@open-mercato/cli 0.4.7 → 0.4.8-canary-d3f23076fd

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/cli",
-  "version": "0.4.7",
+  "version": "0.4.8-canary-d3f23076fd",
   "type": "module",
   "main": "./dist/index.js",
   "exports": {
@@ -58,21 +58,22 @@
     "@mikro-orm/core": "^6.6.2",
     "@mikro-orm/migrations": "^6.6.2",
     "@mikro-orm/postgresql": "^6.6.2",
-    "@open-mercato/shared": "0.4.7",
+    "@open-mercato/shared": "0.4.8-canary-d3f23076fd",
     "pg": "8.20.0",
     "testcontainers": "^11.12.0",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.4.7"
+    "@open-mercato/shared": "0.4.8-canary-d3f23076fd"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.4.7",
+    "@open-mercato/shared": "0.4.8-canary-d3f23076fd",
     "@types/jest": "^30.0.0",
     "jest": "^30.2.0",
     "ts-jest": "^29.4.6"
   },
   "publishConfig": {
     "access": "public"
-  }
+  },
+  "stableVersion": "0.4.7"
 }

package/src/lib/generators/__tests__/module-subset.test.ts

@@ -361,7 +361,7 @@ describe('generateModuleRegistryCli with module subsets', () => {
 })
 
 describe('all generated files are valid with varying subsets', () => {
-  it('produces all 9 generated files even when no modules have matching content', async () => {
+  it('produces all generated files even when no modules have matching content', async () => {
     scaffoldModule(tmpDir, 'bare_mod', 'pkg', ['acl.ts'])
     const enabled: ModuleEntry[] = [
       { id: 'bare_mod', from: '@open-mercato/core' },
@@ -380,6 +380,10 @@ describe('all generated files are valid with varying subsets', () => {
       'events.generated.ts',
       'analytics.generated.ts',
       'translations-fields.generated.ts',
+      'security-mfa-providers.generated.ts',
+      'security-sudo.generated.ts',
+      'frontend-middleware.generated.ts',
+      'backend-middleware.generated.ts',
     ]
     for (const file of expectedFiles) {
       const content = readGenerated(tmpDir, file)
@@ -433,6 +437,42 @@ describe('all generated files are valid with varying subsets', () => {
     expect(aiTools).not.toContain('no_ai')
   })
 
+  it('security generated registries are empty when no module provides security convention files', async () => {
+    scaffoldModule(tmpDir, 'no_security', 'pkg', ['setup.ts'])
+    const resolver = createMockResolver(tmpDir, [
+      { id: 'no_security', from: '@open-mercato/core' },
+    ])
+    await generateModuleRegistry({ resolver, quiet: true })
+
+    const mfaProviders = readGenerated(tmpDir, 'security-mfa-providers.generated.ts')!
+    const sudoTargets = readGenerated(tmpDir, 'security-sudo.generated.ts')!
+
+    expect(mfaProviders).toContain('export const securityMfaProviderEntries')
+    expect(mfaProviders).not.toContain('no_security')
+    expect(sudoTargets).toContain('export const securitySudoTargetEntries')
+    expect(sudoTargets).toContain('const entriesRaw: SecuritySudoTargetEntryRaw[] = [\n]')
+    expect(sudoTargets).not.toContain('no_security')
+  })
+
+  it('discovers security convention files into dedicated generated registries', async () => {
+    scaffoldModule(tmpDir, 'security_ext', 'pkg', [
+      'security.mfa-providers.ts',
+      'security.sudo.ts',
+    ])
+    const resolver = createMockResolver(tmpDir, [
+      { id: 'security_ext', from: '@open-mercato/core' },
+    ])
+    await generateModuleRegistry({ resolver, quiet: true })
+
+    const mfaProviders = readGenerated(tmpDir, 'security-mfa-providers.generated.ts')!
+    const sudoTargets = readGenerated(tmpDir, 'security-sudo.generated.ts')!
+
+    expect(mfaProviders).toContain('security_ext')
+    expect(mfaProviders).toContain('mfaProviders')
+    expect(sudoTargets).toContain('security_ext')
+    expect(sudoTargets).toContain('sudoTargets')
+  })
+
   it('notifications.generated.ts uses typed fallback for legacy "types" export', async () => {
     scaffoldModule(tmpDir, 'notif_mod', 'pkg', ['notifications.ts'])
     const resolver = createMockResolver(tmpDir, [
@@ -444,4 +484,20 @@ describe('all generated files are valid with varying subsets', () => {
     expect(notifications).toContain('as any).types')
     expect(notifications).toContain('as NotificationTypeDefinition[]')
   })
+
+  it('discovers frontend and backend middleware conventions', async () => {
+    scaffoldModule(tmpDir, 'security', 'pkg', [
+      'frontend/middleware.ts',
+      'backend/middleware.ts',
+    ])
+    const resolver = createMockResolver(tmpDir, [
+      { id: 'security', from: '@open-mercato/core' },
+    ])
+    await generateModuleRegistry({ resolver, quiet: true })
+
+    const frontendMiddleware = readGenerated(tmpDir, 'frontend-middleware.generated.ts')!
+    const backendMiddleware = readGenerated(tmpDir, 'backend-middleware.generated.ts')!
+    expect(frontendMiddleware).toContain("moduleId: 'security'")
+    expect(backendMiddleware).toContain("moduleId: 'security'")
+  })
 })

package/src/lib/generators/__tests__/scanner.test.ts

@@ -339,7 +339,8 @@ describe('resolveModuleFile', () => {
     const conventionFiles = [
       'acl.ts', 'ce.ts', 'search.ts', 'notifications.ts',
       'ai-tools.ts', 'events.ts', 'analytics.ts', 'setup.ts',
-      'translations.ts', 'data/extensions.ts', 'data/fields.ts',
+      'translations.ts', 'security.mfa-providers.ts', 'security.sudo.ts',
+      'data/extensions.ts', 'data/fields.ts',
     ]
     for (const file of conventionFiles) {
       touch(file, 'pkg')

package/src/lib/generators/module-registry.ts

@@ -407,6 +407,10 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
   const analyticsChecksumFile = path.join(outputDir, 'analytics.generated.checksum')
   const transFieldsOutFile = path.join(outputDir, 'translations-fields.generated.ts')
   const transFieldsChecksumFile = path.join(outputDir, 'translations-fields.generated.checksum')
+  const securityMfaProvidersOutFile = path.join(outputDir, 'security-mfa-providers.generated.ts')
+  const securityMfaProvidersChecksumFile = path.join(outputDir, 'security-mfa-providers.generated.checksum')
+  const securitySudoOutFile = path.join(outputDir, 'security-sudo.generated.ts')
+  const securitySudoChecksumFile = path.join(outputDir, 'security-sudo.generated.checksum')
   const enrichersOutFile = path.join(outputDir, 'enrichers.generated.ts')
   const enrichersChecksumFile = path.join(outputDir, 'enrichers.generated.checksum')
   const interceptorsOutFile = path.join(outputDir, 'interceptors.generated.ts')
@@ -419,6 +423,10 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
   const guardsChecksumFile = path.join(outputDir, 'guards.generated.checksum')
   const commandInterceptorsOutFile = path.join(outputDir, 'command-interceptors.generated.ts')
   const commandInterceptorsChecksumFile = path.join(outputDir, 'command-interceptors.generated.checksum')
+  const frontendMiddlewareOutFile = path.join(outputDir, 'frontend-middleware.generated.ts')
+  const frontendMiddlewareChecksumFile = path.join(outputDir, 'frontend-middleware.generated.checksum')
+  const backendMiddlewareOutFile = path.join(outputDir, 'backend-middleware.generated.ts')
+  const backendMiddlewareChecksumFile = path.join(outputDir, 'backend-middleware.generated.checksum')
 
   const enabled = resolver.loadEnabledModules()
   const imports: string[] = []
@@ -450,6 +458,10 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
   const analyticsImports: string[] = []
   const transFieldsConfigs: string[] = []
   const transFieldsImports: string[] = []
+  const securityMfaProviderConfigs: string[] = []
+  const securityMfaProviderImports: string[] = []
+  const securitySudoConfigs: string[] = []
+  const securitySudoImports: string[] = []
   const enricherConfigs: string[] = []
   const enricherImports: string[] = []
   const interceptorConfigs: string[] = []
@@ -462,6 +474,10 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
   const guardImports: string[] = []
   const commandInterceptorConfigs: string[] = []
   const commandInterceptorImports: string[] = []
+  const frontendMiddlewareConfigs: string[] = []
+  const frontendMiddlewareImports: string[] = []
+  const backendMiddlewareConfigs: string[] = []
+  const backendMiddlewareImports: string[] = []
 
   // UMES conflict detection: collect file paths during module processing
   const umesConflictSources: Array<{
@@ -735,6 +751,24 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
       configExpr: (n, id) => `{ moduleId: '${id}', fields: (${n}.default ?? ${n}.translatableFields ?? {}) as Record<string, string[]> }`,
     })
 
+    processStandaloneConfig({
+      roots, imps, modId, importIdRef,
+      relativePath: 'security.mfa-providers.ts',
+      prefix: 'SECURITY_MFA_PROVIDERS',
+      standaloneImports: securityMfaProviderImports,
+      standaloneConfigs: securityMfaProviderConfigs,
+      configExpr: (n, id) => `{ moduleId: '${id}', providers: ((${n}.default ?? ${n}.mfaProviders ?? []) as unknown[]) }`,
+    })
+
+    processStandaloneConfig({
+      roots, imps, modId, importIdRef,
+      relativePath: 'security.sudo.ts',
+      prefix: 'SECURITY_SUDO',
+      standaloneImports: securitySudoImports,
+      standaloneConfigs: securitySudoConfigs,
+      configExpr: (n, id) => `{ moduleId: '${id}', targets: ((${n}.default ?? ${n}.sudoTargets ?? []) as Array<Record<string, unknown>>) }`,
+    })
+
     // Inbox Actions: inbox-actions.ts
     {
       const resolved = resolveModuleFile(roots, imps, 'inbox-actions.ts')
@@ -768,6 +802,26 @@ export async function generateModuleRegistry(options: ModuleRegistryOptions): Pr
       configExpr: (n, id) => `{ moduleId: '${id}', interceptors: ((${n} as any).interceptors ?? (${n} as any).default ?? []) }`,
     })
 
+    // 10g. Frontend page middleware: frontend/middleware.ts
+    processStandaloneConfig({
+      roots, imps, modId, importIdRef,
+      relativePath: 'frontend/middleware.ts',
+      prefix: 'FRONTEND_MIDDLEWARE',
+      standaloneImports: frontendMiddlewareImports,
+      standaloneConfigs: frontendMiddlewareConfigs,
+      configExpr: (n, id) => `{ moduleId: '${id}', middleware: ((${n} as any).middleware ?? (${n} as any).default ?? []) }`,
+    })
+
+    // 10h. Backend page middleware: backend/middleware.ts
+    processStandaloneConfig({
+      roots, imps, modId, importIdRef,
+      relativePath: 'backend/middleware.ts',
+      prefix: 'BACKEND_MIDDLEWARE',
+      standaloneImports: backendMiddlewareImports,
+      standaloneConfigs: backendMiddlewareConfigs,
+      configExpr: (n, id) => `{ moduleId: '${id}', middleware: ((${n} as any).middleware ?? (${n} as any).default ?? []) }`,
+    })
+
     // 11. Setup: setup.ts
     {
       const setup = resolveConventionFile(roots, imps, 'setup.ts', 'SETUP', modId, importIdRef, imports)
@@ -1151,6 +1205,31 @@ export const allTranslatableEntityTypes = Object.keys(allFields)
 
 // Auto-register on import (side-effect)
 registerTranslatableFields(allFields)
+`
+
+  const securityMfaProviderEntriesLiteral = securityMfaProviderConfigs.join(',\n  ')
+  const securityMfaProviderImportSection = securityMfaProviderImports.join('\n')
+  const securityMfaProvidersOutput = `// AUTO-GENERATED by mercato generate registry
+${securityMfaProviderImportSection ? `${securityMfaProviderImportSection}\n` : ''}type SecurityMfaProviderEntry = { moduleId: string; providers: unknown[] }
+
+export const securityMfaProviderEntries: SecurityMfaProviderEntry[] = [
+${securityMfaProviderEntriesLiteral ? `  ${securityMfaProviderEntriesLiteral}\n` : ''}]
+`
+
+  const securitySudoEntriesLiteral = securitySudoConfigs.join(',\n  ')
+  const securitySudoImportSection = securitySudoImports.join('\n')
+  const securitySudoOutput = `// AUTO-GENERATED by mercato generate registry
+import type { SecuritySudoTarget, SecuritySudoTargetEntry } from '@open-mercato/enterprise/modules/security'
+${securitySudoImportSection ? `\n${securitySudoImportSection}\n` : '\n'}
+type SecuritySudoTargetEntryRaw = { moduleId: string; targets: Array<Record<string, unknown>> }
+
+const entriesRaw: SecuritySudoTargetEntryRaw[] = [
+${securitySudoEntriesLiteral ? `  ${securitySudoEntriesLiteral}\n` : ''}]
+
+export const securitySudoTargetEntries: SecuritySudoTargetEntry[] = entriesRaw.map((entry) => ({
+  moduleId: entry.moduleId,
+  targets: entry.targets as SecuritySudoTarget[],
+}))
 `
 
   const notificationEntriesLiteral = notificationTypes.join(',\n  ')
@@ -1429,6 +1508,8 @@ export const allAiTools = aiToolConfigEntries.flatMap(e => e.tools)
   writeGeneratedFile({ outFile: eventsOutFile, checksumFile: eventsChecksumFile, content: eventsOutput, structureChecksum, result, quiet })
   writeGeneratedFile({ outFile: analyticsOutFile, checksumFile: analyticsChecksumFile, content: analyticsOutput, structureChecksum, result, quiet })
   writeGeneratedFile({ outFile: transFieldsOutFile, checksumFile: transFieldsChecksumFile, content: transFieldsOutput, structureChecksum, result, quiet })
+  writeGeneratedFile({ outFile: securityMfaProvidersOutFile, checksumFile: securityMfaProvidersChecksumFile, content: securityMfaProvidersOutput, structureChecksum, result, quiet })
+  writeGeneratedFile({ outFile: securitySudoOutFile, checksumFile: securitySudoChecksumFile, content: securitySudoOutput, structureChecksum, result, quiet })
 
   // Enrichers generated file
   const enricherEntriesLiteral = enricherConfigs.join(',\n  ')
@@ -1518,6 +1599,46 @@ ${commandInterceptorEntriesLiteral ? `  ${commandInterceptorEntriesLiteral}\n` :
 `
   writeGeneratedFile({ outFile: commandInterceptorsOutFile, checksumFile: commandInterceptorsChecksumFile, content: commandInterceptorsOutput, structureChecksum, result, quiet })
 
+  const frontendMiddlewareEntriesLiteral = frontendMiddlewareConfigs.join(',\n  ')
+  const frontendMiddlewareImportSection = frontendMiddlewareImports.join('\n')
+  const frontendMiddlewareOutput = `// AUTO-GENERATED by mercato generate registry
+import type { PageMiddlewareRegistryEntry, PageRouteMiddleware } from '@open-mercato/shared/modules/middleware/page'
+${frontendMiddlewareImportSection ? `\n${frontendMiddlewareImportSection}\n` : '\n'}type FrontendMiddlewareEntry = { moduleId: string; middleware: PageRouteMiddleware[] }
+
+const entriesRaw: FrontendMiddlewareEntry[] = [
+${frontendMiddlewareEntriesLiteral ? `  ${frontendMiddlewareEntriesLiteral}\n` : ''}]
+
+export const frontendMiddlewareEntries: PageMiddlewareRegistryEntry[] = entriesRaw
+`
+  writeGeneratedFile({
+    outFile: frontendMiddlewareOutFile,
+    checksumFile: frontendMiddlewareChecksumFile,
+    content: frontendMiddlewareOutput,
+    structureChecksum,
+    result,
+    quiet,
+  })
+
+  const backendMiddlewareEntriesLiteral = backendMiddlewareConfigs.join(',\n  ')
+  const backendMiddlewareImportSection = backendMiddlewareImports.join('\n')
+  const backendMiddlewareOutput = `// AUTO-GENERATED by mercato generate registry
+import type { PageMiddlewareRegistryEntry, PageRouteMiddleware } from '@open-mercato/shared/modules/middleware/page'
+${backendMiddlewareImportSection ? `\n${backendMiddlewareImportSection}\n` : '\n'}type BackendMiddlewareEntry = { moduleId: string; middleware: PageRouteMiddleware[] }
+
+const entriesRaw: BackendMiddlewareEntry[] = [
+${backendMiddlewareEntriesLiteral ? `  ${backendMiddlewareEntriesLiteral}\n` : ''}]
+
+export const backendMiddlewareEntries: PageMiddlewareRegistryEntry[] = entriesRaw
+`
+  writeGeneratedFile({
+    outFile: backendMiddlewareOutFile,
+    checksumFile: backendMiddlewareChecksumFile,
+    content: backendMiddlewareOutput,
+    structureChecksum,
+    result,
+    quiet,
+  })
+
   return result
 }
 

package/src/lib/testing/__tests__/integration.test.ts

@@ -14,10 +14,12 @@ import {
   readEphemeralEnvironmentState,
   clearEphemeralEnvironmentState,
   resolveBuildCacheTtlSeconds,
+  resolveAppReadyTimeoutMs,
   shouldReuseBuildArtifacts,
 } from '../integration'
 
 const CACHE_TTL_ENV_VAR = 'OM_INTEGRATION_BUILD_CACHE_TTL_SECONDS'
+const APP_READY_TIMEOUT_ENV_VAR = 'OM_INTEGRATION_APP_READY_TIMEOUT_SECONDS'
 const resolver = createResolver()
 const projectRootDirectory = resolver.getRootDir()
 
@@ -36,6 +38,7 @@ describe('integration cache and options', () => {
   const ephemeralEnvFilePath = path.join(projectRootDirectory, '.ai', 'qa', 'ephemeral-env.json')
   const ephemeralLegacyEnvFilePath = path.join(projectRootDirectory, '.ai', 'qa', 'ephemeral-env.md')
   const originalCacheTtl = process.env[CACHE_TTL_ENV_VAR]
+  const originalAppReadyTimeout = process.env[APP_READY_TIMEOUT_ENV_VAR]
   let originalEphemeralEnvState: string | null = null
   let originalEphemeralLegacyEnvState: string | null = null
 
@@ -61,6 +64,11 @@ describe('integration cache and options', () => {
     } else {
       process.env[CACHE_TTL_ENV_VAR] = originalCacheTtl
     }
+    if (originalAppReadyTimeout === undefined) {
+      delete process.env[APP_READY_TIMEOUT_ENV_VAR]
+    } else {
+      process.env[APP_READY_TIMEOUT_ENV_VAR] = originalAppReadyTimeout
+    }
     await restoreEphemeralStateFiles(originalEphemeralEnvState, originalEphemeralLegacyEnvState)
   })
 
@@ -68,6 +76,9 @@ describe('integration cache and options', () => {
     const baseUrl = 'http://127.0.0.1:5001'
     const fetchSpy = jest.spyOn(global, 'fetch').mockImplementation(async (input) => {
       const url = typeof input === 'string' ? input : String(input)
+      if (url.endsWith('/api/auth/login')) {
+        return { status: 401, text: async () => '' } as unknown as Response
+      }
       if (url.endsWith('/login')) {
         return {
           status: 200,
@@ -77,9 +88,6 @@ describe('integration cache and options', () => {
       if (url.includes('/_next/static/chunks/app-healthcheck.js')) {
         return { status: 200, text: async () => '' } as unknown as Response
       }
-      if (url.endsWith('/api/auth/login')) {
-        return { status: 401, text: async () => '' } as unknown as Response
-      }
       return { status: 200, text: async () => '' } as unknown as Response
     })
 
@@ -113,6 +121,87 @@ describe('integration cache and options', () => {
     }
   }, 20000)
 
+  it('reuses an existing environment when /login returns a redirect status other than 302', async () => {
+    const baseUrl = 'http://127.0.0.1:5001'
+    const fetchSpy = jest.spyOn(global, 'fetch').mockImplementation(async (input) => {
+      const url = typeof input === 'string' ? input : String(input)
+      if (url.endsWith('/api/auth/login')) {
+        return { status: 401, text: async () => '' } as unknown as Response
+      }
+      if (url.endsWith('/login')) {
+        return { status: 308, text: async () => '' } as unknown as Response
+      }
+      return { status: 200, text: async () => '' } as unknown as Response
+    })
+
+    try {
+      await writeEphemeralEnvironmentState({
+        baseUrl,
+        port: 5001,
+        logPrefix: 'integration',
+        captureScreenshots: true,
+      })
+
+      const environment = await tryReuseExistingEnvironment({
+        verbose: false,
+        captureScreenshots: true,
+        logPrefix: 'integration',
+        forceRebuild: false,
+      })
+
+      expect(environment).not.toBeNull()
+      expect(environment).toMatchObject({
+        baseUrl,
+        port: 5001,
+        ownedByCurrentProcess: false,
+      })
+    } finally {
+      fetchSpy.mockRestore()
+    }
+  })
+
+  it('reuses an existing environment when /login returns healthy HTML without static asset references', async () => {
+    const baseUrl = 'http://127.0.0.1:5001'
+    const fetchSpy = jest.spyOn(global, 'fetch').mockImplementation(async (input) => {
+      const url = typeof input === 'string' ? input : String(input)
+      if (url.endsWith('/api/auth/login')) {
+        return { status: 401, text: async () => '' } as unknown as Response
+      }
+      if (url.endsWith('/login')) {
+        return {
+          status: 200,
+          text: async () => '<!doctype html><html><body><form data-auth-ready="0"></form></body></html>',
+        } as unknown as Response
+      }
+      return { status: 200, text: async () => '' } as unknown as Response
+    })
+
+    try {
+      await writeEphemeralEnvironmentState({
+        baseUrl,
+        port: 5001,
+        logPrefix: 'integration',
+        captureScreenshots: false,
+      })
+
+      const environment = await tryReuseExistingEnvironment({
+        verbose: false,
+        captureScreenshots: false,
+        logPrefix: 'integration',
+        forceRebuild: false,
+      })
+
+      expect(environment).not.toBeNull()
+      expect(environment).toMatchObject({
+        baseUrl,
+        port: 5001,
+        ownedByCurrentProcess: false,
+      })
+    } finally {
+      fetchSpy.mockRestore()
+    }
+  })
+
   it('falls back to rebuilding when the ephemeral environment state is unreachable', async () => {
     const baseUrl = 'http://127.0.0.1:5001'
     const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({ status: 500 } as unknown as Response)
@@ -223,6 +312,20 @@ describe('integration cache and options', () => {
     warn.mockRestore()
   })
 
+  it('resolves app readiness timeout from env variable', () => {
+    delete process.env[APP_READY_TIMEOUT_ENV_VAR]
+    expect(resolveAppReadyTimeoutMs('integration')).toBe(90_000)
+
+    process.env[APP_READY_TIMEOUT_ENV_VAR] = '180'
+    expect(resolveAppReadyTimeoutMs('integration')).toBe(180_000)
+
+    const warn = jest.spyOn(console, 'warn').mockImplementation(() => {})
+    process.env[APP_READY_TIMEOUT_ENV_VAR] = '0'
+    expect(resolveAppReadyTimeoutMs('integration')).toBe(90_000)
+    expect(warn).toHaveBeenCalledWith(expect.stringContaining('Invalid'))
+    warn.mockRestore()
+  })
+
   it('reuses build artifacts only with matching source fingerprint and fresh cache state', async () => {
     const tempRoot = await mkdtemp(path.join(os.tmpdir(), 'om-int-cache-test-'))
     try {