@open-mercato/core 0.4.2-canary-3b5064ce72 → 0.4.2-canary-15e78de280

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.4.2-canary-3b5064ce72",
+  "version": "0.4.2-canary-15e78de280",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -207,7 +207,7 @@
     }
   },
   "dependencies": {
-    "@open-mercato/shared": "0.4.2-canary-3b5064ce72",
+    "@open-mercato/shared": "0.4.2-canary-15e78de280",
     "@xyflow/react": "^12.6.0",
     "date-fns": "^4.1.0",
     "date-fns-tz": "^3.2.0"

package/src/modules/api_docs/frontend/docs/api/page.tsx

@@ -2,7 +2,6 @@ import ApiDocsExplorer from './Explorer'
 import { getModules } from '@open-mercato/shared/lib/i18n/server'
 import { buildOpenApiDocument } from '@open-mercato/shared/lib/openapi'
 import { resolveApiDocsBaseUrl } from '@open-mercato/core/modules/api_docs/lib/resources'
-import { APP_VERSION } from '@open-mercato/shared/lib/version'
 
 type ExplorerOperation = {
   id: string
@@ -55,7 +54,7 @@ export default async function ApiDocsViewerPage() {
   const modules = getModules()
   const doc = buildOpenApiDocument(modules, {
     title: 'Open Mercato API',
-    version: APP_VERSION,
+    version: '1.0.0',
     description: 'Auto-generated OpenAPI definition for all enabled modules.',
     servers: [{ url: baseUrl, description: 'Default environment' }],
     baseUrlForExamples: baseUrl,
@@ -68,7 +67,7 @@ export default async function ApiDocsViewerPage() {
   return (
     <ApiDocsExplorer
       title={doc.info?.title ?? 'Open Mercato API'}
-      version={doc.info?.version ?? APP_VERSION}
+      version={doc.info?.version ?? '1.0.0'}
       description={doc.info?.description}
       operations={operations}
       tagOrder={tagOrder}

package/src/modules/api_keys/backend/api-keys/page.tsx

@@ -175,7 +175,7 @@ export default function ApiKeysListPage() {
           perspective={{ tableId: 'api_keys.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { id: 'delete', label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 20, total, totalPages, onPageChange: setPage }}

package/src/modules/api_keys/data/entities.ts

@@ -38,6 +38,10 @@ export class ApiKey {
   @Property({ name: 'session_user_id', type: 'uuid', nullable: true })
   sessionUserId?: string | null
 
+  /** Encrypted API key secret for session keys (recoverable for API calls) */
+  @Property({ name: 'session_secret_encrypted', type: 'text', nullable: true })
+  sessionSecretEncrypted?: string | null
+
   @Property({ name: 'last_used_at', type: Date, nullable: true })
   lastUsedAt?: Date | null
 

package/src/modules/api_keys/migrations/.snapshot-open-mercato.json

@@ -106,6 +106,15 @@
           "nullable": true,
           "mappedType": "uuid"
         },
+        "session_secret_encrypted": {
+          "name": "session_secret_encrypted",
+          "type": "text",
+          "unsigned": false,
+          "autoincrement": false,
+          "primary": false,
+          "nullable": true,
+          "mappedType": "text"
+        },
         "last_used_at": {
           "name": "last_used_at",
           "type": "timestamptz",

package/src/modules/api_keys/migrations/Migration20260125204102.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260125204102 extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "api_keys" add column "session_secret_encrypted" text null;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "api_keys" drop column "session_secret_encrypted";`);
+  }
+
+}

package/src/modules/api_keys/services/apiKeyService.ts

@@ -4,9 +4,60 @@ import { hash, compare } from 'bcryptjs'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { Role } from '@open-mercato/core/modules/auth/data/entities'
 import { ApiKey } from '../data/entities'
+import { createKmsService } from '@open-mercato/shared/lib/encryption/kms'
+import { encryptWithAesGcm, decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 
 const BCRYPT_COST = 10
 
+// =============================================================================
+// Session Secret Encryption Helpers
+// =============================================================================
+
+/**
+ * Encrypt an API key secret for storage.
+ * Uses tenant-specific DEK if available, otherwise returns null.
+ */
+async function encryptSessionSecret(
+  secret: string,
+  tenantId: string | null
+): Promise<string | null> {
+  if (!tenantId) return null
+
+  const kms = createKmsService()
+  if (!kms.isHealthy()) return null
+
+  const dek = await kms.getTenantDek(tenantId)
+  if (!dek) {
+    // Try to create a DEK if one doesn't exist
+    const created = await kms.createTenantDek(tenantId)
+    if (!created) return null
+    const encrypted = encryptWithAesGcm(secret, created.key)
+    return encrypted.value
+  }
+
+  const encrypted = encryptWithAesGcm(secret, dek.key)
+  return encrypted.value
+}
+
+/**
+ * Decrypt an API key secret from storage.
+ * Returns null if decryption fails or no DEK available.
+ */
+async function decryptSessionSecret(
+  encrypted: string,
+  tenantId: string | null
+): Promise<string | null> {
+  if (!tenantId || !encrypted) return null
+
+  const kms = createKmsService()
+  if (!kms.isHealthy()) return null
+
+  const dek = await kms.getTenantDek(tenantId)
+  if (!dek) return null
+
+  return decryptWithAesGcm(encrypted, dek.key)
+}
+
 export type CreateApiKeyInput = {
   name: string
   description?: string | null
@@ -117,6 +168,7 @@ export function generateSessionToken(): string {
 /**
  * Create an ephemeral API key scoped to a chat session.
  * The key inherits the user's roles and expires after ttlMinutes (default 30).
+ * The API key secret is encrypted and stored so it can be recovered for API calls.
  */
 export async function createSessionApiKey(
   em: EntityManager,
@@ -127,6 +179,9 @@ export async function createSessionApiKey(
   const expiresAt = new Date(Date.now() + ttl * 60 * 1000)
   const keyHash = await hashApiKey(secret)
 
+  // Encrypt the secret for later retrieval (used by MCP server for API calls)
+  const encryptedSecret = await encryptSessionSecret(secret, input.tenantId ?? null)
+
   const record = em.create(ApiKey, {
     name: `__session_${input.sessionToken}__`,
     description: 'Ephemeral session API key for AI chat',
@@ -138,6 +193,7 @@ export async function createSessionApiKey(
     createdBy: input.userId,
     sessionToken: input.sessionToken,
     sessionUserId: input.userId,
+    sessionSecretEncrypted: encryptedSecret,
     expiresAt,
     createdAt: new Date(),
   })
@@ -172,6 +228,35 @@ export async function findApiKeyBySessionToken(
   return record
 }
 
+/**
+ * Find a session API key with its decrypted secret.
+ * Returns null if not found, expired, deleted, or decryption fails.
+ * This is used by the MCP server to recover the API key secret for making
+ * authenticated API calls on behalf of the user.
+ */
+export async function findSessionApiKeyWithSecret(
+  em: EntityManager,
+  sessionToken: string
+): Promise<{ key: ApiKey; secret: string } | null> {
+  const record = await findApiKeyBySessionToken(em, sessionToken)
+  if (!record) return null
+
+  // If no encrypted secret stored, cannot recover
+  if (!record.sessionSecretEncrypted) {
+    console.warn('[ApiKeyService] Session key has no encrypted secret:', sessionToken.slice(0, 12))
+    return null
+  }
+
+  // Decrypt the secret
+  const secret = await decryptSessionSecret(record.sessionSecretEncrypted, record.tenantId ?? null)
+  if (!secret) {
+    console.warn('[ApiKeyService] Failed to decrypt session secret:', sessionToken.slice(0, 12))
+    return null
+  }
+
+  return { key: record, secret }
+}
+
 /**
  * Delete an ephemeral API key by its session token.
  */

package/src/modules/attachments/components/AttachmentLibrary.tsx

@@ -1056,7 +1056,6 @@ export function AttachmentLibrary() {
           <RowActions
             items={[
               {
-                id: 'open',
                 label: t('attachments.library.actions.open', 'Open'),
                 onSelect: () => {
                   if (!row.url) return
@@ -1064,12 +1063,10 @@ export function AttachmentLibrary() {
                 },
               },
               {
-                id: 'edit',
                 label: t('attachments.library.actions.edit', 'Edit metadata'),
                 onSelect: () => openMetadataDialog(row),
               },
               {
-                id: 'copy-url',
                 label: t('attachments.library.actions.copyUrl', 'Copy URL'),
                 onSelect: () => {
                   if (!row.url) {
@@ -1094,7 +1091,6 @@ export function AttachmentLibrary() {
                 },
               },
               {
-                id: 'delete',
                 label: t('attachments.library.actions.delete', 'Delete'),
                 destructive: true,
                 onSelect: () => openDeleteDialog(row),

package/src/modules/attachments/components/AttachmentPartitionSettings.tsx

@@ -305,12 +305,10 @@ export function AttachmentPartitionSettings() {
           <RowActions
             items={[
               {
-                id: 'edit',
                 label: t('attachments.partitions.actions.edit', 'Edit'),
                 onSelect: () => openDialog({ mode: 'edit', entry }),
               },
               {
-                id: 'delete',
                 label: t('attachments.partitions.actions.delete', 'Delete'),
                 destructive: true,
                 onSelect: () => { void handleDelete(entry) },

package/src/modules/auth/README.md

@@ -8,7 +8,7 @@ Features:
   - `mercato auth add-user --email <e> --password <p> --organizationId <id> [--roles r1,r2]`
   - `mercato auth seed-roles`
   - `mercato auth add-org --name <org>`
-  - `mercato auth setup --orgName <org> --email <e> --password <p> [--roles superadmin,admin] [--skip-password-policy]`
+  - `mercato auth setup --orgName <org> --email <e> --password <p> [--roles superadmin,admin]`
 
 DB entities used (defined in root schema):
 - `users` with: `email`, `password_hash`, `is_confirmed`, `last_login_at`, `organization_id`, timestamps.

package/src/modules/auth/__tests__/cli-setup-acl.test.ts

@@ -46,7 +46,7 @@ describe('auth CLI setup seeds ACLs', () => {
     findOneOrFail.mockImplementation(async (_: any, where: any) => ({ id: 'role-' + where.name, name: where.name }))
 
     // Act
-    await setup.run(['--orgName', 'Acme', '--email', 'root@acme.com', '--password', 'secret', '--skip-password-policy'])
+    await setup.run(['--orgName', 'Acme', '--email', 'root@acme.com', '--password', 'secret'])
 
     // Assert: persistAndFlush was called to create three RoleAcl rows with expected flags/features
     const calls = persistAndFlush.mock.calls.map((c) => c[0])

package/src/modules/auth/api/__tests__/login.test.ts

@@ -15,8 +15,6 @@ jest.mock('@open-mercato/shared/lib/di/container', () => ({
   createRequestContainer: async () => ({
     resolve: (_: string) => ({
       findUserByEmail: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
-      findUsersByEmail: async (email: string) => ([{ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }]),
-      findUserByEmailAndTenant: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
       verifyPassword: async () => true,
       getUserRoles: async (_user: any, _tenant: string | null | undefined) => ['admin'],
       updateLastLoginAt: async () => undefined,

package/src/modules/auth/api/admin/nav.ts

@@ -297,16 +297,12 @@ export async function GET(req: Request) {
   const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
   const baseForUser = adoptSidebarDefaults(groupsWithRole)
 
-  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  const preference = effectiveUserId
-    ? await loadSidebarPreference(em, {
-        userId: effectiveUserId,
-        tenantId: auth.tenantId ?? null,
-        organizationId: auth.orgId ?? null,
-        locale,
-      })
-    : null
+  const preference = await loadSidebarPreference(em, {
+    userId: auth.sub,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale,
+  })
 
   const withPreference = applySidebarPreference(baseForUser, preference)
 

package/src/modules/auth/api/login.ts

@@ -17,33 +17,15 @@ export async function POST(req: Request) {
   const email = String(form.get('email') ?? '')
   const password = String(form.get('password') ?? '')
   const remember = parseBooleanToken(form.get('remember')?.toString()) === true
-  const tenantIdRaw = String(form.get('tenantId') ?? form.get('tenant') ?? '').trim()
   const requireRoleRaw = (String(form.get('requireRole') ?? form.get('role') ?? '')).trim()
   const requiredRoles = requireRoleRaw ? requireRoleRaw.split(',').map((s) => s.trim()).filter(Boolean) : []
-  const parsed = userLoginSchema.pick({ email: true, password: true, tenantId: true }).safeParse({
-    email,
-    password,
-    tenantId: tenantIdRaw || undefined,
-  })
+  const parsed = userLoginSchema.pick({ email: true, password: true }).safeParse({ email, password })
   if (!parsed.success) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid credentials') }, { status: 400 })
   }
   const container = await createRequestContainer()
   const auth = (container.resolve('authService') as AuthService)
-  const tenantId = parsed.data.tenantId ?? null
-  let user = null
-  if (tenantId) {
-    user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
-  } else {
-    const users = await auth.findUsersByEmail(parsed.data.email)
-    if (users.length > 1) {
-      return NextResponse.json({
-        ok: false,
-        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
-      }, { status: 400 })
-    }
-    user = users[0] ?? null
-  }
+  const user = await auth.findUserByEmail(parsed.data.email)
   if (!user || !user.passwordHash) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
@@ -53,27 +35,26 @@ export async function POST(req: Request) {
   }
   // Optional role requirement
   if (requiredRoles.length) {
-    const userRoleNames = await auth.getUserRoles(user, tenantId ?? (user.tenantId ? String(user.tenantId) : null))
+    const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
     const authorized = requiredRoles.some(r => userRoleNames.includes(r))
     if (!authorized) {
       return NextResponse.json({ ok: false, error: translate('auth.login.errors.permissionDenied', 'Not authorized for this area') }, { status: 403 })
     }
   }
   await auth.updateLastLoginAt(user)
-  const resolvedTenantId = tenantId ?? (user.tenantId ? String(user.tenantId) : null)
-  const userRoleNames = await auth.getUserRoles(user, resolvedTenantId)
+  const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
   try {
     const eventBus = (container.resolve('eventBus') as EventBus)
     void eventBus.emitEvent('query_index.coverage.warmup', {
-      tenantId: resolvedTenantId,
+      tenantId: user.tenantId ? String(user.tenantId) : null,
     }).catch(() => undefined)
   } catch {
     // optional warmup
   }
   const token = signJwt({ 
     sub: String(user.id), 
-    tenantId: resolvedTenantId, 
-    orgId: user.organizationId ? String(user.organizationId) : null,
+    tenantId: user.tenantId ? String(user.tenantId) : null, 
+    orgId: user.organizationId ? String(user.organizationId) : null, 
     email: user.email, 
     roles: userRoleNames 
   })

package/src/modules/auth/api/reset/confirm.ts

@@ -3,9 +3,6 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
-import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
-import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
-import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via confirmPasswordResetSchema
@@ -18,28 +15,8 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
-  try {
-    const tenantId = user.tenantId ? String(user.tenantId) : null
-    if (tenantId) {
-      const notificationService = resolveNotificationService(c)
-      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
-      if (typeDef) {
-        const notificationInput = buildNotificationFromType(typeDef, {
-          recipientUserId: String(user.id),
-          sourceEntityType: 'auth:user',
-          sourceEntityId: String(user.id),
-        })
-        await notificationService.create(notificationInput, {
-          tenantId,
-          organizationId: user.organizationId ? String(user.organizationId) : null,
-        })
-      }
-    }
-  } catch (err) {
-    console.error('[auth.reset.confirm] Failed to create notification:', err)
-  }
+  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
   return NextResponse.json({ ok: true, redirect: '/login' })
 }
 

package/src/modules/auth/api/reset.ts

@@ -6,9 +6,6 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
-import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
-import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
-import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via requestPasswordResetSchema
@@ -38,26 +35,6 @@ export async function POST(req: Request) {
   }
 
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
-  try {
-    const tenantId = user.tenantId ? String(user.tenantId) : null
-    if (tenantId) {
-      const notificationService = resolveNotificationService(c)
-      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
-      if (typeDef) {
-        const notificationInput = buildNotificationFromType(typeDef, {
-          recipientUserId: String(user.id),
-          sourceEntityType: 'auth:user',
-          sourceEntityId: String(user.id),
-        })
-        await notificationService.create(notificationInput, {
-          tenantId,
-          organizationId: user.organizationId ? String(user.organizationId) : null,
-        })
-      }
-    }
-  } catch (err) {
-    console.error('[auth.reset] Failed to create notification:', err)
-  }
   return NextResponse.json({ ok: true })
 }
 

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,16 +64,12 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  // For API key auth, use userId (the actual user) if available
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  const settings = effectiveUserId
-    ? await loadSidebarPreference(em, {
-        userId: effectiveUserId,
-        tenantId: auth.tenantId ?? null,
-        organizationId: auth.orgId ?? null,
-        locale,
-      })
-    : null
+  const settings = await loadSidebarPreference(em, {
+    userId: auth.sub,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale,
+  })
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -96,11 +92,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings?.groupOrder ?? [],
-      groupLabels: settings?.groupLabels ?? {},
-      itemLabels: settings?.itemLabels ?? {},
-      hiddenItems: settings?.hiddenItems ?? [],
+      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings.groupOrder ?? [],
+      groupLabels: settings.groupLabels ?? {},
+      itemLabels: settings.itemLabels ?? {},
+      hiddenItems: settings.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -110,11 +106,6 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  // For API key auth, use userId (the actual user) if available
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  if (!effectiveUserId) {
-    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
-  }
 
   let parsedBody: unknown
   try {
@@ -191,7 +182,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: effectiveUserId,
+    userId: auth.sub,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/api/users/route.ts

@@ -15,7 +15,6 @@ import type { EntityManager } from '@mikro-orm/postgresql'
 import { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
-import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 const querySchema = z.object({
   id: z.string().uuid().optional(),
@@ -28,11 +27,9 @@ const querySchema = z.object({
 
 const rawBodySchema = z.object({}).passthrough()
 
-const passwordSchema = buildPasswordSchema()
-
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: passwordSchema,
+  password: z.string().min(6),
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -40,7 +37,7 @@ const userCreateSchema = z.object({
 const userUpdateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: passwordSchema.optional(),
+  password: z.string().min(6).optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })

package/src/modules/auth/backend/roles/[id]/edit/page.tsx

@@ -6,7 +6,7 @@ import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
 import { deleteCrud, updateCrud } from '@open-mercato/ui/backend/utils/crud'
 import { collectCustomFieldValues } from '@open-mercato/ui/backend/utils/customFieldValues'
 import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/components/AclEditor'
-import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { E } from '#generated/entities.ids.generated'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
@@ -37,7 +37,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
-  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
 
   React.useEffect(() => {
     if (!id) return
@@ -154,7 +153,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             kind="role"
             targetId={String(id)}
             tenantId={selectedTenantId ?? (initial?.tenantId ?? null)}
-            ref={widgetEditorRef}
           />
         )
         : null),
@@ -193,7 +191,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/roles/acl', { roleId: id, tenantId: effectiveTenantId, ...aclData }, {
               errorMessage: t('auth.roles.form.errors.aclUpdate', 'Failed to update role access control'),
             })
-            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/backend/roles/page.tsx

@@ -117,9 +117,9 @@ export default function RolesListPage() {
           onSearchChange={(v) => { setSearch(v); setPage(1) }}
           rowActions={(row) => (
             <RowActions items={[
-              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
-              { id: 'show-users', label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
-              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
+              { label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
+              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           sortable