@open-mercato/core 0.4.2-canary-10c7a8bf2a → 0.4.2-canary-c84cff7ed5

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,12 +64,16 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const settings = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -92,11 +96,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? [],
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -106,6 +110,11 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
+  }
 
   let parsedBody: unknown
   try {
@@ -182,7 +191,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/api/users/route.ts

@@ -15,6 +15,7 @@ import type { EntityManager } from '@mikro-orm/postgresql'
 import { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 const querySchema = z.object({
   id: z.string().uuid().optional(),
@@ -27,9 +28,11 @@ const querySchema = z.object({
 
 const rawBodySchema = z.object({}).passthrough()
 
+const passwordSchema = buildPasswordSchema()
+
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -37,7 +40,7 @@ const userCreateSchema = z.object({
 const userUpdateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })

package/src/modules/auth/backend/auth/profile/page.meta.ts

@@ -0,0 +1,9 @@
+export const metadata = {
+  requireAuth: true,
+  navHidden: true,
+  pageTitle: 'Profile',
+  pageTitleKey: 'auth.profile.title',
+  breadcrumb: [
+    { label: 'Profile', labelKey: 'auth.profile.title' },
+  ],
+}

package/src/modules/auth/backend/auth/profile/page.tsx

@@ -0,0 +1,174 @@
+"use client"
+import * as React from 'react'
+import { useRouter } from 'next/navigation'
+import { z } from 'zod'
+import { Save } from 'lucide-react'
+import { Page, PageBody } from '@open-mercato/ui/backend/Page'
+import { CrudForm, type CrudField } from '@open-mercato/ui/backend/CrudForm'
+import { apiCall, readApiResultOrThrow } from '@open-mercato/ui/backend/utils/apiCall'
+import { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'
+import { flash } from '@open-mercato/ui/backend/FlashMessages'
+import { LoadingMessage, ErrorMessage } from '@open-mercato/ui/backend/detail'
+import { Button } from '@open-mercato/ui/primitives/button'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { buildPasswordSchema, formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
+
+type ProfileResponse = {
+  email?: string | null
+}
+
+type ProfileUpdateResponse = {
+  ok?: boolean
+  email?: string | null
+}
+
+type ProfileFormValues = {
+  email: string
+  password: string
+  confirmPassword: string
+}
+
+export default function AuthProfilePage() {
+  const t = useT()
+  const router = useRouter()
+  const [loading, setLoading] = React.useState(true)
+  const [error, setError] = React.useState<string | null>(null)
+  const [email, setEmail] = React.useState('')
+  const [formKey, setFormKey] = React.useState(0)
+  const formId = React.useId()
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
+
+  React.useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setError(null)
+      try {
+        const { ok, result } = await apiCall<ProfileResponse>('/api/auth/profile')
+        if (!ok) throw new Error('load_failed')
+        const resolvedEmail = typeof result?.email === 'string' ? result.email : ''
+        if (!cancelled) setEmail(resolvedEmail)
+      } catch (err) {
+        console.error('Failed to load auth profile', err)
+        if (!cancelled) setError(t('auth.profile.form.errors.load', 'Failed to load profile.'))
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+  }, [t])
+
+  const fields = React.useMemo<CrudField[]>(() => [
+    { id: 'email', label: t('auth.profile.form.email', 'Email'), type: 'text', required: true },
+    {
+      id: 'password',
+      label: t('auth.profile.form.password', 'New password'),
+      type: 'text',
+      description: passwordDescription,
+    },
+    { id: 'confirmPassword', label: t('auth.profile.form.confirmPassword', 'Confirm new password'), type: 'text' },
+  ], [passwordDescription, t])
+
+  const schema = React.useMemo(() => {
+    const passwordSchema = buildPasswordSchema({
+      policy: passwordPolicy,
+      message: t('auth.profile.form.errors.passwordRequirements', 'Password must meet the requirements.'),
+    })
+    const optionalPasswordSchema = z.union([z.literal(''), passwordSchema]).optional()
+    return z.object({
+      email: z.string().trim().min(1, t('auth.profile.form.errors.emailRequired', 'Email is required.')),
+      password: optionalPasswordSchema,
+      confirmPassword: z.string().optional(),
+    }).superRefine((values, ctx) => {
+      const password = values.password?.trim() ?? ''
+      const confirmPassword = values.confirmPassword?.trim() ?? ''
+      if ((password || confirmPassword) && password !== confirmPassword) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: t('auth.profile.form.errors.passwordMismatch', 'Passwords do not match.'),
+          path: ['confirmPassword'],
+        })
+      }
+    })
+  }, [passwordPolicy, t])
+
+  const handleSubmit = React.useCallback(async (values: ProfileFormValues) => {
+    const nextEmail = values.email?.trim() ?? ''
+    const password = values.password?.trim() ?? ''
+
+    if (!password && nextEmail === email) {
+      throw createCrudFormError(t('auth.profile.form.errors.noChanges', 'No changes to save.'))
+    }
+
+    const payload: { email: string; password?: string } = { email: nextEmail }
+    if (password) payload.password = password
+
+    const result = await readApiResultOrThrow<ProfileUpdateResponse>(
+      '/api/auth/profile',
+      {
+        method: 'PUT',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(payload),
+      },
+      { errorMessage: t('auth.profile.form.errors.save', 'Failed to update profile.') },
+    )
+
+    const resolvedEmail = typeof result?.email === 'string' ? result.email : nextEmail
+    setEmail(resolvedEmail)
+    setFormKey((prev) => prev + 1)
+    flash(t('auth.profile.form.success', 'Profile updated.'), 'success')
+    router.refresh()
+  }, [email, router, t])
+
+  return (
+    <Page>
+      <PageBody>
+        {loading ? (
+          <LoadingMessage label={t('auth.profile.form.loading', 'Loading profile...')} />
+        ) : error ? (
+          <ErrorMessage label={error} />
+        ) : (
+          <section className="space-y-6 rounded-lg border bg-background p-6">
+            <header className="flex flex-col gap-4 sm:flex-row sm:items-start sm:justify-between">
+              <div className="space-y-1">
+                <h2 className="text-lg font-semibold">{t('auth.profile.title', 'Profile')}</h2>
+                <p className="text-sm text-muted-foreground">
+                  {t('auth.profile.subtitle', 'Change password')}
+                </p>
+              </div>
+              <Button type="submit" form={formId}>
+                <Save className="size-4 mr-2" />
+                {t('auth.profile.form.save', 'Save changes')}
+              </Button>
+            </header>
+            <CrudForm<ProfileFormValues>
+              key={formKey}
+              formId={formId}
+              schema={schema}
+              fields={fields}
+              initialValues={{
+                email,
+                password: '',
+                confirmPassword: '',
+              }}
+              submitLabel={t('auth.profile.form.save', 'Save changes')}
+              onSubmit={handleSubmit}
+              embedded
+              hideFooterActions
+            />
+          </section>
+        )}
+      </PageBody>
+    </Page>
+  )
+}

package/src/modules/auth/backend/roles/page.tsx

@@ -117,9 +117,9 @@ export default function RolesListPage() {
           onSearchChange={(v) => { setSearch(v); setPage(1) }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
-              { label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
-              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
+              { id: 'show-users', label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
+              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           sortable

package/src/modules/auth/backend/users/[id]/edit/page.tsx

@@ -12,6 +12,7 @@ import { TenantSelect } from '@open-mercato/core/modules/directory/components/Te
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
 import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type EditUserFormValues = {
   email: string
@@ -108,6 +109,16 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [customFieldValues, setCustomFieldValues] = React.useState<Record<string, unknown>>({})
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     if (!id) {
@@ -201,7 +212,12 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text' },
+      {
+        id: 'password',
+        label: t('auth.users.form.field.password', 'Password'),
+        type: 'text',
+        description: passwordDescription,
+      },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -251,7 +267,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, preloadedTenants, selectedOrgId, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, preloadedTenants, selectedOrgId, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']

package/src/modules/auth/backend/users/create/page.tsx

@@ -11,6 +11,7 @@ import { TenantSelect } from '@open-mercato/core/modules/directory/components/Te
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
+import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type CreateUserFormValues = {
   email: string
@@ -84,6 +85,16 @@ export default function CreateUserPage() {
   const [selectedWidgets, setSelectedWidgets] = React.useState<string[]>([])
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
+  const passwordRequirements = React.useMemo(
+    () => formatPasswordRequirements(passwordPolicy, t),
+    [passwordPolicy, t],
+  )
+  const passwordDescription = React.useMemo(() => (
+    passwordRequirements
+      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
+      : undefined
+  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     let cancelled = false
@@ -156,7 +167,13 @@ export default function CreateUserPage() {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text', required: true },
+      {
+        id: 'password',
+        label: t('auth.users.form.field.password', 'Password'),
+        type: 'text',
+        required: true,
+        description: passwordDescription,
+      },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -203,7 +220,7 @@ export default function CreateUserPage() {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']

package/src/modules/auth/backend/users/page.tsx

@@ -383,9 +383,9 @@ export default function UsersListPage() {
           perspective={{ tableId: 'auth.users.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
-              { label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
-              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
+              { id: 'show-roles', label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
+              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 50, total, totalPages, onPageChange: setPage }}

package/src/modules/auth/cli.ts

@@ -16,6 +16,7 @@ import { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { env } from 'process'
 import type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'
 import crypto from 'node:crypto'
+import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 const addUser: ModuleCli = {
   command: 'add-user',
@@ -34,6 +35,7 @@ const addUser: ModuleCli = {
       console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any
     const org =
@@ -102,6 +104,16 @@ function hashSecret(value: string | null | undefined): string | null {
   return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)
 }
 
+function ensurePasswordPolicy(password: string): boolean {
+  const policy = getPasswordPolicy()
+  const result = validatePassword(password, policy)
+  if (result.ok) return true
+  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)
+  const suffix = requirements ? `: ${requirements}` : ''
+  console.error(`Password does not meet the requirements${suffix}.`)
+  return false
+}
+
 async function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {
   const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG
   process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'
@@ -406,6 +418,7 @@ const setupApp: ModuleCli = {
       console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     const { resolve } = await createRequestContainer()
     const em = resolve<EntityManager>('em')
     const roleNames = rolesCsv
@@ -595,6 +608,7 @@ const setPassword: ModuleCli = {
       console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')
       return
     }
+    if (!ensurePasswordPolicy(password)) return
     
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any

package/src/modules/auth/commands/users.ts

@@ -27,6 +27,10 @@ import {
 import { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type SerializedUser = {
   email: string
@@ -63,9 +67,11 @@ type UserSnapshots = {
   undo: UserUndoSnapshot
 }
 
+const passwordSchema = buildPasswordSchema()
+
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -73,7 +79,7 @@ const createSchema = z.object({
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })
@@ -105,6 +111,46 @@ export const userCrudIndexer: CrudIndexerConfig = {
   }),
 }
 
+async function notifyRoleChanges(
+  ctx: CommandRuntimeContext,
+  user: User,
+  assignedRoles: string[],
+  revokedRoles: string[],
+): Promise<void> {
+  const tenantId = user.tenantId ? String(user.tenantId) : null
+  if (!tenantId) return
+  const organizationId = user.organizationId ? String(user.organizationId) : null
+
+  try {
+    const notificationService = resolveNotificationService(ctx.container)
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.users.roles] Failed to create notification:', err)
+  }
+}
+
 const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
   id: 'auth.users.create',
   async execute(rawInput, ctx) {
@@ -147,8 +193,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       throw error
     }
 
+    let assignedRoles: string[] = []
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId)
+      assignedRoles = await loadUserRoleNames(em, String(user.id))
     }
 
     await setCustomFieldsIfAny({
@@ -173,6 +221,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, [])
+    }
+
     return user
   },
   captureAfter: async (_input, result, ctx) => {
@@ -288,6 +340,9 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)
     const em = (ctx.container.resolve('em') as EntityManager)
+    const rolesBefore = Array.isArray(parsed.roles)
+      ? await loadUserRoleNames(em, parsed.id)
+      : null
 
     if (parsed.email !== undefined) {
       const emailHash = computeEmailHash(parsed.email)
@@ -377,6 +432,14 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id))
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked)
+      }
+    }
+
     await invalidateUserCache(ctx, parsed.id)
 
     return user
@@ -772,6 +835,14 @@ async function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {
   }
 }
 
+function diffRoleChanges(before: string[], after: string[]) {
+  const beforeSet = new Set(before)
+  const afterSet = new Set(after)
+  const assigned = after.filter((role) => !beforeSet.has(role))
+  const revoked = before.filter((role) => !afterSet.has(role))
+  return { assigned, revoked }
+}
+
 function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   if (!left) return false
   if (left.length !== right.length) return false

package/src/modules/auth/data/validators.ts

@@ -1,4 +1,7 @@
 import { z } from 'zod'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
+
+const passwordSchema = buildPasswordSchema()
 
 // Core auth validators
 export const userLoginSchema = z.object({
@@ -13,7 +16,7 @@ export const requestPasswordResetSchema = z.object({
 
 export const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6),
+  password: passwordSchema,
 })
 
 export const sidebarPreferencesInputSchema = z.object({
@@ -29,7 +32,7 @@ export const sidebarPreferencesInputSchema = z.object({
 // Optional helpers for CLI or admin forms
 export const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional(),