@open-mercato/core 0.4.2-canary-da2b080494 → 0.4.2-canary-19703ca707

package/dist/modules/workflows/subscribers/task-assigned-notification.js

@@ -0,0 +1,38 @@
+import { resolveNotificationService } from "../../notifications/lib/notificationService.js";
+import { buildNotificationFromType } from "../../notifications/lib/notificationBuilder.js";
+import { notificationTypes } from "../notifications.js";
+const metadata = {
+  event: "workflows.task.assigned",
+  persistent: true,
+  id: "workflows:task-assigned-notification"
+};
+async function handle(payload, ctx) {
+  if (!payload.assignedUserId) return;
+  try {
+    const notificationService = resolveNotificationService(ctx);
+    const typeDef = notificationTypes.find((type) => type.type === "workflows.task.assigned");
+    if (!typeDef) return;
+    const notificationInput = buildNotificationFromType(typeDef, {
+      recipientUserId: payload.assignedUserId,
+      bodyVariables: {
+        taskName: payload.taskName,
+        workflowName: payload.workflowName,
+        dueDate: payload.dueDate ?? ""
+      },
+      sourceEntityType: "workflows:user_task",
+      sourceEntityId: payload.taskId,
+      linkHref: `/backend/workflows/tasks/${payload.taskId}`
+    });
+    await notificationService.create(notificationInput, {
+      tenantId: payload.tenantId,
+      organizationId: payload.organizationId ?? null
+    });
+  } catch (err) {
+    console.error("[workflows:task-assigned-notification] Failed to create notification:", err);
+  }
+}
+export {
+  handle as default,
+  metadata
+};
+//# sourceMappingURL=task-assigned-notification.js.map

package/dist/modules/workflows/subscribers/task-assigned-notification.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/workflows/subscribers/task-assigned-notification.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveNotificationService } from '../../notifications/lib/notificationService'\nimport { buildNotificationFromType } from '../../notifications/lib/notificationBuilder'\nimport { notificationTypes } from '../notifications'\n\nexport const metadata = {\n  event: 'workflows.task.assigned',\n  persistent: true,\n  id: 'workflows:task-assigned-notification',\n}\n\ntype TaskAssignedPayload = {\n  taskId: string\n  taskName: string\n  workflowName: string\n  assignedUserId: string\n  dueDate?: string | null\n  tenantId: string\n  organizationId?: string | null\n}\n\ntype ResolverContext = {\n  resolve: <T = unknown>(name: string) => T\n}\n\nexport default async function handle(payload: TaskAssignedPayload, ctx: ResolverContext) {\n  if (!payload.assignedUserId) return\n\n  try {\n    const notificationService = resolveNotificationService(ctx)\n    const typeDef = notificationTypes.find((type) => type.type === 'workflows.task.assigned')\n    if (!typeDef) return\n\n    const notificationInput = buildNotificationFromType(typeDef, {\n      recipientUserId: payload.assignedUserId,\n      bodyVariables: {\n        taskName: payload.taskName,\n        workflowName: payload.workflowName,\n        dueDate: payload.dueDate ?? '',\n      },\n      sourceEntityType: 'workflows:user_task',\n      sourceEntityId: payload.taskId,\n      linkHref: `/backend/workflows/tasks/${payload.taskId}`,\n    })\n\n    await notificationService.create(notificationInput, {\n      tenantId: payload.tenantId,\n      organizationId: payload.organizationId ?? null,\n    })\n  } catch (err) {\n    console.error('[workflows:task-assigned-notification] Failed to create notification:', err)\n  }\n}\n"],
+  "mappings": "AACA,SAAS,kCAAkC;AAC3C,SAAS,iCAAiC;AAC1C,SAAS,yBAAyB;AAE3B,MAAM,WAAW;AAAA,EACtB,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,IAAI;AACN;AAgBA,eAAO,OAA8B,SAA8B,KAAsB;AACvF,MAAI,CAAC,QAAQ,eAAgB;AAE7B,MAAI;AACF,UAAM,sBAAsB,2BAA2B,GAAG;AAC1D,UAAM,UAAU,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,yBAAyB;AACxF,QAAI,CAAC,QAAS;AAEd,UAAM,oBAAoB,0BAA0B,SAAS;AAAA,MAC3D,iBAAiB,QAAQ;AAAA,MACzB,eAAe;AAAA,QACb,UAAU,QAAQ;AAAA,QAClB,cAAc,QAAQ;AAAA,QACtB,SAAS,QAAQ,WAAW;AAAA,MAC9B;AAAA,MACA,kBAAkB;AAAA,MAClB,gBAAgB,QAAQ;AAAA,MACxB,UAAU,4BAA4B,QAAQ,MAAM;AAAA,IACtD,CAAC;AAED,UAAM,oBAAoB,OAAO,mBAAmB;AAAA,MAClD,UAAU,QAAQ;AAAA,MAClB,gBAAgB,QAAQ,kBAAkB;AAAA,IAC5C,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ,MAAM,yEAAyE,GAAG;AAAA,EAC5F;AACF;",
+  "names": []
+}

package/generated/entities/notification/index.ts

@@ -0,0 +1,27 @@
+export const id = 'id'
+export const recipient_user_id = 'recipient_user_id'
+export const type = 'type'
+export const title_key = 'title_key'
+export const body_key = 'body_key'
+export const title_variables = 'title_variables'
+export const body_variables = 'body_variables'
+export const title = 'title'
+export const body = 'body'
+export const icon = 'icon'
+export const severity = 'severity'
+export const status = 'status'
+export const action_data = 'action_data'
+export const action_result = 'action_result'
+export const action_taken = 'action_taken'
+export const source_module = 'source_module'
+export const source_entity_type = 'source_entity_type'
+export const source_entity_id = 'source_entity_id'
+export const link_href = 'link_href'
+export const group_key = 'group_key'
+export const created_at = 'created_at'
+export const read_at = 'read_at'
+export const actioned_at = 'actioned_at'
+export const dismissed_at = 'dismissed_at'
+export const expires_at = 'expires_at'
+export const tenant_id = 'tenant_id'
+export const organization_id = 'organization_id'

package/generated/entities.ids.generated.ts

@@ -21,7 +21,8 @@ export const M = {
   "currencies": "currencies",
   "planner": "planner",
   "resources": "resources",
-  "staff": "staff"
+  "staff": "staff",
+  "notifications": "notifications"
 } as const
 export const E = {
   "dashboards": {
@@ -182,6 +183,9 @@ export const E = {
     "staff_team_member_comment": "staff:staff_team_member_comment",
     "staff_team_member_job_history": "staff:staff_team_member_job_history",
     "staff_team_role": "staff:staff_team_role"
+  },
+  "notifications": {
+    "notification": "notifications:notification"
   }
 } as const
 export type KnownModuleId = keyof typeof M

package/generated/entity-fields-registry.ts

@@ -53,6 +53,7 @@ import * as feature_toggle_override from './entities/feature_toggle_override/ind
 import * as indexer_error_log from './entities/indexer_error_log/index'
 import * as indexer_status_log from './entities/indexer_status_log/index'
 import * as module_config from './entities/module_config/index'
+import * as notification from './entities/notification/index'
 import * as organization from './entities/organization/index'
 import * as password_reset from './entities/password_reset/index'
 import * as perspective from './entities/perspective/index'
@@ -172,6 +173,7 @@ export const entityFieldsRegistry: Record<string, Record<string, string>> = {
   indexer_error_log,
   indexer_status_log,
   module_config,
+  notification,
   organization,
   password_reset,
   perspective,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.4.2-canary-da2b080494",
+  "version": "0.4.2-canary-19703ca707",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -207,7 +207,7 @@
     }
   },
   "dependencies": {
-    "@open-mercato/shared": "0.4.2-canary-da2b080494",
+    "@open-mercato/shared": "0.4.2-canary-19703ca707",
     "@xyflow/react": "^12.6.0",
     "date-fns": "^4.1.0",
     "date-fns-tz": "^3.2.0"

package/src/modules/api_docs/frontend/docs/api/page.tsx

@@ -2,6 +2,7 @@ import ApiDocsExplorer from './Explorer'
 import { getModules } from '@open-mercato/shared/lib/i18n/server'
 import { buildOpenApiDocument } from '@open-mercato/shared/lib/openapi'
 import { resolveApiDocsBaseUrl } from '@open-mercato/core/modules/api_docs/lib/resources'
+import { APP_VERSION } from '@open-mercato/shared/lib/version'
 
 type ExplorerOperation = {
   id: string
@@ -54,7 +55,7 @@ export default async function ApiDocsViewerPage() {
   const modules = getModules()
   const doc = buildOpenApiDocument(modules, {
     title: 'Open Mercato API',
-    version: '1.0.0',
+    version: APP_VERSION,
     description: 'Auto-generated OpenAPI definition for all enabled modules.',
     servers: [{ url: baseUrl, description: 'Default environment' }],
     baseUrlForExamples: baseUrl,
@@ -67,7 +68,7 @@ export default async function ApiDocsViewerPage() {
   return (
     <ApiDocsExplorer
       title={doc.info?.title ?? 'Open Mercato API'}
-      version={doc.info?.version ?? '1.0.0'}
+      version={doc.info?.version ?? APP_VERSION}
       description={doc.info?.description}
       operations={operations}
       tagOrder={tagOrder}

package/src/modules/api_keys/backend/api-keys/page.tsx

@@ -175,7 +175,7 @@ export default function ApiKeysListPage() {
           perspective={{ tableId: 'api_keys.list' }}
           rowActions={(row) => (
             <RowActions items={[
-              { label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
+              { id: 'delete', label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },
             ]} />
           )}
           pagination={{ page, pageSize: 20, total, totalPages, onPageChange: setPage }}

package/src/modules/attachments/components/AttachmentLibrary.tsx

@@ -1056,6 +1056,7 @@ export function AttachmentLibrary() {
           <RowActions
             items={[
               {
+                id: 'open',
                 label: t('attachments.library.actions.open', 'Open'),
                 onSelect: () => {
                   if (!row.url) return
@@ -1063,10 +1064,12 @@ export function AttachmentLibrary() {
                 },
               },
               {
+                id: 'edit',
                 label: t('attachments.library.actions.edit', 'Edit metadata'),
                 onSelect: () => openMetadataDialog(row),
               },
               {
+                id: 'copy-url',
                 label: t('attachments.library.actions.copyUrl', 'Copy URL'),
                 onSelect: () => {
                   if (!row.url) {
@@ -1091,6 +1094,7 @@ export function AttachmentLibrary() {
                 },
               },
               {
+                id: 'delete',
                 label: t('attachments.library.actions.delete', 'Delete'),
                 destructive: true,
                 onSelect: () => openDeleteDialog(row),

package/src/modules/attachments/components/AttachmentPartitionSettings.tsx

@@ -305,10 +305,12 @@ export function AttachmentPartitionSettings() {
           <RowActions
             items={[
               {
+                id: 'edit',
                 label: t('attachments.partitions.actions.edit', 'Edit'),
                 onSelect: () => openDialog({ mode: 'edit', entry }),
               },
               {
+                id: 'delete',
                 label: t('attachments.partitions.actions.delete', 'Delete'),
                 destructive: true,
                 onSelect: () => { void handleDelete(entry) },

package/src/modules/auth/README.md

@@ -8,7 +8,7 @@ Features:
   - `mercato auth add-user --email <e> --password <p> --organizationId <id> [--roles r1,r2]`
   - `mercato auth seed-roles`
   - `mercato auth add-org --name <org>`
-  - `mercato auth setup --orgName <org> --email <e> --password <p> [--roles superadmin,admin]`
+  - `mercato auth setup --orgName <org> --email <e> --password <p> [--roles superadmin,admin] [--skip-password-policy]`
 
 DB entities used (defined in root schema):
 - `users` with: `email`, `password_hash`, `is_confirmed`, `last_login_at`, `organization_id`, timestamps.

package/src/modules/auth/__tests__/cli-setup-acl.test.ts

@@ -46,7 +46,7 @@ describe('auth CLI setup seeds ACLs', () => {
     findOneOrFail.mockImplementation(async (_: any, where: any) => ({ id: 'role-' + where.name, name: where.name }))
 
     // Act
-    await setup.run(['--orgName', 'Acme', '--email', 'root@acme.com', '--password', 'secret'])
+    await setup.run(['--orgName', 'Acme', '--email', 'root@acme.com', '--password', 'secret', '--skip-password-policy'])
 
     // Assert: persistAndFlush was called to create three RoleAcl rows with expected flags/features
     const calls = persistAndFlush.mock.calls.map((c) => c[0])

package/src/modules/auth/api/__tests__/login.test.ts

@@ -15,6 +15,8 @@ jest.mock('@open-mercato/shared/lib/di/container', () => ({
   createRequestContainer: async () => ({
     resolve: (_: string) => ({
       findUserByEmail: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
+      findUsersByEmail: async (email: string) => ([{ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }]),
+      findUserByEmailAndTenant: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
       verifyPassword: async () => true,
       getUserRoles: async (_user: any, _tenant: string | null | undefined) => ['admin'],
       updateLastLoginAt: async () => undefined,

package/src/modules/auth/api/admin/nav.ts

@@ -297,12 +297,16 @@ export async function GET(req: Request) {
   const groupsWithRole = rolePreference ? applySidebarPreference(groups, rolePreference) : groups
   const baseForUser = adoptSidebarDefaults(groupsWithRole)
 
-  const preference = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available; otherwise skip user preferences
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const preference = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   const withPreference = applySidebarPreference(baseForUser, preference)
 

package/src/modules/auth/api/login.ts

@@ -17,15 +17,33 @@ export async function POST(req: Request) {
   const email = String(form.get('email') ?? '')
   const password = String(form.get('password') ?? '')
   const remember = parseBooleanToken(form.get('remember')?.toString()) === true
+  const tenantIdRaw = String(form.get('tenantId') ?? form.get('tenant') ?? '').trim()
   const requireRoleRaw = (String(form.get('requireRole') ?? form.get('role') ?? '')).trim()
   const requiredRoles = requireRoleRaw ? requireRoleRaw.split(',').map((s) => s.trim()).filter(Boolean) : []
-  const parsed = userLoginSchema.pick({ email: true, password: true }).safeParse({ email, password })
+  const parsed = userLoginSchema.pick({ email: true, password: true, tenantId: true }).safeParse({
+    email,
+    password,
+    tenantId: tenantIdRaw || undefined,
+  })
   if (!parsed.success) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid credentials') }, { status: 400 })
   }
   const container = await createRequestContainer()
   const auth = (container.resolve('authService') as AuthService)
-  const user = await auth.findUserByEmail(parsed.data.email)
+  const tenantId = parsed.data.tenantId ?? null
+  let user = null
+  if (tenantId) {
+    user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
+  } else {
+    const users = await auth.findUsersByEmail(parsed.data.email)
+    if (users.length > 1) {
+      return NextResponse.json({
+        ok: false,
+        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
+      }, { status: 400 })
+    }
+    user = users[0] ?? null
+  }
   if (!user || !user.passwordHash) {
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
@@ -35,26 +53,27 @@ export async function POST(req: Request) {
   }
   // Optional role requirement
   if (requiredRoles.length) {
-    const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
+    const userRoleNames = await auth.getUserRoles(user, tenantId ?? (user.tenantId ? String(user.tenantId) : null))
     const authorized = requiredRoles.some(r => userRoleNames.includes(r))
     if (!authorized) {
       return NextResponse.json({ ok: false, error: translate('auth.login.errors.permissionDenied', 'Not authorized for this area') }, { status: 403 })
     }
   }
   await auth.updateLastLoginAt(user)
-  const userRoleNames = await auth.getUserRoles(user, user.tenantId ? String(user.tenantId) : null)
+  const resolvedTenantId = tenantId ?? (user.tenantId ? String(user.tenantId) : null)
+  const userRoleNames = await auth.getUserRoles(user, resolvedTenantId)
   try {
     const eventBus = (container.resolve('eventBus') as EventBus)
     void eventBus.emitEvent('query_index.coverage.warmup', {
-      tenantId: user.tenantId ? String(user.tenantId) : null,
+      tenantId: resolvedTenantId,
     }).catch(() => undefined)
   } catch {
     // optional warmup
   }
   const token = signJwt({ 
     sub: String(user.id), 
-    tenantId: user.tenantId ? String(user.tenantId) : null, 
-    orgId: user.organizationId ? String(user.organizationId) : null, 
+    tenantId: resolvedTenantId, 
+    orgId: user.organizationId ? String(user.organizationId) : null,
     email: user.email, 
     roles: userRoleNames 
   })

package/src/modules/auth/api/profile/route.ts

@@ -0,0 +1,163 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { signJwt } from '@open-mercato/shared/lib/auth/jwt'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
+
+const profileResponseSchema = z.object({
+  email: z.string().email(),
+})
+
+const passwordSchema = buildPasswordSchema()
+
+const updateSchema = z.object({
+  email: z.string().email().optional(),
+  password: passwordSchema.optional(),
+}).refine((data) => Boolean(data.email || data.password), {
+  message: 'Provide an email or password.',
+  path: ['email'],
+})
+
+const profileUpdateResponseSchema = z.object({
+  ok: z.literal(true),
+  email: z.string().email(),
+})
+
+export const metadata = {
+  GET: { requireAuth: true },
+  PUT: { requireAuth: true },
+}
+
+function buildCommandContext(container: Awaited<ReturnType<typeof createRequestContainer>>, auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>, req: Request): CommandRuntimeContext {
+  return {
+    container,
+    auth,
+    organizationScope: null,
+    selectedOrganizationId: auth.orgId ?? null,
+    organizationIds: auth.orgId ? [auth.orgId] : null,
+    request: req,
+  }
+}
+
+export async function GET(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const container = await createRequestContainer()
+    const em = (container.resolve('em') as EntityManager)
+    const user = await findOneWithDecryption(
+      em,
+      User,
+      { id: auth.sub, deletedAt: null },
+      undefined,
+      { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
+    )
+    if (!user) {
+      return NextResponse.json({ error: translate('auth.users.form.errors.notFound', 'User not found') }, { status: 404 })
+    }
+    return NextResponse.json({ email: String(user.email) })
+  } catch (err) {
+    console.error('auth.profile.load failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.load', 'Failed to load profile.') }, { status: 400 })
+  }
+}
+
+export async function PUT(req: Request) {
+  const { translate } = await resolveTranslations()
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) {
+    return NextResponse.json({ error: translate('api.errors.unauthorized', 'Unauthorized') }, { status: 401 })
+  }
+  try {
+    const body = await req.json().catch(() => ({}))
+    const parsed = updateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json(
+        {
+          error: translate('auth.profile.form.errors.invalid', 'Invalid profile update.'),
+          issues: parsed.error.issues,
+        },
+        { status: 400 },
+      )
+    }
+    const container = await createRequestContainer()
+    const commandBus = (container.resolve('commandBus') as CommandBus)
+    const ctx = buildCommandContext(container, auth, req)
+    const { result } = await commandBus.execute<{ id: string; email?: string; password?: string }, User>(
+      'auth.users.update',
+      {
+        input: {
+          id: auth.sub,
+          email: parsed.data.email,
+          password: parsed.data.password,
+        },
+        ctx,
+      },
+    )
+    const authService = container.resolve('authService') as AuthService
+    const roles = await authService.getUserRoles(result, result.tenantId ? String(result.tenantId) : null)
+    const jwt = signJwt({
+      sub: String(result.id),
+      tenantId: result.tenantId ? String(result.tenantId) : null,
+      orgId: result.organizationId ? String(result.organizationId) : null,
+      email: result.email,
+      roles,
+    })
+    const res = NextResponse.json({ ok: true, email: String(result.email) })
+    res.cookies.set('auth_token', jwt, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 8,
+    })
+    return res
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('auth.profile.update failed', err)
+    return NextResponse.json({ error: translate('auth.profile.form.errors.save', 'Failed to update profile.') }, { status: 400 })
+  }
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Authentication & Accounts',
+  summary: 'Profile settings',
+  methods: {
+    GET: {
+      summary: 'Get current profile',
+      description: 'Returns the email address for the signed-in user.',
+      responses: [
+        { status: 200, description: 'Profile payload', schema: profileResponseSchema },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 404, description: 'User not found', schema: z.object({ error: z.string() }) },
+      ],
+    },
+    PUT: {
+      summary: 'Update current profile',
+      description: 'Updates the email address or password for the signed-in user.',
+      requestBody: {
+        contentType: 'application/json',
+        schema: updateSchema,
+      },
+      responses: [
+        { status: 200, description: 'Profile updated', schema: profileUpdateResponseSchema },
+        { status: 400, description: 'Invalid payload', schema: z.object({ error: z.string() }) },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/auth/api/reset/confirm.ts

@@ -3,6 +3,9 @@ import { NextResponse } from 'next/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { AuthService } from '@open-mercato/core/modules/auth/services/authService'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via confirmPasswordResetSchema
@@ -15,8 +18,28 @@ export async function POST(req: Request) {
   if (!parsed.success) return NextResponse.json({ ok: false, error: 'Invalid request' }, { status: 400 })
   const c = await createRequestContainer()
   const auth = c.resolve<AuthService>('authService')
-  const ok = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
-  if (!ok) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  const user = await auth.confirmPasswordReset(parsed.data.token, parsed.data.password)
+  if (!user) return NextResponse.json({ ok: false, error: 'Invalid or expired token' }, { status: 400 })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.completed')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset.confirm] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true, redirect: '/login' })
 }
 

package/src/modules/auth/api/reset.ts

@@ -6,6 +6,9 @@ import { AuthService } from '@open-mercato/core/modules/auth/services/authServic
 import { sendEmail } from '@open-mercato/shared/lib/email/send'
 import ResetPasswordEmail from '@open-mercato/core/modules/auth/emails/ResetPasswordEmail'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'
+import { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'
+import notificationTypes from '@open-mercato/core/modules/auth/notifications'
 import { z } from 'zod'
 
 // validation via requestPasswordResetSchema
@@ -35,6 +38,26 @@ export async function POST(req: Request) {
   }
 
   await sendEmail({ to: user.email, subject, react: ResetPasswordEmail({ resetUrl, copy }) })
+  try {
+    const tenantId = user.tenantId ? String(user.tenantId) : null
+    if (tenantId) {
+      const notificationService = resolveNotificationService(c)
+      const typeDef = notificationTypes.find((type) => type.type === 'auth.password_reset.requested')
+      if (typeDef) {
+        const notificationInput = buildNotificationFromType(typeDef, {
+          recipientUserId: String(user.id),
+          sourceEntityType: 'auth:user',
+          sourceEntityId: String(user.id),
+        })
+        await notificationService.create(notificationInput, {
+          tenantId,
+          organizationId: user.organizationId ? String(user.organizationId) : null,
+        })
+      }
+    }
+  } catch (err) {
+    console.error('[auth.reset] Failed to create notification:', err)
+  }
   return NextResponse.json({ ok: true })
 }
 

package/src/modules/auth/api/sidebar/preferences/route.ts

@@ -64,12 +64,16 @@ export async function GET(req: Request) {
     { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },
   ) ?? false
 
-  const settings = await loadSidebarPreference(em, {
-    userId: auth.sub,
-    tenantId: auth.tenantId ?? null,
-    organizationId: auth.orgId ?? null,
-    locale,
-  })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  const settings = effectiveUserId
+    ? await loadSidebarPreference(em, {
+        userId: effectiveUserId,
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        locale,
+      })
+    : null
 
   let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []
   if (canApplyToRoles) {
@@ -92,11 +96,11 @@ export async function GET(req: Request) {
   return NextResponse.json({
     locale,
     settings: {
-      version: settings.version ?? SIDEBAR_PREFERENCES_VERSION,
-      groupOrder: settings.groupOrder ?? [],
-      groupLabels: settings.groupLabels ?? {},
-      itemLabels: settings.itemLabels ?? {},
-      hiddenItems: settings.hiddenItems ?? [],
+      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,
+      groupOrder: settings?.groupOrder ?? [],
+      groupLabels: settings?.groupLabels ?? {},
+      itemLabels: settings?.itemLabels ?? {},
+      hiddenItems: settings?.hiddenItems ?? [],
     },
     canApplyToRoles,
     roles: rolesPayload,
@@ -106,6 +110,11 @@ export async function GET(req: Request) {
 export async function PUT(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  // For API key auth, use userId (the actual user) if available
+  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub
+  if (!effectiveUserId) {
+    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })
+  }
 
   let parsedBody: unknown
   try {
@@ -182,7 +191,7 @@ export async function PUT(req: Request) {
   }
 
   const settings = await saveSidebarPreference(em, {
-    userId: auth.sub,
+    userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
     organizationId: auth.orgId ?? null,
     locale,