@naisys/erp 3.0.0-beta.9 → 3.0.0

package/dist/services/{order-revision-service.js → orders/order-revision-service.js}

@@ -1,7 +1,8 @@
+import { mapDefined } from "@naisys/common";
 import { RevisionStatus as RevisionStatusValues, } from "@naisys/erp-shared";
+import erpDb from "../../database/erpDb.js";
+import { includeUsers } from "../../route-helpers.js";
 import { writeAuditEntry } from "../audit.js";
-import erpDb from "../erpDb.js";
-import { includeUsers } from "../route-helpers.js";
 // --- Prisma include & result type ---
 const includeRevisionRelations = {
     ...includeUsers,
@@ -230,9 +231,7 @@ export async function deleteRevision(id) {
                 where: { operationId: { in: opIds } },
                 select: { id: true, fieldSetId: true },
             });
-            const fieldSetIds = steps
-                .map((s) => s.fieldSetId)
-                .filter((id) => id !== null);
+            const fieldSetIds = mapDefined(steps, (s) => s.fieldSetId);
             // Steps reference field_sets via FK, so delete steps first
             await erpTx.step.deleteMany({
                 where: { operationId: { in: opIds } },

package/dist/services/{order-run-service.js → orders/order-run-service.js}

@@ -1,9 +1,11 @@
+import { keyBy, mapDefined } from "@naisys/common";
 import { OperationRunStatus as OperationRunStatusValues, OrderRunStatus as OrderRunStatusValues, } from "@naisys/erp-shared";
+import erpDb from "../../database/erpDb.js";
 import { writeAuditEntry } from "../audit.js";
-import erpDb from "../erpDb.js";
+import { deserializeFieldValue, upsertFieldValue, validateFieldSet, } from "../production/field-value-service.js";
 // --- Prisma include & result type ---
 export const includeRev = {
-    orderRev: { select: { revNo: true } },
+    orderRev: { select: { revNo: true, description: true } },
     order: { select: { item: { select: { key: true } } } },
     itemInstances: { select: { id: true, key: true }, take: 1 },
     createdBy: { select: { username: true } },
@@ -187,9 +189,7 @@ export async function deleteOrderRun(id) {
                 where: { operationRunId: { in: opRunIds } },
                 select: { fieldRecordId: true },
             });
-            const fieldRecordIds = stepRuns
-                .map((s) => s.fieldRecordId)
-                .filter((id) => id !== null);
+            const fieldRecordIds = mapDefined(stepRuns, (s) => s.fieldRecordId);
             if (fieldRecordIds.length > 0) {
                 await tx.fieldValue.deleteMany({
                     where: { fieldRecordId: { in: fieldRecordIds } },
@@ -259,7 +259,7 @@ async function autoGenerateInstanceKey(erpTx, itemId) {
 }
 export async function completeOrderRun(orderRunId, orderId, data, userId) {
     return erpDb.$transaction(async (erpTx) => {
-        // Load the order with its item
+        // Load the order with its item and full item field definitions.
         const order = await erpTx.order.findUniqueOrThrow({
             where: { id: orderId },
             select: {
@@ -270,7 +270,15 @@ export async function completeOrderRun(orderRunId, orderId, data, userId) {
                         fieldSet: {
                             select: {
                                 fields: {
-                                    select: { id: true },
+                                    select: {
+                                        id: true,
+                                        seqNo: true,
+                                        label: true,
+                                        type: true,
+                                        isArray: true,
+                                        required: true,
+                                    },
+                                    orderBy: { seqNo: "asc" },
                                 },
                             },
                         },
@@ -279,14 +287,60 @@ export async function completeOrderRun(orderRunId, orderId, data, userId) {
             },
         });
         if (!order.item) {
-            return { error: "Order has no item assigned — cannot complete" };
+            return {
+                error: "Order has no item assigned — cannot complete",
+                status: 422,
+            };
+        }
+        const itemFields = order.item.fieldSet?.fields ?? [];
+        const fieldsBySeqNo = keyBy(itemFields, (f) => f.seqNo);
+        const fieldsById = keyBy(itemFields, (f) => f.id);
+        // Validate caller-supplied fieldSeqNos exist on the item.
+        const callerValues = data.fieldValues ?? [];
+        for (const fv of callerValues) {
+            if (!fieldsBySeqNo.has(fv.fieldSeqNo)) {
+                return {
+                    error: `Unknown item field seqNo ${fv.fieldSeqNo} — item has no field with that sequence number`,
+                    status: 400,
+                };
+            }
+        }
+        const resolved = new Map();
+        const keyOf = (fieldId, setIndex) => `${fieldId}:${setIndex}`;
+        for (const fv of callerValues) {
+            const def = fieldsBySeqNo.get(fv.fieldSeqNo);
+            const setIndex = fv.setIndex ?? 0;
+            resolved.set(keyOf(def.id, setIndex), {
+                fieldId: def.id,
+                value: fv.value,
+                setIndex,
+            });
+        }
+        // Validate all item fields against caller-supplied values at setIndex 0.
+        // `fieldValues[]` on CompleteOrderRun is flat (no multi-set support), so
+        // we only validate set 0. Flags both missing-required and type-invalid.
+        const failures = validateFieldSet(itemFields, [0], (fieldId, setIndex) => {
+            const def = fieldsById.get(fieldId);
+            const r = resolved.get(keyOf(fieldId, setIndex));
+            if (r)
+                return deserializeFieldValue(r.value, def.isArray);
+            return def.isArray ? [] : "";
+        });
+        if (failures.length > 0) {
+            return {
+                error: `Cannot complete order run: ${failures
+                    .map((f) => `${f.label} — ${f.error}`)
+                    .join("; ")}. Provide values via fieldValues[] using fieldSeqNo.`,
+                status: 400,
+                missingFields: failures.map((f) => f.label),
+            };
         }
         // Determine instance key
         let instanceKey = data.instanceKey;
         if (!instanceKey) {
             const result = await autoGenerateInstanceKey(erpTx, order.item.id);
             if ("error" in result)
-                return result;
+                return { error: result.error, status: 422 };
             instanceKey = result.key;
         }
         // Check for duplicate key
@@ -296,6 +350,7 @@ export async function completeOrderRun(orderRunId, orderId, data, userId) {
         if (existing) {
             return {
                 error: `Instance key "${instanceKey}" already exists for this item`,
+                status: 422,
             };
         }
         // Create the item instance
@@ -309,8 +364,8 @@ export async function completeOrderRun(orderRunId, orderId, data, userId) {
                 updatedById: userId,
             },
         });
-        // Create field record and field values if item has a field set
-        if (order.item.fieldSetId && (data.fieldValues?.length ?? 0) > 0) {
+        // Create field record and field values if we have any to write.
+        if (order.item.fieldSetId && resolved.size > 0) {
             const fieldRecord = await erpTx.fieldRecord.create({
                 data: {
                     fieldSetId: order.item.fieldSetId,
@@ -321,17 +376,8 @@ export async function completeOrderRun(orderRunId, orderId, data, userId) {
                 where: { id: instance.id },
                 data: { fieldRecordId: fieldRecord.id },
             });
-            for (const fv of data.fieldValues ?? []) {
-                await erpTx.fieldValue.create({
-                    data: {
-                        fieldRecordId: fieldRecord.id,
-                        fieldId: fv.fieldId,
-                        setIndex: fv.setIndex ?? 0,
-                        value: fv.value,
-                        createdById: userId,
-                        updatedById: userId,
-                    },
-                });
+            for (const fv of resolved.values()) {
+                await upsertFieldValue(fieldRecord.id, fv.fieldId, fv.setIndex, fv.value, userId, erpTx);
             }
         }
         // Sum operation run costs and transition run to closed

package/dist/services/{order-service.js → orders/order-service.js}

@@ -1,5 +1,6 @@
-import erpDb from "../erpDb.js";
-import { includeUsers } from "../route-helpers.js";
+import { RevisionStatus } from "@naisys/erp-shared";
+import erpDb from "../../database/erpDb.js";
+import { includeUsers } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 const includeOrderRelations = {
     ...includeUsers,
@@ -31,6 +32,14 @@ export async function checkHasRevisions(orderId) {
     });
     return revisionCount > 0;
 }
+// --- Derived fields ---
+export async function getLatestApprovedRevNo(orderId) {
+    const result = await erpDb.orderRevision.aggregate({
+        where: { orderId, status: RevisionStatus.approved },
+        _max: { revNo: true },
+    });
+    return result._max.revNo ?? null;
+}
 // --- Mutations ---
 export async function resolveItemKey(itemKey) {
     if (!itemKey)

package/dist/services/{revision-diff-service.js → orders/revision-diff-service.js}

@@ -1,4 +1,5 @@
-import erpDb from "../erpDb.js";
+import { keyBy, unique } from "@naisys/common";
+import erpDb from "../../database/erpDb.js";
 // --- Prisma deep include for full revision tree ---
 const includeFullTree = {
     operations: {
@@ -41,9 +42,9 @@ function compareProps(pairs) {
     return changes;
 }
 function diffFields(fromFields, toFields) {
-    const fromMap = new Map(fromFields.map((f) => [f.seqNo, f]));
-    const toMap = new Map(toFields.map((f) => [f.seqNo, f]));
-    const allSeqNos = new Set([...fromMap.keys(), ...toMap.keys()]);
+    const fromMap = keyBy(fromFields, (f) => f.seqNo);
+    const toMap = keyBy(toFields, (f) => f.seqNo);
+    const allSeqNos = unique([...fromMap.keys(), ...toMap.keys()]);
     const result = [];
     for (const seqNo of [...allSeqNos].sort((a, b) => a - b)) {
         const from = fromMap.get(seqNo);
@@ -72,9 +73,9 @@ function diffFields(fromFields, toFields) {
     return result;
 }
 function diffSteps(fromSteps, toSteps) {
-    const fromMap = new Map(fromSteps.map((s) => [s.seqNo, s]));
-    const toMap = new Map(toSteps.map((s) => [s.seqNo, s]));
-    const allSeqNos = new Set([...fromMap.keys(), ...toMap.keys()]);
+    const fromMap = keyBy(fromSteps, (s) => s.seqNo);
+    const toMap = keyBy(toSteps, (s) => s.seqNo);
+    const allSeqNos = unique([...fromMap.keys(), ...toMap.keys()]);
     const result = [];
     for (const seqNo of [...allSeqNos].sort((a, b) => a - b)) {
         const from = fromMap.get(seqNo);
@@ -138,9 +139,9 @@ function diffDeps(fromDeps, toDeps) {
     return result;
 }
 function diffOperations(fromOps, toOps) {
-    const fromMap = new Map(fromOps.map((op) => [op.seqNo, op]));
-    const toMap = new Map(toOps.map((op) => [op.seqNo, op]));
-    const allSeqNos = new Set([...fromMap.keys(), ...toMap.keys()]);
+    const fromMap = keyBy(fromOps, (op) => op.seqNo);
+    const toMap = keyBy(toOps, (op) => op.seqNo);
+    const allSeqNos = unique([...fromMap.keys(), ...toMap.keys()]);
     const result = [];
     for (const seqNo of [...allSeqNos].sort((a, b) => a - b)) {
         const from = fromMap.get(seqNo);

package/dist/services/{field-ref-service.js → production/field-ref-service.js}

@@ -1,4 +1,4 @@
-import erpDb from "../erpDb.js";
+import erpDb from "../../database/erpDb.js";
 const includeFieldRef = {
     sourceStep: {
         select: {

package/dist/services/{field-service.js → production/field-service.js}

@@ -1,6 +1,6 @@
 import { FieldType } from "@naisys/erp-shared";
-import erpDb from "../erpDb.js";
-import { calcNextSeqNo, includeUsers, } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { calcNextSeqNo, includeUsers, } from "../../route-helpers.js";
 // --- Lookups ---
 export async function listFields(fieldSetId) {
     return erpDb.field.findMany({

package/dist/services/{field-value-service.js → production/field-value-service.js}

@@ -1,6 +1,6 @@
 import { formatFileSize } from "@naisys/common";
 import { FieldType, } from "@naisys/erp-shared";
-import erpDb from "../erpDb.js";
+import erpDb from "../../database/erpDb.js";
 // --- Lookups ---
 export async function findStepRunWithField(id, opRunId, fieldSeqNo) {
     const stepRun = await erpDb.stepRun.findUnique({
@@ -113,6 +113,30 @@ export function checkFieldValueShape(label, type, isArray, value) {
     }
     return null;
 }
+/**
+ * Validate a list of field definitions across one or more set indexes, given a
+ * way to look up the current value for each (fieldId, setIndex) pair. Returns
+ * one entry per invalid cell; callers format as appropriate. Iteration order
+ * is ascending setIndex, then the order of `fieldDefs` as given.
+ */
+export function validateFieldSet(fieldDefs, setIndexes, getValue) {
+    const failures = [];
+    for (const si of [...setIndexes].sort((a, b) => a - b)) {
+        for (const def of fieldDefs) {
+            const value = getValue(def.id, si);
+            const result = validateFieldValue(def.type, def.isArray, def.required, value);
+            if (!result.valid) {
+                failures.push({
+                    fieldId: def.id,
+                    label: def.label,
+                    setIndex: si,
+                    error: result.error,
+                });
+            }
+        }
+    }
+    return failures;
+}
 export function validateFieldValue(type, isArray, required, value) {
     const shapeErr = checkFieldValueShape("field", type, isArray, value);
     if (shapeErr)
@@ -223,9 +247,9 @@ export async function clearAttachmentFieldValue(fieldRecordId, fieldId, setIndex
     await upsertFieldValue(fieldRecordId, fieldId, setIndex, empty, userId);
 }
 // --- Mutations ---
-export async function upsertFieldValue(fieldRecordId, fieldId, setIndex, value, userId) {
+export async function upsertFieldValue(fieldRecordId, fieldId, setIndex, value, userId, tx = erpDb) {
     const dbValue = serializeFieldValue(value);
-    await erpDb.fieldValue.upsert({
+    await tx.fieldValue.upsert({
         where: {
             fieldRecordId_fieldId_setIndex: { fieldRecordId, fieldId, setIndex },
         },

package/dist/services/production/labor-ticket-backfill.js

@@ -0,0 +1,67 @@
+import { sumAgentMetricsByUuid } from "@naisys/hub-database";
+import { OperationRunStatus } from "@naisys/erp-shared";
+import erpDb from "../../database/erpDb.js";
+/**
+ * Populate `tokens` on labor tickets and operation runs finalized before the
+ * column existed. Idempotent — only touches rows where `tokens IS NULL`, and
+ * only for agent users (others can't have tokens, so their rows stay NULL
+ * and the next startup ignores them too). Requires the hub DB client.
+ */
+export async function backfillOpRunTokens() {
+    const tickets = await erpDb.laborTicket.findMany({
+        where: {
+            tokens: null,
+            clockOut: { not: null },
+            operationRun: {
+                status: {
+                    in: [
+                        OperationRunStatus.completed,
+                        OperationRunStatus.skipped,
+                        OperationRunStatus.failed,
+                    ],
+                },
+            },
+            user: { isAgent: true },
+        },
+        select: {
+            id: true,
+            operationRunId: true,
+            clockIn: true,
+            clockOut: true,
+            user: { select: { uuid: true } },
+        },
+    });
+    if (tickets.length === 0)
+        return;
+    const dirtyOpRunIds = new Set();
+    for (const ticket of tickets) {
+        const { tokens } = await sumAgentMetricsByUuid(ticket.user.uuid, ticket.clockIn, ticket.clockOut);
+        await erpDb.laborTicket.update({
+            where: { id: ticket.id },
+            data: { tokens: Math.round(tokens) },
+        });
+        dirtyOpRunIds.add(ticket.operationRunId);
+    }
+    // Re-aggregate touched op_runs. Skip rows that already have a snapshot so
+    // we never clobber a value set by the normal transition path.
+    for (const opRunId of dirtyOpRunIds) {
+        const opRun = await erpDb.operationRun.findUnique({
+            where: { id: opRunId },
+            select: { tokens: true },
+        });
+        if (!opRun || opRun.tokens !== null)
+            continue;
+        const agg = await erpDb.laborTicket.aggregate({
+            where: { operationRunId: opRunId },
+            _sum: { tokens: true },
+        });
+        const total = agg._sum.tokens ?? 0;
+        if (total > 0) {
+            await erpDb.operationRun.update({
+                where: { id: opRunId },
+                data: { tokens: total },
+            });
+        }
+    }
+}
+//# sourceMappingURL=labor-ticket-backfill.js.map

package/dist/services/{labor-ticket-service.js → production/labor-ticket-service.js}

@@ -1,6 +1,6 @@
-import { getLatestRunInfoByUuid, sumCostsByUuid } from "@naisys/hub-database";
+import { getLatestRunInfoByUuid, sumAgentMetricsByUuid, } from "@naisys/hub-database";
+import erpDb from "../../database/erpDb.js";
 import { writeAuditEntry } from "../audit.js";
-import erpDb from "../erpDb.js";
 // --- Prisma include & result type ---
 export const includeLaborTicket = {
     user: { select: { username: true } },
@@ -9,19 +9,22 @@ export const includeLaborTicket = {
 };
 // --- Helpers ---
 /**
- * Compute the cost for a labor ticket at clock-out time.
+ * Compute cost + tokens for a labor ticket at clock-out time.
  * Agents: sum of hub cost entries for the user within the clock-in/out window.
- * Non-agents: 0.
+ * Non-agents: zeros.
  */
-async function computeCost(userId, clockIn, clockOut) {
+async function computeAgentMetrics(userId, clockIn, clockOut) {
     const user = await erpDb.user.findUnique({
         where: { id: userId },
         select: { isAgent: true, uuid: true },
     });
     if (!user?.isAgent)
-        return 0;
-    const cost = await sumCostsByUuid(user.uuid, clockIn, clockOut);
-    return Math.round(cost * 100) / 100;
+        return { cost: 0, tokens: 0 };
+    const { cost, tokens } = await sumAgentMetricsByUuid(user.uuid, clockIn, clockOut);
+    return {
+        cost: Math.round(cost * 100) / 100,
+        tokens: Math.round(tokens),
+    };
 }
 /**
  * Get the current hub run info (run_id + session start) for an agent user.
@@ -67,10 +70,10 @@ export async function clockIn(operationRunId, userId, actorId) {
             where: { userId, clockOut: null },
         });
         for (const ticket of openTickets) {
-            const cost = await computeCost(userId, ticket.clockIn, now);
+            const { cost, tokens } = await computeAgentMetrics(userId, ticket.clockIn, now);
             await tx.laborTicket.update({
                 where: { id: ticket.id },
-                data: { clockOut: now, cost, updatedById: actorId },
+                data: { clockOut: now, cost, tokens, updatedById: actorId },
             });
         }
         // If no tickets were auto-closed and this is the first ticket for the
@@ -118,10 +121,10 @@ export async function clockOut(operationRunId, opts, actorId) {
         const openTickets = await tx.laborTicket.findMany({ where });
         const updated = [];
         for (const ticket of openTickets) {
-            const cost = await computeCost(ticket.userId, ticket.clockIn, now);
+            const { cost, tokens } = await computeAgentMetrics(ticket.userId, ticket.clockIn, now);
             const result = await tx.laborTicket.update({
                 where: { id: ticket.id },
-                data: { clockOut: now, cost, updatedById: actorId },
+                data: { clockOut: now, cost, tokens, updatedById: actorId },
                 include: includeLaborTicket,
             });
             updated.push(result);
@@ -132,12 +135,15 @@ export async function clockOut(operationRunId, opts, actorId) {
 export async function clockOutAllForOpRun(operationRunId, actorId) {
     await clockOut(operationRunId, {}, actorId);
 }
-export async function sumLaborTicketCosts(operationRunId) {
+export async function sumLaborTicketMetrics(operationRunId) {
     const result = await erpDb.laborTicket.aggregate({
         where: { operationRunId },
-        _sum: { cost: true },
+        _sum: { cost: true, tokens: true },
     });
-    return Math.round((result._sum.cost ?? 0) * 100) / 100;
+    return {
+        cost: Math.round((result._sum.cost ?? 0) * 100) / 100,
+        tokens: result._sum.tokens ?? 0,
+    };
 }
 export async function deleteLaborTicket(ticketId, actorId) {
     await erpDb.$transaction(async (tx) => {

package/dist/services/{work-center-service.js → production/work-center-service.js}

@@ -1,5 +1,5 @@
-import erpDb from "../erpDb.js";
-import { includeUsers } from "../route-helpers.js";
+import erpDb from "../../database/erpDb.js";
+import { includeUsers } from "../../route-helpers.js";
 // --- Prisma include & result type ---
 const includeDetail = {
     ...includeUsers,

package/dist/services/user-service.js

@@ -1,8 +1,9 @@
-import { getAgentApiKeyByUuid, rotateAgentApiKeyByUuid, } from "@naisys/hub-database";
+import { SUPER_ADMIN_USERNAME } from "@naisys/common";
+import { generatePersistentUserApiKey } from "@naisys/common-node";
+import { ensureSuperAdmin } from "@naisys/supervisor-database";
 import bcrypt from "bcryptjs";
-import { randomBytes, randomUUID } from "crypto";
-import erpDb from "../erpDb.js";
-import { isSupervisorAuth } from "../supervisorAuth.js";
+import { randomUUID } from "crypto";
+import erpDb from "../database/erpDb.js";
 // --- Prisma include & result type ---
 export const includePermissions = {
     permissions: true,
@@ -37,19 +38,12 @@ export async function getUserById(id) {
         include: includePermissions,
     });
 }
-export async function getUserApiKey(id) {
+export async function hasUserApiKey(id) {
     const user = await erpDb.user.findUnique({
         where: { id },
-        select: { isAgent: true, uuid: true, apiKey: true },
+        select: { apiKeyHash: true },
     });
-    if (!user)
-        return null;
-    if (user.isAgent && isSupervisorAuth()) {
-        return getAgentApiKeyByUuid(user.uuid);
-    }
-    else {
-        return user.apiKey ?? null;
-    }
+    return !!user?.apiKeyHash;
 }
 // --- Mutations ---
 export async function getUserByUuid(uuid) {
@@ -63,7 +57,6 @@ export async function createUserForAgent(username, uuid) {
         data: {
             username,
             uuid,
-            passwordHash: "",
             isAgent: true,
         },
         include: includePermissions,
@@ -78,7 +71,6 @@ export async function createUserWithPassword(data) {
             uuid,
             passwordHash,
             isAgent: false,
-            apiKey: randomBytes(32).toString("hex"),
         },
         include: includePermissions,
     });
@@ -111,22 +103,96 @@ export async function revokePermission(userId, permission) {
     });
 }
 export async function rotateUserApiKey(id) {
-    const newKey = randomBytes(32).toString("hex");
-    const user = await erpDb.user.findUnique({
-        where: { id },
-        select: { isAgent: true, uuid: true },
+    return generatePersistentUserApiKey(id, {
+        userExists: async (userId) => (await erpDb.user.findUnique({
+            where: { id: userId },
+            select: { id: true },
+        })) !== null,
+        updateApiKeyHash: (userId, apiKeyHash) => erpDb.user.update({
+            where: { id: userId },
+            data: { apiKeyHash },
+        }),
+    });
+}
+// --- Superadmin bootstrap ---
+/**
+ * Ensure a superadmin user exists in the local ERP database.
+ * If a password is supplied, it is used on create and updates the existing one if present.
+ * For standalone mode (no supervisor auth).
+ */
+export async function ensureLocalSuperAdmin(password) {
+    const existing = await erpDb.user.findUnique({
+        where: { username: SUPER_ADMIN_USERNAME },
     });
-    if (!user)
-        throw new Error("User not found");
-    if (user.isAgent && isSupervisorAuth()) {
-        await rotateAgentApiKeyByUuid(user.uuid, newKey);
+    if (existing) {
+        await ensureErpAdminPermission(existing.id);
+        if (password) {
+            const hash = await bcrypt.hash(password, SALT_ROUNDS);
+            await erpDb.user.update({
+                where: { id: existing.id },
+                data: { passwordHash: hash },
+            });
+        }
     }
     else {
-        await erpDb.user.update({
-            where: { id },
-            data: { apiKey: newKey },
+        const finalPassword = password || randomUUID().slice(0, 8);
+        const hash = await bcrypt.hash(finalPassword, SALT_ROUNDS);
+        const user = await erpDb.user.create({
+            data: {
+                uuid: randomUUID(),
+                username: SUPER_ADMIN_USERNAME,
+                passwordHash: hash,
+            },
+        });
+        await ensureErpAdminPermission(user.id);
+        if (!password) {
+            console.log(`\n  ${SUPER_ADMIN_USERNAME} user created. Password: ${finalPassword}`);
+            console.log(`  Change it via the admin UI or with --setup\n`);
+        }
+    }
+    // Warn if agent users exist without supervisor auth
+    const agentCount = await erpDb.user.count({ where: { isAgent: true } });
+    if (agentCount > 0) {
+        console.warn(`[ERP] Warning: ${agentCount} agent user(s) found but supervisor auth is disabled. ` +
+            `Agent API key lookups and authentication will not work. ` +
+            `Set SUPERVISOR_AUTH=true to enable.`);
+    }
+}
+/**
+ * Sync superadmin from supervisor into ERP DB and ensure permissions.
+ * For supervisor auth mode. Supervisor uses passkey-only auth — the
+ * mirrored ERP row has no passwordHash.
+ */
+export async function ensureSupervisorSuperAdmin() {
+    const result = await ensureSuperAdmin();
+    await erpDb.user.upsert({
+        where: { uuid: result.user.uuid },
+        create: {
+            uuid: result.user.uuid,
+            username: result.user.username,
+        },
+        update: {
+            username: result.user.username,
+        },
+    });
+    const localSuperAdmin = await erpDb.user.findUnique({
+        where: { uuid: result.user.uuid },
+    });
+    if (localSuperAdmin) {
+        await ensureErpAdminPermission(localSuperAdmin.id);
+    }
+}
+/**
+ * Ensure a user has the erp_admin permission.
+ */
+export async function ensureErpAdminPermission(userId) {
+    const existing = await erpDb.userPermission.findUnique({
+        where: { userId_permission: { userId, permission: "erp_admin" } },
+    });
+    if (!existing) {
+        await erpDb.userPermission.create({
+            data: { userId, permission: "erp_admin" },
         });
     }
-    return newKey;
 }
 //# sourceMappingURL=user-service.js.map

package/dist/version.js

@@ -0,0 +1,12 @@
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { getGitCommitHash } from "@naisys/common-node";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+// Read the server's own package.json (one level up from dist/)
+const pkg = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8"));
+const commitHash = getGitCommitHash(__dirname);
+export function getPackageVersion() {
+    return commitHash ? `${pkg.version}/${commitHash}` : pkg.version;
+}
+//# sourceMappingURL=version.js.map