@open-mercato/core 0.4.2-canary-c71ef83148 → 0.4.2-canary-f821f89ef6

package/src/modules/auth/api/__tests__/login.test.ts

@@ -15,8 +15,6 @@ jest.mock('@open-mercato/shared/lib/di/container', () => ({
   createRequestContainer: async () => ({
     resolve: (_: string) => ({
       findUserByEmail: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
-      findUsersByEmail: async (email: string) => ([{ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }]),
-      findUserByEmailAndTenant: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
       verifyPassword: async () => true,
       getUserRoles: async (_user: any, _tenant: string | null | undefined) => ['admin'],
       updateLastLoginAt: async () => undefined,

package/src/modules/auth/api/admin/nav.ts

@@ -297,16 +297,12 @@ export async function GET(req: Request) {
   const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
   const baseForUser = adoptSidebarDefaults(groupsWithRole)
 
-  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  const preference = effectiveUserId
-    ? await loadSidebarPreference(em, {
-        userId: effectiveUserId,
-        tenantId: auth.tenantId ?? null,
-        organizationId: auth.orgId ?? null,
-        locale,
-      })
-    : null
+  const preference = await loadSidebarPreference(em, {
+    userId: auth.sub,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale,
+  })
 
   const withPreference = applySidebarPreference(baseForUser, preference)
 

package/src/modules/auth/api/login.ts

@@ -17,33 +17,15 @@ export async function POST(req: Request) {
   const email = String(form.get('email') ?? '')
   const password = String(form.get('password') ?? '')
   const remember = parseBooleanToken(form.get('remember')?.toString()) === true
-  const tenantIdRaw = String(form.get('tenantId') ?? form.get('tenant') ?? '').trim()
   const requireRoleRaw = (String(form.get('requireRole') ?? form.get('role') ?? '')).trim()
   const requiredRoles = requireRoleRaw ? requireRoleRaw.split(',').map((s) => s.trim()).filter(Boolean) : []
-  const parsed = userLoginSchema.pick({ email: true, password: true, tenantId: true }).safeParse({
-    email,
-    password,
-    tenantId: tenantIdRaw || undefined,
-  })
+  const parsed = userLoginSchema.pick({ email: true, password: true }).safeParse({ email, password })
   if (!parsed.success) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid credentials') }, { status: 400 })
   }
   const container = await createRequestContainer()
   const auth = (container.resolve('authService') as AuthService)
-  const tenantId = parsed.data.tenantId ?? null
-  let user = null
-  if (tenantId) {
-    user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
-  } else {
-    const users = await auth.findUsersByEmail(parsed.data.email)
-    if (users.length > 1) {
-      return NextResponse.json({
-        ok: false,
-        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
-      }, { status: 400 })
-    }
-    user = users[0] ?? null
-  }
+  const user = await auth.findUserByEmail(parsed.data.email)
   if (!user || !user.passwordHash) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
@@ -53,27 +35,26 @@ export async function POST(req: Request) {
   }
   // Optional role requirement
   if (requiredRoles.length) {
-    const userRoleNames = await auth.getUserRoles(user, tenantId ?? (user.tenantId ? String(user.tenantId) : null))
+    const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
     const authorized = requiredRoles.some(r => userRoleNames.includes(r))
     if (!authorized) {
       return NextResponse.json({ ok: false, error: translate('auth.login.errors.permissionDenied', 'Not authorized for this area') }, { status: 403 })
     }
   }
   await auth.updateLastLoginAt(user)
-  const resolvedTenantId = tenantId ?? (user.tenantId ? String(user.tenantId) : null)
-  const userRoleNames = await auth.getUserRoles(user, resolvedTenantId)
+  const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
   try {
     const eventBus = (container.resolve('eventBus') as EventBus)
     void eventBus.emitEvent('query_index.coverage.warmup', {
-      tenantId: resolvedTenantId,
+      tenantId: user.tenantId ? String(user.tenantId) : null,
     }).catch(() => undefined)
   } catch {
     // optional warmup
   }
   const token = signJwt({ 
     sub: String(user.id), 
-    tenantId: resolvedTenantId, 
-    orgId: user.organizationId ? String(user.organizationId) : null,
+    tenantId: user.tenantId ? String(user.tenantId) : null, 
+    orgId: user.organizationId ? String(user.organizationId) : null, 
     email: user.email, 
     roles: userRoleNames 
   })

package/src/modules/auth/api/reset/confirm.ts

@@ -3,9 +3,6 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
-import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
-import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
-import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via confirmPasswordResetSchema
@@ -18,28 +15,8 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
-  try {
-    const tenantId = user.tenantId ? String(user.tenantId) : null
-    if (tenantId) {
-      const notificationService = resolveNotificationService(c)
-      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
-      if (typeDef) {
-        const notificationInput = buildNotificationFromType(typeDef, {
-          recipientUserId: String(user.id),
-          sourceEntityType: 'auth:user',
-          sourceEntityId: String(user.id),
-        })
-        await notificationService.create(notificationInput, {
-          tenantId,
-          organizationId: user.organizationId ? String(user.organizationId) : null,
-        })
-      }
-    }
-  } catch (err) {
-    console.error('[auth.reset.confirm] Failed to create notification:', err)
-  }
+  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
   return NextResponse.json({ ok: true, redirect: '/login' })
 }
 

package/src/modules/auth/api/reset.ts

@@ -6,9 +6,6 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
-import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
-import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
-import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via requestPasswordResetSchema
@@ -38,26 +35,6 @@ export async function POST(req: Request) {
   }
 
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
-  try {
-    const tenantId = user.tenantId ? String(user.tenantId) : null
-    if (tenantId) {
-      const notificationService = resolveNotificationService(c)
-      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
-      if (typeDef) {
-        const notificationInput = buildNotificationFromType(typeDef, {
-          recipientUserId: String(user.id),
-          sourceEntityType: 'auth:user',
-          sourceEntityId: String(user.id),
-        })
-        await notificationService.create(notificationInput, {
-          tenantId,
-          organizationId: user.organizationId ? String(user.organizationId) : null,
-        })
-      }
-    }
-  } catch (err) {
-    console.error('[auth.reset] Failed to create notification:', err)
-  }
   return NextResponse.json({ ok: true })
 }
 

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,16 +64,12 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  // For API key auth, use userId (the actual user) if available
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  const settings = effectiveUserId
-    ? await loadSidebarPreference(em, {
-        userId: effectiveUserId,
-        tenantId: auth.tenantId ?? null,
-        organizationId: auth.orgId ?? null,
-        locale,
-      })
-    : null
+  const settings = await loadSidebarPreference(em, {
+    userId: auth.sub,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale,
+  })
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -96,11 +92,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings?.groupOrder ?? [],
-      groupLabels: settings?.groupLabels ?? {},
-      itemLabels: settings?.itemLabels ?? {},
-      hiddenItems: settings?.hiddenItems ?? [],
+      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings.groupOrder ?? [],
+      groupLabels: settings.groupLabels ?? {},
+      itemLabels: settings.itemLabels ?? {},
+      hiddenItems: settings.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -110,11 +106,6 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  // For API key auth, use userId (the actual user) if available
-  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
-  if (!effectiveUserId) {
-    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
-  }
 
   let parsedBody: unknown
   try {
@@ -191,7 +182,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: effectiveUserId,
+    userId: auth.sub,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,

package/src/modules/auth/api/users/route.ts

@@ -15,7 +15,6 @@ import type { EntityManager } from '@mikro-orm/postgresql'
 import { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
-import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 const querySchema = z.object({
   id: z.string().uuid().optional(),
@@ -28,11 +27,9 @@ const querySchema = z.object({
 
 const rawBodySchema = z.object({}).passthrough()
 
-const passwordSchema = buildPasswordSchema()
-
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: passwordSchema,
+  password: z.string().min(6),
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional(),
 })
@@ -40,7 +37,7 @@ const userCreateSchema = z.object({
 const userUpdateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: passwordSchema.optional(),
+  password: z.string().min(6).optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional(),
 })

package/src/modules/auth/backend/roles/[id]/edit/page.tsx

@@ -6,7 +6,7 @@ import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
 import { deleteCrud, updateCrud } from '@open-mercato/ui/backend/utils/crud'
 import { collectCustomFieldValues } from '@open-mercato/ui/backend/utils/customFieldValues'
 import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/components/AclEditor'
-import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { E } from '#generated/entities.ids.generated'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
@@ -37,7 +37,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
-  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
 
   React.useEffect(() => {
     if (!id) return
@@ -154,7 +153,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             kind="role"
             targetId={String(id)}
             tenantId={selectedTenantId ?? (initial?.tenantId ?? null)}
-            ref={widgetEditorRef}
           />
         )
         : null),
@@ -193,7 +191,6 @@ export default function EditRolePage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/roles/acl', { roleId: id, tenantId: effectiveTenantId, ...aclData }, {
               errorMessage: t('auth.roles.form.errors.aclUpdate', 'Failed to update role access control'),
             })
-            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/backend/roles/page.tsx

@@ -117,9 +117,9 @@ export default function RolesListPage() {
           onSearchChange={(v) => { setSearch(v); setPage(1) }}
           rowActions={(row) => (
             <RowActions items={[
-              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
-              { id: 'show-users', label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
-              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { label: t('common.edit', 'Edit'), href: `/backend/roles/${row.id}/edit` },
+              { label: t('auth.roles.list.actions.showUsers', 'Show users'), href: `/backend/users?roleId=${encodeURIComponent(row.id)}` },
+              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           sortable

package/src/modules/auth/backend/users/[id]/edit/page.tsx

@@ -10,9 +10,8 @@ import { AclEditor, type AclData } from '@open-mercato/core/modules/auth/compone
 import { OrganizationSelect } from '@open-mercato/core/modules/directory/components/OrganizationSelect'
 import { TenantSelect } from '@open-mercato/core/modules/directory/components/TenantSelect'
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
-import { WidgetVisibilityEditor, type WidgetVisibilityEditorHandle } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
+import { WidgetVisibilityEditor } from '@open-mercato/core/modules/dashboards/components/WidgetVisibilityEditor'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
-import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type EditUserFormValues = {
   email: string
@@ -109,17 +108,6 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const [aclData, setAclData] = React.useState<AclData>({ isSuperAdmin: false, features: [], organizations: null })
   const [customFieldValues, setCustomFieldValues] = React.useState<Record<string, unknown>>({})
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
-  const widgetEditorRef = React.useRef<WidgetVisibilityEditorHandle | null>(null)
-  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
-  const passwordRequirements = React.useMemo(
-    () => formatPasswordRequirements(passwordPolicy, t),
-    [passwordPolicy, t],
-  )
-  const passwordDescription = React.useMemo(() => (
-    passwordRequirements
-      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
-      : undefined
-  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     if (!id) {
@@ -213,12 +201,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      {
-        id: 'password',
-        label: t('auth.users.form.field.password', 'Password'),
-        type: 'text',
-        description: passwordDescription,
-      },
+      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text' },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -268,7 +251,7 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, preloadedTenants, selectedOrgId, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, preloadedTenants, selectedOrgId, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']
@@ -309,7 +292,6 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             targetId={String(id)}
             tenantId={selectedTenantId ?? null}
             organizationId={initialUser?.organizationId ?? null}
-            ref={widgetEditorRef}
           />
         ) : null
       ),
@@ -372,7 +354,6 @@ export default function EditUserPage({ params }: { params?: { id?: string } }) {
             await updateCrud('auth/users/acl', { userId: id, ...aclData }, {
               errorMessage: t('auth.users.form.errors.aclUpdate', 'Failed to update user access control'),
             })
-            await widgetEditorRef.current?.save()
             try { window.dispatchEvent(new Event('om:refresh-sidebar')) } catch {}
           }}
           onDelete={async () => {

package/src/modules/auth/backend/users/create/page.tsx

@@ -11,7 +11,6 @@ import { TenantSelect } from '@open-mercato/core/modules/directory/components/Te
 import { fetchRoleOptions } from '@open-mercato/core/modules/auth/backend/users/roleOptions'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
-import { formatPasswordRequirements, getPasswordPolicy } from '@open-mercato/shared/lib/auth/passwordPolicy'
 
 type CreateUserFormValues = {
   email: string
@@ -85,16 +84,6 @@ export default function CreateUserPage() {
   const [selectedWidgets, setSelectedWidgets] = React.useState<string[]>([])
   const [selectedTenantId, setSelectedTenantId] = React.useState<string | null>(null)
   const [actorIsSuperAdmin, setActorIsSuperAdmin] = React.useState(false)
-  const passwordPolicy = React.useMemo(() => getPasswordPolicy(), [])
-  const passwordRequirements = React.useMemo(
-    () => formatPasswordRequirements(passwordPolicy, t),
-    [passwordPolicy, t],
-  )
-  const passwordDescription = React.useMemo(() => (
-    passwordRequirements
-      ? t('auth.password.requirements.help', 'Password requirements: {requirements}', { requirements: passwordRequirements })
-      : undefined
-  ), [passwordRequirements, t])
 
   React.useEffect(() => {
     let cancelled = false
@@ -167,13 +156,7 @@ export default function CreateUserPage() {
   const fields: CrudField[] = React.useMemo(() => {
     const items: CrudField[] = [
       { id: 'email', label: t('auth.users.form.field.email', 'Email'), type: 'text', required: true },
-      {
-        id: 'password',
-        label: t('auth.users.form.field.password', 'Password'),
-        type: 'text',
-        required: true,
-        description: passwordDescription,
-      },
+      { id: 'password', label: t('auth.users.form.field.password', 'Password'), type: 'text', required: true },
     ]
     if (actorIsSuperAdmin) {
       items.push({
@@ -220,7 +203,7 @@ export default function CreateUserPage() {
     })
     items.push({ id: 'roles', label: t('auth.users.form.field.roles', 'Roles'), type: 'tags', loadOptions: loadRoleOptions })
     return items
-  }, [actorIsSuperAdmin, loadRoleOptions, passwordDescription, selectedTenantId, t])
+  }, [actorIsSuperAdmin, loadRoleOptions, selectedTenantId, t])
 
   const detailFieldIds = React.useMemo(() => {
     const base: string[] = ['email', 'password', 'organizationId', 'roles']

package/src/modules/auth/backend/users/page.tsx

@@ -383,9 +383,9 @@ export default function UsersListPage() {
           perspective={{ tableId: 'auth.users.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { id: 'edit', label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
-              { id: 'show-roles', label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
-              { id: 'delete', label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { label: t('common.edit', 'Edit'), href: `/backend/users/${row.id}/edit` },
+              { label: t('auth.users.list.actions.showRoles', 'Show roles'), href: `/backend/roles?userId=${encodeURIComponent(row.id)}` },
+              { label: t('common.delete', 'Delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 50, total, totalPages, onPageChange: setPage }}

package/src/modules/auth/cli.ts

@@ -16,8 +16,6 @@ import { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { env } from 'process'
 import type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'
 import crypto from 'node:crypto'
-import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'
-import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const addUser: ModuleCli = {
   command: 'add-user',
@@ -36,7 +34,6 @@ const addUser: ModuleCli = {
       console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')
       return
     }
-    if (!ensurePasswordPolicy(password)) return
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any
     const org =
@@ -105,16 +102,6 @@ function hashSecret(value: string | null | undefined): string | null {
   return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)
 }
 
-function ensurePasswordPolicy(password: string): boolean {
-  const policy = getPasswordPolicy()
-  const result = validatePassword(password, policy)
-  if (result.ok) return true
-  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)
-  const suffix = requirements ? `: ${requirements}` : ''
-  console.error(`Password does not meet the requirements${suffix}.`)
-  return false
-}
-
 async function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {
   const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG
   process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'
@@ -405,33 +392,20 @@ const addOrganization: ModuleCli = {
 const setupApp: ModuleCli = {
   command: 'setup',
   async run(rest) {
-    const args = parseArgs(rest)
-    const orgName = typeof args.orgName === 'string'
-      ? args.orgName
-      : typeof args.name === 'string'
-        ? args.name
-        : undefined
-    const email = typeof args.email === 'string' ? args.email : undefined
-    const password = typeof args.password === 'string' ? args.password : undefined
-    const rolesCsv = typeof args.roles === 'string'
-      ? args.roles.trim()
-      : 'superadmin,admin,employee'
-    const skipPasswordPolicyRaw =
-      args['skip-password-policy'] ??
-      args.skipPasswordPolicy ??
-      args['allow-weak-password'] ??
-      args.allowWeakPassword
-    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'
-      ? skipPasswordPolicyRaw
-      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false
+    const args: Record<string, string> = {}
+    for (let i = 0; i < rest.length; i += 2) {
+      const k = rest[i]?.replace(/^--/, '')
+      const v = rest[i + 1]
+      if (k) args[k] = v
+    }
+    const orgName = args.orgName || args.name
+    const email = args.email
+    const password = args.password
+    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()
     if (!orgName || !email || !password) {
-      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')
+      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')
       return
     }
-    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return
-    if (skipPasswordPolicy) {
-      console.warn('⚠️  Password policy validation skipped for setup.')
-    }
     const { resolve } = await createRequestContainer()
     const em = resolve<EntityManager>('em')
     const roleNames = rolesCsv
@@ -621,7 +595,6 @@ const setPassword: ModuleCli = {
       console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')
       return
     }
-    if (!ensurePasswordPolicy(password)) return
     
     const { resolve } = await createRequestContainer()
     const em = resolve('em') as any