@open-mercato/cli 0.6.6-develop.5598.1.5e7d48d297 → 0.6.6-develop.5617.1.62538c48ca

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/cli",
-  "version": "0.6.6-develop.5598.1.5e7d48d297",
+  "version": "0.6.6-develop.5617.1.62538c48ca",
   "type": "module",
   "main": "./dist/index.js",
   "exports": {
@@ -59,8 +59,8 @@
     "@mikro-orm/decorators": "^7.1.4",
     "@mikro-orm/migrations": "^7.1.4",
     "@mikro-orm/postgresql": "^7.1.4",
-    "@open-mercato/queue": "0.6.6-develop.5598.1.5e7d48d297",
-    "@open-mercato/shared": "0.6.6-develop.5598.1.5e7d48d297",
+    "@open-mercato/queue": "0.6.6-develop.5617.1.62538c48ca",
+    "@open-mercato/shared": "0.6.6-develop.5617.1.62538c48ca",
     "cross-spawn": "^7.0.6",
     "pg": "8.21.0",
     "semver": "^7.8.4",
@@ -70,10 +70,10 @@
     "typescript": "^6.0.3"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.6.6-develop.5598.1.5e7d48d297"
+    "@open-mercato/shared": "0.6.6-develop.5617.1.62538c48ca"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.6.6-develop.5598.1.5e7d48d297",
+    "@open-mercato/shared": "0.6.6-develop.5617.1.62538c48ca",
     "@types/jest": "^30.0.0",
     "jest": "^30.4.2",
     "ts-jest": "^29.4.11"

package/src/lib/__tests__/init-secrets.test.ts

@@ -1,15 +1,33 @@
 import { resolveInitDerivedSecrets } from '../init-secrets'
 
 describe('resolveInitDerivedSecrets', () => {
-  it('defaults derived passwords to secret', () => {
+  it("seeds the well-known 'secret' password in non-production when no env overrides are set", () => {
     const env: NodeJS.ProcessEnv = {}
     const result = resolveInitDerivedSecrets({ email: 'piotr@gmail.com', env })
     expect(result.adminEmail).toBe('admin@gmail.com')
     expect(result.employeeEmail).toBe('employee@gmail.com')
+    // Dev/test default: the documented demo password, so `yarn dev` /
+    // `mercato init` workflows stay predictable across runs.
     expect(result.adminPassword).toBe('secret')
     expect(result.employeePassword).toBe('secret')
   })
 
+  it('generates random derived passwords in production when no env overrides are set', () => {
+    const env: NodeJS.ProcessEnv = { NODE_ENV: 'production' }
+    const result = resolveInitDerivedSecrets({ email: 'piotr@gmail.com', env })
+    expect(result.adminEmail).toBe('admin@gmail.com')
+    expect(result.employeeEmail).toBe('employee@gmail.com')
+    // Production must never seed the hardcoded default — that was the bug.
+    expect(result.adminPassword).not.toBe('secret')
+    expect(result.employeePassword).not.toBe('secret')
+    expect(typeof result.adminPassword).toBe('string')
+    expect(typeof result.employeePassword).toBe('string')
+    expect(result.adminPassword!.length).toBeGreaterThanOrEqual(16)
+    expect(result.employeePassword!.length).toBeGreaterThanOrEqual(16)
+    // 96 bits of entropy: two independently generated secrets must not collide.
+    expect(result.adminPassword).not.toBe(result.employeePassword)
+  })
+
   it('respects explicit derived overrides', () => {
     const env: NodeJS.ProcessEnv = {
       OM_INIT_ADMIN_EMAIL: 'admin@acme.com',
@@ -24,11 +42,9 @@ describe('resolveInitDerivedSecrets', () => {
     expect(result.employeePassword).toBe('EmployeeSecret')
   })
 
-  it('generates random secrets when enabled', () => {
-    const env: NodeJS.ProcessEnv = {
-      OM_INIT_GENERATE_RANDOM_PASSWORD: 'true',
-    }
-    const randomBuffer = Buffer.from('abcdefghi')
+  it('uses the provided randomSource (base64url-encoded 12 bytes) in production', () => {
+    const env: NodeJS.ProcessEnv = { NODE_ENV: 'production' }
+    const randomBuffer = Buffer.from('abcdefghijkl')
     const randomSource = () => randomBuffer
     const expected = randomBuffer.toString('base64url')
     const result = resolveInitDerivedSecrets({ email: 'boss@acme.com', env, randomSource })
@@ -36,6 +52,21 @@ describe('resolveInitDerivedSecrets', () => {
     expect(result.employeePassword).toBe(expected)
   })
 
+  it('ignores the deprecated OM_INIT_GENERATE_RANDOM_PASSWORD toggle in production (randomization is unconditional)', () => {
+    // The toggle was a partial mitigation when 'secret' was still the default.
+    // Now production randomization is always-on when env vars are unset, so the
+    // flag is a no-op — setting it should not change the output shape.
+    const warn = jest.spyOn(console, 'warn').mockImplementation(() => undefined)
+    try {
+      const env: NodeJS.ProcessEnv = { NODE_ENV: 'production', OM_INIT_GENERATE_RANDOM_PASSWORD: 'true' }
+      const result = resolveInitDerivedSecrets({ email: 'boss@acme.com', env })
+      expect(result.adminPassword).not.toBe('secret')
+      expect(typeof result.adminPassword).toBe('string')
+    } finally {
+      warn.mockRestore()
+    }
+  })
+
   it('skips derived accounts without a domain', () => {
     const env: NodeJS.ProcessEnv = {}
     const result = resolveInitDerivedSecrets({ email: 'local', env })

package/src/lib/init-secrets.ts

@@ -3,8 +3,6 @@ import { randomBytes } from 'node:crypto'
 
 type EnvReader = (key: string) => string | undefined
 
-const DEFAULT_DERIVED_PASSWORD = 'secret'
-
 function readEnvValue(env: NodeJS.ProcessEnv, key: string): string | undefined {
   const value = env[key]
   if (typeof value !== 'string') return undefined
@@ -24,6 +22,14 @@ export type InitDerivedSecrets = {
   employeePassword: string | null
 }
 
+// Well-known dev/demo password baked into local bootstrap flows so developers
+// keep the documented "log in as admin@<domain> with password 'secret'" UX.
+// Only used when NODE_ENV !== 'production' and the OM_INIT_*_PASSWORD env vars
+// are unset — production paths always use a random 96-bit secret.
+const DEMO_DERIVED_PASSWORD = 'secret'
+
+let warnedAboutDeprecatedRandomToggle = false
+
 export function resolveInitDerivedSecrets(options: {
   email: string
   env?: NodeJS.ProcessEnv
@@ -34,14 +40,28 @@ export function resolveInitDerivedSecrets(options: {
   const [, domain] = String(options.email ?? '').split('@')
   const adminEmail = envRead('OM_INIT_ADMIN_EMAIL') ?? resolveEmailFromDomain(domain, 'admin')
   const employeeEmail = envRead('OM_INIT_EMPLOYEE_EMAIL') ?? resolveEmailFromDomain(domain, 'employee')
-  const randomEnabled = parseBooleanToken(envRead('OM_INIT_GENERATE_RANDOM_PASSWORD') ?? '') === true
+  // OM_INIT_GENERATE_RANDOM_PASSWORD used to be an opt-in toggle for random
+  // derived secrets; in production it is now the unconditional behaviour when
+  // no override is set. Surface a one-time deprecation warning so existing
+  // operators notice their config is no longer required.
+  if (parseBooleanToken(envRead('OM_INIT_GENERATE_RANDOM_PASSWORD') ?? '') === true && !warnedAboutDeprecatedRandomToggle) {
+    warnedAboutDeprecatedRandomToggle = true
+    console.warn(
+      '⚠️  OM_INIT_GENERATE_RANDOM_PASSWORD is deprecated and no longer required: derived admin/employee passwords are always randomized in production when overrides are unset.',
+    )
+  }
+  const isProduction = (env.NODE_ENV ?? '').trim().toLowerCase() === 'production'
   const randomize = options.randomSource ?? randomBytes
-  const randomSecret = () => randomize(9).toString('base64url')
+  const randomSecret = () => randomize(12).toString('base64url')
   const resolvePassword = (key: string, emailValue: string | null) => {
     if (!emailValue) return null
     const envValue = envRead(key)
     if (envValue) return envValue
-    return randomEnabled ? randomSecret() : DEFAULT_DERIVED_PASSWORD
+    // Non-production (dev/test/staging defaults): seed the documented demo
+    // password so `yarn dev` / `mercato init` workflows stay predictable.
+    // Production: generate a fresh random secret so credentials are never
+    // hardcoded and the operator-facing CLI prints the value once.
+    return isProduction ? randomSecret() : DEMO_DERIVED_PASSWORD
   }
 
   return {
@@ -51,4 +71,3 @@ export function resolveInitDerivedSecrets(options: {
     employeePassword: resolvePassword('OM_INIT_EMPLOYEE_PASSWORD', employeeEmail),
   }
 }
-

package/src/lib/testing/integration.ts

@@ -1660,6 +1660,15 @@ function buildReusableEnvironment(
     NODE_ENV: 'production',
     JWT_SECRET: process.env.JWT_SECRET ?? 'om-ephemeral-integration-jwt-secret',
     OM_SECURITY_MFA_SETUP_SECRET: process.env.OM_SECURITY_MFA_SETUP_SECRET ?? 'om-ephemeral-integration-mfa-setup-secret',
+    // Integration probe + tests expect `admin@acme.com / secret` and
+    // `employee@acme.com / secret`. NODE_ENV=production routes derived-user
+    // password resolution through the random-fallback branch unless these
+    // env vars are explicitly set; without the override every fresh
+    // ephemeral run would mint random passwords and the login probe would
+    // never converge. This is the documented production contract: set
+    // OM_INIT_*_PASSWORD to fix the seeded credential.
+    OM_INIT_ADMIN_PASSWORD: process.env.OM_INIT_ADMIN_PASSWORD ?? 'secret',
+    OM_INIT_EMPLOYEE_PASSWORD: process.env.OM_INIT_EMPLOYEE_PASSWORD ?? 'secret',
     OM_INTEGRATION_TEST: 'true',
     OM_ENABLE_ENTERPRISE_MODULES: enterpriseModulesFlag,
     OM_ENABLE_ENTERPRISE_MODULES_SSO: process.env.OM_ENABLE_ENTERPRISE_MODULES_SSO ?? enterpriseModulesFlag,
@@ -1671,6 +1680,11 @@ function buildReusableEnvironment(
     // not have to call flushPendingCrudAccessLogs() explicitly.
     OM_CRUD_ACCESS_LOG_BLOCKING: process.env.OM_CRUD_ACCESS_LOG_BLOCKING ?? '1',
     OM_WEBHOOKS_ALLOW_PRIVATE_URLS: process.env.OM_WEBHOOKS_ALLOW_PRIVATE_URLS ?? '1',
+    // Keep the bus in the Playwright process (used by in-test queue-drain helpers)
+    // on the same delivery mode as the app server it drives: inline persistent
+    // delivery so event side effects are deterministic for assertions. See the
+    // matching OM_EVENTS_SINGLE_DELIVERY note on the app server environment below.
+    OM_EVENTS_SINGLE_DELIVERY: process.env.OM_EVENTS_SINGLE_DELIVERY ?? 'false',
     ENABLE_CRUD_API_CACHE: 'true',
     MOCK_GATEWAY_WEBHOOK_SECRET: 'open-mercato-mock-dev-webhook-secret',
     MOCK_CARRIER_WEBHOOK_SECRET: 'open-mercato-mock-dev-carrier-webhook-secret',
@@ -2956,6 +2970,11 @@ export async function startEphemeralEnvironment(options: EphemeralRuntimeOptions
       JWT_SECRET: process.env.JWT_SECRET ?? 'om-ephemeral-integration-jwt-secret',
       OM_SECURITY_MFA_SETUP_SECRET: process.env.OM_SECURITY_MFA_SETUP_SECRET ?? 'om-ephemeral-integration-mfa-setup-secret',
       NODE_ENV: 'production',
+      // See the auth-probe block above: pin derived-user passwords to the
+      // documented 'secret' so the ephemeral login probe converges under
+      // NODE_ENV=production.
+      OM_INIT_ADMIN_PASSWORD: process.env.OM_INIT_ADMIN_PASSWORD ?? 'secret',
+      OM_INIT_EMPLOYEE_PASSWORD: process.env.OM_INIT_EMPLOYEE_PASSWORD ?? 'secret',
       // Pool sizing for the ephemeral integration runtime. Defaults were once
       // very aggressive (max=5, idle=1000) which exposed flaky 'timeout exceeded
       // when trying to connect' errors on `progressService.createJob`-backed
@@ -2987,6 +3006,18 @@ export async function startEphemeralEnvironment(options: EphemeralRuntimeOptions
       CI: 'true',
       TENANT_DATA_ENCRYPTION_FALLBACK_KEY: process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY ?? 'om-ephemeral-integration-fallback-key',
       AUTO_SPAWN_WORKERS: process.env.AUTO_SPAWN_WORKERS ?? 'true',
+      // Process persistent event subscribers INLINE in the request that emits
+      // the event (legacy dual-dispatch), rather than the production default of
+      // worker-only single delivery. Integration specs assert event side effects
+      // (sync mappings, workflow-trigger instances, notifications) immediately
+      // after the emitting API call and poll for them on short budgets; routing
+      // those subscribers through the async events worker makes the side effect
+      // race the poll under the 15-shard CI load, which surfaced as flaky
+      // timeouts in TC-CRM-028 (inbound sync mapping) and TC-WF-008 (event-
+      // triggered workflow) once single-delivery became default-ON. Inline
+      // delivery makes the side effects deterministic for tests; production keeps
+      // the single-delivery default. Honor an explicit override if the caller set one.
+      OM_EVENTS_SINGLE_DELIVERY: process.env.OM_EVENTS_SINGLE_DELIVERY ?? 'false',
       AUTO_SPAWN_SCHEDULER: 'false',
       // Hide the demo feedback floating action button — it lives at
       // `fixed bottom-6 right-6 z-banner` and consistently intercepts pointer

package/src/mercato.ts

@@ -1080,6 +1080,11 @@ export async function run(argv = process.argv) {
         '--email', email,
         '--password', password,
         '--roles', roles,
+        // `mercato init` is the dev/demo bootstrap flow — it explicitly wants
+        // the derived admin@/employee@ demo accounts. Standalone callers of
+        // `mercato auth setup` must opt in themselves; without this flag the
+        // setup command no longer seeds those accounts by default.
+        '--include-demo-users',
       ]
       if (skipPasswordPolicy) {
         setupArgs.push('--skip-password-policy')