@open-mercato/core 0.4.2-canary-7c76659938 → 0.4.2-canary-70c8402224

package/dist/modules/auth/api/profile/route.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/auth/api/profile/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { signJwt } from '@open-mercato/shared/lib/auth/jwt'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport { User } from '@open-mercato/core/modules/auth/data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nconst profileResponseSchema = z.object({\n  email: z.string().email(),\n})\n\nconst updateSchema = z.object({\n  email: z.string().email().optional(),\n  password: z.string().min(6).optional(),\n}).refine((data) => Boolean(data.email || data.password), {\n  message: 'Provide an email or password.',\n  path: ['email'],\n})\n\nconst profileUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  email: z.string().email(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  PUT: { requireAuth: true },\n}\n\nfunction buildCommandContext(container: Awaited<ReturnType<typeof createRequestContainer>>, auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>, req: Request): CommandRuntimeContext {\n  return {\n    container,\n    auth,\n    organizationScope: null,\n    selectedOrganizationId: auth.orgId ?? null,\n    organizationIds: auth.orgId ? [auth.orgId] : null,\n    request: req,\n  }\n}\n\nexport async function GET(req: Request) {\n  const { translate } = await resolveTranslations()\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })\n  }\n  try {\n    const container = await createRequestContainer()\n    const em = (container.resolve('em') as EntityManager)\n    const user = await findOneWithDecryption(\n      em,\n      User,\n      { id: auth.sub, deletedAt: null },\n      undefined,\n      { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n    )\n    if (!user) {\n      return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })\n    }\n    return NextResponse.json({ email: String(user.email) })\n  } catch (err) {\n    console.error('auth.profile.load failed', err)\n    return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })\n  }\n}\n\nexport async function PUT(req: Request) {\n  const { translate } = await resolveTranslations()\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })\n  }\n  try {\n    const body = await req.json().catch(() => ({}))\n    const parsed = updateSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json(\n        {\n          error: translate('auth.profile.form.errors.invalid', 'Invalid profile update.'),\n          issues: parsed.error.issues,\n        },\n        { status: 400 },\n      )\n    }\n    const container = await createRequestContainer()\n    const commandBus = (container.resolve('commandBus') as CommandBus)\n    const ctx = buildCommandContext(container, auth, req)\n    const { result } = await commandBus.execute<{ id: string; email?: string; password?: string }, User>(\n      'auth.users.update',\n      {\n        input: {\n          id: auth.sub,\n          email: parsed.data.email,\n          password: parsed.data.password,\n        },\n        ctx,\n      },\n    )\n    const authService = container.resolve('authService') as AuthService\n    const roles = await authService.getUserRoles(result, result.tenantId ? String(result.tenantId) : null)\n    const jwt = signJwt({\n      sub: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      orgId: result.organizationId ? String(result.organizationId) : null,\n      email: result.email,\n      roles,\n    })\n    const res = NextResponse.json({ ok: true, email: String(result.email) })\n    res.cookies.set('auth_token', jwt, {\n      httpOnly: true,\n      path: '/',\n      sameSite: 'lax',\n      secure: process.env.NODE_ENV === 'production',\n      maxAge: 60 * 60 * 8,\n    })\n    return res\n  } catch (err) {\n    if (err instanceof CrudHttpError) {\n      return NextResponse.json(err.body, { status: err.status })\n    }\n    console.error('auth.profile.update failed', err)\n    return NextResponse.json({ error: translate('auth.profile.form.errors.save', 'Failed to update profile.') }, { status: 400 })\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Profile settings',\n  methods: {\n    GET: {\n      summary: 'Get current profile',\n      description: 'Returns the email address for the signed-in user.',\n      responses: [\n        { status: 200, description: 'Profile payload', schema: profileResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n        { status: 404, description: 'User not found', schema: z.object({ error: z.string() }) },\n      ],\n    },\n    PUT: {\n      summary: 'Update current profile',\n      description: 'Updates the email address or password for the signed-in user.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: updateSchema,\n      },\n      responses: [\n        { status: 200, description: 'Profile updated', schema: profileUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAGlB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,eAAe;AACxB,SAAS,2BAA2B;AACpC,SAAS,qBAAqB;AAE9B,SAAS,YAAY;AAErB,SAAS,6BAA6B;AAEtC,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AACvC,CAAC,EAAE,OAAO,CAAC,SAAS,QAAQ,KAAK,SAAS,KAAK,QAAQ,GAAG;AAAA,EACxD,SAAS;AAAA,EACT,MAAM,CAAC,OAAO;AAChB,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,KAAK,EAAE,aAAa,KAAK;AAC3B;AAEA,SAAS,oBAAoB,WAA+D,MAAmE,KAAqC;AAClM,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB,wBAAwB,KAAK,SAAS;AAAA,IACtC,iBAAiB,KAAK,QAAQ,CAAC,KAAK,KAAK,IAAI;AAAA,IAC7C,SAAS;AAAA,EACX;AACF;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,UAAU,2BAA2B,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3G;AACA,MAAI;AACF,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,KAAK,KAAK,WAAW,KAAK;AAAA,MAChC;AAAA,MACA,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,IACxE;AACA,QAAI,CAAC,MAAM;AACT,aAAO,aAAa,KAAK,EAAE,OAAO,UAAU,mCAAmC,gBAAgB,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACrH;AACA,WAAO,aAAa,KAAK,EAAE,OAAO,OAAO,KAAK,KAAK,EAAE,CAAC;AAAA,EACxD,SAAS,KAAK;AACZ,YAAQ,MAAM,4BAA4B,GAAG;AAC7C,WAAO,aAAa,KAAK,EAAE,OAAO,UAAU,iCAAiC,yBAAyB,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5H;AACF;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,UAAU,2BAA2B,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3G;AACA,MAAI;AACF,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,UAAM,SAAS,aAAa,UAAU,IAAI;AAC1C,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa;AAAA,QAClB;AAAA,UACE,OAAO,UAAU,oCAAoC,yBAAyB;AAAA,UAC9E,QAAQ,OAAO,MAAM;AAAA,QACvB;AAAA,QACA,EAAE,QAAQ,IAAI;AAAA,MAChB;AAAA,IACF;AACA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,aAAc,UAAU,QAAQ,YAAY;AAClD,UAAM,MAAM,oBAAoB,WAAW,MAAM,GAAG;AACpD,UAAM,EAAE,OAAO,IAAI,MAAM,WAAW;AAAA,MAClC;AAAA,MACA;AAAA,QACE,OAAO;AAAA,UACL,IAAI,KAAK;AAAA,UACT,OAAO,OAAO,KAAK;AAAA,UACnB,UAAU,OAAO,KAAK;AAAA,QACxB;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,UAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,UAAM,QAAQ,MAAM,YAAY,aAAa,QAAQ,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI,IAAI;AACrG,UAAM,MAAM,QAAQ;AAAA,MAClB,KAAK,OAAO,OAAO,EAAE;AAAA,MACrB,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,OAAO,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,MAC/D,OAAO,OAAO;AAAA,MACd;AAAA,IACF,CAAC;AACD,UAAM,MAAM,aAAa,KAAK,EAAE,IAAI,MAAM,OAAO,OAAO,OAAO,KAAK,EAAE,CAAC;AACvE,QAAI,QAAQ,IAAI,cAAc,KAAK;AAAA,MACjC,UAAU;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,QAAQ,KAAK,KAAK;AAAA,IACpB,CAAC;AACD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,QAAI,eAAe,eAAe;AAChC,aAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,IAC3D;AACA,YAAQ,MAAM,8BAA8B,GAAG;AAC/C,WAAO,aAAa,KAAK,EAAE,OAAO,UAAU,iCAAiC,2BAA2B,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9H;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,sBAAsB;AAAA,QAC7E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACxF;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,4BAA4B;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACvF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACtF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/auth/api/reset/confirm.js

@@ -1,6 +1,9 @@
 import { confirmPasswordResetSchema } from "@open-mercato/core/modules/auth/data/validators";
 import { NextResponse } from "next/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
 import { z } from "zod";
 async function POST(req) {
   const form = await req.formData();
@@ -10,8 +13,28 @@ async function POST(req) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: "Invalid request" }, { status: 400 });
   const c = await createRequestContainer();
   const auth = c.resolve("authService");
-  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password);
-  if (!ok) return NextResponse.json({ ok: false, error: "Invalid or expired token" }, { status: 400 });
+  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password);
+  if (!user) return NextResponse.json({ ok: false, error: "Invalid or expired token" }, { status: 400 });
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null;
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c);
+      const typeDef = notificationTypes.find((type) => type.type === "auth.password_reset.completed");
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null
+        });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.reset.confirm] Failed to create notification:", err);
+  }
   return NextResponse.json({ ok: true, redirect: "/login" });
 }
 const metadata = {

package/dist/modules/auth/api/reset/confirm.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/auth/api/reset/confirm.ts"],
-  "sourcesContent": ["import { confirmPasswordResetSchema } from '@open-mercato/core/modules/auth/data/validators'\nimport { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport { z } from 'zod'\n\n// validation via confirmPasswordResetSchema\n\nexport async function POST(req: Request) {\n  const form = await req.formData()\n  const token = String(form.get('token') ?? '')\n  const password = String(form.get('password') ?? '')\n  const parsed = confirmPasswordResetSchema.safeParse({ token, password })\n  if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })\n  const c = await createRequestContainer()\n  const auth = c.resolve<AuthService>('authService')\n  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)\n  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })\n  return NextResponse.json({ ok: true, redirect: '/login' })\n}\n\nexport const metadata = {\n  POST: {},\n}\n\nconst passwordResetConfirmResponseSchema = z.object({\n  ok: z.literal(true),\n  redirect: z.string(),\n})\n\nconst passwordResetErrorSchema = z.object({\n  ok: z.literal(false),\n  error: z.string(),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Confirm password reset',\n  methods: {\n    POST: {\n      summary: 'Complete password reset',\n      description: 'Validates the reset token and updates the user password.',\n      requestBody: {\n        contentType: 'application/x-www-form-urlencoded',\n        schema: confirmPasswordResetSchema,\n      },\n      responses: [\n        { status: 200, description: 'Password reset succeeded', schema: passwordResetConfirmResponseSchema },\n        { status: 400, description: 'Invalid token or payload', schema: passwordResetErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,kCAAkC;AAC3C,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,SAAS;AAIlB,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,IAAI,SAAS;AAChC,QAAM,QAAQ,OAAO,KAAK,IAAI,OAAO,KAAK,EAAE;AAC5C,QAAM,WAAW,OAAO,KAAK,IAAI,UAAU,KAAK,EAAE;AAClD,QAAM,SAAS,2BAA2B,UAAU,EAAE,OAAO,SAAS,CAAC;AACvE,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACtG,QAAM,IAAI,MAAM,uBAAuB;AACvC,QAAM,OAAO,EAAE,QAAqB,aAAa;AACjD,QAAM,KAAK,MAAM,KAAK,qBAAqB,OAAO,KAAK,OAAO,OAAO,KAAK,QAAQ;AAClF,MAAI,CAAC,GAAI,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AACnG,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,UAAU,SAAS,CAAC;AAC3D;AAEO,MAAM,WAAW;AAAA,EACtB,MAAM,CAAC;AACT;AAEA,MAAM,qCAAqC,EAAE,OAAO;AAAA,EAClD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,UAAU,EAAE,OAAO;AACrB,CAAC;AAED,MAAM,2BAA2B,EAAE,OAAO;AAAA,EACxC,IAAI,EAAE,QAAQ,KAAK;AAAA,EACnB,OAAO,EAAE,OAAO;AAClB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,mCAAmC;AAAA,QACnG,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,yBAAyB;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { confirmPasswordResetSchema } from '@open-mercato/core/modules/auth/data/validators'\nimport { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'\nimport { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'\nimport notificationTypes from '@open-mercato/core/modules/auth/notifications'\nimport { z } from 'zod'\n\n// validation via confirmPasswordResetSchema\n\nexport async function POST(req: Request) {\n  const form = await req.formData()\n  const token = String(form.get('token') ?? '')\n  const password = String(form.get('password') ?? '')\n  const parsed = confirmPasswordResetSchema.safeParse({ token, password })\n  if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })\n  const c = await createRequestContainer()\n  const auth = c.resolve<AuthService>('authService')\n  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)\n  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })\n  try {\n    const tenantId = user.tenantId ? String(user.tenantId) : null\n    if (tenantId) {\n      const notificationService = resolveNotificationService(c)\n      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')\n      if (typeDef) {\n        const notificationInput = buildNotificationFromType(typeDef, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, {\n          tenantId,\n          organizationId: user.organizationId ? String(user.organizationId) : null,\n        })\n      }\n    }\n  } catch (err) {\n    console.error('[auth.reset.confirm] Failed to create notification:', err)\n  }\n  return NextResponse.json({ ok: true, redirect: '/login' })\n}\n\nexport const metadata = {\n  POST: {},\n}\n\nconst passwordResetConfirmResponseSchema = z.object({\n  ok: z.literal(true),\n  redirect: z.string(),\n})\n\nconst passwordResetErrorSchema = z.object({\n  ok: z.literal(false),\n  error: z.string(),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Confirm password reset',\n  methods: {\n    POST: {\n      summary: 'Complete password reset',\n      description: 'Validates the reset token and updates the user password.',\n      requestBody: {\n        contentType: 'application/x-www-form-urlencoded',\n        schema: confirmPasswordResetSchema,\n      },\n      responses: [\n        { status: 200, description: 'Password reset succeeded', schema: passwordResetConfirmResponseSchema },\n        { status: 400, description: 'Invalid token or payload', schema: passwordResetErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,kCAAkC;AAC3C,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,iCAAiC;AAC1C,SAAS,kCAAkC;AAC3C,OAAO,uBAAuB;AAC9B,SAAS,SAAS;AAIlB,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,IAAI,SAAS;AAChC,QAAM,QAAQ,OAAO,KAAK,IAAI,OAAO,KAAK,EAAE;AAC5C,QAAM,WAAW,OAAO,KAAK,IAAI,UAAU,KAAK,EAAE;AAClD,QAAM,SAAS,2BAA2B,UAAU,EAAE,OAAO,SAAS,CAAC;AACvE,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACtG,QAAM,IAAI,MAAM,uBAAuB;AACvC,QAAM,OAAO,EAAE,QAAqB,aAAa;AACjD,QAAM,OAAO,MAAM,KAAK,qBAAqB,OAAO,KAAK,OAAO,OAAO,KAAK,QAAQ;AACpF,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AACrG,MAAI;AACF,UAAM,WAAW,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AACzD,QAAI,UAAU;AACZ,YAAM,sBAAsB,2BAA2B,CAAC;AACxD,YAAM,UAAU,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,+BAA+B;AAC9F,UAAI,SAAS;AACX,cAAM,oBAAoB,0BAA0B,SAAS;AAAA,UAC3D,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB;AAAA,UAClD;AAAA,UACA,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACtE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,uDAAuD,GAAG;AAAA,EAC1E;AACA,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,UAAU,SAAS,CAAC;AAC3D;AAEO,MAAM,WAAW;AAAA,EACtB,MAAM,CAAC;AACT;AAEA,MAAM,qCAAqC,EAAE,OAAO;AAAA,EAClD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,UAAU,EAAE,OAAO;AACrB,CAAC;AAED,MAAM,2BAA2B,EAAE,OAAO;AAAA,EACxC,IAAI,EAAE,QAAQ,KAAK;AAAA,EACnB,OAAO,EAAE,OAAO;AAClB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,mCAAmC;AAAA,QACnG,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,yBAAyB;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/reset.js

@@ -4,6 +4,9 @@ import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { sendEmail } from "@open-mercato/shared/lib/email/send";
 import ResetPasswordEmail from "@open-mercato/core/modules/auth/emails/ResetPasswordEmail";
 import { resolveTranslations } from "@open-mercato/shared/lib/i18n/server";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
 import { z } from "zod";
 async function POST(req) {
   const form = await req.formData();
@@ -28,6 +31,26 @@ async function POST(req) {
     hint: translate("auth.email.resetPassword.hint", "If you didn't request this, you can safely ignore this email.")
   };
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) });
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null;
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c);
+      const typeDef = notificationTypes.find((type) => type.type === "auth.password_reset.requested");
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null
+        });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.reset] Failed to create notification:", err);
+  }
   return NextResponse.json({ ok: true });
 }
 const metadata = {

package/dist/modules/auth/api/reset.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/api/reset.ts"],
-  "sourcesContent": ["import { requestPasswordResetSchema } from '@open-mercato/core/modules/auth/data/validators'\nimport { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport { sendEmail } from '@open-mercato/shared/lib/email/send'\nimport ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { z } from 'zod'\n\n// validation via requestPasswordResetSchema\n\nexport async function POST(req: Request) {\n  const form = await req.formData()\n  const email = String(form.get('email') ?? '')\n  const parsed = requestPasswordResetSchema.safeParse({ email })\n  if (!parsed.success) return NextResponse.json({ ok: true }) // do not reveal\n  const c = await createRequestContainer()\n  const auth = c.resolve<AuthService>('authService')\n  const resReq = await auth.requestPasswordReset(parsed.data.email)\n  if (!resReq) return NextResponse.json({ ok: true })\n  const { user, token } = resReq\n  const url = new URL(req.url)\n  const base = process.env.APP_URL || `${url.protocol}//${url.host}`\n  const resetUrl = `${base}/reset/${token}`\n\n  const { translate } = await resolveTranslations()\n  const subject = translate('auth.email.resetPassword.subject', 'Reset your password')\n  const copy = {\n    preview: translate('auth.email.resetPassword.preview', 'Reset your password'),\n    title: translate('auth.email.resetPassword.title', 'Reset your password'),\n    body: translate('auth.email.resetPassword.body', 'Click the link below to set a new password. This link will expire in 60 minutes.'),\n    cta: translate('auth.email.resetPassword.cta', 'Set a new password'),\n    hint: translate('auth.email.resetPassword.hint', \"If you didn't request this, you can safely ignore this email.\"),\n  }\n\n  await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })\n  return NextResponse.json({ ok: true })\n}\n\nexport const metadata = {\n  POST: {},\n}\n\nconst passwordResetRequestSchema = z.object({\n  email: z.string().email(),\n})\n\nconst passwordResetResponseSchema = z.object({\n  ok: z.literal(true),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Request password reset',\n  methods: {\n    POST: {\n      summary: 'Send reset email',\n      description: 'Requests a password reset email for the given account. The endpoint always returns `ok: true` to avoid leaking account existence.',\n      requestBody: {\n        contentType: 'application/x-www-form-urlencoded',\n        schema: passwordResetRequestSchema,\n      },\n      responses: [\n        { status: 200, description: 'Reset email dispatched (or ignored for unknown accounts)', schema: passwordResetResponseSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,kCAAkC;AAC3C,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,iBAAiB;AAC1B,OAAO,wBAAwB;AAC/B,SAAS,2BAA2B;AACpC,SAAS,SAAS;AAIlB,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,IAAI,SAAS;AAChC,QAAM,QAAQ,OAAO,KAAK,IAAI,OAAO,KAAK,EAAE;AAC5C,QAAM,SAAS,2BAA2B,UAAU,EAAE,MAAM,CAAC;AAC7D,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAC1D,QAAM,IAAI,MAAM,uBAAuB;AACvC,QAAM,OAAO,EAAE,QAAqB,aAAa;AACjD,QAAM,SAAS,MAAM,KAAK,qBAAqB,OAAO,KAAK,KAAK;AAChE,MAAI,CAAC,OAAQ,QAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAClD,QAAM,EAAE,MAAM,MAAM,IAAI;AACxB,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,QAAQ,IAAI,WAAW,GAAG,IAAI,QAAQ,KAAK,IAAI,IAAI;AAChE,QAAM,WAAW,GAAG,IAAI,UAAU,KAAK;AAEvC,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,oCAAoC,qBAAqB;AACnF,QAAM,OAAO;AAAA,IACX,SAAS,UAAU,oCAAoC,qBAAqB;AAAA,IAC5E,OAAO,UAAU,kCAAkC,qBAAqB;AAAA,IACxE,MAAM,UAAU,iCAAiC,kFAAkF;AAAA,IACnI,KAAK,UAAU,gCAAgC,oBAAoB;AAAA,IACnE,MAAM,UAAU,iCAAiC,+DAA+D;AAAA,EAClH;AAEA,QAAM,UAAU,EAAE,IAAI,KAAK,OAAO,SAAS,OAAO,mBAAmB,EAAE,UAAU,KAAK,CAAC,EAAE,CAAC;AAC1F,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,WAAW;AAAA,EACtB,MAAM,CAAC;AACT;AAEA,MAAM,6BAA6B,EAAE,OAAO;AAAA,EAC1C,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,4DAA4D,QAAQ,4BAA4B;AAAA,MAC9H;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { requestPasswordResetSchema } from '@open-mercato/core/modules/auth/data/validators'\nimport { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { AuthService } from '@open-mercato/core/modules/auth/services/authService'\nimport { sendEmail } from '@open-mercato/shared/lib/email/send'\nimport ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'\nimport { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'\nimport notificationTypes from '@open-mercato/core/modules/auth/notifications'\nimport { z } from 'zod'\n\n// validation via requestPasswordResetSchema\n\nexport async function POST(req: Request) {\n  const form = await req.formData()\n  const email = String(form.get('email') ?? '')\n  const parsed = requestPasswordResetSchema.safeParse({ email })\n  if (!parsed.success) return NextResponse.json({ ok: true }) // do not reveal\n  const c = await createRequestContainer()\n  const auth = c.resolve<AuthService>('authService')\n  const resReq = await auth.requestPasswordReset(parsed.data.email)\n  if (!resReq) return NextResponse.json({ ok: true })\n  const { user, token } = resReq\n  const url = new URL(req.url)\n  const base = process.env.APP_URL || `${url.protocol}//${url.host}`\n  const resetUrl = `${base}/reset/${token}`\n\n  const { translate } = await resolveTranslations()\n  const subject = translate('auth.email.resetPassword.subject', 'Reset your password')\n  const copy = {\n    preview: translate('auth.email.resetPassword.preview', 'Reset your password'),\n    title: translate('auth.email.resetPassword.title', 'Reset your password'),\n    body: translate('auth.email.resetPassword.body', 'Click the link below to set a new password. This link will expire in 60 minutes.'),\n    cta: translate('auth.email.resetPassword.cta', 'Set a new password'),\n    hint: translate('auth.email.resetPassword.hint', \"If you didn't request this, you can safely ignore this email.\"),\n  }\n\n  await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })\n  try {\n    const tenantId = user.tenantId ? String(user.tenantId) : null\n    if (tenantId) {\n      const notificationService = resolveNotificationService(c)\n      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')\n      if (typeDef) {\n        const notificationInput = buildNotificationFromType(typeDef, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, {\n          tenantId,\n          organizationId: user.organizationId ? String(user.organizationId) : null,\n        })\n      }\n    }\n  } catch (err) {\n    console.error('[auth.reset] Failed to create notification:', err)\n  }\n  return NextResponse.json({ ok: true })\n}\n\nexport const metadata = {\n  POST: {},\n}\n\nconst passwordResetRequestSchema = z.object({\n  email: z.string().email(),\n})\n\nconst passwordResetResponseSchema = z.object({\n  ok: z.literal(true),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Request password reset',\n  methods: {\n    POST: {\n      summary: 'Send reset email',\n      description: 'Requests a password reset email for the given account. The endpoint always returns `ok: true` to avoid leaking account existence.',\n      requestBody: {\n        contentType: 'application/x-www-form-urlencoded',\n        schema: passwordResetRequestSchema,\n      },\n      responses: [\n        { status: 200, description: 'Reset email dispatched (or ignored for unknown accounts)', schema: passwordResetResponseSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,kCAAkC;AAC3C,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,iBAAiB;AAC1B,OAAO,wBAAwB;AAC/B,SAAS,2BAA2B;AACpC,SAAS,iCAAiC;AAC1C,SAAS,kCAAkC;AAC3C,OAAO,uBAAuB;AAC9B,SAAS,SAAS;AAIlB,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,IAAI,SAAS;AAChC,QAAM,QAAQ,OAAO,KAAK,IAAI,OAAO,KAAK,EAAE;AAC5C,QAAM,SAAS,2BAA2B,UAAU,EAAE,MAAM,CAAC;AAC7D,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAC1D,QAAM,IAAI,MAAM,uBAAuB;AACvC,QAAM,OAAO,EAAE,QAAqB,aAAa;AACjD,QAAM,SAAS,MAAM,KAAK,qBAAqB,OAAO,KAAK,KAAK;AAChE,MAAI,CAAC,OAAQ,QAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAClD,QAAM,EAAE,MAAM,MAAM,IAAI;AACxB,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,QAAQ,IAAI,WAAW,GAAG,IAAI,QAAQ,KAAK,IAAI,IAAI;AAChE,QAAM,WAAW,GAAG,IAAI,UAAU,KAAK;AAEvC,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,oCAAoC,qBAAqB;AACnF,QAAM,OAAO;AAAA,IACX,SAAS,UAAU,oCAAoC,qBAAqB;AAAA,IAC5E,OAAO,UAAU,kCAAkC,qBAAqB;AAAA,IACxE,MAAM,UAAU,iCAAiC,kFAAkF;AAAA,IACnI,KAAK,UAAU,gCAAgC,oBAAoB;AAAA,IACnE,MAAM,UAAU,iCAAiC,+DAA+D;AAAA,EAClH;AAEA,QAAM,UAAU,EAAE,IAAI,KAAK,OAAO,SAAS,OAAO,mBAAmB,EAAE,UAAU,KAAK,CAAC,EAAE,CAAC;AAC1F,MAAI;AACF,UAAM,WAAW,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AACzD,QAAI,UAAU;AACZ,YAAM,sBAAsB,2BAA2B,CAAC;AACxD,YAAM,UAAU,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,+BAA+B;AAC9F,UAAI,SAAS;AACX,cAAM,oBAAoB,0BAA0B,SAAS;AAAA,UAC3D,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB;AAAA,UAClD;AAAA,UACA,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACtE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,+CAA+C,GAAG;AAAA,EAClE;AACA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,WAAW;AAAA,EACtB,MAAM,CAAC;AACT;AAEA,MAAM,6BAA6B,EAAE,OAAO;AAAA,EAC1C,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,4DAA4D,QAAQ,4BAA4B;AAAA,MAC9H;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/sidebar/preferences/route.js

@@ -53,12 +53,13 @@ async function GET(req) {
     ["auth.sidebar.manage"],
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null }
   ) ?? false;
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub;
+  const settings = effectiveUserId ? await loadSidebarPreference(em, {
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale
-  });
+  }) : null;
   let rolesPayload = [];
   if (canApplyToRoles) {
     const roleScope = auth.tenantId ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] } : { tenantId: null };
@@ -77,11 +78,11 @@ async function GET(req) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? []
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? []
     },
     canApplyToRoles,
     roles: rolesPayload
@@ -90,6 +91,10 @@ async function GET(req) {
 async function PUT(req) {
   const auth = await getAuthFromRequest(req);
   if (!auth) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub;
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: "Cannot save preferences: no user associated with this API key" }, { status: 403 });
+  }
   let parsedBody;
   try {
     parsedBody = await req.json();
@@ -156,7 +161,7 @@ async function PUT(req) {
     return NextResponse.json({ error: "Forbidden", requiredFeatures: ["auth.sidebar.manage"] }, { status: 403 });
   }
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale

package/dist/modules/auth/api/sidebar/preferences/route.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/sidebar/preferences/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { sidebarPreferencesInputSchema } from '../../../data/validators'\nimport {\n  loadRoleSidebarPreferences,\n  loadSidebarPreference,\n  saveRoleSidebarPreference,\n  saveSidebarPreference,\n} from '../../../services/sidebarPreferencesService'\nimport { SIDEBAR_PREFERENCES_VERSION } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\nimport { Role, RoleSidebarPreference } from '../../../data/entities'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { z } from 'zod'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  PUT: { requireAuth: true },\n}\n\nconst sidebarSettingsSchema = z.object({\n  version: z.number().int().positive(),\n  groupOrder: z.array(z.string()),\n  groupLabels: z.record(z.string(), z.string()),\n  itemLabels: z.record(z.string(), z.string()),\n  hiddenItems: z.array(z.string()),\n})\n\nconst sidebarRoleEntrySchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  hasPreference: z.boolean(),\n})\n\nconst sidebarPreferencesResponseSchema = z.object({\n  locale: z.string(),\n  settings: sidebarSettingsSchema,\n  canApplyToRoles: z.boolean(),\n  roles: z.array(sidebarRoleEntrySchema),\n})\n\nconst sidebarPreferencesUpdateResponseSchema = sidebarPreferencesResponseSchema.extend({\n  appliedRoles: z.array(z.string().uuid()),\n  clearedRoles: z.array(z.string().uuid()),\n})\n\nconst sidebarErrorSchema = z.object({\n  error: z.string(),\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { locale } = await resolveTranslations()\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n  const rbac = resolve('rbacService') as any\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    ['auth.sidebar.manage'],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  const settings = await loadSidebarPreference(em, {\n    userId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  })\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const roleScope = auth.tenantId\n      ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n      : { tenantId: null }\n    const roles = await em.find(Role, roleScope as any, { orderBy: { name: 'asc' } })\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: roles.map((r: Role) => r.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = roles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  return NextResponse.json({\n    locale,\n    settings: {\n      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,\n      groupOrder: settings.groupOrder ?? [],\n      groupLabels: settings.groupLabels ?? {},\n      itemLabels: settings.itemLabels ?? {},\n      hiddenItems: settings.hiddenItems ?? [],\n    },\n    canApplyToRoles,\n    roles: rolesPayload,\n  })\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n  }\n\n  const parsed = sidebarPreferencesInputSchema.safeParse(parsedBody)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload', details: parsed.error.flatten() }, { status: 400 })\n  }\n\n  const sanitizeRecord = (record?: Record<string, string>) => {\n    if (!record) return {}\n    const result: Record<string, string> = {}\n    for (const [key, value] of Object.entries(record)) {\n      const trimmedKey = key.trim()\n      const trimmedValue = value.trim()\n      if (!trimmedKey || !trimmedValue) continue\n      result[trimmedKey] = trimmedValue\n    }\n    return result\n  }\n\n  const groupOrderSource = parsed.data.groupOrder ?? []\n  const seen = new Set<string>()\n  const groupOrder: string[] = []\n  for (const id of groupOrderSource) {\n    const trimmed = id.trim()\n    if (!trimmed || seen.has(trimmed)) continue\n    seen.add(trimmed)\n    groupOrder.push(trimmed)\n  }\n\n  const payload = {\n    version: parsed.data.version ?? SIDEBAR_PREFERENCES_VERSION,\n    groupOrder,\n    groupLabels: sanitizeRecord(parsed.data.groupLabels),\n    itemLabels: sanitizeRecord(parsed.data.itemLabels),\n    hiddenItems: (() => {\n      const source = parsed.data.hiddenItems ?? []\n      const seenHidden = new Set<string>()\n      const values: string[] = []\n      for (const href of source) {\n        const trimmed = href.trim()\n        if (!trimmed || seenHidden.has(trimmed)) continue\n        seenHidden.add(trimmed)\n        values.push(trimmed)\n      }\n      return values\n    })(),\n  }\n\n  const { locale } = await resolveTranslations()\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const applyToRolesSource = parsed.data.applyToRoles ?? []\n  const applyToRoles = Array.from(new Set(applyToRolesSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n  const clearRoleIdsSource = parsed.data.clearRoleIds ?? []\n  const clearRoleIds = Array.from(new Set(clearRoleIdsSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    ['auth.sidebar.manage'],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  if ((applyToRoles.length > 0 || clearRoleIds.length > 0) && !canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: ['auth.sidebar.manage'] }, { status: 403 })\n  }\n\n  const settings = await saveSidebarPreference(em, {\n    userId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  }, payload)\n\n  const roleScope = auth.tenantId\n    ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const availableRoles = canApplyToRoles\n    ? await em.find(Role, roleScope as any, { orderBy: { name: 'asc' } })\n    : []\n  const roleMap = new Map<string, Role>(availableRoles.map((role: Role) => [String(role.id), role]))\n\n  let updatedRoleIds: string[] = []\n  if (applyToRoles.length > 0) {\n    const missing = applyToRoles.filter((id) => !roleMap.has(id))\n    if (missing.length) {\n      return NextResponse.json({ error: 'Invalid roles', missing }, { status: 400 })\n    }\n    for (const roleId of applyToRoles) {\n      const role = roleMap.get(roleId)!\n      await saveRoleSidebarPreference(em, {\n        roleId: role.id,\n        tenantId: auth.tenantId ?? null,\n        locale,\n      }, payload)\n      updatedRoleIds.push(role.id)\n    }\n  }\n\n  const filteredClearRoleIds = clearRoleIds.filter((id) => !updatedRoleIds.includes(id) && !applyToRoles.includes(id))\n\n  if (filteredClearRoleIds.length > 0) {\n    await em.nativeDelete(RoleSidebarPreference, {\n      role: { $in: filteredClearRoleIds },\n      locale,\n      tenantId: auth.tenantId ?? null,\n    })\n    if (cache?.deleteByTags) {\n      try {\n        await cache.deleteByTags(filteredClearRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`))\n      } catch {}\n    }\n  }\n\n  if (cache?.deleteByTags) {\n    const tags = [\n      `nav:sidebar:user:${auth.sub}`,\n      `nav:sidebar:scope:${auth.sub}:${auth.tenantId ?? 'null'}:${auth.orgId ?? 'null'}:${locale}`,\n      ...updatedRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`),\n    ]\n    try {\n      await cache.deleteByTags(tags)\n    } catch {}\n  }\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: availableRoles.map((role: Role) => role.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = availableRoles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  return NextResponse.json({\n    locale,\n    settings,\n    canApplyToRoles,\n    roles: rolesPayload,\n    appliedRoles: updatedRoleIds,\n    clearedRoles: filteredClearRoleIds,\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Sidebar preferences',\n  methods: {\n    GET: {\n      summary: 'Get sidebar preferences',\n      description: 'Returns personal sidebar customization and any role-level preferences the user can manage.',\n      responses: [\n        { status: 200, description: 'Current sidebar configuration', schema: sidebarPreferencesResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update sidebar preferences',\n      description: 'Updates personal sidebar configuration and, optionally, applies the same settings to selected roles.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: sidebarPreferencesInputSchema,\n      },\n      responses: [\n        { status: 200, description: 'Preferences saved', schema: sidebarPreferencesUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-wide updates', schema: sidebarErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,0BAA0B;AACnC,SAAS,2BAA2B;AACpC,SAAS,8BAA8B;AACvC,SAAS,qCAAqC;AAC9C;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,mCAAmC;AAC5C,SAAS,MAAM,6BAA6B;AAE5C,SAAS,SAAS;AAEX,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,KAAK,EAAE,aAAa,KAAK;AAC3B;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC5C,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC3C,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC;AACjC,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,eAAe,EAAE,QAAQ;AAC3B,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,QAAQ,EAAE,OAAO;AAAA,EACjB,UAAU;AAAA,EACV,iBAAiB,EAAE,QAAQ;AAAA,EAC3B,OAAO,EAAE,MAAM,sBAAsB;AACvC,CAAC;AAED,MAAM,yCAAyC,iCAAiC,OAAO;AAAA,EACrF,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AAAA,EACvC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AACzC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,OAAO,QAAQ,aAAa;AAElC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,qBAAqB;AAAA,IACtB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAEL,QAAM,WAAW,MAAM,sBAAsB,IAAI;AAAA,IAC/C,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,KAAK,WACnB,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,WAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE,CAAC;AAChF,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,MAAM,IAAI,CAAC,MAAY,EAAE,EAAE;AAAA,MACpC,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,MAAM,IAAI,CAAC,UAAgB;AAAA,MACxC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA,UAAU;AAAA,MACR,SAAS,SAAS,WAAW;AAAA,MAC7B,YAAY,SAAS,cAAc,CAAC;AAAA,MACpC,aAAa,SAAS,eAAe,CAAC;AAAA,MACtC,YAAY,SAAS,cAAc,CAAC;AAAA,MACpC,aAAa,SAAS,eAAe,CAAC;AAAA,IACxC;AAAA,IACA;AAAA,IACA,OAAO;AAAA,EACT,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,SAAS,8BAA8B,UAAU,UAAU;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,iBAAiB,CAAC,WAAoC;AAC1D,QAAI,CAAC,OAAQ,QAAO,CAAC;AACrB,UAAM,SAAiC,CAAC;AACxC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAM,aAAa,IAAI,KAAK;AAC5B,YAAM,eAAe,MAAM,KAAK;AAChC,UAAI,CAAC,cAAc,CAAC,aAAc;AAClC,aAAO,UAAU,IAAI;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AAEA,QAAM,mBAAmB,OAAO,KAAK,cAAc,CAAC;AACpD,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,kBAAkB;AACjC,UAAM,UAAU,GAAG,KAAK;AACxB,QAAI,CAAC,WAAW,KAAK,IAAI,OAAO,EAAG;AACnC,SAAK,IAAI,OAAO;AAChB,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,QAAM,UAAU;AAAA,IACd,SAAS,OAAO,KAAK,WAAW;AAAA,IAChC;AAAA,IACA,aAAa,eAAe,OAAO,KAAK,WAAW;AAAA,IACnD,YAAY,eAAe,OAAO,KAAK,UAAU;AAAA,IACjD,cAAc,MAAM;AAClB,YAAM,SAAS,OAAO,KAAK,eAAe,CAAC;AAC3C,YAAM,aAAa,oBAAI,IAAY;AACnC,YAAM,SAAmB,CAAC;AAC1B,iBAAW,QAAQ,QAAQ;AACzB,cAAM,UAAU,KAAK,KAAK;AAC1B,YAAI,CAAC,WAAW,WAAW,IAAI,OAAO,EAAG;AACzC,mBAAW,IAAI,OAAO;AACtB,eAAO,KAAK,OAAO;AAAA,MACrB;AACA,aAAO;AAAA,IACT,GAAG;AAAA,EACL;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAChH,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAEhH,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,qBAAqB;AAAA,IACtB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAEL,OAAK,aAAa,SAAS,KAAK,aAAa,SAAS,MAAM,CAAC,iBAAiB;AAC5E,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,qBAAqB,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7G;AAEA,QAAM,WAAW,MAAM,sBAAsB,IAAI;AAAA,IAC/C,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,GAAG,OAAO;AAEV,QAAM,YAAY,KAAK,WACnB,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,QAAM,iBAAiB,kBACnB,MAAM,GAAG,KAAK,MAAM,WAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE,CAAC,IAClE,CAAC;AACL,QAAM,UAAU,IAAI,IAAkB,eAAe,IAAI,CAAC,SAAe,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjG,MAAI,iBAA2B,CAAC;AAChC,MAAI,aAAa,SAAS,GAAG;AAC3B,UAAM,UAAU,aAAa,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;AAC5D,QAAI,QAAQ,QAAQ;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,QAAQ,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/E;AACA,eAAW,UAAU,cAAc;AACjC,YAAM,OAAO,QAAQ,IAAI,MAAM;AAC/B,YAAM,0BAA0B,IAAI;AAAA,QAClC,QAAQ,KAAK;AAAA,QACb,UAAU,KAAK,YAAY;AAAA,QAC3B;AAAA,MACF,GAAG,OAAO;AACV,qBAAe,KAAK,KAAK,EAAE;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,uBAAuB,aAAa,OAAO,CAAC,OAAO,CAAC,eAAe,SAAS,EAAE,KAAK,CAAC,aAAa,SAAS,EAAE,CAAC;AAEnH,MAAI,qBAAqB,SAAS,GAAG;AACnC,UAAM,GAAG,aAAa,uBAAuB;AAAA,MAC3C,MAAM,EAAE,KAAK,qBAAqB;AAAA,MAClC;AAAA,MACA,UAAU,KAAK,YAAY;AAAA,IAC7B,CAAC;AACD,QAAI,OAAO,cAAc;AACvB,UAAI;AACF,cAAM,MAAM,aAAa,qBAAqB,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE,CAAC;AAAA,MAC7F,QAAQ;AAAA,MAAC;AAAA,IACX;AAAA,EACF;AAEA,MAAI,OAAO,cAAc;AACvB,UAAM,OAAO;AAAA,MACX,oBAAoB,KAAK,GAAG;AAAA,MAC5B,qBAAqB,KAAK,GAAG,IAAI,KAAK,YAAY,MAAM,IAAI,KAAK,SAAS,MAAM,IAAI,MAAM;AAAA,MAC1F,GAAG,eAAe,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE;AAAA,IAChE;AACA,QAAI;AACF,YAAM,MAAM,aAAa,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,eAAe,IAAI,CAAC,SAAe,KAAK,EAAE;AAAA,MACnD,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,eAAe,IAAI,CAAC,UAAgB;AAAA,MACjD,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,cAAc;AAAA,IACd,cAAc;AAAA,EAChB,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,iCAAiC;AAAA,QACtG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,uCAAuC;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { sidebarPreferencesInputSchema } from '../../../data/validators'\nimport {\n  loadRoleSidebarPreferences,\n  loadSidebarPreference,\n  saveRoleSidebarPreference,\n  saveSidebarPreference,\n} from '../../../services/sidebarPreferencesService'\nimport { SIDEBAR_PREFERENCES_VERSION } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\nimport { Role, RoleSidebarPreference } from '../../../data/entities'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { z } from 'zod'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  PUT: { requireAuth: true },\n}\n\nconst sidebarSettingsSchema = z.object({\n  version: z.number().int().positive(),\n  groupOrder: z.array(z.string()),\n  groupLabels: z.record(z.string(), z.string()),\n  itemLabels: z.record(z.string(), z.string()),\n  hiddenItems: z.array(z.string()),\n})\n\nconst sidebarRoleEntrySchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  hasPreference: z.boolean(),\n})\n\nconst sidebarPreferencesResponseSchema = z.object({\n  locale: z.string(),\n  settings: sidebarSettingsSchema,\n  canApplyToRoles: z.boolean(),\n  roles: z.array(sidebarRoleEntrySchema),\n})\n\nconst sidebarPreferencesUpdateResponseSchema = sidebarPreferencesResponseSchema.extend({\n  appliedRoles: z.array(z.string().uuid()),\n  clearedRoles: z.array(z.string().uuid()),\n})\n\nconst sidebarErrorSchema = z.object({\n  error: z.string(),\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { locale } = await resolveTranslations()\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n  const rbac = resolve('rbacService') as any\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    ['auth.sidebar.manage'],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  const settings = effectiveUserId\n    ? await loadSidebarPreference(em, {\n        userId: effectiveUserId,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        locale,\n      })\n    : null\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const roleScope = auth.tenantId\n      ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n      : { tenantId: null }\n    const roles = await em.find(Role, roleScope as any, { orderBy: { name: 'asc' } })\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: roles.map((r: Role) => r.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = roles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  return NextResponse.json({\n    locale,\n    settings: {\n      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,\n      groupOrder: settings?.groupOrder ?? [],\n      groupLabels: settings?.groupLabels ?? {},\n      itemLabels: settings?.itemLabels ?? {},\n      hiddenItems: settings?.hiddenItems ?? [],\n    },\n    canApplyToRoles,\n    roles: rolesPayload,\n  })\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  if (!effectiveUserId) {\n    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })\n  }\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n  }\n\n  const parsed = sidebarPreferencesInputSchema.safeParse(parsedBody)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload', details: parsed.error.flatten() }, { status: 400 })\n  }\n\n  const sanitizeRecord = (record?: Record<string, string>) => {\n    if (!record) return {}\n    const result: Record<string, string> = {}\n    for (const [key, value] of Object.entries(record)) {\n      const trimmedKey = key.trim()\n      const trimmedValue = value.trim()\n      if (!trimmedKey || !trimmedValue) continue\n      result[trimmedKey] = trimmedValue\n    }\n    return result\n  }\n\n  const groupOrderSource = parsed.data.groupOrder ?? []\n  const seen = new Set<string>()\n  const groupOrder: string[] = []\n  for (const id of groupOrderSource) {\n    const trimmed = id.trim()\n    if (!trimmed || seen.has(trimmed)) continue\n    seen.add(trimmed)\n    groupOrder.push(trimmed)\n  }\n\n  const payload = {\n    version: parsed.data.version ?? SIDEBAR_PREFERENCES_VERSION,\n    groupOrder,\n    groupLabels: sanitizeRecord(parsed.data.groupLabels),\n    itemLabels: sanitizeRecord(parsed.data.itemLabels),\n    hiddenItems: (() => {\n      const source = parsed.data.hiddenItems ?? []\n      const seenHidden = new Set<string>()\n      const values: string[] = []\n      for (const href of source) {\n        const trimmed = href.trim()\n        if (!trimmed || seenHidden.has(trimmed)) continue\n        seenHidden.add(trimmed)\n        values.push(trimmed)\n      }\n      return values\n    })(),\n  }\n\n  const { locale } = await resolveTranslations()\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const applyToRolesSource = parsed.data.applyToRoles ?? []\n  const applyToRoles = Array.from(new Set(applyToRolesSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n  const clearRoleIdsSource = parsed.data.clearRoleIds ?? []\n  const clearRoleIds = Array.from(new Set(clearRoleIdsSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    ['auth.sidebar.manage'],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  if ((applyToRoles.length > 0 || clearRoleIds.length > 0) && !canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: ['auth.sidebar.manage'] }, { status: 403 })\n  }\n\n  const settings = await saveSidebarPreference(em, {\n    userId: effectiveUserId,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  }, payload)\n\n  const roleScope = auth.tenantId\n    ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const availableRoles = canApplyToRoles\n    ? await em.find(Role, roleScope as any, { orderBy: { name: 'asc' } })\n    : []\n  const roleMap = new Map<string, Role>(availableRoles.map((role: Role) => [String(role.id), role]))\n\n  let updatedRoleIds: string[] = []\n  if (applyToRoles.length > 0) {\n    const missing = applyToRoles.filter((id) => !roleMap.has(id))\n    if (missing.length) {\n      return NextResponse.json({ error: 'Invalid roles', missing }, { status: 400 })\n    }\n    for (const roleId of applyToRoles) {\n      const role = roleMap.get(roleId)!\n      await saveRoleSidebarPreference(em, {\n        roleId: role.id,\n        tenantId: auth.tenantId ?? null,\n        locale,\n      }, payload)\n      updatedRoleIds.push(role.id)\n    }\n  }\n\n  const filteredClearRoleIds = clearRoleIds.filter((id) => !updatedRoleIds.includes(id) && !applyToRoles.includes(id))\n\n  if (filteredClearRoleIds.length > 0) {\n    await em.nativeDelete(RoleSidebarPreference, {\n      role: { $in: filteredClearRoleIds },\n      locale,\n      tenantId: auth.tenantId ?? null,\n    })\n    if (cache?.deleteByTags) {\n      try {\n        await cache.deleteByTags(filteredClearRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`))\n      } catch {}\n    }\n  }\n\n  if (cache?.deleteByTags) {\n    const tags = [\n      `nav:sidebar:user:${auth.sub}`,\n      `nav:sidebar:scope:${auth.sub}:${auth.tenantId ?? 'null'}:${auth.orgId ?? 'null'}:${locale}`,\n      ...updatedRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`),\n    ]\n    try {\n      await cache.deleteByTags(tags)\n    } catch {}\n  }\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: availableRoles.map((role: Role) => role.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = availableRoles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  return NextResponse.json({\n    locale,\n    settings,\n    canApplyToRoles,\n    roles: rolesPayload,\n    appliedRoles: updatedRoleIds,\n    clearedRoles: filteredClearRoleIds,\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Sidebar preferences',\n  methods: {\n    GET: {\n      summary: 'Get sidebar preferences',\n      description: 'Returns personal sidebar customization and any role-level preferences the user can manage.',\n      responses: [\n        { status: 200, description: 'Current sidebar configuration', schema: sidebarPreferencesResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update sidebar preferences',\n      description: 'Updates personal sidebar configuration and, optionally, applies the same settings to selected roles.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: sidebarPreferencesInputSchema,\n      },\n      responses: [\n        { status: 200, description: 'Preferences saved', schema: sidebarPreferencesUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-wide updates', schema: sidebarErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,0BAA0B;AACnC,SAAS,2BAA2B;AACpC,SAAS,8BAA8B;AACvC,SAAS,qCAAqC;AAC9C;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,mCAAmC;AAC5C,SAAS,MAAM,6BAA6B;AAE5C,SAAS,SAAS;AAEX,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,KAAK,EAAE,aAAa,KAAK;AAC3B;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC5C,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC3C,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC;AACjC,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,eAAe,EAAE,QAAQ;AAC3B,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,QAAQ,EAAE,OAAO;AAAA,EACjB,UAAU;AAAA,EACV,iBAAiB,EAAE,QAAQ;AAAA,EAC3B,OAAO,EAAE,MAAM,sBAAsB;AACvC,CAAC;AAED,MAAM,yCAAyC,iCAAiC,OAAO;AAAA,EACrF,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AAAA,EACvC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AACzC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,OAAO,QAAQ,aAAa;AAElC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,qBAAqB;AAAA,IACtB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAGL,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,QAAM,WAAW,kBACb,MAAM,sBAAsB,IAAI;AAAA,IAC9B,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC,IACD;AAEJ,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,KAAK,WACnB,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,WAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE,CAAC;AAChF,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,MAAM,IAAI,CAAC,MAAY,EAAE,EAAE;AAAA,MACpC,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,MAAM,IAAI,CAAC,UAAgB;AAAA,MACxC,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA,UAAU;AAAA,MACR,SAAS,UAAU,WAAW;AAAA,MAC9B,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,MACvC,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,IACzC;AAAA,IACA;AAAA,IACA,OAAO;AAAA,EACT,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,MAAI,CAAC,iBAAiB;AACpB,WAAO,aAAa,KAAK,EAAE,OAAO,gEAAgE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtH;AAEA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,SAAS,8BAA8B,UAAU,UAAU;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,iBAAiB,CAAC,WAAoC;AAC1D,QAAI,CAAC,OAAQ,QAAO,CAAC;AACrB,UAAM,SAAiC,CAAC;AACxC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAM,aAAa,IAAI,KAAK;AAC5B,YAAM,eAAe,MAAM,KAAK;AAChC,UAAI,CAAC,cAAc,CAAC,aAAc;AAClC,aAAO,UAAU,IAAI;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AAEA,QAAM,mBAAmB,OAAO,KAAK,cAAc,CAAC;AACpD,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,kBAAkB;AACjC,UAAM,UAAU,GAAG,KAAK;AACxB,QAAI,CAAC,WAAW,KAAK,IAAI,OAAO,EAAG;AACnC,SAAK,IAAI,OAAO;AAChB,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,QAAM,UAAU;AAAA,IACd,SAAS,OAAO,KAAK,WAAW;AAAA,IAChC;AAAA,IACA,aAAa,eAAe,OAAO,KAAK,WAAW;AAAA,IACnD,YAAY,eAAe,OAAO,KAAK,UAAU;AAAA,IACjD,cAAc,MAAM;AAClB,YAAM,SAAS,OAAO,KAAK,eAAe,CAAC;AAC3C,YAAM,aAAa,oBAAI,IAAY;AACnC,YAAM,SAAmB,CAAC;AAC1B,iBAAW,QAAQ,QAAQ;AACzB,cAAM,UAAU,KAAK,KAAK;AAC1B,YAAI,CAAC,WAAW,WAAW,IAAI,OAAO,EAAG;AACzC,mBAAW,IAAI,OAAO;AACtB,eAAO,KAAK,OAAO;AAAA,MACrB;AACA,aAAO;AAAA,IACT,GAAG;AAAA,EACL;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAChH,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAEhH,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,qBAAqB;AAAA,IACtB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAEL,OAAK,aAAa,SAAS,KAAK,aAAa,SAAS,MAAM,CAAC,iBAAiB;AAC5E,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,qBAAqB,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7G;AAEA,QAAM,WAAW,MAAM,sBAAsB,IAAI;AAAA,IAC/C,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,GAAG,OAAO;AAEV,QAAM,YAAY,KAAK,WACnB,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,QAAM,iBAAiB,kBACnB,MAAM,GAAG,KAAK,MAAM,WAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE,CAAC,IAClE,CAAC;AACL,QAAM,UAAU,IAAI,IAAkB,eAAe,IAAI,CAAC,SAAe,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjG,MAAI,iBAA2B,CAAC;AAChC,MAAI,aAAa,SAAS,GAAG;AAC3B,UAAM,UAAU,aAAa,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;AAC5D,QAAI,QAAQ,QAAQ;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,QAAQ,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/E;AACA,eAAW,UAAU,cAAc;AACjC,YAAM,OAAO,QAAQ,IAAI,MAAM;AAC/B,YAAM,0BAA0B,IAAI;AAAA,QAClC,QAAQ,KAAK;AAAA,QACb,UAAU,KAAK,YAAY;AAAA,QAC3B;AAAA,MACF,GAAG,OAAO;AACV,qBAAe,KAAK,KAAK,EAAE;AAAA,IAC7B;AAAA,EACF;AAEA,QAAM,uBAAuB,aAAa,OAAO,CAAC,OAAO,CAAC,eAAe,SAAS,EAAE,KAAK,CAAC,aAAa,SAAS,EAAE,CAAC;AAEnH,MAAI,qBAAqB,SAAS,GAAG;AACnC,UAAM,GAAG,aAAa,uBAAuB;AAAA,MAC3C,MAAM,EAAE,KAAK,qBAAqB;AAAA,MAClC;AAAA,MACA,UAAU,KAAK,YAAY;AAAA,IAC7B,CAAC;AACD,QAAI,OAAO,cAAc;AACvB,UAAI;AACF,cAAM,MAAM,aAAa,qBAAqB,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE,CAAC;AAAA,MAC7F,QAAQ;AAAA,MAAC;AAAA,IACX;AAAA,EACF;AAEA,MAAI,OAAO,cAAc;AACvB,UAAM,OAAO;AAAA,MACX,oBAAoB,KAAK,GAAG;AAAA,MAC5B,qBAAqB,KAAK,GAAG,IAAI,KAAK,YAAY,MAAM,IAAI,KAAK,SAAS,MAAM,IAAI,MAAM;AAAA,MAC1F,GAAG,eAAe,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE;AAAA,IAChE;AACA,QAAI;AACF,YAAM,MAAM,aAAa,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,eAAe,IAAI,CAAC,SAAe,KAAK,EAAE;AAAA,MACnD,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,eAAe,IAAI,CAAC,UAAgB;AAAA,MACjD,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,cAAc;AAAA,IACd,cAAc;AAAA,EAChB,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,iCAAiC;AAAA,QACtG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,uCAAuC;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/backend/auth/profile/page.js

@@ -0,0 +1,99 @@
+"use client";
+import { jsx } from "react/jsx-runtime";
+import * as React from "react";
+import { useRouter } from "next/navigation";
+import { Page, PageBody } from "@open-mercato/ui/backend/Page";
+import { CrudForm } from "@open-mercato/ui/backend/CrudForm";
+import { apiCall, readApiResultOrThrow } from "@open-mercato/ui/backend/utils/apiCall";
+import { createCrudFormError } from "@open-mercato/ui/backend/utils/serverErrors";
+import { flash } from "@open-mercato/ui/backend/FlashMessages";
+import { LoadingMessage, ErrorMessage } from "@open-mercato/ui/backend/detail";
+import { useT } from "@open-mercato/shared/lib/i18n/context";
+function AuthProfilePage() {
+  const t = useT();
+  const router = useRouter();
+  const [loading, setLoading] = React.useState(true);
+  const [error, setError] = React.useState(null);
+  const [email, setEmail] = React.useState("");
+  const [formKey, setFormKey] = React.useState(0);
+  React.useEffect(() => {
+    let cancelled = false;
+    async function load() {
+      setLoading(true);
+      setError(null);
+      try {
+        const { ok, result } = await apiCall("/api/auth/profile");
+        if (!ok) throw new Error("load_failed");
+        const resolvedEmail = typeof result?.email === "string" ? result.email : "";
+        if (!cancelled) setEmail(resolvedEmail);
+      } catch (err) {
+        console.error("Failed to load auth profile", err);
+        if (!cancelled) setError(t("auth.profile.form.errors.load", "Failed to load profile."));
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    }
+    load();
+    return () => {
+      cancelled = true;
+    };
+  }, [t]);
+  const fields = React.useMemo(() => [
+    { id: "email", label: t("auth.profile.form.email", "Email"), type: "text", required: true },
+    { id: "password", label: t("auth.profile.form.password", "New password"), type: "text" },
+    { id: "confirmPassword", label: t("auth.profile.form.confirmPassword", "Confirm new password"), type: "text" }
+  ], [t]);
+  const handleSubmit = React.useCallback(async (values) => {
+    const nextEmail = values.email?.trim() ?? "";
+    const password = values.password?.trim() ?? "";
+    const confirmPassword = values.confirmPassword?.trim() ?? "";
+    if (!nextEmail) {
+      const message = t("auth.profile.form.errors.emailRequired", "Email is required.");
+      throw createCrudFormError(message, { email: message });
+    }
+    if (password || confirmPassword) {
+      if (password !== confirmPassword) {
+        const message = t("auth.profile.form.errors.passwordMismatch", "Passwords do not match.");
+        throw createCrudFormError(message, { confirmPassword: message });
+      }
+    }
+    if (!password && nextEmail === email) {
+      throw createCrudFormError(t("auth.profile.form.errors.noChanges", "No changes to save."));
+    }
+    const payload = { email: nextEmail };
+    if (password) payload.password = password;
+    const result = await readApiResultOrThrow(
+      "/api/auth/profile",
+      {
+        method: "PUT",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify(payload)
+      },
+      { errorMessage: t("auth.profile.form.errors.save", "Failed to update profile.") }
+    );
+    const resolvedEmail = typeof result?.email === "string" ? result.email : nextEmail;
+    setEmail(resolvedEmail);
+    setFormKey((prev) => prev + 1);
+    flash(t("auth.profile.form.success", "Profile updated."), "success");
+    router.refresh();
+  }, [email, router, t]);
+  return /* @__PURE__ */ jsx(Page, { children: /* @__PURE__ */ jsx(PageBody, { children: loading ? /* @__PURE__ */ jsx(LoadingMessage, { label: t("auth.profile.form.loading", "Loading profile...") }) : error ? /* @__PURE__ */ jsx(ErrorMessage, { label: error }) : /* @__PURE__ */ jsx(
+    CrudForm,
+    {
+      title: t("auth.profile.title", "Profile"),
+      fields,
+      initialValues: {
+        email,
+        password: "",
+        confirmPassword: ""
+      },
+      submitLabel: t("auth.profile.form.save", "Save changes"),
+      onSubmit: handleSubmit
+    },
+    formKey
+  ) }) });
+}
+export {
+  AuthProfilePage as default
+};
+//# sourceMappingURL=page.js.map

package/dist/modules/auth/backend/auth/profile/page.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/auth/backend/auth/profile/page.tsx"],
+  "sourcesContent": ["\"use client\"\nimport * as React from 'react'\nimport { useRouter } from 'next/navigation'\nimport { Page, PageBody } from '@open-mercato/ui/backend/Page'\nimport { CrudForm, type CrudField } from '@open-mercato/ui/backend/CrudForm'\nimport { apiCall, readApiResultOrThrow } from '@open-mercato/ui/backend/utils/apiCall'\nimport { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'\nimport { flash } from '@open-mercato/ui/backend/FlashMessages'\nimport { LoadingMessage, ErrorMessage } from '@open-mercato/ui/backend/detail'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\n\ntype ProfileResponse = {\n  email?: string | null\n}\n\ntype ProfileUpdateResponse = {\n  ok?: boolean\n  email?: string | null\n}\n\ntype ProfileFormValues = {\n  email: string\n  password: string\n  confirmPassword: string\n}\n\nexport default function AuthProfilePage() {\n  const t = useT()\n  const router = useRouter()\n  const [loading, setLoading] = React.useState(true)\n  const [error, setError] = React.useState<string | null>(null)\n  const [email, setEmail] = React.useState('')\n  const [formKey, setFormKey] = React.useState(0)\n\n  React.useEffect(() => {\n    let cancelled = false\n    async function load() {\n      setLoading(true)\n      setError(null)\n      try {\n        const { ok, result } = await apiCall<ProfileResponse>('/api/auth/profile')\n        if (!ok) throw new Error('load_failed')\n        const resolvedEmail = typeof result?.email === 'string' ? result.email : ''\n        if (!cancelled) setEmail(resolvedEmail)\n      } catch (err) {\n        console.error('Failed to load auth profile', err)\n        if (!cancelled) setError(t('auth.profile.form.errors.load', 'Failed to load profile.'))\n      } finally {\n        if (!cancelled) setLoading(false)\n      }\n    }\n    load()\n    return () => { cancelled = true }\n  }, [t])\n\n  const fields = React.useMemo<CrudField[]>(() => [\n    { id: 'email', label: t('auth.profile.form.email', 'Email'), type: 'text', required: true },\n    { id: 'password', label: t('auth.profile.form.password', 'New password'), type: 'text' },\n    { id: 'confirmPassword', label: t('auth.profile.form.confirmPassword', 'Confirm new password'), type: 'text' },\n  ], [t])\n\n  const handleSubmit = React.useCallback(async (values: ProfileFormValues) => {\n    const nextEmail = values.email?.trim() ?? ''\n    const password = values.password?.trim() ?? ''\n    const confirmPassword = values.confirmPassword?.trim() ?? ''\n\n    if (!nextEmail) {\n      const message = t('auth.profile.form.errors.emailRequired', 'Email is required.')\n      throw createCrudFormError(message, { email: message })\n    }\n\n    if (password || confirmPassword) {\n      if (password !== confirmPassword) {\n        const message = t('auth.profile.form.errors.passwordMismatch', 'Passwords do not match.')\n        throw createCrudFormError(message, { confirmPassword: message })\n      }\n    }\n\n    if (!password && nextEmail === email) {\n      throw createCrudFormError(t('auth.profile.form.errors.noChanges', 'No changes to save.'))\n    }\n\n    const payload: { email: string; password?: string } = { email: nextEmail }\n    if (password) payload.password = password\n\n    const result = await readApiResultOrThrow<ProfileUpdateResponse>(\n      '/api/auth/profile',\n      {\n        method: 'PUT',\n        headers: { 'content-type': 'application/json' },\n        body: JSON.stringify(payload),\n      },\n      { errorMessage: t('auth.profile.form.errors.save', 'Failed to update profile.') },\n    )\n\n    const resolvedEmail = typeof result?.email === 'string' ? result.email : nextEmail\n    setEmail(resolvedEmail)\n    setFormKey((prev) => prev + 1)\n    flash(t('auth.profile.form.success', 'Profile updated.'), 'success')\n    router.refresh()\n  }, [email, router, t])\n\n  return (\n    <Page>\n      <PageBody>\n        {loading ? (\n          <LoadingMessage label={t('auth.profile.form.loading', 'Loading profile...')} />\n        ) : error ? (\n          <ErrorMessage label={error} />\n        ) : (\n          <CrudForm<ProfileFormValues>\n            key={formKey}\n            title={t('auth.profile.title', 'Profile')}\n            fields={fields}\n            initialValues={{\n              email,\n              password: '',\n              confirmPassword: '',\n            }}\n            submitLabel={t('auth.profile.form.save', 'Save changes')}\n            onSubmit={handleSubmit}\n          />\n        )}\n      </PageBody>\n    </Page>\n  )\n}\n"],
+  "mappings": ";AA0GU;AAzGV,YAAY,WAAW;AACvB,SAAS,iBAAiB;AAC1B,SAAS,MAAM,gBAAgB;AAC/B,SAAS,gBAAgC;AACzC,SAAS,SAAS,4BAA4B;AAC9C,SAAS,2BAA2B;AACpC,SAAS,aAAa;AACtB,SAAS,gBAAgB,oBAAoB;AAC7C,SAAS,YAAY;AAiBN,SAAR,kBAAmC;AACxC,QAAM,IAAI,KAAK;AACf,QAAM,SAAS,UAAU;AACzB,QAAM,CAAC,SAAS,UAAU,IAAI,MAAM,SAAS,IAAI;AACjD,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAwB,IAAI;AAC5D,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAS,EAAE;AAC3C,QAAM,CAAC,SAAS,UAAU,IAAI,MAAM,SAAS,CAAC;AAE9C,QAAM,UAAU,MAAM;AACpB,QAAI,YAAY;AAChB,mBAAe,OAAO;AACpB,iBAAW,IAAI;AACf,eAAS,IAAI;AACb,UAAI;AACF,cAAM,EAAE,IAAI,OAAO,IAAI,MAAM,QAAyB,mBAAmB;AACzE,YAAI,CAAC,GAAI,OAAM,IAAI,MAAM,aAAa;AACtC,cAAM,gBAAgB,OAAO,QAAQ,UAAU,WAAW,OAAO,QAAQ;AACzE,YAAI,CAAC,UAAW,UAAS,aAAa;AAAA,MACxC,SAAS,KAAK;AACZ,gBAAQ,MAAM,+BAA+B,GAAG;AAChD,YAAI,CAAC,UAAW,UAAS,EAAE,iCAAiC,yBAAyB,CAAC;AAAA,MACxF,UAAE;AACA,YAAI,CAAC,UAAW,YAAW,KAAK;AAAA,MAClC;AAAA,IACF;AACA,SAAK;AACL,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAK;AAAA,EAClC,GAAG,CAAC,CAAC,CAAC;AAEN,QAAM,SAAS,MAAM,QAAqB,MAAM;AAAA,IAC9C,EAAE,IAAI,SAAS,OAAO,EAAE,2BAA2B,OAAO,GAAG,MAAM,QAAQ,UAAU,KAAK;AAAA,IAC1F,EAAE,IAAI,YAAY,OAAO,EAAE,8BAA8B,cAAc,GAAG,MAAM,OAAO;AAAA,IACvF,EAAE,IAAI,mBAAmB,OAAO,EAAE,qCAAqC,sBAAsB,GAAG,MAAM,OAAO;AAAA,EAC/G,GAAG,CAAC,CAAC,CAAC;AAEN,QAAM,eAAe,MAAM,YAAY,OAAO,WAA8B;AAC1E,UAAM,YAAY,OAAO,OAAO,KAAK,KAAK;AAC1C,UAAM,WAAW,OAAO,UAAU,KAAK,KAAK;AAC5C,UAAM,kBAAkB,OAAO,iBAAiB,KAAK,KAAK;AAE1D,QAAI,CAAC,WAAW;AACd,YAAM,UAAU,EAAE,0CAA0C,oBAAoB;AAChF,YAAM,oBAAoB,SAAS,EAAE,OAAO,QAAQ,CAAC;AAAA,IACvD;AAEA,QAAI,YAAY,iBAAiB;AAC/B,UAAI,aAAa,iBAAiB;AAChC,cAAM,UAAU,EAAE,6CAA6C,yBAAyB;AACxF,cAAM,oBAAoB,SAAS,EAAE,iBAAiB,QAAQ,CAAC;AAAA,MACjE;AAAA,IACF;AAEA,QAAI,CAAC,YAAY,cAAc,OAAO;AACpC,YAAM,oBAAoB,EAAE,sCAAsC,qBAAqB,CAAC;AAAA,IAC1F;AAEA,UAAM,UAAgD,EAAE,OAAO,UAAU;AACzE,QAAI,SAAU,SAAQ,WAAW;AAEjC,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,QAC9C,MAAM,KAAK,UAAU,OAAO;AAAA,MAC9B;AAAA,MACA,EAAE,cAAc,EAAE,iCAAiC,2BAA2B,EAAE;AAAA,IAClF;AAEA,UAAM,gBAAgB,OAAO,QAAQ,UAAU,WAAW,OAAO,QAAQ;AACzE,aAAS,aAAa;AACtB,eAAW,CAAC,SAAS,OAAO,CAAC;AAC7B,UAAM,EAAE,6BAA6B,kBAAkB,GAAG,SAAS;AACnE,WAAO,QAAQ;AAAA,EACjB,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC;AAErB,SACE,oBAAC,QACC,8BAAC,YACE,oBACC,oBAAC,kBAAe,OAAO,EAAE,6BAA6B,oBAAoB,GAAG,IAC3E,QACF,oBAAC,gBAAa,OAAO,OAAO,IAE5B;AAAA,IAAC;AAAA;AAAA,MAEC,OAAO,EAAE,sBAAsB,SAAS;AAAA,MACxC;AAAA,MACA,eAAe;AAAA,QACb;AAAA,QACA,UAAU;AAAA,QACV,iBAAiB;AAAA,MACnB;AAAA,MACA,aAAa,EAAE,0BAA0B,cAAc;AAAA,MACvD,UAAU;AAAA;AAAA,IATL;AAAA,EAUP,GAEJ,GACF;AAEJ;",
+  "names": []
+}

package/dist/modules/auth/backend/auth/profile/page.meta.js

@@ -0,0 +1,12 @@
+const metadata = {
+  requireAuth: true,
+  pageTitle: "Profile",
+  pageTitleKey: "auth.profile.title",
+  breadcrumb: [
+    { label: "Profile", labelKey: "auth.profile.title" }
+  ]
+};
+export {
+  metadata
+};
+//# sourceMappingURL=page.meta.js.map

package/dist/modules/auth/backend/auth/profile/page.meta.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/auth/backend/auth/profile/page.meta.ts"],
+  "sourcesContent": ["export const metadata = {\n  requireAuth: true,\n  pageTitle: 'Profile',\n  pageTitleKey: 'auth.profile.title',\n  breadcrumb: [\n    { label: 'Profile', labelKey: 'auth.profile.title' },\n  ],\n}\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,aAAa;AAAA,EACb,WAAW;AAAA,EACX,cAAc;AAAA,EACd,YAAY;AAAA,IACV,EAAE,OAAO,WAAW,UAAU,qBAAqB;AAAA,EACrD;AACF;",
+  "names": []
+}

package/dist/modules/auth/commands/users.js

@@ -22,6 +22,9 @@ import {
 import { normalizeTenantId } from "@open-mercato/core/modules/auth/lib/tenantAccess";
 import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
 const createSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
@@ -60,6 +63,38 @@ const userCrudIndexer = {
     tenantId: ctx.identifiers.tenantId
   })
 };
+async function notifyRoleChanges(ctx, user, assignedRoles, revokedRoles) {
+  const tenantId = user.tenantId ? String(user.tenantId) : null;
+  if (!tenantId) return;
+  const organizationId = user.organizationId ? String(user.organizationId) : null;
+  try {
+    const notificationService = resolveNotificationService(ctx.container);
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === "auth.role.assigned");
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === "auth.role.revoked");
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.users.roles] Failed to create notification:", err);
+  }
+}
 const createUserCommand = {
   id: "auth.users.create",
   async execute(rawInput, ctx) {
@@ -97,8 +132,10 @@ const createUserCommand = {
       if (isUniqueViolation(error)) await throwDuplicateEmailError();
       throw error;
     }
+    let assignedRoles = [];
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId);
+      assignedRoles = await loadUserRoleNames(em, String(user.id));
     }
     await setCustomFieldsIfAny({
       dataEngine: de,
@@ -120,6 +157,9 @@ const createUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, []);
+    }
     return user;
   },
   captureAfter: async (_input, result, ctx) => {
@@ -230,6 +270,7 @@ const updateUserCommand = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput);
     const em = ctx.container.resolve("em");
+    const rolesBefore = Array.isArray(parsed.roles) ? await loadUserRoleNames(em, parsed.id) : null;
     if (parsed.email !== void 0) {
       const emailHash2 = computeEmailHash(parsed.email);
       const duplicate = await em.findOne(
@@ -310,6 +351,13 @@ const updateUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id));
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter);
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked);
+      }
+    }
     await invalidateUserCache(ctx, parsed.id);
     return user;
   },
@@ -656,6 +704,13 @@ async function invalidateUserCache(ctx, userId) {
   } catch {
   }
 }
+function diffRoleChanges(before, after) {
+  const beforeSet = new Set(before);
+  const afterSet = new Set(after);
+  const assigned = after.filter((role) => !beforeSet.has(role));
+  const revoked = before.filter((role) => !afterSet.has(role));
+  return { assigned, revoked };
+}
 function arrayEquals(left, right) {
   if (!left) return false;
   if (left.length !== right.length) return false;