@open-mercato/core 0.4.2-canary-c71ef83148 → 0.4.2-canary-f821f89ef6

package/src/modules/auth/i18n/es.json

@@ -2,26 +2,12 @@
   "auth.signIn": "Iniciar sesión",
   "auth.email": "Correo electrónico",
   "auth.password": "Contraseña",
-  "auth.password.requirements.help": "Requisitos de la contraseña: {requirements}",
-  "auth.password.requirements.minLength": "Al menos {min} caracteres",
-  "auth.password.requirements.digit": "Un número",
-  "auth.password.requirements.uppercase": "Una letra mayúscula",
-  "auth.password.requirements.special": "Un carácter especial",
-  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Enviar enlace de restablecimiento",
   "auth.resetPassword": "Restablecer contraseña",
-  "auth.reset.title": "Establecer una nueva contraseña",
-  "auth.reset.subtitle": "Elige una contraseña segura para tu cuenta.",
-  "auth.reset.form.password": "Nueva contraseña",
-  "auth.reset.form.loading": "...",
-  "auth.reset.form.submit": "Actualizar contraseña",
-  "auth.reset.errors.failed": "No se pudo restablecer la contraseña",
   "auth.usersRoles": "Usuarios y roles",
   "auth.manageAuthSettings": "Administra la configuración de autenticación.",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
-  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
-  "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
   "auth.login.errors.generic": "Se produjo un error. Inténtalo de nuevo.",
   "auth.login.logoAlt": "Logotipo de Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -29,9 +15,6 @@
   "auth.login.requireRoleMessage": "El acceso requiere el rol: {roles}",
   "auth.login.requireRolesMessage": "El acceso requiere uno de los siguientes roles: {roles}",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
-  "auth.login.tenantBanner": "Estás iniciando sesión en el inquilino {tenant}.",
-  "auth.login.tenantLoading": "Cargando detalles del inquilino...",
-  "auth.login.tenantClear": "Borrar",
   "auth.login.rememberMe": "Recordarme",
   "auth.login.loading": "Cargando...",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",
@@ -97,21 +80,6 @@
   "auth.users.form.errors.load": "No se pudieron cargar los datos del usuario",
   "auth.users.form.errors.aclUpdate": "No se pudo actualizar el control de acceso del usuario",
   "auth.users.form.errors.delete": "No se pudo eliminar el usuario",
-  "auth.profile.title": "Perfil",
-  "auth.profile.subtitle": "Cambiar contraseña",
-  "auth.profile.form.email": "Correo electrónico",
-  "auth.profile.form.password": "Nueva contraseña",
-  "auth.profile.form.confirmPassword": "Confirmar nueva contraseña",
-  "auth.profile.form.save": "Guardar cambios",
-  "auth.profile.form.loading": "Cargando perfil...",
-  "auth.profile.form.errors.load": "No se pudo cargar el perfil.",
-  "auth.profile.form.errors.save": "No se pudo actualizar el perfil.",
-  "auth.profile.form.errors.invalid": "Actualización de perfil inválida.",
-  "auth.profile.form.errors.passwordMismatch": "Las contraseñas no coinciden.",
-  "auth.profile.form.errors.passwordRequirements": "La contraseña debe cumplir los requisitos.",
-  "auth.profile.form.errors.noChanges": "No hay cambios para guardar.",
-  "auth.profile.form.errors.emailRequired": "El correo electrónico es obligatorio.",
-  "auth.profile.form.success": "Perfil actualizado.",
   "auth.users.list.error.load": "No se pudieron cargar los usuarios",
   "auth.users.list.error.delete": "No se pudo eliminar el usuario",
   "auth.users.flash.created": "Usuario creado",
@@ -127,20 +95,5 @@
   "auth.email.resetPassword.title": "Restablecer tu contraseña",
   "auth.email.resetPassword.body": "Haz clic en el siguiente enlace para establecer una nueva contraseña. Este enlace caducará en 60 minutos.",
   "auth.email.resetPassword.cta": "Establecer nueva contraseña",
-  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura.",
-  "auth.notifications.passwordReset.requested.title": "Solicitud de restablecimiento de contraseña",
-  "auth.notifications.passwordReset.requested.body": "Se ha enviado un enlace de restablecimiento de contraseña a tu correo electrónico",
-  "auth.notifications.passwordReset.completed.title": "Contraseña cambiada correctamente",
-  "auth.notifications.passwordReset.completed.body": "Tu contraseña se actualizó correctamente",
-  "auth.notifications.account.locked.title": "Cuenta bloqueada",
-  "auth.notifications.account.locked.body": "Tu cuenta ha sido bloqueada por razones de seguridad. Ponte en contacto con soporte.",
-  "auth.notifications.login.newDevice.title": "Nuevo inicio de sesión detectado",
-  "auth.notifications.login.newDevice.body": "Se detectó un inicio de sesión desde un dispositivo no reconocido en tu cuenta",
-  "auth.notifications.role.assigned.title": "Nuevo rol asignado",
-  "auth.notifications.role.assigned.body": "Se te ha asignado un nuevo rol con permisos adicionales",
-  "auth.notifications.role.revoked.title": "Rol eliminado",
-  "auth.notifications.role.revoked.body": "Se ha eliminado un rol de tu cuenta",
-  "auth.actions.contactSupport": "Contactar soporte",
-  "auth.actions.viewSessions": "Ver sesiones",
-  "auth.actions.viewPermissions": "Ver permisos"
+  "auth.email.resetPassword.hint": "Si no solicitaste esto, puedes ignorar este correo de forma segura."
 }

package/src/modules/auth/i18n/pl.json

@@ -2,26 +2,12 @@
   "auth.signIn": "Zaloguj się",
   "auth.email": "Email",
   "auth.password": "Hasło",
-  "auth.password.requirements.help": "Wymagania hasła: {requirements}",
-  "auth.password.requirements.minLength": "Co najmniej {min} znaków",
-  "auth.password.requirements.digit": "Jedna cyfra",
-  "auth.password.requirements.uppercase": "Jedna wielka litera",
-  "auth.password.requirements.special": "Jeden znak specjalny",
-  "auth.password.requirements.separator": ", ",
   "auth.sendResetLink": "Wyślij link resetujący",
   "auth.resetPassword": "Resetuj hasło",
-  "auth.reset.title": "Ustaw nowe hasło",
-  "auth.reset.subtitle": "Wybierz silne hasło dla swojego konta.",
-  "auth.reset.form.password": "Nowe hasło",
-  "auth.reset.form.loading": "...",
-  "auth.reset.form.submit": "Zaktualizuj hasło",
-  "auth.reset.errors.failed": "Nie udało się zresetować hasła",
   "auth.usersRoles": "Użytkownicy i role",
   "auth.manageAuthSettings": "Zarządzaj ustawieniami uwierzytelniania.",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
-  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
-  "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
   "auth.login.errors.generic": "Wystąpił błąd. Spróbuj ponownie.",
   "auth.login.logoAlt": "Logo Open Mercato",
   "auth.login.brandName": "Open Mercato",
@@ -29,9 +15,6 @@
   "auth.login.requireRoleMessage": "Dostęp wymaga roli: {roles}",
   "auth.login.requireRolesMessage": "Dostęp wymaga jednej z następujących ról: {roles}",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
-  "auth.login.tenantBanner": "Logujesz się do najemcy {tenant}.",
-  "auth.login.tenantLoading": "Ładowanie szczegółów najemcy...",
-  "auth.login.tenantClear": "Wyczyść",
   "auth.login.rememberMe": "Zapamiętaj mnie",
   "auth.login.loading": "Ładowanie...",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",
@@ -97,21 +80,6 @@
   "auth.users.form.errors.load": "Nie udało się wczytać danych użytkownika",
   "auth.users.form.errors.aclUpdate": "Nie udało się zaktualizować uprawnień użytkownika",
   "auth.users.form.errors.delete": "Nie udało się usunąć użytkownika",
-  "auth.profile.title": "Profil",
-  "auth.profile.subtitle": "Zmiana hasła",
-  "auth.profile.form.email": "Email",
-  "auth.profile.form.password": "Nowe hasło",
-  "auth.profile.form.confirmPassword": "Potwierdź nowe hasło",
-  "auth.profile.form.save": "Zapisz zmiany",
-  "auth.profile.form.loading": "Ładowanie profilu...",
-  "auth.profile.form.errors.load": "Nie udało się wczytać profilu.",
-  "auth.profile.form.errors.save": "Nie udało się zaktualizować profilu.",
-  "auth.profile.form.errors.invalid": "Nieprawidłowa aktualizacja profilu.",
-  "auth.profile.form.errors.passwordMismatch": "Hasła nie są zgodne.",
-  "auth.profile.form.errors.passwordRequirements": "Hasło musi spełniać wymagania.",
-  "auth.profile.form.errors.noChanges": "Brak zmian do zapisania.",
-  "auth.profile.form.errors.emailRequired": "Email jest wymagany.",
-  "auth.profile.form.success": "Profil zaktualizowany.",
   "auth.users.list.error.load": "Nie udało się wczytać użytkowników",
   "auth.users.list.error.delete": "Nie udało się usunąć użytkownika",
   "auth.users.flash.created": "Użytkownik utworzony",
@@ -127,20 +95,5 @@
   "auth.email.resetPassword.title": "Zresetuj swoje hasło",
   "auth.email.resetPassword.body": "Kliknij poniższy link, aby ustawić nowe hasło. Link wygaśnie za 60 minut.",
   "auth.email.resetPassword.cta": "Ustaw nowe hasło",
-  "auth.email.resetPassword.hint": "Jeśli nie prosiłeś o tę wiadomość, możesz ją bezpiecznie zignorować.",
-  "auth.notifications.passwordReset.requested.title": "Żądanie resetu hasła",
-  "auth.notifications.passwordReset.requested.body": "Link do resetu hasła został wysłany na Twój adres e-mail",
-  "auth.notifications.passwordReset.completed.title": "Hasło zmienione pomyślnie",
-  "auth.notifications.passwordReset.completed.body": "Twoje hasło zostało pomyślnie zaktualizowane",
-  "auth.notifications.account.locked.title": "Konto zablokowane",
-  "auth.notifications.account.locked.body": "Twoje konto zostało zablokowane z powodów bezpieczeństwa. Skontaktuj się z pomocą techniczną.",
-  "auth.notifications.login.newDevice.title": "Wykryto logowanie z nowego urządzenia",
-  "auth.notifications.login.newDevice.body": "Wykryto logowanie z nieznanego urządzenia na Twoim koncie",
-  "auth.notifications.role.assigned.title": "Przypisano nową rolę",
-  "auth.notifications.role.assigned.body": "Przypisano Ci nową rolę z dodatkowymi uprawnieniami",
-  "auth.notifications.role.revoked.title": "Rola usunięta",
-  "auth.notifications.role.revoked.body": "Z Twojego konta usunięto rolę",
-  "auth.actions.contactSupport": "Skontaktuj się z pomocą",
-  "auth.actions.viewSessions": "Zobacz sesje",
-  "auth.actions.viewPermissions": "Zobacz uprawnienia"
+  "auth.email.resetPassword.hint": "Jeśli nie prosiłeś o tę wiadomość, możesz ją bezpiecznie zignorować."
 }

package/src/modules/auth/lib/setup-app.ts

@@ -16,7 +16,6 @@ import { DEFAULT_ENCRYPTION_MAPS } from '@open-mercato/core/modules/entities/lib
 import { createKmsService } from '@open-mercato/shared/lib/encryption/kms'
 import { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
-import { parseBooleanToken } from '@open-mercato/shared/lib/boolean'
 
 const DEFAULT_ROLE_NAMES = ['employee', 'admin', 'superadmin'] as const
 const DEMO_SUPERADMIN_EMAIL = 'superadmin@acme.com'
@@ -88,11 +87,6 @@ type PrimaryUserInput = {
   confirm?: boolean
 }
 
-const DERIVED_EMAIL_ENV = {
-  admin: 'OM_INIT_ADMIN_EMAIL',
-  employee: 'OM_INIT_EMPLOYEE_EMAIL',
-} as const
-
 export type SetupInitialTenantOptions = {
   orgName: string
   primaryUser: PrimaryUserInput
@@ -176,28 +170,16 @@ export async function setupInitialTenant(
   })
 
   if (!existingUser) {
-    const baseUsers: Array<{
-      email: string
-      roles: string[]
-      name?: string | null
-      passwordHash?: string | null
-    }> = [
+    const baseUsers: Array<{ email: string; roles: string[]; name?: string | null }> = [
       { email: primaryUser.email, roles: primaryRoles, name: resolvePrimaryName(primaryUser) },
     ]
     if (includeDerivedUsers) {
-      const [, domain] = String(primaryUser.email).split('@')
-      const adminOverride = readEnvValue(DERIVED_EMAIL_ENV.admin)
-      const employeeOverride = readEnvValue(DERIVED_EMAIL_ENV.employee)
-      const adminEmail = adminOverride ?? (domain ? `admin@${domain}` : '')
-      const employeeEmail = employeeOverride ?? (domain ? `employee@${domain}` : '')
-      const adminPassword = readEnvValue('OM_INIT_ADMIN_PASSWORD')
-      const employeePassword = readEnvValue('OM_INIT_EMPLOYEE_PASSWORD')
-      const adminPasswordHash = adminPassword ? await resolvePasswordHash({ email: adminEmail, password: adminPassword }) : null
-      const employeePasswordHash = employeePassword
-        ? await resolvePasswordHash({ email: employeeEmail, password: employeePassword })
-        : null
-      addUniqueBaseUser(baseUsers, { email: adminEmail, roles: ['admin'], passwordHash: adminPasswordHash })
-      addUniqueBaseUser(baseUsers, { email: employeeEmail, roles: ['employee'], passwordHash: employeePasswordHash })
+      const [local, domain] = String(primaryUser.email).split('@')
+      const isSuperadminLocal = (local || '').toLowerCase() === 'superadmin' && !!domain
+      if (isSuperadminLocal) {
+        baseUsers.push({ email: `admin@${domain}`, roles: ['admin'] })
+        baseUsers.push({ email: `employee@${domain}`, roles: ['employee'] })
+      }
     }
     const passwordHash = await resolvePasswordHash(primaryUser)
 
@@ -289,14 +271,13 @@ export async function setupInitialTenant(
       }
 
       for (const base of baseUsers) {
-        const resolvedPasswordHash = base.passwordHash ?? passwordHash
         let user = await tem.findOne(User, { email: base.email })
         const confirm = primaryUser.confirm ?? true
         const encryptedPayload = encryptionService
           ? await encryptionService.encryptEntityPayload('auth:user', { email: base.email }, tenantId, organizationId)
           : { email: base.email, emailHash: computeEmailHash(base.email) }
         if (user) {
-          user.passwordHash = resolvedPasswordHash
+          user.passwordHash = passwordHash
           user.organizationId = organizationId
           user.tenantId = tenantId
           if (isTenantDataEncryptionEnabled()) {
@@ -311,7 +292,7 @@ export async function setupInitialTenant(
           user = tem.create(User, {
             email: (encryptedPayload as any).email ?? base.email,
             emailHash: isTenantDataEncryptionEnabled() ? (encryptedPayload as any).emailHash ?? computeEmailHash(base.email) : undefined,
-            passwordHash: resolvedPasswordHash,
+            passwordHash,
             organizationId,
             tenantId,
             name: base.name ?? undefined,
@@ -359,34 +340,6 @@ function resolvePrimaryName(input: PrimaryUserInput): string | null {
   return null
 }
 
-function readEnvValue(key: string): string | undefined {
-  const value = process.env[key]
-  if (typeof value !== 'string') return undefined
-  const trimmed = value.trim()
-  return trimmed.length > 0 ? trimmed : undefined
-}
-
-function addUniqueBaseUser(
-  baseUsers: Array<{ email: string; roles: string[]; name?: string | null; passwordHash?: string | null }>,
-  entry: { email: string; roles: string[]; name?: string | null; passwordHash?: string | null },
-) {
-  if (!entry.email) return
-  const normalized = entry.email.toLowerCase()
-  if (baseUsers.some((user) => user.email.toLowerCase() === normalized)) return
-  baseUsers.push(entry)
-}
-
-function isDemoModeEnabled(): boolean {
-  const parsed = parseBooleanToken(process.env.DEMO_MODE ?? '')
-  return parsed === false ? false : true
-}
-
-function shouldKeepDemoSuperadminDuringInit(): boolean {
-  if (process.env.OM_INIT_FLOW !== 'true') return false
-  if (!readEnvValue('OM_INIT_SUPERADMIN_EMAIL')) return false
-  return isDemoModeEnabled()
-}
-
 async function resolvePasswordHash(input: PrimaryUserInput): Promise<string | null> {
   if (typeof input.hashedPassword === 'string') return input.hashedPassword
   if (input.password) return hash(input.password, 10)
@@ -443,7 +396,6 @@ async function ensureDefaultRoleAcls(
       'dashboards.admin.assign-widgets',
       'analytics.view',
       'api_keys.*',
-      'notifications.manage',
       'perspectives.use',
       'perspectives.role_defaults',
       'business_rules.*',
@@ -535,7 +487,6 @@ async function ensureRoleAclFor(
 
 async function deactivateDemoSuperAdminIfSelfOnboardingEnabled(em: EntityManager) {
   if (process.env.SELF_SERVICE_ONBOARDING_ENABLED !== 'true') return
-  if (shouldKeepDemoSuperadminDuringInit()) return
   try {
     const user = await em.findOne(User, { email: DEMO_SUPERADMIN_EMAIL })
     if (!user) return

package/src/modules/auth/services/authService.ts

@@ -18,29 +18,6 @@ export class AuthService {
     } as any)
   }
 
-  async findUsersByEmail(email: string) {
-    const emailHash = computeEmailHash(email)
-    return this.em.find(User, {
-      deletedAt: null,
-      $or: [
-        { email },
-        { emailHash },
-      ],
-    } as any)
-  }
-
-  async findUserByEmailAndTenant(email: string, tenantId: string) {
-    const emailHash = computeEmailHash(email)
-    return this.em.findOne(User, {
-      tenantId,
-      deletedAt: null,
-      $or: [
-        { email },
-        { emailHash },
-      ],
-    } as any)
-  }
-
   async verifyPassword(user: User, password: string) {
     if (!user.passwordHash) return false
     return compare(password, user.passwordHash)
@@ -98,15 +75,15 @@ export class AuthService {
     return { user, token }
   }
 
-  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {
+  async confirmPasswordReset(token: string, newPassword: string) {
     const now = new Date()
     const row = await this.em.findOne(PasswordReset, { token })
-    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null
+    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return false
     const user = await this.em.findOne(User, { id: row.user.id })
-    if (!user) return null
+    if (!user) return false
     user.passwordHash = await hash(newPassword, 10)
     row.usedAt = new Date()
     await this.em.flush()
-    return user
+    return true
   }
 }

package/src/modules/business_rules/api/execute/[ruleId]/route.ts

@@ -0,0 +1,163 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import * as ruleEngine from '../../../lib/rule-engine'
+
+const executeByIdRequestSchema = z.object({
+  data: z.any(),
+  dryRun: z.boolean().optional().default(false),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+
+const executeByIdResponseSchema = z.object({
+  success: z.boolean(),
+  ruleId: z.string(),
+  ruleName: z.string(),
+  conditionResult: z.boolean(),
+  actionsExecuted: z.object({
+    success: z.boolean(),
+    results: z.array(z.object({
+      type: z.string(),
+      success: z.boolean(),
+      error: z.string().optional(),
+    })),
+  }).nullable(),
+  executionTime: z.number(),
+  error: z.string().optional(),
+  logId: z.string().optional(),
+})
+
+const errorResponseSchema = z.object({
+  error: z.string(),
+})
+
+const routeMetadata = {
+  POST: { requireAuth: true, requireFeatures: ['business_rules.execute'] },
+}
+
+export const metadata = routeMetadata
+
+interface RouteContext {
+  params: Promise<{ ruleId: string }>
+}
+
+export async function POST(req: Request, context: RouteContext) {
+  const auth = await getAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const params = await context.params
+  const ruleId = params.ruleId
+
+  if (!ruleId || !z.uuid().safeParse(ruleId).success) {
+    return NextResponse.json({ error: 'Invalid rule ID' }, { status: 400 })
+  }
+
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as EntityManager
+
+  let body: any
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+
+  const parsed = executeByIdRequestSchema.safeParse(body)
+  if (!parsed.success) {
+    const errors = parsed.error.issues.map(e => `${e.path.join('.')}: ${e.message}`)
+    return NextResponse.json({ error: `Validation failed: ${errors.join(', ')}` }, { status: 400 })
+  }
+
+  const { data, dryRun, entityType, entityId, eventType } = parsed.data
+
+  const execContext: ruleEngine.DirectRuleExecutionContext = {
+    ruleId,
+    data,
+    user: {
+      id: auth.sub,
+      email: auth.email,
+      role: (auth.role as string) ?? undefined,
+    },
+    tenantId: auth.tenantId ?? '',
+    organizationId: auth.orgId ?? '',
+    executedBy: auth.sub ?? auth.email ?? undefined,
+    dryRun,
+    entityType,
+    entityId,
+    eventType,
+  }
+
+  try {
+    const result = await ruleEngine.executeRuleById(em, execContext)
+
+    const response = {
+      success: result.success,
+      ruleId: result.ruleId,
+      ruleName: result.ruleName,
+      conditionResult: result.conditionResult,
+      actionsExecuted: result.actionsExecuted ? {
+        success: result.actionsExecuted.success,
+        results: result.actionsExecuted.results.map(ar => ({
+          type: ar.action.type,
+          success: ar.success,
+          error: ar.error,
+        })),
+      } : null,
+      executionTime: result.executionTime,
+      error: result.error,
+      logId: result.logId,
+    }
+
+    // Return appropriate status based on result
+    const status = result.success ? 200 : (result.error === 'Rule not found' ? 404 : 200)
+    return NextResponse.json(response, { status })
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error)
+    return NextResponse.json(
+      { error: `Rule execution failed: ${errorMessage}` },
+      { status: 500 }
+    )
+  }
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Business Rules',
+  summary: 'Execute a specific business rule by ID',
+  methods: {
+    POST: {
+      summary: 'Execute a specific rule by its database UUID',
+      description: 'Directly executes a specific business rule identified by its UUID, bypassing the normal entityType/eventType discovery mechanism. Useful for workflows and targeted rule execution.',
+      pathParams: z.object({
+        ruleId: z.string().uuid().describe('The database UUID of the business rule to execute'),
+      }),
+      requestBody: {
+        contentType: 'application/json',
+        schema: executeByIdRequestSchema,
+      },
+      responses: [
+        {
+          status: 200,
+          description: 'Rule executed successfully',
+          schema: executeByIdResponseSchema,
+        },
+        {
+          status: 404,
+          description: 'Rule not found',
+          schema: errorResponseSchema,
+        },
+      ],
+      errors: [
+        { status: 400, description: 'Invalid request payload or rule ID', schema: errorResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },
+        { status: 500, description: 'Execution error', schema: errorResponseSchema },
+      ],
+    },
+  },
+}

package/src/modules/business_rules/api/execute/route.ts

@@ -4,7 +4,6 @@ import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import type { EntityManager } from '@mikro-orm/postgresql'
-import type { EventBus } from '@open-mercato/events'
 import { ruleEngineContextSchema } from '../../data/validators'
 import * as ruleEngine from '../../lib/rule-engine'
 
@@ -47,12 +46,6 @@ export async function POST(req: Request) {
 
   const container = await createRequestContainer()
   const em = container.resolve('em') as EntityManager
-  let eventBus: EventBus | null = null
-  try {
-    eventBus = container.resolve('eventBus') as EventBus
-  } catch {
-    eventBus = null
-  }
 
   let body: any
   try {
@@ -92,7 +85,7 @@ export async function POST(req: Request) {
   }
 
   try {
-    const result = await ruleEngine.executeRules(em, context, { eventBus })
+    const result = await ruleEngine.executeRules(em, context)
 
     const response = {
       allowed: result.allowed,

package/src/modules/business_rules/backend/rules/page.tsx

@@ -264,17 +264,14 @@ export default function RulesListPage() {
         <RowActions
           items={[
             {
-              id: 'edit',
               label: t('common.edit'),
               href: `/backend/rules/${row.original.id}`,
             },
             {
-              id: row.original.enabled ? 'disable' : 'enable',
               label: row.original.enabled ? t('common.disable') : t('common.enable'),
               onSelect: () => handleToggleEnabled(row.original.id, row.original.enabled),
             },
             {
-              id: 'duplicate',
               label: t('common.duplicate'),
               onSelect: () => {
                 // TODO: Implement duplicate functionality in Step 5.2
@@ -282,7 +279,6 @@ export default function RulesListPage() {
               },
             },
             {
-              id: 'delete',
               label: t('common.delete'),
               onSelect: () => handleDelete(row.original.id, row.original.ruleName),
               destructive: true,

package/src/modules/business_rules/backend/sets/page.tsx

@@ -196,17 +196,14 @@ export default function RuleSetsListPage() {
         <RowActions
           items={[
             {
-              id: 'edit',
               label: t('common.edit'),
               href: `/backend/sets/${row.original.id}`,
             },
             {
-              id: row.original.enabled ? 'disable' : 'enable',
               label: row.original.enabled ? t('common.disable') : t('common.enable'),
               onSelect: () => handleToggleEnabled(row.original.id, row.original.enabled),
             },
             {
-              id: 'delete',
               label: t('common.delete'),
               onSelect: () => handleDelete(row.original.id, row.original.setName),
               destructive: true,

package/src/modules/business_rules/cli.ts

@@ -44,7 +44,6 @@ const seedGuardRules: ModuleCli = {
       const rulesPath = path.join(__dirname, '../workflows/examples', 'guard-rules-example.json')
       const rulesData = JSON.parse(fs.readFileSync(rulesPath, 'utf8'))
 
-      console.log('🧠 Seeding guard rules...')
       let seededCount = 0
       let skippedCount = 0
 
@@ -74,7 +73,7 @@ const seedGuardRules: ModuleCli = {
         seededCount++
       }
 
-      console.log(`\n✅ Guard rules seeding complete:`)
+      console.log(`\n✓ Guard rules seeding complete:`)
       console.log(`  - Seeded: ${seededCount}`)
       console.log(`  - Skipped (existing): ${skippedCount}`)
       console.log(`  - Total: ${rulesData.length}`)

package/src/modules/business_rules/data/validators.ts

@@ -287,3 +287,43 @@ export const ruleDiscoveryOptionsSchema = z.object({
 })
 
 export type RuleDiscoveryOptionsInput = z.infer<typeof ruleDiscoveryOptionsSchema>
+
+// Direct Rule Execution Context Schema (for executing a specific rule by ID)
+export const directRuleExecutionContextSchema = z.object({
+  ruleId: z.uuid('ruleId must be a valid UUID'),
+  data: z.any(),
+  user: z.looseObject({
+    id: z.string().optional(),
+    email: z.string().optional(),
+    role: z.string().optional(),
+  }).optional(),
+  tenantId: z.uuid('tenantId must be a valid UUID'),
+  organizationId: z.uuid('organizationId must be a valid UUID'),
+  executedBy: z.string().optional(),
+  dryRun: z.boolean().optional(),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+
+export type DirectRuleExecutionContextInput = z.infer<typeof directRuleExecutionContextSchema>
+
+// Rule ID Execution Context Schema (for executing a specific rule by its string rule_id identifier)
+export const ruleIdExecutionContextSchema = z.object({
+  ruleId: z.string().min(1, 'ruleId must be a non-empty string').max(50),
+  data: z.any(),
+  user: z.looseObject({
+    id: z.string().optional(),
+    email: z.string().optional(),
+    role: z.string().optional(),
+  }).optional(),
+  tenantId: z.uuid('tenantId must be a valid UUID'),
+  organizationId: z.uuid('organizationId must be a valid UUID'),
+  executedBy: z.string().optional(),
+  dryRun: z.boolean().optional(),
+  entityType: z.string().optional(),
+  entityId: z.string().optional(),
+  eventType: z.string().optional(),
+})
+
+export type RuleIdExecutionContextInput = z.infer<typeof ruleIdExecutionContextSchema>

package/src/modules/business_rules/i18n/en.json

@@ -367,7 +367,5 @@
   "business_rules.components.conditionRow.field.comparisonPlaceholder": "e.g., user.role",
   "business_rules.components.conditionRow.value.help": "Use JSON for arrays: [\"a\",\"b\"]",
   "business_rules.components.conditionRow.field.comparisonHelp": "Field path to compare with",
-  "business_rules.components.conditionRow.deleteCondition": "Delete condition",
-  "businessRules.notifications.rule.executionFailed.title": "Business Rule Failed",
-  "businessRules.notifications.rule.executionFailed.body": "Rule \"{ruleName}\" failed to execute{entityType, select, other { on {entityType}}}: {errorMessage}"
+  "business_rules.components.conditionRow.deleteCondition": "Delete condition"
 }