@
 import { CreateItemSchema, ErrorResponseSchema, ItemListQuerySchema, ItemListResponseSchema, ItemSchema, KeyCreateResponseSchema, MutateResponseSchema, UpdateItemSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import { notFound } from "../error-handler.js";
-import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, } from "../route-helpers.js";
-import { createItem, deleteItem, findExisting, listItems, updateItem, } from "../services/item-service.js";
+import { notFound } from "../../error-handler.js";
+import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../../hateoas.js";
+import { hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { calcNextSeqNo, childItemLinks, formatAuditFields, mutationResult, permGate, } from "../../route-helpers.js";
+import { createItem, deleteItem, findExisting, listItems, updateItem, } from "../../services/inventory/item-service.js";
 const RESOURCE = "items";
 const KeyParamsSchema = z.object({
     key: z.string(),
@@ -17,9 +17,8 @@ function itemLinks(key) {
     ];
 }
 function itemActions(key, user) {
-    if (!hasPermission(user, "item_manager"))
-        return [];
     const href = `${API_PREFIX}/${RESOURCE}/${key}`;
+    const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
     return [
         {
             rel: "update",
@@ -27,12 +26,14 @@ function itemActions(key, user) {
             method: "PUT",
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateItem`,
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
     ];
 }
@@ -44,17 +45,16 @@ function formatItemFieldListResponse(itemKey, user, fields) {
         total: fields.length,
         nextSeqNo: calcNextSeqNo(maxSeq),
         _links: [selfLink(base)],
-        _actions: hasPermission(user, "item_manager")
-            ? [
-                {
-                    rel: "create",
-                    href: `${API_PREFIX}${base}`,
-                    method: "POST",
-                    title: "Add Field",
-                    schema: `${API_PREFIX}/schemas/CreateField`,
-                },
-            ]
-            : [],
+        _actions: [
+            {
+                rel: "create",
+                href: `${API_PREFIX}${base}`,
+                method: "POST",
+                title: "Add Field",
+                schema: `${API_PREFIX}/schemas/CreateField`,
+                ...permGate(hasPermission(user, "item_manager"), "item_manager"),
+            },
+        ],
     };
 }
 function formatItemField(itemKey, user, field) {
@@ -69,23 +69,26 @@ function formatItemField(itemKey, user, field) {
         required: field.required,
         ...formatAuditFields(field),
         _links: childItemLinks(base, field.seqNo, "Fields", `/items/${itemKey}`, "Item", "Field"),
-        _actions: hasPermission(user, "item_manager")
-            ? [
+        _actions: (() => {
+            const gate = permGate(hasPermission(user, "item_manager"), "item_manager");
+            return [
                 {
                     rel: "update",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "PUT",
                     title: "Update",
                     schema: `${API_PREFIX}/schemas/UpdateField`,
+                    ...gate,
                 },
                 {
                     rel: "delete",
                     href: `${API_PREFIX}${base}/${field.seqNo}`,
                     method: "DELETE",
                     title: "Delete",
+                    ...gate,
                 },
-            ]
-            : [],
+            ];
+        })(),
     };
 }
 function formatItem(item, user) {
@@ -139,17 +142,16 @@ export default function itemRoutes(fastify) {
                 _linkTemplates: [
                     { rel: "item", hrefTemplate: `${API_PREFIX}/items/{key}` },
                 ],
-                _actions: hasPermission(request.erpUser, "item_manager")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${RESOURCE}`,
-                            method: "POST",
-                            title: "Create Item",
-                            schema: `${API_PREFIX}/schemas/CreateItem`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${RESOURCE}`,
+                        method: "POST",
+                        title: "Create Item",
+                        schema: `${API_PREFIX}/schemas/CreateItem`,
+                        ...permGate(hasPermission(request.erpUser, "item_manager"), "item_manager"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/{operation-dependencies.js → operations/operation-dependencies.js}

@@ -1,11 +1,11 @@
 import { CreateOperationDependencySchema, CreateResponseSchema, ErrorResponseSchema, OperationDependencyListResponseSchema, RevisionStatus, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import { conflict, notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { mutationResult, resolveRevision } from "../route-helpers.js";
-import { createDependency, deleteDependency, listDependencies, } from "../services/operation-dependency-service.js";
-import { findExisting } from "../services/operation-service.js";
+import { conflict, notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { mutationResult, resolveRevision } from "../../route-helpers.js";
+import { createDependency, deleteDependency, listDependencies, } from "../../services/operations/operation-dependency-service.js";
+import { findExisting } from "../../services/operations/operation-service.js";
 const ParamsSchema = z.object({
     orderKey: z.string(),
     revNo: z.coerce.number().int(),

package/dist/routes/{operation-field-refs.js → operations/operation-field-refs.js}

@@ -1,11 +1,11 @@
 import { CreateFieldRefSchema, ErrorResponseSchema, FieldRefListResponseSchema, RevisionStatus, SeqNoCreateResponseSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { conflict, notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, mutationResult, resolveActions, resolveOperation, } from "../route-helpers.js";
-import { checkDuplicateSource, createFieldRef, deleteFieldRef, findExistingFieldRef, listFieldRefs, } from "../services/field-ref-service.js";
+import erpDb from "../../database/erpDb.js";
+import { conflict, notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { calcNextSeqNo, childItemLinks, mutationResult, resolveActions, resolveOperation, } from "../../route-helpers.js";
+import { checkDuplicateSource, createFieldRef, deleteFieldRef, findExistingFieldRef, listFieldRefs, } from "../../services/production/field-ref-service.js";
 const ParamsSchema = z.object({
     orderKey: z.string(),
     revNo: z.coerce.number().int(),

package/dist/routes/{operation-run-comments.js → operations/operation-run-comments.js}

@@ -1,10 +1,10 @@
 import { CreateOperationRunCommentSchema, CreateResponseSchema, ErrorResponseSchema, OperationRunCommentListResponseSchema, OperationRunCommentType, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import { notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { mutationResult, resolveActions, resolveOpRun, } from "../route-helpers.js";
-import { createComment, listComments, } from "../services/operation-run-comment-service.js";
+import { notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { mutationResult, resolveActions, resolveOpRun, } from "../../route-helpers.js";
+import { createComment, listComments, } from "../../services/operations/operation-run-comment-service.js";
 function commentResource(orderKey, runNo, seqNo) {
     return `orders/${orderKey}/runs/${runNo}/ops/${seqNo}/comments`;
 }