@open-mercato/cli 0.6.6-develop.5598.1.5e7d48d297 → 0.6.6-develop.5617.1.62538c48ca

package/dist/lib/init-secrets.js

@@ -1,6 +1,5 @@
 import { parseBooleanToken } from "@open-mercato/shared/lib/boolean";
 import { randomBytes } from "node:crypto";
-const DEFAULT_DERIVED_PASSWORD = "secret";
 function readEnvValue(env, key) {
   const value = env[key];
   if (typeof value !== "string") return void 0;
@@ -11,20 +10,28 @@ function resolveEmailFromDomain(domain, prefix) {
   if (!domain) return null;
   return `${prefix}@${domain}`;
 }
+const DEMO_DERIVED_PASSWORD = "secret";
+let warnedAboutDeprecatedRandomToggle = false;
 function resolveInitDerivedSecrets(options) {
   const env = options.env ?? process.env;
   const envRead = (key) => readEnvValue(env, key);
   const [, domain] = String(options.email ?? "").split("@");
   const adminEmail = envRead("OM_INIT_ADMIN_EMAIL") ?? resolveEmailFromDomain(domain, "admin");
   const employeeEmail = envRead("OM_INIT_EMPLOYEE_EMAIL") ?? resolveEmailFromDomain(domain, "employee");
-  const randomEnabled = parseBooleanToken(envRead("OM_INIT_GENERATE_RANDOM_PASSWORD") ?? "") === true;
+  if (parseBooleanToken(envRead("OM_INIT_GENERATE_RANDOM_PASSWORD") ?? "") === true && !warnedAboutDeprecatedRandomToggle) {
+    warnedAboutDeprecatedRandomToggle = true;
+    console.warn(
+      "\u26A0\uFE0F  OM_INIT_GENERATE_RANDOM_PASSWORD is deprecated and no longer required: derived admin/employee passwords are always randomized in production when overrides are unset."
+    );
+  }
+  const isProduction = (env.NODE_ENV ?? "").trim().toLowerCase() === "production";
   const randomize = options.randomSource ?? randomBytes;
-  const randomSecret = () => randomize(9).toString("base64url");
+  const randomSecret = () => randomize(12).toString("base64url");
   const resolvePassword = (key, emailValue) => {
     if (!emailValue) return null;
     const envValue = envRead(key);
     if (envValue) return envValue;
-    return randomEnabled ? randomSecret() : DEFAULT_DERIVED_PASSWORD;
+    return isProduction ? randomSecret() : DEMO_DERIVED_PASSWORD;
   };
   return {
     adminEmail,

package/dist/lib/init-secrets.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/lib/init-secrets.ts"],
-  "sourcesContent": ["import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\nimport { randomBytes } from 'node:crypto'\n\ntype EnvReader = (key: string) => string | undefined\n\nconst DEFAULT_DERIVED_PASSWORD = 'secret'\n\nfunction readEnvValue(env: NodeJS.ProcessEnv, key: string): string | undefined {\n  const value = env[key]\n  if (typeof value !== 'string') return undefined\n  const trimmed = value.trim()\n  return trimmed.length > 0 ? trimmed : undefined\n}\n\nfunction resolveEmailFromDomain(domain: string | undefined, prefix: string): string | null {\n  if (!domain) return null\n  return `${prefix}@${domain}`\n}\n\nexport type InitDerivedSecrets = {\n  adminEmail: string | null\n  employeeEmail: string | null\n  adminPassword: string | null\n  employeePassword: string | null\n}\n\nexport function resolveInitDerivedSecrets(options: {\n  email: string\n  env?: NodeJS.ProcessEnv\n  randomSource?: (size: number) => Buffer\n}): InitDerivedSecrets {\n  const env = options.env ?? process.env\n  const envRead: EnvReader = (key) => readEnvValue(env, key)\n  const [, domain] = String(options.email ?? '').split('@')\n  const adminEmail = envRead('OM_INIT_ADMIN_EMAIL') ?? resolveEmailFromDomain(domain, 'admin')\n  const employeeEmail = envRead('OM_INIT_EMPLOYEE_EMAIL') ?? resolveEmailFromDomain(domain, 'employee')\n  const randomEnabled = parseBooleanToken(envRead('OM_INIT_GENERATE_RANDOM_PASSWORD') ?? '') === true\n  const randomize = options.randomSource ?? randomBytes\n  const randomSecret = () => randomize(9).toString('base64url')\n  const resolvePassword = (key: string, emailValue: string | null) => {\n    if (!emailValue) return null\n    const envValue = envRead(key)\n    if (envValue) return envValue\n    return randomEnabled ? randomSecret() : DEFAULT_DERIVED_PASSWORD\n  }\n\n  return {\n    adminEmail,\n    employeeEmail,\n    adminPassword: resolvePassword('OM_INIT_ADMIN_PASSWORD', adminEmail),\n    employeePassword: resolvePassword('OM_INIT_EMPLOYEE_PASSWORD', employeeEmail),\n  }\n}\n\n"],
-  "mappings": "AAAA,SAAS,yBAAyB;AAClC,SAAS,mBAAmB;AAI5B,MAAM,2BAA2B;AAEjC,SAAS,aAAa,KAAwB,KAAiC;AAC7E,QAAM,QAAQ,IAAI,GAAG;AACrB,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,SAAS,IAAI,UAAU;AACxC;AAEA,SAAS,uBAAuB,QAA4B,QAA+B;AACzF,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,GAAG,MAAM,IAAI,MAAM;AAC5B;AASO,SAAS,0BAA0B,SAInB;AACrB,QAAM,MAAM,QAAQ,OAAO,QAAQ;AACnC,QAAM,UAAqB,CAAC,QAAQ,aAAa,KAAK,GAAG;AACzD,QAAM,CAAC,EAAE,MAAM,IAAI,OAAO,QAAQ,SAAS,EAAE,EAAE,MAAM,GAAG;AACxD,QAAM,aAAa,QAAQ,qBAAqB,KAAK,uBAAuB,QAAQ,OAAO;AAC3F,QAAM,gBAAgB,QAAQ,wBAAwB,KAAK,uBAAuB,QAAQ,UAAU;AACpG,QAAM,gBAAgB,kBAAkB,QAAQ,kCAAkC,KAAK,EAAE,MAAM;AAC/F,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,eAAe,MAAM,UAAU,CAAC,EAAE,SAAS,WAAW;AAC5D,QAAM,kBAAkB,CAAC,KAAa,eAA8B;AAClE,QAAI,CAAC,WAAY,QAAO;AACxB,UAAM,WAAW,QAAQ,GAAG;AAC5B,QAAI,SAAU,QAAO;AACrB,WAAO,gBAAgB,aAAa,IAAI;AAAA,EAC1C;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,eAAe,gBAAgB,0BAA0B,UAAU;AAAA,IACnE,kBAAkB,gBAAgB,6BAA6B,aAAa;AAAA,EAC9E;AACF;",
+  "sourcesContent": ["import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\nimport { randomBytes } from 'node:crypto'\n\ntype EnvReader = (key: string) => string | undefined\n\nfunction readEnvValue(env: NodeJS.ProcessEnv, key: string): string | undefined {\n  const value = env[key]\n  if (typeof value !== 'string') return undefined\n  const trimmed = value.trim()\n  return trimmed.length > 0 ? trimmed : undefined\n}\n\nfunction resolveEmailFromDomain(domain: string | undefined, prefix: string): string | null {\n  if (!domain) return null\n  return `${prefix}@${domain}`\n}\n\nexport type InitDerivedSecrets = {\n  adminEmail: string | null\n  employeeEmail: string | null\n  adminPassword: string | null\n  employeePassword: string | null\n}\n\n// Well-known dev/demo password baked into local bootstrap flows so developers\n// keep the documented \"log in as admin@<domain> with password 'secret'\" UX.\n// Only used when NODE_ENV !== 'production' and the OM_INIT_*_PASSWORD env vars\n// are unset \u2014 production paths always use a random 96-bit secret.\nconst DEMO_DERIVED_PASSWORD = 'secret'\n\nlet warnedAboutDeprecatedRandomToggle = false\n\nexport function resolveInitDerivedSecrets(options: {\n  email: string\n  env?: NodeJS.ProcessEnv\n  randomSource?: (size: number) => Buffer\n}): InitDerivedSecrets {\n  const env = options.env ?? process.env\n  const envRead: EnvReader = (key) => readEnvValue(env, key)\n  const [, domain] = String(options.email ?? '').split('@')\n  const adminEmail = envRead('OM_INIT_ADMIN_EMAIL') ?? resolveEmailFromDomain(domain, 'admin')\n  const employeeEmail = envRead('OM_INIT_EMPLOYEE_EMAIL') ?? resolveEmailFromDomain(domain, 'employee')\n  // OM_INIT_GENERATE_RANDOM_PASSWORD used to be an opt-in toggle for random\n  // derived secrets; in production it is now the unconditional behaviour when\n  // no override is set. Surface a one-time deprecation warning so existing\n  // operators notice their config is no longer required.\n  if (parseBooleanToken(envRead('OM_INIT_GENERATE_RANDOM_PASSWORD') ?? '') === true && !warnedAboutDeprecatedRandomToggle) {\n    warnedAboutDeprecatedRandomToggle = true\n    console.warn(\n      '\u26A0\uFE0F  OM_INIT_GENERATE_RANDOM_PASSWORD is deprecated and no longer required: derived admin/employee passwords are always randomized in production when overrides are unset.',\n    )\n  }\n  const isProduction = (env.NODE_ENV ?? '').trim().toLowerCase() === 'production'\n  const randomize = options.randomSource ?? randomBytes\n  const randomSecret = () => randomize(12).toString('base64url')\n  const resolvePassword = (key: string, emailValue: string | null) => {\n    if (!emailValue) return null\n    const envValue = envRead(key)\n    if (envValue) return envValue\n    // Non-production (dev/test/staging defaults): seed the documented demo\n    // password so `yarn dev` / `mercato init` workflows stay predictable.\n    // Production: generate a fresh random secret so credentials are never\n    // hardcoded and the operator-facing CLI prints the value once.\n    return isProduction ? randomSecret() : DEMO_DERIVED_PASSWORD\n  }\n\n  return {\n    adminEmail,\n    employeeEmail,\n    adminPassword: resolvePassword('OM_INIT_ADMIN_PASSWORD', adminEmail),\n    employeePassword: resolvePassword('OM_INIT_EMPLOYEE_PASSWORD', employeeEmail),\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,yBAAyB;AAClC,SAAS,mBAAmB;AAI5B,SAAS,aAAa,KAAwB,KAAiC;AAC7E,QAAM,QAAQ,IAAI,GAAG;AACrB,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,SAAS,IAAI,UAAU;AACxC;AAEA,SAAS,uBAAuB,QAA4B,QAA+B;AACzF,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,GAAG,MAAM,IAAI,MAAM;AAC5B;AAaA,MAAM,wBAAwB;AAE9B,IAAI,oCAAoC;AAEjC,SAAS,0BAA0B,SAInB;AACrB,QAAM,MAAM,QAAQ,OAAO,QAAQ;AACnC,QAAM,UAAqB,CAAC,QAAQ,aAAa,KAAK,GAAG;AACzD,QAAM,CAAC,EAAE,MAAM,IAAI,OAAO,QAAQ,SAAS,EAAE,EAAE,MAAM,GAAG;AACxD,QAAM,aAAa,QAAQ,qBAAqB,KAAK,uBAAuB,QAAQ,OAAO;AAC3F,QAAM,gBAAgB,QAAQ,wBAAwB,KAAK,uBAAuB,QAAQ,UAAU;AAKpG,MAAI,kBAAkB,QAAQ,kCAAkC,KAAK,EAAE,MAAM,QAAQ,CAAC,mCAAmC;AACvH,wCAAoC;AACpC,YAAQ;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACA,QAAM,gBAAgB,IAAI,YAAY,IAAI,KAAK,EAAE,YAAY,MAAM;AACnE,QAAM,YAAY,QAAQ,gBAAgB;AAC1C,QAAM,eAAe,MAAM,UAAU,EAAE,EAAE,SAAS,WAAW;AAC7D,QAAM,kBAAkB,CAAC,KAAa,eAA8B;AAClE,QAAI,CAAC,WAAY,QAAO;AACxB,UAAM,WAAW,QAAQ,GAAG;AAC5B,QAAI,SAAU,QAAO;AAKrB,WAAO,eAAe,aAAa,IAAI;AAAA,EACzC;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,eAAe,gBAAgB,0BAA0B,UAAU;AAAA,IACnE,kBAAkB,gBAAgB,6BAA6B,aAAa;AAAA,EAC9E;AACF;",
   "names": []
 }

package/dist/lib/testing/integration.js

@@ -1215,6 +1215,15 @@ function buildReusableEnvironment(baseUrl, databaseUrl, queueBaseDir, captureScr
     NODE_ENV: "production",
     JWT_SECRET: process.env.JWT_SECRET ?? "om-ephemeral-integration-jwt-secret",
     OM_SECURITY_MFA_SETUP_SECRET: process.env.OM_SECURITY_MFA_SETUP_SECRET ?? "om-ephemeral-integration-mfa-setup-secret",
+    // Integration probe + tests expect `admin@acme.com / secret` and
+    // `employee@acme.com / secret`. NODE_ENV=production routes derived-user
+    // password resolution through the random-fallback branch unless these
+    // env vars are explicitly set; without the override every fresh
+    // ephemeral run would mint random passwords and the login probe would
+    // never converge. This is the documented production contract: set
+    // OM_INIT_*_PASSWORD to fix the seeded credential.
+    OM_INIT_ADMIN_PASSWORD: process.env.OM_INIT_ADMIN_PASSWORD ?? "secret",
+    OM_INIT_EMPLOYEE_PASSWORD: process.env.OM_INIT_EMPLOYEE_PASSWORD ?? "secret",
     OM_INTEGRATION_TEST: "true",
     OM_ENABLE_ENTERPRISE_MODULES: enterpriseModulesFlag,
     OM_ENABLE_ENTERPRISE_MODULES_SSO: process.env.OM_ENABLE_ENTERPRISE_MODULES_SSO ?? enterpriseModulesFlag,
@@ -1226,6 +1235,11 @@ function buildReusableEnvironment(baseUrl, databaseUrl, queueBaseDir, captureScr
     // not have to call flushPendingCrudAccessLogs() explicitly.
     OM_CRUD_ACCESS_LOG_BLOCKING: process.env.OM_CRUD_ACCESS_LOG_BLOCKING ?? "1",
     OM_WEBHOOKS_ALLOW_PRIVATE_URLS: process.env.OM_WEBHOOKS_ALLOW_PRIVATE_URLS ?? "1",
+    // Keep the bus in the Playwright process (used by in-test queue-drain helpers)
+    // on the same delivery mode as the app server it drives: inline persistent
+    // delivery so event side effects are deterministic for assertions. See the
+    // matching OM_EVENTS_SINGLE_DELIVERY note on the app server environment below.
+    OM_EVENTS_SINGLE_DELIVERY: process.env.OM_EVENTS_SINGLE_DELIVERY ?? "false",
     ENABLE_CRUD_API_CACHE: "true",
     MOCK_GATEWAY_WEBHOOK_SECRET: "open-mercato-mock-dev-webhook-secret",
     MOCK_CARRIER_WEBHOOK_SECRET: "open-mercato-mock-dev-carrier-webhook-secret",
@@ -2343,6 +2357,11 @@ async function startEphemeralEnvironment(options) {
       JWT_SECRET: process.env.JWT_SECRET ?? "om-ephemeral-integration-jwt-secret",
       OM_SECURITY_MFA_SETUP_SECRET: process.env.OM_SECURITY_MFA_SETUP_SECRET ?? "om-ephemeral-integration-mfa-setup-secret",
       NODE_ENV: "production",
+      // See the auth-probe block above: pin derived-user passwords to the
+      // documented 'secret' so the ephemeral login probe converges under
+      // NODE_ENV=production.
+      OM_INIT_ADMIN_PASSWORD: process.env.OM_INIT_ADMIN_PASSWORD ?? "secret",
+      OM_INIT_EMPLOYEE_PASSWORD: process.env.OM_INIT_EMPLOYEE_PASSWORD ?? "secret",
       // Pool sizing for the ephemeral integration runtime. Defaults were once
       // very aggressive (max=5, idle=1000) which exposed flaky 'timeout exceeded
       // when trying to connect' errors on `progressService.createJob`-backed
@@ -2374,6 +2393,18 @@ async function startEphemeralEnvironment(options) {
       CI: "true",
       TENANT_DATA_ENCRYPTION_FALLBACK_KEY: process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY ?? "om-ephemeral-integration-fallback-key",
       AUTO_SPAWN_WORKERS: process.env.AUTO_SPAWN_WORKERS ?? "true",
+      // Process persistent event subscribers INLINE in the request that emits
+      // the event (legacy dual-dispatch), rather than the production default of
+      // worker-only single delivery. Integration specs assert event side effects
+      // (sync mappings, workflow-trigger instances, notifications) immediately
+      // after the emitting API call and poll for them on short budgets; routing
+      // those subscribers through the async events worker makes the side effect
+      // race the poll under the 15-shard CI load, which surfaced as flaky
+      // timeouts in TC-CRM-028 (inbound sync mapping) and TC-WF-008 (event-
+      // triggered workflow) once single-delivery became default-ON. Inline
+      // delivery makes the side effects deterministic for tests; production keeps
+      // the single-delivery default. Honor an explicit override if the caller set one.
+      OM_EVENTS_SINGLE_DELIVERY: process.env.OM_EVENTS_SINGLE_DELIVERY ?? "false",
       AUTO_SPAWN_SCHEDULER: "false",
       // Hide the demo feedback floating action button — it lives at
       // `fixed bottom-6 right-6 z-banner` and consistently intercepts pointer