@open-mercato/core 0.4.2-canary-19353c5970 → 0.4.2-canary-19703ca707

package/src/modules/auth/api/__tests__/login.test.ts

@@ -15,6 +15,8 @@ jest.mock('@open-mercato/shared/lib/di/container', () => ({
   createRequestContainer: async () => ({
     resolve: (_: string) => ({
       findUserByEmail: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
+      findUsersByEmail: async (email: string) => ([{ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }]),
+      findUserByEmailAndTenant: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
       verifyPassword: async () => true,
       getUserRoles: async (_user: any, _tenant: string | null | undefined) => ['admin'],
       updateLastLoginAt: async () => undefined,

package/src/modules/auth/api/login.ts

@@ -17,15 +17,33 @@ export async function POST(req: Request) {
   const email = String(form.get('email') ?? '')
   const password = String(form.get('password') ?? '')
   const remember = parseBooleanToken(form.get('remember')?.toString()) === true
+  const tenantIdRaw = String(form.get('tenantId') ?? form.get('tenant') ?? '').trim()
   const requireRoleRaw = (String(form.get('requireRole') ?? form.get('role') ?? '')).trim()
   const requiredRoles = requireRoleRaw ? requireRoleRaw.split(',').map((s) => s.trim()).filter(Boolean) : []
-  const parsed = userLoginSchema.pick({ email: true, password: true }).safeParse({ email, password })
+  const parsed = userLoginSchema.pick({ email: true, password: true, tenantId: true }).safeParse({
+    email,
+    password,
+    tenantId: tenantIdRaw || undefined,
+  })
   if (!parsed.success) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid credentials') }, { status: 400 })
   }
   const container = await createRequestContainer()
   const auth = (container.resolve('authService') as AuthService)
-  const user = await auth.findUserByEmail(parsed.data.email)
+  const tenantId = parsed.data.tenantId ?? null
+  let user = null
+  if (tenantId) {
+    user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
+  } else {
+    const users = await auth.findUsersByEmail(parsed.data.email)
+    if (users.length > 1) {
+      return NextResponse.json({
+        ok: false,
+        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
+      }, { status: 400 })
+    }
+    user = users[0] ?? null
+  }
   if (!user || !user.passwordHash) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
@@ -35,26 +53,27 @@ export async function POST(req: Request) {
   }
   // Optional role requirement
   if (requiredRoles.length) {
-    const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
+    const userRoleNames = await auth.getUserRoles(user, tenantId ?? (user.tenantId ? String(user.tenantId) : null))
     const authorized = requiredRoles.some(r => userRoleNames.includes(r))
     if (!authorized) {
       return NextResponse.json({ ok: false, error: translate('auth.login.errors.permissionDenied', 'Not authorized for this area') }, { status: 403 })
     }
   }
   await auth.updateLastLoginAt(user)
-  const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
+  const resolvedTenantId = tenantId ?? (user.tenantId ? String(user.tenantId) : null)
+  const userRoleNames = await auth.getUserRoles(user, resolvedTenantId)
   try {
     const eventBus = (container.resolve('eventBus') as EventBus)
     void eventBus.emitEvent('query_index.coverage.warmup', {
-      tenantId: user.tenantId ? String(user.tenantId) : null,
+      tenantId: resolvedTenantId,
     }).catch(() => undefined)
   } catch {
     // optional warmup
   }
   const token = signJwt({ 
     sub: String(user.id), 
-    tenantId: user.tenantId ? String(user.tenantId) : null, 
-    orgId: user.organizationId ? String(user.organizationId) : null, 
+    tenantId: resolvedTenantId, 
+    orgId: user.organizationId ? String(user.organizationId) : null,
     email: user.email, 
     roles: userRoleNames 
   })

package/src/modules/auth/data/validators.ts

@@ -8,6 +8,7 @@ export const userLoginSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
   requireRole: z.string().optional(),
+  tenantId: z.string().uuid().optional(),
 })
 
 export const requestPasswordResetSchema = z.object({

package/src/modules/auth/frontend/login.tsx

@@ -1,14 +1,39 @@
 "use client"
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
 import Image from 'next/image'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@open-mercato/ui/primitives/card'
+import { Card, CardContent, CardHeader, CardDescription } from '@open-mercato/ui/primitives/card'
 import { Input } from '@open-mercato/ui/primitives/input'
 import { Label } from '@open-mercato/ui/primitives/label'
+import { Button } from '@open-mercato/ui/primitives/button'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'
 import { clearAllOperations } from '@open-mercato/ui/backend/operations/store'
+import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+
+const loginTenantKey = 'om_login_tenant'
+const loginTenantCookieMaxAge = 60 * 60 * 24 * 14
+
+function readTenantCookie() {
+  if (typeof document === 'undefined') return null
+  const entries = document.cookie.split(';')
+  for (const entry of entries) {
+    const [name, ...rest] = entry.trim().split('=')
+    if (name === loginTenantKey) return decodeURIComponent(rest.join('='))
+  }
+  return null
+}
+
+function setTenantCookie(value: string) {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`
+}
+
+function clearTenantCookie() {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`
+}
 
 function extractErrorMessage(payload: unknown): string | null {
   if (!payload) return null
@@ -56,6 +81,68 @@ export default function LoginPage() {
   const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature))
   const [error, setError] = useState<string | null>(null)
   const [submitting, setSubmitting] = useState(false)
+  const [tenantId, setTenantId] = useState<string | null>(null)
+  const [tenantName, setTenantName] = useState<string | null>(null)
+  const [tenantLoading, setTenantLoading] = useState(false)
+
+  useEffect(() => {
+    const tenantParam = (searchParams.get('tenant') || '').trim()
+    if (tenantParam) {
+      setTenantId(tenantParam)
+      window.localStorage.setItem(loginTenantKey, tenantParam)
+      setTenantCookie(tenantParam)
+      return
+    }
+    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie()
+    if (storedTenant) {
+      setTenantId(storedTenant)
+    }
+  }, [searchParams])
+
+  useEffect(() => {
+    if (!tenantId) {
+      setTenantName(null)
+      return
+    }
+    let active = true
+    setTenantLoading(true)
+    apiCall<{ ok: boolean; tenant?: { id: string; name: string }; error?: string }>(
+      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`,
+    )
+      .then(({ result }) => {
+        if (!active) return
+        if (result?.ok && result.tenant) {
+          setTenantName(result.tenant.name)
+          return
+        }
+        const message = translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')
+        setTenantName(null)
+        setError(message)
+      })
+      .catch(() => {
+        if (!active) return
+        setTenantName(null)
+        setError(translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.'))
+      })
+      .finally(() => {
+        if (active) setTenantLoading(false)
+      })
+    return () => {
+      active = false
+    }
+  }, [tenantId, translate])
+
+  function handleClearTenant() {
+    window.localStorage.removeItem(loginTenantKey)
+    clearTenantCookie()
+    setTenantId(null)
+    setTenantName(null)
+    const params = new URLSearchParams(searchParams)
+    params.delete('tenant')
+    setError(null)
+    const query = params.toString()
+    router.replace(query ? `/login?${query}` : '/login')
+  }
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {
     e.preventDefault()
@@ -141,6 +228,9 @@ export default function LoginPage() {
         </CardHeader>
         <CardContent>
           <form className="grid gap-3" onSubmit={onSubmit} noValidate>
+            {tenantId ? (
+              <input type="hidden" name="tenantId" value={tenantId} />
+            ) : null}
             {!!translatedRoles.length && (
               <div className="rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900">
                 {translate(
@@ -159,6 +249,20 @@ export default function LoginPage() {
                 })}
               </div>
             )}
+            {tenantId && (
+              <div className="rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900">
+                <div className="font-medium">
+                  {tenantLoading
+                    ? translate('auth.login.tenantLoading', 'Loading tenant details...')
+                    : translate('auth.login.tenantBanner', "You're logging in to {tenant} tenant.", {
+                        tenant: tenantName || tenantId,
+                      })}
+                </div>
+                <Button type="button" variant="ghost" size="sm" className="mt-2 text-emerald-900" onClick={handleClearTenant}>
+                  {translate('auth.login.tenantClear', 'Clear')}
+                </Button>
+              </div>
+            )}
             {error && (
               <div className="rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700" role="alert" aria-live="polite">
                 {error}

package/src/modules/auth/i18n/de.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Verwalte die Authentifizierungseinstellungen.",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
+  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
+  "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
   "auth.login.errors.generic": "Es ist ein Fehler aufgetreten. Bitte versuche es erneut.",
   "auth.login.logoAlt": "Open Mercato Logo",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Für den Zugriff ist die folgende Rolle erforderlich: {roles}",
   "auth.login.requireRolesMessage": "Für den Zugriff ist eine der folgenden Rollen erforderlich: {roles}",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
+  "auth.login.tenantBanner": "Du meldest dich beim Tenant {tenant} an.",
+  "auth.login.tenantLoading": "Tenant-Daten werden geladen...",
+  "auth.login.tenantClear": "Zurücksetzen",
   "auth.login.rememberMe": "Angemeldet bleiben",
   "auth.login.loading": "Wird geladen ...",
   "auth.login.forgotPassword": "Passwort vergessen?",

package/src/modules/auth/i18n/en.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Manage authentication settings.",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
   "auth.login.errors.invalidCredentials": "Invalid email or password",
+  "auth.login.errors.tenantRequired": "Use the login link provided with your tenant activation to continue.",
+  "auth.login.errors.tenantInvalid": "Tenant not found. Clear the tenant selection and try again.",
   "auth.login.errors.generic": "An error occurred. Please try again.",
   "auth.login.logoAlt": "Open Mercato logo",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Access requires role: {roles}",
   "auth.login.requireRolesMessage": "Access requires one of the following roles: {roles}",
   "auth.login.featureDenied": "You don't have access to this feature ({feature}). Please contact your administrator.",
+  "auth.login.tenantBanner": "You're logging in to {tenant} tenant.",
+  "auth.login.tenantLoading": "Loading tenant details...",
+  "auth.login.tenantClear": "Clear",
   "auth.login.rememberMe": "Remember me",
   "auth.login.loading": "Loading...",
   "auth.login.forgotPassword": "Forgot password?",

package/src/modules/auth/i18n/es.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Administra la configuración de autenticación.",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
+  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
+  "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
   "auth.login.errors.generic": "Se produjo un error. Inténtalo de nuevo.",
   "auth.login.logoAlt": "Logotipo de Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "El acceso requiere el rol: {roles}",
   "auth.login.requireRolesMessage": "El acceso requiere uno de los siguientes roles: {roles}",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
+  "auth.login.tenantBanner": "Estás iniciando sesión en el inquilino {tenant}.",
+  "auth.login.tenantLoading": "Cargando detalles del inquilino...",
+  "auth.login.tenantClear": "Borrar",
   "auth.login.rememberMe": "Recordarme",
   "auth.login.loading": "Cargando...",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",

package/src/modules/auth/i18n/pl.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Zarządzaj ustawieniami uwierzytelniania.",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
+  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
+  "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
   "auth.login.errors.generic": "Wystąpił błąd. Spróbuj ponownie.",
   "auth.login.logoAlt": "Logo Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Dostęp wymaga roli: {roles}",
   "auth.login.requireRolesMessage": "Dostęp wymaga jednej z następujących ról: {roles}",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
+  "auth.login.tenantBanner": "Logujesz się do najemcy {tenant}.",
+  "auth.login.tenantLoading": "Ładowanie szczegółów najemcy...",
+  "auth.login.tenantClear": "Wyczyść",
   "auth.login.rememberMe": "Zapamiętaj mnie",
   "auth.login.loading": "Ładowanie...",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",

package/src/modules/auth/lib/setup-app.ts

@@ -16,6 +16,7 @@ import { DEFAULT_ENCRYPTION_MAPS } from '@open-mercato/core/modules/entities/lib
 import { createKmsService } from '@open-mercato/shared/lib/encryption/kms'
 import { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const DEFAULT_ROLE_NAMES = ['employee', 'admin', 'superadmin'] as const
 const DEMO_SUPERADMIN_EMAIL = 'superadmin@acme.com'
@@ -175,20 +176,28 @@ export async function setupInitialTenant(
   })
 
   if (!existingUser) {
-    const baseUsers: Array<{ email: string; roles: string[]; name?: string | null }> = [
+    const baseUsers: Array<{
+      email: string
+      roles: string[]
+      name?: string | null
+      passwordHash?: string | null
+    }> = [
       { email: primaryUser.email, roles: primaryRoles, name: resolvePrimaryName(primaryUser) },
     ]
     if (includeDerivedUsers) {
-      const [local, domain] = String(primaryUser.email).split('@')
-      const isSuperadminLocal = (local || '').toLowerCase() === 'superadmin' && !!domain
-      if (isSuperadminLocal) {
-        const adminOverride = readEnvValue(DERIVED_EMAIL_ENV.admin)
-        const employeeOverride = readEnvValue(DERIVED_EMAIL_ENV.employee)
-        const adminEmail = adminOverride ?? `admin@${domain}`
-        const employeeEmail = employeeOverride ?? `employee@${domain}`
-        addUniqueBaseUser(baseUsers, { email: adminEmail, roles: ['admin'] })
-        addUniqueBaseUser(baseUsers, { email: employeeEmail, roles: ['employee'] })
-      }
+      const [, domain] = String(primaryUser.email).split('@')
+      const adminOverride = readEnvValue(DERIVED_EMAIL_ENV.admin)
+      const employeeOverride = readEnvValue(DERIVED_EMAIL_ENV.employee)
+      const adminEmail = adminOverride ?? (domain ? `admin@${domain}` : '')
+      const employeeEmail = employeeOverride ?? (domain ? `employee@${domain}` : '')
+      const adminPassword = readEnvValue('OM_INIT_ADMIN_PASSWORD')
+      const employeePassword = readEnvValue('OM_INIT_EMPLOYEE_PASSWORD')
+      const adminPasswordHash = adminPassword ? await resolvePasswordHash({ email: adminEmail, password: adminPassword }) : null
+      const employeePasswordHash = employeePassword
+        ? await resolvePasswordHash({ email: employeeEmail, password: employeePassword })
+        : null
+      addUniqueBaseUser(baseUsers, { email: adminEmail, roles: ['admin'], passwordHash: adminPasswordHash })
+      addUniqueBaseUser(baseUsers, { email: employeeEmail, roles: ['employee'], passwordHash: employeePasswordHash })
     }
     const passwordHash = await resolvePasswordHash(primaryUser)
 
@@ -280,13 +289,14 @@ export async function setupInitialTenant(
       }
 
       for (const base of baseUsers) {
+        const resolvedPasswordHash = base.passwordHash ?? passwordHash
         let user = await tem.findOne(User, { email: base.email })
         const confirm = primaryUser.confirm ?? true
         const encryptedPayload = encryptionService
           ? await encryptionService.encryptEntityPayload('auth:user', { email: base.email }, tenantId, organizationId)
           : { email: base.email, emailHash: computeEmailHash(base.email) }
         if (user) {
-          user.passwordHash = passwordHash
+          user.passwordHash = resolvedPasswordHash
           user.organizationId = organizationId
           user.tenantId = tenantId
           if (isTenantDataEncryptionEnabled()) {
@@ -301,7 +311,7 @@ export async function setupInitialTenant(
           user = tem.create(User, {
             email: (encryptedPayload as any).email ?? base.email,
             emailHash: isTenantDataEncryptionEnabled() ? (encryptedPayload as any).emailHash ?? computeEmailHash(base.email) : undefined,
-            passwordHash,
+            passwordHash: resolvedPasswordHash,
             organizationId,
             tenantId,
             name: base.name ?? undefined,
@@ -357,8 +367,8 @@ function readEnvValue(key: string): string | undefined {
 }
 
 function addUniqueBaseUser(
-  baseUsers: Array<{ email: string; roles: string[]; name?: string | null }>,
-  entry: { email: string; roles: string[]; name?: string | null },
+  baseUsers: Array<{ email: string; roles: string[]; name?: string | null; passwordHash?: string | null }>,
+  entry: { email: string; roles: string[]; name?: string | null; passwordHash?: string | null },
 ) {
   if (!entry.email) return
   const normalized = entry.email.toLowerCase()
@@ -366,6 +376,17 @@ function addUniqueBaseUser(
   baseUsers.push(entry)
 }
 
+function isDemoModeEnabled(): boolean {
+  const parsed = parseBooleanToken(process.env.DEMO_MODE ?? '')
+  return parsed === false ? false : true
+}
+
+function shouldKeepDemoSuperadminDuringInit(): boolean {
+  if (process.env.OM_INIT_FLOW !== 'true') return false
+  if (!readEnvValue('OM_INIT_SUPERADMIN_EMAIL')) return false
+  return isDemoModeEnabled()
+}
+
 async function resolvePasswordHash(input: PrimaryUserInput): Promise<string | null> {
   if (typeof input.hashedPassword === 'string') return input.hashedPassword
   if (input.password) return hash(input.password, 10)
@@ -514,6 +535,7 @@ async function ensureRoleAclFor(
 
 async function deactivateDemoSuperAdminIfSelfOnboardingEnabled(em: EntityManager) {
   if (process.env.SELF_SERVICE_ONBOARDING_ENABLED !== 'true') return
+  if (shouldKeepDemoSuperadminDuringInit()) return
   try {
     const user = await em.findOne(User, { email: DEMO_SUPERADMIN_EMAIL })
     if (!user) return

package/src/modules/auth/services/authService.ts

@@ -18,6 +18,29 @@ export class AuthService {
     } as any)
   }
 
+  async findUsersByEmail(email: string) {
+    const emailHash = computeEmailHash(email)
+    return this.em.find(User, {
+      deletedAt: null,
+      $or: [
+        { email },
+        { emailHash },
+      ],
+    } as any)
+  }
+
+  async findUserByEmailAndTenant(email: string, tenantId: string) {
+    const emailHash = computeEmailHash(email)
+    return this.em.findOne(User, {
+      tenantId,
+      deletedAt: null,
+      $or: [
+        { email },
+        { emailHash },
+      ],
+    } as any)
+  }
+
   async verifyPassword(user: User, password: string) {
     if (!user.passwordHash) return false
     return compare(password, user.passwordHash)

package/src/modules/business_rules/cli.ts

@@ -44,6 +44,7 @@ const seedGuardRules: ModuleCli = {
       const rulesPath = path.join(__dirname, '../workflows/examples', 'guard-rules-example.json')
       const rulesData = JSON.parse(fs.readFileSync(rulesPath, 'utf8'))
 
+      console.log('🧠 Seeding guard rules...')
       let seededCount = 0
       let skippedCount = 0
 
@@ -73,7 +74,7 @@ const seedGuardRules: ModuleCli = {
         seededCount++
       }
 
-      console.log(`\n✓ Guard rules seeding complete:`)
+      console.log(`\n✅ Guard rules seeding complete:`)
       console.log(`  - Seeded: ${seededCount}`)
       console.log(`  - Skipped (existing): ${skippedCount}`)
       console.log(`  - Total: ${rulesData.length}`)

package/src/modules/directory/api/get/tenants/lookup.ts

@@ -0,0 +1,73 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Tenant } from '@open-mercato/core/modules/directory/data/entities'
+import type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+
+export const metadata = {
+  GET: {
+    requireAuth: false,
+  },
+}
+
+const tenantLookupQuerySchema = z.object({
+  tenantId: z.string().uuid(),
+})
+
+export async function GET(req: Request) {
+  const url = new URL(req.url)
+  const tenantId = url.searchParams.get('tenantId') || url.searchParams.get('tenant') || ''
+  const parsed = tenantLookupQuerySchema.safeParse({ tenantId })
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: 'Invalid tenant id.' }, { status: 400 })
+  }
+
+  const container = await createRequestContainer()
+  const em = (container.resolve('em') as EntityManager)
+  const tenant = await em.findOne(Tenant, { id: parsed.data.tenantId, deletedAt: null })
+  if (!tenant) {
+    return NextResponse.json({ ok: false, error: 'Tenant not found.' }, { status: 404 })
+  }
+  return NextResponse.json({
+    ok: true,
+    tenant: { id: String(tenant.id), name: tenant.name },
+  })
+}
+
+const lookupTag = 'Directory'
+
+const tenantLookupSuccessSchema = z.object({
+  ok: z.literal(true),
+  tenant: z.object({
+    id: z.string().uuid(),
+    name: z.string(),
+  }),
+})
+
+const tenantLookupErrorSchema = z.object({
+  ok: z.literal(false),
+  error: z.string(),
+})
+
+const tenantLookupDoc: OpenApiMethodDoc = {
+  summary: 'Public tenant lookup',
+  description: 'Resolves tenant metadata for login/activation flows.',
+  tags: [lookupTag],
+  query: tenantLookupQuerySchema,
+  responses: [
+    { status: 200, description: 'Tenant resolved.', schema: tenantLookupSuccessSchema },
+  ],
+  errors: [
+    { status: 400, description: 'Invalid tenant id', schema: tenantLookupErrorSchema },
+    { status: 404, description: 'Tenant not found', schema: tenantLookupErrorSchema },
+  ],
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: lookupTag,
+  summary: 'Public tenant lookup',
+  methods: {
+    GET: tenantLookupDoc,
+  },
+}

package/src/modules/workflows/cli.ts

@@ -56,7 +56,7 @@ const seedDemo: ModuleCli = {
       })
 
       if (existing) {
-        console.log(`✓ Demo workflow '${demoData.workflowId}' already exists (ID: ${existing.id})`)
+        console.log(`ℹ️  Demo workflow '${demoData.workflowId}' already exists (ID: ${existing.id})`)
         return
       }
 
@@ -69,7 +69,7 @@ const seedDemo: ModuleCli = {
 
       await em.persistAndFlush(workflow)
 
-      console.log(`✓ Seeded demo workflow: ${workflow.workflowName}`)
+      console.log(`✅ Seeded demo workflow: ${workflow.workflowName}`)
       console.log(`  - ID: ${workflow.id}`)
       console.log(`  - Workflow ID: ${workflow.workflowId}`)
       console.log(`  - Version: ${workflow.version}`)
@@ -107,15 +107,15 @@ const seedDemoWithRules: ModuleCli = {
       return
     }
 
-    console.log('Seeding demo workflow with guard rules...\n')
+      console.log('🧩 Seeding demo workflow with guard rules...\n')
 
     try {
       // Seed the workflow definition
-      console.log('1. Seeding demo workflow...')
+      console.log('1. 🧩 Seeding demo workflow...')
       await seedDemo.run(rest)
 
       // Seed the guard rules
-      console.log('\n2. Seeding guard rules...')
+      console.log('\n2. 🧠 Seeding guard rules...')
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
 
@@ -153,7 +153,7 @@ const seedDemoWithRules: ModuleCli = {
         seededCount++
       }
 
-      console.log(`\n✓ Demo workflow with guard rules seeded successfully!`)
+      console.log(`\n✅ Demo workflow with guard rules seeded successfully!`)
       console.log(`  - Workflow: checkout_simple_v1`)
       console.log(`  - Guard rules seeded: ${seededCount}`)
       console.log(`  - Guard rules skipped: ${skippedCount}`)
@@ -195,7 +195,7 @@ const seedSalesPipeline: ModuleCli = {
       })
 
       if (existing) {
-        console.log(`✓ Sales pipeline workflow '${pipelineData.workflowId}' already exists (ID: ${existing.id})`)
+        console.log(`ℹ️  Sales pipeline workflow '${pipelineData.workflowId}' already exists (ID: ${existing.id})`)
         return
       }
 
@@ -208,7 +208,7 @@ const seedSalesPipeline: ModuleCli = {
 
       await em.persistAndFlush(workflow)
 
-      console.log(`✓ Seeded sales pipeline workflow: ${workflow.workflowName}`)
+      console.log(`✅ Seeded sales pipeline workflow: ${workflow.workflowName}`)
       console.log(`  - ID: ${workflow.id}`)
       console.log(`  - Workflow ID: ${workflow.workflowId}`)
       console.log(`  - Version: ${workflow.version}`)
@@ -255,7 +255,7 @@ const seedSimpleApproval: ModuleCli = {
       })
 
       if (existing) {
-        console.log(`✓ Simple approval workflow '${approvalData.workflowId}' already exists (ID: ${existing.id})`)
+        console.log(`ℹ️  Simple approval workflow '${approvalData.workflowId}' already exists (ID: ${existing.id})`)
         return
       }
 
@@ -268,7 +268,7 @@ const seedSimpleApproval: ModuleCli = {
 
       await em.persistAndFlush(workflow)
 
-      console.log(`✓ Seeded simple approval workflow: ${workflow.workflowName}`)
+      console.log(`✅ Seeded simple approval workflow: ${workflow.workflowName}`)
       console.log(`  - ID: ${workflow.id}`)
       console.log(`  - Workflow ID: ${workflow.workflowId}`)
       console.log(`  - Version: ${workflow.version}`)
@@ -351,7 +351,7 @@ const seedAll: ModuleCli = {
       return
     }
 
-    console.log('Seeding all example workflows...\n')
+    console.log('🧩 Seeding all example workflows...\n')
 
     try {
       // Seed demo checkout with rules
@@ -366,7 +366,7 @@ const seedAll: ModuleCli = {
       await seedSimpleApproval.run(rest)
       console.log('')
 
-      console.log('✓ All example workflows seeded successfully!')
+      console.log('✅ All example workflows seeded successfully!')
     } catch (error) {
       console.error('Error seeding workflows:', error)
       throw error