@open-mercato/core 0.4.2-canary-ba1d84349b → 0.4.2-canary-07dbc98202

package/dist/modules/auth/lib/setup-app.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/lib/setup-app.ts"],
-  "sourcesContent": ["import { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { Role, RoleAcl, User, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { normalizeTenantId } from './tenantAccess'\nimport { SalesSettings, SalesDocumentSequence } from '@open-mercato/core/modules/sales/data/entities'\nimport {\n  DEFAULT_ORDER_NUMBER_FORMAT,\n  DEFAULT_QUOTE_NUMBER_FORMAT,\n} from '@open-mercato/core/modules/sales/lib/documentNumberTokens'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { isEncryptionDebugEnabled, isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { EncryptionMap } from '@open-mercato/core/modules/entities/data/entities'\nimport { DEFAULT_ENCRYPTION_MAPS } from '@open-mercato/core/modules/entities/lib/encryptionDefaults'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nconst DEFAULT_ROLE_NAMES = ['employee', 'admin', 'superadmin'] as const\nconst DEMO_SUPERADMIN_EMAIL = 'superadmin@acme.com'\n\nexport type EnsureRolesOptions = {\n  roleNames?: string[]\n  tenantId?: string | null\n}\n\nasync function ensureRolesInContext(\n  em: EntityManager,\n  roleNames: string[],\n  tenantId: string | null,\n) {\n  for (const name of roleNames) {\n    const existing = await em.findOne(Role, { name, tenantId })\n    if (existing) continue\n    if (tenantId !== null) {\n      const globalRole = await em.findOne(Role, { name, tenantId: null })\n      if (globalRole) {\n        globalRole.tenantId = tenantId\n        em.persist(globalRole)\n        continue\n      }\n    }\n    em.persist(em.create(Role, { name, tenantId, createdAt: new Date() }))\n  }\n}\n\nexport async function ensureRoles(em: EntityManager, options: EnsureRolesOptions = {}) {\n  const roleNames = options.roleNames ?? [...DEFAULT_ROLE_NAMES]\n  const tenantId = normalizeTenantId(options.tenantId ?? null) ?? null\n  await em.transactional(async (tem) => {\n    await ensureRolesInContext(tem, roleNames, tenantId)\n    await tem.flush()\n  })\n}\n\nasync function findRoleByName(\n  em: EntityManager,\n  name: string,\n  tenantId: string | null,\n): Promise<Role | null> {\n  const normalizedTenant = normalizeTenantId(tenantId ?? null) ?? null\n  let role = await em.findOne(Role, { name, tenantId: normalizedTenant })\n  if (!role && normalizedTenant !== null) {\n    role = await em.findOne(Role, { name, tenantId: null })\n  }\n  return role\n}\n\nasync function findRoleByNameOrFail(\n  em: EntityManager,\n  name: string,\n  tenantId: string | null,\n): Promise<Role> {\n  const role = await findRoleByName(em, name, tenantId)\n  if (!role) throw new Error(`ROLE_NOT_FOUND:${name}`)\n  return role\n}\n\ntype PrimaryUserInput = {\n  email: string\n  password?: string\n  hashedPassword?: string | null\n  firstName?: string | null\n  lastName?: string | null\n  displayName?: string | null\n  confirm?: boolean\n}\n\nexport type SetupInitialTenantOptions = {\n  orgName: string\n  primaryUser: PrimaryUserInput\n  roleNames?: string[]\n  includeDerivedUsers?: boolean\n  failIfUserExists?: boolean\n  primaryUserRoles?: string[]\n  includeSuperadminRole?: boolean\n}\n\nexport type SetupInitialTenantResult = {\n  tenantId: string\n  organizationId: string\n  users: Array<{ user: User; roles: string[]; created: boolean }>\n  reusedExistingUser: boolean\n}\n\nexport async function setupInitialTenant(\n  em: EntityManager,\n  options: SetupInitialTenantOptions,\n): Promise<SetupInitialTenantResult> {\n  const {\n    primaryUser,\n    includeDerivedUsers = true,\n    failIfUserExists = false,\n    primaryUserRoles,\n    includeSuperadminRole = true,\n  } = options\n  const primaryRolesInput = primaryUserRoles && primaryUserRoles.length ? primaryUserRoles : ['superadmin']\n  const primaryRoles = includeSuperadminRole\n    ? primaryRolesInput\n    : primaryRolesInput.filter((role) => role !== 'superadmin')\n  if (primaryRoles.length === 0) {\n    throw new Error('PRIMARY_ROLES_REQUIRED')\n  }\n  const defaultRoleNames = options.roleNames ?? [...DEFAULT_ROLE_NAMES]\n  const resolvedRoleNames = includeSuperadminRole\n    ? defaultRoleNames\n    : defaultRoleNames.filter((role) => role !== 'superadmin')\n  const roleNames = Array.from(new Set([...resolvedRoleNames, ...primaryRoles]))\n\n  const mainEmail = primaryUser.email\n  const existingUser = await em.findOne(User, { email: mainEmail })\n  if (existingUser && failIfUserExists) {\n    throw new Error('USER_EXISTS')\n  }\n\n  let tenantId: string | undefined\n  let organizationId: string | undefined\n  let reusedExistingUser = false\n  const userSnapshots: Array<{ user: User; roles: string[]; created: boolean }> = []\n\n  await em.transactional(async (tem) => {\n    if (!existingUser) return\n    reusedExistingUser = true\n    tenantId = existingUser.tenantId ? String(existingUser.tenantId) : undefined\n    organizationId = existingUser.organizationId ? String(existingUser.organizationId) : undefined\n    const roleTenantId = normalizeTenantId(existingUser.tenantId ?? null) ?? null\n\n    await ensureRolesInContext(tem, roleNames, roleTenantId)\n    await tem.flush()\n\n    const requiredRoleSet = new Set([...roleNames, ...primaryRoles])\n    const links = await findWithDecryption(\n      tem,\n      UserRole,\n      { user: existingUser },\n      { populate: ['role'] },\n      { tenantId: roleTenantId, organizationId: null },\n    )\n    const currentRoles = new Set(links.map((link) => link.role.name))\n    for (const roleName of requiredRoleSet) {\n      if (!currentRoles.has(roleName)) {\n        const role = await findRoleByNameOrFail(tem, roleName, roleTenantId)\n        tem.persist(tem.create(UserRole, { user: existingUser, role, createdAt: new Date() }))\n      }\n    }\n    await tem.flush()\n    const roles = Array.from(new Set([...currentRoles, ...roleNames]))\n    userSnapshots.push({ user: existingUser, roles, created: false })\n  })\n\n  if (!existingUser) {\n    const baseUsers: Array<{ email: string; roles: string[]; name?: string | null }> = [\n      { email: primaryUser.email, roles: primaryRoles, name: resolvePrimaryName(primaryUser) },\n    ]\n    if (includeDerivedUsers) {\n      const [local, domain] = String(primaryUser.email).split('@')\n      const isSuperadminLocal = (local || '').toLowerCase() === 'superadmin' && !!domain\n      if (isSuperadminLocal) {\n        baseUsers.push({ email: `admin@${domain}`, roles: ['admin'] })\n        baseUsers.push({ email: `employee@${domain}`, roles: ['employee'] })\n      }\n    }\n    const passwordHash = await resolvePasswordHash(primaryUser)\n\n    await em.transactional(async (tem) => {\n      const tenant = tem.create(Tenant, {\n        name: `${options.orgName} Tenant`,\n        isActive: true,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n      tem.persist(tenant)\n      await tem.flush()\n\n      const organization = tem.create(Organization, {\n        name: options.orgName,\n        tenant,\n        isActive: true,\n        depth: 0,\n        ancestorIds: [],\n        childIds: [],\n        descendantIds: [],\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n      tem.persist(organization)\n      await tem.flush()\n\n      tenantId = String(tenant.id)\n      organizationId = String(organization.id)\n      const roleTenantId = tenantId\n\n      if (isTenantDataEncryptionEnabled()) {\n        try {\n          const kms = createKmsService()\n          if (kms.isHealthy()) {\n            if (isEncryptionDebugEnabled()) {\n              console.info('\uD83D\uDD11 [encryption][setup] provisioning tenant DEK', { tenantId: String(tenant.id) })\n            }\n            await kms.createTenantDek(String(tenant.id))\n            if (isEncryptionDebugEnabled()) {\n              console.info('\uD83D\uDD11 [encryption][setup] created tenant DEK during setup', { tenantId: String(tenant.id) })\n            }\n          } else {\n            if (isEncryptionDebugEnabled()) {\n              console.warn('\u26A0\uFE0F [encryption][setup] KMS not healthy, skipping tenant DEK creation', { tenantId: String(tenant.id) })\n            }\n          }\n        } catch (err) {\n          if (isEncryptionDebugEnabled()) {\n            console.warn('\u26A0\uFE0F [encryption][setup] Failed to create tenant DEK', err)\n          }\n        }\n      }\n\n      await ensureRolesInContext(tem, roleNames, roleTenantId)\n      await tem.flush()\n\n      if (isTenantDataEncryptionEnabled()) {\n        for (const spec of DEFAULT_ENCRYPTION_MAPS) {\n          const existing = await tem.findOne(EncryptionMap, { entityId: spec.entityId, tenantId: tenant.id, organizationId: organization.id, deletedAt: null })\n          if (!existing) {\n            tem.persist(tem.create(EncryptionMap, {\n              entityId: spec.entityId,\n              tenantId: tenant.id,\n              organizationId: organization.id,\n              fieldsJson: spec.fields,\n              isActive: true,\n              createdAt: new Date(),\n              updatedAt: new Date(),\n            }))\n          } else {\n            existing.fieldsJson = spec.fields\n            existing.isActive = true\n          }\n        }\n        await tem.flush()\n      }\n    })\n\n    await em.transactional(async (tem) => {\n      if (!tenantId || !organizationId) return\n      const roleTenantId = tenantId\n      const encryptionService = isTenantDataEncryptionEnabled()\n        ? new TenantDataEncryptionService(tem as any, { kms: createKmsService() })\n        : null\n      if (encryptionService) {\n        await encryptionService.invalidateMap('auth:user', String(tenantId), String(organizationId))\n        await encryptionService.invalidateMap('auth:user', String(tenantId), null)\n      }\n\n      for (const base of baseUsers) {\n        let user = await tem.findOne(User, { email: base.email })\n        const confirm = primaryUser.confirm ?? true\n        const encryptedPayload = encryptionService\n          ? await encryptionService.encryptEntityPayload('auth:user', { email: base.email }, tenantId, organizationId)\n          : { email: base.email, emailHash: computeEmailHash(base.email) }\n        if (user) {\n          user.passwordHash = passwordHash\n          user.organizationId = organizationId\n          user.tenantId = tenantId\n          if (isTenantDataEncryptionEnabled()) {\n            user.email = encryptedPayload.email as any\n            user.emailHash = (encryptedPayload as any).emailHash ?? computeEmailHash(base.email)\n          }\n          if (base.name) user.name = base.name\n          if (confirm) user.isConfirmed = true\n          tem.persist(user)\n          userSnapshots.push({ user, roles: base.roles, created: false })\n        } else {\n          user = tem.create(User, {\n            email: (encryptedPayload as any).email ?? base.email,\n            emailHash: isTenantDataEncryptionEnabled() ? (encryptedPayload as any).emailHash ?? computeEmailHash(base.email) : undefined,\n            passwordHash,\n            organizationId,\n            tenantId,\n            name: base.name ?? undefined,\n            isConfirmed: confirm,\n            createdAt: new Date(),\n          })\n          tem.persist(user)\n          userSnapshots.push({ user, roles: base.roles, created: true })\n        }\n        await tem.flush()\n        for (const roleName of base.roles) {\n          const role = await findRoleByNameOrFail(tem, roleName, roleTenantId)\n          const existingLink = await tem.findOne(UserRole, { user, role })\n          if (!existingLink) tem.persist(tem.create(UserRole, { user, role, createdAt: new Date() }))\n        }\n        await tem.flush()\n      }\n    })\n  }\n\n  if (!tenantId || !organizationId) {\n    throw new Error('SETUP_FAILED')\n  }\n\n  if (!reusedExistingUser) {\n    await rebuildHierarchyForTenant(em, tenantId)\n  }\n\n  await ensureDefaultRoleAcls(em, tenantId, { includeSuperadminRole })\n  await deactivateDemoSuperAdminIfSelfOnboardingEnabled(em)\n  await ensureSalesNumberingDefaults(em, { tenantId, organizationId })\n\n  return {\n    tenantId,\n    organizationId,\n    users: userSnapshots,\n    reusedExistingUser,\n  }\n}\n\nfunction resolvePrimaryName(input: PrimaryUserInput): string | null {\n  if (input.displayName && input.displayName.trim()) return input.displayName.trim()\n  const parts = [input.firstName, input.lastName].map((value) => value?.trim()).filter(Boolean)\n  if (parts.length) return parts.join(' ')\n  return null\n}\n\nasync function resolvePasswordHash(input: PrimaryUserInput): Promise<string | null> {\n  if (typeof input.hashedPassword === 'string') return input.hashedPassword\n  if (input.password) return hash(input.password, 10)\n  return null\n}\n\nasync function ensureDefaultRoleAcls(\n  em: EntityManager,\n  tenantId: string,\n  options: { includeSuperadminRole?: boolean } = {},\n) {\n  const includeSuperadminRole = options.includeSuperadminRole ?? true\n  const roleTenantId = normalizeTenantId(tenantId) ?? null\n  const superadminRole = includeSuperadminRole ? await findRoleByName(em, 'superadmin', roleTenantId) : null\n  const adminRole = await findRoleByName(em, 'admin', roleTenantId)\n  const employeeRole = await findRoleByName(em, 'employee', roleTenantId)\n\n  if (includeSuperadminRole && superadminRole) {\n    await ensureRoleAclFor(em, superadminRole, tenantId, ['directory.tenants.*'], { isSuperAdmin: true })\n  }\n  if (adminRole) {\n    const adminFeatures = [\n      'auth.*',\n      'entities.*',\n      'attachments.*',\n      'attachments.view',\n      'attachments.manage',\n      'query_index.*',\n      'search.*',\n      'vector.*',\n      'feature_toggles.*',\n      'configs.system_status.view',\n      'configs.cache.view',\n      'configs.cache.manage',\n      'configs.manage',\n      'catalog.*',\n      'catalog.variants.manage',\n      'catalog.pricing.manage',\n      'sales.*',\n      'audit_logs.*',\n      'directory.organizations.view',\n      'directory.organizations.manage',\n      'customers.*',\n      'customers.people.view',\n      'customers.people.manage',\n      'customers.companies.view',\n      'customers.companies.manage',\n      'customers.deals.view',\n      'customers.deals.manage',\n      'dictionaries.view',\n      'dictionaries.manage',\n      'example.*',\n      'dashboards.*',\n      'dashboards.admin.assign-widgets',\n      'api_keys.*',\n      'perspectives.use',\n      'perspectives.role_defaults',\n      'business_rules.*',\n      'workflows.*',\n      'currencies.*',\n      'staff.*',\n      'staff.leave_requests.manage',\n      'resources.*',\n      'planner.*',\n    ]\n    await ensureRoleAclFor(em, adminRole, tenantId, adminFeatures, { remove: ['directory.organizations.*', 'directory.tenants.*'] })\n  }\n  if (employeeRole) {\n    await ensureRoleAclFor(em, employeeRole, tenantId, [\n      'customers.*',\n      'customers.people.view',\n      'customers.people.manage',\n      'customers.companies.view',\n      'customers.companies.manage',\n      'vector.*',\n      'catalog.*',\n      'catalog.variants.manage',\n      'catalog.pricing.manage',\n      'sales.*',\n      'dictionaries.view',\n      'example.*',\n      'example.widgets.*',\n      'dashboards.view',\n      'dashboards.configure',\n      'audit_logs.undo_self',\n      'perspectives.use',\n      'staff.leave_requests.send',\n      'staff.my_availability.view',\n      'staff.my_availability.manage',\n      'staff.my_leave_requests.view',\n      'staff.my_leave_requests.send',\n      'planner.view',\n    ])\n  }\n}\n\nasync function ensureRoleAclFor(\n  em: EntityManager,\n  role: Role,\n  tenantId: string,\n  features: string[],\n  options: { isSuperAdmin?: boolean; remove?: string[] } = {},\n) {\n  const existing = await em.findOne(RoleAcl, { role, tenantId })\n  if (!existing) {\n    const acl = em.create(RoleAcl, {\n      role,\n      tenantId,\n      featuresJson: features,\n      isSuperAdmin: !!options.isSuperAdmin,\n      createdAt: new Date(),\n    })\n    await em.persistAndFlush(acl)\n    return\n  }\n  const currentFeatures = Array.isArray(existing.featuresJson) ? existing.featuresJson : []\n  const merged = Array.from(new Set([...currentFeatures, ...features]))\n  const removeSet = new Set(options.remove ?? [])\n  const sanitized =\n    removeSet.size\n      ? merged.filter((value) => {\n        if (removeSet.has(value)) return false\n        for (const entry of removeSet) {\n          if (entry.endsWith('.*')) {\n            const prefix = entry.slice(0, -1) // keep trailing dot\n            if (value === entry || value.startsWith(prefix)) return false\n          }\n        }\n        return true\n      })\n      : merged\n  const changed =\n    sanitized.length !== currentFeatures.length ||\n    sanitized.some((value, index) => value !== currentFeatures[index])\n  if (changed) existing.featuresJson = sanitized\n  if (options.isSuperAdmin && !existing.isSuperAdmin) {\n    existing.isSuperAdmin = true\n  }\n  if (changed || options.isSuperAdmin) {\n    await em.persistAndFlush(existing)\n  }\n}\n\nasync function deactivateDemoSuperAdminIfSelfOnboardingEnabled(em: EntityManager) {\n  if (process.env.SELF_SERVICE_ONBOARDING_ENABLED !== 'true') return\n  try {\n    const user = await em.findOne(User, { email: DEMO_SUPERADMIN_EMAIL })\n    if (!user) return\n    let dirty = false\n    if (user.passwordHash) {\n      user.passwordHash = null\n      dirty = true\n    }\n    if (user.isConfirmed !== false) {\n      user.isConfirmed = false\n      dirty = true\n    }\n    if (dirty) {\n      await em.persistAndFlush(user)\n    }\n  } catch (error) {\n    console.error('[auth.setup] failed to deactivate demo superadmin user', error)\n  }\n}\n\nasync function ensureSalesNumberingDefaults(\n  em: EntityManager,\n  scope: { tenantId: string; organizationId: string },\n) {\n  const repo = (em as any).getRepository?.(SalesSettings)\n  const findSettings = async () =>\n    repo?.findOne({\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId,\n    }) ??\n    (em as any).findOne?.(SalesSettings, {\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId,\n    })\n\n  const exists = await findSettings()\n  if (!exists) {\n    const settings =\n      repo?.create?.({\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        orderNumberFormat: DEFAULT_ORDER_NUMBER_FORMAT,\n        quoteNumberFormat: DEFAULT_QUOTE_NUMBER_FORMAT,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      }) ??\n      (em as any).create?.(SalesSettings, {\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        orderNumberFormat: DEFAULT_ORDER_NUMBER_FORMAT,\n        quoteNumberFormat: DEFAULT_QUOTE_NUMBER_FORMAT,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n    if (settings && (em as any).persist) {\n      em.persist(settings)\n    }\n  }\n\n  const sequenceRepo = (em as any).getRepository?.(SalesDocumentSequence)\n  const kinds: Array<'order' | 'quote'> = ['order', 'quote']\n  for (const kind of kinds) {\n    const seq =\n      sequenceRepo?.findOne({\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        documentKind: kind,\n      }) ??\n      (em as any).findOne?.(SalesDocumentSequence, {\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        documentKind: kind,\n      })\n    if (!seq) {\n      const entry =\n        sequenceRepo?.create?.({\n          tenantId: scope.tenantId,\n          organizationId: scope.organizationId,\n          documentKind: kind,\n          currentValue: 0,\n          createdAt: new Date(),\n          updatedAt: new Date(),\n        }) ??\n        (em as any).create?.(SalesDocumentSequence, {\n          tenantId: scope.tenantId,\n          organizationId: scope.organizationId,\n          documentKind: kind,\n          currentValue: 0,\n          createdAt: new Date(),\n          updatedAt: new Date(),\n        })\n      if (entry && (em as any).persist) {\n        em.persist(entry)\n      }\n    }\n  }\n\n  if ((em as any).flush) {\n    await em.flush()\n  }\n}\n"],
-  "mappings": "AAAA,SAAS,YAAY;AAErB,SAAS,MAAM,SAAS,MAAM,gBAAgB;AAC9C,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,yBAAyB;AAClC,SAAS,eAAe,6BAA6B;AACrD;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,wBAAwB;AACjC,SAAS,0BAA0B,qCAAqC;AACxE,SAAS,qBAAqB;AAC9B,SAAS,+BAA+B;AACxC,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,0BAA0B;AAEnC,MAAM,qBAAqB,CAAC,YAAY,SAAS,YAAY;AAC7D,MAAM,wBAAwB;AAO9B,eAAe,qBACb,IACA,WACA,UACA;AACA,aAAW,QAAQ,WAAW;AAC5B,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1D,QAAI,SAAU;AACd,QAAI,aAAa,MAAM;AACrB,YAAM,aAAa,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAClE,UAAI,YAAY;AACd,mBAAW,WAAW;AACtB,WAAG,QAAQ,UAAU;AACrB;AAAA,MACF;AAAA,IACF;AACA,OAAG,QAAQ,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,EACvE;AACF;AAEA,eAAsB,YAAY,IAAmB,UAA8B,CAAC,GAAG;AACrF,QAAM,YAAY,QAAQ,aAAa,CAAC,GAAG,kBAAkB;AAC7D,QAAM,WAAW,kBAAkB,QAAQ,YAAY,IAAI,KAAK;AAChE,QAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,UAAM,qBAAqB,KAAK,WAAW,QAAQ;AACnD,UAAM,IAAI,MAAM;AAAA,EAClB,CAAC;AACH;AAEA,eAAe,eACb,IACA,MACA,UACsB;AACtB,QAAM,mBAAmB,kBAAkB,YAAY,IAAI,KAAK;AAChE,MAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,iBAAiB,CAAC;AACtE,MAAI,CAAC,QAAQ,qBAAqB,MAAM;AACtC,WAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,EACxD;AACA,SAAO;AACT;AAEA,eAAe,qBACb,IACA,MACA,UACe;AACf,QAAM,OAAO,MAAM,eAAe,IAAI,MAAM,QAAQ;AACpD,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,kBAAkB,IAAI,EAAE;AACnD,SAAO;AACT;AA6BA,eAAsB,mBACpB,IACA,SACmC;AACnC,QAAM;AAAA,IACJ;AAAA,IACA,sBAAsB;AAAA,IACtB,mBAAmB;AAAA,IACnB;AAAA,IACA,wBAAwB;AAAA,EAC1B,IAAI;AACJ,QAAM,oBAAoB,oBAAoB,iBAAiB,SAAS,mBAAmB,CAAC,YAAY;AACxG,QAAM,eAAe,wBACjB,oBACA,kBAAkB,OAAO,CAAC,SAAS,SAAS,YAAY;AAC5D,MAAI,aAAa,WAAW,GAAG;AAC7B,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACA,QAAM,mBAAmB,QAAQ,aAAa,CAAC,GAAG,kBAAkB;AACpE,QAAM,oBAAoB,wBACtB,mBACA,iBAAiB,OAAO,CAAC,SAAS,SAAS,YAAY;AAC3D,QAAM,YAAY,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,mBAAmB,GAAG,YAAY,CAAC,CAAC;AAE7E,QAAM,YAAY,YAAY;AAC9B,QAAM,eAAe,MAAM,GAAG,QAAQ,MAAM,EAAE,OAAO,UAAU,CAAC;AAChE,MAAI,gBAAgB,kBAAkB;AACpC,UAAM,IAAI,MAAM,aAAa;AAAA,EAC/B;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI,qBAAqB;AACzB,QAAM,gBAA0E,CAAC;AAEjF,QAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,QAAI,CAAC,aAAc;AACnB,yBAAqB;AACrB,eAAW,aAAa,WAAW,OAAO,aAAa,QAAQ,IAAI;AACnE,qBAAiB,aAAa,iBAAiB,OAAO,aAAa,cAAc,IAAI;AACrF,UAAM,eAAe,kBAAkB,aAAa,YAAY,IAAI,KAAK;AAEzE,UAAM,qBAAqB,KAAK,WAAW,YAAY;AACvD,UAAM,IAAI,MAAM;AAEhB,UAAM,kBAAkB,oBAAI,IAAI,CAAC,GAAG,WAAW,GAAG,YAAY,CAAC;AAC/D,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,aAAa;AAAA,MACrB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,cAAc,gBAAgB,KAAK;AAAA,IACjD;AACA,UAAM,eAAe,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,CAAC;AAChE,eAAW,YAAY,iBAAiB;AACtC,UAAI,CAAC,aAAa,IAAI,QAAQ,GAAG;AAC/B,cAAM,OAAO,MAAM,qBAAqB,KAAK,UAAU,YAAY;AACnE,YAAI,QAAQ,IAAI,OAAO,UAAU,EAAE,MAAM,cAAc,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,MACvF;AAAA,IACF;AACA,UAAM,IAAI,MAAM;AAChB,UAAM,QAAQ,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,cAAc,GAAG,SAAS,CAAC,CAAC;AACjE,kBAAc,KAAK,EAAE,MAAM,cAAc,OAAO,SAAS,MAAM,CAAC;AAAA,EAClE,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,UAAM,YAA6E;AAAA,MACjF,EAAE,OAAO,YAAY,OAAO,OAAO,cAAc,MAAM,mBAAmB,WAAW,EAAE;AAAA,IACzF;AACA,QAAI,qBAAqB;AACvB,YAAM,CAAC,OAAO,MAAM,IAAI,OAAO,YAAY,KAAK,EAAE,MAAM,GAAG;AAC3D,YAAM,qBAAqB,SAAS,IAAI,YAAY,MAAM,gBAAgB,CAAC,CAAC;AAC5E,UAAI,mBAAmB;AACrB,kBAAU,KAAK,EAAE,OAAO,SAAS,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;AAC7D,kBAAU,KAAK,EAAE,OAAO,YAAY,MAAM,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;AAAA,MACrE;AAAA,IACF;AACA,UAAM,eAAe,MAAM,oBAAoB,WAAW;AAE1D,UAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,YAAM,SAAS,IAAI,OAAO,QAAQ;AAAA,QAChC,MAAM,GAAG,QAAQ,OAAO;AAAA,QACxB,UAAU;AAAA,QACV,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,UAAI,QAAQ,MAAM;AAClB,YAAM,IAAI,MAAM;AAEhB,YAAM,eAAe,IAAI,OAAO,cAAc;AAAA,QAC5C,MAAM,QAAQ;AAAA,QACd;AAAA,QACA,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,CAAC;AAAA,QACd,UAAU,CAAC;AAAA,QACX,eAAe,CAAC;AAAA,QAChB,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,UAAI,QAAQ,YAAY;AACxB,YAAM,IAAI,MAAM;AAEhB,iBAAW,OAAO,OAAO,EAAE;AAC3B,uBAAiB,OAAO,aAAa,EAAE;AACvC,YAAM,eAAe;AAErB,UAAI,8BAA8B,GAAG;AACnC,YAAI;AACF,gBAAM,MAAM,iBAAiB;AAC7B,cAAI,IAAI,UAAU,GAAG;AACnB,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,yDAAkD,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YAChG;AACA,kBAAM,IAAI,gBAAgB,OAAO,OAAO,EAAE,CAAC;AAC3C,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,iEAA0D,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YACxG;AAAA,UACF,OAAO;AACL,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,kFAAwE,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YACtH;AAAA,UACF;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,yBAAyB,GAAG;AAC9B,oBAAQ,KAAK,gEAAsD,GAAG;AAAA,UACxE;AAAA,QACF;AAAA,MACF;AAEA,YAAM,qBAAqB,KAAK,WAAW,YAAY;AACvD,YAAM,IAAI,MAAM;AAEhB,UAAI,8BAA8B,GAAG;AACnC,mBAAW,QAAQ,yBAAyB;AAC1C,gBAAM,WAAW,MAAM,IAAI,QAAQ,eAAe,EAAE,UAAU,KAAK,UAAU,UAAU,OAAO,IAAI,gBAAgB,aAAa,IAAI,WAAW,KAAK,CAAC;AACpJ,cAAI,CAAC,UAAU;AACb,gBAAI,QAAQ,IAAI,OAAO,eAAe;AAAA,cACpC,UAAU,KAAK;AAAA,cACf,UAAU,OAAO;AAAA,cACjB,gBAAgB,aAAa;AAAA,cAC7B,YAAY,KAAK;AAAA,cACjB,UAAU;AAAA,cACV,WAAW,oBAAI,KAAK;AAAA,cACpB,WAAW,oBAAI,KAAK;AAAA,YACtB,CAAC,CAAC;AAAA,UACJ,OAAO;AACL,qBAAS,aAAa,KAAK;AAC3B,qBAAS,WAAW;AAAA,UACtB;AAAA,QACF;AACA,cAAM,IAAI,MAAM;AAAA,MAClB;AAAA,IACF,CAAC;AAED,UAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,UAAI,CAAC,YAAY,CAAC,eAAgB;AAClC,YAAM,eAAe;AACrB,YAAM,oBAAoB,8BAA8B,IACpD,IAAI,4BAA4B,KAAY,EAAE,KAAK,iBAAiB,EAAE,CAAC,IACvE;AACJ,UAAI,mBAAmB;AACrB,cAAM,kBAAkB,cAAc,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3F,cAAM,kBAAkB,cAAc,aAAa,OAAO,QAAQ,GAAG,IAAI;AAAA,MAC3E;AAEA,iBAAW,QAAQ,WAAW;AAC5B,YAAI,OAAO,MAAM,IAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,MAAM,CAAC;AACxD,cAAM,UAAU,YAAY,WAAW;AACvC,cAAM,mBAAmB,oBACrB,MAAM,kBAAkB,qBAAqB,aAAa,EAAE,OAAO,KAAK,MAAM,GAAG,UAAU,cAAc,IACzG,EAAE,OAAO,KAAK,OAAO,WAAW,iBAAiB,KAAK,KAAK,EAAE;AACjE,YAAI,MAAM;AACR,eAAK,eAAe;AACpB,eAAK,iBAAiB;AACtB,eAAK,WAAW;AAChB,cAAI,8BAA8B,GAAG;AACnC,iBAAK,QAAQ,iBAAiB;AAC9B,iBAAK,YAAa,iBAAyB,aAAa,iBAAiB,KAAK,KAAK;AAAA,UACrF;AACA,cAAI,KAAK,KAAM,MAAK,OAAO,KAAK;AAChC,cAAI,QAAS,MAAK,cAAc;AAChC,cAAI,QAAQ,IAAI;AAChB,wBAAc,KAAK,EAAE,MAAM,OAAO,KAAK,OAAO,SAAS,MAAM,CAAC;AAAA,QAChE,OAAO;AACL,iBAAO,IAAI,OAAO,MAAM;AAAA,YACtB,OAAQ,iBAAyB,SAAS,KAAK;AAAA,YAC/C,WAAW,8BAA8B,IAAK,iBAAyB,aAAa,iBAAiB,KAAK,KAAK,IAAI;AAAA,YACnH;AAAA,YACA;AAAA,YACA;AAAA,YACA,MAAM,KAAK,QAAQ;AAAA,YACnB,aAAa;AAAA,YACb,WAAW,oBAAI,KAAK;AAAA,UACtB,CAAC;AACD,cAAI,QAAQ,IAAI;AAChB,wBAAc,KAAK,EAAE,MAAM,OAAO,KAAK,OAAO,SAAS,KAAK,CAAC;AAAA,QAC/D;AACA,cAAM,IAAI,MAAM;AAChB,mBAAW,YAAY,KAAK,OAAO;AACjC,gBAAM,OAAO,MAAM,qBAAqB,KAAK,UAAU,YAAY;AACnE,gBAAM,eAAe,MAAM,IAAI,QAAQ,UAAU,EAAE,MAAM,KAAK,CAAC;AAC/D,cAAI,CAAC,aAAc,KAAI,QAAQ,IAAI,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,QAC5F;AACA,cAAM,IAAI,MAAM;AAAA,MAClB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,YAAY,CAAC,gBAAgB;AAChC,UAAM,IAAI,MAAM,cAAc;AAAA,EAChC;AAEA,MAAI,CAAC,oBAAoB;AACvB,UAAM,0BAA0B,IAAI,QAAQ;AAAA,EAC9C;AAEA,QAAM,sBAAsB,IAAI,UAAU,EAAE,sBAAsB,CAAC;AACnE,QAAM,gDAAgD,EAAE;AACxD,QAAM,6BAA6B,IAAI,EAAE,UAAU,eAAe,CAAC;AAEnE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP;AAAA,EACF;AACF;AAEA,SAAS,mBAAmB,OAAwC;AAClE,MAAI,MAAM,eAAe,MAAM,YAAY,KAAK,EAAG,QAAO,MAAM,YAAY,KAAK;AACjF,QAAM,QAAQ,CAAC,MAAM,WAAW,MAAM,QAAQ,EAAE,IAAI,CAAC,UAAU,OAAO,KAAK,CAAC,EAAE,OAAO,OAAO;AAC5F,MAAI,MAAM,OAAQ,QAAO,MAAM,KAAK,GAAG;AACvC,SAAO;AACT;AAEA,eAAe,oBAAoB,OAAiD;AAClF,MAAI,OAAO,MAAM,mBAAmB,SAAU,QAAO,MAAM;AAC3D,MAAI,MAAM,SAAU,QAAO,KAAK,MAAM,UAAU,EAAE;AAClD,SAAO;AACT;AAEA,eAAe,sBACb,IACA,UACA,UAA+C,CAAC,GAChD;AACA,QAAM,wBAAwB,QAAQ,yBAAyB;AAC/D,QAAM,eAAe,kBAAkB,QAAQ,KAAK;AACpD,QAAM,iBAAiB,wBAAwB,MAAM,eAAe,IAAI,cAAc,YAAY,IAAI;AACtG,QAAM,YAAY,MAAM,eAAe,IAAI,SAAS,YAAY;AAChE,QAAM,eAAe,MAAM,eAAe,IAAI,YAAY,YAAY;AAEtE,MAAI,yBAAyB,gBAAgB;AAC3C,UAAM,iBAAiB,IAAI,gBAAgB,UAAU,CAAC,qBAAqB,GAAG,EAAE,cAAc,KAAK,CAAC;AAAA,EACtG;AACA,MAAI,WAAW;AACb,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,UAAM,iBAAiB,IAAI,WAAW,UAAU,eAAe,EAAE,QAAQ,CAAC,6BAA6B,qBAAqB,EAAE,CAAC;AAAA,EACjI;AACA,MAAI,cAAc;AAChB,UAAM,iBAAiB,IAAI,cAAc,UAAU;AAAA,MACjD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,eAAe,iBACb,IACA,MACA,UACA,UACA,UAAyD,CAAC,GAC1D;AACA,QAAM,WAAW,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7D,MAAI,CAAC,UAAU;AACb,UAAM,MAAM,GAAG,OAAO,SAAS;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,cAAc,CAAC,CAAC,QAAQ;AAAA,MACxB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,UAAM,GAAG,gBAAgB,GAAG;AAC5B;AAAA,EACF;AACA,QAAM,kBAAkB,MAAM,QAAQ,SAAS,YAAY,IAAI,SAAS,eAAe,CAAC;AACxF,QAAM,SAAS,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,iBAAiB,GAAG,QAAQ,CAAC,CAAC;AACpE,QAAM,YAAY,IAAI,IAAI,QAAQ,UAAU,CAAC,CAAC;AAC9C,QAAM,YACJ,UAAU,OACN,OAAO,OAAO,CAAC,UAAU;AACzB,QAAI,UAAU,IAAI,KAAK,EAAG,QAAO;AACjC,eAAW,SAAS,WAAW;AAC7B,UAAI,MAAM,SAAS,IAAI,GAAG;AACxB,cAAM,SAAS,MAAM,MAAM,GAAG,EAAE;AAChC,YAAI,UAAU,SAAS,MAAM,WAAW,MAAM,EAAG,QAAO;AAAA,MAC1D;AAAA,IACF;AACA,WAAO;AAAA,EACT,CAAC,IACC;AACN,QAAM,UACJ,UAAU,WAAW,gBAAgB,UACrC,UAAU,KAAK,CAAC,OAAO,UAAU,UAAU,gBAAgB,KAAK,CAAC;AACnE,MAAI,QAAS,UAAS,eAAe;AACrC,MAAI,QAAQ,gBAAgB,CAAC,SAAS,cAAc;AAClD,aAAS,eAAe;AAAA,EAC1B;AACA,MAAI,WAAW,QAAQ,cAAc;AACnC,UAAM,GAAG,gBAAgB,QAAQ;AAAA,EACnC;AACF;AAEA,eAAe,gDAAgD,IAAmB;AAChF,MAAI,QAAQ,IAAI,oCAAoC,OAAQ;AAC5D,MAAI;AACF,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,OAAO,sBAAsB,CAAC;AACpE,QAAI,CAAC,KAAM;AACX,QAAI,QAAQ;AACZ,QAAI,KAAK,cAAc;AACrB,WAAK,eAAe;AACpB,cAAQ;AAAA,IACV;AACA,QAAI,KAAK,gBAAgB,OAAO;AAC9B,WAAK,cAAc;AACnB,cAAQ;AAAA,IACV;AACA,QAAI,OAAO;AACT,YAAM,GAAG,gBAAgB,IAAI;AAAA,IAC/B;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0DAA0D,KAAK;AAAA,EAC/E;AACF;AAEA,eAAe,6BACb,IACA,OACA;AACA,QAAM,OAAQ,GAAW,gBAAgB,aAAa;AACtD,QAAM,eAAe,YACnB,MAAM,QAAQ;AAAA,IACZ,UAAU,MAAM;AAAA,IAChB,gBAAgB,MAAM;AAAA,EACxB,CAAC,KACA,GAAW,UAAU,eAAe;AAAA,IACnC,UAAU,MAAM;AAAA,IAChB,gBAAgB,MAAM;AAAA,EACxB,CAAC;AAEH,QAAM,SAAS,MAAM,aAAa;AAClC,MAAI,CAAC,QAAQ;AACX,UAAM,WACJ,MAAM,SAAS;AAAA,MACb,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC,KACA,GAAW,SAAS,eAAe;AAAA,MAClC,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACH,QAAI,YAAa,GAAW,SAAS;AACnC,SAAG,QAAQ,QAAQ;AAAA,IACrB;AAAA,EACF;AAEA,QAAM,eAAgB,GAAW,gBAAgB,qBAAqB;AACtE,QAAM,QAAkC,CAAC,SAAS,OAAO;AACzD,aAAW,QAAQ,OAAO;AACxB,UAAM,MACJ,cAAc,QAAQ;AAAA,MACpB,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,cAAc;AAAA,IAChB,CAAC,KACA,GAAW,UAAU,uBAAuB;AAAA,MAC3C,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,cAAc;AAAA,IAChB,CAAC;AACH,QAAI,CAAC,KAAK;AACR,YAAM,QACJ,cAAc,SAAS;AAAA,QACrB,UAAU,MAAM;AAAA,QAChB,gBAAgB,MAAM;AAAA,QACtB,cAAc;AAAA,QACd,cAAc;AAAA,QACd,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC,KACA,GAAW,SAAS,uBAAuB;AAAA,QAC1C,UAAU,MAAM;AAAA,QAChB,gBAAgB,MAAM;AAAA,QACtB,cAAc;AAAA,QACd,cAAc;AAAA,QACd,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACH,UAAI,SAAU,GAAW,SAAS;AAChC,WAAG,QAAQ,KAAK;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,MAAK,GAAW,OAAO;AACrB,UAAM,GAAG,MAAM;AAAA,EACjB;AACF;",
+  "sourcesContent": ["import { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { Role, RoleAcl, User, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { normalizeTenantId } from './tenantAccess'\nimport { SalesSettings, SalesDocumentSequence } from '@open-mercato/core/modules/sales/data/entities'\nimport {\n  DEFAULT_ORDER_NUMBER_FORMAT,\n  DEFAULT_QUOTE_NUMBER_FORMAT,\n} from '@open-mercato/core/modules/sales/lib/documentNumberTokens'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { isEncryptionDebugEnabled, isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { EncryptionMap } from '@open-mercato/core/modules/entities/data/entities'\nimport { DEFAULT_ENCRYPTION_MAPS } from '@open-mercato/core/modules/entities/lib/encryptionDefaults'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nconst DEFAULT_ROLE_NAMES = ['employee', 'admin', 'superadmin'] as const\nconst DEMO_SUPERADMIN_EMAIL = 'superadmin@acme.com'\n\nexport type EnsureRolesOptions = {\n  roleNames?: string[]\n  tenantId?: string | null\n}\n\nasync function ensureRolesInContext(\n  em: EntityManager,\n  roleNames: string[],\n  tenantId: string | null,\n) {\n  for (const name of roleNames) {\n    const existing = await em.findOne(Role, { name, tenantId })\n    if (existing) continue\n    if (tenantId !== null) {\n      const globalRole = await em.findOne(Role, { name, tenantId: null })\n      if (globalRole) {\n        globalRole.tenantId = tenantId\n        em.persist(globalRole)\n        continue\n      }\n    }\n    em.persist(em.create(Role, { name, tenantId, createdAt: new Date() }))\n  }\n}\n\nexport async function ensureRoles(em: EntityManager, options: EnsureRolesOptions = {}) {\n  const roleNames = options.roleNames ?? [...DEFAULT_ROLE_NAMES]\n  const tenantId = normalizeTenantId(options.tenantId ?? null) ?? null\n  await em.transactional(async (tem) => {\n    await ensureRolesInContext(tem, roleNames, tenantId)\n    await tem.flush()\n  })\n}\n\nasync function findRoleByName(\n  em: EntityManager,\n  name: string,\n  tenantId: string | null,\n): Promise<Role | null> {\n  const normalizedTenant = normalizeTenantId(tenantId ?? null) ?? null\n  let role = await em.findOne(Role, { name, tenantId: normalizedTenant })\n  if (!role && normalizedTenant !== null) {\n    role = await em.findOne(Role, { name, tenantId: null })\n  }\n  return role\n}\n\nasync function findRoleByNameOrFail(\n  em: EntityManager,\n  name: string,\n  tenantId: string | null,\n): Promise<Role> {\n  const role = await findRoleByName(em, name, tenantId)\n  if (!role) throw new Error(`ROLE_NOT_FOUND:${name}`)\n  return role\n}\n\ntype PrimaryUserInput = {\n  email: string\n  password?: string\n  hashedPassword?: string | null\n  firstName?: string | null\n  lastName?: string | null\n  displayName?: string | null\n  confirm?: boolean\n}\n\nexport type SetupInitialTenantOptions = {\n  orgName: string\n  primaryUser: PrimaryUserInput\n  roleNames?: string[]\n  includeDerivedUsers?: boolean\n  failIfUserExists?: boolean\n  primaryUserRoles?: string[]\n  includeSuperadminRole?: boolean\n}\n\nexport type SetupInitialTenantResult = {\n  tenantId: string\n  organizationId: string\n  users: Array<{ user: User; roles: string[]; created: boolean }>\n  reusedExistingUser: boolean\n}\n\nexport async function setupInitialTenant(\n  em: EntityManager,\n  options: SetupInitialTenantOptions,\n): Promise<SetupInitialTenantResult> {\n  const {\n    primaryUser,\n    includeDerivedUsers = true,\n    failIfUserExists = false,\n    primaryUserRoles,\n    includeSuperadminRole = true,\n  } = options\n  const primaryRolesInput = primaryUserRoles && primaryUserRoles.length ? primaryUserRoles : ['superadmin']\n  const primaryRoles = includeSuperadminRole\n    ? primaryRolesInput\n    : primaryRolesInput.filter((role) => role !== 'superadmin')\n  if (primaryRoles.length === 0) {\n    throw new Error('PRIMARY_ROLES_REQUIRED')\n  }\n  const defaultRoleNames = options.roleNames ?? [...DEFAULT_ROLE_NAMES]\n  const resolvedRoleNames = includeSuperadminRole\n    ? defaultRoleNames\n    : defaultRoleNames.filter((role) => role !== 'superadmin')\n  const roleNames = Array.from(new Set([...resolvedRoleNames, ...primaryRoles]))\n\n  const mainEmail = primaryUser.email\n  const existingUser = await em.findOne(User, { email: mainEmail })\n  if (existingUser && failIfUserExists) {\n    throw new Error('USER_EXISTS')\n  }\n\n  let tenantId: string | undefined\n  let organizationId: string | undefined\n  let reusedExistingUser = false\n  const userSnapshots: Array<{ user: User; roles: string[]; created: boolean }> = []\n\n  await em.transactional(async (tem) => {\n    if (!existingUser) return\n    reusedExistingUser = true\n    tenantId = existingUser.tenantId ? String(existingUser.tenantId) : undefined\n    organizationId = existingUser.organizationId ? String(existingUser.organizationId) : undefined\n    const roleTenantId = normalizeTenantId(existingUser.tenantId ?? null) ?? null\n\n    await ensureRolesInContext(tem, roleNames, roleTenantId)\n    await tem.flush()\n\n    const requiredRoleSet = new Set([...roleNames, ...primaryRoles])\n    const links = await findWithDecryption(\n      tem,\n      UserRole,\n      { user: existingUser },\n      { populate: ['role'] },\n      { tenantId: roleTenantId, organizationId: null },\n    )\n    const currentRoles = new Set(links.map((link) => link.role.name))\n    for (const roleName of requiredRoleSet) {\n      if (!currentRoles.has(roleName)) {\n        const role = await findRoleByNameOrFail(tem, roleName, roleTenantId)\n        tem.persist(tem.create(UserRole, { user: existingUser, role, createdAt: new Date() }))\n      }\n    }\n    await tem.flush()\n    const roles = Array.from(new Set([...currentRoles, ...roleNames]))\n    userSnapshots.push({ user: existingUser, roles, created: false })\n  })\n\n  if (!existingUser) {\n    const baseUsers: Array<{ email: string; roles: string[]; name?: string | null }> = [\n      { email: primaryUser.email, roles: primaryRoles, name: resolvePrimaryName(primaryUser) },\n    ]\n    if (includeDerivedUsers) {\n      const [local, domain] = String(primaryUser.email).split('@')\n      const isSuperadminLocal = (local || '').toLowerCase() === 'superadmin' && !!domain\n      if (isSuperadminLocal) {\n        baseUsers.push({ email: `admin@${domain}`, roles: ['admin'] })\n        baseUsers.push({ email: `employee@${domain}`, roles: ['employee'] })\n      }\n    }\n    const passwordHash = await resolvePasswordHash(primaryUser)\n\n    await em.transactional(async (tem) => {\n      const tenant = tem.create(Tenant, {\n        name: `${options.orgName} Tenant`,\n        isActive: true,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n      tem.persist(tenant)\n      await tem.flush()\n\n      const organization = tem.create(Organization, {\n        name: options.orgName,\n        tenant,\n        isActive: true,\n        depth: 0,\n        ancestorIds: [],\n        childIds: [],\n        descendantIds: [],\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n      tem.persist(organization)\n      await tem.flush()\n\n      tenantId = String(tenant.id)\n      organizationId = String(organization.id)\n      const roleTenantId = tenantId\n\n      if (isTenantDataEncryptionEnabled()) {\n        try {\n          const kms = createKmsService()\n          if (kms.isHealthy()) {\n            if (isEncryptionDebugEnabled()) {\n              console.info('\uD83D\uDD11 [encryption][setup] provisioning tenant DEK', { tenantId: String(tenant.id) })\n            }\n            await kms.createTenantDek(String(tenant.id))\n            if (isEncryptionDebugEnabled()) {\n              console.info('\uD83D\uDD11 [encryption][setup] created tenant DEK during setup', { tenantId: String(tenant.id) })\n            }\n          } else {\n            if (isEncryptionDebugEnabled()) {\n              console.warn('\u26A0\uFE0F [encryption][setup] KMS not healthy, skipping tenant DEK creation', { tenantId: String(tenant.id) })\n            }\n          }\n        } catch (err) {\n          if (isEncryptionDebugEnabled()) {\n            console.warn('\u26A0\uFE0F [encryption][setup] Failed to create tenant DEK', err)\n          }\n        }\n      }\n\n      await ensureRolesInContext(tem, roleNames, roleTenantId)\n      await tem.flush()\n\n      if (isTenantDataEncryptionEnabled()) {\n        for (const spec of DEFAULT_ENCRYPTION_MAPS) {\n          const existing = await tem.findOne(EncryptionMap, { entityId: spec.entityId, tenantId: tenant.id, organizationId: organization.id, deletedAt: null })\n          if (!existing) {\n            tem.persist(tem.create(EncryptionMap, {\n              entityId: spec.entityId,\n              tenantId: tenant.id,\n              organizationId: organization.id,\n              fieldsJson: spec.fields,\n              isActive: true,\n              createdAt: new Date(),\n              updatedAt: new Date(),\n            }))\n          } else {\n            existing.fieldsJson = spec.fields\n            existing.isActive = true\n          }\n        }\n        await tem.flush()\n      }\n    })\n\n    await em.transactional(async (tem) => {\n      if (!tenantId || !organizationId) return\n      const roleTenantId = tenantId\n      const encryptionService = isTenantDataEncryptionEnabled()\n        ? new TenantDataEncryptionService(tem as any, { kms: createKmsService() })\n        : null\n      if (encryptionService) {\n        await encryptionService.invalidateMap('auth:user', String(tenantId), String(organizationId))\n        await encryptionService.invalidateMap('auth:user', String(tenantId), null)\n      }\n\n      for (const base of baseUsers) {\n        let user = await tem.findOne(User, { email: base.email })\n        const confirm = primaryUser.confirm ?? true\n        const encryptedPayload = encryptionService\n          ? await encryptionService.encryptEntityPayload('auth:user', { email: base.email }, tenantId, organizationId)\n          : { email: base.email, emailHash: computeEmailHash(base.email) }\n        if (user) {\n          user.passwordHash = passwordHash\n          user.organizationId = organizationId\n          user.tenantId = tenantId\n          if (isTenantDataEncryptionEnabled()) {\n            user.email = encryptedPayload.email as any\n            user.emailHash = (encryptedPayload as any).emailHash ?? computeEmailHash(base.email)\n          }\n          if (base.name) user.name = base.name\n          if (confirm) user.isConfirmed = true\n          tem.persist(user)\n          userSnapshots.push({ user, roles: base.roles, created: false })\n        } else {\n          user = tem.create(User, {\n            email: (encryptedPayload as any).email ?? base.email,\n            emailHash: isTenantDataEncryptionEnabled() ? (encryptedPayload as any).emailHash ?? computeEmailHash(base.email) : undefined,\n            passwordHash,\n            organizationId,\n            tenantId,\n            name: base.name ?? undefined,\n            isConfirmed: confirm,\n            createdAt: new Date(),\n          })\n          tem.persist(user)\n          userSnapshots.push({ user, roles: base.roles, created: true })\n        }\n        await tem.flush()\n        for (const roleName of base.roles) {\n          const role = await findRoleByNameOrFail(tem, roleName, roleTenantId)\n          const existingLink = await tem.findOne(UserRole, { user, role })\n          if (!existingLink) tem.persist(tem.create(UserRole, { user, role, createdAt: new Date() }))\n        }\n        await tem.flush()\n      }\n    })\n  }\n\n  if (!tenantId || !organizationId) {\n    throw new Error('SETUP_FAILED')\n  }\n\n  if (!reusedExistingUser) {\n    await rebuildHierarchyForTenant(em, tenantId)\n  }\n\n  await ensureDefaultRoleAcls(em, tenantId, { includeSuperadminRole })\n  await deactivateDemoSuperAdminIfSelfOnboardingEnabled(em)\n  await ensureSalesNumberingDefaults(em, { tenantId, organizationId })\n\n  return {\n    tenantId,\n    organizationId,\n    users: userSnapshots,\n    reusedExistingUser,\n  }\n}\n\nfunction resolvePrimaryName(input: PrimaryUserInput): string | null {\n  if (input.displayName && input.displayName.trim()) return input.displayName.trim()\n  const parts = [input.firstName, input.lastName].map((value) => value?.trim()).filter(Boolean)\n  if (parts.length) return parts.join(' ')\n  return null\n}\n\nasync function resolvePasswordHash(input: PrimaryUserInput): Promise<string | null> {\n  if (typeof input.hashedPassword === 'string') return input.hashedPassword\n  if (input.password) return hash(input.password, 10)\n  return null\n}\n\nasync function ensureDefaultRoleAcls(\n  em: EntityManager,\n  tenantId: string,\n  options: { includeSuperadminRole?: boolean } = {},\n) {\n  const includeSuperadminRole = options.includeSuperadminRole ?? true\n  const roleTenantId = normalizeTenantId(tenantId) ?? null\n  const superadminRole = includeSuperadminRole ? await findRoleByName(em, 'superadmin', roleTenantId) : null\n  const adminRole = await findRoleByName(em, 'admin', roleTenantId)\n  const employeeRole = await findRoleByName(em, 'employee', roleTenantId)\n\n  if (includeSuperadminRole && superadminRole) {\n    await ensureRoleAclFor(em, superadminRole, tenantId, ['directory.tenants.*'], { isSuperAdmin: true })\n  }\n  if (adminRole) {\n    const adminFeatures = [\n      'auth.*',\n      'entities.*',\n      'attachments.*',\n      'attachments.view',\n      'attachments.manage',\n      'query_index.*',\n      'search.*',\n      'vector.*',\n      'feature_toggles.*',\n      'configs.system_status.view',\n      'configs.cache.view',\n      'configs.cache.manage',\n      'configs.manage',\n      'catalog.*',\n      'catalog.variants.manage',\n      'catalog.pricing.manage',\n      'sales.*',\n      'audit_logs.*',\n      'directory.organizations.view',\n      'directory.organizations.manage',\n      'customers.*',\n      'customers.people.view',\n      'customers.people.manage',\n      'customers.companies.view',\n      'customers.companies.manage',\n      'customers.deals.view',\n      'customers.deals.manage',\n      'dictionaries.view',\n      'dictionaries.manage',\n      'example.*',\n      'dashboards.*',\n      'dashboards.admin.assign-widgets',\n      'api_keys.*',\n      'notifications.manage',\n      'perspectives.use',\n      'perspectives.role_defaults',\n      'business_rules.*',\n      'workflows.*',\n      'currencies.*',\n      'staff.*',\n      'staff.leave_requests.manage',\n      'resources.*',\n      'planner.*',\n    ]\n    await ensureRoleAclFor(em, adminRole, tenantId, adminFeatures, { remove: ['directory.organizations.*', 'directory.tenants.*'] })\n  }\n  if (employeeRole) {\n    await ensureRoleAclFor(em, employeeRole, tenantId, [\n      'customers.*',\n      'customers.people.view',\n      'customers.people.manage',\n      'customers.companies.view',\n      'customers.companies.manage',\n      'vector.*',\n      'catalog.*',\n      'catalog.variants.manage',\n      'catalog.pricing.manage',\n      'sales.*',\n      'dictionaries.view',\n      'example.*',\n      'example.widgets.*',\n      'dashboards.view',\n      'dashboards.configure',\n      'audit_logs.undo_self',\n      'perspectives.use',\n      'staff.leave_requests.send',\n      'staff.my_availability.view',\n      'staff.my_availability.manage',\n      'staff.my_leave_requests.view',\n      'staff.my_leave_requests.send',\n      'planner.view',\n    ])\n  }\n}\n\nasync function ensureRoleAclFor(\n  em: EntityManager,\n  role: Role,\n  tenantId: string,\n  features: string[],\n  options: { isSuperAdmin?: boolean; remove?: string[] } = {},\n) {\n  const existing = await em.findOne(RoleAcl, { role, tenantId })\n  if (!existing) {\n    const acl = em.create(RoleAcl, {\n      role,\n      tenantId,\n      featuresJson: features,\n      isSuperAdmin: !!options.isSuperAdmin,\n      createdAt: new Date(),\n    })\n    await em.persistAndFlush(acl)\n    return\n  }\n  const currentFeatures = Array.isArray(existing.featuresJson) ? existing.featuresJson : []\n  const merged = Array.from(new Set([...currentFeatures, ...features]))\n  const removeSet = new Set(options.remove ?? [])\n  const sanitized =\n    removeSet.size\n      ? merged.filter((value) => {\n        if (removeSet.has(value)) return false\n        for (const entry of removeSet) {\n          if (entry.endsWith('.*')) {\n            const prefix = entry.slice(0, -1) // keep trailing dot\n            if (value === entry || value.startsWith(prefix)) return false\n          }\n        }\n        return true\n      })\n      : merged\n  const changed =\n    sanitized.length !== currentFeatures.length ||\n    sanitized.some((value, index) => value !== currentFeatures[index])\n  if (changed) existing.featuresJson = sanitized\n  if (options.isSuperAdmin && !existing.isSuperAdmin) {\n    existing.isSuperAdmin = true\n  }\n  if (changed || options.isSuperAdmin) {\n    await em.persistAndFlush(existing)\n  }\n}\n\nasync function deactivateDemoSuperAdminIfSelfOnboardingEnabled(em: EntityManager) {\n  if (process.env.SELF_SERVICE_ONBOARDING_ENABLED !== 'true') return\n  try {\n    const user = await em.findOne(User, { email: DEMO_SUPERADMIN_EMAIL })\n    if (!user) return\n    let dirty = false\n    if (user.passwordHash) {\n      user.passwordHash = null\n      dirty = true\n    }\n    if (user.isConfirmed !== false) {\n      user.isConfirmed = false\n      dirty = true\n    }\n    if (dirty) {\n      await em.persistAndFlush(user)\n    }\n  } catch (error) {\n    console.error('[auth.setup] failed to deactivate demo superadmin user', error)\n  }\n}\n\nasync function ensureSalesNumberingDefaults(\n  em: EntityManager,\n  scope: { tenantId: string; organizationId: string },\n) {\n  const repo = (em as any).getRepository?.(SalesSettings)\n  const findSettings = async () =>\n    repo?.findOne({\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId,\n    }) ??\n    (em as any).findOne?.(SalesSettings, {\n      tenantId: scope.tenantId,\n      organizationId: scope.organizationId,\n    })\n\n  const exists = await findSettings()\n  if (!exists) {\n    const settings =\n      repo?.create?.({\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        orderNumberFormat: DEFAULT_ORDER_NUMBER_FORMAT,\n        quoteNumberFormat: DEFAULT_QUOTE_NUMBER_FORMAT,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      }) ??\n      (em as any).create?.(SalesSettings, {\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        orderNumberFormat: DEFAULT_ORDER_NUMBER_FORMAT,\n        quoteNumberFormat: DEFAULT_QUOTE_NUMBER_FORMAT,\n        createdAt: new Date(),\n        updatedAt: new Date(),\n      })\n    if (settings && (em as any).persist) {\n      em.persist(settings)\n    }\n  }\n\n  const sequenceRepo = (em as any).getRepository?.(SalesDocumentSequence)\n  const kinds: Array<'order' | 'quote'> = ['order', 'quote']\n  for (const kind of kinds) {\n    const seq =\n      sequenceRepo?.findOne({\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        documentKind: kind,\n      }) ??\n      (em as any).findOne?.(SalesDocumentSequence, {\n        tenantId: scope.tenantId,\n        organizationId: scope.organizationId,\n        documentKind: kind,\n      })\n    if (!seq) {\n      const entry =\n        sequenceRepo?.create?.({\n          tenantId: scope.tenantId,\n          organizationId: scope.organizationId,\n          documentKind: kind,\n          currentValue: 0,\n          createdAt: new Date(),\n          updatedAt: new Date(),\n        }) ??\n        (em as any).create?.(SalesDocumentSequence, {\n          tenantId: scope.tenantId,\n          organizationId: scope.organizationId,\n          documentKind: kind,\n          currentValue: 0,\n          createdAt: new Date(),\n          updatedAt: new Date(),\n        })\n      if (entry && (em as any).persist) {\n        em.persist(entry)\n      }\n    }\n  }\n\n  if ((em as any).flush) {\n    await em.flush()\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,YAAY;AAErB,SAAS,MAAM,SAAS,MAAM,gBAAgB;AAC9C,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,yBAAyB;AAClC,SAAS,eAAe,6BAA6B;AACrD;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,wBAAwB;AACjC,SAAS,0BAA0B,qCAAqC;AACxE,SAAS,qBAAqB;AAC9B,SAAS,+BAA+B;AACxC,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,0BAA0B;AAEnC,MAAM,qBAAqB,CAAC,YAAY,SAAS,YAAY;AAC7D,MAAM,wBAAwB;AAO9B,eAAe,qBACb,IACA,WACA,UACA;AACA,aAAW,QAAQ,WAAW;AAC5B,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1D,QAAI,SAAU;AACd,QAAI,aAAa,MAAM;AACrB,YAAM,aAAa,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAClE,UAAI,YAAY;AACd,mBAAW,WAAW;AACtB,WAAG,QAAQ,UAAU;AACrB;AAAA,MACF;AAAA,IACF;AACA,OAAG,QAAQ,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,EACvE;AACF;AAEA,eAAsB,YAAY,IAAmB,UAA8B,CAAC,GAAG;AACrF,QAAM,YAAY,QAAQ,aAAa,CAAC,GAAG,kBAAkB;AAC7D,QAAM,WAAW,kBAAkB,QAAQ,YAAY,IAAI,KAAK;AAChE,QAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,UAAM,qBAAqB,KAAK,WAAW,QAAQ;AACnD,UAAM,IAAI,MAAM;AAAA,EAClB,CAAC;AACH;AAEA,eAAe,eACb,IACA,MACA,UACsB;AACtB,QAAM,mBAAmB,kBAAkB,YAAY,IAAI,KAAK;AAChE,MAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,iBAAiB,CAAC;AACtE,MAAI,CAAC,QAAQ,qBAAqB,MAAM;AACtC,WAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,EACxD;AACA,SAAO;AACT;AAEA,eAAe,qBACb,IACA,MACA,UACe;AACf,QAAM,OAAO,MAAM,eAAe,IAAI,MAAM,QAAQ;AACpD,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,kBAAkB,IAAI,EAAE;AACnD,SAAO;AACT;AA6BA,eAAsB,mBACpB,IACA,SACmC;AACnC,QAAM;AAAA,IACJ;AAAA,IACA,sBAAsB;AAAA,IACtB,mBAAmB;AAAA,IACnB;AAAA,IACA,wBAAwB;AAAA,EAC1B,IAAI;AACJ,QAAM,oBAAoB,oBAAoB,iBAAiB,SAAS,mBAAmB,CAAC,YAAY;AACxG,QAAM,eAAe,wBACjB,oBACA,kBAAkB,OAAO,CAAC,SAAS,SAAS,YAAY;AAC5D,MAAI,aAAa,WAAW,GAAG;AAC7B,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACA,QAAM,mBAAmB,QAAQ,aAAa,CAAC,GAAG,kBAAkB;AACpE,QAAM,oBAAoB,wBACtB,mBACA,iBAAiB,OAAO,CAAC,SAAS,SAAS,YAAY;AAC3D,QAAM,YAAY,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,mBAAmB,GAAG,YAAY,CAAC,CAAC;AAE7E,QAAM,YAAY,YAAY;AAC9B,QAAM,eAAe,MAAM,GAAG,QAAQ,MAAM,EAAE,OAAO,UAAU,CAAC;AAChE,MAAI,gBAAgB,kBAAkB;AACpC,UAAM,IAAI,MAAM,aAAa;AAAA,EAC/B;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI,qBAAqB;AACzB,QAAM,gBAA0E,CAAC;AAEjF,QAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,QAAI,CAAC,aAAc;AACnB,yBAAqB;AACrB,eAAW,aAAa,WAAW,OAAO,aAAa,QAAQ,IAAI;AACnE,qBAAiB,aAAa,iBAAiB,OAAO,aAAa,cAAc,IAAI;AACrF,UAAM,eAAe,kBAAkB,aAAa,YAAY,IAAI,KAAK;AAEzE,UAAM,qBAAqB,KAAK,WAAW,YAAY;AACvD,UAAM,IAAI,MAAM;AAEhB,UAAM,kBAAkB,oBAAI,IAAI,CAAC,GAAG,WAAW,GAAG,YAAY,CAAC;AAC/D,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,aAAa;AAAA,MACrB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,cAAc,gBAAgB,KAAK;AAAA,IACjD;AACA,UAAM,eAAe,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,CAAC;AAChE,eAAW,YAAY,iBAAiB;AACtC,UAAI,CAAC,aAAa,IAAI,QAAQ,GAAG;AAC/B,cAAM,OAAO,MAAM,qBAAqB,KAAK,UAAU,YAAY;AACnE,YAAI,QAAQ,IAAI,OAAO,UAAU,EAAE,MAAM,cAAc,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,MACvF;AAAA,IACF;AACA,UAAM,IAAI,MAAM;AAChB,UAAM,QAAQ,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,cAAc,GAAG,SAAS,CAAC,CAAC;AACjE,kBAAc,KAAK,EAAE,MAAM,cAAc,OAAO,SAAS,MAAM,CAAC;AAAA,EAClE,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,UAAM,YAA6E;AAAA,MACjF,EAAE,OAAO,YAAY,OAAO,OAAO,cAAc,MAAM,mBAAmB,WAAW,EAAE;AAAA,IACzF;AACA,QAAI,qBAAqB;AACvB,YAAM,CAAC,OAAO,MAAM,IAAI,OAAO,YAAY,KAAK,EAAE,MAAM,GAAG;AAC3D,YAAM,qBAAqB,SAAS,IAAI,YAAY,MAAM,gBAAgB,CAAC,CAAC;AAC5E,UAAI,mBAAmB;AACrB,kBAAU,KAAK,EAAE,OAAO,SAAS,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;AAC7D,kBAAU,KAAK,EAAE,OAAO,YAAY,MAAM,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;AAAA,MACrE;AAAA,IACF;AACA,UAAM,eAAe,MAAM,oBAAoB,WAAW;AAE1D,UAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,YAAM,SAAS,IAAI,OAAO,QAAQ;AAAA,QAChC,MAAM,GAAG,QAAQ,OAAO;AAAA,QACxB,UAAU;AAAA,QACV,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,UAAI,QAAQ,MAAM;AAClB,YAAM,IAAI,MAAM;AAEhB,YAAM,eAAe,IAAI,OAAO,cAAc;AAAA,QAC5C,MAAM,QAAQ;AAAA,QACd;AAAA,QACA,UAAU;AAAA,QACV,OAAO;AAAA,QACP,aAAa,CAAC;AAAA,QACd,UAAU,CAAC;AAAA,QACX,eAAe,CAAC;AAAA,QAChB,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,UAAI,QAAQ,YAAY;AACxB,YAAM,IAAI,MAAM;AAEhB,iBAAW,OAAO,OAAO,EAAE;AAC3B,uBAAiB,OAAO,aAAa,EAAE;AACvC,YAAM,eAAe;AAErB,UAAI,8BAA8B,GAAG;AACnC,YAAI;AACF,gBAAM,MAAM,iBAAiB;AAC7B,cAAI,IAAI,UAAU,GAAG;AACnB,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,yDAAkD,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YAChG;AACA,kBAAM,IAAI,gBAAgB,OAAO,OAAO,EAAE,CAAC;AAC3C,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,iEAA0D,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YACxG;AAAA,UACF,OAAO;AACL,gBAAI,yBAAyB,GAAG;AAC9B,sBAAQ,KAAK,kFAAwE,EAAE,UAAU,OAAO,OAAO,EAAE,EAAE,CAAC;AAAA,YACtH;AAAA,UACF;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,yBAAyB,GAAG;AAC9B,oBAAQ,KAAK,gEAAsD,GAAG;AAAA,UACxE;AAAA,QACF;AAAA,MACF;AAEA,YAAM,qBAAqB,KAAK,WAAW,YAAY;AACvD,YAAM,IAAI,MAAM;AAEhB,UAAI,8BAA8B,GAAG;AACnC,mBAAW,QAAQ,yBAAyB;AAC1C,gBAAM,WAAW,MAAM,IAAI,QAAQ,eAAe,EAAE,UAAU,KAAK,UAAU,UAAU,OAAO,IAAI,gBAAgB,aAAa,IAAI,WAAW,KAAK,CAAC;AACpJ,cAAI,CAAC,UAAU;AACb,gBAAI,QAAQ,IAAI,OAAO,eAAe;AAAA,cACpC,UAAU,KAAK;AAAA,cACf,UAAU,OAAO;AAAA,cACjB,gBAAgB,aAAa;AAAA,cAC7B,YAAY,KAAK;AAAA,cACjB,UAAU;AAAA,cACV,WAAW,oBAAI,KAAK;AAAA,cACpB,WAAW,oBAAI,KAAK;AAAA,YACtB,CAAC,CAAC;AAAA,UACJ,OAAO;AACL,qBAAS,aAAa,KAAK;AAC3B,qBAAS,WAAW;AAAA,UACtB;AAAA,QACF;AACA,cAAM,IAAI,MAAM;AAAA,MAClB;AAAA,IACF,CAAC;AAED,UAAM,GAAG,cAAc,OAAO,QAAQ;AACpC,UAAI,CAAC,YAAY,CAAC,eAAgB;AAClC,YAAM,eAAe;AACrB,YAAM,oBAAoB,8BAA8B,IACpD,IAAI,4BAA4B,KAAY,EAAE,KAAK,iBAAiB,EAAE,CAAC,IACvE;AACJ,UAAI,mBAAmB;AACrB,cAAM,kBAAkB,cAAc,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3F,cAAM,kBAAkB,cAAc,aAAa,OAAO,QAAQ,GAAG,IAAI;AAAA,MAC3E;AAEA,iBAAW,QAAQ,WAAW;AAC5B,YAAI,OAAO,MAAM,IAAI,QAAQ,MAAM,EAAE,OAAO,KAAK,MAAM,CAAC;AACxD,cAAM,UAAU,YAAY,WAAW;AACvC,cAAM,mBAAmB,oBACrB,MAAM,kBAAkB,qBAAqB,aAAa,EAAE,OAAO,KAAK,MAAM,GAAG,UAAU,cAAc,IACzG,EAAE,OAAO,KAAK,OAAO,WAAW,iBAAiB,KAAK,KAAK,EAAE;AACjE,YAAI,MAAM;AACR,eAAK,eAAe;AACpB,eAAK,iBAAiB;AACtB,eAAK,WAAW;AAChB,cAAI,8BAA8B,GAAG;AACnC,iBAAK,QAAQ,iBAAiB;AAC9B,iBAAK,YAAa,iBAAyB,aAAa,iBAAiB,KAAK,KAAK;AAAA,UACrF;AACA,cAAI,KAAK,KAAM,MAAK,OAAO,KAAK;AAChC,cAAI,QAAS,MAAK,cAAc;AAChC,cAAI,QAAQ,IAAI;AAChB,wBAAc,KAAK,EAAE,MAAM,OAAO,KAAK,OAAO,SAAS,MAAM,CAAC;AAAA,QAChE,OAAO;AACL,iBAAO,IAAI,OAAO,MAAM;AAAA,YACtB,OAAQ,iBAAyB,SAAS,KAAK;AAAA,YAC/C,WAAW,8BAA8B,IAAK,iBAAyB,aAAa,iBAAiB,KAAK,KAAK,IAAI;AAAA,YACnH;AAAA,YACA;AAAA,YACA;AAAA,YACA,MAAM,KAAK,QAAQ;AAAA,YACnB,aAAa;AAAA,YACb,WAAW,oBAAI,KAAK;AAAA,UACtB,CAAC;AACD,cAAI,QAAQ,IAAI;AAChB,wBAAc,KAAK,EAAE,MAAM,OAAO,KAAK,OAAO,SAAS,KAAK,CAAC;AAAA,QAC/D;AACA,cAAM,IAAI,MAAM;AAChB,mBAAW,YAAY,KAAK,OAAO;AACjC,gBAAM,OAAO,MAAM,qBAAqB,KAAK,UAAU,YAAY;AACnE,gBAAM,eAAe,MAAM,IAAI,QAAQ,UAAU,EAAE,MAAM,KAAK,CAAC;AAC/D,cAAI,CAAC,aAAc,KAAI,QAAQ,IAAI,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,QAC5F;AACA,cAAM,IAAI,MAAM;AAAA,MAClB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,YAAY,CAAC,gBAAgB;AAChC,UAAM,IAAI,MAAM,cAAc;AAAA,EAChC;AAEA,MAAI,CAAC,oBAAoB;AACvB,UAAM,0BAA0B,IAAI,QAAQ;AAAA,EAC9C;AAEA,QAAM,sBAAsB,IAAI,UAAU,EAAE,sBAAsB,CAAC;AACnE,QAAM,gDAAgD,EAAE;AACxD,QAAM,6BAA6B,IAAI,EAAE,UAAU,eAAe,CAAC;AAEnE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP;AAAA,EACF;AACF;AAEA,SAAS,mBAAmB,OAAwC;AAClE,MAAI,MAAM,eAAe,MAAM,YAAY,KAAK,EAAG,QAAO,MAAM,YAAY,KAAK;AACjF,QAAM,QAAQ,CAAC,MAAM,WAAW,MAAM,QAAQ,EAAE,IAAI,CAAC,UAAU,OAAO,KAAK,CAAC,EAAE,OAAO,OAAO;AAC5F,MAAI,MAAM,OAAQ,QAAO,MAAM,KAAK,GAAG;AACvC,SAAO;AACT;AAEA,eAAe,oBAAoB,OAAiD;AAClF,MAAI,OAAO,MAAM,mBAAmB,SAAU,QAAO,MAAM;AAC3D,MAAI,MAAM,SAAU,QAAO,KAAK,MAAM,UAAU,EAAE;AAClD,SAAO;AACT;AAEA,eAAe,sBACb,IACA,UACA,UAA+C,CAAC,GAChD;AACA,QAAM,wBAAwB,QAAQ,yBAAyB;AAC/D,QAAM,eAAe,kBAAkB,QAAQ,KAAK;AACpD,QAAM,iBAAiB,wBAAwB,MAAM,eAAe,IAAI,cAAc,YAAY,IAAI;AACtG,QAAM,YAAY,MAAM,eAAe,IAAI,SAAS,YAAY;AAChE,QAAM,eAAe,MAAM,eAAe,IAAI,YAAY,YAAY;AAEtE,MAAI,yBAAyB,gBAAgB;AAC3C,UAAM,iBAAiB,IAAI,gBAAgB,UAAU,CAAC,qBAAqB,GAAG,EAAE,cAAc,KAAK,CAAC;AAAA,EACtG;AACA,MAAI,WAAW;AACb,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,UAAM,iBAAiB,IAAI,WAAW,UAAU,eAAe,EAAE,QAAQ,CAAC,6BAA6B,qBAAqB,EAAE,CAAC;AAAA,EACjI;AACA,MAAI,cAAc;AAChB,UAAM,iBAAiB,IAAI,cAAc,UAAU;AAAA,MACjD;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,eAAe,iBACb,IACA,MACA,UACA,UACA,UAAyD,CAAC,GAC1D;AACA,QAAM,WAAW,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7D,MAAI,CAAC,UAAU;AACb,UAAM,MAAM,GAAG,OAAO,SAAS;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,cAAc,CAAC,CAAC,QAAQ;AAAA,MACxB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,UAAM,GAAG,gBAAgB,GAAG;AAC5B;AAAA,EACF;AACA,QAAM,kBAAkB,MAAM,QAAQ,SAAS,YAAY,IAAI,SAAS,eAAe,CAAC;AACxF,QAAM,SAAS,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAG,iBAAiB,GAAG,QAAQ,CAAC,CAAC;AACpE,QAAM,YAAY,IAAI,IAAI,QAAQ,UAAU,CAAC,CAAC;AAC9C,QAAM,YACJ,UAAU,OACN,OAAO,OAAO,CAAC,UAAU;AACzB,QAAI,UAAU,IAAI,KAAK,EAAG,QAAO;AACjC,eAAW,SAAS,WAAW;AAC7B,UAAI,MAAM,SAAS,IAAI,GAAG;AACxB,cAAM,SAAS,MAAM,MAAM,GAAG,EAAE;AAChC,YAAI,UAAU,SAAS,MAAM,WAAW,MAAM,EAAG,QAAO;AAAA,MAC1D;AAAA,IACF;AACA,WAAO;AAAA,EACT,CAAC,IACC;AACN,QAAM,UACJ,UAAU,WAAW,gBAAgB,UACrC,UAAU,KAAK,CAAC,OAAO,UAAU,UAAU,gBAAgB,KAAK,CAAC;AACnE,MAAI,QAAS,UAAS,eAAe;AACrC,MAAI,QAAQ,gBAAgB,CAAC,SAAS,cAAc;AAClD,aAAS,eAAe;AAAA,EAC1B;AACA,MAAI,WAAW,QAAQ,cAAc;AACnC,UAAM,GAAG,gBAAgB,QAAQ;AAAA,EACnC;AACF;AAEA,eAAe,gDAAgD,IAAmB;AAChF,MAAI,QAAQ,IAAI,oCAAoC,OAAQ;AAC5D,MAAI;AACF,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,OAAO,sBAAsB,CAAC;AACpE,QAAI,CAAC,KAAM;AACX,QAAI,QAAQ;AACZ,QAAI,KAAK,cAAc;AACrB,WAAK,eAAe;AACpB,cAAQ;AAAA,IACV;AACA,QAAI,KAAK,gBAAgB,OAAO;AAC9B,WAAK,cAAc;AACnB,cAAQ;AAAA,IACV;AACA,QAAI,OAAO;AACT,YAAM,GAAG,gBAAgB,IAAI;AAAA,IAC/B;AAAA,EACF,SAAS,OAAO;AACd,YAAQ,MAAM,0DAA0D,KAAK;AAAA,EAC/E;AACF;AAEA,eAAe,6BACb,IACA,OACA;AACA,QAAM,OAAQ,GAAW,gBAAgB,aAAa;AACtD,QAAM,eAAe,YACnB,MAAM,QAAQ;AAAA,IACZ,UAAU,MAAM;AAAA,IAChB,gBAAgB,MAAM;AAAA,EACxB,CAAC,KACA,GAAW,UAAU,eAAe;AAAA,IACnC,UAAU,MAAM;AAAA,IAChB,gBAAgB,MAAM;AAAA,EACxB,CAAC;AAEH,QAAM,SAAS,MAAM,aAAa;AAClC,MAAI,CAAC,QAAQ;AACX,UAAM,WACJ,MAAM,SAAS;AAAA,MACb,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC,KACA,GAAW,SAAS,eAAe;AAAA,MAClC,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,mBAAmB;AAAA,MACnB,mBAAmB;AAAA,MACnB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACH,QAAI,YAAa,GAAW,SAAS;AACnC,SAAG,QAAQ,QAAQ;AAAA,IACrB;AAAA,EACF;AAEA,QAAM,eAAgB,GAAW,gBAAgB,qBAAqB;AACtE,QAAM,QAAkC,CAAC,SAAS,OAAO;AACzD,aAAW,QAAQ,OAAO;AACxB,UAAM,MACJ,cAAc,QAAQ;AAAA,MACpB,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,cAAc;AAAA,IAChB,CAAC,KACA,GAAW,UAAU,uBAAuB;AAAA,MAC3C,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM;AAAA,MACtB,cAAc;AAAA,IAChB,CAAC;AACH,QAAI,CAAC,KAAK;AACR,YAAM,QACJ,cAAc,SAAS;AAAA,QACrB,UAAU,MAAM;AAAA,QAChB,gBAAgB,MAAM;AAAA,QACtB,cAAc;AAAA,QACd,cAAc;AAAA,QACd,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC,KACA,GAAW,SAAS,uBAAuB;AAAA,QAC1C,UAAU,MAAM;AAAA,QAChB,gBAAgB,MAAM;AAAA,QACtB,cAAc;AAAA,QACd,cAAc;AAAA,QACd,WAAW,oBAAI,KAAK;AAAA,QACpB,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACH,UAAI,SAAU,GAAW,SAAS;AAChC,WAAG,QAAQ,KAAK;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,MAAK,GAAW,OAAO;AACrB,UAAM,GAAG,MAAM;AAAA,EACjB;AACF;",
   "names": []
 }

package/dist/modules/auth/notifications.js

@@ -0,0 +1,112 @@
+const notificationTypes = [
+  {
+    type: "auth.password_reset.requested",
+    module: "auth",
+    titleKey: "auth.notifications.passwordReset.requested.title",
+    bodyKey: "auth.notifications.passwordReset.requested.body",
+    icon: "key",
+    severity: "info",
+    actions: [
+      {
+        id: "view",
+        labelKey: "common.view",
+        variant: "outline",
+        href: "/backend/auth/profile",
+        icon: "external-link"
+      }
+    ],
+    linkHref: "/backend/auth/profile",
+    expiresAfterHours: 24
+  },
+  {
+    type: "auth.password_reset.completed",
+    module: "auth",
+    titleKey: "auth.notifications.passwordReset.completed.title",
+    bodyKey: "auth.notifications.passwordReset.completed.body",
+    icon: "check-circle",
+    severity: "success",
+    actions: [],
+    expiresAfterHours: 72
+  },
+  {
+    type: "auth.account.locked",
+    module: "auth",
+    titleKey: "auth.notifications.account.locked.title",
+    bodyKey: "auth.notifications.account.locked.body",
+    icon: "lock",
+    severity: "warning",
+    actions: [
+      {
+        id: "contact_support",
+        labelKey: "auth.actions.contactSupport",
+        variant: "default",
+        href: "/backend/support",
+        icon: "mail"
+      }
+    ],
+    linkHref: "/backend/support"
+  },
+  {
+    type: "auth.login.new_device",
+    module: "auth",
+    titleKey: "auth.notifications.login.newDevice.title",
+    bodyKey: "auth.notifications.login.newDevice.body",
+    icon: "smartphone",
+    severity: "info",
+    actions: [
+      {
+        id: "view_sessions",
+        labelKey: "auth.actions.viewSessions",
+        variant: "outline",
+        href: "/backend/auth/sessions",
+        icon: "list"
+      }
+    ],
+    linkHref: "/backend/auth/sessions",
+    expiresAfterHours: 168
+    // 7 days
+  },
+  {
+    type: "auth.role.assigned",
+    module: "auth",
+    titleKey: "auth.notifications.role.assigned.title",
+    bodyKey: "auth.notifications.role.assigned.body",
+    icon: "user-plus",
+    severity: "success",
+    actions: [
+      {
+        id: "view_permissions",
+        labelKey: "auth.actions.viewPermissions",
+        variant: "outline",
+        href: "/backend/auth/profile",
+        icon: "shield"
+      }
+    ],
+    linkHref: "/backend/auth/profile",
+    expiresAfterHours: 168
+  },
+  {
+    type: "auth.role.revoked",
+    module: "auth",
+    titleKey: "auth.notifications.role.revoked.title",
+    bodyKey: "auth.notifications.role.revoked.body",
+    icon: "user-minus",
+    severity: "warning",
+    actions: [
+      {
+        id: "view_profile",
+        labelKey: "common.view",
+        variant: "outline",
+        href: "/backend/auth/profile"
+      }
+    ],
+    linkHref: "/backend/auth/profile",
+    expiresAfterHours: 168
+  }
+];
+var notifications_default = notificationTypes;
+export {
+  notifications_default as default,
+  notificationTypes
+};
+//# sourceMappingURL=notifications.js.map

package/dist/modules/auth/notifications.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/auth/notifications.ts"],
+  "sourcesContent": ["import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'\n\nexport const notificationTypes: NotificationTypeDefinition[] = [\n  {\n    type: 'auth.password_reset.requested',\n    module: 'auth',\n    titleKey: 'auth.notifications.passwordReset.requested.title',\n    bodyKey: 'auth.notifications.passwordReset.requested.body',\n    icon: 'key',\n    severity: 'info',\n    actions: [\n      {\n        id: 'view',\n        labelKey: 'common.view',\n        variant: 'outline',\n        href: '/backend/auth/profile',\n        icon: 'external-link',\n      },\n    ],\n    linkHref: '/backend/auth/profile',\n    expiresAfterHours: 24,\n  },\n  {\n    type: 'auth.password_reset.completed',\n    module: 'auth',\n    titleKey: 'auth.notifications.passwordReset.completed.title',\n    bodyKey: 'auth.notifications.passwordReset.completed.body',\n    icon: 'check-circle',\n    severity: 'success',\n    actions: [],\n    expiresAfterHours: 72,\n  },\n  {\n    type: 'auth.account.locked',\n    module: 'auth',\n    titleKey: 'auth.notifications.account.locked.title',\n    bodyKey: 'auth.notifications.account.locked.body',\n    icon: 'lock',\n    severity: 'warning',\n    actions: [\n      {\n        id: 'contact_support',\n        labelKey: 'auth.actions.contactSupport',\n        variant: 'default',\n        href: '/backend/support',\n        icon: 'mail',\n      },\n    ],\n    linkHref: '/backend/support',\n  },\n  {\n    type: 'auth.login.new_device',\n    module: 'auth',\n    titleKey: 'auth.notifications.login.newDevice.title',\n    bodyKey: 'auth.notifications.login.newDevice.body',\n    icon: 'smartphone',\n    severity: 'info',\n    actions: [\n      {\n        id: 'view_sessions',\n        labelKey: 'auth.actions.viewSessions',\n        variant: 'outline',\n        href: '/backend/auth/sessions',\n        icon: 'list',\n      },\n    ],\n    linkHref: '/backend/auth/sessions',\n    expiresAfterHours: 168, // 7 days\n  },\n  {\n    type: 'auth.role.assigned',\n    module: 'auth',\n    titleKey: 'auth.notifications.role.assigned.title',\n    bodyKey: 'auth.notifications.role.assigned.body',\n    icon: 'user-plus',\n    severity: 'success',\n    actions: [\n      {\n        id: 'view_permissions',\n        labelKey: 'auth.actions.viewPermissions',\n        variant: 'outline',\n        href: '/backend/auth/profile',\n        icon: 'shield',\n      },\n    ],\n    linkHref: '/backend/auth/profile',\n    expiresAfterHours: 168,\n  },\n  {\n    type: 'auth.role.revoked',\n    module: 'auth',\n    titleKey: 'auth.notifications.role.revoked.title',\n    bodyKey: 'auth.notifications.role.revoked.body',\n    icon: 'user-minus',\n    severity: 'warning',\n    actions: [\n      {\n        id: 'view_profile',\n        labelKey: 'common.view',\n        variant: 'outline',\n        href: '/backend/auth/profile',\n      },\n    ],\n    linkHref: '/backend/auth/profile',\n    expiresAfterHours: 168,\n  },\n]\n\nexport default notificationTypes\n"],
+  "mappings": "AAEO,MAAM,oBAAkD;AAAA,EAC7D;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA,EACrB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS,CAAC;AAAA,IACV,mBAAmB;AAAA,EACrB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA;AAAA,EACrB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA,EACrB;AAAA,EACA;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA,EACrB;AACF;AAEA,IAAO,wBAAQ;",
+  "names": []
+}

package/dist/modules/auth/services/authService.js

@@ -67,13 +67,13 @@ class AuthService {
   async confirmPasswordReset(token, newPassword) {
     const now = /* @__PURE__ */ new Date();
     const row = await this.em.findOne(PasswordReset, { token });
-    if (!row || row.usedAt && row.usedAt <= now || row.expiresAt <= now) return false;
+    if (!row || row.usedAt && row.usedAt <= now || row.expiresAt <= now) return null;
     const user = await this.em.findOne(User, { id: row.user.id });
-    if (!user) return false;
+    if (!user) return null;
     user.passwordHash = await hash(newPassword, 10);
     row.usedAt = /* @__PURE__ */ new Date();
     await this.em.flush();
-    return true;
+    return user;
   }
 }
 export {

package/dist/modules/auth/services/authService.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/services/authService.ts"],
-  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport crypto from 'node:crypto'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHash = computeEmailHash(email)\n    return this.em.findOne(User, {\n      $or: [\n        { email },\n        { emailHash },\n      ],\n    } as any)\n  }\n\n  async verifyPassword(user: User, password: string) {\n    if (!user.passwordHash) return false\n    return compare(password, user.passwordHash)\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, role: { tenantId: resolvedTenantId } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    return links.map((l) => l.role.name)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<Session> {\n    const token = crypto.randomBytes(32).toString('hex')\n    const sess = this.em.create(Session as any, { user, token, expiresAt, createdAt: new Date() } as any)\n    await this.em.persistAndFlush(sess)\n    return sess as Session\n  }\n\n  async deleteSessionByToken(token: string) {\n    await this.em.nativeDelete(Session, { token })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const sess = await this.em.findOne(Session, { token })\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await this.em.findOne(User, { id: sess.user.id })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const token = crypto.randomBytes(32).toString('hex')\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token, expiresAt, createdAt: new Date() } as any)\n    await this.em.persistAndFlush(row)\n    return { user, token }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string) {\n    const now = new Date()\n    const row = await this.em.findOne(PasswordReset, { token })\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return false\n    const user = await this.em.findOne(User, { id: row.user.id })\n    if (!user) return false\n    user.passwordHash = await hash(newPassword, 10)\n    row.usedAt = new Date()\n    await this.em.flush()\n    return true\n  }\n}\n"],
-  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,OAAO,YAAY;AACnB,SAAS,wBAAwB;AACjC,SAAS,0BAA0B;AAE5B,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,YAAY,iBAAiB,KAAK;AACxC,WAAO,KAAK,GAAG,QAAQ,MAAM;AAAA,MAC3B,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,UAAU;AAAA,MACd;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,eAAe,MAAY,UAAkB;AACjD,QAAI,CAAC,KAAK,aAAc,QAAO;AAC/B,WAAO,QAAQ,UAAU,KAAK,YAAY;AAAA,EAC5C;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,MAAM,EAAE,UAAU,iBAAiB,EAAS;AAAA,MACpD,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AACA,WAAO,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI;AAAA,EACrC;AAAA,EAGA,MAAM,cAAc,MAAY,WAAmC;AACjE,UAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AACnD,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpG,UAAM,KAAK,GAAG,gBAAgB,IAAI;AAClC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,CAAC;AAAA,EAC/C;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,MAAM,CAAC;AACrD,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,MAAM,EAAE,IAAI,KAAK,KAAK,GAAG,CAAC;AAC7D,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AACnD,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACzG,UAAM,KAAK,GAAG,gBAAgB,GAAG;AACjC,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAAqB;AAC7D,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,MAAM,CAAC;AAC1D,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAC9E,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,MAAM,EAAE,IAAI,IAAI,KAAK,GAAG,CAAC;AAC5D,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,QAAI,SAAS,oBAAI,KAAK;AACtB,UAAM,KAAK,GAAG,MAAM;AACpB,WAAO;AAAA,EACT;AACF;",
+  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport crypto from 'node:crypto'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHash = computeEmailHash(email)\n    return this.em.findOne(User, {\n      $or: [\n        { email },\n        { emailHash },\n      ],\n    } as any)\n  }\n\n  async verifyPassword(user: User, password: string) {\n    if (!user.passwordHash) return false\n    return compare(password, user.passwordHash)\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, role: { tenantId: resolvedTenantId } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    return links.map((l) => l.role.name)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<Session> {\n    const token = crypto.randomBytes(32).toString('hex')\n    const sess = this.em.create(Session as any, { user, token, expiresAt, createdAt: new Date() } as any)\n    await this.em.persistAndFlush(sess)\n    return sess as Session\n  }\n\n  async deleteSessionByToken(token: string) {\n    await this.em.nativeDelete(Session, { token })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const sess = await this.em.findOne(Session, { token })\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await this.em.findOne(User, { id: sess.user.id })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const token = crypto.randomBytes(32).toString('hex')\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token, expiresAt, createdAt: new Date() } as any)\n    await this.em.persistAndFlush(row)\n    return { user, token }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {\n    const now = new Date()\n    const row = await this.em.findOne(PasswordReset, { token })\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null\n    const user = await this.em.findOne(User, { id: row.user.id })\n    if (!user) return null\n    user.passwordHash = await hash(newPassword, 10)\n    row.usedAt = new Date()\n    await this.em.flush()\n    return user\n  }\n}\n"],
+  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,OAAO,YAAY;AACnB,SAAS,wBAAwB;AACjC,SAAS,0BAA0B;AAE5B,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,YAAY,iBAAiB,KAAK;AACxC,WAAO,KAAK,GAAG,QAAQ,MAAM;AAAA,MAC3B,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,UAAU;AAAA,MACd;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,eAAe,MAAY,UAAkB;AACjD,QAAI,CAAC,KAAK,aAAc,QAAO;AAC/B,WAAO,QAAQ,UAAU,KAAK,YAAY;AAAA,EAC5C;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,MAAM,EAAE,UAAU,iBAAiB,EAAS;AAAA,MACpD,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AACA,WAAO,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI;AAAA,EACrC;AAAA,EAGA,MAAM,cAAc,MAAY,WAAmC;AACjE,UAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AACnD,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpG,UAAM,KAAK,GAAG,gBAAgB,IAAI;AAClC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,CAAC;AAAA,EAC/C;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,MAAM,CAAC;AACrD,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,MAAM,EAAE,IAAI,KAAK,KAAK,GAAG,CAAC;AAC7D,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AACnD,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACzG,UAAM,KAAK,GAAG,gBAAgB,GAAG;AACjC,WAAO,EAAE,MAAM,MAAM;AAAA,EACvB;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAA2C;AACnF,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,MAAM,CAAC;AAC1D,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAC9E,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,MAAM,EAAE,IAAI,IAAI,KAAK,GAAG,CAAC;AAC5D,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,QAAI,SAAS,oBAAI,KAAK;AACtB,UAAM,KAAK,GAAG,MAAM;AACpB,WAAO;AAAA,EACT;AACF;",
   "names": []
 }

package/dist/modules/business_rules/notifications.js

@@ -0,0 +1,28 @@
+const notificationTypes = [
+  {
+    type: "business_rules.rule.execution_failed",
+    module: "business_rules",
+    titleKey: "businessRules.notifications.rule.executionFailed.title",
+    bodyKey: "businessRules.notifications.rule.executionFailed.body",
+    icon: "alert-triangle",
+    severity: "error",
+    actions: [
+      {
+        id: "view",
+        labelKey: "common.view",
+        variant: "outline",
+        href: "/backend/business-rules/{sourceEntityId}",
+        icon: "external-link"
+      }
+    ],
+    linkHref: "/backend/business-rules/{sourceEntityId}",
+    expiresAfterHours: 168
+    // 7 days
+  }
+];
+var notifications_default = notificationTypes;
+export {
+  notifications_default as default,
+  notificationTypes
+};
+//# sourceMappingURL=notifications.js.map

package/dist/modules/business_rules/notifications.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/business_rules/notifications.ts"],
+  "sourcesContent": ["import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'\n\nexport const notificationTypes: NotificationTypeDefinition[] = [\n  {\n    type: 'business_rules.rule.execution_failed',\n    module: 'business_rules',\n    titleKey: 'businessRules.notifications.rule.executionFailed.title',\n    bodyKey: 'businessRules.notifications.rule.executionFailed.body',\n    icon: 'alert-triangle',\n    severity: 'error',\n    actions: [\n      {\n        id: 'view',\n        labelKey: 'common.view',\n        variant: 'outline',\n        href: '/backend/business-rules/{sourceEntityId}',\n        icon: 'external-link',\n      },\n    ],\n    linkHref: '/backend/business-rules/{sourceEntityId}',\n    expiresAfterHours: 168, // 7 days\n  },\n]\n\nexport default notificationTypes\n"],
+  "mappings": "AAEO,MAAM,oBAAkD;AAAA,EAC7D;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA;AAAA,EACrB;AACF;AAEA,IAAO,wBAAQ;",
+  "names": []
+}

package/dist/modules/business_rules/subscribers/rule-execution-failed-notification.js

@@ -0,0 +1,37 @@
+import { resolveNotificationService } from "../../notifications/lib/notificationService.js";
+import { buildFeatureNotificationFromType } from "../../notifications/lib/notificationBuilder.js";
+import { notificationTypes } from "../notifications.js";
+const metadata = {
+  event: "business_rules.rule.execution_failed",
+  persistent: true,
+  id: "business_rules:rule-execution-failed-notification"
+};
+async function handle(payload, ctx) {
+  try {
+    const notificationService = resolveNotificationService(ctx);
+    const typeDef = notificationTypes.find((type) => type.type === "business_rules.rule.execution_failed");
+    if (!typeDef) return;
+    const notificationInput = buildFeatureNotificationFromType(typeDef, {
+      requiredFeature: "business_rules.manage",
+      bodyVariables: {
+        ruleName: payload.ruleName,
+        entityType: payload.entityType ?? "",
+        errorMessage: payload.errorMessage ?? "Unknown error"
+      },
+      sourceEntityType: "business_rules:rule",
+      sourceEntityId: payload.ruleId,
+      linkHref: `/backend/business-rules/${payload.ruleId}`
+    });
+    await notificationService.createForFeature(notificationInput, {
+      tenantId: payload.tenantId,
+      organizationId: payload.organizationId ?? null
+    });
+  } catch (err) {
+    console.error("[business_rules:rule-execution-failed-notification] Failed to create notification:", err);
+  }
+}
+export {
+  handle as default,
+  metadata
+};
+//# sourceMappingURL=rule-execution-failed-notification.js.map

package/dist/modules/business_rules/subscribers/rule-execution-failed-notification.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/business_rules/subscribers/rule-execution-failed-notification.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveNotificationService } from '../../notifications/lib/notificationService'\nimport { buildFeatureNotificationFromType } from '../../notifications/lib/notificationBuilder'\nimport { notificationTypes } from '../notifications'\n\nexport const metadata = {\n  event: 'business_rules.rule.execution_failed',\n  persistent: true,\n  id: 'business_rules:rule-execution-failed-notification',\n}\n\ntype RuleExecutionFailedPayload = {\n  ruleId: string\n  ruleName: string\n  entityType?: string | null\n  errorMessage?: string | null\n  tenantId: string\n  organizationId?: string | null\n}\n\ntype ResolverContext = {\n  resolve: <T = unknown>(name: string) => T\n}\n\nexport default async function handle(payload: RuleExecutionFailedPayload, ctx: ResolverContext) {\n  try {\n    const notificationService = resolveNotificationService(ctx)\n    const typeDef = notificationTypes.find((type) => type.type === 'business_rules.rule.execution_failed')\n    if (!typeDef) return\n\n    const notificationInput = buildFeatureNotificationFromType(typeDef, {\n      requiredFeature: 'business_rules.manage',\n      bodyVariables: {\n        ruleName: payload.ruleName,\n        entityType: payload.entityType ?? '',\n        errorMessage: payload.errorMessage ?? 'Unknown error',\n      },\n      sourceEntityType: 'business_rules:rule',\n      sourceEntityId: payload.ruleId,\n      linkHref: `/backend/business-rules/${payload.ruleId}`,\n    })\n\n    await notificationService.createForFeature(notificationInput, {\n      tenantId: payload.tenantId,\n      organizationId: payload.organizationId ?? null,\n    })\n  } catch (err) {\n    console.error('[business_rules:rule-execution-failed-notification] Failed to create notification:', err)\n  }\n}\n"],
+  "mappings": "AACA,SAAS,kCAAkC;AAC3C,SAAS,wCAAwC;AACjD,SAAS,yBAAyB;AAE3B,MAAM,WAAW;AAAA,EACtB,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,IAAI;AACN;AAeA,eAAO,OAA8B,SAAqC,KAAsB;AAC9F,MAAI;AACF,UAAM,sBAAsB,2BAA2B,GAAG;AAC1D,UAAM,UAAU,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,sCAAsC;AACrG,QAAI,CAAC,QAAS;AAEd,UAAM,oBAAoB,iCAAiC,SAAS;AAAA,MAClE,iBAAiB;AAAA,MACjB,eAAe;AAAA,QACb,UAAU,QAAQ;AAAA,QAClB,YAAY,QAAQ,cAAc;AAAA,QAClC,cAAc,QAAQ,gBAAgB;AAAA,MACxC;AAAA,MACA,kBAAkB;AAAA,MAClB,gBAAgB,QAAQ;AAAA,MACxB,UAAU,2BAA2B,QAAQ,MAAM;AAAA,IACrD,CAAC;AAED,UAAM,oBAAoB,iBAAiB,mBAAmB;AAAA,MAC5D,UAAU,QAAQ;AAAA,MAClB,gBAAgB,QAAQ,kBAAkB;AAAA,IAC5C,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ,MAAM,sFAAsF,GAAG;AAAA,EACzG;AACF;",
+  "names": []
+}

package/dist/modules/catalog/notifications.js

@@ -0,0 +1,28 @@
+const notificationTypes = [
+  {
+    type: "catalog.product.low_stock",
+    module: "catalog",
+    titleKey: "catalog.notifications.product.lowStock.title",
+    bodyKey: "catalog.notifications.product.lowStock.body",
+    icon: "package-x",
+    severity: "warning",
+    actions: [
+      {
+        id: "view",
+        labelKey: "common.view",
+        variant: "outline",
+        href: "/backend/catalog/products/{sourceEntityId}",
+        icon: "external-link"
+      }
+    ],
+    linkHref: "/backend/catalog/products/{sourceEntityId}",
+    expiresAfterHours: 72
+    // 3 days
+  }
+];
+var notifications_default = notificationTypes;
+export {
+  notifications_default as default,
+  notificationTypes
+};
+//# sourceMappingURL=notifications.js.map

package/dist/modules/catalog/notifications.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/catalog/notifications.ts"],
+  "sourcesContent": ["import type { NotificationTypeDefinition } from '@open-mercato/shared/modules/notifications/types'\n\nexport const notificationTypes: NotificationTypeDefinition[] = [\n  {\n    type: 'catalog.product.low_stock',\n    module: 'catalog',\n    titleKey: 'catalog.notifications.product.lowStock.title',\n    bodyKey: 'catalog.notifications.product.lowStock.body',\n    icon: 'package-x',\n    severity: 'warning',\n    actions: [\n      {\n        id: 'view',\n        labelKey: 'common.view',\n        variant: 'outline',\n        href: '/backend/catalog/products/{sourceEntityId}',\n        icon: 'external-link',\n      },\n    ],\n    linkHref: '/backend/catalog/products/{sourceEntityId}',\n    expiresAfterHours: 72, // 3 days\n  },\n]\n\nexport default notificationTypes\n"],
+  "mappings": "AAEO,MAAM,oBAAkD;AAAA,EAC7D;AAAA,IACE,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,IACV,SAAS;AAAA,MACP;AAAA,QACE,IAAI;AAAA,QACJ,UAAU;AAAA,QACV,SAAS;AAAA,QACT,MAAM;AAAA,QACN,MAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,UAAU;AAAA,IACV,mBAAmB;AAAA;AAAA,EACrB;AACF;AAEA,IAAO,wBAAQ;",
+  "names": []
+}

package/dist/modules/catalog/subscribers/low-stock-notification.js

@@ -0,0 +1,38 @@
+import { resolveNotificationService } from "../../notifications/lib/notificationService.js";
+import { buildFeatureNotificationFromType } from "../../notifications/lib/notificationBuilder.js";
+import { notificationTypes } from "../notifications.js";
+const metadata = {
+  event: "catalog.product.stock_low",
+  persistent: true,
+  id: "catalog:low-stock-notification"
+};
+async function handle(payload, ctx) {
+  try {
+    const notificationService = resolveNotificationService(ctx);
+    const typeDef = notificationTypes.find((type) => type.type === "catalog.product.low_stock");
+    if (!typeDef) return;
+    const notificationInput = buildFeatureNotificationFromType(typeDef, {
+      requiredFeature: "catalog.products.manage",
+      bodyVariables: {
+        productName: payload.productName,
+        sku: payload.sku ?? "",
+        currentStock: String(payload.currentStock),
+        threshold: String(payload.threshold)
+      },
+      sourceEntityType: "catalog:product",
+      sourceEntityId: payload.productId,
+      linkHref: `/backend/catalog/products/${payload.productId}`
+    });
+    await notificationService.createForFeature(notificationInput, {
+      tenantId: payload.tenantId,
+      organizationId: payload.organizationId ?? null
+    });
+  } catch (err) {
+    console.error("[catalog:low-stock-notification] Failed to create notification:", err);
+  }
+}
+export {
+  handle as default,
+  metadata
+};
+//# sourceMappingURL=low-stock-notification.js.map

package/dist/modules/catalog/subscribers/low-stock-notification.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/catalog/subscribers/low-stock-notification.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveNotificationService } from '../../notifications/lib/notificationService'\nimport { buildFeatureNotificationFromType } from '../../notifications/lib/notificationBuilder'\nimport { notificationTypes } from '../notifications'\n\nexport const metadata = {\n  event: 'catalog.product.stock_low',\n  persistent: true,\n  id: 'catalog:low-stock-notification',\n}\n\ntype LowStockPayload = {\n  productId: string\n  productName: string\n  sku?: string | null\n  currentStock: number\n  threshold: number\n  tenantId: string\n  organizationId?: string | null\n}\n\ntype ResolverContext = {\n  resolve: <T = unknown>(name: string) => T\n}\n\nexport default async function handle(payload: LowStockPayload, ctx: ResolverContext) {\n  try {\n    const notificationService = resolveNotificationService(ctx)\n    const typeDef = notificationTypes.find((type) => type.type === 'catalog.product.low_stock')\n    if (!typeDef) return\n\n    const notificationInput = buildFeatureNotificationFromType(typeDef, {\n      requiredFeature: 'catalog.products.manage',\n      bodyVariables: {\n        productName: payload.productName,\n        sku: payload.sku ?? '',\n        currentStock: String(payload.currentStock),\n        threshold: String(payload.threshold),\n      },\n      sourceEntityType: 'catalog:product',\n      sourceEntityId: payload.productId,\n      linkHref: `/backend/catalog/products/${payload.productId}`,\n    })\n\n    await notificationService.createForFeature(notificationInput, {\n      tenantId: payload.tenantId,\n      organizationId: payload.organizationId ?? null,\n    })\n  } catch (err) {\n    console.error('[catalog:low-stock-notification] Failed to create notification:', err)\n  }\n}\n"],
+  "mappings": "AACA,SAAS,kCAAkC;AAC3C,SAAS,wCAAwC;AACjD,SAAS,yBAAyB;AAE3B,MAAM,WAAW;AAAA,EACtB,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,IAAI;AACN;AAgBA,eAAO,OAA8B,SAA0B,KAAsB;AACnF,MAAI;AACF,UAAM,sBAAsB,2BAA2B,GAAG;AAC1D,UAAM,UAAU,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,2BAA2B;AAC1F,QAAI,CAAC,QAAS;AAEd,UAAM,oBAAoB,iCAAiC,SAAS;AAAA,MAClE,iBAAiB;AAAA,MACjB,eAAe;AAAA,QACb,aAAa,QAAQ;AAAA,QACrB,KAAK,QAAQ,OAAO;AAAA,QACpB,cAAc,OAAO,QAAQ,YAAY;AAAA,QACzC,WAAW,OAAO,QAAQ,SAAS;AAAA,MACrC;AAAA,MACA,kBAAkB;AAAA,MAClB,gBAAgB,QAAQ;AAAA,MACxB,UAAU,6BAA6B,QAAQ,SAAS;AAAA,IAC1D,CAAC;AAED,UAAM,oBAAoB,iBAAiB,mBAAmB;AAAA,MAC5D,UAAU,QAAQ;AAAA,MAClB,gBAAgB,QAAQ,kBAAkB;AAAA,IAC5C,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ,MAAM,mEAAmE,GAAG;AAAA,EACtF;AACF;",
+  "names": []
+}

package/dist/modules/configs/cli.js

@@ -1,5 +1,6 @@
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { parseBooleanToken } from "@open-mercato/shared/lib/boolean";
+import { DEFAULT_NOTIFICATION_DELIVERY_CONFIG, NOTIFICATIONS_DELIVERY_CONFIG_KEY } from "../notifications/lib/deliveryConfig.js";
 function envDisablesAutoIndexing() {
   const raw = process.env.DISABLE_VECTOR_SEARCH_AUTOINDEXING;
   if (!raw) return false;
@@ -25,6 +26,11 @@ const restoreDefaults = {
             moduleId: "vector",
             name: "auto_index_enabled",
             value: defaultEnabled
+          },
+          {
+            moduleId: "notifications",
+            name: NOTIFICATIONS_DELIVERY_CONFIG_KEY,
+            value: DEFAULT_NOTIFICATION_DELIVERY_CONFIG
           }
         ],
         { force: true }

package/dist/modules/configs/cli.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/configs/cli.ts"],
-  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { ModuleConfigService } from './lib/module-config-service'\nimport { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\n\nfunction envDisablesAutoIndexing(): boolean {\n  const raw = process.env.DISABLE_VECTOR_SEARCH_AUTOINDEXING\n  if (!raw) return false\n  return parseBooleanToken(raw) === true\n}\n\nconst restoreDefaults: ModuleCli = {\n  command: 'restore-defaults',\n  async run() {\n    const container = await createRequestContainer()\n    try {\n      let service: ModuleConfigService\n      try {\n        service = (container.resolve('moduleConfigService') as ModuleConfigService)\n      } catch {\n        console.error('[configs] moduleConfigService is not registered in the container.')\n        return\n      }\n\n      const disabledByEnv = envDisablesAutoIndexing()\n      const defaultEnabled = !disabledByEnv\n      await service.restoreDefaults(\n        [\n          {\n            moduleId: 'vector',\n            name: 'auto_index_enabled',\n            value: defaultEnabled,\n          },\n        ],\n        { force: true },\n      )\n      console.log(\n        `[configs] Vector auto-indexing default set to ${defaultEnabled ? 'enabled' : 'disabled'}${\n          disabledByEnv ? ' (forced by DISABLE_VECTOR_SEARCH_AUTOINDEXING)' : ''\n        }.`,\n      )\n    } finally {\n      const disposable = container as unknown as { dispose?: () => Promise<void> }\n      if (typeof disposable.dispose === 'function') {\n        await disposable.dispose()\n      }\n    }\n  },\n}\n\nconst help: ModuleCli = {\n  command: 'help',\n  async run() {\n    console.log('Usage: yarn mercato configs restore-defaults')\n    console.log('  Ensures global module configuration defaults exist.')\n  },\n}\n\nexport default [restoreDefaults, help]\n"],
-  "mappings": "AACA,SAAS,8BAA8B;AAEvC,SAAS,yBAAyB;AAElC,SAAS,0BAAmC;AAC1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO;AACjB,SAAO,kBAAkB,GAAG,MAAM;AACpC;AAEA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAI;AACF,UAAI;AACJ,UAAI;AACF,kBAAW,UAAU,QAAQ,qBAAqB;AAAA,MACpD,QAAQ;AACN,gBAAQ,MAAM,mEAAmE;AACjF;AAAA,MACF;AAEA,YAAM,gBAAgB,wBAAwB;AAC9C,YAAM,iBAAiB,CAAC;AACxB,YAAM,QAAQ;AAAA,QACZ;AAAA,UACE;AAAA,YACE,UAAU;AAAA,YACV,MAAM;AAAA,YACN,OAAO;AAAA,UACT;AAAA,QACF;AAAA,QACA,EAAE,OAAO,KAAK;AAAA,MAChB;AACA,cAAQ;AAAA,QACN,iDAAiD,iBAAiB,YAAY,UAAU,GACtF,gBAAgB,oDAAoD,EACtE;AAAA,MACF;AAAA,IACF,UAAE;AACA,YAAM,aAAa;AACnB,UAAI,OAAO,WAAW,YAAY,YAAY;AAC5C,cAAM,WAAW,QAAQ;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AACF;AAEA,MAAM,OAAkB;AAAA,EACtB,SAAS;AAAA,EACT,MAAM,MAAM;AACV,YAAQ,IAAI,8CAA8C;AAC1D,YAAQ,IAAI,uDAAuD;AAAA,EACrE;AACF;AAEA,IAAO,cAAQ,CAAC,iBAAiB,IAAI;",
+  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { ModuleConfigService } from './lib/module-config-service'\nimport { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\nimport { DEFAULT_NOTIFICATION_DELIVERY_CONFIG, NOTIFICATIONS_DELIVERY_CONFIG_KEY } from '../notifications/lib/deliveryConfig'\n\nfunction envDisablesAutoIndexing(): boolean {\n  const raw = process.env.DISABLE_VECTOR_SEARCH_AUTOINDEXING\n  if (!raw) return false\n  return parseBooleanToken(raw) === true\n}\n\nconst restoreDefaults: ModuleCli = {\n  command: 'restore-defaults',\n  async run() {\n    const container = await createRequestContainer()\n    try {\n      let service: ModuleConfigService\n      try {\n        service = (container.resolve('moduleConfigService') as ModuleConfigService)\n      } catch {\n        console.error('[configs] moduleConfigService is not registered in the container.')\n        return\n      }\n\n      const disabledByEnv = envDisablesAutoIndexing()\n      const defaultEnabled = !disabledByEnv\n      await service.restoreDefaults(\n        [\n          {\n            moduleId: 'vector',\n            name: 'auto_index_enabled',\n            value: defaultEnabled,\n          },\n          {\n            moduleId: 'notifications',\n            name: NOTIFICATIONS_DELIVERY_CONFIG_KEY,\n            value: DEFAULT_NOTIFICATION_DELIVERY_CONFIG,\n          },\n        ],\n        { force: true },\n      )\n      console.log(\n        `[configs] Vector auto-indexing default set to ${defaultEnabled ? 'enabled' : 'disabled'}${\n          disabledByEnv ? ' (forced by DISABLE_VECTOR_SEARCH_AUTOINDEXING)' : ''\n        }.`,\n      )\n    } finally {\n      const disposable = container as unknown as { dispose?: () => Promise<void> }\n      if (typeof disposable.dispose === 'function') {\n        await disposable.dispose()\n      }\n    }\n  },\n}\n\nconst help: ModuleCli = {\n  command: 'help',\n  async run() {\n    console.log('Usage: yarn mercato configs restore-defaults')\n    console.log('  Ensures global module configuration defaults exist.')\n  },\n}\n\nexport default [restoreDefaults, help]\n"],
+  "mappings": "AACA,SAAS,8BAA8B;AAEvC,SAAS,yBAAyB;AAClC,SAAS,sCAAsC,yCAAyC;AAExF,SAAS,0BAAmC;AAC1C,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO;AACjB,SAAO,kBAAkB,GAAG,MAAM;AACpC;AAEA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAI;AACF,UAAI;AACJ,UAAI;AACF,kBAAW,UAAU,QAAQ,qBAAqB;AAAA,MACpD,QAAQ;AACN,gBAAQ,MAAM,mEAAmE;AACjF;AAAA,MACF;AAEA,YAAM,gBAAgB,wBAAwB;AAC9C,YAAM,iBAAiB,CAAC;AACxB,YAAM,QAAQ;AAAA,QACZ;AAAA,UACE;AAAA,YACE,UAAU;AAAA,YACV,MAAM;AAAA,YACN,OAAO;AAAA,UACT;AAAA,UACA;AAAA,YACE,UAAU;AAAA,YACV,MAAM;AAAA,YACN,OAAO;AAAA,UACT;AAAA,QACF;AAAA,QACA,EAAE,OAAO,KAAK;AAAA,MAChB;AACA,cAAQ;AAAA,QACN,iDAAiD,iBAAiB,YAAY,UAAU,GACtF,gBAAgB,oDAAoD,EACtE;AAAA,MACF;AAAA,IACF,UAAE;AACA,YAAM,aAAa;AACnB,UAAI,OAAO,WAAW,YAAY,YAAY;AAC5C,cAAM,WAAW,QAAQ;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AACF;AAEA,MAAM,OAAkB;AAAA,EACtB,SAAS;AAAA,EACT,MAAM,MAAM;AACV,YAAQ,IAAI,8CAA8C;AAC1D,YAAQ,IAAI,uDAAuD;AAAA,EACrE;AACF;AAEA,IAAO,cAAQ,CAAC,iBAAiB,IAAI;",
   "names": []
 }

package/dist/modules/customers/commands/deals.js

@@ -28,6 +28,9 @@ import {
 import { CrudHttpError } from "@open-mercato/shared/lib/crud/errors";
 import { E } from "../../../generated/entities.ids.generated.js";
 import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { resolveNotificationService } from "../../notifications/lib/notificationService.js";
+import { buildNotificationFromType } from "../../notifications/lib/notificationBuilder.js";
+import { notificationTypes } from "../notifications.js";
 const DEAL_ENTITY_ID = "customers:customer_deal";
 const dealCrudIndexer = {
   entityType: E.customers.customer_deal
@@ -222,6 +225,7 @@ const updateDealCommand = {
     if (!record) throw new CrudHttpError(404, { error: "Deal not found" });
     ensureTenantScope(ctx, record.tenantId);
     ensureOrganizationScope(ctx, record.organizationId);
+    const previousStatus = record.status;
     if (parsed.title !== void 0) record.title = parsed.title;
     if (parsed.description !== void 0) record.description = parsed.description ?? null;
     if (parsed.status !== void 0) record.status = parsed.status ?? record.status;
@@ -256,6 +260,33 @@ const updateDealCommand = {
       },
       indexer: dealCrudIndexer
     });
+    const newStatus = record.status;
+    const normalizedStatus = newStatus === "win" ? "won" : newStatus === "loose" ? "lost" : newStatus;
+    if (previousStatus !== newStatus && (normalizedStatus === "won" || normalizedStatus === "lost") && record.ownerUserId) {
+      try {
+        const notificationService = resolveNotificationService(ctx.container);
+        const notificationType = normalizedStatus === "won" ? "customers.deal.won" : "customers.deal.lost";
+        const typeDef = notificationTypes.find((type) => type.type === notificationType);
+        if (typeDef) {
+          const valueDisplay = record.valueAmount && record.valueCurrency ? `${record.valueCurrency} ${record.valueAmount}` : "";
+          const notificationInput = buildNotificationFromType(typeDef, {
+            recipientUserId: record.ownerUserId,
+            bodyVariables: {
+              dealTitle: record.title,
+              dealValue: valueDisplay
+            },
+            sourceEntityType: "customers:customer_deal",
+            sourceEntityId: record.id,
+            linkHref: `/backend/customers/deals/${record.id}`
+          });
+          await notificationService.create(notificationInput, {
+            tenantId: record.tenantId,
+            organizationId: record.organizationId
+          });
+        }
+      } catch {
+      }
+    }
     return { dealId: record.id };
   },
   buildLog: async ({ snapshots, ctx }) => {