npm - @open-mercato/core - Versions diffs - 0.4.2-canary-f075c3eb92 → 0.4.2-canary-8a04af8836 - Mend

@open-mercato/core 0.4.2-canary-f075c3eb92 → 0.4.2-canary-8a04af8836

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (507) hide show

package/dist/modules/auth/commands/users.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/commands/users.ts"],
-  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: z.string().min(6).optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
-  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAqC1D,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AAAA,IACtD;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
+  "sourcesContent": ["import type { CommandHandler } from '@open-mercato/shared/lib/commands'\nimport { registerCommand } from '@open-mercato/shared/lib/commands'\nimport {\n  parseWithCustomFields,\n  setCustomFieldsIfAny,\n  emitCrudSideEffects,\n  emitCrudUndoSideEffects,\n  buildChanges,\n  requireId,\n} from '@open-mercato/shared/lib/commands/helpers'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport type { CrudEventsConfig, CrudIndexerConfig } from '@open-mercato/shared/lib/crud/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { UniqueConstraintViolationException } from '@mikro-orm/core'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role, UserAcl, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { z } from 'zod'\nimport {\n  loadCustomFieldSnapshot,\n  buildCustomFieldResetMap,\n  diffCustomFieldChanges,\n} from '@open-mercato/shared/lib/commands/customFieldSnapshots'\nimport { normalizeTenantId } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildNotificationFromType } from '@open-mercato/core/modules/notifications/lib/notificationBuilder'\nimport { resolveNotificationService } from '@open-mercato/core/modules/notifications/lib/notificationService'\nimport notificationTypes from '@open-mercato/core/modules/auth/notifications'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\ntype SerializedUser = {\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  roles: string[]\n  name: string | null\n  isConfirmed: boolean\n  custom?: Record<string, unknown>\n}\n\ntype UserAclSnapshot = {\n  tenantId: string\n  features: string[] | null\n  isSuperAdmin: boolean\n  organizations: string[] | null\n}\n\ntype UserUndoSnapshot = {\n  id: string\n  email: string\n  organizationId: string | null\n  tenantId: string | null\n  passwordHash: string | null\n  name: string | null\n  isConfirmed: boolean\n  roles: string[]\n  acls: UserAclSnapshot[]\n  custom?: Record<string, unknown>\n}\n\ntype UserSnapshots = {\n  view: SerializedUser\n  undo: UserUndoSnapshot\n}\n\nconst passwordSchema = buildPasswordSchema()\n\nconst createSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst updateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  password: passwordSchema.optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nexport const userCrudEvents: CrudEventsConfig = {\n  module: 'auth',\n  entity: 'user',\n  persistent: true,\n  buildPayload: (ctx) => ({\n    id: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nexport const userCrudIndexer: CrudIndexerConfig = {\n  entityType: E.auth.user,\n  buildUpsertPayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n  buildDeletePayload: (ctx) => ({\n    entityType: E.auth.user,\n    recordId: ctx.identifiers.id,\n    organizationId: ctx.identifiers.organizationId,\n    tenantId: ctx.identifiers.tenantId,\n  }),\n}\n\nasync function notifyRoleChanges(\n  ctx: CommandRuntimeContext,\n  user: User,\n  assignedRoles: string[],\n  revokedRoles: string[],\n): Promise<void> {\n  const tenantId = user.tenantId ? String(user.tenantId) : null\n  if (!tenantId) return\n  const organizationId = user.organizationId ? String(user.organizationId) : null\n\n  try {\n    const notificationService = resolveNotificationService(ctx.container)\n    if (assignedRoles.length) {\n      const assignedType = notificationTypes.find((type) => type.type === 'auth.role.assigned')\n      if (assignedType) {\n        const notificationInput = buildNotificationFromType(assignedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n\n    if (revokedRoles.length) {\n      const revokedType = notificationTypes.find((type) => type.type === 'auth.role.revoked')\n      if (revokedType) {\n        const notificationInput = buildNotificationFromType(revokedType, {\n          recipientUserId: String(user.id),\n          sourceEntityType: 'auth:user',\n          sourceEntityId: String(user.id),\n        })\n        await notificationService.create(notificationInput, { tenantId, organizationId })\n      }\n    }\n  } catch (err) {\n    console.error('[auth.users.roles] Failed to create notification:', err)\n  }\n}\n\nconst createUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.create',\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(createSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: parsed.organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: parsed.organizationId },\n    )\n    if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n\n    const emailHash = computeEmailHash(parsed.email)\n    const duplicate = await em.findOne(User, { $or: [{ email: parsed.email }, { emailHash }], deletedAt: null } as any)\n    if (duplicate) await throwDuplicateEmailError()\n\n    const { hash } = await import('bcryptjs')\n    const passwordHash = await hash(parsed.password, 10)\n    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User\n    try {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          email: parsed.email,\n          emailHash,\n          passwordHash,\n          isConfirmed: true,\n          organizationId: parsed.organizationId,\n          tenantId,\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n\n    let assignedRoles: string[] = []\n    if (Array.isArray(parsed.roles) && parsed.roles.length) {\n      await syncUserRoles(em, user, parsed.roles, tenantId)\n      assignedRoles = await loadUserRoleNames(em, String(user.id))\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: tenantId,\n      values: custom,\n    })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'created',\n      entity: user,\n      identifiers: {\n        id: String(user.id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (assignedRoles.length) {\n      await notifyRoleChanges(ctx, user, assignedRoles, [])\n    }\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const snapshot = captureUserSnapshots(result, roles, undefined, custom)\n    return {\n      actionLabel: translate('auth.audit.users.create', 'Create user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      snapshotAfter: snapshot.view,\n      payload: {\n        undo: {\n          after: snapshot.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const userId = typeof logEntry?.resourceId === 'string' ? logEntry.resourceId : null\n    if (!userId) return\n    const snapshot = logEntry?.snapshotAfter as SerializedUser | undefined\n    const em = (ctx.container.resolve('em') as EntityManager)\n    await em.nativeDelete(UserAcl, { user: userId })\n    await em.nativeDelete(UserRole, { user: userId })\n    await em.nativeDelete(Session, { user: userId })\n    await em.nativeDelete(PasswordReset, { user: userId })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    if (snapshot?.custom && Object.keys(snapshot.custom).length) {\n      const reset = buildCustomFieldResetMap(undefined, snapshot.custom)\n      if (Object.keys(reset).length) {\n        await setCustomFieldsIfAny({\n          dataEngine: de,\n          entityId: E.auth.user,\n          recordId: userId,\n          organizationId: snapshot.organizationId,\n          tenantId: snapshot.tenantId,\n          values: reset,\n          notify: false,\n        })\n      }\n    }\n    const removed = await de.deleteOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: removed,\n      identifiers: {\n        id: userId,\n        organizationId: snapshot?.organizationId ?? null,\n        tenantId: snapshot?.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nfunction isUniqueViolation(error: unknown): boolean {\n  if (error instanceof UniqueConstraintViolationException) return true\n  if (!error || typeof error !== 'object') return false\n  const code = (error as { code?: string }).code\n  if (code === '23505') return true\n  const messageRaw = (error as { message?: string })?.message\n  const message = typeof messageRaw === 'string' ? messageRaw : ''\n  return message.toLowerCase().includes('duplicate key')\n}\n\nconst updateUserCommand: CommandHandler<Record<string, unknown>, User> = {\n  id: 'auth.users.update',\n  async prepare(rawInput, ctx) {\n    const { parsed } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id: parsed.id, deletedAt: null })\n    if (!existing) throw new CrudHttpError(404, { error: 'User not found' })\n    const roles = await loadUserRoleNames(em, parsed.id)\n    const acls = await loadUserAclSnapshots(em, parsed.id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      parsed.id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(rawInput, ctx) {\n    const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput)\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const rolesBefore = Array.isArray(parsed.roles)\n      ? await loadUserRoleNames(em, parsed.id)\n      : null\n\n    if (parsed.email !== undefined) {\n      const emailHash = computeEmailHash(parsed.email)\n      const duplicate = await em.findOne(\n        User,\n        {\n          $or: [{ email: parsed.email }, { emailHash }],\n          deletedAt: null,\n          id: { $ne: parsed.id } as any,\n        } as FilterQuery<User>,\n      )\n      if (duplicate) await throwDuplicateEmailError()\n    }\n\n    let hashed: string | null = null\n    let emailHash: string | null = null\n    if (parsed.password) {\n      const { hash } = await import('bcryptjs')\n      hashed = await hash(parsed.password, 10)\n    }\n    if (parsed.email !== undefined) {\n      emailHash = computeEmailHash(parsed.email)\n    }\n\n    let tenantId: string | null | undefined\n    if (parsed.organizationId !== undefined) {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: parsed.organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId: parsed.organizationId ?? null },\n      )\n      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })\n      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null\n    }\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    let user: User | null\n    try {\n      user = await de.updateOrmEntity({\n        entity: User,\n        where: { id: parsed.id, deletedAt: null } as FilterQuery<User>,\n        apply: (entity) => {\n          if (parsed.email !== undefined) {\n            entity.email = parsed.email\n            entity.emailHash = emailHash\n          }\n          if (parsed.organizationId !== undefined) {\n            entity.organizationId = parsed.organizationId\n            entity.tenantId = tenantId ?? null\n          }\n          if (hashed) entity.passwordHash = hashed\n        },\n      })\n    } catch (error) {\n      if (isUniqueViolation(error)) await throwDuplicateEmailError()\n      throw error\n    }\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    if (Array.isArray(parsed.roles)) {\n      await syncUserRoles(em, user, parsed.roles, user.tenantId ? String(user.tenantId) : tenantId ?? null)\n    }\n\n    await setCustomFieldsIfAny({\n      dataEngine: de,\n      entityId: E.auth.user,\n      recordId: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n      values: custom,\n    })\n\n    const identifiers = {\n      id: String(user.id),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : tenantId ?? null,\n    }\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: user,\n      identifiers,\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    if (Array.isArray(parsed.roles) && rolesBefore) {\n      const rolesAfter = await loadUserRoleNames(em, String(user.id))\n      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter)\n      if (assigned.length || revoked.length) {\n        await notifyRoleChanges(ctx, user, assigned, revoked)\n      }\n    }\n\n    await invalidateUserCache(ctx, parsed.id)\n\n    return user\n  },\n  captureAfter: async (_input, result, ctx) => {\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const roles = await loadUserRoleNames(em, String(result.id))\n    const custom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    return serializeUser(result, roles, custom)\n  },\n  buildLog: async ({ result, snapshots, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const afterRoles = await loadUserRoleNames(em, String(result.id))\n    const afterCustom = await loadUserCustomSnapshot(\n      em,\n      String(result.id),\n      result.tenantId ? String(result.tenantId) : null,\n      result.organizationId ? String(result.organizationId) : null\n    )\n    const afterSnapshots = captureUserSnapshots(result, afterRoles, undefined, afterCustom)\n    const after = afterSnapshots.view\n    const changes = buildChanges(before ?? null, after as Record<string, unknown>, ['email', 'organizationId', 'tenantId', 'name', 'isConfirmed'])\n    if (before && !arrayEquals(before.roles, afterRoles)) {\n      changes.roles = { from: before.roles, to: afterRoles }\n    }\n    const customDiff = diffCustomFieldChanges(before?.custom, afterCustom)\n    for (const [key, diff] of Object.entries(customDiff)) {\n      changes[`cf_${key}`] = diff\n    }\n    return {\n      actionLabel: translate('auth.audit.users.update', 'Update user'),\n      resourceKind: 'auth.user',\n      resourceId: String(result.id),\n      tenantId: result.tenantId ? String(result.tenantId) : null,\n      changes,\n      snapshotBefore: before ?? null,\n      snapshotAfter: after,\n      payload: {\n        undo: {\n          before: beforeUndo,\n          after: afterSnapshots.undo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    const after = payload?.after\n    if (!before) return\n    const userId = before.id\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const updated = await de.updateOrmEntity({\n      entity: User,\n      where: { id: userId, deletedAt: null } as FilterQuery<User>,\n      apply: (entity) => {\n        entity.email = before.email\n        entity.organizationId = before.organizationId ?? null\n        entity.tenantId = before.tenantId ?? null\n        entity.passwordHash = before.passwordHash ?? null\n        entity.name = before.name ?? undefined\n        entity.isConfirmed = before.isConfirmed\n      },\n    })\n\n    if (updated) {\n      await syncUserRoles(em, updated, before.roles, before.tenantId)\n      await em.flush()\n    }\n\n    const reset = buildCustomFieldResetMap(before.custom, after?.custom)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await emitCrudUndoSideEffects({\n      dataEngine: de,\n      action: 'updated',\n      entity: updated,\n      identifiers: {\n        id: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, userId)\n  },\n}\n\nconst deleteUserCommand: CommandHandler<{ body?: Record<string, unknown>; query?: Record<string, unknown> }, User> = {\n  id: 'auth.users.delete',\n  async prepare(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n    const existing = await em.findOne(User, { id, deletedAt: null })\n    if (!existing) return {}\n    const roles = await loadUserRoleNames(em, id)\n    const acls = await loadUserAclSnapshots(em, id)\n    const custom = await loadUserCustomSnapshot(\n      em,\n      id,\n      existing.tenantId ? String(existing.tenantId) : null,\n      existing.organizationId ? String(existing.organizationId) : null\n    )\n    return { before: captureUserSnapshots(existing, roles, acls, custom) }\n  },\n  async execute(input, ctx) {\n    const id = requireId(input, 'User id required')\n    const em = (ctx.container.resolve('em') as EntityManager)\n\n    await em.nativeDelete(UserAcl, { user: id })\n    await em.nativeDelete(UserRole, { user: id })\n    await em.nativeDelete(Session, { user: id })\n    await em.nativeDelete(PasswordReset, { user: id })\n\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n    const user = await de.deleteOrmEntity({\n      entity: User,\n      where: { id, deletedAt: null } as FilterQuery<User>,\n      soft: false,\n    })\n    if (!user) throw new CrudHttpError(404, { error: 'User not found' })\n\n    await emitCrudSideEffects({\n      dataEngine: de,\n      action: 'deleted',\n      entity: user,\n      identifiers: {\n        id: String(id),\n        organizationId: user.organizationId ? String(user.organizationId) : null,\n        tenantId: user.tenantId ? String(user.tenantId) : null,\n      },\n      events: userCrudEvents,\n      indexer: userCrudIndexer,\n    })\n\n    await invalidateUserCache(ctx, id)\n\n    return user\n  },\n  buildLog: async ({ snapshots, input, ctx }) => {\n    const { translate } = await resolveTranslations()\n    const beforeSnapshots = snapshots.before as UserSnapshots | undefined\n    const before = beforeSnapshots?.view\n    const beforeUndo = beforeSnapshots?.undo ?? null\n    const id = requireId(input, 'User id required')\n    return {\n      actionLabel: translate('auth.audit.users.delete', 'Delete user'),\n      resourceKind: 'auth.user',\n      resourceId: id,\n      snapshotBefore: before ?? null,\n      tenantId: before?.tenantId ?? null,\n      payload: {\n        undo: {\n          before: beforeUndo,\n        },\n      },\n    }\n  },\n  undo: async ({ logEntry, ctx }) => {\n    const payload = extractUndoPayload(logEntry)\n    const before = payload?.before\n    if (!before) return\n    const em = (ctx.container.resolve('em') as EntityManager)\n    let user = await em.findOne(User, { id: before.id })\n    const de = (ctx.container.resolve('dataEngine') as DataEngine)\n\n    if (user) {\n      if (user.deletedAt) {\n        user.deletedAt = null\n      }\n      user.email = before.email\n      user.organizationId = before.organizationId ?? null\n      user.tenantId = before.tenantId ?? null\n      user.passwordHash = before.passwordHash ?? null\n      user.name = before.name ?? undefined\n      user.isConfirmed = before.isConfirmed\n      await em.flush()\n    } else {\n      user = await de.createOrmEntity({\n        entity: User,\n        data: {\n          id: before.id,\n          email: before.email,\n          organizationId: before.organizationId ?? null,\n          tenantId: before.tenantId ?? null,\n          passwordHash: before.passwordHash ?? null,\n          name: before.name ?? null,\n          isConfirmed: before.isConfirmed,\n        },\n      })\n    }\n\n    if (!user) return\n\n    await em.nativeDelete(UserRole, { user: before.id })\n    await syncUserRoles(em, user, before.roles, before.tenantId)\n\n    await restoreUserAcls(em, user, before.acls)\n\n    const reset = buildCustomFieldResetMap(before.custom, undefined)\n    if (Object.keys(reset).length) {\n      await setCustomFieldsIfAny({\n        dataEngine: de,\n        entityId: E.auth.user,\n        recordId: before.id,\n        organizationId: before.organizationId ?? null,\n        tenantId: before.tenantId ?? null,\n        values: reset,\n        notify: false,\n      })\n    }\n\n    await invalidateUserCache(ctx, before.id)\n  },\n}\n\nregisterCommand(createUserCommand)\nregisterCommand(updateUserCommand)\nregisterCommand(deleteUserCommand)\n\nasync function syncUserRoles(em: EntityManager, user: User, desiredRoles: string[], tenantId: string | null) {\n  const unique = Array.from(new Set(desiredRoles.map((role) => role.trim()).filter(Boolean)))\n  const currentLinks = await em.find(UserRole, { user })\n  const currentNames = new Map(\n    currentLinks.map((link) => {\n      const roleEntity = link.role\n      const name = roleEntity?.name ?? ''\n      return [name, link] as const\n    }),\n  )\n\n  for (const [name, link] of currentNames.entries()) {\n    if (!unique.includes(name) && link) {\n      em.remove(link)\n    }\n  }\n\n  const normalizedTenantId = normalizeTenantId(tenantId ?? null) ?? null\n\n  for (const name of unique) {\n    if (!currentNames.has(name)) {\n      let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n      if (!role && normalizedTenantId !== null) {\n        role = await em.findOne(Role, { name, tenantId: null })\n      }\n      if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n        await em.persistAndFlush(role)\n      } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n        role.tenantId = normalizedTenantId\n        await em.persistAndFlush(role)\n      }\n      em.persist(em.create(UserRole, { user, role, createdAt: new Date() }))\n    }\n  }\n\n  await em.flush()\n}\n\nasync function loadUserRoleNames(em: EntityManager, userId: string): Promise<string[]> {\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown as User },\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const names = links\n    .map((link) => link.role?.name ?? '')\n    .filter((name): name is string => !!name)\n  return Array.from(new Set(names)).sort()\n}\n\nfunction serializeUser(user: User, roles: string[], custom?: Record<string, unknown> | null): SerializedUser {\n  const payload: SerializedUser = {\n    email: String(user.email ?? ''),\n    organizationId: user.organizationId ? String(user.organizationId) : null,\n    tenantId: user.tenantId ? String(user.tenantId) : null,\n    roles,\n    name: user.name ? String(user.name) : null,\n    isConfirmed: Boolean(user.isConfirmed),\n  }\n  if (custom && Object.keys(custom).length) payload.custom = custom\n  return payload\n}\n\nfunction captureUserSnapshots(\n  user: User,\n  roles: string[],\n  acls: UserAclSnapshot[] = [],\n  custom?: Record<string, unknown> | null\n): UserSnapshots {\n  return {\n    view: serializeUser(user, roles, custom),\n    undo: {\n      id: String(user.id),\n      email: String(user.email ?? ''),\n      organizationId: user.organizationId ? String(user.organizationId) : null,\n      tenantId: user.tenantId ? String(user.tenantId) : null,\n      passwordHash: user.passwordHash ? String(user.passwordHash) : null,\n      name: user.name ? String(user.name) : null,\n      isConfirmed: Boolean(user.isConfirmed),\n      roles: [...roles],\n      acls,\n      ...(custom && Object.keys(custom).length ? { custom } : {}),\n    },\n  }\n}\n\nasync function loadUserAclSnapshots(em: EntityManager, userId: string): Promise<UserAclSnapshot[]> {\n  const list = await em.find(UserAcl, { user: userId as unknown as User })\n  return list.map((acl) => ({\n    tenantId: String(acl.tenantId),\n    features: Array.isArray(acl.featuresJson) ? [...acl.featuresJson] : null,\n    isSuperAdmin: Boolean(acl.isSuperAdmin),\n    organizations: Array.isArray(acl.organizationsJson) ? [...acl.organizationsJson] : null,\n  }))\n}\n\nasync function restoreUserAcls(em: EntityManager, user: User, acls: UserAclSnapshot[]) {\n  await em.nativeDelete(UserAcl, { user: String(user.id) })\n  for (const acl of acls) {\n    const entity = em.create(UserAcl, {\n      user,\n      tenantId: acl.tenantId,\n      featuresJson: acl.features ?? null,\n      isSuperAdmin: acl.isSuperAdmin,\n      organizationsJson: acl.organizations ?? null,\n      createdAt: new Date(),\n    })\n    em.persist(entity)\n  }\n  await em.flush()\n}\n\ntype UndoPayload = { undo?: { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } }\n\nfunction extractUndoPayload(logEntry: { commandPayload?: unknown }): { before?: UserUndoSnapshot | null; after?: UserUndoSnapshot | null } | null {\n  const payload = logEntry?.commandPayload as UndoPayload | undefined\n  if (!payload || typeof payload !== 'object') return null\n  return payload.undo ?? null\n}\n\nasync function loadUserCustomSnapshot(\n  em: EntityManager,\n  id: string,\n  tenantId: string | null,\n  organizationId: string | null\n): Promise<Record<string, unknown>> {\n  return await loadCustomFieldSnapshot(em, {\n    entityId: E.auth.user,\n    recordId: id,\n    tenantId,\n    organizationId,\n  })\n}\n\nasync function invalidateUserCache(ctx: CommandRuntimeContext, userId: string) {\n  try {\n    const rbacService = ctx.container.resolve('rbacService') as { invalidateUserCache: (uid: string) => Promise<void> }\n    await rbacService.invalidateUserCache(userId)\n  } catch {\n    // RBAC not available\n  }\n\n  try {\n    const cache = ctx.container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<void> }\n    if (cache?.deleteByTags) await cache.deleteByTags([`rbac:user:${userId}`])\n  } catch {\n    // cache not available\n  }\n}\n\nfunction diffRoleChanges(before: string[], after: string[]) {\n  const beforeSet = new Set(before)\n  const afterSet = new Set(after)\n  const assigned = after.filter((role) => !beforeSet.has(role))\n  const revoked = before.filter((role) => !afterSet.has(role))\n  return { assigned, revoked }\n}\n\nfunction arrayEquals(left: string[] | undefined, right: string[]): boolean {\n  if (!left) return false\n  if (left.length !== right.length) return false\n  return left.every((value, idx) => value === right[idx])\n}\n\nasync function throwDuplicateEmailError(): Promise<never> {\n  const { translate } = await resolveTranslations()\n  const message = translate('auth.users.errors.emailExists', 'Email already in use')\n  throw new CrudHttpError(400, {\n    error: message,\n    fieldErrors: { email: message },\n    details: [{ path: ['email'], message, code: 'duplicate', origin: 'validation' }],\n  })\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,qBAAqB;AAI9B,SAAS,2BAA2B;AACpC,SAAS,0CAA0C;AAEnD,SAAS,MAAM,UAAU,MAAM,SAAS,SAAS,qBAAqB;AACtE,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,SAAS;AAClB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,iCAAiC;AAC1C,SAAS,kCAAkC;AAC3C,OAAO,uBAAuB;AAC9B,SAAS,2BAA2B;AAqCpC,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAEM,MAAM,iBAAmC;AAAA,EAC9C,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,cAAc,CAAC,SAAS;AAAA,IACtB,IAAI,IAAI,YAAY;AAAA,IACpB,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEO,MAAM,kBAAqC;AAAA,EAChD,YAAY,EAAE,KAAK;AAAA,EACnB,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AAAA,EACA,oBAAoB,CAAC,SAAS;AAAA,IAC5B,YAAY,EAAE,KAAK;AAAA,IACnB,UAAU,IAAI,YAAY;AAAA,IAC1B,gBAAgB,IAAI,YAAY;AAAA,IAChC,UAAU,IAAI,YAAY;AAAA,EAC5B;AACF;AAEA,eAAe,kBACb,KACA,MACA,eACA,cACe;AACf,QAAM,WAAW,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AACzD,MAAI,CAAC,SAAU;AACf,QAAM,iBAAiB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAE3E,MAAI;AACF,UAAM,sBAAsB,2BAA2B,IAAI,SAAS;AACpE,QAAI,cAAc,QAAQ;AACxB,YAAM,eAAe,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,oBAAoB;AACxF,UAAI,cAAc;AAChB,cAAM,oBAAoB,0BAA0B,cAAc;AAAA,UAChE,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAEA,QAAI,aAAa,QAAQ;AACvB,YAAM,cAAc,kBAAkB,KAAK,CAAC,SAAS,KAAK,SAAS,mBAAmB;AACtF,UAAI,aAAa;AACf,cAAM,oBAAoB,0BAA0B,aAAa;AAAA,UAC/D,iBAAiB,OAAO,KAAK,EAAE;AAAA,UAC/B,kBAAkB;AAAA,UAClB,gBAAgB,OAAO,KAAK,EAAE;AAAA,QAChC,CAAC;AACD,cAAM,oBAAoB,OAAO,mBAAmB,EAAE,UAAU,eAAe,CAAC;AAAA,MAClF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,qDAAqD,GAAG;AAAA,EACxE;AACF;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,OAAO,eAAe;AAAA,MAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,eAAe;AAAA,IAC1D;AACA,QAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AAEnF,UAAM,YAAY,iBAAiB,OAAO,KAAK;AAC/C,UAAM,YAAY,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,UAAU,CAAC,GAAG,WAAW,KAAK,CAAQ;AAClH,QAAI,UAAW,OAAM,yBAAyB;AAE9C,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,UAAM,eAAe,MAAM,KAAK,OAAO,UAAU,EAAE;AACnD,UAAM,WAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAE5E,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,OAAO,OAAO;AAAA,UACd;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb,gBAAgB,OAAO;AAAA,UACvB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AAEA,QAAI,gBAA0B,CAAC;AAC/B,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,OAAO,MAAM,QAAQ;AACtD,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,QAAQ;AACpD,sBAAgB,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAAA,IAC7D;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE;AAAA,MACA,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,KAAK,EAAE;AAAA,QAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,cAAc,QAAQ;AACxB,YAAM,kBAAkB,KAAK,MAAM,eAAe,CAAC,CAAC;AAAA,IACtD;AAEA,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,WAAW,qBAAqB,QAAQ,OAAO,QAAW,MAAM;AACtE,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD,eAAe,SAAS;AAAA,MACxB,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,OAAO,SAAS;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,SAAS,OAAO,UAAU,eAAe,WAAW,SAAS,aAAa;AAChF,QAAI,CAAC,OAAQ;AACb,UAAM,WAAW,UAAU;AAC3B,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,CAAC;AAChD,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,OAAO,CAAC;AAErD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI,UAAU,UAAU,OAAO,KAAK,SAAS,MAAM,EAAE,QAAQ;AAC3D,YAAM,QAAQ,yBAAyB,QAAW,SAAS,MAAM;AACjE,UAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,cAAM,qBAAqB;AAAA,UACzB,YAAY;AAAA,UACZ,UAAU,EAAE,KAAK;AAAA,UACjB,UAAU;AAAA,UACV,gBAAgB,SAAS;AAAA,UACzB,UAAU,SAAS;AAAA,UACnB,QAAQ;AAAA,UACR,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,MAAM;AAAA,IACR,CAAC;AAED,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI;AAAA,QACJ,gBAAgB,UAAU,kBAAkB;AAAA,QAC5C,UAAU,UAAU,YAAY;AAAA,MAClC;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,SAAS,kBAAkB,OAAyB;AAClD,MAAI,iBAAiB,mCAAoC,QAAO;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA4B;AAC1C,MAAI,SAAS,QAAS,QAAO;AAC7B,QAAM,aAAc,OAAgC;AACpD,QAAM,UAAU,OAAO,eAAe,WAAW,aAAa;AAC9D,SAAO,QAAQ,YAAY,EAAE,SAAS,eAAe;AACvD;AAEA,MAAM,oBAAmE;AAAA,EACvE,IAAI;AAAA,EACJ,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AAC/D,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK,CAAC;AAC1E,QAAI,CAAC,SAAU,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AACvE,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,EAAE;AACnD,UAAM,OAAO,MAAM,qBAAqB,IAAI,OAAO,EAAE;AACrD,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO;AAAA,MACP,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,UAAU,KAAK;AAC3B,UAAM,EAAE,QAAQ,OAAO,IAAI,sBAAsB,cAAc,QAAQ;AACvE,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,cAAc,MAAM,QAAQ,OAAO,KAAK,IAC1C,MAAM,kBAAkB,IAAI,OAAO,EAAE,IACrC;AAEJ,QAAI,OAAO,UAAU,QAAW;AAC9B,YAAMA,aAAY,iBAAiB,OAAO,KAAK;AAC/C,YAAM,YAAY,MAAM,GAAG;AAAA,QACzB;AAAA,QACA;AAAA,UACE,KAAK,CAAC,EAAE,OAAO,OAAO,MAAM,GAAG,EAAE,WAAAA,WAAU,CAAC;AAAA,UAC5C,WAAW;AAAA,UACX,IAAI,EAAE,KAAK,OAAO,GAAG;AAAA,QACvB;AAAA,MACF;AACA,UAAI,UAAW,OAAM,yBAAyB;AAAA,IAChD;AAEA,QAAI,SAAwB;AAC5B,QAAI,YAA2B;AAC/B,QAAI,OAAO,UAAU;AACnB,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU;AACxC,eAAS,MAAM,KAAK,OAAO,UAAU,EAAE;AAAA,IACzC;AACA,QAAI,OAAO,UAAU,QAAW;AAC9B,kBAAY,iBAAiB,OAAO,KAAK;AAAA,IAC3C;AAEA,QAAI;AACJ,QAAI,OAAO,mBAAmB,QAAW;AACvC,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,OAAO,eAAe;AAAA,QAC5B,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,QACvB,EAAE,UAAU,MAAM,gBAAgB,OAAO,kBAAkB,KAAK;AAAA,MAClE;AACA,UAAI,CAAC,aAAc,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,yBAAyB,CAAC;AACnF,iBAAW,aAAa,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,IACxE;AAEA,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,OAAO,EAAE,IAAI,OAAO,IAAI,WAAW,KAAK;AAAA,QACxC,OAAO,CAAC,WAAW;AACjB,cAAI,OAAO,UAAU,QAAW;AAC9B,mBAAO,QAAQ,OAAO;AACtB,mBAAO,YAAY;AAAA,UACrB;AACA,cAAI,OAAO,mBAAmB,QAAW;AACvC,mBAAO,iBAAiB,OAAO;AAC/B,mBAAO,WAAW,YAAY;AAAA,UAChC;AACA,cAAI,OAAQ,QAAO,eAAe;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,UAAI,kBAAkB,KAAK,EAAG,OAAM,yBAAyB;AAC7D,YAAM;AAAA,IACR;AACA,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,QAAI,MAAM,QAAQ,OAAO,KAAK,GAAG;AAC/B,YAAM,cAAc,IAAI,MAAM,OAAO,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY,IAAI;AAAA,IACtG;AAEA,UAAM,qBAAqB;AAAA,MACzB,YAAY;AAAA,MACZ,UAAU,EAAE,KAAK;AAAA,MACjB,UAAU,OAAO,KAAK,EAAE;AAAA,MACxB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,MAC9D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,cAAc;AAAA,MAClB,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,YAAY;AAAA,IAChE;AAEA,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,MAAM,QAAQ,OAAO,KAAK,KAAK,aAAa;AAC9C,YAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,KAAK,EAAE,CAAC;AAC9D,YAAM,EAAE,UAAU,QAAQ,IAAI,gBAAgB,aAAa,UAAU;AACrE,UAAI,SAAS,UAAU,QAAQ,QAAQ;AACrC,cAAM,kBAAkB,KAAK,MAAM,UAAU,OAAO;AAAA,MACtD;AAAA,IACF;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAExC,WAAO;AAAA,EACT;AAAA,EACA,cAAc,OAAO,QAAQ,QAAQ,QAAQ;AAC3C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,QAAQ,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAC3D,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,WAAO,cAAc,QAAQ,OAAO,MAAM;AAAA,EAC5C;AAAA,EACA,UAAU,OAAO,EAAE,QAAQ,WAAW,IAAI,MAAM;AAC9C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,aAAa,MAAM,kBAAkB,IAAI,OAAO,OAAO,EAAE,CAAC;AAChE,UAAM,cAAc,MAAM;AAAA,MACxB;AAAA,MACA,OAAO,OAAO,EAAE;AAAA,MAChB,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MAC5C,OAAO,iBAAiB,OAAO,OAAO,cAAc,IAAI;AAAA,IAC1D;AACA,UAAM,iBAAiB,qBAAqB,QAAQ,YAAY,QAAW,WAAW;AACtF,UAAM,QAAQ,eAAe;AAC7B,UAAM,UAAU,aAAa,UAAU,MAAM,OAAkC,CAAC,SAAS,kBAAkB,YAAY,QAAQ,aAAa,CAAC;AAC7I,QAAI,UAAU,CAAC,YAAY,OAAO,OAAO,UAAU,GAAG;AACpD,cAAQ,QAAQ,EAAE,MAAM,OAAO,OAAO,IAAI,WAAW;AAAA,IACvD;AACA,UAAM,aAAa,uBAAuB,QAAQ,QAAQ,WAAW;AACrE,eAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,UAAU,GAAG;AACpD,cAAQ,MAAM,GAAG,EAAE,IAAI;AAAA,IACzB;AACA,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY,OAAO,OAAO,EAAE;AAAA,MAC5B,UAAU,OAAO,WAAW,OAAO,OAAO,QAAQ,IAAI;AAAA,MACtD;AAAA,MACA,gBAAgB,UAAU;AAAA,MAC1B,eAAe;AAAA,MACf,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,UACR,OAAO,eAAe;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,UAAM,QAAQ,SAAS;AACvB,QAAI,CAAC,OAAQ;AACb,UAAM,SAAS,OAAO;AACtB,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,UAAU,MAAM,GAAG,gBAAgB;AAAA,MACvC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MACrC,OAAO,CAAC,WAAW;AACjB,eAAO,QAAQ,OAAO;AACtB,eAAO,iBAAiB,OAAO,kBAAkB;AACjD,eAAO,WAAW,OAAO,YAAY;AACrC,eAAO,eAAe,OAAO,gBAAgB;AAC7C,eAAO,OAAO,OAAO,QAAQ;AAC7B,eAAO,cAAc,OAAO;AAAA,MAC9B;AAAA,IACF,CAAC;AAED,QAAI,SAAS;AACX,YAAM,cAAc,IAAI,SAAS,OAAO,OAAO,OAAO,QAAQ;AAC9D,YAAM,GAAG,MAAM;AAAA,IACjB;AAEA,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,OAAO,MAAM;AACnE,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,wBAAwB;AAAA,MAC5B,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,MAC/B;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,MAAM;AAAA,EACvC;AACF;AAEA,MAAM,oBAA+G;AAAA,EACnH,IAAI;AAAA,EACJ,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,UAAM,WAAW,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,WAAW,KAAK,CAAC;AAC/D,QAAI,CAAC,SAAU,QAAO,CAAC;AACvB,UAAM,QAAQ,MAAM,kBAAkB,IAAI,EAAE;AAC5C,UAAM,OAAO,MAAM,qBAAqB,IAAI,EAAE;AAC9C,UAAM,SAAS,MAAM;AAAA,MACnB;AAAA,MACA;AAAA,MACA,SAAS,WAAW,OAAO,SAAS,QAAQ,IAAI;AAAA,MAChD,SAAS,iBAAiB,OAAO,SAAS,cAAc,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,QAAQ,qBAAqB,UAAU,OAAO,MAAM,MAAM,EAAE;AAAA,EACvE;AAAA,EACA,MAAM,QAAQ,OAAO,KAAK;AACxB,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AAEtC,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,GAAG,CAAC;AAC5C,UAAM,GAAG,aAAa,SAAS,EAAE,MAAM,GAAG,CAAC;AAC3C,UAAM,GAAG,aAAa,eAAe,EAAE,MAAM,GAAG,CAAC;AAEjD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAC9C,UAAM,OAAO,MAAM,GAAG,gBAAgB;AAAA,MACpC,QAAQ;AAAA,MACR,OAAO,EAAE,IAAI,WAAW,KAAK;AAAA,MAC7B,MAAM;AAAA,IACR,CAAC;AACD,QAAI,CAAC,KAAM,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAEnE,UAAM,oBAAoB;AAAA,MACxB,YAAY;AAAA,MACZ,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO,EAAE;AAAA,QACb,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,QACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MACpD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,UAAM,oBAAoB,KAAK,EAAE;AAEjC,WAAO;AAAA,EACT;AAAA,EACA,UAAU,OAAO,EAAE,WAAW,OAAO,IAAI,MAAM;AAC7C,UAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,UAAM,kBAAkB,UAAU;AAClC,UAAM,SAAS,iBAAiB;AAChC,UAAM,aAAa,iBAAiB,QAAQ;AAC5C,UAAM,KAAK,UAAU,OAAO,kBAAkB;AAC9C,WAAO;AAAA,MACL,aAAa,UAAU,2BAA2B,aAAa;AAAA,MAC/D,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,gBAAgB,UAAU;AAAA,MAC1B,UAAU,QAAQ,YAAY;AAAA,MAC9B,SAAS;AAAA,QACP,MAAM;AAAA,UACJ,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,MAAM,OAAO,EAAE,UAAU,IAAI,MAAM;AACjC,UAAM,UAAU,mBAAmB,QAAQ;AAC3C,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ;AACb,UAAM,KAAM,IAAI,UAAU,QAAQ,IAAI;AACtC,QAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,GAAG,CAAC;AACnD,UAAM,KAAM,IAAI,UAAU,QAAQ,YAAY;AAE9C,QAAI,MAAM;AACR,UAAI,KAAK,WAAW;AAClB,aAAK,YAAY;AAAA,MACnB;AACA,WAAK,QAAQ,OAAO;AACpB,WAAK,iBAAiB,OAAO,kBAAkB;AAC/C,WAAK,WAAW,OAAO,YAAY;AACnC,WAAK,eAAe,OAAO,gBAAgB;AAC3C,WAAK,OAAO,OAAO,QAAQ;AAC3B,WAAK,cAAc,OAAO;AAC1B,YAAM,GAAG,MAAM;AAAA,IACjB,OAAO;AACL,aAAO,MAAM,GAAG,gBAAgB;AAAA,QAC9B,QAAQ;AAAA,QACR,MAAM;AAAA,UACJ,IAAI,OAAO;AAAA,UACX,OAAO,OAAO;AAAA,UACd,gBAAgB,OAAO,kBAAkB;AAAA,UACzC,UAAU,OAAO,YAAY;AAAA,UAC7B,cAAc,OAAO,gBAAgB;AAAA,UACrC,MAAM,OAAO,QAAQ;AAAA,UACrB,aAAa,OAAO;AAAA,QACtB;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAM;AAEX,UAAM,GAAG,aAAa,UAAU,EAAE,MAAM,OAAO,GAAG,CAAC;AACnD,UAAM,cAAc,IAAI,MAAM,OAAO,OAAO,OAAO,QAAQ;AAE3D,UAAM,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAE3C,UAAM,QAAQ,yBAAyB,OAAO,QAAQ,MAAS;AAC/D,QAAI,OAAO,KAAK,KAAK,EAAE,QAAQ;AAC7B,YAAM,qBAAqB;AAAA,QACzB,YAAY;AAAA,QACZ,UAAU,EAAE,KAAK;AAAA,QACjB,UAAU,OAAO;AAAA,QACjB,gBAAgB,OAAO,kBAAkB;AAAA,QACzC,UAAU,OAAO,YAAY;AAAA,QAC7B,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AAAA,IACH;AAEA,UAAM,oBAAoB,KAAK,OAAO,EAAE;AAAA,EAC1C;AACF;AAEA,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AACjC,gBAAgB,iBAAiB;AAEjC,eAAe,cAAc,IAAmB,MAAY,cAAwB,UAAyB;AAC3G,QAAM,SAAS,MAAM,KAAK,IAAI,IAAI,aAAa,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAC1F,QAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,KAAK,CAAC;AACrD,QAAM,eAAe,IAAI;AAAA,IACvB,aAAa,IAAI,CAAC,SAAS;AACzB,YAAM,aAAa,KAAK;AACxB,YAAM,OAAO,YAAY,QAAQ;AACjC,aAAO,CAAC,MAAM,IAAI;AAAA,IACpB,CAAC;AAAA,EACH;AAEA,aAAW,CAAC,MAAM,IAAI,KAAK,aAAa,QAAQ,GAAG;AACjD,QAAI,CAAC,OAAO,SAAS,IAAI,KAAK,MAAM;AAClC,SAAG,OAAO,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,qBAAqB,kBAAkB,YAAY,IAAI,KAAK;AAElE,aAAW,QAAQ,QAAQ;AACzB,QAAI,CAAC,aAAa,IAAI,IAAI,GAAG;AAC3B,UAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,UAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,eAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,MACxD;AACA,UAAI,CAAC,MAAM;AACT,eAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AACpF,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,aAAK,WAAW;AAChB,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AACA,SAAG,QAAQ,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC,CAAC;AAAA,IACvE;AAAA,EACF;AAEA,QAAM,GAAG,MAAM;AACjB;AAEA,eAAe,kBAAkB,IAAmB,QAAmC;AACrF,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAA0B;AAAA,IAClC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,QAAQ,MACX,IAAI,CAAC,SAAS,KAAK,MAAM,QAAQ,EAAE,EACnC,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,SAAO,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,EAAE,KAAK;AACzC;AAEA,SAAS,cAAc,MAAY,OAAiB,QAAyD;AAC3G,QAAM,UAA0B;AAAA,IAC9B,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,IAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,IACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,IAClD;AAAA,IACA,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,IACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,EACvC;AACA,MAAI,UAAU,OAAO,KAAK,MAAM,EAAE,OAAQ,SAAQ,SAAS;AAC3D,SAAO;AACT;AAEA,SAAS,qBACP,MACA,OACA,OAA0B,CAAC,GAC3B,QACe;AACf,SAAO;AAAA,IACL,MAAM,cAAc,MAAM,OAAO,MAAM;AAAA,IACvC,MAAM;AAAA,MACJ,IAAI,OAAO,KAAK,EAAE;AAAA,MAClB,OAAO,OAAO,KAAK,SAAS,EAAE;AAAA,MAC9B,gBAAgB,KAAK,iBAAiB,OAAO,KAAK,cAAc,IAAI;AAAA,MACpE,UAAU,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,MAClD,cAAc,KAAK,eAAe,OAAO,KAAK,YAAY,IAAI;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,IAAI;AAAA,MACtC,aAAa,QAAQ,KAAK,WAAW;AAAA,MACrC,OAAO,CAAC,GAAG,KAAK;AAAA,MAChB;AAAA,MACA,GAAI,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,EAAE,OAAO,IAAI,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;AAEA,eAAe,qBAAqB,IAAmB,QAA4C;AACjG,QAAM,OAAO,MAAM,GAAG,KAAK,SAAS,EAAE,MAAM,OAA0B,CAAC;AACvE,SAAO,KAAK,IAAI,CAAC,SAAS;AAAA,IACxB,UAAU,OAAO,IAAI,QAAQ;AAAA,IAC7B,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,CAAC,GAAG,IAAI,YAAY,IAAI;AAAA,IACpE,cAAc,QAAQ,IAAI,YAAY;AAAA,IACtC,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,CAAC,GAAG,IAAI,iBAAiB,IAAI;AAAA,EACrF,EAAE;AACJ;AAEA,eAAe,gBAAgB,IAAmB,MAAY,MAAyB;AACrF,QAAM,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,KAAK,EAAE,EAAE,CAAC;AACxD,aAAW,OAAO,MAAM;AACtB,UAAM,SAAS,GAAG,OAAO,SAAS;AAAA,MAChC;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI,YAAY;AAAA,MAC9B,cAAc,IAAI;AAAA,MAClB,mBAAmB,IAAI,iBAAiB;AAAA,MACxC,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AACD,OAAG,QAAQ,MAAM;AAAA,EACnB;AACA,QAAM,GAAG,MAAM;AACjB;AAIA,SAAS,mBAAmB,UAAsH;AAChJ,QAAM,UAAU,UAAU;AAC1B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,QAAQ,QAAQ;AACzB;AAEA,eAAe,uBACb,IACA,IACA,UACA,gBACkC;AAClC,SAAO,MAAM,wBAAwB,IAAI;AAAA,IACvC,UAAU,EAAE,KAAK;AAAA,IACjB,UAAU;AAAA,IACV;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAe,oBAAoB,KAA4B,QAAgB;AAC7E,MAAI;AACF,UAAM,cAAc,IAAI,UAAU,QAAQ,aAAa;AACvD,UAAM,YAAY,oBAAoB,MAAM;AAAA,EAC9C,QAAQ;AAAA,EAER;AAEA,MAAI;AACF,UAAM,QAAQ,IAAI,UAAU,QAAQ,OAAO;AAC3C,QAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,aAAa,MAAM,EAAE,CAAC;AAAA,EAC3E,QAAQ;AAAA,EAER;AACF;AAEA,SAAS,gBAAgB,QAAkB,OAAiB;AAC1D,QAAM,YAAY,IAAI,IAAI,MAAM;AAChC,QAAM,WAAW,IAAI,IAAI,KAAK;AAC9B,QAAM,WAAW,MAAM,OAAO,CAAC,SAAS,CAAC,UAAU,IAAI,IAAI,CAAC;AAC5D,QAAM,UAAU,OAAO,OAAO,CAAC,SAAS,CAAC,SAAS,IAAI,IAAI,CAAC;AAC3D,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAEA,SAAS,YAAY,MAA4B,OAA0B;AACzE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AACzC,SAAO,KAAK,MAAM,CAAC,OAAO,QAAQ,UAAU,MAAM,GAAG,CAAC;AACxD;AAEA,eAAe,2BAA2C;AACxD,QAAM,EAAE,UAAU,IAAI,MAAM,oBAAoB;AAChD,QAAM,UAAU,UAAU,iCAAiC,sBAAsB;AACjF,QAAM,IAAI,cAAc,KAAK;AAAA,IAC3B,OAAO;AAAA,IACP,aAAa,EAAE,OAAO,QAAQ;AAAA,IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC,OAAO,GAAG,SAAS,MAAM,aAAa,QAAQ,aAAa,CAAC;AAAA,EACjF,CAAC;AACH;",
   "names": ["emailHash"]
 }

package/dist/modules/auth/data/validators.js CHANGED Viewed

@@ -1,15 +1,18 @@
 import { z } from "zod";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const userLoginSchema = z.object({
   email: z.string().email(),
   password: z.string().min(6),
-  requireRole: z.string().optional()
+  requireRole: z.string().optional(),
+  tenantId: z.string().uuid().optional()
 });
 const requestPasswordResetSchema = z.object({
   email: z.string().email()
 });
 const confirmPasswordResetSchema = z.object({
   token: z.string().min(10),
-  password: z.string().min(6)
+  password: passwordSchema
 });
 const sidebarPreferencesInputSchema = z.object({
   version: z.number().int().positive().optional(),
@@ -22,7 +25,7 @@ const sidebarPreferencesInputSchema = z.object({
 });
 const userCreateSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   tenantId: z.string().uuid().optional(),
   organizationId: z.string().uuid(),
   rolesCsv: z.string().optional()

package/dist/modules/auth/data/validators.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/data/validators.ts"],
-  "sourcesContent": ["import { z } from 'zod'\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: z.string().min(6),\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
-  "mappings": "AAAA,SAAS,SAAS;AAGX,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAC5B,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
+  "sourcesContent": ["import { z } from 'zod'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\nconst passwordSchema = buildPasswordSchema()\n\n// Core auth validators\nexport const userLoginSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(6),\n  requireRole: z.string().optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nexport const requestPasswordResetSchema = z.object({\n  email: z.string().email(),\n})\n\nexport const confirmPasswordResetSchema = z.object({\n  token: z.string().min(10),\n  password: passwordSchema,\n})\n\nexport const sidebarPreferencesInputSchema = z.object({\n  version: z.number().int().positive().optional(),\n  groupOrder: z.array(z.string().min(1)).max(200).optional(),\n  groupLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  itemLabels: z.record(z.string().min(1), z.string().min(1).max(120)).optional(),\n  hiddenItems: z.array(z.string().min(1)).max(500).optional(),\n  applyToRoles: z.array(z.string().uuid()).optional(),\n  clearRoleIds: z.array(z.string().uuid()).optional(),\n})\n\n// Optional helpers for CLI or admin forms\nexport const userCreateSchema = z.object({\n  email: z.string().email(),\n  password: passwordSchema,\n  tenantId: z.string().uuid().optional(),\n  organizationId: z.string().uuid(),\n  rolesCsv: z.string().optional(),\n})\n\nexport type UserLoginInput = z.infer<typeof userLoginSchema>\nexport type RequestPasswordResetInput = z.infer<typeof requestPasswordResetSchema>\nexport type ConfirmPasswordResetInput = z.infer<typeof confirmPasswordResetSchema>\nexport type SidebarPreferencesInput = z.infer<typeof sidebarPreferencesInputSchema>\nexport type UserCreateInput = z.infer<typeof userCreateSchema>\n"],
+  "mappings": "AAAA,SAAS,SAAS;AAClB,SAAS,2BAA2B;AAEpC,MAAM,iBAAiB,oBAAoB;AAGpC,MAAM,kBAAkB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC1B,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,MAAM;AAC1B,CAAC;AAEM,MAAM,6BAA6B,EAAE,OAAO;AAAA,EACjD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE;AAAA,EACxB,UAAU;AACZ,CAAC;AAEM,MAAM,gCAAgC,EAAE,OAAO;AAAA,EACpD,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACzD,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC9E,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,EAC7E,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1D,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAClD,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AACpD,CAAC;AAGM,MAAM,mBAAmB,EAAE,OAAO;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU;AAAA,EACV,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,UAAU,EAAE,OAAO,EAAE,SAAS;AAChC,CAAC;",
   "names": []
 }

package/dist/modules/auth/frontend/login.js CHANGED Viewed

@@ -1,15 +1,37 @@
 "use client";
 import { jsx, jsxs } from "react/jsx-runtime";
-import { useState } from "react";
+import { useCallback, useEffect, useState } from "react";
 import Image from "next/image";
 import Link from "next/link";
 import { useRouter, useSearchParams } from "next/navigation";
 import { Card, CardContent, CardHeader, CardDescription } from "@open-mercato/ui/primitives/card";
 import { Input } from "@open-mercato/ui/primitives/input";
 import { Label } from "@open-mercato/ui/primitives/label";
+import { Button } from "@open-mercato/ui/primitives/button";
 import { useT } from "@open-mercato/shared/lib/i18n/context";
 import { translateWithFallback } from "@open-mercato/shared/lib/i18n/translate";
 import { clearAllOperations } from "@open-mercato/ui/backend/operations/store";
+import { apiCall } from "@open-mercato/ui/backend/utils/apiCall";
+import { X } from "lucide-react";
+const loginTenantKey = "om_login_tenant";
+const loginTenantCookieMaxAge = 60 * 60 * 24 * 14;
+function readTenantCookie() {
+  if (typeof document === "undefined") return null;
+  const entries = document.cookie.split(";");
+  for (const entry of entries) {
+    const [name, ...rest] = entry.trim().split("=");
+    if (name === loginTenantKey) return decodeURIComponent(rest.join("="));
+  }
+  return null;
+}
+function setTenantCookie(value) {
+  if (typeof document === "undefined") return;
+  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`;
+}
+function clearTenantCookie() {
+  if (typeof document === "undefined") return;
+  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`;
+}
 function extractErrorMessage(payload) {
   if (!payload) return null;
   if (typeof payload === "string") return payload;
@@ -42,7 +64,10 @@ function looksLikeJsonString(value) {
 }
 function LoginPage() {
   const t = useT();
-  const translate = (key, fallback, params) => translateWithFallback(t, key, fallback, params);
+  const translate = useCallback(
+    (key, fallback, params) => translateWithFallback(t, key, fallback, params),
+    [t]
+  );
   const router = useRouter();
   const searchParams = useSearchParams();
   const requireRole = (searchParams.get("requireRole") || searchParams.get("role") || "").trim();
@@ -53,6 +78,74 @@ function LoginPage() {
   const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature));
   const [error, setError] = useState(null);
   const [submitting, setSubmitting] = useState(false);
+  const [tenantId, setTenantId] = useState(null);
+  const [tenantName, setTenantName] = useState(null);
+  const [tenantLoading, setTenantLoading] = useState(false);
+  const [tenantInvalid, setTenantInvalid] = useState(null);
+  const showTenantInvalid = tenantId != null && tenantInvalid === tenantId;
+  useEffect(() => {
+    const tenantParam = (searchParams.get("tenant") || "").trim();
+    if (tenantParam) {
+      setTenantId(tenantParam);
+      window.localStorage.setItem(loginTenantKey, tenantParam);
+      setTenantCookie(tenantParam);
+      return;
+    }
+    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie();
+    if (storedTenant) {
+      setTenantId(storedTenant);
+    }
+  }, [searchParams]);
+  useEffect(() => {
+    if (!tenantId) {
+      setTenantName(null);
+      setTenantInvalid(null);
+      return;
+    }
+    if (tenantInvalid === tenantId) {
+      setTenantName(null);
+      setTenantLoading(false);
+      return;
+    }
+    let active = true;
+    setTenantLoading(true);
+    setTenantInvalid(null);
+    apiCall(
+      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`
+    ).then(({ result }) => {
+      if (!active) return;
+      if (result?.ok && result.tenant) {
+        setTenantName(result.tenant.name);
+        return;
+      }
+      const message = translate("auth.login.errors.tenantInvalid", "Tenant not found. Clear the tenant selection and try again.");
+      setTenantName(null);
+      setTenantInvalid(tenantId);
+      setError(null);
+    }).catch(() => {
+      if (!active) return;
+      setTenantName(null);
+      setTenantInvalid(tenantId);
+      setError(null);
+    }).finally(() => {
+      if (active) setTenantLoading(false);
+    });
+    return () => {
+      active = false;
+    };
+  }, [tenantId, translate]);
+  function handleClearTenant() {
+    window.localStorage.removeItem(loginTenantKey);
+    clearTenantCookie();
+    setTenantId(null);
+    setTenantName(null);
+    setTenantInvalid(null);
+    const params = new URLSearchParams(searchParams);
+    params.delete("tenant");
+    setError(null);
+    const query = params.toString();
+    router.replace(query ? `/login?${query}` : "/login");
+  }
   async function onSubmit(e) {
     e.preventDefault();
     setError(null);
@@ -130,6 +223,7 @@ function LoginPage() {
       /* @__PURE__ */ jsx(CardDescription, { children: translate("auth.login.subtitle", "Access your workspace") })
     ] }),
     /* @__PURE__ */ jsx(CardContent, { children: /* @__PURE__ */ jsxs("form", { className: "grid gap-3", onSubmit, noValidate: true, children: [
+      tenantId ? /* @__PURE__ */ jsx("input", { type: "hidden", name: "tenantId", value: tenantId }) : null,
       !!translatedRoles.length && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900", children: translate(
         translatedRoles.length > 1 ? "auth.login.requireRolesMessage" : "auth.login.requireRoleMessage",
         translatedRoles.length > 1 ? "Access requires one of the following roles: {roles}" : "Access requires role: {roles}",
@@ -138,7 +232,22 @@ function LoginPage() {
       !!translatedFeatures.length && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900", children: translate("auth.login.featureDenied", "You don't have access to this feature ({feature}). Please contact your administrator.", {
         feature: translatedFeatures.join(", ")
       }) }),
-      error && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700", role: "alert", "aria-live": "polite", children: error }),
+      showTenantInvalid ? /* @__PURE__ */ jsxs("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-xs text-red-700", children: [
+        /* @__PURE__ */ jsx("div", { className: "font-medium", children: translate("auth.login.errors.tenantInvalid", "Tenant not found. Clear the tenant selection and try again.") }),
+        /* @__PURE__ */ jsxs(Button, { type: "button", variant: "outline", size: "sm", className: "mt-2 border-red-300 text-red-700", onClick: handleClearTenant, children: [
+          /* @__PURE__ */ jsx(X, { className: "mr-2 size-4", "aria-hidden": "true" }),
+          translate("auth.login.tenantClear", "Clear")
+        ] })
+      ] }) : tenantId ? /* @__PURE__ */ jsxs("div", { className: "rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900", children: [
+        /* @__PURE__ */ jsx("div", { className: "font-medium", children: tenantLoading ? translate("auth.login.tenantLoading", "Loading tenant details...") : translate("auth.login.tenantBanner", "You're logging in to {tenant} tenant.", {
+          tenant: tenantName || tenantId
+        }) }),
+        /* @__PURE__ */ jsxs(Button, { type: "button", variant: "outline", size: "sm", className: "mt-2 border-emerald-300 text-emerald-900", onClick: handleClearTenant, children: [
+          /* @__PURE__ */ jsx(X, { className: "mr-2 size-4", "aria-hidden": "true" }),
+          translate("auth.login.tenantClear", "Clear")
+        ] })
+      ] }) : null,
+      error && !showTenantInvalid && /* @__PURE__ */ jsx("div", { className: "rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700", role: "alert", "aria-live": "polite", children: error }),
       /* @__PURE__ */ jsxs("div", { className: "grid gap-1", children: [
         /* @__PURE__ */ jsx(Label, { htmlFor: "email", children: t("auth.email") }),
         /* @__PURE__ */ jsx(Input, { id: "email", name: "email", type: "email", required: true, "aria-invalid": !!error })

package/dist/modules/auth/frontend/login.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/frontend/login.tsx"],
-  "sourcesContent": ["\"use client\"\nimport { useState } from 'react'\nimport Image from 'next/image'\nimport Link from 'next/link'\nimport { useRouter, useSearchParams } from 'next/navigation'\nimport { Card, CardContent, CardHeader, CardTitle, CardDescription } from '@open-mercato/ui/primitives/card'\nimport { Input } from '@open-mercato/ui/primitives/input'\nimport { Label } from '@open-mercato/ui/primitives/label'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\nimport { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'\nimport { clearAllOperations } from '@open-mercato/ui/backend/operations/store'\n\nfunction extractErrorMessage(payload: unknown): string | null {\n  if (!payload) return null\n  if (typeof payload === 'string') return payload\n  if (Array.isArray(payload)) {\n    for (const entry of payload) {\n      const resolved = extractErrorMessage(entry)\n      if (resolved) return resolved\n    }\n    return null\n  }\n  if (typeof payload === 'object') {\n    const record = payload as Record<string, unknown>\n    const candidates: unknown[] = [\n      record.error,\n      record.message,\n      record.detail,\n      record.details,\n      record.description,\n    ]\n    for (const candidate of candidates) {\n      const resolved = extractErrorMessage(candidate)\n      if (resolved) return resolved\n    }\n  }\n  return null\n}\n\nfunction looksLikeJsonString(value: string): boolean {\n  const trimmed = value.trim()\n  return trimmed.startsWith('{') || trimmed.startsWith('[')\n}\n\nexport default function LoginPage() {\n  const t = useT()\n  const translate = (key: string, fallback: string, params?: Record<string, string | number>) =>\n    translateWithFallback(t, key, fallback, params)\n  const router = useRouter()\n  const searchParams = useSearchParams()\n  const requireRole = (searchParams.get('requireRole') || searchParams.get('role') || '').trim()\n  const requireFeature = (searchParams.get('requireFeature') || '').trim()\n  const requiredRoles = requireRole ? requireRole.split(',').map((value) => value.trim()).filter(Boolean) : []\n  const requiredFeatures = requireFeature ? requireFeature.split(',').map((value) => value.trim()).filter(Boolean) : []\n  const translatedRoles = requiredRoles.map((role) => translate(`auth.roles.${role}`, role))\n  const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature))\n  const [error, setError] = useState<string | null>(null)\n  const [submitting, setSubmitting] = useState(false)\n\n  async function onSubmit(e: React.FormEvent<HTMLFormElement>) {\n    e.preventDefault()\n    setError(null)\n    setSubmitting(true)\n    try {\n      const form = new FormData(e.currentTarget)\n      if (requiredRoles.length) form.set('requireRole', requiredRoles.join(','))\n      const res = await fetch('/api/auth/login', { method: 'POST', body: form })\n      if (res.redirected) {\n        clearAllOperations()\n        // NextResponse.redirect from API\n        router.replace(res.url)\n        return\n      }\n      if (!res.ok) {\n        const fallback = (() => {\n          if (res.status === 403) {\n            return translate(\n              'auth.login.errors.permissionDenied',\n              'You do not have permission to access this area. Please contact your administrator.',\n            )\n          }\n          if (res.status === 401 || res.status === 400) {\n            return translate('auth.login.errors.invalidCredentials', 'Invalid email or password')\n          }\n          return translate('auth.login.errors.generic', 'An error occurred. Please try again.')\n        })()\n        const cloned = res.clone()\n        let errorMessage = ''\n        const contentType = res.headers.get('content-type') || ''\n        if (contentType.includes('application/json')) {\n          try {\n            const data = await res.json()\n            errorMessage = extractErrorMessage(data) || ''\n          } catch {\n            try {\n              const text = await cloned.text()\n              const trimmed = text.trim()\n              if (trimmed && !looksLikeJsonString(trimmed)) {\n                errorMessage = trimmed\n              }\n            } catch {\n              errorMessage = ''\n            }\n          }\n        } else {\n          try {\n            const text = await res.text()\n            const trimmed = text.trim()\n            if (trimmed && !looksLikeJsonString(trimmed)) {\n              errorMessage = trimmed\n            }\n          } catch {\n            errorMessage = ''\n          }\n        }\n        setError(errorMessage || fallback)\n        return\n      }\n      // In case API returns 200 with JSON\n      const data = await res.json().catch(() => null)\n      clearAllOperations()\n      if (data && data.redirect) {\n        router.replace(data.redirect)\n      }\n    } catch (err: unknown) {\n      // Handle any errors thrown (e.g., network errors or thrown exceptions)\n      const message = err instanceof Error ? err.message : ''\n      setError(message || translate('auth.login.errors.generic', 'An error occurred. Please try again.'))\n    } finally {\n      setSubmitting(false)\n    }\n  }\n\n  return (\n    <div className=\"min-h-svh flex items-center justify-center p-4\">\n      <Card className=\"w-full max-w-sm\">\n        <CardHeader className=\"flex flex-col items-center gap-4 text-center p-10\">\n          <Image alt={translate('auth.login.logoAlt', 'Open Mercato logo')} src=\"/open-mercato.svg\" width={150} height={150} priority />\n          <h1 className=\"text-2xl font-semibold\">{translate('auth.login.brandName', 'Open Mercato')}</h1>\n          <CardDescription>{translate('auth.login.subtitle', 'Access your workspace')}</CardDescription>\n        </CardHeader>\n        <CardContent>\n          <form className=\"grid gap-3\" onSubmit={onSubmit} noValidate>\n            {!!translatedRoles.length && (\n              <div className=\"rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900\">\n                {translate(\n                  translatedRoles.length > 1 ? 'auth.login.requireRolesMessage' : 'auth.login.requireRoleMessage',\n                  translatedRoles.length > 1\n                    ? 'Access requires one of the following roles: {roles}'\n                    : 'Access requires role: {roles}',\n                  { roles: translatedRoles.join(', ') },\n                )}\n              </div>\n            )}\n            {!!translatedFeatures.length && (\n              <div className=\"rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900\">\n                {translate('auth.login.featureDenied', \"You don't have access to this feature ({feature}). Please contact your administrator.\", {\n                  feature: translatedFeatures.join(', '),\n                })}\n              </div>\n            )}\n            {error && (\n              <div className=\"rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700\" role=\"alert\" aria-live=\"polite\">\n                {error}\n              </div>\n            )}\n            <div className=\"grid gap-1\">\n              <Label htmlFor=\"email\">{t('auth.email')}</Label>\n              <Input id=\"email\" name=\"email\" type=\"email\" required aria-invalid={!!error} />\n            </div>\n            <div className=\"grid gap-1\">\n              <Label htmlFor=\"password\">{t('auth.password')}</Label>\n              <Input id=\"password\" name=\"password\" type=\"password\" required aria-invalid={!!error} />\n            </div>\n            <label className=\"flex items-center gap-2 text-xs text-muted-foreground\">\n              <input type=\"checkbox\" name=\"remember\" className=\"accent-foreground\" />\n              <span>{translate('auth.login.rememberMe', 'Remember me')}</span>\n            </label>\n            <button disabled={submitting} className=\"h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60\">\n              {submitting ? translate('auth.login.loading', 'Loading...') : translate('auth.signIn', 'Sign in')}\n            </button>\n            <div className=\"text-xs text-muted-foreground mt-2\">\n              <Link className=\"underline\" href=\"/reset\">\n                {translate('auth.login.forgotPassword', 'Forgot password?')}\n              </Link>\n            </div>\n          </form>\n        </CardContent>\n      </Card>\n    </div>\n  )\n}\n"],
-  "mappings": ";AAwIQ,SACE,KADF;AAvIR,SAAS,gBAAgB;AACzB,OAAO,WAAW;AAClB,OAAO,UAAU;AACjB,SAAS,WAAW,uBAAuB;AAC3C,SAAS,MAAM,aAAa,YAAuB,uBAAuB;AAC1E,SAAS,aAAa;AACtB,SAAS,aAAa;AACtB,SAAS,YAAY;AACrB,SAAS,6BAA6B;AACtC,SAAS,0BAA0B;AAEnC,SAAS,oBAAoB,SAAiC;AAC5D,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI,OAAO,YAAY,SAAU,QAAO;AACxC,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,eAAW,SAAS,SAAS;AAC3B,YAAM,WAAW,oBAAoB,KAAK;AAC1C,UAAI,SAAU,QAAO;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AACA,MAAI,OAAO,YAAY,UAAU;AAC/B,UAAM,SAAS;AACf,UAAM,aAAwB;AAAA,MAC5B,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,eAAW,aAAa,YAAY;AAClC,YAAM,WAAW,oBAAoB,SAAS;AAC9C,UAAI,SAAU,QAAO;AAAA,IACvB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAAwB;AACnD,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,WAAW,GAAG,KAAK,QAAQ,WAAW,GAAG;AAC1D;AAEe,SAAR,YAA6B;AAClC,QAAM,IAAI,KAAK;AACf,QAAM,YAAY,CAAC,KAAa,UAAkB,WAChD,sBAAsB,GAAG,KAAK,UAAU,MAAM;AAChD,QAAM,SAAS,UAAU;AACzB,QAAM,eAAe,gBAAgB;AACrC,QAAM,eAAe,aAAa,IAAI,aAAa,KAAK,aAAa,IAAI,MAAM,KAAK,IAAI,KAAK;AAC7F,QAAM,kBAAkB,aAAa,IAAI,gBAAgB,KAAK,IAAI,KAAK;AACvE,QAAM,gBAAgB,cAAc,YAAY,MAAM,GAAG,EAAE,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,IAAI,CAAC;AAC3G,QAAM,mBAAmB,iBAAiB,eAAe,MAAM,GAAG,EAAE,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,IAAI,CAAC;AACpH,QAAM,kBAAkB,cAAc,IAAI,CAAC,SAAS,UAAU,cAAc,IAAI,IAAI,IAAI,CAAC;AACzF,QAAM,qBAAqB,iBAAiB,IAAI,CAAC,YAAY,UAAU,YAAY,OAAO,IAAI,OAAO,CAAC;AACtG,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAwB,IAAI;AACtD,QAAM,CAAC,YAAY,aAAa,IAAI,SAAS,KAAK;AAElD,iBAAe,SAAS,GAAqC;AAC3D,MAAE,eAAe;AACjB,aAAS,IAAI;AACb,kBAAc,IAAI;AAClB,QAAI;AACF,YAAM,OAAO,IAAI,SAAS,EAAE,aAAa;AACzC,UAAI,cAAc,OAAQ,MAAK,IAAI,eAAe,cAAc,KAAK,GAAG,CAAC;AACzE,YAAM,MAAM,MAAM,MAAM,mBAAmB,EAAE,QAAQ,QAAQ,MAAM,KAAK,CAAC;AACzE,UAAI,IAAI,YAAY;AAClB,2BAAmB;AAEnB,eAAO,QAAQ,IAAI,GAAG;AACtB;AAAA,MACF;AACA,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,YAAY,MAAM;AACtB,cAAI,IAAI,WAAW,KAAK;AACtB,mBAAO;AAAA,cACL;AAAA,cACA;AAAA,YACF;AAAA,UACF;AACA,cAAI,IAAI,WAAW,OAAO,IAAI,WAAW,KAAK;AAC5C,mBAAO,UAAU,wCAAwC,2BAA2B;AAAA,UACtF;AACA,iBAAO,UAAU,6BAA6B,sCAAsC;AAAA,QACtF,GAAG;AACH,cAAM,SAAS,IAAI,MAAM;AACzB,YAAI,eAAe;AACnB,cAAM,cAAc,IAAI,QAAQ,IAAI,cAAc,KAAK;AACvD,YAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,cAAI;AACF,kBAAMA,QAAO,MAAM,IAAI,KAAK;AAC5B,2BAAe,oBAAoBA,KAAI,KAAK;AAAA,UAC9C,QAAQ;AACN,gBAAI;AACF,oBAAM,OAAO,MAAM,OAAO,KAAK;AAC/B,oBAAM,UAAU,KAAK,KAAK;AAC1B,kBAAI,WAAW,CAAC,oBAAoB,OAAO,GAAG;AAC5C,+BAAe;AAAA,cACjB;AAAA,YACF,QAAQ;AACN,6BAAe;AAAA,YACjB;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI;AACF,kBAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,kBAAM,UAAU,KAAK,KAAK;AAC1B,gBAAI,WAAW,CAAC,oBAAoB,OAAO,GAAG;AAC5C,6BAAe;AAAA,YACjB;AAAA,UACF,QAAQ;AACN,2BAAe;AAAA,UACjB;AAAA,QACF;AACA,iBAAS,gBAAgB,QAAQ;AACjC;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,yBAAmB;AACnB,UAAI,QAAQ,KAAK,UAAU;AACzB,eAAO,QAAQ,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF,SAAS,KAAc;AAErB,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAS,WAAW,UAAU,6BAA6B,sCAAsC,CAAC;AAAA,IACpG,UAAE;AACA,oBAAc,KAAK;AAAA,IACrB;AAAA,EACF;AAEA,SACE,oBAAC,SAAI,WAAU,kDACb,+BAAC,QAAK,WAAU,mBACd;AAAA,yBAAC,cAAW,WAAU,qDACpB;AAAA,0BAAC,SAAM,KAAK,UAAU,sBAAsB,mBAAmB,GAAG,KAAI,qBAAoB,OAAO,KAAK,QAAQ,KAAK,UAAQ,MAAC;AAAA,MAC5H,oBAAC,QAAG,WAAU,0BAA0B,oBAAU,wBAAwB,cAAc,GAAE;AAAA,MAC1F,oBAAC,mBAAiB,oBAAU,uBAAuB,uBAAuB,GAAE;AAAA,OAC9E;AAAA,IACA,oBAAC,eACC,+BAAC,UAAK,WAAU,cAAa,UAAoB,YAAU,MACxD;AAAA,OAAC,CAAC,gBAAgB,UACjB,oBAAC,SAAI,WAAU,4FACZ;AAAA,QACC,gBAAgB,SAAS,IAAI,mCAAmC;AAAA,QAChE,gBAAgB,SAAS,IACrB,wDACA;AAAA,QACJ,EAAE,OAAO,gBAAgB,KAAK,IAAI,EAAE;AAAA,MACtC,GACF;AAAA,MAED,CAAC,CAAC,mBAAmB,UACpB,oBAAC,SAAI,WAAU,4FACZ,oBAAU,4BAA4B,yFAAyF;AAAA,QAC9H,SAAS,mBAAmB,KAAK,IAAI;AAAA,MACvC,CAAC,GACH;AAAA,MAED,SACC,oBAAC,SAAI,WAAU,yFAAwF,MAAK,SAAQ,aAAU,UAC3H,iBACH;AAAA,MAEF,qBAAC,SAAI,WAAU,cACb;AAAA,4BAAC,SAAM,SAAQ,SAAS,YAAE,YAAY,GAAE;AAAA,QACxC,oBAAC,SAAM,IAAG,SAAQ,MAAK,SAAQ,MAAK,SAAQ,UAAQ,MAAC,gBAAc,CAAC,CAAC,OAAO;AAAA,SAC9E;AAAA,MACA,qBAAC,SAAI,WAAU,cACb;AAAA,4BAAC,SAAM,SAAQ,YAAY,YAAE,eAAe,GAAE;AAAA,QAC9C,oBAAC,SAAM,IAAG,YAAW,MAAK,YAAW,MAAK,YAAW,UAAQ,MAAC,gBAAc,CAAC,CAAC,OAAO;AAAA,SACvF;AAAA,MACA,qBAAC,WAAM,WAAU,yDACf;AAAA,4BAAC,WAAM,MAAK,YAAW,MAAK,YAAW,WAAU,qBAAoB;AAAA,QACrE,oBAAC,UAAM,oBAAU,yBAAyB,aAAa,GAAE;AAAA,SAC3D;AAAA,MACA,oBAAC,YAAO,UAAU,YAAY,WAAU,sGACrC,uBAAa,UAAU,sBAAsB,YAAY,IAAI,UAAU,eAAe,SAAS,GAClG;AAAA,MACA,oBAAC,SAAI,WAAU,sCACb,8BAAC,QAAK,WAAU,aAAY,MAAK,UAC9B,oBAAU,6BAA6B,kBAAkB,GAC5D,GACF;AAAA,OACF,GACF;AAAA,KACF,GACF;AAEJ;",
+  "sourcesContent": ["\"use client\"\nimport { useCallback, useEffect, useState } from 'react'\nimport Image from 'next/image'\nimport Link from 'next/link'\nimport { useRouter, useSearchParams } from 'next/navigation'\nimport { Card, CardContent, CardHeader, CardDescription } from '@open-mercato/ui/primitives/card'\nimport { Input } from '@open-mercato/ui/primitives/input'\nimport { Label } from '@open-mercato/ui/primitives/label'\nimport { Button } from '@open-mercato/ui/primitives/button'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\nimport { translateWithFallback } from '@open-mercato/shared/lib/i18n/translate'\nimport { clearAllOperations } from '@open-mercato/ui/backend/operations/store'\nimport { apiCall } from '@open-mercato/ui/backend/utils/apiCall'\nimport { X } from 'lucide-react'\n\nconst loginTenantKey = 'om_login_tenant'\nconst loginTenantCookieMaxAge = 60 * 60 * 24 * 14\n\nfunction readTenantCookie() {\n  if (typeof document === 'undefined') return null\n  const entries = document.cookie.split(';')\n  for (const entry of entries) {\n    const [name, ...rest] = entry.trim().split('=')\n    if (name === loginTenantKey) return decodeURIComponent(rest.join('='))\n  }\n  return null\n}\n\nfunction setTenantCookie(value: string) {\n  if (typeof document === 'undefined') return\n  document.cookie = `${loginTenantKey}=${encodeURIComponent(value)}; path=/; max-age=${loginTenantCookieMaxAge}; samesite=lax`\n}\n\nfunction clearTenantCookie() {\n  if (typeof document === 'undefined') return\n  document.cookie = `${loginTenantKey}=; path=/; max-age=0; samesite=lax`\n}\n\nfunction extractErrorMessage(payload: unknown): string | null {\n  if (!payload) return null\n  if (typeof payload === 'string') return payload\n  if (Array.isArray(payload)) {\n    for (const entry of payload) {\n      const resolved = extractErrorMessage(entry)\n      if (resolved) return resolved\n    }\n    return null\n  }\n  if (typeof payload === 'object') {\n    const record = payload as Record<string, unknown>\n    const candidates: unknown[] = [\n      record.error,\n      record.message,\n      record.detail,\n      record.details,\n      record.description,\n    ]\n    for (const candidate of candidates) {\n      const resolved = extractErrorMessage(candidate)\n      if (resolved) return resolved\n    }\n  }\n  return null\n}\n\nfunction looksLikeJsonString(value: string): boolean {\n  const trimmed = value.trim()\n  return trimmed.startsWith('{') || trimmed.startsWith('[')\n}\n\nexport default function LoginPage() {\n  const t = useT()\n  const translate = useCallback(\n    (key: string, fallback: string, params?: Record<string, string | number>) =>\n      translateWithFallback(t, key, fallback, params),\n    [t],\n  )\n  const router = useRouter()\n  const searchParams = useSearchParams()\n  const requireRole = (searchParams.get('requireRole') || searchParams.get('role') || '').trim()\n  const requireFeature = (searchParams.get('requireFeature') || '').trim()\n  const requiredRoles = requireRole ? requireRole.split(',').map((value) => value.trim()).filter(Boolean) : []\n  const requiredFeatures = requireFeature ? requireFeature.split(',').map((value) => value.trim()).filter(Boolean) : []\n  const translatedRoles = requiredRoles.map((role) => translate(`auth.roles.${role}`, role))\n  const translatedFeatures = requiredFeatures.map((feature) => translate(`features.${feature}`, feature))\n  const [error, setError] = useState<string | null>(null)\n  const [submitting, setSubmitting] = useState(false)\n  const [tenantId, setTenantId] = useState<string | null>(null)\n  const [tenantName, setTenantName] = useState<string | null>(null)\n  const [tenantLoading, setTenantLoading] = useState(false)\n  const [tenantInvalid, setTenantInvalid] = useState<string | null>(null)\n  const showTenantInvalid = tenantId != null && tenantInvalid === tenantId\n\n  useEffect(() => {\n    const tenantParam = (searchParams.get('tenant') || '').trim()\n    if (tenantParam) {\n      setTenantId(tenantParam)\n      window.localStorage.setItem(loginTenantKey, tenantParam)\n      setTenantCookie(tenantParam)\n      return\n    }\n    const storedTenant = window.localStorage.getItem(loginTenantKey) || readTenantCookie()\n    if (storedTenant) {\n      setTenantId(storedTenant)\n    }\n  }, [searchParams])\n\n  useEffect(() => {\n    if (!tenantId) {\n      setTenantName(null)\n      setTenantInvalid(null)\n      return\n    }\n    if (tenantInvalid === tenantId) {\n      setTenantName(null)\n      setTenantLoading(false)\n      return\n    }\n    let active = true\n    setTenantLoading(true)\n    setTenantInvalid(null)\n    apiCall<{ ok: boolean; tenant?: { id: string; name: string }; error?: string }>(\n      `/api/directory/tenants/lookup?tenantId=${encodeURIComponent(tenantId)}`,\n    )\n      .then(({ result }) => {\n        if (!active) return\n        if (result?.ok && result.tenant) {\n          setTenantName(result.tenant.name)\n          return\n        }\n        const message = translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')\n        setTenantName(null)\n        setTenantInvalid(tenantId)\n        setError(null)\n      })\n      .catch(() => {\n        if (!active) return\n        setTenantName(null)\n        setTenantInvalid(tenantId)\n        setError(null)\n      })\n      .finally(() => {\n        if (active) setTenantLoading(false)\n      })\n    return () => {\n      active = false\n    }\n  }, [tenantId, translate])\n\n  function handleClearTenant() {\n    window.localStorage.removeItem(loginTenantKey)\n    clearTenantCookie()\n    setTenantId(null)\n    setTenantName(null)\n    setTenantInvalid(null)\n    const params = new URLSearchParams(searchParams)\n    params.delete('tenant')\n    setError(null)\n    const query = params.toString()\n    router.replace(query ? `/login?${query}` : '/login')\n  }\n\n  async function onSubmit(e: React.FormEvent<HTMLFormElement>) {\n    e.preventDefault()\n    setError(null)\n    setSubmitting(true)\n    try {\n      const form = new FormData(e.currentTarget)\n      if (requiredRoles.length) form.set('requireRole', requiredRoles.join(','))\n      const res = await fetch('/api/auth/login', { method: 'POST', body: form })\n      if (res.redirected) {\n        clearAllOperations()\n        // NextResponse.redirect from API\n        router.replace(res.url)\n        return\n      }\n      if (!res.ok) {\n        const fallback = (() => {\n          if (res.status === 403) {\n            return translate(\n              'auth.login.errors.permissionDenied',\n              'You do not have permission to access this area. Please contact your administrator.',\n            )\n          }\n          if (res.status === 401 || res.status === 400) {\n            return translate('auth.login.errors.invalidCredentials', 'Invalid email or password')\n          }\n          return translate('auth.login.errors.generic', 'An error occurred. Please try again.')\n        })()\n        const cloned = res.clone()\n        let errorMessage = ''\n        const contentType = res.headers.get('content-type') || ''\n        if (contentType.includes('application/json')) {\n          try {\n            const data = await res.json()\n            errorMessage = extractErrorMessage(data) || ''\n          } catch {\n            try {\n              const text = await cloned.text()\n              const trimmed = text.trim()\n              if (trimmed && !looksLikeJsonString(trimmed)) {\n                errorMessage = trimmed\n              }\n            } catch {\n              errorMessage = ''\n            }\n          }\n        } else {\n          try {\n            const text = await res.text()\n            const trimmed = text.trim()\n            if (trimmed && !looksLikeJsonString(trimmed)) {\n              errorMessage = trimmed\n            }\n          } catch {\n            errorMessage = ''\n          }\n        }\n        setError(errorMessage || fallback)\n        return\n      }\n      // In case API returns 200 with JSON\n      const data = await res.json().catch(() => null)\n      clearAllOperations()\n      if (data && data.redirect) {\n        router.replace(data.redirect)\n      }\n    } catch (err: unknown) {\n      // Handle any errors thrown (e.g., network errors or thrown exceptions)\n      const message = err instanceof Error ? err.message : ''\n      setError(message || translate('auth.login.errors.generic', 'An error occurred. Please try again.'))\n    } finally {\n      setSubmitting(false)\n    }\n  }\n\n  return (\n    <div className=\"min-h-svh flex items-center justify-center p-4\">\n      <Card className=\"w-full max-w-sm\">\n        <CardHeader className=\"flex flex-col items-center gap-4 text-center p-10\">\n          <Image alt={translate('auth.login.logoAlt', 'Open Mercato logo')} src=\"/open-mercato.svg\" width={150} height={150} priority />\n          <h1 className=\"text-2xl font-semibold\">{translate('auth.login.brandName', 'Open Mercato')}</h1>\n          <CardDescription>{translate('auth.login.subtitle', 'Access your workspace')}</CardDescription>\n        </CardHeader>\n        <CardContent>\n          <form className=\"grid gap-3\" onSubmit={onSubmit} noValidate>\n            {tenantId ? (\n              <input type=\"hidden\" name=\"tenantId\" value={tenantId} />\n            ) : null}\n            {!!translatedRoles.length && (\n              <div className=\"rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900\">\n                {translate(\n                  translatedRoles.length > 1 ? 'auth.login.requireRolesMessage' : 'auth.login.requireRoleMessage',\n                  translatedRoles.length > 1\n                    ? 'Access requires one of the following roles: {roles}'\n                    : 'Access requires role: {roles}',\n                  { roles: translatedRoles.join(', ') },\n                )}\n              </div>\n            )}\n            {!!translatedFeatures.length && (\n              <div className=\"rounded-md border border-blue-200 bg-blue-50 px-3 py-2 text-center text-xs text-blue-900\">\n                {translate('auth.login.featureDenied', \"You don't have access to this feature ({feature}). Please contact your administrator.\", {\n                  feature: translatedFeatures.join(', '),\n                })}\n              </div>\n            )}\n            {showTenantInvalid ? (\n              <div className=\"rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-xs text-red-700\">\n                <div className=\"font-medium\">{translate('auth.login.errors.tenantInvalid', 'Tenant not found. Clear the tenant selection and try again.')}</div>\n                <Button type=\"button\" variant=\"outline\" size=\"sm\" className=\"mt-2 border-red-300 text-red-700\" onClick={handleClearTenant}>\n                  <X className=\"mr-2 size-4\" aria-hidden=\"true\" />\n                  {translate('auth.login.tenantClear', 'Clear')}\n                </Button>\n              </div>\n            ) : tenantId ? (\n              <div className=\"rounded-md border border-emerald-200 bg-emerald-50 px-3 py-2 text-center text-xs text-emerald-900\">\n                <div className=\"font-medium\">\n                  {tenantLoading\n                    ? translate('auth.login.tenantLoading', 'Loading tenant details...')\n                    : translate('auth.login.tenantBanner', \"You're logging in to {tenant} tenant.\", {\n                        tenant: tenantName || tenantId,\n                      })}\n                </div>\n                <Button type=\"button\" variant=\"outline\" size=\"sm\" className=\"mt-2 border-emerald-300 text-emerald-900\" onClick={handleClearTenant}>\n                  <X className=\"mr-2 size-4\" aria-hidden=\"true\" />\n                  {translate('auth.login.tenantClear', 'Clear')}\n                </Button>\n              </div>\n            ) : null}\n            {error && !showTenantInvalid && (\n              <div className=\"rounded-md border border-red-200 bg-red-50 px-3 py-2 text-center text-sm text-red-700\" role=\"alert\" aria-live=\"polite\">\n                {error}\n              </div>\n            )}\n            <div className=\"grid gap-1\">\n              <Label htmlFor=\"email\">{t('auth.email')}</Label>\n              <Input id=\"email\" name=\"email\" type=\"email\" required aria-invalid={!!error} />\n            </div>\n            <div className=\"grid gap-1\">\n              <Label htmlFor=\"password\">{t('auth.password')}</Label>\n              <Input id=\"password\" name=\"password\" type=\"password\" required aria-invalid={!!error} />\n            </div>\n            <label className=\"flex items-center gap-2 text-xs text-muted-foreground\">\n              <input type=\"checkbox\" name=\"remember\" className=\"accent-foreground\" />\n              <span>{translate('auth.login.rememberMe', 'Remember me')}</span>\n            </label>\n            <button disabled={submitting} className=\"h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60\">\n              {submitting ? translate('auth.login.loading', 'Loading...') : translate('auth.signIn', 'Sign in')}\n            </button>\n            <div className=\"text-xs text-muted-foreground mt-2\">\n              <Link className=\"underline\" href=\"/reset\">\n                {translate('auth.login.forgotPassword', 'Forgot password?')}\n              </Link>\n            </div>\n          </form>\n        </CardContent>\n      </Card>\n    </div>\n  )\n}\n"],
+  "mappings": ";AA+OQ,SACE,KADF;AA9OR,SAAS,aAAa,WAAW,gBAAgB;AACjD,OAAO,WAAW;AAClB,OAAO,UAAU;AACjB,SAAS,WAAW,uBAAuB;AAC3C,SAAS,MAAM,aAAa,YAAY,uBAAuB;AAC/D,SAAS,aAAa;AACtB,SAAS,aAAa;AACtB,SAAS,cAAc;AACvB,SAAS,YAAY;AACrB,SAAS,6BAA6B;AACtC,SAAS,0BAA0B;AACnC,SAAS,eAAe;AACxB,SAAS,SAAS;AAElB,MAAM,iBAAiB;AACvB,MAAM,0BAA0B,KAAK,KAAK,KAAK;AAE/C,SAAS,mBAAmB;AAC1B,MAAI,OAAO,aAAa,YAAa,QAAO;AAC5C,QAAM,UAAU,SAAS,OAAO,MAAM,GAAG;AACzC,aAAW,SAAS,SAAS;AAC3B,UAAM,CAAC,MAAM,GAAG,IAAI,IAAI,MAAM,KAAK,EAAE,MAAM,GAAG;AAC9C,QAAI,SAAS,eAAgB,QAAO,mBAAmB,KAAK,KAAK,GAAG,CAAC;AAAA,EACvE;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAAe;AACtC,MAAI,OAAO,aAAa,YAAa;AACrC,WAAS,SAAS,GAAG,cAAc,IAAI,mBAAmB,KAAK,CAAC,qBAAqB,uBAAuB;AAC9G;AAEA,SAAS,oBAAoB;AAC3B,MAAI,OAAO,aAAa,YAAa;AACrC,WAAS,SAAS,GAAG,cAAc;AACrC;AAEA,SAAS,oBAAoB,SAAiC;AAC5D,MAAI,CAAC,QAAS,QAAO;AACrB,MAAI,OAAO,YAAY,SAAU,QAAO;AACxC,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,eAAW,SAAS,SAAS;AAC3B,YAAM,WAAW,oBAAoB,KAAK;AAC1C,UAAI,SAAU,QAAO;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AACA,MAAI,OAAO,YAAY,UAAU;AAC/B,UAAM,SAAS;AACf,UAAM,aAAwB;AAAA,MAC5B,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,eAAW,aAAa,YAAY;AAClC,YAAM,WAAW,oBAAoB,SAAS;AAC9C,UAAI,SAAU,QAAO;AAAA,IACvB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,oBAAoB,OAAwB;AACnD,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,WAAW,GAAG,KAAK,QAAQ,WAAW,GAAG;AAC1D;AAEe,SAAR,YAA6B;AAClC,QAAM,IAAI,KAAK;AACf,QAAM,YAAY;AAAA,IAChB,CAAC,KAAa,UAAkB,WAC9B,sBAAsB,GAAG,KAAK,UAAU,MAAM;AAAA,IAChD,CAAC,CAAC;AAAA,EACJ;AACA,QAAM,SAAS,UAAU;AACzB,QAAM,eAAe,gBAAgB;AACrC,QAAM,eAAe,aAAa,IAAI,aAAa,KAAK,aAAa,IAAI,MAAM,KAAK,IAAI,KAAK;AAC7F,QAAM,kBAAkB,aAAa,IAAI,gBAAgB,KAAK,IAAI,KAAK;AACvE,QAAM,gBAAgB,cAAc,YAAY,MAAM,GAAG,EAAE,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,IAAI,CAAC;AAC3G,QAAM,mBAAmB,iBAAiB,eAAe,MAAM,GAAG,EAAE,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,IAAI,CAAC;AACpH,QAAM,kBAAkB,cAAc,IAAI,CAAC,SAAS,UAAU,cAAc,IAAI,IAAI,IAAI,CAAC;AACzF,QAAM,qBAAqB,iBAAiB,IAAI,CAAC,YAAY,UAAU,YAAY,OAAO,IAAI,OAAO,CAAC;AACtG,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAwB,IAAI;AACtD,QAAM,CAAC,YAAY,aAAa,IAAI,SAAS,KAAK;AAClD,QAAM,CAAC,UAAU,WAAW,IAAI,SAAwB,IAAI;AAC5D,QAAM,CAAC,YAAY,aAAa,IAAI,SAAwB,IAAI;AAChE,QAAM,CAAC,eAAe,gBAAgB,IAAI,SAAS,KAAK;AACxD,QAAM,CAAC,eAAe,gBAAgB,IAAI,SAAwB,IAAI;AACtE,QAAM,oBAAoB,YAAY,QAAQ,kBAAkB;AAEhE,YAAU,MAAM;AACd,UAAM,eAAe,aAAa,IAAI,QAAQ,KAAK,IAAI,KAAK;AAC5D,QAAI,aAAa;AACf,kBAAY,WAAW;AACvB,aAAO,aAAa,QAAQ,gBAAgB,WAAW;AACvD,sBAAgB,WAAW;AAC3B;AAAA,IACF;AACA,UAAM,eAAe,OAAO,aAAa,QAAQ,cAAc,KAAK,iBAAiB;AACrF,QAAI,cAAc;AAChB,kBAAY,YAAY;AAAA,IAC1B;AAAA,EACF,GAAG,CAAC,YAAY,CAAC;AAEjB,YAAU,MAAM;AACd,QAAI,CAAC,UAAU;AACb,oBAAc,IAAI;AAClB,uBAAiB,IAAI;AACrB;AAAA,IACF;AACA,QAAI,kBAAkB,UAAU;AAC9B,oBAAc,IAAI;AAClB,uBAAiB,KAAK;AACtB;AAAA,IACF;AACA,QAAI,SAAS;AACb,qBAAiB,IAAI;AACrB,qBAAiB,IAAI;AACrB;AAAA,MACE,0CAA0C,mBAAmB,QAAQ,CAAC;AAAA,IACxE,EACG,KAAK,CAAC,EAAE,OAAO,MAAM;AACpB,UAAI,CAAC,OAAQ;AACb,UAAI,QAAQ,MAAM,OAAO,QAAQ;AAC/B,sBAAc,OAAO,OAAO,IAAI;AAChC;AAAA,MACF;AACA,YAAM,UAAU,UAAU,mCAAmC,6DAA6D;AAC1H,oBAAc,IAAI;AAClB,uBAAiB,QAAQ;AACzB,eAAS,IAAI;AAAA,IACf,CAAC,EACA,MAAM,MAAM;AACX,UAAI,CAAC,OAAQ;AACb,oBAAc,IAAI;AAClB,uBAAiB,QAAQ;AACzB,eAAS,IAAI;AAAA,IACf,CAAC,EACA,QAAQ,MAAM;AACb,UAAI,OAAQ,kBAAiB,KAAK;AAAA,IACpC,CAAC;AACH,WAAO,MAAM;AACX,eAAS;AAAA,IACX;AAAA,EACF,GAAG,CAAC,UAAU,SAAS,CAAC;AAExB,WAAS,oBAAoB;AAC3B,WAAO,aAAa,WAAW,cAAc;AAC7C,sBAAkB;AAClB,gBAAY,IAAI;AAChB,kBAAc,IAAI;AAClB,qBAAiB,IAAI;AACrB,UAAM,SAAS,IAAI,gBAAgB,YAAY;AAC/C,WAAO,OAAO,QAAQ;AACtB,aAAS,IAAI;AACb,UAAM,QAAQ,OAAO,SAAS;AAC9B,WAAO,QAAQ,QAAQ,UAAU,KAAK,KAAK,QAAQ;AAAA,EACrD;AAEA,iBAAe,SAAS,GAAqC;AAC3D,MAAE,eAAe;AACjB,aAAS,IAAI;AACb,kBAAc,IAAI;AAClB,QAAI;AACF,YAAM,OAAO,IAAI,SAAS,EAAE,aAAa;AACzC,UAAI,cAAc,OAAQ,MAAK,IAAI,eAAe,cAAc,KAAK,GAAG,CAAC;AACzE,YAAM,MAAM,MAAM,MAAM,mBAAmB,EAAE,QAAQ,QAAQ,MAAM,KAAK,CAAC;AACzE,UAAI,IAAI,YAAY;AAClB,2BAAmB;AAEnB,eAAO,QAAQ,IAAI,GAAG;AACtB;AAAA,MACF;AACA,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,YAAY,MAAM;AACtB,cAAI,IAAI,WAAW,KAAK;AACtB,mBAAO;AAAA,cACL;AAAA,cACA;AAAA,YACF;AAAA,UACF;AACA,cAAI,IAAI,WAAW,OAAO,IAAI,WAAW,KAAK;AAC5C,mBAAO,UAAU,wCAAwC,2BAA2B;AAAA,UACtF;AACA,iBAAO,UAAU,6BAA6B,sCAAsC;AAAA,QACtF,GAAG;AACH,cAAM,SAAS,IAAI,MAAM;AACzB,YAAI,eAAe;AACnB,cAAM,cAAc,IAAI,QAAQ,IAAI,cAAc,KAAK;AACvD,YAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,cAAI;AACF,kBAAMA,QAAO,MAAM,IAAI,KAAK;AAC5B,2BAAe,oBAAoBA,KAAI,KAAK;AAAA,UAC9C,QAAQ;AACN,gBAAI;AACF,oBAAM,OAAO,MAAM,OAAO,KAAK;AAC/B,oBAAM,UAAU,KAAK,KAAK;AAC1B,kBAAI,WAAW,CAAC,oBAAoB,OAAO,GAAG;AAC5C,+BAAe;AAAA,cACjB;AAAA,YACF,QAAQ;AACN,6BAAe;AAAA,YACjB;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI;AACF,kBAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,kBAAM,UAAU,KAAK,KAAK;AAC1B,gBAAI,WAAW,CAAC,oBAAoB,OAAO,GAAG;AAC5C,6BAAe;AAAA,YACjB;AAAA,UACF,QAAQ;AACN,2BAAe;AAAA,UACjB;AAAA,QACF;AACA,iBAAS,gBAAgB,QAAQ;AACjC;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,yBAAmB;AACnB,UAAI,QAAQ,KAAK,UAAU;AACzB,eAAO,QAAQ,KAAK,QAAQ;AAAA,MAC9B;AAAA,IACF,SAAS,KAAc;AAErB,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAS,WAAW,UAAU,6BAA6B,sCAAsC,CAAC;AAAA,IACpG,UAAE;AACA,oBAAc,KAAK;AAAA,IACrB;AAAA,EACF;AAEA,SACE,oBAAC,SAAI,WAAU,kDACb,+BAAC,QAAK,WAAU,mBACd;AAAA,yBAAC,cAAW,WAAU,qDACpB;AAAA,0BAAC,SAAM,KAAK,UAAU,sBAAsB,mBAAmB,GAAG,KAAI,qBAAoB,OAAO,KAAK,QAAQ,KAAK,UAAQ,MAAC;AAAA,MAC5H,oBAAC,QAAG,WAAU,0BAA0B,oBAAU,wBAAwB,cAAc,GAAE;AAAA,MAC1F,oBAAC,mBAAiB,oBAAU,uBAAuB,uBAAuB,GAAE;AAAA,OAC9E;AAAA,IACA,oBAAC,eACC,+BAAC,UAAK,WAAU,cAAa,UAAoB,YAAU,MACxD;AAAA,iBACC,oBAAC,WAAM,MAAK,UAAS,MAAK,YAAW,OAAO,UAAU,IACpD;AAAA,MACH,CAAC,CAAC,gBAAgB,UACjB,oBAAC,SAAI,WAAU,4FACZ;AAAA,QACC,gBAAgB,SAAS,IAAI,mCAAmC;AAAA,QAChE,gBAAgB,SAAS,IACrB,wDACA;AAAA,QACJ,EAAE,OAAO,gBAAgB,KAAK,IAAI,EAAE;AAAA,MACtC,GACF;AAAA,MAED,CAAC,CAAC,mBAAmB,UACpB,oBAAC,SAAI,WAAU,4FACZ,oBAAU,4BAA4B,yFAAyF;AAAA,QAC9H,SAAS,mBAAmB,KAAK,IAAI;AAAA,MACvC,CAAC,GACH;AAAA,MAED,oBACC,qBAAC,SAAI,WAAU,yFACb;AAAA,4BAAC,SAAI,WAAU,eAAe,oBAAU,mCAAmC,6DAA6D,GAAE;AAAA,QAC1I,qBAAC,UAAO,MAAK,UAAS,SAAQ,WAAU,MAAK,MAAK,WAAU,oCAAmC,SAAS,mBACtG;AAAA,8BAAC,KAAE,WAAU,eAAc,eAAY,QAAO;AAAA,UAC7C,UAAU,0BAA0B,OAAO;AAAA,WAC9C;AAAA,SACF,IACE,WACF,qBAAC,SAAI,WAAU,qGACb;AAAA,4BAAC,SAAI,WAAU,eACZ,0BACG,UAAU,4BAA4B,2BAA2B,IACjE,UAAU,2BAA2B,yCAAyC;AAAA,UAC5E,QAAQ,cAAc;AAAA,QACxB,CAAC,GACP;AAAA,QACA,qBAAC,UAAO,MAAK,UAAS,SAAQ,WAAU,MAAK,MAAK,WAAU,4CAA2C,SAAS,mBAC9G;AAAA,8BAAC,KAAE,WAAU,eAAc,eAAY,QAAO;AAAA,UAC7C,UAAU,0BAA0B,OAAO;AAAA,WAC9C;AAAA,SACF,IACE;AAAA,MACH,SAAS,CAAC,qBACT,oBAAC,SAAI,WAAU,yFAAwF,MAAK,SAAQ,aAAU,UAC3H,iBACH;AAAA,MAEF,qBAAC,SAAI,WAAU,cACb;AAAA,4BAAC,SAAM,SAAQ,SAAS,YAAE,YAAY,GAAE;AAAA,QACxC,oBAAC,SAAM,IAAG,SAAQ,MAAK,SAAQ,MAAK,SAAQ,UAAQ,MAAC,gBAAc,CAAC,CAAC,OAAO;AAAA,SAC9E;AAAA,MACA,qBAAC,SAAI,WAAU,cACb;AAAA,4BAAC,SAAM,SAAQ,YAAY,YAAE,eAAe,GAAE;AAAA,QAC9C,oBAAC,SAAM,IAAG,YAAW,MAAK,YAAW,MAAK,YAAW,UAAQ,MAAC,gBAAc,CAAC,CAAC,OAAO;AAAA,SACvF;AAAA,MACA,qBAAC,WAAM,WAAU,yDACf;AAAA,4BAAC,WAAM,MAAK,YAAW,MAAK,YAAW,WAAU,qBAAoB;AAAA,QACrE,oBAAC,UAAM,oBAAU,yBAAyB,aAAa,GAAE;AAAA,SAC3D;AAAA,MACA,oBAAC,YAAO,UAAU,YAAY,WAAU,sGACrC,uBAAa,UAAU,sBAAsB,YAAY,IAAI,UAAU,eAAe,SAAS,GAClG;AAAA,MACA,oBAAC,SAAI,WAAU,sCACb,8BAAC,QAAK,WAAU,aAAY,MAAK,UAC9B,oBAAU,6BAA6B,kBAAkB,GAC5D,GACF;AAAA,OACF,GACF;AAAA,KACF,GACF;AAEJ;",
   "names": ["data"]
 }

package/dist/modules/auth/frontend/reset/[token]/page.js CHANGED Viewed

@@ -5,10 +5,17 @@ import { Input } from "@open-mercato/ui/primitives/input";
 import { Label } from "@open-mercato/ui/primitives/label";
 import { useState } from "react";
 import { useRouter } from "next/navigation";
+import { apiCall } from "@open-mercato/ui/backend/utils/apiCall";
+import { useT } from "@open-mercato/shared/lib/i18n/context";
+import { formatPasswordRequirements, getPasswordPolicy } from "@open-mercato/shared/lib/auth/passwordPolicy";
 function ResetWithTokenPage({ params }) {
   const router = useRouter();
+  const t = useT();
   const [error, setError] = useState(null);
   const [submitting, setSubmitting] = useState(false);
+  const passwordPolicy = getPasswordPolicy();
+  const passwordRequirements = formatPasswordRequirements(passwordPolicy, t);
+  const passwordDescription = passwordRequirements ? t("auth.password.requirements.help", "Password requirements: {requirements}", { requirements: passwordRequirements }) : "";
   async function onSubmit(e) {
     e.preventDefault();
     setError(null);
@@ -16,29 +23,32 @@ function ResetWithTokenPage({ params }) {
     try {
       const form = new FormData(e.currentTarget);
       form.set("token", params.token);
-      const res = await fetch("/api/auth/reset/confirm", { method: "POST", body: form });
-      const data = await res.json().catch(() => null);
-      if (!res.ok) {
-        setError(data?.error || "Unable to reset password");
+      const { ok, result } = await apiCall(
+        "/api/auth/reset/confirm",
+        { method: "POST", body: form }
+      );
+      if (!ok || result?.ok === false) {
+        setError(result?.error || t("auth.reset.errors.failed", "Unable to reset password"));
         return;
       }
-      router.replace(data?.redirect || "/login");
+      router.replace(result?.redirect || "/login");
     } finally {
       setSubmitting(false);
     }
   }
   return /* @__PURE__ */ jsx("div", { className: "min-h-svh flex items-center justify-center p-4", children: /* @__PURE__ */ jsxs(Card, { className: "w-full max-w-sm", children: [
     /* @__PURE__ */ jsxs(CardHeader, { children: [
-      /* @__PURE__ */ jsx(CardTitle, { children: "Set a new password" }),
-      /* @__PURE__ */ jsx(CardDescription, { children: "Choose a strong password for your account." })
+      /* @__PURE__ */ jsx(CardTitle, { children: t("auth.reset.title", "Set a new password") }),
+      /* @__PURE__ */ jsx(CardDescription, { children: t("auth.reset.subtitle", "Choose a strong password for your account.") })
     ] }),
     /* @__PURE__ */ jsx(CardContent, { children: /* @__PURE__ */ jsxs("form", { className: "grid gap-3", onSubmit, children: [
       error && /* @__PURE__ */ jsx("div", { className: "text-sm text-red-600", children: error }),
       /* @__PURE__ */ jsxs("div", { className: "grid gap-1", children: [
-        /* @__PURE__ */ jsx(Label, { htmlFor: "password", children: "New password" }),
-        /* @__PURE__ */ jsx(Input, { id: "password", name: "password", type: "password", required: true, minLength: 6 })
+        /* @__PURE__ */ jsx(Label, { htmlFor: "password", children: t("auth.reset.form.password", "New password") }),
+        /* @__PURE__ */ jsx(Input, { id: "password", name: "password", type: "password", required: true, minLength: passwordPolicy.minLength }),
+        passwordDescription ? /* @__PURE__ */ jsx("p", { className: "text-xs text-muted-foreground", children: passwordDescription }) : null
       ] }),
-      /* @__PURE__ */ jsx("button", { disabled: submitting, className: "h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60", children: submitting ? "..." : "Update password" })
+      /* @__PURE__ */ jsx("button", { disabled: submitting, className: "h-10 rounded-md bg-foreground text-background mt-2 hover:opacity-90 transition disabled:opacity-60", children: submitting ? t("auth.reset.form.loading", "...") : t("auth.reset.form.submit", "Update password") })
     ] }) })
   ] }) });
 }