@open-mercato/core 0.4.2-canary-19353c5970 → 0.4.2-canary-ad4e7882e9

package/src/modules/auth/frontend/login.tsx

@@ -1,14 +1,39 @@
 "use client"
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
 import Image from 'next/image'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@open-mercato/ui/primitives/card'
+import { Card, CardContent, CardHeader, CardDescription } from '@open-mercato/ui/primitives/card'
 import { Input } from '@open-mercato/ui/primitives/input'
 import { Label } from '@open-mercato/ui/primitives/label'
+import { Button } from '@open-mercato/ui/primitives/button'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'
 import { clearAllOperations } from '@open-mercato/ui/backend/operations/store'
+import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+
+const loginTenantKey = 'om_login_tenant'
+const loginTenantCookieMaxAge = 60 * 60 * 24 * 14
+
+function readTenantCookie() {
+  if (typeof document === 'undefined') return null
+  const entries = document.cookie.split(';')
+  for (const entry of entries) {
+    const [name, ...rest] = entry.trim().split('=')
+    if (name === loginTenantKey) return decodeURIComponent(rest.join('='))
+  }
+  return null
+}
+
+function setTenantCookie(value: string) {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`
+}
+
+function clearTenantCookie() {
+  if (typeof document === 'undefined') return
+  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`
+}
 
 function extractErrorMessage(payload: unknown): string | null {
   if (!payload) return null
@@ -56,6 +81,68 @@ export default function LoginPage() {
   const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature))
   const [error, setError] = useState<string | null>(null)
   const [submitting, setSubmitting] = useState(false)
+  const [tenantId, setTenantId] = useState<string | null>(null)
+  const [tenantName, setTenantName] = useState<string | null>(null)
+  const [tenantLoading, setTenantLoading] = useState(false)
+
+  useEffect(() => {
+    const tenantParam = (searchParams.get('tenant') || '').trim()
+    if (tenantParam) {
+      setTenantId(tenantParam)
+      window.localStorage.setItem(loginTenantKey, tenantParam)
+      setTenantCookie(tenantParam)
+      return
+    }
+    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie()
+    if (storedTenant) {
+      setTenantId(storedTenant)
+    }
+  }, [searchParams])
+
+  useEffect(() => {
+    if (!tenantId) {
+      setTenantName(null)
+      return
+    }
+    let active = true
+    setTenantLoading(true)
+    apiCall<{ ok: boolean; tenant?: { id: string; name: string }; error?: string }>(
+      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`,
+    )
+      .then(({ result }) => {
+        if (!active) return
+        if (result?.ok && result.tenant) {
+          setTenantName(result.tenant.name)
+          return
+        }
+        const message = translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')
+        setTenantName(null)
+        setError(message)
+      })
+      .catch(() => {
+        if (!active) return
+        setTenantName(null)
+        setError(translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.'))
+      })
+      .finally(() => {
+        if (active) setTenantLoading(false)
+      })
+    return () => {
+      active = false
+    }
+  }, [tenantId, translate])
+
+  function handleClearTenant() {
+    window.localStorage.removeItem(loginTenantKey)
+    clearTenantCookie()
+    setTenantId(null)
+    setTenantName(null)
+    const params = new URLSearchParams(searchParams)
+    params.delete('tenant')
+    setError(null)
+    const query = params.toString()
+    router.replace(query ? `/login?${query}` : '/login')
+  }
 
   async function onSubmit(e: React.FormEvent<HTMLFormElement>) {
     e.preventDefault()
@@ -141,6 +228,9 @@ export default function LoginPage() {
         </CardHeader>
         <CardContent>
           <form className="grid gap-3" onSubmit={onSubmit} noValidate>
+            {tenantId ? (
+              <input type="hidden" name="tenantId" value={tenantId} />
+            ) : null}
             {!!translatedRoles.length && (
               <div className="rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900">
                 {translate(
@@ -159,6 +249,20 @@ export default function LoginPage() {
                 })}
               </div>
             )}
+            {tenantId && (
+              <div className="rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900">
+                <div className="font-medium">
+                  {tenantLoading
+                    ? translate('auth.login.tenantLoading', 'Loading tenant details...')
+                    : translate('auth.login.tenantBanner', "You're logging in to {tenant} tenant.", {
+                        tenant: tenantName || tenantId,
+                      })}
+                </div>
+                <Button type="button" variant="ghost" size="sm" className="mt-2 text-emerald-900" onClick={handleClearTenant}>
+                  {translate('auth.login.tenantClear', 'Clear')}
+                </Button>
+              </div>
+            )}
             {error && (
               <div className="rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700" role="alert" aria-live="polite">
                 {error}

package/src/modules/auth/i18n/de.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Verwalte die Authentifizierungseinstellungen.",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
+  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
+  "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
   "auth.login.errors.generic": "Es ist ein Fehler aufgetreten. Bitte versuche es erneut.",
   "auth.login.logoAlt": "Open Mercato Logo",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Für den Zugriff ist die folgende Rolle erforderlich: {roles}",
   "auth.login.requireRolesMessage": "Für den Zugriff ist eine der folgenden Rollen erforderlich: {roles}",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
+  "auth.login.tenantBanner": "Du meldest dich beim Tenant {tenant} an.",
+  "auth.login.tenantLoading": "Tenant-Daten werden geladen...",
+  "auth.login.tenantClear": "Zurücksetzen",
   "auth.login.rememberMe": "Angemeldet bleiben",
   "auth.login.loading": "Wird geladen ...",
   "auth.login.forgotPassword": "Passwort vergessen?",

package/src/modules/auth/i18n/en.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Manage authentication settings.",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
   "auth.login.errors.invalidCredentials": "Invalid email or password",
+  "auth.login.errors.tenantRequired": "Use the login link provided with your tenant activation to continue.",
+  "auth.login.errors.tenantInvalid": "Tenant not found. Clear the tenant selection and try again.",
   "auth.login.errors.generic": "An error occurred. Please try again.",
   "auth.login.logoAlt": "Open Mercato logo",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Access requires role: {roles}",
   "auth.login.requireRolesMessage": "Access requires one of the following roles: {roles}",
   "auth.login.featureDenied": "You don't have access to this feature ({feature}). Please contact your administrator.",
+  "auth.login.tenantBanner": "You're logging in to {tenant} tenant.",
+  "auth.login.tenantLoading": "Loading tenant details...",
+  "auth.login.tenantClear": "Clear",
   "auth.login.rememberMe": "Remember me",
   "auth.login.loading": "Loading...",
   "auth.login.forgotPassword": "Forgot password?",

package/src/modules/auth/i18n/es.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Administra la configuración de autenticación.",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
+  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
+  "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
   "auth.login.errors.generic": "Se produjo un error. Inténtalo de nuevo.",
   "auth.login.logoAlt": "Logotipo de Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "El acceso requiere el rol: {roles}",
   "auth.login.requireRolesMessage": "El acceso requiere uno de los siguientes roles: {roles}",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
+  "auth.login.tenantBanner": "Estás iniciando sesión en el inquilino {tenant}.",
+  "auth.login.tenantLoading": "Cargando detalles del inquilino...",
+  "auth.login.tenantClear": "Borrar",
   "auth.login.rememberMe": "Recordarme",
   "auth.login.loading": "Cargando...",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",

package/src/modules/auth/i18n/pl.json

@@ -20,6 +20,8 @@
   "auth.manageAuthSettings": "Zarządzaj ustawieniami uwierzytelniania.",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
+  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
+  "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
   "auth.login.errors.generic": "Wystąpił błąd. Spróbuj ponownie.",
   "auth.login.logoAlt": "Logo Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -27,6 +29,9 @@
   "auth.login.requireRoleMessage": "Dostęp wymaga roli: {roles}",
   "auth.login.requireRolesMessage": "Dostęp wymaga jednej z następujących ról: {roles}",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
+  "auth.login.tenantBanner": "Logujesz się do najemcy {tenant}.",
+  "auth.login.tenantLoading": "Ładowanie szczegółów najemcy...",
+  "auth.login.tenantClear": "Wyczyść",
   "auth.login.rememberMe": "Zapamiętaj mnie",
   "auth.login.loading": "Ładowanie...",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",

package/src/modules/auth/lib/setup-app.ts

@@ -16,6 +16,7 @@ import { DEFAULT_ENCRYPTION_MAPS } from '@open-mercato/core/modules/entities/lib
 import { createKmsService } from '@open-mercato/shared/lib/encryption/kms'
 import { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const DEFAULT_ROLE_NAMES = ['employee', 'admin', 'superadmin'] as const
 const DEMO_SUPERADMIN_EMAIL = 'superadmin@acme.com'
@@ -175,20 +176,28 @@ export async function setupInitialTenant(
   })
 
   if (!existingUser) {
-    const baseUsers: Array<{ email: string; roles: string[]; name?: string | null }> = [
+    const baseUsers: Array<{
+      email: string
+      roles: string[]
+      name?: string | null
+      passwordHash?: string | null
+    }> = [
       { email: primaryUser.email, roles: primaryRoles, name: resolvePrimaryName(primaryUser) },
     ]
     if (includeDerivedUsers) {
-      const [local, domain] = String(primaryUser.email).split('@')
-      const isSuperadminLocal = (local || '').toLowerCase() === 'superadmin' && !!domain
-      if (isSuperadminLocal) {
-        const adminOverride = readEnvValue(DERIVED_EMAIL_ENV.admin)
-        const employeeOverride = readEnvValue(DERIVED_EMAIL_ENV.employee)
-        const adminEmail = adminOverride ?? `admin@${domain}`
-        const employeeEmail = employeeOverride ?? `employee@${domain}`
-        addUniqueBaseUser(baseUsers, { email: adminEmail, roles: ['admin'] })
-        addUniqueBaseUser(baseUsers, { email: employeeEmail, roles: ['employee'] })
-      }
+      const [, domain] = String(primaryUser.email).split('@')
+      const adminOverride = readEnvValue(DERIVED_EMAIL_ENV.admin)
+      const employeeOverride = readEnvValue(DERIVED_EMAIL_ENV.employee)
+      const adminEmail = adminOverride ?? (domain ? `admin@${domain}` : '')
+      const employeeEmail = employeeOverride ?? (domain ? `employee@${domain}` : '')
+      const adminPassword = readEnvValue('OM_INIT_ADMIN_PASSWORD')
+      const employeePassword = readEnvValue('OM_INIT_EMPLOYEE_PASSWORD')
+      const adminPasswordHash = adminPassword ? await resolvePasswordHash({ email: adminEmail, password: adminPassword }) : null
+      const employeePasswordHash = employeePassword
+        ? await resolvePasswordHash({ email: employeeEmail, password: employeePassword })
+        : null
+      addUniqueBaseUser(baseUsers, { email: adminEmail, roles: ['admin'], passwordHash: adminPasswordHash })
+      addUniqueBaseUser(baseUsers, { email: employeeEmail, roles: ['employee'], passwordHash: employeePasswordHash })
     }
     const passwordHash = await resolvePasswordHash(primaryUser)
 
@@ -280,13 +289,14 @@ export async function setupInitialTenant(
       }
 
       for (const base of baseUsers) {
+        const resolvedPasswordHash = base.passwordHash ?? passwordHash
         let user = await tem.findOne(User, { email: base.email })
         const confirm = primaryUser.confirm ?? true
         const encryptedPayload = encryptionService
           ? await encryptionService.encryptEntityPayload('auth:user', { email: base.email }, tenantId, organizationId)
           : { email: base.email, emailHash: computeEmailHash(base.email) }
         if (user) {
-          user.passwordHash = passwordHash
+          user.passwordHash = resolvedPasswordHash
           user.organizationId = organizationId
           user.tenantId = tenantId
           if (isTenantDataEncryptionEnabled()) {
@@ -301,7 +311,7 @@ export async function setupInitialTenant(
           user = tem.create(User, {
             email: (encryptedPayload as any).email ?? base.email,
             emailHash: isTenantDataEncryptionEnabled() ? (encryptedPayload as any).emailHash ?? computeEmailHash(base.email) : undefined,
-            passwordHash,
+            passwordHash: resolvedPasswordHash,
             organizationId,
             tenantId,
             name: base.name ?? undefined,
@@ -357,8 +367,8 @@ function readEnvValue(key: string): string | undefined {
 }
 
 function addUniqueBaseUser(
-  baseUsers: Array<{ email: string; roles: string[]; name?: string | null }>,
-  entry: { email: string; roles: string[]; name?: string | null },
+  baseUsers: Array<{ email: string; roles: string[]; name?: string | null; passwordHash?: string | null }>,
+  entry: { email: string; roles: string[]; name?: string | null; passwordHash?: string | null },
 ) {
   if (!entry.email) return
   const normalized = entry.email.toLowerCase()
@@ -366,6 +376,17 @@ function addUniqueBaseUser(
   baseUsers.push(entry)
 }
 
+function isDemoModeEnabled(): boolean {
+  const parsed = parseBooleanToken(process.env.DEMO_MODE ?? '')
+  return parsed === false ? false : true
+}
+
+function shouldKeepDemoSuperadminDuringInit(): boolean {
+  if (process.env.OM_INIT_FLOW !== 'true') return false
+  if (!readEnvValue('OM_INIT_SUPERADMIN_EMAIL')) return false
+  return isDemoModeEnabled()
+}
+
 async function resolvePasswordHash(input: PrimaryUserInput): Promise<string | null> {
   if (typeof input.hashedPassword === 'string') return input.hashedPassword
   if (input.password) return hash(input.password, 10)
@@ -514,6 +535,7 @@ async function ensureRoleAclFor(
 
 async function deactivateDemoSuperAdminIfSelfOnboardingEnabled(em: EntityManager) {
   if (process.env.SELF_SERVICE_ONBOARDING_ENABLED !== 'true') return
+  if (shouldKeepDemoSuperadminDuringInit()) return
   try {
     const user = await em.findOne(User, { email: DEMO_SUPERADMIN_EMAIL })
     if (!user) return

package/src/modules/auth/services/authService.ts

@@ -18,6 +18,29 @@ export class AuthService {
     } as any)
   }
 
+  async findUsersByEmail(email: string) {
+    const emailHash = computeEmailHash(email)
+    return this.em.find(User, {
+      deletedAt: null,
+      $or: [
+        { email },
+        { emailHash },
+      ],
+    } as any)
+  }
+
+  async findUserByEmailAndTenant(email: string, tenantId: string) {
+    const emailHash = computeEmailHash(email)
+    return this.em.findOne(User, {
+      tenantId,
+      deletedAt: null,
+      $or: [
+        { email },
+        { emailHash },
+      ],
+    } as any)
+  }
+
   async verifyPassword(user: User, password: string) {
     if (!user.passwordHash) return false
     return compare(password, user.passwordHash)

package/src/modules/business_rules/cli.ts

@@ -44,6 +44,7 @@ const seedGuardRules: ModuleCli = {
       const rulesPath = path.join(__dirname, '../workflows/examples', 'guard-rules-example.json')
       const rulesData = JSON.parse(fs.readFileSync(rulesPath, 'utf8'))
 
+      console.log('🧠 Seeding guard rules...')
       let seededCount = 0
       let skippedCount = 0
 
@@ -73,7 +74,7 @@ const seedGuardRules: ModuleCli = {
         seededCount++
       }
 
-      console.log(`\n✓ Guard rules seeding complete:`)
+      console.log(`\n✅ Guard rules seeding complete:`)
       console.log(`  - Seeded: ${seededCount}`)
       console.log(`  - Skipped (existing): ${skippedCount}`)
       console.log(`  - Total: ${rulesData.length}`)

package/src/modules/directory/api/get/tenants/lookup.ts

@@ -0,0 +1,75 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Tenant } from '@open-mercato/core/modules/directory/data/entities'
+import type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+
+export const metadata = {
+  GET: {
+    requireAuth: false,
+  },
+}
+
+const tenantLookupQuerySchema = z.object({
+  tenantId: z.string().uuid(),
+})
+
+export async function GET(req: Request) {
+  const url = new URL(req.url)
+  const tenantId = url.searchParams.get('tenantId') || url.searchParams.get('tenant') || ''
+  const parsed = tenantLookupQuerySchema.safeParse({ tenantId })
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: 'Invalid tenant id.' }, { status: 400 })
+  }
+
+  const container = await createRequestContainer()
+  const em = (container.resolve('em') as EntityManager)
+  const tenant = await em.findOne(Tenant, { id: parsed.data.tenantId, deletedAt: null })
+  if (!tenant) {
+    return NextResponse.json({ ok: false, error: 'Tenant not found.' }, { status: 404 })
+  }
+  return NextResponse.json({
+    ok: true,
+    tenant: { id: String(tenant.id), name: tenant.name },
+  })
+}
+
+const lookupTag = 'Directory'
+
+const tenantLookupSuccessSchema = z.object({
+  ok: z.literal(true),
+  tenant: z.object({
+    id: z.string().uuid(),
+    name: z.string(),
+  }),
+})
+
+const tenantLookupErrorSchema = z.object({
+  ok: z.literal(false),
+  error: z.string(),
+})
+
+const tenantLookupDoc: OpenApiMethodDoc = {
+  summary: 'Public tenant lookup',
+  description: 'Resolves tenant metadata for login/activation flows.',
+  tags: [lookupTag],
+  query: tenantLookupQuerySchema,
+  responses: [
+    { status: 200, description: 'Tenant resolved.', schema: tenantLookupSuccessSchema },
+  ],
+  errors: [
+    { status: 400, description: 'Invalid tenant id', schema: tenantLookupErrorSchema },
+    { status: 404, description: 'Tenant not found', schema: tenantLookupErrorSchema },
+  ],
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: lookupTag,
+  summary: 'Public tenant lookup',
+  methods: {
+    GET: tenantLookupDoc,
+  },
+}
+
+export default GET

package/src/modules/notifications/migrations/.snapshot-open-mercato.json

@@ -34,6 +34,42 @@
           "nullable": false,
           "mappedType": "text"
         },
+        "title_key": {
+          "name": "title_key",
+          "type": "text",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": true,
+          "mappedType": "text"
+        },
+        "body_key": {
+          "name": "body_key",
+          "type": "text",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": true,
+          "mappedType": "text"
+        },
+        "title_variables": {
+          "name": "title_variables",
+          "type": "jsonb",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": true,
+          "mappedType": "json"
+        },
+        "body_variables": {
+          "name": "body_variables",
+          "type": "jsonb",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": true,
+          "mappedType": "json"
+        },
         "title": {
           "name": "title",
           "type": "text",

package/src/modules/notifications/migrations/Migration20260129082610.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260129082610 extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "notifications" add column if not exists "title_key" text null, add column if not exists "body_key" text null, add column if not exists "title_variables" jsonb null, add column if not exists "body_variables" jsonb null;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "notifications" drop column if exists "title_key", drop column if exists "body_key", drop column if exists "title_variables", drop column if exists "body_variables";`);
+  }
+
+}