@naisys/erp 3.0.0-beta.9 → 3.0.1

package/package.json

@@ -1,22 +1,21 @@
 {
   "name": "@naisys/erp",
-  "version": "3.0.0-beta.9",
+  "version": "3.0.1",
   "description": "NAISYS ERP - Web UI for AI-driven order and work management",
   "type": "module",
   "main": "dist/erpServer.js",
   "bin": {
-    "naisys-erp": "bin/naisys-erp"
+    "naisys-erp": "bin/naisys-erp.js"
   },
   "exports": {
     ".": "./dist/erpServer.js"
   },
   "scripts": {
-    "clean": "rimraf dist client-dist .test-naisys",
+    "clean": "npx rimraf dist client-dist .test-naisys",
     "dev": "tsx watch src/erpServer.ts",
     "build": "prisma generate && tsc",
     "bundle": "npx shx rm -rf client-dist && npx shx cp -r ../client/dist client-dist",
     "start": "node dist/erpServer.js",
-    "start:reset-password": "node dist/erpServer.js --reset-password",
     "type-check": "tsc --noEmit",
     "npm:publish:dryrun": "npm publish --dry-run",
     "npm:publish": "npm publish --access public",
@@ -26,9 +25,11 @@
     "test": "vitest run && npx playwright test"
   },
   "files": [
+    "npm-shrinkwrap.json",
     "dist",
     "client-dist",
     "bin",
+    ".env.example",
     "prisma.config.ts",
     "prisma/schema.prisma",
     "prisma/migrations",
@@ -41,33 +42,34 @@
   "dependencies": {
     "@fastify/cookie": "^11.0.2",
     "@fastify/cors": "^11.2.0",
-    "@fastify/multipart": "^9.4.0",
+    "@fastify/multipart": "^10.0.0",
     "@fastify/rate-limit": "^10.3.0",
-    "@fastify/static": "^9.0.0",
+    "@fastify/static": "^9.1.3",
     "@fastify/swagger": "^9.7.0",
-    "@naisys/erp-shared": "3.0.0-beta.9",
-    "@naisys/common": "3.0.0-beta.9",
-    "@naisys/common-node": "3.0.0-beta.9",
-    "@naisys/hub-database": "3.0.0-beta.9",
-    "@naisys/supervisor-database": "3.0.0-beta.9",
-    "@prisma/adapter-better-sqlite3": "^7.5.0",
-    "@prisma/client": "^7.5.0",
-    "@scalar/fastify-api-reference": "^1.48.7",
-    "bcryptjs": "^3.0.2",
-    "dotenv": "^17.3.1",
-    "fastify": "^5.8.2",
+    "@naisys/common": "3.0.1",
+    "@naisys/common-node": "3.0.1",
+    "@naisys/erp-shared": "3.0.1",
+    "@naisys/hub-database": "3.0.1",
+    "@naisys/supervisor-database": "3.0.1",
+    "@prisma/adapter-better-sqlite3": "^7.8.0",
+    "@prisma/client": "^7.8.0",
+    "@scalar/fastify-api-reference": "^1.57.5",
+    "bcryptjs": "^3.0.3",
+    "dotenv": "^17.4.2",
+    "fastify": "^5.8.5",
     "fastify-plugin": "^5.1.0",
     "fastify-type-provider-zod": "^6.1.0",
-    "zod": "^4.3.6"
+    "zod": "^4.4.3"
   },
   "devDependencies": {
-    "@playwright/test": "^1.58.2",
+    "@playwright/test": "^1.60.0",
     "@types/better-sqlite3": "^7.6.13",
-    "@types/node": "^25.5.0",
-    "prisma": "^7.5.0",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3",
-    "vitest": "^4.1.0"
+    "@types/node": "^25.9.1",
+    "@vitest/coverage-v8": "^4.1.7",
+    "prisma": "^7.8.0",
+    "tsx": "^4.22.3",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.7"
   },
   "engines": {
     "node": ">=22.0.0"

package/prisma/migrations/20260427010000_hash_user_api_keys/migration.sql

@@ -0,0 +1,10 @@
+-- Replace persisted plaintext user API keys with nullable hashes.
+-- Existing plaintext keys are intentionally discarded.
+
+DROP INDEX IF EXISTS "users_api_key_key";
+
+ALTER TABLE "users" RENAME COLUMN "api_key" TO "api_key_hash";
+
+UPDATE "users" SET "api_key_hash" = NULL;
+
+CREATE UNIQUE INDEX "users_api_key_hash_key" ON "users"("api_key_hash");

package/prisma/migrations/20260427020000_nullable_user_password_hash/migration.sql

@@ -0,0 +1,39 @@
+-- Make users.password_hash nullable. NULL means the user is not
+-- password-authable (passkey-only, API-key-only, or agent).
+-- Existing sentinel values are converted to NULL.
+
+PRAGMA foreign_keys=OFF;
+
+CREATE TABLE "users_new" (
+    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    "uuid" TEXT NOT NULL,
+    "username" TEXT NOT NULL,
+    "password_hash" TEXT,
+    "is_agent" INTEGER NOT NULL DEFAULT 0,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL,
+    "deleted_at" DATETIME,
+    "api_key_hash" TEXT
+);
+
+INSERT INTO "users_new" ("id", "uuid", "username", "password_hash", "is_agent", "created_at", "updated_at", "deleted_at", "api_key_hash")
+SELECT
+    "id",
+    "uuid",
+    "username",
+    CASE WHEN "password_hash" IN ('!sso-passkey-only', '!api-key-only', '') THEN NULL ELSE "password_hash" END,
+    "is_agent",
+    "created_at",
+    "updated_at",
+    "deleted_at",
+    "api_key_hash"
+FROM "users";
+
+DROP TABLE "users";
+ALTER TABLE "users_new" RENAME TO "users";
+
+CREATE UNIQUE INDEX "users_uuid_key" ON "users"("uuid");
+CREATE UNIQUE INDEX "users_username_key" ON "users"("username");
+CREATE UNIQUE INDEX "users_api_key_hash_key" ON "users"("api_key_hash");
+
+PRAGMA foreign_keys=ON;

package/prisma/migrations/20260517000000_add_op_run_tokens/migration.sql

@@ -0,0 +1,2 @@
+ALTER TABLE "operation_runs" ADD COLUMN "tokens" INTEGER;
+ALTER TABLE "labor_tickets" ADD COLUMN "tokens" INTEGER;

package/prisma/schema.prisma

@@ -307,6 +307,7 @@ model OperationRun {
   status       OperationRunStatus @default(pending)
   assignedToId Int?               @map("assigned_to_id")
   cost           Float?
+  tokens         Int?
   statusNote     String?          @map("status_note")
   completedAt    DateTime?        @map("completed_at")
   createdAt   DateTime           @default(now()) @map("created_at")
@@ -418,8 +419,8 @@ model User {
   id           Int       @id @default(autoincrement())
   uuid         String    @unique
   username     String    @unique
-  passwordHash String    @map("password_hash")
-  apiKey       String?   @unique @map("api_key")
+  passwordHash String?   @map("password_hash")
+  apiKeyHash   String?   @unique @map("api_key_hash")
   isAgent      Boolean   @default(false) @map("is_agent")
   createdAt    DateTime  @default(now()) @map("created_at")
   updatedAt    DateTime  @updatedAt @map("updated_at")
@@ -518,6 +519,7 @@ model LaborTicket {
   clockIn        DateTime  @map("clock_in")
   clockOut       DateTime? @map("clock_out")
   cost           Float?
+  tokens         Int?
   createdAt      DateTime  @default(now()) @map("created_at")
   createdById    Int       @map("created_by")
   updatedAt      DateTime  @updatedAt @map("updated_at")