@open-mercato/core 0.4.2-canary-ba1d84349b → 0.4.2-canary-07dbc98202

package/src/modules/auth/backend/auth/profile/page.tsx

@@ -0,0 +1,127 @@
+"use client"
+import * as React from 'react'
+import { useRouter } from 'next/navigation'
+import { Page, PageBody } from '@open-mercato/ui/backend/Page'
+import { CrudForm, type CrudField } from '@open-mercato/ui/backend/CrudForm'
+import { apiCall, readApiResultOrThrow } from '@open-mercato/ui/backend/utils/apiCall'
+import { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'
+import { flash } from '@open-mercato/ui/backend/FlashMessages'
+import { LoadingMessage, ErrorMessage } from '@open-mercato/ui/backend/detail'
+import { useT } from '@open-mercato/shared/lib/i18n/context'
+
+type ProfileResponse = {
+  email?: string | null
+}
+
+type ProfileUpdateResponse = {
+  ok?: boolean
+  email?: string | null
+}
+
+type ProfileFormValues = {
+  email: string
+  password: string
+  confirmPassword: string
+}
+
+export default function AuthProfilePage() {
+  const t = useT()
+  const router = useRouter()
+  const [loading, setLoading] = React.useState(true)
+  const [error, setError] = React.useState<string | null>(null)
+  const [email, setEmail] = React.useState('')
+  const [formKey, setFormKey] = React.useState(0)
+
+  React.useEffect(() => {
+    let cancelled = false
+    async function load() {
+      setLoading(true)
+      setError(null)
+      try {
+        const { ok, result } = await apiCall<ProfileResponse>('/api/auth/profile')
+        if (!ok) throw new Error('load_failed')
+        const resolvedEmail = typeof result?.email === 'string' ? result.email : ''
+        if (!cancelled) setEmail(resolvedEmail)
+      } catch (err) {
+        console.error('Failed to load auth profile', err)
+        if (!cancelled) setError(t('auth.profile.form.errors.load', 'Failed to load profile.'))
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    load()
+    return () => { cancelled = true }
+  }, [t])
+
+  const fields = React.useMemo<CrudField[]>(() => [
+    { id: 'email', label: t('auth.profile.form.email', 'Email'), type: 'text', required: true },
+    { id: 'password', label: t('auth.profile.form.password', 'New password'), type: 'text' },
+    { id: 'confirmPassword', label: t('auth.profile.form.confirmPassword', 'Confirm new password'), type: 'text' },
+  ], [t])
+
+  const handleSubmit = React.useCallback(async (values: ProfileFormValues) => {
+    const nextEmail = values.email?.trim() ?? ''
+    const password = values.password?.trim() ?? ''
+    const confirmPassword = values.confirmPassword?.trim() ?? ''
+
+    if (!nextEmail) {
+      const message = t('auth.profile.form.errors.emailRequired', 'Email is required.')
+      throw createCrudFormError(message, { email: message })
+    }
+
+    if (password || confirmPassword) {
+      if (password !== confirmPassword) {
+        const message = t('auth.profile.form.errors.passwordMismatch', 'Passwords do not match.')
+        throw createCrudFormError(message, { confirmPassword: message })
+      }
+    }
+
+    if (!password && nextEmail === email) {
+      throw createCrudFormError(t('auth.profile.form.errors.noChanges', 'No changes to save.'))
+    }
+
+    const payload: { email: string; password?: string } = { email: nextEmail }
+    if (password) payload.password = password
+
+    const result = await readApiResultOrThrow<ProfileUpdateResponse>(
+      '/api/auth/profile',
+      {
+        method: 'PUT',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(payload),
+      },
+      { errorMessage: t('auth.profile.form.errors.save', 'Failed to update profile.') },
+    )
+
+    const resolvedEmail = typeof result?.email === 'string' ? result.email : nextEmail
+    setEmail(resolvedEmail)
+    setFormKey((prev) => prev + 1)
+    flash(t('auth.profile.form.success', 'Profile updated.'), 'success')
+    router.refresh()
+  }, [email, router, t])
+
+  return (
+    <Page>
+      <PageBody>
+        {loading ? (
+          <LoadingMessage label={t('auth.profile.form.loading', 'Loading profile...')} />
+        ) : error ? (
+          <ErrorMessage label={error} />
+        ) : (
+          <CrudForm<ProfileFormValues>
+            key={formKey}
+            title={t('auth.profile.title', 'Profile')}
+            fields={fields}
+            initialValues={{
+              email,
+              password: '',
+              confirmPassword: '',
+            }}
+            submitLabel={t('auth.profile.form.save', 'Save changes')}
+            onSubmit={handleSubmit}
+          />
+        )}
+      </PageBody>
+    </Page>
+  )
+}

package/src/modules/auth/commands/users.ts

@@ -27,6 +27,9 @@ import {
 import { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 
 type SerializedUser = {
   email: string
@@ -105,6 +108,46 @@ export const userCrudIndexer: CrudIndexerConfig = {
   }),
 }
 
+async function notifyRoleChanges(
+  ctx: CommandRuntimeContext,
+  user: User,
+  assignedRoles: string[],
+  revokedRoles: string[],
+): Promise<void> {
+  const tenantId = user.tenantId ? String(user.tenantId) : null
+  if (!tenantId) return
+  const organizationId = user.organizationId ? String(user.organizationId) : null
+
+  try {
+    const notificationService = resolveNotificationService(ctx.container)
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, { tenantId, organizationId })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.users.roles] Failed to create notification:', err)
+  }
+}
+
 const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
   id: 'auth.users.create',
   async execute(rawInput, ctx) {
@@ -147,8 +190,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       throw error
     }
 
+    let assignedRoles: string[] = []
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId)
+      assignedRoles = await loadUserRoleNames(em, String(user.id))
     }
 
     await setCustomFieldsIfAny({
@@ -173,6 +218,10 @@ const createUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, [])
+    }
+
     return user
   },
   captureAfter: async (_input, result, ctx) => {
@@ -288,6 +337,9 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)
     const em = (ctx.container.resolve('em') as EntityManager)
+    const rolesBefore = Array.isArray(parsed.roles)
+      ? await loadUserRoleNames(em, parsed.id)
+      : null
 
     if (parsed.email !== undefined) {
       const emailHash = computeEmailHash(parsed.email)
@@ -377,6 +429,14 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       indexer: userCrudIndexer,
     })
 
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id))
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked)
+      }
+    }
+
     await invalidateUserCache(ctx, parsed.id)
 
     return user
@@ -772,6 +832,14 @@ async function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {
   }
 }
 
+function diffRoleChanges(before: string[], after: string[]) {
+  const beforeSet = new Set(before)
+  const afterSet = new Set(after)
+  const assigned = after.filter((role) => !beforeSet.has(role))
+  const revoked = before.filter((role) => !afterSet.has(role))
+  return { assigned, revoked }
+}
+
 function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   if (!left) return false
   if (left.length !== right.length) return false

package/src/modules/auth/i18n/de.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "Benutzerdaten konnten nicht geladen werden",
   "auth.users.form.errors.aclUpdate": "Aktualisierung der Benutzerberechtigungen fehlgeschlagen",
   "auth.users.form.errors.delete": "Benutzer konnte nicht gelöscht werden",
+  "auth.profile.title": "Profil",
+  "auth.profile.form.email": "E-Mail",
+  "auth.profile.form.password": "Neues Passwort",
+  "auth.profile.form.confirmPassword": "Neues Passwort bestätigen",
+  "auth.profile.form.save": "Änderungen speichern",
+  "auth.profile.form.loading": "Profil wird geladen...",
+  "auth.profile.form.errors.load": "Profil konnte nicht geladen werden.",
+  "auth.profile.form.errors.save": "Profil konnte nicht aktualisiert werden.",
+  "auth.profile.form.errors.invalid": "Ungültige Profilaktualisierung.",
+  "auth.profile.form.errors.passwordMismatch": "Die Passwörter stimmen nicht überein.",
+  "auth.profile.form.errors.noChanges": "Keine Änderungen zu speichern.",
+  "auth.profile.form.errors.emailRequired": "E-Mail ist erforderlich.",
+  "auth.profile.form.success": "Profil aktualisiert.",
   "auth.users.list.error.load": "Benutzer konnten nicht geladen werden",
   "auth.users.list.error.delete": "Benutzer konnte nicht gelöscht werden",
   "auth.users.flash.created": "Benutzer erstellt",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Passwort zurücksetzen",
   "auth.email.resetPassword.body": "Klicken Sie auf den Link unten, um ein neues Passwort festzulegen. Dieser Link läuft in 60 Minuten ab.",
   "auth.email.resetPassword.cta": "Neues Passwort festlegen",
-  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren."
+  "auth.email.resetPassword.hint": "Wenn Sie dies nicht angefordert haben, können Sie diese E-Mail ignorieren.",
+  "auth.notifications.passwordReset.requested.title": "Passwort-Zurücksetzung angefordert",
+  "auth.notifications.passwordReset.requested.body": "Ein Link zum Zurücksetzen des Passworts wurde an Ihre E-Mail gesendet",
+  "auth.notifications.passwordReset.completed.title": "Passwort erfolgreich geändert",
+  "auth.notifications.passwordReset.completed.body": "Ihr Passwort wurde erfolgreich aktualisiert",
+  "auth.notifications.account.locked.title": "Konto gesperrt",
+  "auth.notifications.account.locked.body": "Ihr Konto wurde aus Sicherheitsgründen gesperrt. Bitte wenden Sie sich an den Support.",
+  "auth.notifications.login.newDevice.title": "Neues Gerät erkannt",
+  "auth.notifications.login.newDevice.body": "Es wurde eine Anmeldung von einem unbekannten Gerät für Ihr Konto erkannt",
+  "auth.notifications.role.assigned.title": "Neue Rolle zugewiesen",
+  "auth.notifications.role.assigned.body": "Ihnen wurde eine neue Rolle mit zusätzlichen Berechtigungen zugewiesen",
+  "auth.notifications.role.revoked.title": "Rolle entfernt",
+  "auth.notifications.role.revoked.body": "Eine Rolle wurde von Ihrem Konto entfernt",
+  "auth.actions.contactSupport": "Support kontaktieren",
+  "auth.actions.viewSessions": "Sitzungen anzeigen",
+  "auth.actions.viewPermissions": "Berechtigungen anzeigen"
 }

package/src/modules/auth/i18n/en.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "Failed to load user data",
   "auth.users.form.errors.aclUpdate": "Failed to update user access control",
   "auth.users.form.errors.delete": "Failed to delete user",
+  "auth.profile.title": "Profile",
+  "auth.profile.form.email": "Email",
+  "auth.profile.form.password": "New password",
+  "auth.profile.form.confirmPassword": "Confirm new password",
+  "auth.profile.form.save": "Save changes",
+  "auth.profile.form.loading": "Loading profile...",
+  "auth.profile.form.errors.load": "Failed to load profile.",
+  "auth.profile.form.errors.save": "Failed to update profile.",
+  "auth.profile.form.errors.invalid": "Invalid profile update.",
+  "auth.profile.form.errors.passwordMismatch": "Passwords do not match.",
+  "auth.profile.form.errors.noChanges": "No changes to save.",
+  "auth.profile.form.errors.emailRequired": "Email is required.",
+  "auth.profile.form.success": "Profile updated.",
   "auth.users.list.error.load": "Failed to load users",
   "auth.users.list.error.delete": "Failed to delete user",
   "auth.users.flash.created": "User created",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Reset your password",
   "auth.email.resetPassword.body": "Click the link below to set a new password. This link will expire in 60 minutes.",
   "auth.email.resetPassword.cta": "Set a new password",
-  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email."
+  "auth.email.resetPassword.hint": "If you didn't request this, you can safely ignore this email.",
+  "auth.notifications.passwordReset.requested.title": "Password reset requested",
+  "auth.notifications.passwordReset.requested.body": "A password reset link has been sent to your email",
+  "auth.notifications.passwordReset.completed.title": "Password successfully changed",
+  "auth.notifications.passwordReset.completed.body": "Your password has been updated successfully",
+  "auth.notifications.account.locked.title": "Account locked",
+  "auth.notifications.account.locked.body": "Your account has been locked due to security reasons. Please contact support.",
+  "auth.notifications.login.newDevice.title": "New device login detected",
+  "auth.notifications.login.newDevice.body": "A new login from an unrecognized device was detected on your account",
+  "auth.notifications.role.assigned.title": "New role assigned",
+  "auth.notifications.role.assigned.body": "You have been assigned a new role with additional permissions",
+  "auth.notifications.role.revoked.title": "Role removed",
+  "auth.notifications.role.revoked.body": "A role has been removed from your account",
+  "auth.actions.contactSupport": "Contact Support",
+  "auth.actions.viewSessions": "View Sessions",
+  "auth.actions.viewPermissions": "View Permissions"
 }

package/src/modules/auth/i18n/es.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "No se pudieron cargar los datos del usuario",
   "auth.users.form.errors.aclUpdate": "No se pudo actualizar el control de acceso del usuario",
   "auth.users.form.errors.delete": "No se pudo eliminar el usuario",
+  "auth.profile.title": "Perfil",
+  "auth.profile.form.email": "Correo electrónico",
+  "auth.profile.form.password": "Nueva contraseña",
+  "auth.profile.form.confirmPassword": "Confirmar nueva contraseña",
+  "auth.profile.form.save": "Guardar cambios",
+  "auth.profile.form.loading": "Cargando perfil...",
+  "auth.profile.form.errors.load": "No se pudo cargar el perfil.",
+  "auth.profile.form.errors.save": "No se pudo actualizar el perfil.",
+  "auth.profile.form.errors.invalid": "Actualización de perfil inválida.",
+  "auth.profile.form.errors.passwordMismatch": "Las contraseñas no coinciden.",
+  "auth.profile.form.errors.noChanges": "No hay cambios para guardar.",
+  "auth.profile.form.errors.emailRequired": "El correo electrónico es obligatorio.",
+  "auth.profile.form.success": "Perfil actualizado.",
   "auth.users.list.error.load": "No se pudieron cargar los usuarios",
   "auth.users.list.error.delete": "No se pudo eliminar el usuario",
   "auth.users.flash.created": "Usuario creado",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Restablecer tu contraseña",
   "auth.email.resetPassword.body": "Haz clic en el siguiente enlace para establecer una nueva contraseña. Este enlace caducará en 60 minutos.",
   "auth.email.resetPassword.cta": "Establecer nueva contraseña",
-  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura."
+  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura.",
+  "auth.notifications.passwordReset.requested.title": "Solicitud de restablecimiento de contraseña",
+  "auth.notifications.passwordReset.requested.body": "Se ha enviado un enlace de restablecimiento de contraseña a tu correo electrónico",
+  "auth.notifications.passwordReset.completed.title": "Contraseña cambiada correctamente",
+  "auth.notifications.passwordReset.completed.body": "Tu contraseña se actualizó correctamente",
+  "auth.notifications.account.locked.title": "Cuenta bloqueada",
+  "auth.notifications.account.locked.body": "Tu cuenta ha sido bloqueada por razones de seguridad. Ponte en contacto con soporte.",
+  "auth.notifications.login.newDevice.title": "Nuevo inicio de sesión detectado",
+  "auth.notifications.login.newDevice.body": "Se detectó un inicio de sesión desde un dispositivo no reconocido en tu cuenta",
+  "auth.notifications.role.assigned.title": "Nuevo rol asignado",
+  "auth.notifications.role.assigned.body": "Se te ha asignado un nuevo rol con permisos adicionales",
+  "auth.notifications.role.revoked.title": "Rol eliminado",
+  "auth.notifications.role.revoked.body": "Se ha eliminado un rol de tu cuenta",
+  "auth.actions.contactSupport": "Contactar soporte",
+  "auth.actions.viewSessions": "Ver sesiones",
+  "auth.actions.viewPermissions": "Ver permisos"
 }

package/src/modules/auth/i18n/pl.json

@@ -80,6 +80,19 @@
   "auth.users.form.errors.load": "Nie udało się wczytać danych użytkownika",
   "auth.users.form.errors.aclUpdate": "Nie udało się zaktualizować uprawnień użytkownika",
   "auth.users.form.errors.delete": "Nie udało się usunąć użytkownika",
+  "auth.profile.title": "Profil",
+  "auth.profile.form.email": "Email",
+  "auth.profile.form.password": "Nowe hasło",
+  "auth.profile.form.confirmPassword": "Potwierdź nowe hasło",
+  "auth.profile.form.save": "Zapisz zmiany",
+  "auth.profile.form.loading": "Ładowanie profilu...",
+  "auth.profile.form.errors.load": "Nie udało się wczytać profilu.",
+  "auth.profile.form.errors.save": "Nie udało się zaktualizować profilu.",
+  "auth.profile.form.errors.invalid": "Nieprawidłowa aktualizacja profilu.",
+  "auth.profile.form.errors.passwordMismatch": "Hasła nie są zgodne.",
+  "auth.profile.form.errors.noChanges": "Brak zmian do zapisania.",
+  "auth.profile.form.errors.emailRequired": "Email jest wymagany.",
+  "auth.profile.form.success": "Profil zaktualizowany.",
   "auth.users.list.error.load": "Nie udało się wczytać użytkowników",
   "auth.users.list.error.delete": "Nie udało się usunąć użytkownika",
   "auth.users.flash.created": "Użytkownik utworzony",
@@ -95,5 +108,20 @@
   "auth.email.resetPassword.title": "Zresetuj swoje hasło",
   "auth.email.resetPassword.body": "Kliknij poniższy link, aby ustawić nowe hasło. Link wygaśnie za 60 minut.",
   "auth.email.resetPassword.cta": "Ustaw nowe hasło",
-  "auth.email.resetPassword.hint": "Jeśli nie prosiłeś o tę wiadomość, możesz ją bezpiecznie zignorować."
+  "auth.email.resetPassword.hint": "Jeśli nie prosiłeś o tę wiadomość, możesz ją bezpiecznie zignorować.",
+  "auth.notifications.passwordReset.requested.title": "Żądanie resetu hasła",
+  "auth.notifications.passwordReset.requested.body": "Link do resetu hasła został wysłany na Twój adres e-mail",
+  "auth.notifications.passwordReset.completed.title": "Hasło zmienione pomyślnie",
+  "auth.notifications.passwordReset.completed.body": "Twoje hasło zostało pomyślnie zaktualizowane",
+  "auth.notifications.account.locked.title": "Konto zablokowane",
+  "auth.notifications.account.locked.body": "Twoje konto zostało zablokowane z powodów bezpieczeństwa. Skontaktuj się z pomocą techniczną.",
+  "auth.notifications.login.newDevice.title": "Wykryto logowanie z nowego urządzenia",
+  "auth.notifications.login.newDevice.body": "Wykryto logowanie z nieznanego urządzenia na Twoim koncie",
+  "auth.notifications.role.assigned.title": "Przypisano nową rolę",
+  "auth.notifications.role.assigned.body": "Przypisano Ci nową rolę z dodatkowymi uprawnieniami",
+  "auth.notifications.role.revoked.title": "Rola usunięta",
+  "auth.notifications.role.revoked.body": "Z Twojego konta usunięto rolę",
+  "auth.actions.contactSupport": "Skontaktuj się z pomocą",
+  "auth.actions.viewSessions": "Zobacz sesje",
+  "auth.actions.viewPermissions": "Zobacz uprawnienia"
 }

package/src/modules/auth/lib/setup-app.ts

@@ -395,6 +395,7 @@ async function ensureDefaultRoleAcls(
       'dashboards.*',
       'dashboards.admin.assign-widgets',
       'api_keys.*',
+      'notifications.manage',
       'perspectives.use',
       'perspectives.role_defaults',
       'business_rules.*',

package/src/modules/auth/notifications.ts

@@ -0,0 +1,109 @@
+import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'
+
+export const notificationTypes: NotificationTypeDefinition[] = [
+  {
+    type: 'auth.password_reset.requested',
+    module: 'auth',
+    titleKey: 'auth.notifications.passwordReset.requested.title',
+    bodyKey: 'auth.notifications.passwordReset.requested.body',
+    icon: 'key',
+    severity: 'info',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/auth/profile',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/auth/profile',
+    expiresAfterHours: 24,
+  },
+  {
+    type: 'auth.password_reset.completed',
+    module: 'auth',
+    titleKey: 'auth.notifications.passwordReset.completed.title',
+    bodyKey: 'auth.notifications.passwordReset.completed.body',
+    icon: 'check-circle',
+    severity: 'success',
+    actions: [],
+    expiresAfterHours: 72,
+  },
+  {
+    type: 'auth.account.locked',
+    module: 'auth',
+    titleKey: 'auth.notifications.account.locked.title',
+    bodyKey: 'auth.notifications.account.locked.body',
+    icon: 'lock',
+    severity: 'warning',
+    actions: [
+      {
+        id: 'contact_support',
+        labelKey: 'auth.actions.contactSupport',
+        variant: 'default',
+        href: '/backend/support',
+        icon: 'mail',
+      },
+    ],
+    linkHref: '/backend/support',
+  },
+  {
+    type: 'auth.login.new_device',
+    module: 'auth',
+    titleKey: 'auth.notifications.login.newDevice.title',
+    bodyKey: 'auth.notifications.login.newDevice.body',
+    icon: 'smartphone',
+    severity: 'info',
+    actions: [
+      {
+        id: 'view_sessions',
+        labelKey: 'auth.actions.viewSessions',
+        variant: 'outline',
+        href: '/backend/auth/sessions',
+        icon: 'list',
+      },
+    ],
+    linkHref: '/backend/auth/sessions',
+    expiresAfterHours: 168, // 7 days
+  },
+  {
+    type: 'auth.role.assigned',
+    module: 'auth',
+    titleKey: 'auth.notifications.role.assigned.title',
+    bodyKey: 'auth.notifications.role.assigned.body',
+    icon: 'user-plus',
+    severity: 'success',
+    actions: [
+      {
+        id: 'view_permissions',
+        labelKey: 'auth.actions.viewPermissions',
+        variant: 'outline',
+        href: '/backend/auth/profile',
+        icon: 'shield',
+      },
+    ],
+    linkHref: '/backend/auth/profile',
+    expiresAfterHours: 168,
+  },
+  {
+    type: 'auth.role.revoked',
+    module: 'auth',
+    titleKey: 'auth.notifications.role.revoked.title',
+    bodyKey: 'auth.notifications.role.revoked.body',
+    icon: 'user-minus',
+    severity: 'warning',
+    actions: [
+      {
+        id: 'view_profile',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/auth/profile',
+      },
+    ],
+    linkHref: '/backend/auth/profile',
+    expiresAfterHours: 168,
+  },
+]
+
+export default notificationTypes

package/src/modules/auth/services/authService.ts

@@ -75,15 +75,15 @@ export class AuthService {
     return { user, token }
   }
 
-  async confirmPasswordReset(token: string, newPassword: string) {
+  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {
     const now = new Date()
     const row = await this.em.findOne(PasswordReset, { token })
-    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return false
+    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null
     const user = await this.em.findOne(User, { id: row.user.id })
-    if (!user) return false
+    if (!user) return null
     user.passwordHash = await hash(newPassword, 10)
     row.usedAt = new Date()
     await this.em.flush()
-    return true
+    return user
   }
 }

package/src/modules/business_rules/i18n/en.json

@@ -367,5 +367,7 @@
   "business_rules.components.conditionRow.field.comparisonPlaceholder": "e.g., user.role",
   "business_rules.components.conditionRow.value.help": "Use JSON for arrays: [\"a\",\"b\"]",
   "business_rules.components.conditionRow.field.comparisonHelp": "Field path to compare with",
-  "business_rules.components.conditionRow.deleteCondition": "Delete condition"
+  "business_rules.components.conditionRow.deleteCondition": "Delete condition",
+  "businessRules.notifications.rule.executionFailed.title": "Business Rule Failed",
+  "businessRules.notifications.rule.executionFailed.body": "Rule \"{ruleName}\" failed to execute{entityType, select, other { on {entityType}}}: {errorMessage}"
 }

package/src/modules/business_rules/notifications.ts

@@ -0,0 +1,25 @@
+import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'
+
+export const notificationTypes: NotificationTypeDefinition[] = [
+  {
+    type: 'business_rules.rule.execution_failed',
+    module: 'business_rules',
+    titleKey: 'businessRules.notifications.rule.executionFailed.title',
+    bodyKey: 'businessRules.notifications.rule.executionFailed.body',
+    icon: 'alert-triangle',
+    severity: 'error',
+    actions: [
+      {
+        id: 'view',
+        labelKey: 'common.view',
+        variant: 'outline',
+        href: '/backend/business-rules/{sourceEntityId}',
+        icon: 'external-link',
+      },
+    ],
+    linkHref: '/backend/business-rules/{sourceEntityId}',
+    expiresAfterHours: 168, // 7 days
+  },
+]
+
+export default notificationTypes

package/src/modules/business_rules/subscribers/rule-execution-failed-notification.ts

@@ -0,0 +1,50 @@
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { resolveNotificationService } from '../../notifications/lib/notificationService'
+import { buildFeatureNotificationFromType } from '../../notifications/lib/notificationBuilder'
+import { notificationTypes } from '../notifications'
+
+export const metadata = {
+  event: 'business_rules.rule.execution_failed',
+  persistent: true,
+  id: 'business_rules:rule-execution-failed-notification',
+}
+
+type RuleExecutionFailedPayload = {
+  ruleId: string
+  ruleName: string
+  entityType?: string | null
+  errorMessage?: string | null
+  tenantId: string
+  organizationId?: string | null
+}
+
+type ResolverContext = {
+  resolve: <T = unknown>(name: string) => T
+}
+
+export default async function handle(payload: RuleExecutionFailedPayload, ctx: ResolverContext) {
+  try {
+    const notificationService = resolveNotificationService(ctx)
+    const typeDef = notificationTypes.find((type) => type.type === 'business_rules.rule.execution_failed')
+    if (!typeDef) return
+
+    const notificationInput = buildFeatureNotificationFromType(typeDef, {
+      requiredFeature: 'business_rules.manage',
+      bodyVariables: {
+        ruleName: payload.ruleName,
+        entityType: payload.entityType ?? '',
+        errorMessage: payload.errorMessage ?? 'Unknown error',
+      },
+      sourceEntityType: 'business_rules:rule',
+      sourceEntityId: payload.ruleId,
+      linkHref: `/backend/business-rules/${payload.ruleId}`,
+    })
+
+    await notificationService.createForFeature(notificationInput, {
+      tenantId: payload.tenantId,
+      organizationId: payload.organizationId ?? null,
+    })
+  } catch (err) {
+    console.error('[business_rules:rule-execution-failed-notification] Failed to create notification:', err)
+  }
+}

package/src/modules/catalog/i18n/en.json

@@ -681,5 +681,7 @@
         "deleteError": "Failed to delete variant."
       }
     }
-  }
+  },
+  "catalog.notifications.product.lowStock.title": "Low Stock Alert",
+  "catalog.notifications.product.lowStock.body": "{productName}{sku, select, other { ({sku})}} is running low on stock ({currentStock} remaining, threshold: {threshold})"
 }