@open-mercato/core 0.4.2-canary-36ab8921da → 0.4.2-canary-07dbc98202

package/generated/entities.ids.generated.ts

@@ -21,7 +21,8 @@ export const M = {
   "currencies": "currencies",
   "planner": "planner",
   "resources": "resources",
-  "staff": "staff"
+  "staff": "staff",
+  "notifications": "notifications"
 } as const
 export const E = {
   "dashboards": {
@@ -30,34 +31,34 @@ export const E = {
     "dashboard_user_widgets": "dashboards:dashboard_user_widgets"
   },
   "auth": {
-    "user": "auth:user",
+    "password_reset": "auth:password_reset",
     "role": "auth:role",
-    "user_sidebar_preference": "auth:user_sidebar_preference",
+    "role_acl": "auth:role_acl",
     "role_sidebar_preference": "auth:role_sidebar_preference",
-    "user_role": "auth:user_role",
     "session": "auth:session",
-    "password_reset": "auth:password_reset",
-    "role_acl": "auth:role_acl",
-    "user_acl": "auth:user_acl"
+    "user": "auth:user",
+    "user_acl": "auth:user_acl",
+    "user_role": "auth:user_role",
+    "user_sidebar_preference": "auth:user_sidebar_preference"
   },
   "directory": {
-    "tenant": "directory:tenant",
-    "organization": "directory:organization"
+    "organization": "directory:organization",
+    "tenant": "directory:tenant"
   },
   "customers": {
-    "customer_entity": "customers:customer_entity",
-    "customer_person_profile": "customers:customer_person_profile",
+    "customer_activity": "customers:customer_activity",
+    "customer_address": "customers:customer_address",
+    "customer_comment": "customers:customer_comment",
     "customer_company_profile": "customers:customer_company_profile",
     "customer_deal": "customers:customer_deal",
-    "customer_deal_person_link": "customers:customer_deal_person_link",
     "customer_deal_company_link": "customers:customer_deal_company_link",
-    "customer_activity": "customers:customer_activity",
-    "customer_comment": "customers:customer_comment",
-    "customer_address": "customers:customer_address",
+    "customer_deal_person_link": "customers:customer_deal_person_link",
+    "customer_dictionary_entry": "customers:customer_dictionary_entry",
+    "customer_entity": "customers:customer_entity",
+    "customer_person_profile": "customers:customer_person_profile",
     "customer_settings": "customers:customer_settings",
     "customer_tag": "customers:customer_tag",
     "customer_tag_assignment": "customers:customer_tag_assignment",
-    "customer_dictionary_entry": "customers:customer_dictionary_entry",
     "customer_todo_link": "customers:customer_todo_link"
   },
   "perspectives": {
@@ -65,10 +66,10 @@ export const E = {
     "role_perspective": "perspectives:role_perspective"
   },
   "entities": {
-    "custom_field_def": "entities:custom_field_def",
-    "custom_field_entity_config": "entities:custom_field_entity_config",
     "custom_entity": "entities:custom_entity",
     "custom_entity_storage": "entities:custom_entity_storage",
+    "custom_field_def": "entities:custom_field_def",
+    "custom_field_entity_config": "entities:custom_field_entity_config",
     "custom_field_value": "entities:custom_field_value",
     "encryption_map": "entities:encryption_map"
   },
@@ -77,60 +78,60 @@ export const E = {
     "upgrade_action_run": "configs:upgrade_action_run"
   },
   "query_index": {
-    "entity_index_row": "query_index:entity_index_row",
-    "entity_index_job": "query_index:entity_index_job",
     "entity_index_coverage": "query_index:entity_index_coverage",
+    "entity_index_job": "query_index:entity_index_job",
+    "entity_index_row": "query_index:entity_index_row",
     "indexer_error_log": "query_index:indexer_error_log",
     "indexer_status_log": "query_index:indexer_status_log",
     "search_token": "query_index:search_token"
   },
   "audit_logs": {
-    "action_log": "audit_logs:action_log",
-    "access_log": "audit_logs:access_log"
+    "access_log": "audit_logs:access_log",
+    "action_log": "audit_logs:action_log"
   },
   "attachments": {
-    "attachment_partition": "attachments:attachment_partition",
-    "attachment": "attachments:attachment"
+    "attachment": "attachments:attachment",
+    "attachment_partition": "attachments:attachment_partition"
   },
   "catalog": {
+    "catalog_offer": "catalog:catalog_offer",
     "catalog_option_schema_template": "catalog:catalog_option_schema_template",
+    "catalog_price_kind": "catalog:catalog_price_kind",
     "catalog_product": "catalog:catalog_product",
     "catalog_product_category": "catalog:catalog_product_category",
     "catalog_product_category_assignment": "catalog:catalog_product_category_assignment",
+    "catalog_product_price": "catalog:catalog_product_price",
     "catalog_product_tag": "catalog:catalog_product_tag",
     "catalog_product_tag_assignment": "catalog:catalog_product_tag_assignment",
-    "catalog_offer": "catalog:catalog_offer",
     "catalog_product_variant": "catalog:catalog_product_variant",
-    "catalog_product_variant_relation": "catalog:catalog_product_variant_relation",
-    "catalog_price_kind": "catalog:catalog_price_kind",
-    "catalog_product_price": "catalog:catalog_product_price"
+    "catalog_product_variant_relation": "catalog:catalog_product_variant_relation"
   },
   "sales": {
     "sales_channel": "sales:sales_channel",
-    "sales_shipping_method": "sales:sales_shipping_method",
+    "sales_credit_memo": "sales:sales_credit_memo",
+    "sales_credit_memo_line": "sales:sales_credit_memo_line",
     "sales_delivery_window": "sales:sales_delivery_window",
-    "sales_payment_method": "sales:sales_payment_method",
-    "sales_tax_rate": "sales:sales_tax_rate",
+    "sales_document_address": "sales:sales_document_address",
+    "sales_document_sequence": "sales:sales_document_sequence",
+    "sales_document_tag": "sales:sales_document_tag",
+    "sales_document_tag_assignment": "sales:sales_document_tag_assignment",
+    "sales_invoice": "sales:sales_invoice",
+    "sales_invoice_line": "sales:sales_invoice_line",
+    "sales_note": "sales:sales_note",
     "sales_order": "sales:sales_order",
-    "sales_order_line": "sales:sales_order_line",
     "sales_order_adjustment": "sales:sales_order_adjustment",
-    "sales_settings": "sales:sales_settings",
-    "sales_document_sequence": "sales:sales_document_sequence",
+    "sales_order_line": "sales:sales_order_line",
+    "sales_payment": "sales:sales_payment",
+    "sales_payment_allocation": "sales:sales_payment_allocation",
+    "sales_payment_method": "sales:sales_payment_method",
     "sales_quote": "sales:sales_quote",
-    "sales_quote_line": "sales:sales_quote_line",
     "sales_quote_adjustment": "sales:sales_quote_adjustment",
+    "sales_quote_line": "sales:sales_quote_line",
+    "sales_settings": "sales:sales_settings",
     "sales_shipment": "sales:sales_shipment",
     "sales_shipment_item": "sales:sales_shipment_item",
-    "sales_invoice": "sales:sales_invoice",
-    "sales_invoice_line": "sales:sales_invoice_line",
-    "sales_credit_memo": "sales:sales_credit_memo",
-    "sales_credit_memo_line": "sales:sales_credit_memo_line",
-    "sales_payment": "sales:sales_payment",
-    "sales_payment_allocation": "sales:sales_payment_allocation",
-    "sales_note": "sales:sales_note",
-    "sales_document_address": "sales:sales_document_address",
-    "sales_document_tag": "sales:sales_document_tag",
-    "sales_document_tag_assignment": "sales:sales_document_tag_assignment"
+    "sales_shipping_method": "sales:sales_shipping_method",
+    "sales_tax_rate": "sales:sales_tax_rate"
   },
   "api_keys": {
     "api_key": "api_keys:api_key"
@@ -150,38 +151,41 @@ export const E = {
     "feature_toggle_override": "feature_toggles:feature_toggle_override"
   },
   "workflows": {
-    "workflow_definition": "workflows:workflow_definition",
-    "workflow_instance": "workflows:workflow_instance",
     "step_instance": "workflows:step_instance",
     "user_task": "workflows:user_task",
-    "workflow_event": "workflows:workflow_event"
+    "workflow_definition": "workflows:workflow_definition",
+    "workflow_event": "workflows:workflow_event",
+    "workflow_instance": "workflows:workflow_instance"
   },
   "currencies": {
     "currency": "currencies:currency",
-    "exchange_rate": "currencies:exchange_rate",
-    "currency_fetch_config": "currencies:currency_fetch_config"
+    "currency_fetch_config": "currencies:currency_fetch_config",
+    "exchange_rate": "currencies:exchange_rate"
   },
   "planner": {
-    "planner_availability_rule_set": "planner:planner_availability_rule_set",
-    "planner_availability_rule": "planner:planner_availability_rule"
+    "planner_availability_rule": "planner:planner_availability_rule",
+    "planner_availability_rule_set": "planner:planner_availability_rule_set"
   },
   "resources": {
-    "resources_resource_type": "resources:resources_resource_type",
     "resources_resource": "resources:resources_resource",
-    "resources_resource_comment": "resources:resources_resource_comment",
     "resources_resource_activity": "resources:resources_resource_activity",
+    "resources_resource_comment": "resources:resources_resource_comment",
     "resources_resource_tag": "resources:resources_resource_tag",
-    "resources_resource_tag_assignment": "resources:resources_resource_tag_assignment"
+    "resources_resource_tag_assignment": "resources:resources_resource_tag_assignment",
+    "resources_resource_type": "resources:resources_resource_type"
   },
   "staff": {
+    "staff_leave_request": "staff:staff_leave_request",
     "staff_team": "staff:staff_team",
-    "staff_team_role": "staff:staff_team_role",
     "staff_team_member": "staff:staff_team_member",
-    "staff_leave_request": "staff:staff_leave_request",
-    "staff_team_member_comment": "staff:staff_team_member_comment",
     "staff_team_member_activity": "staff:staff_team_member_activity",
+    "staff_team_member_address": "staff:staff_team_member_address",
+    "staff_team_member_comment": "staff:staff_team_member_comment",
     "staff_team_member_job_history": "staff:staff_team_member_job_history",
-    "staff_team_member_address": "staff:staff_team_member_address"
+    "staff_team_role": "staff:staff_team_role"
+  },
+  "notifications": {
+    "notification": "notifications:notification"
   }
 } as const
 export type KnownModuleId = keyof typeof M

package/generated/entity-fields-registry.ts

@@ -53,6 +53,7 @@ import * as feature_toggle_override from './entities/feature_toggle_override/ind
 import * as indexer_error_log from './entities/indexer_error_log/index'
 import * as indexer_status_log from './entities/indexer_status_log/index'
 import * as module_config from './entities/module_config/index'
+import * as notification from './entities/notification/index'
 import * as organization from './entities/organization/index'
 import * as password_reset from './entities/password_reset/index'
 import * as perspective from './entities/perspective/index'
@@ -172,6 +173,7 @@ export const entityFieldsRegistry: Record<string, Record<string, string>> = {
   indexer_error_log,
   indexer_status_log,
   module_config,
+  notification,
   organization,
   password_reset,
   perspective,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.4.2-canary-36ab8921da",
+  "version": "0.4.2-canary-07dbc98202",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -207,7 +207,7 @@
     }
   },
   "dependencies": {
-    "@open-mercato/shared": "0.4.2-canary-36ab8921da",
+    "@open-mercato/shared": "0.4.2-canary-07dbc98202",
     "@xyflow/react": "^12.6.0",
     "date-fns": "^4.1.0",
     "date-fns-tz": "^3.2.0"

package/src/modules/api_docs/frontend/docs/api/page.tsx

@@ -2,6 +2,7 @@ import ApiDocsExplorer from './Explorer'
 import { getModules } from '@open-mercato/shared/lib/i18n/server'
 import { buildOpenApiDocument } from '@open-mercato/shared/lib/openapi'
 import { resolveApiDocsBaseUrl } from '@open-mercato/core/modules/api_docs/lib/resources'
+import { APP_VERSION } from '@open-mercato/shared/lib/version'
 
 type ExplorerOperation = {
   id: string
@@ -54,7 +55,7 @@ export default async function ApiDocsViewerPage() {
   const modules = getModules()
   const doc = buildOpenApiDocument(modules, {
     title: 'Open Mercato API',
-    version: '1.0.0',
+    version: APP_VERSION,
     description: 'Auto-generated OpenAPI definition for all enabled modules.',
     servers: [{ url: baseUrl, description: 'Default environment' }],
     baseUrlForExamples: baseUrl,
@@ -67,7 +68,7 @@ export default async function ApiDocsViewerPage() {
   return (
     <ApiDocsExplorer
       title={doc.info?.title ?? 'Open Mercato API'}
-      version={doc.info?.version ?? '1.0.0'}
+      version={doc.info?.version ?? APP_VERSION}
       description={doc.info?.description}
       operations={operations}
       tagOrder={tagOrder}

package/src/modules/auth/api/admin/nav.ts

@@ -297,12 +297,16 @@ export async function GET(req: Request) {
   const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
   const baseForUser = adoptSidebarDefaults(groupsWithRole)
 
-  const preference = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const preference = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   const withPreference = applySidebarPreference(baseForUser, preference)
 

package/src/modules/auth/api/profile/route.ts

@@ -0,0 +1,160 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+
+const profileResponseSchema = z.object({
+  email: z.string().email(),
+})
+
+const updateSchema = z.object({
+  email: z.string().email().optional(),
+  password: z.string().min(6).optional(),
+}).refine((data) => Boolean(data.email || data.password), {
+  message: 'Provide an email or password.',
+  path: ['email'],
+})
+
+const profileUpdateResponseSchema = z.object({
+  ok: z.literal(true),
+  email: z.string().email(),
+})
+
+export const metadata = {
+  GET: { requireAuth: true },
+  PUT: { requireAuth: true },
+}
+
+function buildCommandContext(container: Awaited<ReturnType<typeof createRequestContainer>>, auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>, req: Request): CommandRuntimeContext {
+  return {
+    container,
+    auth,
+    organizationScope: null,
+    selectedOrganizationId: auth.orgId ?? null,
+    organizationIds: auth.orgId ? [auth.orgId] : null,
+    request: req,
+  }
+}
+
+export async function GET(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const container = await createRequestContainer()
+    const em = (container.resolve('em') as EntityManager)
+    const user = await findOneWithDecryption(
+      em,
+      User,
+      { id: auth.sub, deletedAt: null },
+      undefined,
+      { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
+    )
+    if (!user) {
+      return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })
+    }
+    return NextResponse.json({ email: String(user.email) })
+  } catch (err) {
+    console.error('auth.profile.load failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })
+  }
+}
+
+export async function PUT(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const body = await req.json().catch(() => ({}))
+    const parsed = updateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json(
+        {
+          error: translate('auth.profile.form.errors.invalid', 'Invalid profile update.'),
+          issues: parsed.error.issues,
+        },
+        { status: 400 },
+      )
+    }
+    const container = await createRequestContainer()
+    const commandBus = (container.resolve('commandBus') as CommandBus)
+    const ctx = buildCommandContext(container, auth, req)
+    const { result } = await commandBus.execute<{ id: string; email?: string; password?: string }, User>(
+      'auth.users.update',
+      {
+        input: {
+          id: auth.sub,
+          email: parsed.data.email,
+          password: parsed.data.password,
+        },
+        ctx,
+      },
+    )
+    const authService = container.resolve('authService') as AuthService
+    const roles = await authService.getUserRoles(result, result.tenantId ? String(result.tenantId) : null)
+    const jwt = signJwt({
+      sub: String(result.id),
+      tenantId: result.tenantId ? String(result.tenantId) : null,
+      orgId: result.organizationId ? String(result.organizationId) : null,
+      email: result.email,
+      roles,
+    })
+    const res = NextResponse.json({ ok: true, email: String(result.email) })
+    res.cookies.set('auth_token', jwt, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 8,
+    })
+    return res
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('auth.profile.update failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.save', 'Failed to update profile.') }, { status: 400 })
+  }
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Authentication & Accounts',
+  summary: 'Profile settings',
+  methods: {
+    GET: {
+      summary: 'Get current profile',
+      description: 'Returns the email address for the signed-in user.',
+      responses: [
+        { status: 200, description: 'Profile payload', schema: profileResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 404, description: 'User not found', schema: z.object({ error: z.string() }) },
+      ],
+    },
+    PUT: {
+      summary: 'Update current profile',
+      description: 'Updates the email address or password for the signed-in user.',
+      requestBody: {
+        contentType: 'application/json',
+        schema: updateSchema,
+      },
+      responses: [
+        { status: 200, description: 'Profile updated', schema: profileUpdateResponseSchema },
+        { status: 400, description: 'Invalid payload', schema: z.object({ error: z.string() }) },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/auth/api/reset/confirm.ts

@@ -3,6 +3,9 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via confirmPasswordResetSchema
@@ -15,8 +18,28 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset.confirm] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true, redirect: '/login' })
 }
 

package/src/modules/auth/api/reset.ts

@@ -6,6 +6,9 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via requestPasswordResetSchema
@@ -35,6 +38,26 @@ export async function POST(req: Request) {
   }
 
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true })
 }
 

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,12 +64,16 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const settings = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -92,11 +96,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? [],
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -106,6 +110,11 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
+  }
 
   let parsedBody: unknown
   try {
@@ -182,7 +191,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/backend/auth/profile/page.meta.ts

@@ -0,0 +1,8 @@
+export const metadata = {
+  requireAuth: true,
+  pageTitle: 'Profile',
+  pageTitleKey: 'auth.profile.title',
+  breadcrumb: [
+    { label: 'Profile', labelKey: 'auth.profile.title' },
+  ],
+}