@open-mercato/core 0.4.2-canary-49d47ff90e → 0.4.2-canary-0ba39cdeb6

package/src/modules/auth/backend/roles/[id]/edit/page.tsx

@@ -6,7 +6,7 @@ import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
 import { deleteCrud, updateCrud } from '@open-mercato/ui/backend/utils/crud'
 import { collectCustomFieldValues } from '@open-mercato/ui/backend/utils/customFieldValues'
 import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/components/AclEditor'
-import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { E } from '#generated/entities.ids.generated'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
@@ -37,6 +37,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
+  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
 
   React.useEffect(() => {
     if (!id) return
@@ -153,6 +154,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             kind="role"
             targetId={String(id)}
             tenantId={selectedTenantId ?? (initial?.tenantId ?? null)}
+            ref={widgetEditorRef}
           />
         )
         : null),
@@ -191,6 +193,7 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/roles/acl', { roleId: id, tenantId: effectiveTenantId, ...aclData }, {
               errorMessage: t('auth.roles.form.errors.aclUpdate', 'Failed to update role access control'),
             })
+            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/backend/users/[id]/edit/page.tsx

@@ -10,7 +10,7 @@ import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/compone
 import { OrganizationSelect } from '@open-mercato/core/modules/directory/components/OrganizationSelect'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
-import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
@@ -109,6 +109,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [customFieldValues, setCustomFieldValues] = React.useState<Record<string, unknown>>({})
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
+  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
   const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
   const passwordRequirements = React.useMemo(
     () => formatPasswordRequirements(passwordPolicy, t),
@@ -308,6 +309,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             targetId={String(id)}
             tenantId={selectedTenantId ?? null}
             organizationId={initialUser?.organizationId ?? null}
+            ref={widgetEditorRef}
           />
         ) : null
       ),
@@ -370,6 +372,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/users/acl', { userId: id, ...aclData }, {
               errorMessage: t('auth.users.form.errors.aclUpdate', 'Failed to update user access control'),
             })
+            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/cli.ts

@@ -17,6 +17,7 @@ import { env } from 'process'
 import type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'
 import crypto from 'node:crypto'
 import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'
+import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const addUser: ModuleCli = {
   command: 'add-user',
@@ -404,21 +405,33 @@ const addOrganization: ModuleCli = {
 const setupApp: ModuleCli = {
   command: 'setup',
   async run(rest) {
-    const args: Record<string, string> = {}
-    for (let i = 0; i < rest.length; i += 2) {
-      const k = rest[i]?.replace(/^--/, '')
-      const v = rest[i + 1]
-      if (k) args[k] = v
-    }
-    const orgName = args.orgName || args.name
-    const email = args.email
-    const password = args.password
-    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()
+    const args = parseArgs(rest)
+    const orgName = typeof args.orgName === 'string'
+      ? args.orgName
+      : typeof args.name === 'string'
+        ? args.name
+        : undefined
+    const email = typeof args.email === 'string' ? args.email : undefined
+    const password = typeof args.password === 'string' ? args.password : undefined
+    const rolesCsv = typeof args.roles === 'string'
+      ? args.roles.trim()
+      : 'superadmin,admin,employee'
+    const skipPasswordPolicyRaw =
+      args['skip-password-policy'] ??
+      args.skipPasswordPolicy ??
+      args['allow-weak-password'] ??
+      args.allowWeakPassword
+    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'
+      ? skipPasswordPolicyRaw
+      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false
     if (!orgName || !email || !password) {
-      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')
+      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')
       return
     }
-    if (!ensurePasswordPolicy(password)) return
+    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return
+    if (skipPasswordPolicy) {
+      console.warn('⚠️  Password policy validation skipped for setup.')
+    }
     const { resolve } = await createRequestContainer()
     const em = resolve<EntityManager>('em')
     const roleNames = rolesCsv

package/src/modules/business_rules/api/execute/route.ts

@@ -4,6 +4,7 @@ import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import type { EntityManager } from '@mikro-orm/postgresql'
+import type { EventBus } from '@open-mercato/events'
 import { ruleEngineContextSchema } from '../../data/validators'
 import * as ruleEngine from '../../lib/rule-engine'
 
@@ -46,6 +47,12 @@ export async function POST(req: Request) {
 
   const container = await createRequestContainer()
   const em = container.resolve('em') as EntityManager
+  let eventBus: EventBus | null = null
+  try {
+    eventBus = container.resolve('eventBus') as EventBus
+  } catch {
+    eventBus = null
+  }
 
   let body: any
   try {
@@ -85,7 +92,7 @@ export async function POST(req: Request) {
   }
 
   try {
-    const result = await ruleEngine.executeRules(em, context)
+    const result = await ruleEngine.executeRules(em, context, { eventBus })
 
     const response = {
       allowed: result.allowed,

package/src/modules/business_rules/lib/__tests__/rule-engine.test.ts

@@ -654,6 +654,57 @@ describe('Rule Engine (Unit Tests)', () => {
       expect(result.errors).toBeDefined()
       expect(result.errors![0]).toContain('Rule count limit exceeded')
     })
+
+    test('should emit execution_failed event when rule evaluation fails', async () => {
+      const mockRule: Partial<BusinessRule> = {
+        id: 'rule-1',
+        ruleId: 'TEST-001',
+        ruleName: 'Test Rule',
+        ruleType: 'ACTION',
+        entityType: 'WorkOrder',
+        conditionExpression: { field: 'status', operator: '=', value: 'RELEASED' },
+        enabled: true,
+        tenantId: testTenantId,
+        organizationId: testOrgId,
+      }
+
+      mockEm.find.mockResolvedValue([mockRule as BusinessRule])
+      mockEm.create.mockReturnValue({ id: 'log-1' } as any)
+      mockEm.persistAndFlush.mockResolvedValue(undefined)
+
+      jest.mocked(ruleEvaluator.evaluateSingleRule).mockResolvedValue({
+        rule: mockRule as BusinessRule,
+        conditionsPassed: false,
+        evaluationCompleted: false,
+        evaluationTime: 1,
+        error: 'Evaluation error',
+      })
+
+      const eventBus = { emitEvent: jest.fn().mockResolvedValue(undefined) }
+
+      const context: RuleEngineContext = {
+        entityType: 'WorkOrder',
+        entityId: testEntityId,
+        data: { status: 'RELEASED' },
+        tenantId: testTenantId,
+        organizationId: testOrgId,
+        dryRun: false,
+      }
+
+      await ruleEngine.executeRules(mockEm, context, { eventBus })
+
+      expect(eventBus.emitEvent).toHaveBeenCalledWith(
+        'business_rules.rule.execution_failed',
+        expect.objectContaining({
+          ruleId: 'TEST-001',
+          ruleName: 'Test Rule',
+          entityType: 'WorkOrder',
+          errorMessage: 'Evaluation error',
+          tenantId: testTenantId,
+          organizationId: testOrgId,
+        })
+      )
+    })
   })
 
   describe('logRuleExecution', () => {

package/src/modules/business_rules/lib/rule-engine.ts

@@ -1,4 +1,5 @@
 import type { EntityManager } from '@mikro-orm/core'
+import type { EventBus } from '@open-mercato/events'
 import { BusinessRule, RuleExecutionLog, type RuleType } from '../data/entities'
 import * as ruleEvaluator from './rule-evaluator'
 import * as actionExecutor from './action-executor'
@@ -85,6 +86,19 @@ export interface RuleDiscoveryOptions {
   ruleType?: RuleType
 }
 
+export type RuleEngineExecutionOptions = {
+  eventBus?: Pick<EventBus, 'emitEvent'> | null
+}
+
+type RuleExecutionFailedPayload = {
+  ruleId: string
+  ruleName: string
+  entityType?: string | null
+  errorMessage?: string | null
+  tenantId: string
+  organizationId?: string | null
+}
+
 /**
  * Execute a function with a timeout
  */
@@ -113,7 +127,8 @@ async function withTimeout<T>(
  */
 export async function executeRules(
   em: EntityManager,
-  context: RuleEngineContext
+  context: RuleEngineContext,
+  options: RuleEngineExecutionOptions = {}
 ): Promise<RuleEngineResult> {
   // Validate input
   const validation = ruleEngineContextSchema.safeParse(context)
@@ -159,7 +174,7 @@ export async function executeRules(
     const executionPromise = (async () => {
       for (const rule of rules) {
       try {
-        const ruleResult = await executeSingleRule(em, rule, context)
+        const ruleResult = await executeSingleRule(em, rule, context, options)
         executedRules.push(ruleResult)
 
         if (ruleResult.logId) {
@@ -177,6 +192,17 @@ export async function executeRules(
           `Unexpected error in rule execution [ruleId=${rule.ruleId}, type=${rule.ruleType}]: ${errorMessage}`
         )
 
+        if (!context.dryRun) {
+          await emitRuleExecutionFailed(options.eventBus, {
+            ruleId: rule.ruleId,
+            ruleName: rule.ruleName,
+            entityType: context.entityType ?? null,
+            errorMessage,
+            tenantId: context.tenantId,
+            organizationId: context.organizationId ?? null,
+          })
+        }
+
         executedRules.push({
           rule,
           conditionResult: false,
@@ -233,7 +259,8 @@ export async function executeRules(
 export async function executeSingleRule(
   em: EntityManager,
   rule: BusinessRule,
-  context: RuleEngineContext
+  context: RuleEngineContext,
+  options: RuleEngineExecutionOptions = {}
 ): Promise<RuleExecutionResult> {
   const startTime = Date.now()
 
@@ -269,6 +296,15 @@ export async function executeSingleRule(
             executionTime,
             error: result.error,
           })
+
+          await emitRuleExecutionFailed(options.eventBus, {
+            ruleId: rule.ruleId,
+            ruleName: rule.ruleName,
+            entityType: context.entityType ?? null,
+            errorMessage: result.error ?? null,
+            tenantId: context.tenantId,
+            organizationId: context.organizationId ?? null,
+          })
         }
 
         return {
@@ -346,6 +382,15 @@ export async function executeSingleRule(
         executionTime,
         error: enhancedError,
       })
+
+      await emitRuleExecutionFailed(options.eventBus, {
+        ruleId: rule.ruleId,
+        ruleName: rule.ruleName,
+        entityType: context.entityType ?? null,
+        errorMessage: enhancedError,
+        tenantId: context.tenantId,
+        organizationId: context.organizationId ?? null,
+      })
     }
 
     return {
@@ -544,3 +589,12 @@ export async function logRuleExecution(
 
   return log.id
 }
+
+async function emitRuleExecutionFailed(
+  eventBus: Pick<EventBus, 'emitEvent'> | null | undefined,
+  payload: RuleExecutionFailedPayload
+): Promise<void> {
+  if (!eventBus?.emitEvent) return
+
+  await eventBus.emitEvent('business_rules.rule.execution_failed', payload).catch(() => undefined)
+}

package/src/modules/configs/components/CachePanel.tsx

@@ -194,7 +194,7 @@ export function CachePanel() {
         <header className="space-y-1">
           <h2 className="text-lg font-semibold">{t('configs.cache.title', 'Cache overview')}</h2>
           <p className="text-sm text-muted-foreground">
-            {t('configs.cache.description', 'Inspect cached CRUD responses and clear segments when necessary.')}
+            {t('configs.cache.description', 'Inspect cached responses and clear segments when necessary.')}
           </p>
         </header>
         <div className="flex items-center gap-2 text-sm text-muted-foreground">
@@ -211,7 +211,7 @@ export function CachePanel() {
         <header className="space-y-1">
           <h2 className="text-lg font-semibold">{t('configs.cache.title', 'Cache overview')}</h2>
           <p className="text-sm text-muted-foreground">
-            {t('configs.cache.description', 'Inspect cached CRUD responses and clear segments when necessary.')}
+            {t('configs.cache.description', 'Inspect cached responses and clear segments when necessary.')}
           </p>
         </header>
         <div className="rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
@@ -235,7 +235,7 @@ export function CachePanel() {
         <div className="space-y-1">
           <h2 className="text-lg font-semibold">{t('configs.cache.title', 'Cache overview')}</h2>
           <p className="text-sm text-muted-foreground">
-            {t('configs.cache.description', 'Inspect cached CRUD responses and clear segments when necessary.')}
+            {t('configs.cache.description', 'Inspect cached responses and clear segments when necessary.')}
           </p>
           {stats ? (
             <>
@@ -342,7 +342,7 @@ export function CachePanel() {
           </div>
         ) : (
           <p className="text-sm text-muted-foreground">
-            {t('configs.cache.empty', 'No cached CRUD responses for this tenant.')}
+            {t('configs.cache.empty', 'No cached responses for this tenant.')}
           </p>
         )}
       </div>

package/src/modules/configs/i18n/en.json

@@ -35,14 +35,14 @@
   "configs.systemStatus.actions.purgeCacheUnavailable": "Cache service is unavailable.",
   "configs.config.nav.cache": "Cache",
   "configs.cache.title": "Cache overview",
-  "configs.cache.description": "Inspect cached CRUD responses and clear segments when necessary.",
+  "configs.cache.description": "Inspect cached responses and clear segments when necessary.",
   "configs.cache.loading": "Loading cache statistics…",
   "configs.cache.loadError": "Failed to load cache statistics.",
   "configs.cache.retry": "Retry",
   "configs.cache.refresh": "Refresh",
   "configs.cache.generatedAt": "Stats generated {{timestamp}}",
   "configs.cache.totalEntries": "{{count}} cached entries",
-  "configs.cache.empty": "No cached CRUD responses for this tenant.",
+  "configs.cache.empty": "No cached responses for this tenant.",
   "configs.cache.purgeAll": "Purge all cache",
   "configs.cache.purgeAllLoading": "Purging…",
   "configs.cache.purgeAllConfirm": "Purge all cached entries for this tenant?",
@@ -64,6 +64,8 @@
   "configs.systemStatus.categories.profilingDescription": "Flags that control request and query profiling outputs.",
   "configs.systemStatus.categories.logging": "Logging",
   "configs.systemStatus.categories.loggingDescription": "Tune verbosity and SQL logging for diagnostics.",
+  "configs.systemStatus.categories.security": "Security",
+  "configs.systemStatus.categories.securityDescription": "Password policy requirements enforced at login and user creation.",
   "configs.systemStatus.categories.caching": "Caching",
   "configs.systemStatus.categories.cachingDescription": "Cache providers and TTL controls for backend responses.",
   "configs.systemStatus.categories.queryIndex": "Query index",
@@ -84,6 +86,14 @@
   "configs.systemStatus.variables.logVerbosity.description": "Overrides structured log verbosity such as debug or trace.",
   "configs.systemStatus.variables.logLevel.label": "Log level",
   "configs.systemStatus.variables.logLevel.description": "Fallback log level applied when verbosity is not set.",
+  "configs.systemStatus.variables.passwordMinLength.label": "Password min length",
+  "configs.systemStatus.variables.passwordMinLength.description": "Minimum number of characters required for passwords.",
+  "configs.systemStatus.variables.passwordRequireDigit.label": "Password requires digit",
+  "configs.systemStatus.variables.passwordRequireDigit.description": "Require at least one numeric character.",
+  "configs.systemStatus.variables.passwordRequireUppercase.label": "Password requires uppercase",
+  "configs.systemStatus.variables.passwordRequireUppercase.description": "Require at least one uppercase letter.",
+  "configs.systemStatus.variables.passwordRequireSpecial.label": "Password requires special",
+  "configs.systemStatus.variables.passwordRequireSpecial.description": "Require at least one special character.",
   "configs.systemStatus.variables.enableCrudApiCache.label": "CRUD API cache",
   "configs.systemStatus.variables.enableCrudApiCache.description": "Enable the CRUD API response cache layer.",
   "configs.systemStatus.variables.cacheStrategy.label": "Cache strategy",

package/src/modules/configs/i18n/pl.json

@@ -35,14 +35,14 @@
   "configs.systemStatus.actions.purgeCacheUnavailable": "Usługa pamięci podręcznej jest niedostępna.",
   "configs.config.nav.cache": "Pamięć podręczna",
   "configs.cache.title": "Podgląd pamięci podręcznej",
-  "configs.cache.description": "Przeglądaj zapisane odpowiedzi CRUD i czyść segmenty w razie potrzeby.",
+  "configs.cache.description": "Przeglądaj zapisane odpowiedzi i czyść segmenty w razie potrzeby.",
   "configs.cache.loading": "Ładowanie statystyk pamięci podręcznej…",
   "configs.cache.loadError": "Nie udało się wczytać statystyk pamięci podręcznej.",
   "configs.cache.retry": "Spróbuj ponownie",
   "configs.cache.refresh": "Odśwież",
   "configs.cache.generatedAt": "Statystyki z {{timestamp}}",
   "configs.cache.totalEntries": "{{count}} wpisów w pamięci podręcznej",
-  "configs.cache.empty": "Brak zapisanych odpowiedzi CRUD dla tego tenanta.",
+  "configs.cache.empty": "Brak zapisanych odpowiedzi dla tego tenanta.",
   "configs.cache.purgeAll": "Wyczyść całą pamięć",
   "configs.cache.purgeAllLoading": "Czyszczenie…",
   "configs.cache.purgeAllConfirm": "Wyczyścić wszystkie wpisy pamięci podręcznej dla tego tenanta?",
@@ -64,6 +64,8 @@
   "configs.systemStatus.categories.profilingDescription": "Flagi sterujące generowaniem danych z profilowania zapytań i żądań.",
   "configs.systemStatus.categories.logging": "Logowanie",
   "configs.systemStatus.categories.loggingDescription": "Dostosuj poziom logowania i zapisywanie zapytań SQL na potrzeby diagnostyki.",
+  "configs.systemStatus.categories.security": "Bezpieczeństwo",
+  "configs.systemStatus.categories.securityDescription": "Wymagania polityki haseł stosowane przy logowaniu i tworzeniu użytkowników.",
   "configs.systemStatus.categories.caching": "Buforowanie",
   "configs.systemStatus.categories.cachingDescription": "Mechanizmy cache oraz kontrola czasu życia odpowiedzi backendu.",
   "configs.systemStatus.categories.queryIndex": "Indeks zapytań",
@@ -84,6 +86,14 @@
   "configs.systemStatus.variables.logVerbosity.description": "Nadpisuje poziom szczegółowości logów, np. debug lub trace.",
   "configs.systemStatus.variables.logLevel.label": "Poziom logowania",
   "configs.systemStatus.variables.logLevel.description": "Domyślny poziom logowania używany, gdy nie ustawiono szczegółowości.",
+  "configs.systemStatus.variables.passwordMinLength.label": "Minimalna długość hasła",
+  "configs.systemStatus.variables.passwordMinLength.description": "Minimalna liczba znaków wymagana w haśle.",
+  "configs.systemStatus.variables.passwordRequireDigit.label": "Hasło wymaga cyfry",
+  "configs.systemStatus.variables.passwordRequireDigit.description": "Wymagaj co najmniej jednej cyfry.",
+  "configs.systemStatus.variables.passwordRequireUppercase.label": "Hasło wymaga wielkiej litery",
+  "configs.systemStatus.variables.passwordRequireUppercase.description": "Wymagaj co najmniej jednej wielkiej litery.",
+  "configs.systemStatus.variables.passwordRequireSpecial.label": "Hasło wymaga znaku specjalnego",
+  "configs.systemStatus.variables.passwordRequireSpecial.description": "Wymagaj co najmniej jednego znaku specjalnego.",
   "configs.systemStatus.variables.enableCrudApiCache.label": "Cache API CRUD",
   "configs.systemStatus.variables.enableCrudApiCache.description": "Włącza warstwę buforowania odpowiedzi API CRUD.",
   "configs.systemStatus.variables.cacheStrategy.label": "Strategia cache",

package/src/modules/configs/lib/system-status.ts

@@ -19,7 +19,14 @@ type SystemStatusVariableDefinition = {
   defaultValue: string | null
 }
 
-const CATEGORY_ORDER: SystemStatusCategoryKey[] = ['profiling', 'logging', 'caching', 'query_index', 'entities']
+const CATEGORY_ORDER: SystemStatusCategoryKey[] = [
+  'profiling',
+  'logging',
+  'security',
+  'caching',
+  'query_index',
+  'entities',
+]
 
 const CATEGORY_METADATA: Record<
   SystemStatusCategoryKey,
@@ -33,6 +40,10 @@ const CATEGORY_METADATA: Record<
     labelKey: 'configs.systemStatus.categories.logging',
     descriptionKey: 'configs.systemStatus.categories.loggingDescription',
   },
+  security: {
+    labelKey: 'configs.systemStatus.categories.security',
+    descriptionKey: 'configs.systemStatus.categories.securityDescription',
+  },
   caching: {
     labelKey: 'configs.systemStatus.categories.caching',
     descriptionKey: 'configs.systemStatus.categories.cachingDescription',
@@ -113,6 +124,42 @@ export const SYSTEM_STATUS_VARIABLES: SystemStatusVariableDefinition[] = [
     docUrl: `${SYSTEM_STATUS_DOC_BASE}#log_level`,
     defaultValue: '',
   },
+  {
+    key: 'OM_PASSWORD_MIN_LENGTH',
+    category: 'security',
+    kind: 'string',
+    labelKey: 'configs.systemStatus.variables.passwordMinLength.label',
+    descriptionKey: 'configs.systemStatus.variables.passwordMinLength.description',
+    docUrl: `${SYSTEM_STATUS_DOC_BASE}#om_password_min_length`,
+    defaultValue: '6',
+  },
+  {
+    key: 'OM_PASSWORD_REQUIRE_DIGIT',
+    category: 'security',
+    kind: 'boolean',
+    labelKey: 'configs.systemStatus.variables.passwordRequireDigit.label',
+    descriptionKey: 'configs.systemStatus.variables.passwordRequireDigit.description',
+    docUrl: `${SYSTEM_STATUS_DOC_BASE}#om_password_require_digit`,
+    defaultValue: 'true',
+  },
+  {
+    key: 'OM_PASSWORD_REQUIRE_UPPERCASE',
+    category: 'security',
+    kind: 'boolean',
+    labelKey: 'configs.systemStatus.variables.passwordRequireUppercase.label',
+    descriptionKey: 'configs.systemStatus.variables.passwordRequireUppercase.description',
+    docUrl: `${SYSTEM_STATUS_DOC_BASE}#om_password_require_uppercase`,
+    defaultValue: 'true',
+  },
+  {
+    key: 'OM_PASSWORD_REQUIRE_SPECIAL',
+    category: 'security',
+    kind: 'boolean',
+    labelKey: 'configs.systemStatus.variables.passwordRequireSpecial.label',
+    descriptionKey: 'configs.systemStatus.variables.passwordRequireSpecial.description',
+    docUrl: `${SYSTEM_STATUS_DOC_BASE}#om_password_require_special`,
+    defaultValue: 'true',
+  },
   {
     key: 'ENABLE_CRUD_API_CACHE',
     category: 'caching',

package/src/modules/configs/lib/system-status.types.ts

@@ -1,6 +1,7 @@
 export type SystemStatusCategoryKey =
   | 'profiling'
   | 'logging'
+  | 'security'
   | 'caching'
   | 'query_index'
   | 'entities'

package/src/modules/dashboards/cli.ts

@@ -42,15 +42,25 @@ export async function seedDashboardDefaultsForTenant(
   const widgetMap = new Map(widgets.map((widget) => [widget.metadata.id, widget]))
   const resolvedWidgetIds = widgetIds && widgetIds.length
     ? widgetIds.filter((id) => widgetMap.has(id))
-    : widgets.filter((widget) => widget.metadata.defaultEnabled).map((widget) => widget.metadata.id)
+    : null
+  const defaultWidgetIds = widgets
+    .filter((widget) => widget.metadata.defaultEnabled)
+    .map((widget) => widget.metadata.id)
+  const allWidgetIds = widgets.map((widget) => widget.metadata.id)
 
-  if (!resolvedWidgetIds.length) {
+  if (resolvedWidgetIds && resolvedWidgetIds.length === 0) {
     log('No widgets resolved for dashboard seeding.')
     return false
   }
 
   await em.transactional(async (tem) => {
     for (const roleName of roleNames) {
+      const isAdminRole = roleName === 'admin' || roleName === 'superadmin'
+      const roleWidgetIds = resolvedWidgetIds ?? (isAdminRole ? allWidgetIds : defaultWidgetIds)
+      if (!roleWidgetIds.length) {
+        log(`No widgets resolved for role "${roleName}".`)
+        continue
+      }
       const role = await tem.findOne(Role, { name: roleName })
       if (!role) {
         log(`Skipping role "${roleName}" (not found)`)
@@ -63,7 +73,7 @@ export async function seedDashboardDefaultsForTenant(
         deletedAt: null,
       })
       if (existing) {
-        existing.widgetIdsJson = resolvedWidgetIds
+        existing.widgetIdsJson = roleWidgetIds
         tem.persist(existing)
         log(`Updated dashboard widgets for role "${roleName}"`)
       } else {
@@ -71,7 +81,7 @@ export async function seedDashboardDefaultsForTenant(
           roleId: String(role.id),
           tenantId,
           organizationId,
-          widgetIdsJson: resolvedWidgetIds,
+          widgetIdsJson: roleWidgetIds,
           createdAt: new Date(),
           updatedAt: null,
           deletedAt: null,

package/src/modules/dashboards/components/WidgetVisibilityEditor.tsx

@@ -44,9 +44,13 @@ type UserProps = BaseProps & {
 
 type WidgetVisibilityEditorProps = RoleProps | UserProps
 
+export type WidgetVisibilityEditorHandle = {
+  save: () => Promise<void>
+}
+
 const EMPTY: string[] = []
 
-export function WidgetVisibilityEditor(props: WidgetVisibilityEditorProps) {
+export const WidgetVisibilityEditor = React.forwardRef<WidgetVisibilityEditorHandle, WidgetVisibilityEditorProps>(function WidgetVisibilityEditor(props, ref) {
   const t = useT()
   const { kind, targetId, tenantId, organizationId } = props
   const [catalog, setCatalog] = React.useState<WidgetCatalogItem[]>([])
@@ -60,6 +64,15 @@ export function WidgetVisibilityEditor(props: WidgetVisibilityEditorProps) {
   const [originalMode, setOriginalMode] = React.useState<'inherit' | 'override'>('inherit')
   const [effective, setEffective] = React.useState<string[]>(EMPTY)
 
+  const dirty = React.useMemo(() => {
+    if (kind === 'user') {
+      if (mode !== originalMode) return true
+      if (mode === 'override') return selected.join('|') !== original.join('|')
+      return false
+    }
+    return selected.join('|') !== original.join('|')
+  }, [kind, mode, original, originalMode, selected])
+
   const loadCatalog = React.useCallback(async () => {
     const data = await readApiResultOrThrow<{ items?: unknown[] }>(
       '/api/dashboards/widgets/catalog',
@@ -149,6 +162,9 @@ export function WidgetVisibilityEditor(props: WidgetVisibilityEditorProps) {
   }, [original, originalMode])
 
   const save = React.useCallback(async () => {
+    if (loading) return
+    if (error && catalog.length === 0) return
+    if (!dirty) return
     setSaving(true)
     setError(null)
     try {
@@ -202,16 +218,9 @@ export function WidgetVisibilityEditor(props: WidgetVisibilityEditorProps) {
     } finally {
       setSaving(false)
     }
-  }, [kind, mode, organizationId, selected, t, targetId, tenantId])
+  }, [catalog.length, dirty, error, kind, loading, mode, organizationId, selected, t, targetId, tenantId])
 
-  const dirty = React.useMemo(() => {
-    if (kind === 'user') {
-      if (mode !== originalMode) return true
-      if (mode === 'override') return selected.join('|') !== original.join('|')
-      return false
-    }
-    return selected.join('|') !== original.join('|')
-  }, [kind, mode, original, originalMode, selected])
+  React.useImperativeHandle(ref, () => ({ save }), [save])
 
   if (loading) {
     return (
@@ -297,4 +306,6 @@ export function WidgetVisibilityEditor(props: WidgetVisibilityEditorProps) {
       </div>
     </div>
   )
-}
+})
+
+WidgetVisibilityEditor.displayName = 'WidgetVisibilityEditor'