npm - @naisys/erp - Versions diffs - 3.0.0-beta.9 → 3.0.0 - Mend

@naisys/erp 3.0.0-beta.9 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/routes/{work-centers.js → production/work-centers.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import { AssignWorkCenterUserSchema, CreateWorkCenterSchema, ErrorResponseSchema, KeyCreateResponseSchema, MutateResponseSchema, UpdateWorkCenterSchema, WorkCenterListQuerySchema, WorkCenterListResponseSchema, WorkCenterSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission, requirePermission } from "../auth-middleware.js";
-import { notFound } from "../error-handler.js";
-import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { formatAuditFields, mutationResult } from "../route-helpers.js";
-import { assignUser, createWorkCenter, deleteWorkCenter, findExisting, listWorkCenters, removeUser, updateWorkCenter, } from "../services/work-center-service.js";
+import { notFound } from "../../error-handler.js";
+import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../../hateoas.js";
+import { hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { formatAuditFields, mutationResult, permGate, } from "../../route-helpers.js";
+import { assignUser, createWorkCenter, deleteWorkCenter, findExisting, listWorkCenters, removeUser, updateWorkCenter, } from "../../services/production/work-center-service.js";
 const RESOURCE = "work-centers";
 const KeyParamsSchema = z.object({
     key: z.string(),
@@ -21,9 +21,8 @@ function wcLinks(key) {
     ];
 }
 function wcActions(key, user) {
-    if (!hasPermission(user, "erp_admin"))
-        return [];
     const href = `${API_PREFIX}/${RESOURCE}/${key}`;
+    const gate = permGate(hasPermission(user, "erp_admin"), "erp_admin");
     return [
         {
             rel: "update",
@@ -31,12 +30,14 @@ function wcActions(key, user) {
             method: "PUT",
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateWorkCenter`,
+            ...gate,
         },
         {
             rel: "delete",
             href,
             method: "DELETE",
             title: "Delete",
+            ...gate,
         },
         {
             rel: "assignUser",
@@ -44,11 +45,12 @@ function wcActions(key, user) {
             method: "POST",
             title: "Assign User",
             schema: `${API_PREFIX}/schemas/AssignWorkCenterUser`,
+            ...gate,
         },
     ];
 }
 function formatWorkCenter(wc, user) {
-    const isAdmin = hasPermission(user, "erp_admin");
+    const adminGate = permGate(hasPermission(user, "erp_admin"), "erp_admin");
     return {
         id: wc.id,
         key: wc.key,
@@ -58,16 +60,15 @@ function formatWorkCenter(wc, user) {
             username: a.user.username,
             createdAt: a.createdAt.toISOString(),
             createdBy: a.createdBy?.username ?? null,
-            _actions: isAdmin
-                ? [
-                    {
-                        rel: "remove",
-                        href: `${API_PREFIX}/${RESOURCE}/${wc.key}/users/${a.user.username}`,
-                        method: "DELETE",
-                        title: "Remove",
-                    },
-                ]
-                : [],
+            _actions: [
+                {
+                    rel: "remove",
+                    href: `${API_PREFIX}/${RESOURCE}/${wc.key}/users/${a.user.username}`,
+                    method: "DELETE",
+                    title: "Remove",
+                    ...adminGate,
+                },
+            ],
         })),
         ...formatAuditFields(wc),
         _links: wcLinks(wc.key),
@@ -117,17 +118,16 @@ export default function workCenterRoutes(fastify) {
                         hrefTemplate: `${API_PREFIX}/work-centers/{key}`,
                     },
                 ],
-                _actions: hasPermission(request.erpUser, "erp_admin")
-                    ? [
-                        {
-                            rel: "create",
-                            href: `${API_PREFIX}/${RESOURCE}`,
-                            method: "POST",
-                            title: "Create Work Center",
-                            schema: `${API_PREFIX}/schemas/CreateWorkCenter`,
-                        },
-                    ]
-                    : [],
+                _actions: [
+                    {
+                        rel: "create",
+                        href: `${API_PREFIX}/${RESOURCE}`,
+                        method: "POST",
+                        title: "Create Work Center",
+                        schema: `${API_PREFIX}/schemas/CreateWorkCenter`,
+                        ...permGate(hasPermission(request.erpUser, "erp_admin"), "erp_admin"),
+                    },
+                ],
             };
         },
     });

package/dist/routes/root.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { hasPermission } from "../auth-middleware.js";
+import { hasPermission } from "../middleware/auth-middleware.js";
 export default function rootRoute(fastify) {
     fastify.get("/", {
         schema: {

package/dist/routes/{step-field-attachments.js → steps/step-field-attachments.js} RENAMED Viewed

@@ -2,14 +2,14 @@ import { mimeFromFilename } from "@naisys/common";
 import { ErrorResponseSchema, UploadAttachmentResponseSchema, } from "@naisys/erp-shared";
 import { createReadStream, existsSync, statSync } from "fs";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { conflict, notFound } from "../error-handler.js";
-import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, resolveStepRun, } from "../route-helpers.js";
-import { deleteFieldAttachment, getAttachmentFilePath, uploadAttachment, } from "../services/attachment-service.js";
-import { ensureStepRunFieldRecord } from "../services/field-service.js";
-import { findStepRunWithField, rebuildAttachmentFieldValue, upsertFieldValue, } from "../services/field-value-service.js";
-import { isUserClockedIn } from "../services/labor-ticket-service.js";
+import erpDb from "../../database/erpDb.js";
+import { conflict, notFound } from "../../error-handler.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, resolveStepRun, } from "../../route-helpers.js";
+import { deleteFieldAttachment, getAttachmentFilePath, uploadAttachment, } from "../../services/attachment-service.js";
+import { ensureStepRunFieldRecord } from "../../services/production/field-service.js";
+import { findStepRunWithField, rebuildAttachmentFieldValue, upsertFieldValue, } from "../../services/production/field-value-service.js";
+import { isUserClockedIn } from "../../services/production/labor-ticket-service.js";
 const FieldSeqNoParamsSchema = z.object({
     orderKey: z.string(),
     runNo: z.coerce.number().int(),

package/dist/routes/{step-fields.js → steps/step-fields.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import { BatchCreateFieldSchema, BatchSeqNoCreateResponseSchema, CreateFieldSchema, ErrorResponseSchema, FieldListResponseSchema, FieldSchema, MutateResponseSchema, RevisionStatus, SeqNoCreateResponseSchema, UpdateFieldSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { conflict, notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, draftCrudActions, formatAuditFields, mutationResult, resolveActions, resolveStep, } from "../route-helpers.js";
-import { createField, createFields, deleteField, ensureFieldSet, findExistingField, getField, listFields, updateField, } from "../services/field-service.js";
+import erpDb from "../../database/erpDb.js";
+import { conflict, notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { calcNextSeqNo, childItemLinks, draftCrudActions, formatAuditFields, mutationResult, resolveActions, resolveStep, } from "../../route-helpers.js";
+import { createField, createFields, deleteField, ensureFieldSet, findExistingField, getField, listFields, updateField, } from "../../services/production/field-service.js";
 const ParamsSchema = z.object({
     orderKey: z.string(),
     revNo: z.coerce.number().int(),

package/dist/routes/{step-run-fields.js → steps/step-run-fields.js} RENAMED Viewed

@@ -1,14 +1,14 @@
 import { BatchFieldValueMutateResponseSchema, BatchFieldValueUpdateResponseSchema, BatchUpdateFieldValuesSchema, DeleteSetMutateResponseSchema, ErrorResponseSchema, fieldTypeString, FieldValueMutateResponseSchema, getValueFormatHint, UpdateFieldValueSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { conflict, notFound, unprocessable } from "../error-handler.js";
-import { API_PREFIX } from "../hateoas.js";
-import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, mutationResult, resolveStepRun, } from "../route-helpers.js";
-import { ensureStepRunFieldRecord } from "../services/field-service.js";
-import { checkFieldValueShape, clearAttachmentFieldValue, deleteFieldValueSet, deserializeFieldValue, findStepRunWithField, serializeFieldValue, upsertFieldValue, validateFieldValue, } from "../services/field-value-service.js";
-import { isUserClockedIn } from "../services/labor-ticket-service.js";
-import { getStepRunWithFields } from "../services/step-run-service.js";
+import erpDb from "../../database/erpDb.js";
+import { conflict, notFound, unprocessable } from "../../error-handler.js";
+import { API_PREFIX } from "../../hateoas.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, mutationResult, resolveStepRun, } from "../../route-helpers.js";
+import { getStepRunWithFields } from "../../services/operations/step-run-service.js";
+import { ensureStepRunFieldRecord } from "../../services/production/field-service.js";
+import { checkFieldValueShape, clearAttachmentFieldValue, deleteFieldValueSet, deserializeFieldValue, findStepRunWithField, serializeFieldValue, upsertFieldValue, validateFieldValue, } from "../../services/production/field-value-service.js";
+import { isUserClockedIn } from "../../services/production/labor-ticket-service.js";
 import { computeStepRunHateoas, stepRunResource } from "./step-runs.js";
 const FieldSeqNoParamsSchema = z.object({
     orderKey: z.string(),

package/dist/routes/{step-run-transitions.js → steps/step-run-transitions.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import { ErrorResponseSchema, StepRunTransitionSlimSchema, TransitionNoteSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import { conflict, notFound, unprocessable } from "../error-handler.js";
-import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, mutationResult, resolveStepRun, } from "../route-helpers.js";
-import { validateCompletionFields } from "../services/field-value-service.js";
-import { isUserClockedIn } from "../services/labor-ticket-service.js";
-import { getStepRunWithFields, updateStepRun, } from "../services/step-run-service.js";
+import { conflict, notFound, unprocessable } from "../../error-handler.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { checkOpRunInProgress, checkOrderRunStarted, checkWorkCenterAccess, mutationResult, resolveStepRun, } from "../../route-helpers.js";
+import { getStepRunWithFields, updateStepRun, } from "../../services/operations/step-run-service.js";
+import { validateCompletionFields } from "../../services/production/field-value-service.js";
+import { isUserClockedIn } from "../../services/production/labor-ticket-service.js";
 import { formatStepRunTransition } from "./step-runs.js";
 const StepSeqNoParamsSchema = z.object({
     orderKey: z.string(),

package/dist/routes/{step-runs.js → steps/step-runs.js} RENAMED Viewed

@@ -1,12 +1,12 @@
 import { ErrorResponseSchema, fieldTypeString, getValueFormatHint, OperationRunStatus, StepRunListQuerySchema, StepRunListResponseSchema, StepRunSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { hasPermission } from "../auth-middleware.js";
-import { notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { checkWorkCenterAccess, childItemLinks, formatAuditFields, resolveActions, resolveOpRun, resolveStepRun, } from "../route-helpers.js";
-import { deserializeFieldValue, validateCompletionFields, validateFieldValue, } from "../services/field-value-service.js";
-import { isUserClockedIn } from "../services/labor-ticket-service.js";
-import { getStepRunWithFields, listStepRuns, listStepRunsWithFields, } from "../services/step-run-service.js";
+import { notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { hasPermission } from "../../middleware/auth-middleware.js";
+import { checkWorkCenterAccess, childItemLinks, formatAuditFields, resolveActions, resolveOpRun, resolveStepRun, } from "../../route-helpers.js";
+import { getStepRunWithFields, listStepRuns, listStepRunsWithFields, } from "../../services/operations/step-run-service.js";
+import { deserializeFieldValue, validateCompletionFields, validateFieldValue, } from "../../services/production/field-value-service.js";
+import { isUserClockedIn } from "../../services/production/labor-ticket-service.js";
 export function stepRunResource(orderKey, runNo, seqNo) {
     return `orders/${orderKey}/runs/${runNo}/ops/${seqNo}/steps`;
 }

package/dist/routes/{steps.js → steps/steps.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import { BatchCreateStepSchema, BatchSeqNoCreateResponseSchema, CreateStepSchema, ErrorResponseSchema, MutateResponseSchema, RevisionStatus, SeqNoCreateResponseSchema, StepListResponseSchema, StepSchema, UpdateStepSchema, } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { requirePermission } from "../auth-middleware.js";
-import { conflict, notFound } from "../error-handler.js";
-import { API_PREFIX, selfLink } from "../hateoas.js";
-import { calcNextSeqNo, childItemLinks, draftCrudActions, formatAuditFields, mutationResult, resolveActions, resolveOperation, } from "../route-helpers.js";
-import { createStep, createSteps, deleteStep, findExisting, getStep, listSteps, updateStep, } from "../services/step-service.js";
+import { conflict, notFound } from "../../error-handler.js";
+import { API_PREFIX, selfLink } from "../../hateoas.js";
+import { requirePermission } from "../../middleware/auth-middleware.js";
+import { calcNextSeqNo, childItemLinks, draftCrudActions, formatAuditFields, mutationResult, resolveActions, resolveOperation, } from "../../route-helpers.js";
+import { createStep, createSteps, deleteStep, findExisting, getStep, listSteps, updateStep, } from "../../services/operations/step-service.js";
 import { formatFieldListResponse } from "./step-fields.js";
 const ParamsSchema = z.object({
     orderKey: z.string(),

package/dist/routes/{auth.js → users/auth.js} RENAMED Viewed

@@ -1,12 +1,12 @@
 import { hashToken, SESSION_COOKIE_NAME, sessionCookieOptions, } from "@naisys/common-node";
 import { AuthUserSchema, ErrorResponseSchema, LoginRequestSchema, LoginResponseSchema, } from "@naisys/erp-shared";
-import { authenticateAndCreateSession, deleteSession, } from "@naisys/supervisor-database";
+import { deleteSession } from "@naisys/supervisor-database";
 import bcrypt from "bcryptjs";
 import { randomUUID } from "crypto";
-import { authCache } from "../auth-middleware.js";
-import erpDb from "../erpDb.js";
-import { unauthorized } from "../error-handler.js";
-import { isSupervisorAuth } from "../supervisorAuth.js";
+import erpDb from "../../database/erpDb.js";
+import { unauthorized } from "../../error-handler.js";
+import { authCache } from "../../middleware/auth-middleware.js";
+import { isSupervisorAuth } from "../../middleware/supervisorAuth.js";
 const SESSION_DURATION_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
 export default function authRoutes(fastify) {
     const app = fastify.withTypeProvider();
@@ -14,7 +14,7 @@ export default function authRoutes(fastify) {
     app.post("/login", {
         config: {
             rateLimit: {
-                max: 5,
+                max: Number(process.env.AUTH_LOGIN_RATE_LIMIT) || 5,
                 timeWindow: "1 minute",
             },
         },
@@ -30,27 +30,15 @@ export default function authRoutes(fastify) {
         },
         handler: async (request, reply) => {
             const { username, password } = request.body;
-            // SSO mode: authenticate against supervisor DB
+            // SSO mode: supervisor handles login via passkey. ERP doesn't accept
+            // password credentials at all — clients should authenticate against
+            // /supervisor/login and reuse the resulting session cookie here.
             if (isSupervisorAuth()) {
-                const authResult = await authenticateAndCreateSession(username, password);
-                if (!authResult) {
-                    return unauthorized(reply, "Invalid username or password");
-                }
-                const ssoData = {
-                    username,
-                    passwordHash: authResult.user.passwordHash,
-                };
-                const user = await erpDb.user.upsert({
-                    where: { uuid: authResult.user.uuid },
-                    create: { uuid: authResult.user.uuid, ...ssoData },
-                    update: ssoData,
-                });
-                reply.setCookie(SESSION_COOKIE_NAME, authResult.token, sessionCookieOptions(authResult.expiresAt));
-                return { user: { id: user.id, username: user.username } };
+                return unauthorized(reply, "Sign in via the supervisor login page (passkey required)");
             }
             // Standalone mode: authenticate against local DB
             const user = await erpDb.user.findUnique({ where: { username } });
-            if (!user) {
+            if (!user || user.passwordHash === null) {
                 return unauthorized(reply, "Invalid username or password");
             }
             const valid = await bcrypt.compare(password, user.passwordHash);

package/dist/routes/{user-permissions.js → users/user-permissions.js} RENAMED Viewed

@@ -1,8 +1,9 @@
 import { ErpPermissionEnum, GrantPermissionSchema } from "@naisys/erp-shared";
 import { z } from "zod/v4";
-import { authCache, requirePermission } from "../auth-middleware.js";
-import { mutationResult } from "../route-helpers.js";
-import { getUserById, getUserByUsername, grantPermission, revokePermission, rotateUserApiKey, } from "../services/user-service.js";
+import { authCache, requirePermission, } from "../../middleware/auth-middleware.js";
+import { isSupervisorAuth } from "../../middleware/supervisorAuth.js";
+import { mutationResult } from "../../route-helpers.js";
+import { getUserById, getUserByUsername, grantPermission, hasUserApiKey, revokePermission, rotateUserApiKey, } from "../../services/user-service.js";
 import { formatUser } from "./users.js";
 export default function userPermissionRoutes(fastify) {
     const app = fastify.withTypeProvider();
@@ -17,14 +18,25 @@ export default function userPermissionRoutes(fastify) {
             params: usernameParams,
         },
     }, async (request, reply) => {
+        if (isSupervisorAuth()) {
+            reply.code(400);
+            return {
+                success: false,
+                message: "API keys are managed by the supervisor when SSO is enabled.",
+            };
+        }
         const targetUser = await getUserByUsername(request.params.username);
         if (!targetUser) {
             reply.code(404);
             return { success: false, message: "User not found" };
         }
-        await rotateUserApiKey(targetUser.id);
+        const apiKey = await rotateUserApiKey(targetUser.id);
         authCache.clear();
-        return { success: true, message: "API key rotated" };
+        return {
+            success: true,
+            message: "API key generated. Copy it now; it cannot be shown again.",
+            apiKey,
+        };
     });
     // GRANT PERMISSION
     app.post("/:username/permissions", {
@@ -45,7 +57,8 @@ export default function userPermissionRoutes(fastify) {
             await grantPermission(targetUser.id, request.body.permission, request.erpUser.id);
             authCache.clear();
             const user = await getUserById(targetUser.id);
-            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+            const hasApiKey = user ? await hasUserApiKey(user.id) : false;
+            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
             return mutationResult(request, reply, full, {
                 _actions: full._actions,
             });
@@ -91,7 +104,8 @@ export default function userPermissionRoutes(fastify) {
         await revokePermission(targetUser.id, permission);
         authCache.clear();
         const user = await getUserById(targetUser.id);
-        const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+        const hasApiKey = user ? await hasUserApiKey(user.id) : false;
+        const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
         return mutationResult(request, reply, full, {
             _actions: full._actions,
         });

package/dist/routes/{users.js → users/users.js} RENAMED Viewed

@@ -1,11 +1,11 @@
 import { ChangePasswordSchema, CreateAgentUserSchema, CreateUserSchema, UpdateUserSchema, } from "@naisys/erp-shared";
 import { getHubAgentById } from "@naisys/hub-database";
 import { z } from "zod/v4";
-import { authCache, hasPermission, requirePermission, } from "../auth-middleware.js";
-import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../hateoas.js";
-import { mutationResult } from "../route-helpers.js";
-import { createUserForAgent, createUserWithPassword, deleteUser, getUserApiKey, getUserByUsername, getUserByUuid, listUsers, updateUser, } from "../services/user-service.js";
-import { isSupervisorAuth } from "../supervisorAuth.js";
+import { API_PREFIX, collectionLink, paginationLinks, schemaLink, selfLink, } from "../../hateoas.js";
+import { authCache, hasPermission, requirePermission, } from "../../middleware/auth-middleware.js";
+import { isSupervisorAuth } from "../../middleware/supervisorAuth.js";
+import { mutationResult } from "../../route-helpers.js";
+import { createUserForAgent, createUserWithPassword, deleteUser, getUserByUsername, getUserByUuid, hasUserApiKey, listUsers, updateUser, } from "../../services/user-service.js";
 function userItemLinks(username) {
     return [
         selfLink(`/users/${username}`),
@@ -26,7 +26,10 @@ function userActions(username, isSelf, isAdmin) {
             body: { username: "" },
         });
     }
-    if (isSelf) {
+    // In SSO mode the supervisor owns passwords (passkey-only) and external API
+    // keys, so ERP doesn't expose its own change-password / rotate-key actions.
+    const sso = isSupervisorAuth();
+    if (isSelf && !sso) {
         actions.push({
             rel: "change-password",
             href: `${API_PREFIX}/users/me/password`,
@@ -45,12 +48,14 @@ function userActions(username, isSelf, isAdmin) {
             schema: `${API_PREFIX}/schemas/GrantPermission`,
             body: { permission: "" },
         });
-        actions.push({
-            rel: "rotate-key",
-            href: `${href}/rotate-key`,
-            method: "POST",
-            title: "Rotate API Key",
-        });
+        if (!sso) {
+            actions.push({
+                rel: "rotate-key",
+                href: `${href}/rotate-key`,
+                method: "POST",
+                title: "Generate API Key",
+            });
+        }
         if (!isSelf) {
             actions.push({
                 rel: "delete",
@@ -88,7 +93,7 @@ export function formatUser(user, currentUserId, currentUserPermissions, options)
         isAgent: user.isAgent,
         createdAt: user.createdAt.toISOString(),
         updatedAt: user.updatedAt.toISOString(),
-        apiKey: isAdmin ? (options?.apiKey ?? null) : undefined,
+        hasApiKey: options?.hasApiKey ?? false,
         permissions: user.permissions.map((p) => ({
             permission: p.permission,
             grantedAt: p.grantedAt.toISOString(),
@@ -127,6 +132,7 @@ export default function userRoutes(fastify) {
                 statusCode: 403,
                 error: "Forbidden",
                 message: "Permission 'erp_admin' required",
+                missingPermission: "erp_admin",
             });
             return;
         }
@@ -200,6 +206,13 @@ export default function userRoutes(fastify) {
             });
             return;
         }
+        if (isSupervisorAuth()) {
+            reply.code(400);
+            return {
+                success: false,
+                message: "Passwords are managed by the supervisor when SSO is enabled.",
+            };
+        }
         await updateUser(request.erpUser.id, {
             password: request.body.password,
         });
@@ -222,7 +235,6 @@ export default function userRoutes(fastify) {
             return mutationResult(request, reply, full, {
                 id: full.id,
                 username: full.username,
-                apiKey: full.apiKey,
                 _links: full._links,
                 _actions: full._actions,
             });
@@ -287,7 +299,6 @@ export default function userRoutes(fastify) {
             return mutationResult(request, reply, full, {
                 id: full.id,
                 username: full.username,
-                apiKey: full.apiKey,
                 _links: full._links,
                 _actions: full._actions,
             });
@@ -318,8 +329,10 @@ export default function userRoutes(fastify) {
             reply.code(404);
             return { success: false, message: "User not found" };
         }
-        const apiKey = await getUserApiKey(user.id);
-        return formatUser(user, request.erpUser.id, request.erpUser.permissions, { apiKey });
+        const hasApiKey = isSupervisorAuth()
+            ? false
+            : await hasUserApiKey(user.id);
+        return formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
     });
     // UPDATE USER (admin can update any field; non-admin can only change own password)
     app.put("/:username", {
@@ -337,12 +350,21 @@ export default function userRoutes(fastify) {
             return { success: false, message: "User not found" };
         }
         const isAdmin = hasPermission(request.erpUser, "erp_admin");
-        // Non-admins can only change their own password
-        const body = isAdmin ? request.body : { password: request.body.password };
+        // In SSO mode the supervisor owns passwords, so we strip any password
+        // field before forwarding the update — even from admins.
+        const sso = isSupervisorAuth();
+        const body = isAdmin
+            ? sso
+                ? { username: request.body.username }
+                : request.body
+            : sso
+                ? {}
+                : { password: request.body.password };
         try {
             const user = await updateUser(targetUser.id, body);
             authCache.clear();
-            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
+            const hasApiKey = sso ? false : await hasUserApiKey(user.id);
+            const full = formatUser(user, request.erpUser.id, request.erpUser.permissions, { hasApiKey });
             return mutationResult(request, reply, full, {
                 _actions: full._actions,
             });

package/dist/services/attachment-service.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { MAX_ATTACHMENT_SIZE } from "@naisys/common";
 import { createHash, randomBytes } from "crypto";
 import { createWriteStream, existsSync, mkdirSync, renameSync, unlinkSync, } from "fs";
 import { join } from "path";
-import erpDb from "../erpDb.js";
+import erpDb from "../database/erpDb.js";
 function attachmentsDir() {
     return join(process.env.NAISYS_FOLDER || "", "attachments");
 }
@@ -20,7 +20,7 @@ export async function uploadAttachment(fileBuffer, filename, uploadedById, field
     }
     const fileHash = createHash("sha256").update(fileBuffer).digest("hex");
     // Write to temp, then move to content-addressable path
-    const tmpDir = join(attachmentsDir(), "tmp");
+    const tmpDir = join(process.env.NAISYS_FOLDER || "", "tmp", "erp", "attachments");
     mkdirSync(tmpDir, { recursive: true });
     const tmpPath = join(tmpDir, `${Date.now()}_${uploadedById}_${Math.random().toString(36).slice(2)}`);
     const ws = createWriteStream(tmpPath);

package/dist/services/{item-instance-service.js → inventory/item-instance-service.js} RENAMED Viewed

@@ -1,5 +1,5 @@
-import erpDb from "../erpDb.js";
-import { includeUsers } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { includeUsers } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 export const includeItemInstanceRelations = {
     ...includeUsers,

package/dist/services/{item-service.js → inventory/item-service.js} RENAMED Viewed

@@ -1,5 +1,5 @@
-import erpDb from "../erpDb.js";
-import { includeUsers } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { includeUsers } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 export const includeUsersAndFieldSet = {
     ...includeUsers,

package/dist/services/{operation-dependency-service.js → operations/operation-dependency-service.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import erpDb from "../erpDb.js";
+import erpDb from "../../database/erpDb.js";
 const depInclude = {
     predecessor: { select: { seqNo: true, title: true } },
     createdBy: { select: { username: true } },

package/dist/services/{operation-run-comment-service.js → operations/operation-run-comment-service.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import erpDb from "../erpDb.js";
+import erpDb from "../../database/erpDb.js";
 // --- Prisma include & result type ---
 export const includeComment = {
     createdBy: { select: { username: true } },

package/dist/services/{operation-run-service.js → operations/operation-run-service.js} RENAMED Viewed

@@ -1,9 +1,10 @@
+import { keyBy } from "@naisys/common";
 import { OperationRunStatus as OperationRunStatusValues, } from "@naisys/erp-shared";
 import { fieldTypeString, getValueFormatHint, } from "@naisys/erp-shared";
+import erpDb from "../../database/erpDb.js";
+import { API_PREFIX } from "../../hateoas.js";
 import { writeAuditEntry } from "../audit.js";
-import erpDb from "../erpDb.js";
-import { API_PREFIX } from "../hateoas.js";
-import { deserializeFieldValue, validateFieldValue, } from "./field-value-service.js";
+import { deserializeFieldValue, validateFieldValue, } from "../production/field-value-service.js";
 // --- Prisma include & result type ---
 export const includeOp = {
     operation: {
@@ -14,6 +15,11 @@ export const includeOp = {
             workCenter: { select: { key: true } },
         },
     },
+    orderRun: {
+        select: {
+            orderRev: { select: { revNo: true, description: true } },
+        },
+    },
     assignedTo: { select: { username: true } },
     createdBy: { select: { username: true } },
     updatedBy: { select: { username: true } },
@@ -35,6 +41,11 @@ export async function listOpRuns(runId) {
                     },
                 },
             },
+            orderRun: {
+                select: {
+                    orderRev: { select: { revNo: true, description: true } },
+                },
+            },
             _count: { select: { stepRuns: true } },
             assignedTo: { select: { username: true } },
             createdBy: { select: { username: true } },
@@ -143,7 +154,7 @@ export async function getOpRunFieldRefSummary(operationId, orderRunId, orderKey,
             },
         },
     });
-    const stepRunMap = new Map(stepRuns.map((sr) => [sr.stepId, sr]));
+    const stepRunMap = keyBy(stepRuns, (sr) => sr.stepId);
     return fieldRefs.map((ref) => {
         const sr = stepRunMap.get(ref.sourceStep.id);
         const storedFieldValues = sr?.fieldRecord?.fieldValues ?? [];

package/dist/services/{operation-service.js → operations/operation-service.js} RENAMED Viewed

@@ -1,5 +1,5 @@
-import erpDb from "../erpDb.js";
-import { calcNextSeqNo, includeUsers, } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { calcNextSeqNo, includeUsers, } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 const includeWorkCenter = {
     workCenter: { select: { key: true } },

package/dist/services/{step-run-service.js → operations/step-run-service.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import erpDb from "../erpDb.js";
+import erpDb from "../../database/erpDb.js";
 // --- Prisma include & result type ---
 export const includeStepRunWithFields = {
     step: {

package/dist/services/{step-service.js → operations/step-service.js} RENAMED Viewed

@@ -1,5 +1,5 @@
-import erpDb from "../erpDb.js";
-import { calcNextSeqNo, includeUsers, } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { calcNextSeqNo, includeUsers, } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 export const includeUsersAndFields = {
     ...includeUsers,