@open-mercato/core 0.4.2-canary-da2b080494 → 0.4.2-canary-19353c5970

package/dist/modules/auth/cli.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/auth/cli.ts"],
-  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { ensureRoles, setupInitialTenant } from './lib/setup-app'\nimport { normalizeTenantId } from './lib/tenantAccess'\nimport { computeEmailHash } from './lib/emailHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { env } from 'process'\nimport type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'\nimport crypto from 'node:crypto'\n\nconst addUser: ModuleCli = {\n  command: 'add-user',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const email = args.email\n    const password = args.password\n    const organizationId = String(args.organizationId ?? args.orgId ?? args.org)\n    const rolesCsv = (args.roles ?? '').trim()\n    if (!email || !password || !organizationId) {\n      console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const org =\n      (await findOneWithDecryption(\n        em,\n        Organization,\n        { id: organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId },\n      )) ?? null\n    if (!org) throw new Error('Organization not found')\n    const orgTenantId = org.tenant?.id ? String(org.tenant.id) : null\n    const normalizedTenantId = normalizeTenantId(orgTenantId ?? null) ?? null\n    const u = em.create(User, {\n      email,\n      emailHash: computeEmailHash(email),\n      passwordHash: await hash(password, 10),\n      isConfirmed: true,\n      organizationId: org.id,\n      tenantId: org.tenant.id,\n    })\n    await em.persistAndFlush(u)\n    if (rolesCsv) {\n      const names = rolesCsv.split(',').map(s => s.trim()).filter(Boolean)\n      for (const name of names) {\n        let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n        if (!role && normalizedTenantId !== null) {\n          role = await em.findOne(Role, { name, tenantId: null })\n        }\n        if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n          await em.persistAndFlush(role)\n        } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n          role.tenantId = normalizedTenantId\n          await em.persistAndFlush(role)\n        }\n        const link = em.create(UserRole, { user: u, role })\n        await em.persistAndFlush(link)\n      }\n    }\n    console.log('User created with id', u.id)\n  },\n}\n\nfunction parseArgs(rest: string[]) {\n  const args: Record<string, string | boolean> = {}\n  for (let i = 0; i < rest.length; i++) {\n    const a = rest[i]\n    if (!a) continue\n    if (a.startsWith('--')) {\n      const [k, v] = a.replace(/^--/, '').split('=')\n      if (v !== undefined) args[k] = v\n      else if (rest[i + 1] && !rest[i + 1]!.startsWith('--')) { args[k] = rest[i + 1]!; i++ }\n      else args[k] = true\n    }\n  }\n  return args\n}\n\nfunction normalizeKeyInput(value: string): string {\n  return value.trim().replace(/^['\"]|['\"]$/g, '')\n}\n\nfunction hashSecret(value: string | null | undefined): string | null {\n  if (!value) return null\n  return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)\n}\n\nasync function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {\n  const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG\n  process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'\n  try {\n    return await fn()\n  } finally {\n    if (previous === undefined) {\n      delete process.env.TENANT_DATA_ENCRYPTION_DEBUG\n    } else {\n      process.env.TENANT_DATA_ENCRYPTION_DEBUG = previous\n    }\n  }\n}\n\nclass DerivedKeyKmsService implements KmsService {\n  private root: Buffer\n  constructor(secret: string) {\n    this.root = crypto.createHash('sha256').update(normalizeKeyInput(secret)).digest()\n  }\n\n  isHealthy(): boolean {\n    return true\n  }\n\n  private deriveKey(tenantId: string): string {\n    const iterations = 310_000\n    const keyLength = 32\n    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, 'sha512')\n    return derived.toString('base64')\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (!tenantId) return null\n    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() }\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    return this.getTenantDek(tenantId)\n  }\n}\n\nfunction fingerprintDek(dek: TenantDek | null): string | null {\n  if (!dek?.key) return null\n  return crypto.createHash('sha256').update(dek.key).digest('hex').slice(0, 12)\n}\n\nfunction decryptWithOldKey(\n  payload: string,\n  dek: TenantDek | null,\n): string | null {\n  if (!dek?.key) return null\n  return decryptWithAesGcm(payload, dek.key)\n}\n\nconst seedRoles: ModuleCli = {\n  command: 'seed-roles',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const key = rest[i]?.replace(/^--/, '')\n      if (!key) continue\n      const value = rest[i + 1]\n      if (value) args[key] = value\n    }\n    const tenantId = args.tenantId ?? args.tenant ?? args.tenant_id ?? null\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    if (tenantId) {\n      await ensureRoles(em, { tenantId })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', tenantId)\n      return\n    }\n    const tenants = await em.find(Tenant, {})\n    if (!tenants.length) {\n      console.log('No tenants found; nothing to seed.')\n      return\n    }\n    for (const tenant of tenants) {\n      const id = tenant.id ? String(tenant.id) : null\n      if (!id) continue\n      await ensureRoles(em, { tenantId: id })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', id)\n    }\n  },\n}\n\nconst rotateEncryptionKey: ModuleCli = {\n  command: 'rotate-encryption-key',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const tenantId = (args.tenantId as string) ?? (args.tenant as string) ?? (args.tenant_id as string) ?? null\n    const organizationId = (args.organizationId as string) ?? (args.orgId as string) ?? (args.org as string) ?? null\n    const oldKey = (args['old-key'] as string) ?? (args.oldKey as string) ?? null\n    const dryRun = Boolean(args['dry-run'] || args.dry)\n    const debug = Boolean(args.debug)\n    const rotate = Boolean(oldKey)\n    if (rotate && !tenantId) {\n      console.warn(\n        '\u26A0\uFE0F  Rotating with --old-key across all tenants. A single old key should normally target one tenant; consider --tenant.',\n      )\n    }\n    if (!isTenantDataEncryptionEnabled()) {\n      console.error('TENANT_DATA_ENCRYPTION is disabled; aborting.')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const encryptionService = new TenantDataEncryptionService(em as any, { kms: createKmsService() })\n    const oldKms = rotate && oldKey ? new DerivedKeyKmsService(oldKey) : null\n    if (debug) {\n      console.log('[rotate-encryption-key]', {\n        hasOldKey: Boolean(oldKey),\n        rotate,\n        tenantId: tenantId ?? null,\n        organizationId: organizationId ?? null,\n      })\n      console.log('[rotate-encryption-key] key fingerprints', {\n        oldKey: hashSecret(oldKey),\n        currentKey: hashSecret(process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY),\n      })\n    }\n    if (!encryptionService.isEnabled()) {\n      console.error('Encryption service is not enabled (KMS unhealthy or no DEK). Aborting.')\n      return\n    }\n    const conn: any = (em as any).getConnection?.()\n    if (!conn || typeof conn.execute !== 'function') {\n      console.error('Unable to access raw connection; aborting.')\n      return\n    }\n    const meta = (em as any)?.getMetadata?.()?.get?.(User)\n    const tableName = meta?.tableName || 'users'\n    const schema = meta?.schema\n    const qualifiedTable = schema ? `\"${schema}\".\"${tableName}\"` : `\"${tableName}\"`\n    const isEncryptedPayload = (value: unknown): boolean => {\n      if (typeof value !== 'string') return false\n      const parts = value.split(':')\n      return parts.length === 4 && parts[3] === 'v1'\n    }\n    const printedDek = new Set<string>()\n    const oldDekCache = new Map<string, TenantDek | null>()\n    const processScope = async (scopeTenantId: string, scopeOrganizationId: string): Promise<number> => {\n      if (debug && !printedDek.has(scopeTenantId)) {\n        printedDek.add(scopeTenantId)\n        const [oldDek, newDek] = await Promise.all([\n          oldKms?.getTenantDek(scopeTenantId) ?? Promise.resolve(null),\n          encryptionService.getDek(scopeTenantId),\n        ])\n        console.log('[rotate-encryption-key] dek fingerprints', {\n          tenantId: scopeTenantId,\n          oldKey: fingerprintDek(oldDek),\n          currentKey: fingerprintDek(newDek),\n        })\n      }\n      const rawRows = await conn.execute(\n        `select id, email, email_hash from ${qualifiedTable} where tenant_id = ? and organization_id = ?`,\n        [scopeTenantId, scopeOrganizationId],\n      )\n      const rows = Array.isArray(rawRows) ? rawRows : []\n      const pending = rotate\n        ? rows\n        : rows.filter((row: any) => !isEncryptedPayload(row?.email))\n      if (!pending.length) return 0\n      console.log(\n        `Found ${pending.length} auth user records to process for org=${scopeOrganizationId}${dryRun ? ' (dry-run)' : ''}.`\n      )\n      if (dryRun) return 0\n      const ids = pending.map((row: any) => String(row.id))\n      const users = rotate\n        ? await em.find(\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n          )\n        : await findWithDecryption(\n            em,\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n            {},\n            { tenantId: scopeTenantId, organizationId: scopeOrganizationId, encryptionService },\n          )\n      const usersById = new Map(users.map((user) => [String(user.id), user]))\n      let updated = 0\n      for (const row of pending) {\n        const user = usersById.get(String(row.id))\n        if (!user) continue\n        const rawEmail = typeof row.email === 'string' ? row.email : String(row.email ?? '')\n        if (!rawEmail) continue\n        if (rotate && (!isEncryptedPayload(rawEmail) || !oldKms)) {\n          continue\n        }\n        let plainEmail = rawEmail\n        if (rotate && isEncryptedPayload(rawEmail) && oldKms) {\n          if (debug) {\n            console.log('[rotate-encryption-key] decrypting', {\n              userId: row.id,\n              tenantId: scopeTenantId,\n              organizationId: scopeOrganizationId,\n            })\n          }\n          let oldDek = oldDekCache.get(scopeTenantId) ?? null\n          if (!oldDekCache.has(scopeTenantId)) {\n            oldDek = await oldKms.getTenantDek(scopeTenantId)\n            oldDekCache.set(scopeTenantId, oldDek)\n          }\n          const maybeEmail = decryptWithOldKey(rawEmail, oldDek)\n          if (typeof maybeEmail !== 'string' || isEncryptedPayload(maybeEmail)) continue\n          plainEmail = maybeEmail\n        }\n        if (!plainEmail) continue\n        const encrypted = await encryptionService.encryptEntityPayload(\n          'auth:user',\n          { email: plainEmail },\n          scopeTenantId,\n          scopeOrganizationId,\n        )\n        const nextEmail = encrypted.email as string | undefined\n        if (nextEmail && nextEmail !== user.email) {\n          user.email = nextEmail as any\n          user.emailHash = (encrypted as any).emailHash ?? computeEmailHash(plainEmail)\n          em.persist(user)\n          updated += 1\n        }\n      }\n      if (updated > 0) {\n        await em.flush()\n      }\n      return updated\n    }\n\n    if (tenantId && organizationId) {\n      const updated = await processScope(String(tenantId), String(organizationId))\n      if (!updated) {\n        console.log('All auth user emails already encrypted for the selected scope.')\n      } else {\n        console.log(`Encrypted ${updated} auth user email(s).`)\n      }\n      return\n    }\n\n    const organizations = await em.find(Organization, {})\n    if (!organizations.length) {\n      console.log('No organizations found; nothing to encrypt.')\n      return\n    }\n    let total = 0\n    for (const org of organizations) {\n      const scopeTenantId = org.tenant?.id ? String(org.tenant.id) : org.tenant.id ? String(org.tenant.id) : null\n      const scopeOrganizationId = org.id ? String(org.id) : null\n      if (!scopeTenantId || !scopeOrganizationId) continue\n      total += await processScope(scopeTenantId, scopeOrganizationId)\n    }\n    if (total > 0) {\n      console.log(`Encrypted ${total} auth user email(s) across all organizations.`)\n    } else {\n      console.log('All auth user emails already encrypted across all organizations.')\n    }\n  },\n}\n\n// will be exported at the bottom with all commands\n\nconst addOrganization: ModuleCli = {\n  command: 'add-org',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const name = args.name || args.orgName\n    if (!name) {\n      console.error('Usage: mercato auth add-org --name <organization name>')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    // Create tenant implicitly for simplicity\n    const tenant = em.create(Tenant, { name: `${name} Tenant` })\n    await em.persistAndFlush(tenant)\n    const org = em.create(Organization, { name, tenant })\n    await em.persistAndFlush(org)\n    await rebuildHierarchyForTenant(em, String(tenant.id))\n    console.log('Organization created with id', org.id, 'in tenant', tenant.id)\n  },\n}\n\nconst setupApp: ModuleCli = {\n  command: 'setup',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const orgName = args.orgName || args.name\n    const email = args.email\n    const password = args.password\n    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()\n    if (!orgName || !email || !password) {\n      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const roleNames = rolesCsv\n      ? rolesCsv.split(',').map((s) => s.trim()).filter(Boolean)\n      : undefined\n\n    try {\n      const result = await setupInitialTenant(em, {\n        orgName,\n        roleNames,\n        primaryUser: { email, password, confirm: true },\n        includeDerivedUsers: true,\n      })\n\n      if (result.reusedExistingUser) {\n        console.log('\u26A0\uFE0F  Existing initial user detected during setup.')\n        console.log(`\u26A0\uFE0F  Email: ${email}`)\n        console.log('\u26A0\uFE0F  Updated roles if missing and reused tenant/organization.')\n      }\n\n      if(env.NODE_ENV !== 'test') { \n        for (const snapshot of result.users) {\n          if (snapshot.created) {\n            if (snapshot.user.email === email && password) {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email, 'password:', password)\n            } else {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email)\n            }\n          } else {\n            console.log(`Updated user ${snapshot.user.email}`)\n          }\n        }\n      }\n\n      if(env.NODE_ENV !== 'test')   console.log('\u2705 Setup complete:', { tenantId: result.tenantId, organizationId: result.organizationId })\n    } catch (err) {\n      if (err instanceof Error && err.message === 'USER_EXISTS') {\n        console.error('Setup aborted: user already exists with the provided email.')\n        return\n      }\n      throw err\n    }\n  },\n}\n\nconst listOrganizations: ModuleCli = {\n  command: 'list-orgs',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const orgs = await findWithDecryption(\n      em,\n      Organization,\n      {},\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: null },\n    )\n    \n    if (orgs.length === 0) {\n      console.log('No organizations found')\n      return\n    }\n    \n    console.log(`Found ${orgs.length} organization(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Tenant ID                            | Created')\n    console.log('-------------------------------------|-------------------------|-------------------------------------|-------------------')\n    \n    for (const org of orgs) {\n      const created = org.createdAt ? new Date(org.createdAt).toLocaleDateString() : 'N/A'\n      const id = org.id || 'N/A'\n      const tenantId = org.tenant?.id || 'N/A'\n      const name = (org.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${tenantId.padEnd(35)} | ${created}`)\n    }\n  },\n}\n\nconst listTenants: ModuleCli = {\n  command: 'list-tenants',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const tenants = await em.find(Tenant, {})\n    \n    if (tenants.length === 0) {\n      console.log('No tenants found')\n      return\n    }\n    \n    console.log(`Found ${tenants.length} tenant(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Created')\n    console.log('-------------------------------------|-------------------------|-------------------')\n    \n    for (const tenant of tenants) {\n      const created = tenant.createdAt ? new Date(tenant.createdAt).toLocaleDateString() : 'N/A'\n      const id = tenant.id || 'N/A'\n      const name = (tenant.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${created}`)\n    }\n  },\n}\n\nconst listUsers: ModuleCli = {\n  command: 'list-users',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    \n    // Build query with optional filters\n    const where: any = {}\n    if (args.organizationId || args.orgId || args.org) {\n      where.organizationId = args.organizationId || args.orgId || args.org\n    }\n    if (args.tenantId || args.tenant) {\n      where.tenantId = args.tenantId || args.tenant\n    }\n    \n    const users = await em.find(User, where)\n    \n    if (users.length === 0) {\n      console.log('No users found')\n      return\n    }\n    \n    console.log(`Found ${users.length} user(s):`)\n    console.log('')\n    console.log('ID                                   | Email                   | Name                    | Organization ID      | Tenant ID            | Roles')\n    console.log('-------------------------------------|-------------------------|-------------------------|---------------------|---------------------|-------------------')\n    \n    for (const user of users) {\n      // Get user roles separately\n      const userRoles = await findWithDecryption(\n        em,\n        UserRole,\n        { user: user.id },\n        { populate: ['role'] },\n        { tenantId: user.tenantId ?? null, organizationId: user.organizationId ?? null },\n      )\n      const roles = userRoles.map((ur: any) => ur.role?.name).filter(Boolean).join(', ') || 'None'\n      \n      // Get organization and tenant names if IDs exist\n      let orgName = 'N/A'\n      let tenantName = 'N/A'\n      \n      if (user.organizationId) {\n        const org = await em.findOne(Organization, { id: user.organizationId })\n        orgName = org?.name?.substring(0, 19) + '...' || user.organizationId.substring(0, 8) + '...'\n      }\n      \n      if (user.tenantId) {\n        const tenant = await em.findOne(Tenant, { id: user.tenantId })\n        tenantName = tenant?.name?.substring(0, 19) + '...' || user.tenantId.substring(0, 8) + '...'\n      }\n      \n      const id = user.id || 'N/A'\n      const email = (user.email || 'N/A').padEnd(23)\n      const name = (user.name || 'Unnamed').padEnd(23)\n      \n      console.log(`${id.padEnd(35)} | ${email} | ${name} | ${orgName.padEnd(19)} | ${tenantName.padEnd(19)} | ${roles}`)\n    }\n  },\n}\n\nconst setPassword: ModuleCli = {\n  command: 'set-password',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const email = args.email\n    const password = args.password\n    \n    if (!email || !password) {\n      console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')\n      return\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const emailHash = computeEmailHash(email)\n    const user = await em.findOne(User, { $or: [{ email }, { emailHash }] })\n    \n    if (!user) {\n      console.error(`User with email \"${email}\" not found`)\n      return\n    }\n    \n    user.passwordHash = await hash(password, 10)\n    await em.persistAndFlush(user)\n    \n    console.log(`\u2705 Password updated successfully for user: ${email}`)\n  },\n}\n\n// Export the full CLI list\nexport default [addUser, seedRoles, rotateEncryptionKey, addOrganization, setupApp, listOrganizations, listTenants, listUsers, setPassword]\n"],
-  "mappings": "AACA,SAAS,8BAA8B;AACvC,SAAS,YAAY;AAErB,SAAS,MAAM,MAAM,gBAAgB;AACrC,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,aAAa,0BAA0B;AAChD,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,oBAAoB,6BAA6B;AAC1D,SAAS,qCAAqC;AAC9C,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,yBAAyB;AAClC,SAAS,WAAW;AAEpB,OAAO,YAAY;AAEnB,MAAM,UAAqB;AAAA,EACzB,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,iBAAiB,OAAO,KAAK,kBAAkB,KAAK,SAAS,KAAK,GAAG;AAC3E,UAAM,YAAY,KAAK,SAAS,IAAI,KAAK;AACzC,QAAI,CAAC,SAAS,CAAC,YAAY,CAAC,gBAAgB;AAC1C,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,MACH,MAAM;AAAA,MACL;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC,KAAM;AACR,QAAI,CAAC,IAAK,OAAM,IAAI,MAAM,wBAAwB;AAClD,UAAM,cAAc,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AAC7D,UAAM,qBAAqB,kBAAkB,eAAe,IAAI,KAAK;AACrE,UAAM,IAAI,GAAG,OAAO,MAAM;AAAA,MACxB;AAAA,MACA,WAAW,iBAAiB,KAAK;AAAA,MACjC,cAAc,MAAM,KAAK,UAAU,EAAE;AAAA,MACrC,aAAa;AAAA,MACb,gBAAgB,IAAI;AAAA,MACpB,UAAU,IAAI,OAAO;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,gBAAgB,CAAC;AAC1B,QAAI,UAAU;AACZ,YAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,OAAK,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACnE,iBAAW,QAAQ,OAAO;AACxB,YAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,YAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,iBAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,QACxD;AACA,YAAI,CAAC,MAAM;AACX,iBAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AAClF,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,eAAK,WAAW;AAChB,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B;AACA,cAAM,OAAO,GAAG,OAAO,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC;AAClD,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,YAAQ,IAAI,wBAAwB,EAAE,EAAE;AAAA,EAC1C;AACF;AAEA,SAAS,UAAU,MAAgB;AACjC,QAAM,OAAyC,CAAC;AAChD,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,CAAC,EAAG;AACR,QAAI,EAAE,WAAW,IAAI,GAAG;AACtB,YAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,OAAO,EAAE,EAAE,MAAM,GAAG;AAC7C,UAAI,MAAM,OAAW,MAAK,CAAC,IAAI;AAAA,eACtB,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,EAAG,WAAW,IAAI,GAAG;AAAE,aAAK,CAAC,IAAI,KAAK,IAAI,CAAC;AAAI;AAAA,MAAI,MACjF,MAAK,CAAC,IAAI;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAuB;AAChD,SAAO,MAAM,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAChD;AAEA,SAAS,WAAW,OAAiD;AACnE,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,KAAK,CAAC,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC/F;AAEA,eAAe,4BAA+B,IAAkC;AAC9E,QAAM,WAAW,QAAQ,IAAI;AAC7B,UAAQ,IAAI,+BAA+B;AAC3C,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,QAAI,aAAa,QAAW;AAC1B,aAAO,QAAQ,IAAI;AAAA,IACrB,OAAO;AACL,cAAQ,IAAI,+BAA+B;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,MAAM,qBAA2C;AAAA,EAE/C,YAAY,QAAgB;AAC1B,SAAK,OAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,MAAM,CAAC,EAAE,OAAO;AAAA,EACnF;AAAA,EAEA,YAAqB;AACnB,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,UAA0B;AAC1C,UAAM,aAAa;AACnB,UAAM,YAAY;AAClB,UAAM,UAAU,OAAO,WAAW,KAAK,MAAM,UAAU,YAAY,WAAW,QAAQ;AACtF,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,CAAC,SAAU,QAAO;AACtB,WAAO,EAAE,UAAU,KAAK,KAAK,UAAU,QAAQ,GAAG,WAAW,KAAK,IAAI,EAAE;AAAA,EAC1E;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,WAAO,KAAK,aAAa,QAAQ;AAAA,EACnC;AACF;AAEA,SAAS,eAAe,KAAsC;AAC5D,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,IAAI,GAAG,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC9E;AAEA,SAAS,kBACP,SACA,KACe;AACf,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,kBAAkB,SAAS,IAAI,GAAG;AAC3C;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,MAAM,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACtC,UAAI,CAAC,IAAK;AACV,YAAM,QAAQ,KAAK,IAAI,CAAC;AACxB,UAAI,MAAO,MAAK,GAAG,IAAI;AAAA,IACzB;AACA,UAAM,WAAW,KAAK,YAAY,KAAK,UAAU,KAAK,aAAa;AACnE,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,QAAI,UAAU;AACZ,YAAM,YAAY,IAAI,EAAE,SAAS,CAAC;AAClC,cAAQ,IAAI,4CAAgC,QAAQ;AACpD;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AACxC,QAAI,CAAC,QAAQ,QAAQ;AACnB,cAAQ,IAAI,oCAAoC;AAChD;AAAA,IACF;AACA,eAAW,UAAU,SAAS;AAC5B,YAAM,KAAK,OAAO,KAAK,OAAO,OAAO,EAAE,IAAI;AAC3C,UAAI,CAAC,GAAI;AACT,YAAM,YAAY,IAAI,EAAE,UAAU,GAAG,CAAC;AACtC,cAAQ,IAAI,4CAAgC,EAAE;AAAA,IAChD;AAAA,EACF;AACF;AAEA,MAAM,sBAAiC;AAAA,EACrC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,WAAY,KAAK,YAAwB,KAAK,UAAsB,KAAK,aAAwB;AACvG,UAAM,iBAAkB,KAAK,kBAA8B,KAAK,SAAqB,KAAK,OAAkB;AAC5G,UAAM,SAAU,KAAK,SAAS,KAAiB,KAAK,UAAqB;AACzE,UAAM,SAAS,QAAQ,KAAK,SAAS,KAAK,KAAK,GAAG;AAClD,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,SAAS,QAAQ,MAAM;AAC7B,QAAI,UAAU,CAAC,UAAU;AACvB,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,8BAA8B,GAAG;AACpC,cAAQ,MAAM,+CAA+C;AAC7D;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,oBAAoB,IAAI,4BAA4B,IAAW,EAAE,KAAK,iBAAiB,EAAE,CAAC;AAChG,UAAM,SAAS,UAAU,SAAS,IAAI,qBAAqB,MAAM,IAAI;AACrE,QAAI,OAAO;AACT,cAAQ,IAAI,2BAA2B;AAAA,QACrC,WAAW,QAAQ,MAAM;AAAA,QACzB;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,gBAAgB,kBAAkB;AAAA,MACpC,CAAC;AACD,cAAQ,IAAI,4CAA4C;AAAA,QACtD,QAAQ,WAAW,MAAM;AAAA,QACzB,YAAY,WAAW,QAAQ,IAAI,mCAAmC;AAAA,MACxE,CAAC;AAAA,IACH;AACA,QAAI,CAAC,kBAAkB,UAAU,GAAG;AAClC,cAAQ,MAAM,wEAAwE;AACtF;AAAA,IACF;AACA,UAAM,OAAa,GAAW,gBAAgB;AAC9C,QAAI,CAAC,QAAQ,OAAO,KAAK,YAAY,YAAY;AAC/C,cAAQ,MAAM,4CAA4C;AAC1D;AAAA,IACF;AACA,UAAM,OAAQ,IAAY,cAAc,GAAG,MAAM,IAAI;AACrD,UAAM,YAAY,MAAM,aAAa;AACrC,UAAM,SAAS,MAAM;AACrB,UAAM,iBAAiB,SAAS,IAAI,MAAM,MAAM,SAAS,MAAM,IAAI,SAAS;AAC5E,UAAM,qBAAqB,CAAC,UAA4B;AACtD,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,aAAO,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAAA,IAC5C;AACA,UAAM,aAAa,oBAAI,IAAY;AACnC,UAAM,cAAc,oBAAI,IAA8B;AACtD,UAAM,eAAe,OAAO,eAAuB,wBAAiD;AAClG,UAAI,SAAS,CAAC,WAAW,IAAI,aAAa,GAAG;AAC3C,mBAAW,IAAI,aAAa;AAC5B,cAAM,CAAC,QAAQ,MAAM,IAAI,MAAM,QAAQ,IAAI;AAAA,UACzC,QAAQ,aAAa,aAAa,KAAK,QAAQ,QAAQ,IAAI;AAAA,UAC3D,kBAAkB,OAAO,aAAa;AAAA,QACxC,CAAC;AACD,gBAAQ,IAAI,4CAA4C;AAAA,UACtD,UAAU;AAAA,UACV,QAAQ,eAAe,MAAM;AAAA,UAC7B,YAAY,eAAe,MAAM;AAAA,QACnC,CAAC;AAAA,MACH;AACA,YAAM,UAAU,MAAM,KAAK;AAAA,QACzB,qCAAqC,cAAc;AAAA,QACnD,CAAC,eAAe,mBAAmB;AAAA,MACrC;AACA,YAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC;AACjD,YAAM,UAAU,SACZ,OACA,KAAK,OAAO,CAAC,QAAa,CAAC,mBAAmB,KAAK,KAAK,CAAC;AAC7D,UAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,cAAQ;AAAA,QACN,SAAS,QAAQ,MAAM,yCAAyC,mBAAmB,GAAG,SAAS,eAAe,EAAE;AAAA,MAClH;AACA,UAAI,OAAQ,QAAO;AACnB,YAAM,MAAM,QAAQ,IAAI,CAAC,QAAa,OAAO,IAAI,EAAE,CAAC;AACpD,YAAM,QAAQ,SACV,MAAM,GAAG;AAAA,QACP;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,MACnF,IACA,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,QACjF,CAAC;AAAA,QACD,EAAE,UAAU,eAAe,gBAAgB,qBAAqB,kBAAkB;AAAA,MACpF;AACJ,YAAM,YAAY,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AACtE,UAAI,UAAU;AACd,iBAAW,OAAO,SAAS;AACzB,cAAM,OAAO,UAAU,IAAI,OAAO,IAAI,EAAE,CAAC;AACzC,YAAI,CAAC,KAAM;AACX,cAAM,WAAW,OAAO,IAAI,UAAU,WAAW,IAAI,QAAQ,OAAO,IAAI,SAAS,EAAE;AACnF,YAAI,CAAC,SAAU;AACf,YAAI,WAAW,CAAC,mBAAmB,QAAQ,KAAK,CAAC,SAAS;AACxD;AAAA,QACF;AACA,YAAI,aAAa;AACjB,YAAI,UAAU,mBAAmB,QAAQ,KAAK,QAAQ;AACpD,cAAI,OAAO;AACT,oBAAQ,IAAI,sCAAsC;AAAA,cAChD,QAAQ,IAAI;AAAA,cACZ,UAAU;AAAA,cACV,gBAAgB;AAAA,YAClB,CAAC;AAAA,UACH;AACA,cAAI,SAAS,YAAY,IAAI,aAAa,KAAK;AAC/C,cAAI,CAAC,YAAY,IAAI,aAAa,GAAG;AACnC,qBAAS,MAAM,OAAO,aAAa,aAAa;AAChD,wBAAY,IAAI,eAAe,MAAM;AAAA,UACvC;AACA,gBAAM,aAAa,kBAAkB,UAAU,MAAM;AACrD,cAAI,OAAO,eAAe,YAAY,mBAAmB,UAAU,EAAG;AACtE,uBAAa;AAAA,QACf;AACA,YAAI,CAAC,WAAY;AACjB,cAAM,YAAY,MAAM,kBAAkB;AAAA,UACxC;AAAA,UACA,EAAE,OAAO,WAAW;AAAA,UACpB;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,UAAU;AAC5B,YAAI,aAAa,cAAc,KAAK,OAAO;AACzC,eAAK,QAAQ;AACb,eAAK,YAAa,UAAkB,aAAa,iBAAiB,UAAU;AAC5E,aAAG,QAAQ,IAAI;AACf,qBAAW;AAAA,QACb;AAAA,MACF;AACA,UAAI,UAAU,GAAG;AACf,cAAM,GAAG,MAAM;AAAA,MACjB;AACA,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,gBAAgB;AAC9B,YAAM,UAAU,MAAM,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3E,UAAI,CAAC,SAAS;AACZ,gBAAQ,IAAI,gEAAgE;AAAA,MAC9E,OAAO;AACL,gBAAQ,IAAI,aAAa,OAAO,sBAAsB;AAAA,MACxD;AACA;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,GAAG,KAAK,cAAc,CAAC,CAAC;AACpD,QAAI,CAAC,cAAc,QAAQ;AACzB,cAAQ,IAAI,6CAA6C;AACzD;AAAA,IACF;AACA,QAAI,QAAQ;AACZ,eAAW,OAAO,eAAe;AAC/B,YAAM,gBAAgB,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AACvG,YAAM,sBAAsB,IAAI,KAAK,OAAO,IAAI,EAAE,IAAI;AACtD,UAAI,CAAC,iBAAiB,CAAC,oBAAqB;AAC5C,eAAS,MAAM,aAAa,eAAe,mBAAmB;AAAA,IAChE;AACA,QAAI,QAAQ,GAAG;AACb,cAAQ,IAAI,aAAa,KAAK,+CAA+C;AAAA,IAC/E,OAAO;AACL,cAAQ,IAAI,kEAAkE;AAAA,IAChF;AAAA,EACF;AACF;AAIA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,OAAO,KAAK,QAAQ,KAAK;AAC/B,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,wDAAwD;AACtE;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAEvB,UAAM,SAAS,GAAG,OAAO,QAAQ,EAAE,MAAM,GAAG,IAAI,UAAU,CAAC;AAC3D,UAAM,GAAG,gBAAgB,MAAM;AAC/B,UAAM,MAAM,GAAG,OAAO,cAAc,EAAE,MAAM,OAAO,CAAC;AACpD,UAAM,GAAG,gBAAgB,GAAG;AAC5B,UAAM,0BAA0B,IAAI,OAAO,OAAO,EAAE,CAAC;AACrD,YAAQ,IAAI,gCAAgC,IAAI,IAAI,aAAa,OAAO,EAAE;AAAA,EAC5E;AACF;AAEA,MAAM,WAAsB;AAAA,EAC1B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,UAAU,KAAK,WAAW,KAAK;AACrC,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,YAAY,KAAK,SAAS,6BAA6B,KAAK;AAClE,QAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU;AACnC,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,YAAY,WACd,SAAS,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IACvD;AAEJ,QAAI;AACF,YAAM,SAAS,MAAM,mBAAmB,IAAI;AAAA,QAC1C;AAAA,QACA;AAAA,QACA,aAAa,EAAE,OAAO,UAAU,SAAS,KAAK;AAAA,QAC9C,qBAAqB;AAAA,MACvB,CAAC;AAED,UAAI,OAAO,oBAAoB;AAC7B,gBAAQ,IAAI,4DAAkD;AAC9D,gBAAQ,IAAI,wBAAc,KAAK,EAAE;AACjC,gBAAQ,IAAI,wEAA8D;AAAA,MAC5E;AAEA,UAAG,IAAI,aAAa,QAAQ;AAC1B,mBAAW,YAAY,OAAO,OAAO;AACnC,cAAI,SAAS,SAAS;AACpB,gBAAI,SAAS,KAAK,UAAU,SAAS,UAAU;AAC7C,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,OAAO,aAAa,QAAQ;AAAA,YAC3E,OAAO;AACL,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,KAAK;AAAA,YACpD;AAAA,UACF,OAAO;AACL,oBAAQ,IAAI,gBAAgB,SAAS,KAAK,KAAK,EAAE;AAAA,UACnD;AAAA,QACF;AAAA,MACF;AAEA,UAAG,IAAI,aAAa,OAAU,SAAQ,IAAI,0BAAqB,EAAE,UAAU,OAAO,UAAU,gBAAgB,OAAO,eAAe,CAAC;AAAA,IACrI,SAAS,KAAK;AACZ,UAAI,eAAe,SAAS,IAAI,YAAY,eAAe;AACzD,gBAAQ,MAAM,6DAA6D;AAC3E;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAEA,MAAM,oBAA+B;AAAA,EACnC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,cAAQ,IAAI,wBAAwB;AACpC;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,KAAK,MAAM,mBAAmB;AACnD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,iHAAiH;AAC7H,YAAQ,IAAI,2HAA2H;AAEvI,eAAW,OAAO,MAAM;AACtB,YAAM,UAAU,IAAI,YAAY,IAAI,KAAK,IAAI,SAAS,EAAE,mBAAmB,IAAI;AAC/E,YAAM,KAAK,IAAI,MAAM;AACrB,YAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,YAAM,QAAQ,IAAI,QAAQ,WAAW,OAAO,EAAE;AAC9C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,SAAS,OAAO,EAAE,CAAC,MAAM,OAAO,EAAE;AAAA,IAChF;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AAExC,QAAI,QAAQ,WAAW,GAAG;AACxB,cAAQ,IAAI,kBAAkB;AAC9B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,QAAQ,MAAM,aAAa;AAChD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,0EAA0E;AACtF,YAAQ,IAAI,qFAAqF;AAEjG,eAAW,UAAU,SAAS;AAC5B,YAAM,UAAU,OAAO,YAAY,IAAI,KAAK,OAAO,SAAS,EAAE,mBAAmB,IAAI;AACrF,YAAM,KAAK,OAAO,MAAM;AACxB,YAAM,QAAQ,OAAO,QAAQ,WAAW,OAAO,EAAE;AACjD,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,OAAO,EAAE;AAAA,IACvD;AAAA,EACF;AACF;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAGvB,UAAM,QAAa,CAAC;AACpB,QAAI,KAAK,kBAAkB,KAAK,SAAS,KAAK,KAAK;AACjD,YAAM,iBAAiB,KAAK,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnE;AACA,QAAI,KAAK,YAAY,KAAK,QAAQ;AAChC,YAAM,WAAW,KAAK,YAAY,KAAK;AAAA,IACzC;AAEA,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,KAAK;AAEvC,QAAI,MAAM,WAAW,GAAG;AACtB,cAAQ,IAAI,gBAAgB;AAC5B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,MAAM,MAAM,WAAW;AAC5C,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,gJAAgJ;AAC5J,YAAQ,IAAI,2JAA2J;AAEvK,eAAW,QAAQ,OAAO;AAExB,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,EAAE,MAAM,KAAK,GAAG;AAAA,QAChB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,QACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,MACjF;AACA,YAAM,QAAQ,UAAU,IAAI,CAAC,OAAY,GAAG,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE,KAAK,IAAI,KAAK;AAGtF,UAAI,UAAU;AACd,UAAI,aAAa;AAEjB,UAAI,KAAK,gBAAgB;AACvB,cAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,EAAE,IAAI,KAAK,eAAe,CAAC;AACtE,kBAAU,KAAK,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,eAAe,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,UAAI,KAAK,UAAU;AACjB,cAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,IAAI,KAAK,SAAS,CAAC;AAC7D,qBAAa,QAAQ,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,SAAS,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,YAAM,KAAK,KAAK,MAAM;AACtB,YAAM,SAAS,KAAK,SAAS,OAAO,OAAO,EAAE;AAC7C,YAAM,QAAQ,KAAK,QAAQ,WAAW,OAAO,EAAE;AAE/C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,QAAQ,OAAO,EAAE,CAAC,MAAM,WAAW,OAAO,EAAE,CAAC,MAAM,KAAK,EAAE;AAAA,IACnH;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,SAAS,CAAC,UAAU;AACvB,cAAQ,MAAM,2EAA2E;AACzF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,YAAY,iBAAiB,KAAK;AACxC,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;AAEvE,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,oBAAoB,KAAK,aAAa;AACpD;AAAA,IACF;AAEA,SAAK,eAAe,MAAM,KAAK,UAAU,EAAE;AAC3C,UAAM,GAAG,gBAAgB,IAAI;AAE7B,YAAQ,IAAI,kDAA6C,KAAK,EAAE;AAAA,EAClE;AACF;AAGA,IAAO,cAAQ,CAAC,SAAS,WAAW,qBAAqB,iBAAiB,UAAU,mBAAmB,aAAa,WAAW,WAAW;",
+  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { ensureRoles, setupInitialTenant } from './lib/setup-app'\nimport { normalizeTenantId } from './lib/tenantAccess'\nimport { computeEmailHash } from './lib/emailHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { env } from 'process'\nimport type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'\nimport crypto from 'node:crypto'\nimport { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'\nimport { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\n\nconst addUser: ModuleCli = {\n  command: 'add-user',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const email = args.email\n    const password = args.password\n    const organizationId = String(args.organizationId ?? args.orgId ?? args.org)\n    const rolesCsv = (args.roles ?? '').trim()\n    if (!email || !password || !organizationId) {\n      console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')\n      return\n    }\n    if (!ensurePasswordPolicy(password)) return\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const org =\n      (await findOneWithDecryption(\n        em,\n        Organization,\n        { id: organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId },\n      )) ?? null\n    if (!org) throw new Error('Organization not found')\n    const orgTenantId = org.tenant?.id ? String(org.tenant.id) : null\n    const normalizedTenantId = normalizeTenantId(orgTenantId ?? null) ?? null\n    const u = em.create(User, {\n      email,\n      emailHash: computeEmailHash(email),\n      passwordHash: await hash(password, 10),\n      isConfirmed: true,\n      organizationId: org.id,\n      tenantId: org.tenant.id,\n    })\n    await em.persistAndFlush(u)\n    if (rolesCsv) {\n      const names = rolesCsv.split(',').map(s => s.trim()).filter(Boolean)\n      for (const name of names) {\n        let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n        if (!role && normalizedTenantId !== null) {\n          role = await em.findOne(Role, { name, tenantId: null })\n        }\n        if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n          await em.persistAndFlush(role)\n        } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n          role.tenantId = normalizedTenantId\n          await em.persistAndFlush(role)\n        }\n        const link = em.create(UserRole, { user: u, role })\n        await em.persistAndFlush(link)\n      }\n    }\n    console.log('User created with id', u.id)\n  },\n}\n\nfunction parseArgs(rest: string[]) {\n  const args: Record<string, string | boolean> = {}\n  for (let i = 0; i < rest.length; i++) {\n    const a = rest[i]\n    if (!a) continue\n    if (a.startsWith('--')) {\n      const [k, v] = a.replace(/^--/, '').split('=')\n      if (v !== undefined) args[k] = v\n      else if (rest[i + 1] && !rest[i + 1]!.startsWith('--')) { args[k] = rest[i + 1]!; i++ }\n      else args[k] = true\n    }\n  }\n  return args\n}\n\nfunction normalizeKeyInput(value: string): string {\n  return value.trim().replace(/^['\"]|['\"]$/g, '')\n}\n\nfunction hashSecret(value: string | null | undefined): string | null {\n  if (!value) return null\n  return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)\n}\n\nfunction ensurePasswordPolicy(password: string): boolean {\n  const policy = getPasswordPolicy()\n  const result = validatePassword(password, policy)\n  if (result.ok) return true\n  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)\n  const suffix = requirements ? `: ${requirements}` : ''\n  console.error(`Password does not meet the requirements${suffix}.`)\n  return false\n}\n\nasync function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {\n  const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG\n  process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'\n  try {\n    return await fn()\n  } finally {\n    if (previous === undefined) {\n      delete process.env.TENANT_DATA_ENCRYPTION_DEBUG\n    } else {\n      process.env.TENANT_DATA_ENCRYPTION_DEBUG = previous\n    }\n  }\n}\n\nclass DerivedKeyKmsService implements KmsService {\n  private root: Buffer\n  constructor(secret: string) {\n    this.root = crypto.createHash('sha256').update(normalizeKeyInput(secret)).digest()\n  }\n\n  isHealthy(): boolean {\n    return true\n  }\n\n  private deriveKey(tenantId: string): string {\n    const iterations = 310_000\n    const keyLength = 32\n    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, 'sha512')\n    return derived.toString('base64')\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (!tenantId) return null\n    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() }\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    return this.getTenantDek(tenantId)\n  }\n}\n\nfunction fingerprintDek(dek: TenantDek | null): string | null {\n  if (!dek?.key) return null\n  return crypto.createHash('sha256').update(dek.key).digest('hex').slice(0, 12)\n}\n\nfunction decryptWithOldKey(\n  payload: string,\n  dek: TenantDek | null,\n): string | null {\n  if (!dek?.key) return null\n  return decryptWithAesGcm(payload, dek.key)\n}\n\nconst seedRoles: ModuleCli = {\n  command: 'seed-roles',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const key = rest[i]?.replace(/^--/, '')\n      if (!key) continue\n      const value = rest[i + 1]\n      if (value) args[key] = value\n    }\n    const tenantId = args.tenantId ?? args.tenant ?? args.tenant_id ?? null\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    if (tenantId) {\n      await ensureRoles(em, { tenantId })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', tenantId)\n      return\n    }\n    const tenants = await em.find(Tenant, {})\n    if (!tenants.length) {\n      console.log('No tenants found; nothing to seed.')\n      return\n    }\n    for (const tenant of tenants) {\n      const id = tenant.id ? String(tenant.id) : null\n      if (!id) continue\n      await ensureRoles(em, { tenantId: id })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', id)\n    }\n  },\n}\n\nconst rotateEncryptionKey: ModuleCli = {\n  command: 'rotate-encryption-key',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const tenantId = (args.tenantId as string) ?? (args.tenant as string) ?? (args.tenant_id as string) ?? null\n    const organizationId = (args.organizationId as string) ?? (args.orgId as string) ?? (args.org as string) ?? null\n    const oldKey = (args['old-key'] as string) ?? (args.oldKey as string) ?? null\n    const dryRun = Boolean(args['dry-run'] || args.dry)\n    const debug = Boolean(args.debug)\n    const rotate = Boolean(oldKey)\n    if (rotate && !tenantId) {\n      console.warn(\n        '\u26A0\uFE0F  Rotating with --old-key across all tenants. A single old key should normally target one tenant; consider --tenant.',\n      )\n    }\n    if (!isTenantDataEncryptionEnabled()) {\n      console.error('TENANT_DATA_ENCRYPTION is disabled; aborting.')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const encryptionService = new TenantDataEncryptionService(em as any, { kms: createKmsService() })\n    const oldKms = rotate && oldKey ? new DerivedKeyKmsService(oldKey) : null\n    if (debug) {\n      console.log('[rotate-encryption-key]', {\n        hasOldKey: Boolean(oldKey),\n        rotate,\n        tenantId: tenantId ?? null,\n        organizationId: organizationId ?? null,\n      })\n      console.log('[rotate-encryption-key] key fingerprints', {\n        oldKey: hashSecret(oldKey),\n        currentKey: hashSecret(process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY),\n      })\n    }\n    if (!encryptionService.isEnabled()) {\n      console.error('Encryption service is not enabled (KMS unhealthy or no DEK). Aborting.')\n      return\n    }\n    const conn: any = (em as any).getConnection?.()\n    if (!conn || typeof conn.execute !== 'function') {\n      console.error('Unable to access raw connection; aborting.')\n      return\n    }\n    const meta = (em as any)?.getMetadata?.()?.get?.(User)\n    const tableName = meta?.tableName || 'users'\n    const schema = meta?.schema\n    const qualifiedTable = schema ? `\"${schema}\".\"${tableName}\"` : `\"${tableName}\"`\n    const isEncryptedPayload = (value: unknown): boolean => {\n      if (typeof value !== 'string') return false\n      const parts = value.split(':')\n      return parts.length === 4 && parts[3] === 'v1'\n    }\n    const printedDek = new Set<string>()\n    const oldDekCache = new Map<string, TenantDek | null>()\n    const processScope = async (scopeTenantId: string, scopeOrganizationId: string): Promise<number> => {\n      if (debug && !printedDek.has(scopeTenantId)) {\n        printedDek.add(scopeTenantId)\n        const [oldDek, newDek] = await Promise.all([\n          oldKms?.getTenantDek(scopeTenantId) ?? Promise.resolve(null),\n          encryptionService.getDek(scopeTenantId),\n        ])\n        console.log('[rotate-encryption-key] dek fingerprints', {\n          tenantId: scopeTenantId,\n          oldKey: fingerprintDek(oldDek),\n          currentKey: fingerprintDek(newDek),\n        })\n      }\n      const rawRows = await conn.execute(\n        `select id, email, email_hash from ${qualifiedTable} where tenant_id = ? and organization_id = ?`,\n        [scopeTenantId, scopeOrganizationId],\n      )\n      const rows = Array.isArray(rawRows) ? rawRows : []\n      const pending = rotate\n        ? rows\n        : rows.filter((row: any) => !isEncryptedPayload(row?.email))\n      if (!pending.length) return 0\n      console.log(\n        `Found ${pending.length} auth user records to process for org=${scopeOrganizationId}${dryRun ? ' (dry-run)' : ''}.`\n      )\n      if (dryRun) return 0\n      const ids = pending.map((row: any) => String(row.id))\n      const users = rotate\n        ? await em.find(\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n          )\n        : await findWithDecryption(\n            em,\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n            {},\n            { tenantId: scopeTenantId, organizationId: scopeOrganizationId, encryptionService },\n          )\n      const usersById = new Map(users.map((user) => [String(user.id), user]))\n      let updated = 0\n      for (const row of pending) {\n        const user = usersById.get(String(row.id))\n        if (!user) continue\n        const rawEmail = typeof row.email === 'string' ? row.email : String(row.email ?? '')\n        if (!rawEmail) continue\n        if (rotate && (!isEncryptedPayload(rawEmail) || !oldKms)) {\n          continue\n        }\n        let plainEmail = rawEmail\n        if (rotate && isEncryptedPayload(rawEmail) && oldKms) {\n          if (debug) {\n            console.log('[rotate-encryption-key] decrypting', {\n              userId: row.id,\n              tenantId: scopeTenantId,\n              organizationId: scopeOrganizationId,\n            })\n          }\n          let oldDek = oldDekCache.get(scopeTenantId) ?? null\n          if (!oldDekCache.has(scopeTenantId)) {\n            oldDek = await oldKms.getTenantDek(scopeTenantId)\n            oldDekCache.set(scopeTenantId, oldDek)\n          }\n          const maybeEmail = decryptWithOldKey(rawEmail, oldDek)\n          if (typeof maybeEmail !== 'string' || isEncryptedPayload(maybeEmail)) continue\n          plainEmail = maybeEmail\n        }\n        if (!plainEmail) continue\n        const encrypted = await encryptionService.encryptEntityPayload(\n          'auth:user',\n          { email: plainEmail },\n          scopeTenantId,\n          scopeOrganizationId,\n        )\n        const nextEmail = encrypted.email as string | undefined\n        if (nextEmail && nextEmail !== user.email) {\n          user.email = nextEmail as any\n          user.emailHash = (encrypted as any).emailHash ?? computeEmailHash(plainEmail)\n          em.persist(user)\n          updated += 1\n        }\n      }\n      if (updated > 0) {\n        await em.flush()\n      }\n      return updated\n    }\n\n    if (tenantId && organizationId) {\n      const updated = await processScope(String(tenantId), String(organizationId))\n      if (!updated) {\n        console.log('All auth user emails already encrypted for the selected scope.')\n      } else {\n        console.log(`Encrypted ${updated} auth user email(s).`)\n      }\n      return\n    }\n\n    const organizations = await em.find(Organization, {})\n    if (!organizations.length) {\n      console.log('No organizations found; nothing to encrypt.')\n      return\n    }\n    let total = 0\n    for (const org of organizations) {\n      const scopeTenantId = org.tenant?.id ? String(org.tenant.id) : org.tenant.id ? String(org.tenant.id) : null\n      const scopeOrganizationId = org.id ? String(org.id) : null\n      if (!scopeTenantId || !scopeOrganizationId) continue\n      total += await processScope(scopeTenantId, scopeOrganizationId)\n    }\n    if (total > 0) {\n      console.log(`Encrypted ${total} auth user email(s) across all organizations.`)\n    } else {\n      console.log('All auth user emails already encrypted across all organizations.')\n    }\n  },\n}\n\n// will be exported at the bottom with all commands\n\nconst addOrganization: ModuleCli = {\n  command: 'add-org',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const name = args.name || args.orgName\n    if (!name) {\n      console.error('Usage: mercato auth add-org --name <organization name>')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    // Create tenant implicitly for simplicity\n    const tenant = em.create(Tenant, { name: `${name} Tenant` })\n    await em.persistAndFlush(tenant)\n    const org = em.create(Organization, { name, tenant })\n    await em.persistAndFlush(org)\n    await rebuildHierarchyForTenant(em, String(tenant.id))\n    console.log('Organization created with id', org.id, 'in tenant', tenant.id)\n  },\n}\n\nconst setupApp: ModuleCli = {\n  command: 'setup',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const orgName = typeof args.orgName === 'string'\n      ? args.orgName\n      : typeof args.name === 'string'\n        ? args.name\n        : undefined\n    const email = typeof args.email === 'string' ? args.email : undefined\n    const password = typeof args.password === 'string' ? args.password : undefined\n    const rolesCsv = typeof args.roles === 'string'\n      ? args.roles.trim()\n      : 'superadmin,admin,employee'\n    const skipPasswordPolicyRaw =\n      args['skip-password-policy'] ??\n      args.skipPasswordPolicy ??\n      args['allow-weak-password'] ??\n      args.allowWeakPassword\n    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'\n      ? skipPasswordPolicyRaw\n      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false\n    if (!orgName || !email || !password) {\n      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')\n      return\n    }\n    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return\n    if (skipPasswordPolicy) {\n      console.warn('\u26A0\uFE0F  Password policy validation skipped for setup.')\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const roleNames = rolesCsv\n      ? rolesCsv.split(',').map((s) => s.trim()).filter(Boolean)\n      : undefined\n\n    try {\n      const result = await setupInitialTenant(em, {\n        orgName,\n        roleNames,\n        primaryUser: { email, password, confirm: true },\n        includeDerivedUsers: true,\n      })\n\n      if (result.reusedExistingUser) {\n        console.log('\u26A0\uFE0F  Existing initial user detected during setup.')\n        console.log(`\u26A0\uFE0F  Email: ${email}`)\n        console.log('\u26A0\uFE0F  Updated roles if missing and reused tenant/organization.')\n      }\n\n      if(env.NODE_ENV !== 'test') { \n        for (const snapshot of result.users) {\n          if (snapshot.created) {\n            if (snapshot.user.email === email && password) {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email, 'password:', password)\n            } else {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email)\n            }\n          } else {\n            console.log(`Updated user ${snapshot.user.email}`)\n          }\n        }\n      }\n\n      if(env.NODE_ENV !== 'test')   console.log('\u2705 Setup complete:', { tenantId: result.tenantId, organizationId: result.organizationId })\n    } catch (err) {\n      if (err instanceof Error && err.message === 'USER_EXISTS') {\n        console.error('Setup aborted: user already exists with the provided email.')\n        return\n      }\n      throw err\n    }\n  },\n}\n\nconst listOrganizations: ModuleCli = {\n  command: 'list-orgs',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const orgs = await findWithDecryption(\n      em,\n      Organization,\n      {},\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: null },\n    )\n    \n    if (orgs.length === 0) {\n      console.log('No organizations found')\n      return\n    }\n    \n    console.log(`Found ${orgs.length} organization(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Tenant ID                            | Created')\n    console.log('-------------------------------------|-------------------------|-------------------------------------|-------------------')\n    \n    for (const org of orgs) {\n      const created = org.createdAt ? new Date(org.createdAt).toLocaleDateString() : 'N/A'\n      const id = org.id || 'N/A'\n      const tenantId = org.tenant?.id || 'N/A'\n      const name = (org.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${tenantId.padEnd(35)} | ${created}`)\n    }\n  },\n}\n\nconst listTenants: ModuleCli = {\n  command: 'list-tenants',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const tenants = await em.find(Tenant, {})\n    \n    if (tenants.length === 0) {\n      console.log('No tenants found')\n      return\n    }\n    \n    console.log(`Found ${tenants.length} tenant(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Created')\n    console.log('-------------------------------------|-------------------------|-------------------')\n    \n    for (const tenant of tenants) {\n      const created = tenant.createdAt ? new Date(tenant.createdAt).toLocaleDateString() : 'N/A'\n      const id = tenant.id || 'N/A'\n      const name = (tenant.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${created}`)\n    }\n  },\n}\n\nconst listUsers: ModuleCli = {\n  command: 'list-users',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    \n    // Build query with optional filters\n    const where: any = {}\n    if (args.organizationId || args.orgId || args.org) {\n      where.organizationId = args.organizationId || args.orgId || args.org\n    }\n    if (args.tenantId || args.tenant) {\n      where.tenantId = args.tenantId || args.tenant\n    }\n    \n    const users = await em.find(User, where)\n    \n    if (users.length === 0) {\n      console.log('No users found')\n      return\n    }\n    \n    console.log(`Found ${users.length} user(s):`)\n    console.log('')\n    console.log('ID                                   | Email                   | Name                    | Organization ID      | Tenant ID            | Roles')\n    console.log('-------------------------------------|-------------------------|-------------------------|---------------------|---------------------|-------------------')\n    \n    for (const user of users) {\n      // Get user roles separately\n      const userRoles = await findWithDecryption(\n        em,\n        UserRole,\n        { user: user.id },\n        { populate: ['role'] },\n        { tenantId: user.tenantId ?? null, organizationId: user.organizationId ?? null },\n      )\n      const roles = userRoles.map((ur: any) => ur.role?.name).filter(Boolean).join(', ') || 'None'\n      \n      // Get organization and tenant names if IDs exist\n      let orgName = 'N/A'\n      let tenantName = 'N/A'\n      \n      if (user.organizationId) {\n        const org = await em.findOne(Organization, { id: user.organizationId })\n        orgName = org?.name?.substring(0, 19) + '...' || user.organizationId.substring(0, 8) + '...'\n      }\n      \n      if (user.tenantId) {\n        const tenant = await em.findOne(Tenant, { id: user.tenantId })\n        tenantName = tenant?.name?.substring(0, 19) + '...' || user.tenantId.substring(0, 8) + '...'\n      }\n      \n      const id = user.id || 'N/A'\n      const email = (user.email || 'N/A').padEnd(23)\n      const name = (user.name || 'Unnamed').padEnd(23)\n      \n      console.log(`${id.padEnd(35)} | ${email} | ${name} | ${orgName.padEnd(19)} | ${tenantName.padEnd(19)} | ${roles}`)\n    }\n  },\n}\n\nconst setPassword: ModuleCli = {\n  command: 'set-password',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const email = args.email\n    const password = args.password\n    \n    if (!email || !password) {\n      console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')\n      return\n    }\n    if (!ensurePasswordPolicy(password)) return\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const emailHash = computeEmailHash(email)\n    const user = await em.findOne(User, { $or: [{ email }, { emailHash }] })\n    \n    if (!user) {\n      console.error(`User with email \"${email}\" not found`)\n      return\n    }\n    \n    user.passwordHash = await hash(password, 10)\n    await em.persistAndFlush(user)\n    \n    console.log(`\u2705 Password updated successfully for user: ${email}`)\n  },\n}\n\n// Export the full CLI list\nexport default [addUser, seedRoles, rotateEncryptionKey, addOrganization, setupApp, listOrganizations, listTenants, listUsers, setPassword]\n"],
+  "mappings": "AACA,SAAS,8BAA8B;AACvC,SAAS,YAAY;AAErB,SAAS,MAAM,MAAM,gBAAgB;AACrC,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,aAAa,0BAA0B;AAChD,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,oBAAoB,6BAA6B;AAC1D,SAAS,qCAAqC;AAC9C,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,yBAAyB;AAClC,SAAS,WAAW;AAEpB,OAAO,YAAY;AACnB,SAAS,4BAA4B,mBAAmB,wBAAwB;AAChF,SAAS,yBAAyB;AAElC,MAAM,UAAqB;AAAA,EACzB,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,iBAAiB,OAAO,KAAK,kBAAkB,KAAK,SAAS,KAAK,GAAG;AAC3E,UAAM,YAAY,KAAK,SAAS,IAAI,KAAK;AACzC,QAAI,CAAC,SAAS,CAAC,YAAY,CAAC,gBAAgB;AAC1C,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB,QAAQ,EAAG;AACrC,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,MACH,MAAM;AAAA,MACL;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC,KAAM;AACR,QAAI,CAAC,IAAK,OAAM,IAAI,MAAM,wBAAwB;AAClD,UAAM,cAAc,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AAC7D,UAAM,qBAAqB,kBAAkB,eAAe,IAAI,KAAK;AACrE,UAAM,IAAI,GAAG,OAAO,MAAM;AAAA,MACxB;AAAA,MACA,WAAW,iBAAiB,KAAK;AAAA,MACjC,cAAc,MAAM,KAAK,UAAU,EAAE;AAAA,MACrC,aAAa;AAAA,MACb,gBAAgB,IAAI;AAAA,MACpB,UAAU,IAAI,OAAO;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,gBAAgB,CAAC;AAC1B,QAAI,UAAU;AACZ,YAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,OAAK,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACnE,iBAAW,QAAQ,OAAO;AACxB,YAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,YAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,iBAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,QACxD;AACA,YAAI,CAAC,MAAM;AACX,iBAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AAClF,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,eAAK,WAAW;AAChB,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B;AACA,cAAM,OAAO,GAAG,OAAO,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC;AAClD,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,YAAQ,IAAI,wBAAwB,EAAE,EAAE;AAAA,EAC1C;AACF;AAEA,SAAS,UAAU,MAAgB;AACjC,QAAM,OAAyC,CAAC;AAChD,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,CAAC,EAAG;AACR,QAAI,EAAE,WAAW,IAAI,GAAG;AACtB,YAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,OAAO,EAAE,EAAE,MAAM,GAAG;AAC7C,UAAI,MAAM,OAAW,MAAK,CAAC,IAAI;AAAA,eACtB,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,EAAG,WAAW,IAAI,GAAG;AAAE,aAAK,CAAC,IAAI,KAAK,IAAI,CAAC;AAAI;AAAA,MAAI,MACjF,MAAK,CAAC,IAAI;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAuB;AAChD,SAAO,MAAM,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAChD;AAEA,SAAS,WAAW,OAAiD;AACnE,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,KAAK,CAAC,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC/F;AAEA,SAAS,qBAAqB,UAA2B;AACvD,QAAM,SAAS,kBAAkB;AACjC,QAAM,SAAS,iBAAiB,UAAU,MAAM;AAChD,MAAI,OAAO,GAAI,QAAO;AACtB,QAAM,eAAe,2BAA2B,QAAQ,CAAC,MAAM,aAAa,QAAQ;AACpF,QAAM,SAAS,eAAe,KAAK,YAAY,KAAK;AACpD,UAAQ,MAAM,0CAA0C,MAAM,GAAG;AACjE,SAAO;AACT;AAEA,eAAe,4BAA+B,IAAkC;AAC9E,QAAM,WAAW,QAAQ,IAAI;AAC7B,UAAQ,IAAI,+BAA+B;AAC3C,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,QAAI,aAAa,QAAW;AAC1B,aAAO,QAAQ,IAAI;AAAA,IACrB,OAAO;AACL,cAAQ,IAAI,+BAA+B;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,MAAM,qBAA2C;AAAA,EAE/C,YAAY,QAAgB;AAC1B,SAAK,OAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,MAAM,CAAC,EAAE,OAAO;AAAA,EACnF;AAAA,EAEA,YAAqB;AACnB,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,UAA0B;AAC1C,UAAM,aAAa;AACnB,UAAM,YAAY;AAClB,UAAM,UAAU,OAAO,WAAW,KAAK,MAAM,UAAU,YAAY,WAAW,QAAQ;AACtF,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,CAAC,SAAU,QAAO;AACtB,WAAO,EAAE,UAAU,KAAK,KAAK,UAAU,QAAQ,GAAG,WAAW,KAAK,IAAI,EAAE;AAAA,EAC1E;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,WAAO,KAAK,aAAa,QAAQ;AAAA,EACnC;AACF;AAEA,SAAS,eAAe,KAAsC;AAC5D,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,IAAI,GAAG,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC9E;AAEA,SAAS,kBACP,SACA,KACe;AACf,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,kBAAkB,SAAS,IAAI,GAAG;AAC3C;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,MAAM,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACtC,UAAI,CAAC,IAAK;AACV,YAAM,QAAQ,KAAK,IAAI,CAAC;AACxB,UAAI,MAAO,MAAK,GAAG,IAAI;AAAA,IACzB;AACA,UAAM,WAAW,KAAK,YAAY,KAAK,UAAU,KAAK,aAAa;AACnE,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,QAAI,UAAU;AACZ,YAAM,YAAY,IAAI,EAAE,SAAS,CAAC;AAClC,cAAQ,IAAI,4CAAgC,QAAQ;AACpD;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AACxC,QAAI,CAAC,QAAQ,QAAQ;AACnB,cAAQ,IAAI,oCAAoC;AAChD;AAAA,IACF;AACA,eAAW,UAAU,SAAS;AAC5B,YAAM,KAAK,OAAO,KAAK,OAAO,OAAO,EAAE,IAAI;AAC3C,UAAI,CAAC,GAAI;AACT,YAAM,YAAY,IAAI,EAAE,UAAU,GAAG,CAAC;AACtC,cAAQ,IAAI,4CAAgC,EAAE;AAAA,IAChD;AAAA,EACF;AACF;AAEA,MAAM,sBAAiC;AAAA,EACrC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,WAAY,KAAK,YAAwB,KAAK,UAAsB,KAAK,aAAwB;AACvG,UAAM,iBAAkB,KAAK,kBAA8B,KAAK,SAAqB,KAAK,OAAkB;AAC5G,UAAM,SAAU,KAAK,SAAS,KAAiB,KAAK,UAAqB;AACzE,UAAM,SAAS,QAAQ,KAAK,SAAS,KAAK,KAAK,GAAG;AAClD,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,SAAS,QAAQ,MAAM;AAC7B,QAAI,UAAU,CAAC,UAAU;AACvB,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,8BAA8B,GAAG;AACpC,cAAQ,MAAM,+CAA+C;AAC7D;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,oBAAoB,IAAI,4BAA4B,IAAW,EAAE,KAAK,iBAAiB,EAAE,CAAC;AAChG,UAAM,SAAS,UAAU,SAAS,IAAI,qBAAqB,MAAM,IAAI;AACrE,QAAI,OAAO;AACT,cAAQ,IAAI,2BAA2B;AAAA,QACrC,WAAW,QAAQ,MAAM;AAAA,QACzB;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,gBAAgB,kBAAkB;AAAA,MACpC,CAAC;AACD,cAAQ,IAAI,4CAA4C;AAAA,QACtD,QAAQ,WAAW,MAAM;AAAA,QACzB,YAAY,WAAW,QAAQ,IAAI,mCAAmC;AAAA,MACxE,CAAC;AAAA,IACH;AACA,QAAI,CAAC,kBAAkB,UAAU,GAAG;AAClC,cAAQ,MAAM,wEAAwE;AACtF;AAAA,IACF;AACA,UAAM,OAAa,GAAW,gBAAgB;AAC9C,QAAI,CAAC,QAAQ,OAAO,KAAK,YAAY,YAAY;AAC/C,cAAQ,MAAM,4CAA4C;AAC1D;AAAA,IACF;AACA,UAAM,OAAQ,IAAY,cAAc,GAAG,MAAM,IAAI;AACrD,UAAM,YAAY,MAAM,aAAa;AACrC,UAAM,SAAS,MAAM;AACrB,UAAM,iBAAiB,SAAS,IAAI,MAAM,MAAM,SAAS,MAAM,IAAI,SAAS;AAC5E,UAAM,qBAAqB,CAAC,UAA4B;AACtD,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,aAAO,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAAA,IAC5C;AACA,UAAM,aAAa,oBAAI,IAAY;AACnC,UAAM,cAAc,oBAAI,IAA8B;AACtD,UAAM,eAAe,OAAO,eAAuB,wBAAiD;AAClG,UAAI,SAAS,CAAC,WAAW,IAAI,aAAa,GAAG;AAC3C,mBAAW,IAAI,aAAa;AAC5B,cAAM,CAAC,QAAQ,MAAM,IAAI,MAAM,QAAQ,IAAI;AAAA,UACzC,QAAQ,aAAa,aAAa,KAAK,QAAQ,QAAQ,IAAI;AAAA,UAC3D,kBAAkB,OAAO,aAAa;AAAA,QACxC,CAAC;AACD,gBAAQ,IAAI,4CAA4C;AAAA,UACtD,UAAU;AAAA,UACV,QAAQ,eAAe,MAAM;AAAA,UAC7B,YAAY,eAAe,MAAM;AAAA,QACnC,CAAC;AAAA,MACH;AACA,YAAM,UAAU,MAAM,KAAK;AAAA,QACzB,qCAAqC,cAAc;AAAA,QACnD,CAAC,eAAe,mBAAmB;AAAA,MACrC;AACA,YAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC;AACjD,YAAM,UAAU,SACZ,OACA,KAAK,OAAO,CAAC,QAAa,CAAC,mBAAmB,KAAK,KAAK,CAAC;AAC7D,UAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,cAAQ;AAAA,QACN,SAAS,QAAQ,MAAM,yCAAyC,mBAAmB,GAAG,SAAS,eAAe,EAAE;AAAA,MAClH;AACA,UAAI,OAAQ,QAAO;AACnB,YAAM,MAAM,QAAQ,IAAI,CAAC,QAAa,OAAO,IAAI,EAAE,CAAC;AACpD,YAAM,QAAQ,SACV,MAAM,GAAG;AAAA,QACP;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,MACnF,IACA,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,QACjF,CAAC;AAAA,QACD,EAAE,UAAU,eAAe,gBAAgB,qBAAqB,kBAAkB;AAAA,MACpF;AACJ,YAAM,YAAY,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AACtE,UAAI,UAAU;AACd,iBAAW,OAAO,SAAS;AACzB,cAAM,OAAO,UAAU,IAAI,OAAO,IAAI,EAAE,CAAC;AACzC,YAAI,CAAC,KAAM;AACX,cAAM,WAAW,OAAO,IAAI,UAAU,WAAW,IAAI,QAAQ,OAAO,IAAI,SAAS,EAAE;AACnF,YAAI,CAAC,SAAU;AACf,YAAI,WAAW,CAAC,mBAAmB,QAAQ,KAAK,CAAC,SAAS;AACxD;AAAA,QACF;AACA,YAAI,aAAa;AACjB,YAAI,UAAU,mBAAmB,QAAQ,KAAK,QAAQ;AACpD,cAAI,OAAO;AACT,oBAAQ,IAAI,sCAAsC;AAAA,cAChD,QAAQ,IAAI;AAAA,cACZ,UAAU;AAAA,cACV,gBAAgB;AAAA,YAClB,CAAC;AAAA,UACH;AACA,cAAI,SAAS,YAAY,IAAI,aAAa,KAAK;AAC/C,cAAI,CAAC,YAAY,IAAI,aAAa,GAAG;AACnC,qBAAS,MAAM,OAAO,aAAa,aAAa;AAChD,wBAAY,IAAI,eAAe,MAAM;AAAA,UACvC;AACA,gBAAM,aAAa,kBAAkB,UAAU,MAAM;AACrD,cAAI,OAAO,eAAe,YAAY,mBAAmB,UAAU,EAAG;AACtE,uBAAa;AAAA,QACf;AACA,YAAI,CAAC,WAAY;AACjB,cAAM,YAAY,MAAM,kBAAkB;AAAA,UACxC;AAAA,UACA,EAAE,OAAO,WAAW;AAAA,UACpB;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,UAAU;AAC5B,YAAI,aAAa,cAAc,KAAK,OAAO;AACzC,eAAK,QAAQ;AACb,eAAK,YAAa,UAAkB,aAAa,iBAAiB,UAAU;AAC5E,aAAG,QAAQ,IAAI;AACf,qBAAW;AAAA,QACb;AAAA,MACF;AACA,UAAI,UAAU,GAAG;AACf,cAAM,GAAG,MAAM;AAAA,MACjB;AACA,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,gBAAgB;AAC9B,YAAM,UAAU,MAAM,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3E,UAAI,CAAC,SAAS;AACZ,gBAAQ,IAAI,gEAAgE;AAAA,MAC9E,OAAO;AACL,gBAAQ,IAAI,aAAa,OAAO,sBAAsB;AAAA,MACxD;AACA;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,GAAG,KAAK,cAAc,CAAC,CAAC;AACpD,QAAI,CAAC,cAAc,QAAQ;AACzB,cAAQ,IAAI,6CAA6C;AACzD;AAAA,IACF;AACA,QAAI,QAAQ;AACZ,eAAW,OAAO,eAAe;AAC/B,YAAM,gBAAgB,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AACvG,YAAM,sBAAsB,IAAI,KAAK,OAAO,IAAI,EAAE,IAAI;AACtD,UAAI,CAAC,iBAAiB,CAAC,oBAAqB;AAC5C,eAAS,MAAM,aAAa,eAAe,mBAAmB;AAAA,IAChE;AACA,QAAI,QAAQ,GAAG;AACb,cAAQ,IAAI,aAAa,KAAK,+CAA+C;AAAA,IAC/E,OAAO;AACL,cAAQ,IAAI,kEAAkE;AAAA,IAChF;AAAA,EACF;AACF;AAIA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,OAAO,KAAK,QAAQ,KAAK;AAC/B,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,wDAAwD;AACtE;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAEvB,UAAM,SAAS,GAAG,OAAO,QAAQ,EAAE,MAAM,GAAG,IAAI,UAAU,CAAC;AAC3D,UAAM,GAAG,gBAAgB,MAAM;AAC/B,UAAM,MAAM,GAAG,OAAO,cAAc,EAAE,MAAM,OAAO,CAAC;AACpD,UAAM,GAAG,gBAAgB,GAAG;AAC5B,UAAM,0BAA0B,IAAI,OAAO,OAAO,EAAE,CAAC;AACrD,YAAQ,IAAI,gCAAgC,IAAI,IAAI,aAAa,OAAO,EAAE;AAAA,EAC5E;AACF;AAEA,MAAM,WAAsB;AAAA,EAC1B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,UAAU,OAAO,KAAK,YAAY,WACpC,KAAK,UACL,OAAO,KAAK,SAAS,WACnB,KAAK,OACL;AACN,UAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAC5D,UAAM,WAAW,OAAO,KAAK,aAAa,WAAW,KAAK,WAAW;AACrE,UAAM,WAAW,OAAO,KAAK,UAAU,WACnC,KAAK,MAAM,KAAK,IAChB;AACJ,UAAM,wBACJ,KAAK,sBAAsB,KAC3B,KAAK,sBACL,KAAK,qBAAqB,KAC1B,KAAK;AACP,UAAM,qBAAqB,OAAO,0BAA0B,YACxD,wBACA,kBAAkB,OAAO,0BAA0B,WAAW,wBAAwB,IAAI,KAAK;AACnG,QAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU;AACnC,cAAQ,MAAM,+IAA+I;AAC7J;AAAA,IACF;AACA,QAAI,CAAC,sBAAsB,CAAC,qBAAqB,QAAQ,EAAG;AAC5D,QAAI,oBAAoB;AACtB,cAAQ,KAAK,6DAAmD;AAAA,IAClE;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,YAAY,WACd,SAAS,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IACvD;AAEJ,QAAI;AACF,YAAM,SAAS,MAAM,mBAAmB,IAAI;AAAA,QAC1C;AAAA,QACA;AAAA,QACA,aAAa,EAAE,OAAO,UAAU,SAAS,KAAK;AAAA,QAC9C,qBAAqB;AAAA,MACvB,CAAC;AAED,UAAI,OAAO,oBAAoB;AAC7B,gBAAQ,IAAI,4DAAkD;AAC9D,gBAAQ,IAAI,wBAAc,KAAK,EAAE;AACjC,gBAAQ,IAAI,wEAA8D;AAAA,MAC5E;AAEA,UAAG,IAAI,aAAa,QAAQ;AAC1B,mBAAW,YAAY,OAAO,OAAO;AACnC,cAAI,SAAS,SAAS;AACpB,gBAAI,SAAS,KAAK,UAAU,SAAS,UAAU;AAC7C,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,OAAO,aAAa,QAAQ;AAAA,YAC3E,OAAO;AACL,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,KAAK;AAAA,YACpD;AAAA,UACF,OAAO;AACL,oBAAQ,IAAI,gBAAgB,SAAS,KAAK,KAAK,EAAE;AAAA,UACnD;AAAA,QACF;AAAA,MACF;AAEA,UAAG,IAAI,aAAa,OAAU,SAAQ,IAAI,0BAAqB,EAAE,UAAU,OAAO,UAAU,gBAAgB,OAAO,eAAe,CAAC;AAAA,IACrI,SAAS,KAAK;AACZ,UAAI,eAAe,SAAS,IAAI,YAAY,eAAe;AACzD,gBAAQ,MAAM,6DAA6D;AAC3E;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAEA,MAAM,oBAA+B;AAAA,EACnC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,cAAQ,IAAI,wBAAwB;AACpC;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,KAAK,MAAM,mBAAmB;AACnD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,iHAAiH;AAC7H,YAAQ,IAAI,2HAA2H;AAEvI,eAAW,OAAO,MAAM;AACtB,YAAM,UAAU,IAAI,YAAY,IAAI,KAAK,IAAI,SAAS,EAAE,mBAAmB,IAAI;AAC/E,YAAM,KAAK,IAAI,MAAM;AACrB,YAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,YAAM,QAAQ,IAAI,QAAQ,WAAW,OAAO,EAAE;AAC9C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,SAAS,OAAO,EAAE,CAAC,MAAM,OAAO,EAAE;AAAA,IAChF;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AAExC,QAAI,QAAQ,WAAW,GAAG;AACxB,cAAQ,IAAI,kBAAkB;AAC9B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,QAAQ,MAAM,aAAa;AAChD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,0EAA0E;AACtF,YAAQ,IAAI,qFAAqF;AAEjG,eAAW,UAAU,SAAS;AAC5B,YAAM,UAAU,OAAO,YAAY,IAAI,KAAK,OAAO,SAAS,EAAE,mBAAmB,IAAI;AACrF,YAAM,KAAK,OAAO,MAAM;AACxB,YAAM,QAAQ,OAAO,QAAQ,WAAW,OAAO,EAAE;AACjD,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,OAAO,EAAE;AAAA,IACvD;AAAA,EACF;AACF;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAGvB,UAAM,QAAa,CAAC;AACpB,QAAI,KAAK,kBAAkB,KAAK,SAAS,KAAK,KAAK;AACjD,YAAM,iBAAiB,KAAK,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnE;AACA,QAAI,KAAK,YAAY,KAAK,QAAQ;AAChC,YAAM,WAAW,KAAK,YAAY,KAAK;AAAA,IACzC;AAEA,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,KAAK;AAEvC,QAAI,MAAM,WAAW,GAAG;AACtB,cAAQ,IAAI,gBAAgB;AAC5B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,MAAM,MAAM,WAAW;AAC5C,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,gJAAgJ;AAC5J,YAAQ,IAAI,2JAA2J;AAEvK,eAAW,QAAQ,OAAO;AAExB,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,EAAE,MAAM,KAAK,GAAG;AAAA,QAChB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,QACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,MACjF;AACA,YAAM,QAAQ,UAAU,IAAI,CAAC,OAAY,GAAG,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE,KAAK,IAAI,KAAK;AAGtF,UAAI,UAAU;AACd,UAAI,aAAa;AAEjB,UAAI,KAAK,gBAAgB;AACvB,cAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,EAAE,IAAI,KAAK,eAAe,CAAC;AACtE,kBAAU,KAAK,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,eAAe,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,UAAI,KAAK,UAAU;AACjB,cAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,IAAI,KAAK,SAAS,CAAC;AAC7D,qBAAa,QAAQ,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,SAAS,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,YAAM,KAAK,KAAK,MAAM;AACtB,YAAM,SAAS,KAAK,SAAS,OAAO,OAAO,EAAE;AAC7C,YAAM,QAAQ,KAAK,QAAQ,WAAW,OAAO,EAAE;AAE/C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,QAAQ,OAAO,EAAE,CAAC,MAAM,WAAW,OAAO,EAAE,CAAC,MAAM,KAAK,EAAE;AAAA,IACnH;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,SAAS,CAAC,UAAU;AACvB,cAAQ,MAAM,2EAA2E;AACzF;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB,QAAQ,EAAG;AAErC,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,YAAY,iBAAiB,KAAK;AACxC,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;AAEvE,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,oBAAoB,KAAK,aAAa;AACpD;AAAA,IACF;AAEA,SAAK,eAAe,MAAM,KAAK,UAAU,EAAE;AAC3C,UAAM,GAAG,gBAAgB,IAAI;AAE7B,YAAQ,IAAI,kDAA6C,KAAK,EAAE;AAAA,EAClE;AACF;AAGA,IAAO,cAAQ,CAAC,SAAS,WAAW,qBAAqB,iBAAiB,UAAU,mBAAmB,aAAa,WAAW,WAAW;",
   "names": []
 }

package/dist/modules/auth/commands/users.js

@@ -22,16 +22,21 @@ import {
 import { normalizeTenantId } from "@open-mercato/core/modules/auth/lib/tenantAccess";
 import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional()
 });
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional()
 });
@@ -60,6 +65,38 @@ const userCrudIndexer = {
     tenantId: ctx.identifiers.tenantId
   })
 };
+async function notifyRoleChanges(ctx, user, assignedRoles, revokedRoles) {
+  const tenantId = user.tenantId ? String(user.tenantId) : null;
+  if (!tenantId) return;
+  const organizationId = user.organizationId ? String(user.organizationId) : null;
+  try {
+    const notificationService = resolveNotificationService(ctx.container);
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === "auth.role.assigned");
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === "auth.role.revoked");
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.users.roles] Failed to create notification:", err);
+  }
+}
 const createUserCommand = {
   id: "auth.users.create",
   async execute(rawInput, ctx) {
@@ -97,8 +134,10 @@ const createUserCommand = {
       if (isUniqueViolation(error)) await throwDuplicateEmailError();
       throw error;
     }
+    let assignedRoles = [];
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId);
+      assignedRoles = await loadUserRoleNames(em, String(user.id));
     }
     await setCustomFieldsIfAny({
       dataEngine: de,
@@ -120,6 +159,9 @@ const createUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, []);
+    }
     return user;
   },
   captureAfter: async (_input, result, ctx) => {
@@ -230,6 +272,7 @@ const updateUserCommand = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput);
     const em = ctx.container.resolve("em");
+    const rolesBefore = Array.isArray(parsed.roles) ? await loadUserRoleNames(em, parsed.id) : null;
     if (parsed.email !== void 0) {
       const emailHash2 = computeEmailHash(parsed.email);
       const duplicate = await em.findOne(
@@ -310,6 +353,13 @@ const updateUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id));
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter);
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked);
+      }
+    }
     await invalidateUserCache(ctx, parsed.id);
     return user;
   },
@@ -656,6 +706,13 @@ async function invalidateUserCache(ctx, userId) {
   } catch {
   }
 }
+function diffRoleChanges(before, after) {
+  const beforeSet = new Set(before);
+  const afterSet = new Set(after);
+  const assigned = after.filter((role) => !beforeSet.has(role));
+  const revoked = before.filter((role) => !afterSet.has(role));
+  return { assigned, revoked };
+}
 function arrayEquals(left, right) {
   if (!left) return false;
   if (left.length !== right.length) return false;

package/dist/modules/auth/commands/users.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/commands/users.ts"],
-  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: z.string().min(6).optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
-  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAqC1D,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AAAA,IACtD;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
+  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'\nimport { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'\nimport notificationTypes from '@open-mercato/core/modules/auth/notifications'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst passwordSchema = buildPasswordSchema()\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: passwordSchema.optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nasync function notifyRoleChanges(\n  ctx: CommandRuntimeContext,\n  user: User,\n  assignedRoles: string[],\n  revokedRoles: string[],\n): Promise<void> {\n  const tenantId = user.tenantId ? String(user.tenantId) : null\n  if (!tenantId) return\n  const organizationId = user.organizationId ? String(user.organizationId) : null\n\n  try {\n    const notificationService = resolveNotificationService(ctx.container)\n    if (assignedRoles.length) {\n      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')\n      if (assignedType) {\n        const notificationInput = buildNotificationFromType(assignedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n\n    if (revokedRoles.length) {\n      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')\n      if (revokedType) {\n        const notificationInput = buildNotificationFromType(revokedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n  } catch (err) {\n    console.error('[auth.users.roles] Failed to create notification:', err)\n  }\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    let assignedRoles: string[] = []\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n      assignedRoles = await loadUserRoleNames(em, String(user.id))\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (assignedRoles.length) {\n      await notifyRoleChanges(ctx, user, assignedRoles, [])\n    }\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const rolesBefore = Array.isArray(parsed.roles)\n      ? await loadUserRoleNames(em, parsed.id)\n      : null\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (Array.isArray(parsed.roles) && rolesBefore) {\n      const rolesAfter = await loadUserRoleNames(em, String(user.id))\n      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)\n      if (assigned.length || revoked.length) {\n        await notifyRoleChanges(ctx, user, assigned, revoked)\n      }\n    }\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction diffRoleChanges(before: string[], after: string[]) {\n  const beforeSet = new Set(before)\n  const afterSet = new Set(after)\n  const assigned = after.filter((role) => !beforeSet.has(role))\n  const revoked = before.filter((role) => !afterSet.has(role))\n  return { assigned, revoked }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,iCAAiC;AAC1C,SAAS,kCAAkC;AAC3C,OAAO,uBAAuB;AAC9B,SAAS,2BAA2B;AAqCpC,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,eAAe,kBACb,KACA,MACA,eACA,cACe;AACf,QAAM,WAAW,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AACzD,MAAI,CAAC,SAAU;AACf,QAAM,iBAAiB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAE3E,MAAI;AACF,UAAM,sBAAsB,2BAA2B,IAAI,SAAS;AACpE,QAAI,cAAc,QAAQ;AACxB,YAAM,eAAe,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,oBAAoB;AACxF,UAAI,cAAc;AAChB,cAAM,oBAAoB,0BAA0B,cAAc;AAAA,UAChE,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAEA,QAAI,aAAa,QAAQ;AACvB,YAAM,cAAc,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,mBAAmB;AACtF,UAAI,aAAa;AACf,cAAM,oBAAoB,0BAA0B,aAAa;AAAA,UAC/D,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,qDAAqD,GAAG;AAAA,EACxE;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,gBAA0B,CAAC;AAC/B,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AACpD,sBAAgB,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAAA,IAC7D;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,cAAc,QAAQ;AACxB,YAAM,kBAAkB,KAAK,MAAM,eAAe,CAAC,CAAC;AAAA,IACtD;AAEA,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,cAAc,MAAM,QAAQ,OAAO,KAAK,IAC1C,MAAM,kBAAkB,IAAI,OAAO,EAAE,IACrC;AAEJ,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,aAAa;AAC9C,YAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAC9D,YAAM,EAAE,UAAU,QAAQ,IAAI,gBAAgB,aAAa,UAAU;AACrE,UAAI,SAAS,UAAU,QAAQ,QAAQ;AACrC,cAAM,kBAAkB,KAAK,MAAM,UAAU,OAAO;AAAA,MACtD;AAAA,IACF;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,gBAAgB,QAAkB,OAAiB;AAC1D,QAAM,YAAY,IAAI,IAAI,MAAM;AAChC,QAAM,WAAW,IAAI,IAAI,KAAK;AAC9B,QAAM,WAAW,MAAM,OAAO,CAAC,SAAS,CAAC,UAAU,IAAI,IAAI,CAAC;AAC5D,QAAM,UAAU,OAAO,OAAO,CAAC,SAAS,CAAC,SAAS,IAAI,IAAI,CAAC;AAC3D,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
   "names": ["emailHash"]
 }

package/dist/modules/auth/data/validators.js

@@ -1,4 +1,6 @@
 import { z } from "zod";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const userLoginSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
@@ -9,7 +11,7 @@ const requestPasswordResetSchema = z.object({
 });
 const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6)
+  password: passwordSchema
 });
 const sidebarPreferencesInputSchema = z.object({
   version: z.number().int().positive().optional(),
@@ -22,7 +24,7 @@ const sidebarPreferencesInputSchema = z.object({
 });
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional()

package/dist/modules/auth/data/validators.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/data/validators.ts"],
-  "sourcesContent": ["import { z } from 'zod'\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: z.string().min(6),\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
-  "mappings": "AAAA,SAAS,SAAS;AAGX,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAC5B,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
+  "sourcesContent": ["import { z } from 'zod'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\nconst passwordSchema = buildPasswordSchema()\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: passwordSchema,\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
+  "mappings": "AAAA,SAAS,SAAS;AAClB,SAAS,2BAA2B;AAEpC,MAAM,iBAAiB,oBAAoB;AAGpC,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU;AACZ,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
   "names": []
 }