npm - @open-mercato/core - Versions diffs - 0.4.2-canary-ed15f2e753 → 0.4.2-canary-e2aeb1a7bf - Mend

@open-mercato/core 0.4.2-canary-ed15f2e753 → 0.4.2-canary-e2aeb1a7bf

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (711) hide show

package/dist/modules/auth/commands/users.js CHANGED Viewed

@@ -22,16 +22,21 @@ import {
 import { normalizeTenantId } from "@open-mercato/core/modules/auth/lib/tenantAccess";
 import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional()
 });
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional()
 });
@@ -60,6 +65,38 @@ const userCrudIndexer = {
     tenantId: ctx.identifiers.tenantId
   })
 };
+async function notifyRoleChanges(ctx, user, assignedRoles, revokedRoles) {
+  const tenantId = user.tenantId ? String(user.tenantId) : null;
+  if (!tenantId) return;
+  const organizationId = user.organizationId ? String(user.organizationId) : null;
+  try {
+    const notificationService = resolveNotificationService(ctx.container);
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === "auth.role.assigned");
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === "auth.role.revoked");
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.users.roles] Failed to create notification:", err);
+  }
+}
 const createUserCommand = {
   id: "auth.users.create",
   async execute(rawInput, ctx) {
@@ -97,8 +134,10 @@ const createUserCommand = {
       if (isUniqueViolation(error)) await throwDuplicateEmailError();
       throw error;
     }
+    let assignedRoles = [];
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId);
+      assignedRoles = await loadUserRoleNames(em, String(user.id));
     }
     await setCustomFieldsIfAny({
       dataEngine: de,
@@ -120,6 +159,9 @@ const createUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, []);
+    }
     return user;
   },
   captureAfter: async (_input, result, ctx) => {
@@ -230,6 +272,7 @@ const updateUserCommand = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput);
     const em = ctx.container.resolve("em");
+    const rolesBefore = Array.isArray(parsed.roles) ? await loadUserRoleNames(em, parsed.id) : null;
     if (parsed.email !== void 0) {
       const emailHash2 = computeEmailHash(parsed.email);
       const duplicate = await em.findOne(
@@ -310,6 +353,13 @@ const updateUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id));
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter);
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked);
+      }
+    }
     await invalidateUserCache(ctx, parsed.id);
     return user;
   },
@@ -656,6 +706,13 @@ async function invalidateUserCache(ctx, userId) {
   } catch {
   }
 }
+function diffRoleChanges(before, after) {
+  const beforeSet = new Set(before);
+  const afterSet = new Set(after);
+  const assigned = after.filter((role) => !beforeSet.has(role));
+  const revoked = before.filter((role) => !afterSet.has(role));
+  return { assigned, revoked };
+}
 function arrayEquals(left, right) {
   if (!left) return false;
   if (left.length !== right.length) return false;

package/dist/modules/auth/commands/users.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/commands/users.ts"],
-  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: z.string().min(6).optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
-  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAqC1D,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AAAA,IACtD;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
+  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'\nimport { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'\nimport notificationTypes from '@open-mercato/core/modules/auth/notifications'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst passwordSchema = buildPasswordSchema()\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: passwordSchema.optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nasync function notifyRoleChanges(\n  ctx: CommandRuntimeContext,\n  user: User,\n  assignedRoles: string[],\n  revokedRoles: string[],\n): Promise<void> {\n  const tenantId = user.tenantId ? String(user.tenantId) : null\n  if (!tenantId) return\n  const organizationId = user.organizationId ? String(user.organizationId) : null\n\n  try {\n    const notificationService = resolveNotificationService(ctx.container)\n    if (assignedRoles.length) {\n      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')\n      if (assignedType) {\n        const notificationInput = buildNotificationFromType(assignedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n\n    if (revokedRoles.length) {\n      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')\n      if (revokedType) {\n        const notificationInput = buildNotificationFromType(revokedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n  } catch (err) {\n    console.error('[auth.users.roles] Failed to create notification:', err)\n  }\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    let assignedRoles: string[] = []\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n      assignedRoles = await loadUserRoleNames(em, String(user.id))\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (assignedRoles.length) {\n      await notifyRoleChanges(ctx, user, assignedRoles, [])\n    }\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const rolesBefore = Array.isArray(parsed.roles)\n      ? await loadUserRoleNames(em, parsed.id)\n      : null\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (Array.isArray(parsed.roles) && rolesBefore) {\n      const rolesAfter = await loadUserRoleNames(em, String(user.id))\n      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)\n      if (assigned.length || revoked.length) {\n        await notifyRoleChanges(ctx, user, assigned, revoked)\n      }\n    }\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction diffRoleChanges(before: string[], after: string[]) {\n  const beforeSet = new Set(before)\n  const afterSet = new Set(after)\n  const assigned = after.filter((role) => !beforeSet.has(role))\n  const revoked = before.filter((role) => !afterSet.has(role))\n  return { assigned, revoked }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,iCAAiC;AAC1C,SAAS,kCAAkC;AAC3C,OAAO,uBAAuB;AAC9B,SAAS,2BAA2B;AAqCpC,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,eAAe,kBACb,KACA,MACA,eACA,cACe;AACf,QAAM,WAAW,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AACzD,MAAI,CAAC,SAAU;AACf,QAAM,iBAAiB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAE3E,MAAI;AACF,UAAM,sBAAsB,2BAA2B,IAAI,SAAS;AACpE,QAAI,cAAc,QAAQ;AACxB,YAAM,eAAe,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,oBAAoB;AACxF,UAAI,cAAc;AAChB,cAAM,oBAAoB,0BAA0B,cAAc;AAAA,UAChE,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAEA,QAAI,aAAa,QAAQ;AACvB,YAAM,cAAc,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,mBAAmB;AACtF,UAAI,aAAa;AACf,cAAM,oBAAoB,0BAA0B,aAAa;AAAA,UAC/D,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,qDAAqD,GAAG;AAAA,EACxE;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,gBAA0B,CAAC;AAC/B,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AACpD,sBAAgB,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAAA,IAC7D;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,cAAc,QAAQ;AACxB,YAAM,kBAAkB,KAAK,MAAM,eAAe,CAAC,CAAC;AAAA,IACtD;AAEA,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,cAAc,MAAM,QAAQ,OAAO,KAAK,IAC1C,MAAM,kBAAkB,IAAI,OAAO,EAAE,IACrC;AAEJ,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,aAAa;AAC9C,YAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAC9D,YAAM,EAAE,UAAU,QAAQ,IAAI,gBAAgB,aAAa,UAAU;AACrE,UAAI,SAAS,UAAU,QAAQ,QAAQ;AACrC,cAAM,kBAAkB,KAAK,MAAM,UAAU,OAAO;AAAA,MACtD;AAAA,IACF;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,gBAAgB,QAAkB,OAAiB;AAC1D,QAAM,YAAY,IAAI,IAAI,MAAM;AAChC,QAAM,WAAW,IAAI,IAAI,KAAK;AAC9B,QAAM,WAAW,MAAM,OAAO,CAAC,SAAS,CAAC,UAAU,IAAI,IAAI,CAAC;AAC5D,QAAM,UAAU,OAAO,OAAO,CAAC,SAAS,CAAC,SAAS,IAAI,IAAI,CAAC;AAC3D,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
   "names": ["emailHash"]
 }

package/dist/modules/auth/data/validators.js CHANGED Viewed

@@ -1,15 +1,18 @@
 import { z } from "zod";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const userLoginSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
-  requireRole: z.string().optional()
+  requireRole: z.string().optional(),
+  tenantId: z.string().uuid().optional()
 });
 const requestPasswordResetSchema = z.object({
   email: z.string().email()
 });
 const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6)
+  password: passwordSchema
 });
 const sidebarPreferencesInputSchema = z.object({
   version: z.number().int().positive().optional(),
@@ -22,7 +25,7 @@ const sidebarPreferencesInputSchema = z.object({
 });
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional()

package/dist/modules/auth/data/validators.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/data/validators.ts"],
-  "sourcesContent": ["import { z } from 'zod'\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: z.string().min(6),\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
-  "mappings": "AAAA,SAAS,SAAS;AAGX,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAC5B,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
+  "sourcesContent": ["import { z } from 'zod'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\nconst passwordSchema = buildPasswordSchema()\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: passwordSchema,\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
+  "mappings": "AAAA,SAAS,SAAS;AAClB,SAAS,2BAA2B;AAEpC,MAAM,iBAAiB,oBAAoB;AAGpC,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU;AACZ,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
   "names": []
 }

package/dist/modules/auth/frontend/login.js CHANGED Viewed

@@ -1,15 +1,37 @@
 "use client";
 import { jsx, jsxs } from "react/jsx-runtime";
-import { useState } from "react";
+import { useCallback, useEffect, useState } from "react";
 import Image from "next/image";
 import Link from "next/link";
 import { useRouter, useSearchParams } from "next/navigation";
 import { Card, CardContent, CardHeader, CardDescription } from "@open-mercato/ui/primitives/card";
 import { Input } from "@open-mercato/ui/primitives/input";
 import { Label } from "@open-mercato/ui/primitives/label";
+import { Button } from "@open-mercato/ui/primitives/button";
 import { useT } from "@open-mercato/shared/lib/i18n/context";
 import { translateWithFallback } from "@open-mercato/shared/lib/i18n/translate";
 import { clearAllOperations } from "@open-mercato/ui/backend/operations/store";
+import { apiCall } from "@open-mercato/ui/backend/utils/apiCall";
+import { X } from "lucide-react";
+const loginTenantKey = "om_login_tenant";
+const loginTenantCookieMaxAge = 60 * 60 * 24 * 14;
+function readTenantCookie() {
+  if (typeof document === "undefined") return null;
+  const entries = document.cookie.split(";");
+  for (const entry of entries) {
+    const [name, ...rest] = entry.trim().split("=");
+    if (name === loginTenantKey) return decodeURIComponent(rest.join("="));
+  }
+  return null;
+}
+function setTenantCookie(value) {
+  if (typeof document === "undefined") return;
+  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`;
+}
+function clearTenantCookie() {
+  if (typeof document === "undefined") return;
+  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`;
+}
 function extractErrorMessage(payload) {
   if (!payload) return null;
   if (typeof payload === "string") return payload;
@@ -42,7 +64,10 @@ function looksLikeJsonString(value) {
 }
 function LoginPage() {
   const t = useT();
-  const translate = (key, fallback, params) => translateWithFallback(t, key, fallback, params);
+  const translate = useCallback(
+    (key, fallback, params) => translateWithFallback(t, key, fallback, params),
+    [t]
+  );
   const router = useRouter();
   const searchParams = useSearchParams();
   const requireRole = (searchParams.get("requireRole") || searchParams.get("role") || "").trim();
@@ -53,6 +78,74 @@ function LoginPage() {
   const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature));
   const [error, setError] = useState(null);
   const [submitting, setSubmitting] = useState(false);
+  const [tenantId, setTenantId] = useState(null);
+  const [tenantName, setTenantName] = useState(null);
+  const [tenantLoading, setTenantLoading] = useState(false);
+  const [tenantInvalid, setTenantInvalid] = useState(null);
+  const showTenantInvalid = tenantId != null && tenantInvalid === tenantId;
+  useEffect(() => {
+    const tenantParam = (searchParams.get("tenant") || "").trim();
+    if (tenantParam) {
+      setTenantId(tenantParam);
+      window.localStorage.setItem(loginTenantKey, tenantParam);
+      setTenantCookie(tenantParam);
+      return;
+    }
+    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie();
+    if (storedTenant) {
+      setTenantId(storedTenant);
+    }
+  }, [searchParams]);
+  useEffect(() => {
+    if (!tenantId) {
+      setTenantName(null);
+      setTenantInvalid(null);
+      return;
+    }
+    if (tenantInvalid === tenantId) {
+      setTenantName(null);
+      setTenantLoading(false);
+      return;
+    }
+    let active = true;
+    setTenantLoading(true);
+    setTenantInvalid(null);
+    apiCall(
+      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`
+    ).then(({ result }) => {
+      if (!active) return;
+      if (result?.ok && result.tenant) {
+        setTenantName(result.tenant.name);
+        return;
+      }
+      const message = translate("auth.login.errors.tenantInvalid", "Tenant not found. Clear the tenant selection and try again.");
+      setTenantName(null);
+      setTenantInvalid(tenantId);
+      setError(null);
+    }).catch(() => {
+      if (!active) return;
+      setTenantName(null);
+      setTenantInvalid(tenantId);
+      setError(null);
+    }).finally(() => {
+      if (active) setTenantLoading(false);
+    });
+    return () => {
+      active = false;
+    };
+  }, [tenantId, translate]);
+  function handleClearTenant() {
+    window.localStorage.removeItem(loginTenantKey);
+    clearTenantCookie();
+    setTenantId(null);
+    setTenantName(null);
+    setTenantInvalid(null);
+    const params = new URLSearchParams(searchParams);
+    params.delete("tenant");
+    setError(null);
+    const query = params.toString();
+    router.replace(query ? `/login?${query}` : "/login");
+  }
   async function onSubmit(e) {
     e.preventDefault();
     setError(null);
@@ -130,6 +223,7 @@ function LoginPage() {
       /* @__PURE__ */ jsx(CardDescription, { children: translate("auth.login.subtitle", "Access your workspace") })
     ] }),
     /* @__PURE__ */ jsx(CardContent, { children: /* @__PURE__ */ jsxs("form", { className: "grid gap-3", onSubmit, noValidate: true, children: [
+      tenantId ? /* @__PURE__ */ jsx("input", { type: "hidden", name: "tenantId", value: tenantId }) : null,
       !!translatedRoles.length && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900", children: translate(
         translatedRoles.length > 1 ? "auth.login.requireRolesMessage" : "auth.login.requireRoleMessage",
         translatedRoles.length > 1 ? "Access requires one of the following roles: {roles}" : "Access requires role: {roles}",
@@ -138,7 +232,22 @@ function LoginPage() {
       !!translatedFeatures.length && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900", children: translate("auth.login.featureDenied", "You don't have access to this feature ({feature}). Please contact your administrator.", {
         feature: translatedFeatures.join(", ")
       }) }),
-      error && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700", role: "alert", "aria-live": "polite", children: error }),
+      showTenantInvalid ? /* @__PURE__ */ jsxs("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-xs text-red-700", children: [
+        /* @__PURE__ */ jsx("div", { className: "font-medium", children: translate("auth.login.errors.tenantInvalid", "Tenant not found. Clear the tenant selection and try again.") }),
+        /* @__PURE__ */ jsxs(Button, { type: "button", variant: "outline", size: "sm", className: "mt-2 border-red-300 text-red-700", onClick: handleClearTenant, children: [
+          /* @__PURE__ */ jsx(X, { className: "mr-2 size-4", "aria-hidden": "true" }),
+          translate("auth.login.tenantClear", "Clear")
+        ] })
+      ] }) : tenantId ? /* @__PURE__ */ jsxs("div", { className: "rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900", children: [
+        /* @__PURE__ */ jsx("div", { className: "font-medium", children: tenantLoading ? translate("auth.login.tenantLoading", "Loading tenant details...") : translate("auth.login.tenantBanner", "You're logging in to {tenant} tenant.", {
+          tenant: tenantName || tenantId
+        }) }),
+        /* @__PURE__ */ jsxs(Button, { type: "button", variant: "outline", size: "sm", className: "mt-2 border-emerald-300 text-emerald-900", onClick: handleClearTenant, children: [
+          /* @__PURE__ */ jsx(X, { className: "mr-2 size-4", "aria-hidden": "true" }),
+          translate("auth.login.tenantClear", "Clear")
+        ] })
+      ] }) : null,
+      error && !showTenantInvalid && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700", role: "alert", "aria-live": "polite", children: error }),
       /* @__PURE__ */ jsxs("div", { className: "grid gap-1", children: [
         /* @__PURE__ */ jsx(Label, { htmlFor: "email", children: t("auth.email") }),
         /* @__PURE__ */ jsx(Input, { id: "email", name: "email", type: "email", required: true, "aria-invalid": !!error })