npm - @open-mercato/core - Versions diffs - 0.4.2-canary-7732371765 → 0.4.2-canary-ed15f2e753 - Mend

@open-mercato/core 0.4.2-canary-7732371765 → 0.4.2-canary-ed15f2e753

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

package/src/modules/api_keys/services/apiKeyService.ts CHANGED Viewed

@@ -4,9 +4,60 @@ import { hash, compare } from 'bcryptjs'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { Role } from '@open-mercato/core/modules/auth/data/entities'
 import { ApiKey } from '../data/entities'
+import { createKmsService } from '@open-mercato/shared/lib/encryption/kms'
+import { encryptWithAesGcm, decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 const BCRYPT_COST = 10
+// =============================================================================
+// Session Secret Encryption Helpers
+// =============================================================================
+/**
+ * Encrypt an API key secret for storage.
+ * Uses tenant-specific DEK if available, otherwise returns null.
+ */
+async function encryptSessionSecret(
+  secret: string,
+  tenantId: string | null
+): Promise<string | null> {
+  if (!tenantId) return null
+  const kms = createKmsService()
+  if (!kms.isHealthy()) return null
+  const dek = await kms.getTenantDek(tenantId)
+  if (!dek) {
+    // Try to create a DEK if one doesn't exist
+    const created = await kms.createTenantDek(tenantId)
+    if (!created) return null
+    const encrypted = encryptWithAesGcm(secret, created.key)
+    return encrypted.value
+  }
+  const encrypted = encryptWithAesGcm(secret, dek.key)
+  return encrypted.value
+}
+/**
+ * Decrypt an API key secret from storage.
+ * Returns null if decryption fails or no DEK available.
+ */
+async function decryptSessionSecret(
+  encrypted: string,
+  tenantId: string | null
+): Promise<string | null> {
+  if (!tenantId || !encrypted) return null
+  const kms = createKmsService()
+  if (!kms.isHealthy()) return null
+  const dek = await kms.getTenantDek(tenantId)
+  if (!dek) return null
+  return decryptWithAesGcm(encrypted, dek.key)
+}
 export type CreateApiKeyInput = {
   name: string
   description?: string | null
@@ -117,6 +168,7 @@ export function generateSessionToken(): string {
 /**
  * Create an ephemeral API key scoped to a chat session.
  * The key inherits the user's roles and expires after ttlMinutes (default 30).
+ * The API key secret is encrypted and stored so it can be recovered for API calls.
  */
 export async function createSessionApiKey(
   em: EntityManager,
@@ -127,6 +179,9 @@ export async function createSessionApiKey(
   const expiresAt = new Date(Date.now() + ttl * 60 * 1000)
   const keyHash = await hashApiKey(secret)
+  // Encrypt the secret for later retrieval (used by MCP server for API calls)
+  const encryptedSecret = await encryptSessionSecret(secret, input.tenantId ?? null)
   const record = em.create(ApiKey, {
     name: `__session_${input.sessionToken}__`,
     description: 'Ephemeral session API key for AI chat',
@@ -138,6 +193,7 @@ export async function createSessionApiKey(
     createdBy: input.userId,
     sessionToken: input.sessionToken,
     sessionUserId: input.userId,
+    sessionSecretEncrypted: encryptedSecret,
     expiresAt,
     createdAt: new Date(),
   })
@@ -172,6 +228,35 @@ export async function findApiKeyBySessionToken(
   return record
 }
+/**
+ * Find a session API key with its decrypted secret.
+ * Returns null if not found, expired, deleted, or decryption fails.
+ * This is used by the MCP server to recover the API key secret for making
+ * authenticated API calls on behalf of the user.
+ */
+export async function findSessionApiKeyWithSecret(
+  em: EntityManager,
+  sessionToken: string
+): Promise<{ key: ApiKey; secret: string } | null> {
+  const record = await findApiKeyBySessionToken(em, sessionToken)
+  if (!record) return null
+  // If no encrypted secret stored, cannot recover
+  if (!record.sessionSecretEncrypted) {
+    console.warn('[ApiKeyService] Session key has no encrypted secret:', sessionToken.slice(0, 12))
+    return null
+  }
+  // Decrypt the secret
+  const secret = await decryptSessionSecret(record.sessionSecretEncrypted, record.tenantId ?? null)
+  if (!secret) {
+    console.warn('[ApiKeyService] Failed to decrypt session secret:', sessionToken.slice(0, 12))
+    return null
+  }
+  return { key: record, secret }
+}
 /**
  * Delete an ephemeral API key by its session token.
  */

package/src/modules/auth/events.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import { createModuleEvents } from '@open-mercato/shared/modules/events'
+/**
+ * Auth Module Events
+ *
+ * Declares all events that can be emitted by the auth module.
+ */
+const events = [
+  // Users
+  { id: 'auth.users.created', label: 'User Created', entity: 'users', category: 'crud' },
+  { id: 'auth.users.updated', label: 'User Updated', entity: 'users', category: 'crud' },
+  { id: 'auth.users.deleted', label: 'User Deleted', entity: 'users', category: 'crud' },
+  // Roles
+  { id: 'auth.roles.created', label: 'Role Created', entity: 'roles', category: 'crud' },
+  { id: 'auth.roles.updated', label: 'Role Updated', entity: 'roles', category: 'crud' },
+  { id: 'auth.roles.deleted', label: 'Role Deleted', entity: 'roles', category: 'crud' },
+  // Authentication events
+  { id: 'auth.login.success', label: 'Login Successful', category: 'lifecycle' },
+  { id: 'auth.login.failed', label: 'Login Failed', category: 'lifecycle' },
+  { id: 'auth.logout', label: 'User Logged Out', category: 'lifecycle' },
+  { id: 'auth.password.changed', label: 'Password Changed', category: 'lifecycle' },
+  { id: 'auth.password.reset.requested', label: 'Password Reset Requested', category: 'lifecycle' },
+  { id: 'auth.password.reset.completed', label: 'Password Reset Completed', category: 'lifecycle' },
+] as const
+export const eventsConfig = createModuleEvents({
+  moduleId: 'auth',
+  events,
+})
+/** Type-safe event emitter for auth module */
+export const emitAuthEvent = eventsConfig.emit
+/** Event IDs that can be emitted by the auth module */
+export type AuthEventId = typeof events[number]['id']
+export default eventsConfig

package/src/modules/auth/services/rbacService.ts CHANGED Viewed

@@ -69,7 +69,7 @@ export class RbacService {
     return granted === required
   }
-  private hasAllFeatures(required: string[], granted: string[]): boolean {
+  public hasAllFeatures(required: string[], granted: string[]): boolean {
     if (!required.length) return true
     if (!granted.length) return false
     return required.every((req) => granted.some((g) => this.matchFeature(req, g)))

package/src/modules/business_rules/api/execute/[ruleId]/route.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import * as ruleEngine from '../../../lib/rule-engine'
+const executeByIdRequestSchema = z.object({
+  data: z.any(),
+  dryRun: z.boolean().optional().default(false),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+const executeByIdResponseSchema = z.object({
+  success: z.boolean(),
+  ruleId: z.string(),
+  ruleName: z.string(),
+  conditionResult: z.boolean(),
+  actionsExecuted: z.object({
+    success: z.boolean(),
+    results: z.array(z.object({
+      type: z.string(),
+      success: z.boolean(),
+      error: z.string().optional(),
+    })),
+  }).nullable(),
+  executionTime: z.number(),
+  error: z.string().optional(),
+  logId: z.string().optional(),
+})
+const errorResponseSchema = z.object({
+  error: z.string(),
+})
+const routeMetadata = {
+  POST: { requireAuth: true, requireFeatures: ['business_rules.execute'] },
+}
+export const metadata = routeMetadata
+interface RouteContext {
+  params: Promise<{ ruleId: string }>
+}
+export async function POST(req: Request, context: RouteContext) {
+  const auth = await getAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  const params = await context.params
+  const ruleId = params.ruleId
+  if (!ruleId || !z.uuid().safeParse(ruleId).success) {
+    return NextResponse.json({ error: 'Invalid rule ID' }, { status: 400 })
+  }
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as EntityManager
+  let body: any
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+  const parsed = executeByIdRequestSchema.safeParse(body)
+  if (!parsed.success) {
+    const errors = parsed.error.issues.map(e => `${e.path.join('.')}: ${e.message}`)
+    return NextResponse.json({ error: `Validation failed: ${errors.join(', ')}` }, { status: 400 })
+  }
+  const { data, dryRun, entityType, entityId, eventType } = parsed.data
+  const execContext: ruleEngine.DirectRuleExecutionContext = {
+    ruleId,
+    data,
+    user: {
+      id: auth.sub,
+      email: auth.email,
+      role: (auth.role as string) ?? undefined,
+    },
+    tenantId: auth.tenantId ?? '',
+    organizationId: auth.orgId ?? '',
+    executedBy: auth.sub ?? auth.email ?? undefined,
+    dryRun,
+    entityType,
+    entityId,
+    eventType,
+  }
+  try {
+    const result = await ruleEngine.executeRuleById(em, execContext)
+    const response = {
+      success: result.success,
+      ruleId: result.ruleId,
+      ruleName: result.ruleName,
+      conditionResult: result.conditionResult,
+      actionsExecuted: result.actionsExecuted ? {
+        success: result.actionsExecuted.success,
+        results: result.actionsExecuted.results.map(ar => ({
+          type: ar.action.type,
+          success: ar.success,
+          error: ar.error,
+        })),
+      } : null,
+      executionTime: result.executionTime,
+      error: result.error,
+      logId: result.logId,
+    }
+    // Return appropriate status based on result
+    const status = result.success ? 200 : (result.error === 'Rule not found' ? 404 : 200)
+    return NextResponse.json(response, { status })
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error)
+    return NextResponse.json(
+      { error: `Rule execution failed: ${errorMessage}` },
+      { status: 500 }
+    )
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Business Rules',
+  summary: 'Execute a specific business rule by ID',
+  methods: {
+    POST: {
+      summary: 'Execute a specific rule by its database UUID',
+      description: 'Directly executes a specific business rule identified by its UUID, bypassing the normal entityType/eventType discovery mechanism. Useful for workflows and targeted rule execution.',
+      pathParams: z.object({
+        ruleId: z.string().uuid().describe('The database UUID of the business rule to execute'),
+      }),
+      requestBody: {
+        contentType: 'application/json',
+        schema: executeByIdRequestSchema,
+      },
+      responses: [
+        {
+          status: 200,
+          description: 'Rule executed successfully',
+          schema: executeByIdResponseSchema,
+        },
+        {
+          status: 404,
+          description: 'Rule not found',
+          schema: errorResponseSchema,
+        },
+      ],
+      errors: [
+        { status: 400, description: 'Invalid request payload or rule ID', schema: errorResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },
+        { status: 500, description: 'Execution error', schema: errorResponseSchema },
+      ],
+    },
+  },
+}

package/src/modules/business_rules/data/validators.ts CHANGED Viewed

@@ -287,3 +287,43 @@ export const ruleDiscoveryOptionsSchema = z.object({
 })
 export type RuleDiscoveryOptionsInput = z.infer<typeof ruleDiscoveryOptionsSchema>
+// Direct Rule Execution Context Schema (for executing a specific rule by ID)
+export const directRuleExecutionContextSchema = z.object({
+  ruleId: z.uuid('ruleId must be a valid UUID'),
+  data: z.any(),
+  user: z.looseObject({
+    id: z.string().optional(),
+    email: z.string().optional(),
+    role: z.string().optional(),
+  }).optional(),
+  tenantId: z.uuid('tenantId must be a valid UUID'),
+  organizationId: z.uuid('organizationId must be a valid UUID'),
+  executedBy: z.string().optional(),
+  dryRun: z.boolean().optional(),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+export type DirectRuleExecutionContextInput = z.infer<typeof directRuleExecutionContextSchema>
+// Rule ID Execution Context Schema (for executing a specific rule by its string rule_id identifier)
+export const ruleIdExecutionContextSchema = z.object({
+  ruleId: z.string().min(1, 'ruleId must be a non-empty string').max(50),
+  data: z.any(),
+  user: z.looseObject({
+    id: z.string().optional(),
+    email: z.string().optional(),
+    role: z.string().optional(),
+  }).optional(),
+  tenantId: z.uuid('tenantId must be a valid UUID'),
+  organizationId: z.uuid('organizationId must be a valid UUID'),
+  executedBy: z.string().optional(),
+  dryRun: z.boolean().optional(),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+export type RuleIdExecutionContextInput = z.infer<typeof ruleIdExecutionContextSchema>

package/src/modules/business_rules/index.ts CHANGED Viewed

@@ -8,3 +8,28 @@ export const metadata: ModuleInfo = {
   author: 'Patryk Lewczuk',
   license: 'Proprietary',
 }
+// Export rule engine types and functions for programmatic usage
+export {
+  executeRules,
+  executeRuleById,
+  executeRuleByRuleId,
+  executeSingleRule,
+  findApplicableRules,
+  logRuleExecution,
+  type RuleEngineContext,
+  type RuleEngineResult,
+  type RuleExecutionResult,
+  type RuleDiscoveryOptions,
+  type DirectRuleExecutionContext,
+  type DirectRuleExecutionResult,
+  type RuleIdExecutionContext,
+} from './lib/rule-engine'
+// Export validator schemas
+export {
+  directRuleExecutionContextSchema,
+  ruleIdExecutionContextSchema,
+  type DirectRuleExecutionContextInput,
+  type RuleIdExecutionContextInput,
+} from './data/validators'