@naisys/erp 3.0.1 → 3.0.3

package/dist/generated/prisma/internal/prismaNamespace.js

@@ -282,6 +282,7 @@ export const UserScalarFieldEnum = {
     id: 'id',
     uuid: 'uuid',
     username: 'username',
+    title: 'title',
     passwordHash: 'passwordHash',
     apiKeyHash: 'apiKeyHash',
     isAgent: 'isAgent',

package/dist/middleware/auth-middleware.js

@@ -1,6 +1,6 @@
 import { AuthCache, urlMatchesPrefix } from "@naisys/common";
 import { extractBearerToken, hashToken, SESSION_COOKIE_NAME, } from "@naisys/common-node";
-import { findAgentByApiKey } from "@naisys/hub-database";
+import { findAgentByApiKey, findHubUserTitleByUuid } from "@naisys/hub-database";
 import { findSession, findUserByApiKey } from "@naisys/supervisor-database";
 import erpDb from "../database/erpDb.js";
 import { isSupervisorAuth } from "./supervisorAuth.js";
@@ -17,6 +17,7 @@ async function materializeErpUser(localUser) {
     return {
         id: localUser.id,
         username: localUser.username,
+        title: localUser.title,
         permissions: await loadPermissions(localUser.id),
     };
 }
@@ -33,11 +34,26 @@ async function loadCookieUserSso(tokenHash) {
     const session = await findSession(tokenHash);
     if (!session)
         return null;
-    return erpDb.user.upsert({
+    const existing = await erpDb.user.findUnique({
         where: { uuid: session.uuid },
-        create: { uuid: session.uuid, username: session.username },
-        update: {},
     });
+    if (!existing) {
+        const title = (await findHubUserTitleByUuid(session.uuid)) ?? "";
+        return erpDb.user.create({
+            data: { uuid: session.uuid, username: session.username, title },
+        });
+    }
+    // Agents mirror hub title; non-agents own their title locally.
+    if (existing.isAgent) {
+        const title = (await findHubUserTitleByUuid(session.uuid)) ?? "";
+        if (title !== existing.title) {
+            return erpDb.user.update({
+                where: { id: existing.id },
+                data: { title },
+            });
+        }
+    }
+    return existing;
 }
 async function loadCookieUserStandalone(tokenHash) {
     const session = await erpDb.session.findUnique({
@@ -64,11 +80,27 @@ async function loadApiKeyUserSso(apiKey) {
     if (!match)
         return null;
     const isAgent = supervisorUser?.isAgent ?? !!hubAgent;
-    return erpDb.user.upsert({
+    const existing = await erpDb.user.findUnique({
         where: { uuid: match.uuid },
-        create: { uuid: match.uuid, username: match.username, isAgent },
-        update: {},
     });
+    const fetchTitle = async () => hubAgent?.title ?? (await findHubUserTitleByUuid(match.uuid)) ?? "";
+    if (!existing) {
+        const title = await fetchTitle();
+        return erpDb.user.create({
+            data: { uuid: match.uuid, username: match.username, isAgent, title },
+        });
+    }
+    // Agents mirror hub title; non-agents own their title locally.
+    if (existing.isAgent) {
+        const title = await fetchTitle();
+        if (title !== existing.title) {
+            return erpDb.user.update({
+                where: { id: existing.id },
+                data: { title },
+            });
+        }
+    }
+    return existing;
 }
 export function hasPermission(user, permission) {
     if (!user)

package/dist/route-helpers.js

@@ -37,16 +37,18 @@ export function mutationResult(request, reply, full, slim) {
 }
 // --- Shared Prisma include for audit user fields ---
 export const includeUsers = {
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Formatting helpers ---
 export function formatAuditFields(item) {
     return {
         createdAt: item.createdAt.toISOString(),
         createdBy: item.createdBy.username,
+        createdByTitle: item.createdBy.title,
         updatedAt: item.updatedAt.toISOString(),
         updatedBy: item.updatedBy.username,
+        updatedByTitle: item.updatedBy.title,
     };
 }
 export function formatDate(d) {

package/dist/routes/operations/operation-dependencies.js

@@ -27,6 +27,7 @@ function formatDependency(dep) {
         predecessorTitle: dep.predecessor.title,
         createdAt: dep.createdAt.toISOString(),
         createdBy: dep.createdBy.username,
+        createdByTitle: dep.createdBy.title,
     };
 }
 function depActionTemplates(basePath, revStatus, user) {

package/dist/routes/operations/operation-field-refs.js

@@ -37,6 +37,7 @@ function formatFieldRef(orderKey, revNo, seqNo, revStatus, user, ref) {
         })),
         createdAt: ref.createdAt.toISOString(),
         createdBy: ref.createdBy.username,
+        createdByTitle: ref.createdBy.title,
         _links: childItemLinks(base, ref.seqNo, "Field Refs", `/orders/${orderKey}/revs/${revNo}/ops/${seqNo}`, "Operation", "FieldRef"),
         _actions: deleteAction(`${API_PREFIX}${base}/${ref.seqNo}`, revStatus, user),
     };

package/dist/routes/operations/operation-run-comments.js

@@ -27,6 +27,7 @@ function formatComment(orderKey, runNo, seqNo, comment) {
         body: comment.body,
         createdAt: comment.createdAt.toISOString(),
         createdBy: comment.createdBy.username,
+        createdByTitle: comment.createdBy.title,
         _links: [
             selfLink(`/${commentResource(orderKey, runNo, seqNo)}/${comment.id}`),
         ],

package/dist/routes/operations/operation-runs.js

@@ -156,6 +156,7 @@ export async function formatOpRun(orderKey, runNo, user, opRun) {
         workCenterKey: opRun.operation.workCenter?.key ?? null,
         status: opRun.status,
         assignedTo: opRun.assignedTo?.username ?? null,
+        assignedToTitle: opRun.assignedTo?.title ?? null,
         cost: opRun.cost,
         tokens: opRun.tokens,
         note: opRun.statusNote ?? null,
@@ -203,6 +204,7 @@ export async function formatOpRunTransition(orderKey, runNo, user, opRun) {
         id: opRun.id,
         status: opRun.status,
         assignedTo: opRun.assignedTo?.username ?? null,
+        assignedToTitle: opRun.assignedTo?.title ?? null,
         cost: opRun.cost,
         tokens: opRun.tokens,
         note: opRun.statusNote ?? null,
@@ -225,6 +227,7 @@ function formatListOpRun(opRun) {
         workCenterKey: opRun.operation.workCenter?.key ?? null,
         status: opRun.status,
         assignedTo: opRun.assignedTo?.username ?? null,
+        assignedToTitle: opRun.assignedTo?.title ?? null,
         cost: opRun.cost,
         tokens: opRun.tokens,
         note: opRun.statusNote ?? null,

package/dist/routes/production/dispatch.js

@@ -20,7 +20,7 @@ export default function dispatchRoutes(fastify) {
             },
         },
         handler: async (request) => {
-            const { page, pageSize, status, priority, search, viewAs, canWork, clockedIn, } = request.query;
+            const { page, pageSize, status, workCenter, search, viewAs, canWork, clockedIn, } = request.query;
             // Resolve the perspective user for canWork computation
             let perspectiveUserId = request.erpUser?.id;
             let perspectivePerms = new Set(request.erpUser?.permissions ?? []);
@@ -48,9 +48,9 @@ export default function dispatchRoutes(fastify) {
                 status: { in: status ? [status] : DEFAULT_OP_STATUSES },
                 orderRun: {
                     status: { in: OPEN_ORDER_STATUSES },
-                    ...(priority ? { priority } : {}),
                 },
             };
+            const operationFilters = {};
             // canWork filter: only show ops where the perspective user can work
             if (canWork) {
                 // Restrict to statuses the user has permission for
@@ -67,11 +67,18 @@ export default function dispatchRoutes(fastify) {
                 where.status = { in: filteredStatuses };
                 // Work center access
                 if (userWcIds.length > 0) {
-                    where.operation = {
-                        OR: [{ workCenterId: null }, { workCenterId: { in: userWcIds } }],
-                    };
+                    operationFilters.OR = [
+                        { workCenterId: null },
+                        { workCenterId: { in: userWcIds } },
+                    ];
                 }
             }
+            if (workCenter) {
+                operationFilters.workCenter = { key: workCenter };
+            }
+            if (Object.keys(operationFilters).length > 0) {
+                where.operation = operationFilters;
+            }
             if (search) {
                 where.OR = [
                     { operation: { title: { contains: search } } },
@@ -93,11 +100,10 @@ export default function dispatchRoutes(fastify) {
                                 workCenter: { select: { key: true, id: true } },
                             },
                         },
-                        assignedTo: { select: { username: true } },
+                        assignedTo: { select: { username: true, title: true } },
                         orderRun: {
                             select: {
                                 runNo: true,
-                                priority: true,
                                 dueAt: true,
                                 order: { select: { key: true } },
                                 orderRev: { select: { revNo: true } },
@@ -127,8 +133,8 @@ export default function dispatchRoutes(fastify) {
                         workCenterKey: opRun.operation.workCenter?.key ?? null,
                         canWork: itemCanWork,
                         status: opRun.status,
-                        priority: opRun.orderRun.priority,
                         assignedTo: opRun.assignedTo?.username ?? null,
+                        assignedToTitle: opRun.assignedTo?.title ?? null,
                         dueAt: opRun.orderRun.dueAt,
                         createdAt: opRun.createdAt.toISOString(),
                     };
@@ -139,7 +145,7 @@ export default function dispatchRoutes(fastify) {
                 _links: [
                     ...paginationLinks("dispatch", page, pageSize, total, {
                         status,
-                        priority,
+                        workCenter,
                         search,
                         viewAs,
                         canWork: canWork ? "true" : undefined,

package/dist/routes/production/labor-tickets.js

@@ -88,6 +88,7 @@ function formatLaborTicket(orderKey, runNo, seqNo, ticket) {
         operationRunId: ticket.operationRunId,
         userId: ticket.userId,
         username: ticket.user.username,
+        userTitle: ticket.user.title,
         runId: ticket.runId,
         clockIn: ticket.clockIn.toISOString(),
         clockOut: formatDate(ticket.clockOut),

package/dist/routes/production/work-centers.js

@@ -58,8 +58,10 @@ function formatWorkCenter(wc, user) {
         userAssignments: wc.userAssignments.map((a) => ({
             userId: a.user.id,
             username: a.user.username,
+            userTitle: a.user.title,
             createdAt: a.createdAt.toISOString(),
             createdBy: a.createdBy?.username ?? null,
+            createdByTitle: a.createdBy?.title ?? null,
             _actions: [
                 {
                     rel: "remove",

package/dist/routes/users/auth.js

@@ -52,7 +52,9 @@ export default function authRoutes(fastify) {
                 data: { userId: user.id, tokenHash, expiresAt },
             });
             reply.setCookie(SESSION_COOKIE_NAME, token, sessionCookieOptions(expiresAt));
-            return { user: { id: user.id, username: user.username } };
+            return {
+                user: { id: user.id, username: user.username, title: user.title },
+            };
         },
     });
     // LOGOUT
@@ -92,6 +94,7 @@ export default function authRoutes(fastify) {
             return {
                 id: request.erpUser.id,
                 username: request.erpUser.username,
+                title: request.erpUser.title,
                 permissions: request.erpUser.permissions,
             };
         },

package/dist/routes/users/users.js

@@ -13,9 +13,15 @@ function userItemLinks(username) {
         schemaLink("UpdateUser"),
     ];
 }
-function userActions(username, isSelf, isAdmin) {
+function userActions(username, isAgent, isSelf, isAdmin) {
     const href = `${API_PREFIX}/users/${username}`;
     const actions = [];
+    // In SSO mode the supervisor owns passwords (passkey-only) and external API
+    // keys, so ERP doesn't expose its own change-password / rotate-key actions.
+    const sso = isSupervisorAuth();
+    // Title is editable when the user isn't an SSO-managed agent (whose title
+    // is mirrored from the hub on every auth).
+    const titleEditable = !isAgent || !sso;
     if (isAdmin) {
         actions.push({
             rel: "update",
@@ -23,12 +29,9 @@ function userActions(username, isSelf, isAdmin) {
             method: "PUT",
             title: "Update",
             schema: `${API_PREFIX}/schemas/UpdateUser`,
-            body: { username: "" },
+            body: { username: "", ...(titleEditable ? { title: "" } : {}) },
         });
     }
-    // In SSO mode the supervisor owns passwords (passkey-only) and external API
-    // keys, so ERP doesn't expose its own change-password / rotate-key actions.
-    const sso = isSupervisorAuth();
     if (isSelf && !sso) {
         actions.push({
             rel: "change-password",
@@ -90,6 +93,7 @@ export function formatUser(user, currentUserId, currentUserPermissions, options)
     return {
         id: user.id,
         username: user.username,
+        title: user.title,
         isAgent: user.isAgent,
         createdAt: user.createdAt.toISOString(),
         updatedAt: user.updatedAt.toISOString(),
@@ -101,13 +105,14 @@ export function formatUser(user, currentUserId, currentUserPermissions, options)
             _actions: permissionActions(user.username, p.permission, isSelf, isAdmin),
         })),
         _links: userItemLinks(user.username),
-        _actions: userActions(user.username, isSelf, isAdmin),
+        _actions: userActions(user.username, user.isAgent, isSelf, isAdmin),
     };
 }
 function formatListUser(user) {
     return {
         id: user.id,
         username: user.username,
+        title: user.title,
         isAgent: user.isAgent,
         createdAt: user.createdAt.toISOString(),
         permissionCount: user.permissions.length,
@@ -293,7 +298,7 @@ export default function userRoutes(fastify) {
             };
         }
         try {
-            const user = await createUserForAgent(hubAgent.username, hubAgent.uuid);
+            const user = await createUserForAgent(hubAgent.username, hubAgent.uuid, hubAgent.title);
             const full = formatUser(user, request.erpUser.id, request.erpUser.permissions);
             reply.code(201);
             return mutationResult(request, reply, full, {
@@ -350,16 +355,23 @@ export default function userRoutes(fastify) {
             return { success: false, message: "User not found" };
         }
         const isAdmin = hasPermission(request.erpUser, "erp_admin");
-        // In SSO mode the supervisor owns passwords, so we strip any password
-        // field before forwarding the update — even from admins.
         const sso = isSupervisorAuth();
-        const body = isAdmin
-            ? sso
-                ? { username: request.body.username }
-                : request.body
-            : sso
-                ? {}
-                : { password: request.body.password };
+        // Field-level gating:
+        // - username: admin-only.
+        // - password: non-SSO only (supervisor owns passwords in SSO mode).
+        // - title: editable unless the target is an SSO-managed agent (whose
+        //   title is mirrored from the hub on every auth).
+        const titleEditable = !targetUser.isAgent || !sso;
+        const body = {};
+        if (isAdmin && request.body.username !== undefined) {
+            body.username = request.body.username;
+        }
+        if (!sso && request.body.password !== undefined) {
+            body.password = request.body.password;
+        }
+        if (titleEditable && request.body.title !== undefined) {
+            body.title = request.body.title;
+        }
         try {
             const user = await updateUser(targetUser.id, body);
             authCache.clear();

package/dist/services/operations/operation-dependency-service.js

@@ -1,7 +1,7 @@
 import erpDb from "../../database/erpDb.js";
 const depInclude = {
     predecessor: { select: { seqNo: true, title: true } },
-    createdBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
 };
 export async function listDependencies(operationId) {
     return erpDb.operationDependency.findMany({

package/dist/services/operations/operation-run-comment-service.js

@@ -1,7 +1,7 @@
 import erpDb from "../../database/erpDb.js";
 // --- Prisma include & result type ---
 export const includeComment = {
-    createdBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
 };
 // --- Lookups ---
 export async function listComments(operationRunId) {

package/dist/services/operations/operation-run-service.js

@@ -20,9 +20,9 @@ export const includeOp = {
             orderRev: { select: { revNo: true, description: true } },
         },
     },
-    assignedTo: { select: { username: true } },
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    assignedTo: { select: { username: true, title: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Lookups ---
 export async function listOpRuns(runId) {
@@ -47,9 +47,9 @@ export async function listOpRuns(runId) {
                 },
             },
             _count: { select: { stepRuns: true } },
-            assignedTo: { select: { username: true } },
-            createdBy: { select: { username: true } },
-            updatedBy: { select: { username: true } },
+            assignedTo: { select: { username: true, title: true } },
+            createdBy: { select: { username: true, title: true } },
+            updatedBy: { select: { username: true, title: true } },
         },
         orderBy: { operation: { seqNo: "asc" } },
     });

package/dist/services/operations/step-run-service.js

@@ -44,8 +44,8 @@ export const includeStepRunWithFields = {
             },
         },
     },
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Lightweight include (step metadata only, no field values) ---
 export const includeStepRun = {
@@ -62,8 +62,8 @@ export const includeStepRun = {
             },
         },
     },
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Lookups ---
 export async function listStepRuns(opRunId) {

package/dist/services/orders/order-run-service.js

@@ -8,8 +8,8 @@ export const includeRev = {
     orderRev: { select: { revNo: true, description: true } },
     order: { select: { item: { select: { key: true } } } },
     itemInstances: { select: { id: true, key: true }, take: 1 },
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Lookups ---
 export async function listOrderRuns(where, page, pageSize) {

package/dist/services/production/field-ref-service.js

@@ -15,7 +15,7 @@ const includeFieldRef = {
             },
         },
     },
-    createdBy: { select: { username: true } },
+    createdBy: { select: { username: true, title: true } },
 };
 export async function listFieldRefs(operationId) {
     return erpDb.operationFieldRef.findMany({

package/dist/services/production/labor-ticket-service.js

@@ -3,9 +3,9 @@ import erpDb from "../../database/erpDb.js";
 import { writeAuditEntry } from "../audit.js";
 // --- Prisma include & result type ---
 export const includeLaborTicket = {
-    user: { select: { username: true } },
-    createdBy: { select: { username: true } },
-    updatedBy: { select: { username: true } },
+    user: { select: { username: true, title: true } },
+    createdBy: { select: { username: true, title: true } },
+    updatedBy: { select: { username: true, title: true } },
 };
 // --- Helpers ---
 /**

package/dist/services/production/work-center-service.js

@@ -5,8 +5,8 @@ const includeDetail = {
     ...includeUsers,
     userAssignments: {
         include: {
-            user: { select: { id: true, username: true } },
-            createdBy: { select: { username: true } },
+            user: { select: { id: true, username: true, title: true } },
+            createdBy: { select: { username: true, title: true } },
         },
         orderBy: { user: { username: "asc" } },
     },

package/dist/services/user-service.js

@@ -1,5 +1,6 @@
 import { SUPER_ADMIN_USERNAME } from "@naisys/common";
 import { generatePersistentUserApiKey } from "@naisys/common-node";
+import { findHubUserTitleByUuid, findHubUserTitlesByUuids, } from "@naisys/hub-database";
 import { ensureSuperAdmin } from "@naisys/supervisor-database";
 import bcrypt from "bcryptjs";
 import { randomUUID } from "crypto";
@@ -52,11 +53,12 @@ export async function getUserByUuid(uuid) {
         include: includePermissions,
     });
 }
-export async function createUserForAgent(username, uuid) {
+export async function createUserForAgent(username, uuid, title) {
     return erpDb.user.create({
         data: {
             username,
             uuid,
+            title,
             isAgent: true,
         },
         include: includePermissions,
@@ -80,6 +82,9 @@ export async function updateUser(id, data) {
     if (data.username !== undefined) {
         updateData.username = data.username;
     }
+    if (data.title !== undefined) {
+        updateData.title = data.title;
+    }
     if (data.password !== undefined) {
         updateData.passwordHash = await bcrypt.hash(data.password, SALT_ROUNDS);
     }
@@ -165,16 +170,29 @@ export async function ensureLocalSuperAdmin(password) {
  */
 export async function ensureSupervisorSuperAdmin() {
     const result = await ensureSuperAdmin();
-    await erpDb.user.upsert({
+    // Super admin is a non-agent — seed title from hub on first bootstrap,
+    // but leave it alone afterwards so local edits stick.
+    const existing = await erpDb.user.findUnique({
         where: { uuid: result.user.uuid },
-        create: {
-            uuid: result.user.uuid,
-            username: result.user.username,
-        },
-        update: {
-            username: result.user.username,
-        },
     });
+    if (existing) {
+        if (existing.username !== result.user.username) {
+            await erpDb.user.update({
+                where: { id: existing.id },
+                data: { username: result.user.username },
+            });
+        }
+    }
+    else {
+        const title = (await findHubUserTitleByUuid(result.user.uuid)) ?? "";
+        await erpDb.user.create({
+            data: {
+                uuid: result.user.uuid,
+                username: result.user.username,
+                title,
+            },
+        });
+    }
     const localSuperAdmin = await erpDb.user.findUnique({
         where: { uuid: result.user.uuid },
     });
@@ -182,6 +200,37 @@ export async function ensureSupervisorSuperAdmin() {
         await ensureErpAdminPermission(localSuperAdmin.id);
     }
 }
+/**
+ * Pull the latest title from the hub for every agent user in ERP and update
+ * any drift. Non-agents are skipped — they own their title locally. Runs at
+ * ERP startup (SSO mode) so agent titles stay fresh even if the agent hasn't
+ * authenticated recently to trigger the per-request refresh in auth-middleware.
+ */
+export async function syncAgentTitlesFromHub() {
+    const agents = await erpDb.user.findMany({
+        where: { isAgent: true },
+        select: { id: true, uuid: true, title: true },
+    });
+    if (agents.length === 0)
+        return;
+    const hubTitles = await findHubUserTitlesByUuids(agents.map((a) => a.uuid));
+    let updated = 0;
+    for (const agent of agents) {
+        const hubTitle = hubTitles.get(agent.uuid);
+        if (hubTitle === undefined)
+            continue; // not in hub, leave as-is
+        if (hubTitle === agent.title)
+            continue;
+        await erpDb.user.update({
+            where: { id: agent.id },
+            data: { title: hubTitle },
+        });
+        updated++;
+    }
+    if (updated > 0) {
+        console.log(`[ERP] Synced ${updated} agent title(s) from hub.`);
+    }
+}
 /**
  * Ensure a user has the erp_admin permission.
  */