npm - @open-mercato/core - Versions diffs - 0.4.2-canary-f821f89ef6 → 0.4.2-canary-3b5064ce72 - Mend

@open-mercato/core 0.4.2-canary-f821f89ef6 → 0.4.2-canary-3b5064ce72

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (632) hide show

package/dist/modules/auth/cli.js CHANGED Viewed

@@ -13,6 +13,8 @@ import { TenantDataEncryptionService } from "@open-mercato/shared/lib/encryption
 import { decryptWithAesGcm } from "@open-mercato/shared/lib/encryption/aes";
 import { env } from "process";
 import crypto from "node:crypto";
+import { formatPasswordRequirements, getPasswordPolicy, validatePassword } from "@open-mercato/shared/lib/auth/passwordPolicy";
+import { parseBooleanToken } from "@open-mercato/shared/lib/boolean";
 const addUser = {
   command: "add-user",
   async run(rest) {
@@ -30,6 +32,7 @@ const addUser = {
       console.error("Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]");
       return;
     }
+    if (!ensurePasswordPolicy(password)) return;
     const { resolve } = await createRequestContainer();
     const em = resolve("em");
     const org = await findOneWithDecryption(
@@ -95,6 +98,15 @@ function hashSecret(value) {
   if (!value) return null;
   return crypto.createHash("sha256").update(normalizeKeyInput(value)).digest("hex").slice(0, 12);
 }
+function ensurePasswordPolicy(password) {
+  const policy = getPasswordPolicy();
+  const result = validatePassword(password, policy);
+  if (result.ok) return true;
+  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback);
+  const suffix = requirements ? `: ${requirements}` : "";
+  console.error(`Password does not meet the requirements${suffix}.`);
+  return false;
+}
 async function withEncryptionDebugDisabled(fn) {
   const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG;
   process.env.TENANT_DATA_ENCRYPTION_DEBUG = "no";
@@ -361,20 +373,21 @@ const addOrganization = {
 const setupApp = {
   command: "setup",
   async run(rest) {
-    const args = {};
-    for (let i = 0; i < rest.length; i += 2) {
-      const k = rest[i]?.replace(/^--/, "");
-      const v = rest[i + 1];
-      if (k) args[k] = v;
-    }
-    const orgName = args.orgName || args.name;
-    const email = args.email;
-    const password = args.password;
-    const rolesCsv = (args.roles ?? "superadmin,admin,employee").trim();
+    const args = parseArgs(rest);
+    const orgName = typeof args.orgName === "string" ? args.orgName : typeof args.name === "string" ? args.name : void 0;
+    const email = typeof args.email === "string" ? args.email : void 0;
+    const password = typeof args.password === "string" ? args.password : void 0;
+    const rolesCsv = typeof args.roles === "string" ? args.roles.trim() : "superadmin,admin,employee";
+    const skipPasswordPolicyRaw = args["skip-password-policy"] ?? args.skipPasswordPolicy ?? args["allow-weak-password"] ?? args.allowWeakPassword;
+    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === "boolean" ? skipPasswordPolicyRaw : parseBooleanToken(typeof skipPasswordPolicyRaw === "string" ? skipPasswordPolicyRaw : null) ?? false;
     if (!orgName || !email || !password) {
-      console.error("Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]");
+      console.error("Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]");
       return;
     }
+    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return;
+    if (skipPasswordPolicy) {
+      console.warn("\u26A0\uFE0F  Password policy validation skipped for setup.");
+    }
     const { resolve } = await createRequestContainer();
     const em = resolve("em");
     const roleNames = rolesCsv ? rolesCsv.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
@@ -532,6 +545,7 @@ const setPassword = {
       console.error("Usage: mercato auth set-password --email <email> --password <newPassword>");
       return;
     }
+    if (!ensurePasswordPolicy(password)) return;
     const { resolve } = await createRequestContainer();
     const em = resolve("em");
     const emailHash = computeEmailHash(email);

package/dist/modules/auth/cli.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/auth/cli.ts"],
-  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { ensureRoles, setupInitialTenant } from './lib/setup-app'\nimport { normalizeTenantId } from './lib/tenantAccess'\nimport { computeEmailHash } from './lib/emailHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { env } from 'process'\nimport type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'\nimport crypto from 'node:crypto'\n\nconst addUser: ModuleCli = {\n  command: 'add-user',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const email = args.email\n    const password = args.password\n    const organizationId = String(args.organizationId ?? args.orgId ?? args.org)\n    const rolesCsv = (args.roles ?? '').trim()\n    if (!email || !password || !organizationId) {\n      console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const org =\n      (await findOneWithDecryption(\n        em,\n        Organization,\n        { id: organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId },\n      )) ?? null\n    if (!org) throw new Error('Organization not found')\n    const orgTenantId = org.tenant?.id ? String(org.tenant.id) : null\n    const normalizedTenantId = normalizeTenantId(orgTenantId ?? null) ?? null\n    const u = em.create(User, {\n      email,\n      emailHash: computeEmailHash(email),\n      passwordHash: await hash(password, 10),\n      isConfirmed: true,\n      organizationId: org.id,\n      tenantId: org.tenant.id,\n    })\n    await em.persistAndFlush(u)\n    if (rolesCsv) {\n      const names = rolesCsv.split(',').map(s => s.trim()).filter(Boolean)\n      for (const name of names) {\n        let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n        if (!role && normalizedTenantId !== null) {\n          role = await em.findOne(Role, { name, tenantId: null })\n        }\n        if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n          await em.persistAndFlush(role)\n        } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n          role.tenantId = normalizedTenantId\n          await em.persistAndFlush(role)\n        }\n        const link = em.create(UserRole, { user: u, role })\n        await em.persistAndFlush(link)\n      }\n    }\n    console.log('User created with id', u.id)\n  },\n}\n\nfunction parseArgs(rest: string[]) {\n  const args: Record<string, string | boolean> = {}\n  for (let i = 0; i < rest.length; i++) {\n    const a = rest[i]\n    if (!a) continue\n    if (a.startsWith('--')) {\n      const [k, v] = a.replace(/^--/, '').split('=')\n      if (v !== undefined) args[k] = v\n      else if (rest[i + 1] && !rest[i + 1]!.startsWith('--')) { args[k] = rest[i + 1]!; i++ }\n      else args[k] = true\n    }\n  }\n  return args\n}\n\nfunction normalizeKeyInput(value: string): string {\n  return value.trim().replace(/^['\"]|['\"]$/g, '')\n}\n\nfunction hashSecret(value: string | null | undefined): string | null {\n  if (!value) return null\n  return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)\n}\n\nasync function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {\n  const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG\n  process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'\n  try {\n    return await fn()\n  } finally {\n    if (previous === undefined) {\n      delete process.env.TENANT_DATA_ENCRYPTION_DEBUG\n    } else {\n      process.env.TENANT_DATA_ENCRYPTION_DEBUG = previous\n    }\n  }\n}\n\nclass DerivedKeyKmsService implements KmsService {\n  private root: Buffer\n  constructor(secret: string) {\n    this.root = crypto.createHash('sha256').update(normalizeKeyInput(secret)).digest()\n  }\n\n  isHealthy(): boolean {\n    return true\n  }\n\n  private deriveKey(tenantId: string): string {\n    const iterations = 310_000\n    const keyLength = 32\n    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, 'sha512')\n    return derived.toString('base64')\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (!tenantId) return null\n    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() }\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    return this.getTenantDek(tenantId)\n  }\n}\n\nfunction fingerprintDek(dek: TenantDek | null): string | null {\n  if (!dek?.key) return null\n  return crypto.createHash('sha256').update(dek.key).digest('hex').slice(0, 12)\n}\n\nfunction decryptWithOldKey(\n  payload: string,\n  dek: TenantDek | null,\n): string | null {\n  if (!dek?.key) return null\n  return decryptWithAesGcm(payload, dek.key)\n}\n\nconst seedRoles: ModuleCli = {\n  command: 'seed-roles',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const key = rest[i]?.replace(/^--/, '')\n      if (!key) continue\n      const value = rest[i + 1]\n      if (value) args[key] = value\n    }\n    const tenantId = args.tenantId ?? args.tenant ?? args.tenant_id ?? null\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    if (tenantId) {\n      await ensureRoles(em, { tenantId })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', tenantId)\n      return\n    }\n    const tenants = await em.find(Tenant, {})\n    if (!tenants.length) {\n      console.log('No tenants found; nothing to seed.')\n      return\n    }\n    for (const tenant of tenants) {\n      const id = tenant.id ? String(tenant.id) : null\n      if (!id) continue\n      await ensureRoles(em, { tenantId: id })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', id)\n    }\n  },\n}\n\nconst rotateEncryptionKey: ModuleCli = {\n  command: 'rotate-encryption-key',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const tenantId = (args.tenantId as string) ?? (args.tenant as string) ?? (args.tenant_id as string) ?? null\n    const organizationId = (args.organizationId as string) ?? (args.orgId as string) ?? (args.org as string) ?? null\n    const oldKey = (args['old-key'] as string) ?? (args.oldKey as string) ?? null\n    const dryRun = Boolean(args['dry-run'] || args.dry)\n    const debug = Boolean(args.debug)\n    const rotate = Boolean(oldKey)\n    if (rotate && !tenantId) {\n      console.warn(\n        '\u26A0\uFE0F  Rotating with --old-key across all tenants. A single old key should normally target one tenant; consider --tenant.',\n      )\n    }\n    if (!isTenantDataEncryptionEnabled()) {\n      console.error('TENANT_DATA_ENCRYPTION is disabled; aborting.')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const encryptionService = new TenantDataEncryptionService(em as any, { kms: createKmsService() })\n    const oldKms = rotate && oldKey ? new DerivedKeyKmsService(oldKey) : null\n    if (debug) {\n      console.log('[rotate-encryption-key]', {\n        hasOldKey: Boolean(oldKey),\n        rotate,\n        tenantId: tenantId ?? null,\n        organizationId: organizationId ?? null,\n      })\n      console.log('[rotate-encryption-key] key fingerprints', {\n        oldKey: hashSecret(oldKey),\n        currentKey: hashSecret(process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY),\n      })\n    }\n    if (!encryptionService.isEnabled()) {\n      console.error('Encryption service is not enabled (KMS unhealthy or no DEK). Aborting.')\n      return\n    }\n    const conn: any = (em as any).getConnection?.()\n    if (!conn || typeof conn.execute !== 'function') {\n      console.error('Unable to access raw connection; aborting.')\n      return\n    }\n    const meta = (em as any)?.getMetadata?.()?.get?.(User)\n    const tableName = meta?.tableName || 'users'\n    const schema = meta?.schema\n    const qualifiedTable = schema ? `\"${schema}\".\"${tableName}\"` : `\"${tableName}\"`\n    const isEncryptedPayload = (value: unknown): boolean => {\n      if (typeof value !== 'string') return false\n      const parts = value.split(':')\n      return parts.length === 4 && parts[3] === 'v1'\n    }\n    const printedDek = new Set<string>()\n    const oldDekCache = new Map<string, TenantDek | null>()\n    const processScope = async (scopeTenantId: string, scopeOrganizationId: string): Promise<number> => {\n      if (debug && !printedDek.has(scopeTenantId)) {\n        printedDek.add(scopeTenantId)\n        const [oldDek, newDek] = await Promise.all([\n          oldKms?.getTenantDek(scopeTenantId) ?? Promise.resolve(null),\n          encryptionService.getDek(scopeTenantId),\n        ])\n        console.log('[rotate-encryption-key] dek fingerprints', {\n          tenantId: scopeTenantId,\n          oldKey: fingerprintDek(oldDek),\n          currentKey: fingerprintDek(newDek),\n        })\n      }\n      const rawRows = await conn.execute(\n        `select id, email, email_hash from ${qualifiedTable} where tenant_id = ? and organization_id = ?`,\n        [scopeTenantId, scopeOrganizationId],\n      )\n      const rows = Array.isArray(rawRows) ? rawRows : []\n      const pending = rotate\n        ? rows\n        : rows.filter((row: any) => !isEncryptedPayload(row?.email))\n      if (!pending.length) return 0\n      console.log(\n        `Found ${pending.length} auth user records to process for org=${scopeOrganizationId}${dryRun ? ' (dry-run)' : ''}.`\n      )\n      if (dryRun) return 0\n      const ids = pending.map((row: any) => String(row.id))\n      const users = rotate\n        ? await em.find(\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n          )\n        : await findWithDecryption(\n            em,\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n            {},\n            { tenantId: scopeTenantId, organizationId: scopeOrganizationId, encryptionService },\n          )\n      const usersById = new Map(users.map((user) => [String(user.id), user]))\n      let updated = 0\n      for (const row of pending) {\n        const user = usersById.get(String(row.id))\n        if (!user) continue\n        const rawEmail = typeof row.email === 'string' ? row.email : String(row.email ?? '')\n        if (!rawEmail) continue\n        if (rotate && (!isEncryptedPayload(rawEmail) || !oldKms)) {\n          continue\n        }\n        let plainEmail = rawEmail\n        if (rotate && isEncryptedPayload(rawEmail) && oldKms) {\n          if (debug) {\n            console.log('[rotate-encryption-key] decrypting', {\n              userId: row.id,\n              tenantId: scopeTenantId,\n              organizationId: scopeOrganizationId,\n            })\n          }\n          let oldDek = oldDekCache.get(scopeTenantId) ?? null\n          if (!oldDekCache.has(scopeTenantId)) {\n            oldDek = await oldKms.getTenantDek(scopeTenantId)\n            oldDekCache.set(scopeTenantId, oldDek)\n          }\n          const maybeEmail = decryptWithOldKey(rawEmail, oldDek)\n          if (typeof maybeEmail !== 'string' || isEncryptedPayload(maybeEmail)) continue\n          plainEmail = maybeEmail\n        }\n        if (!plainEmail) continue\n        const encrypted = await encryptionService.encryptEntityPayload(\n          'auth:user',\n          { email: plainEmail },\n          scopeTenantId,\n          scopeOrganizationId,\n        )\n        const nextEmail = encrypted.email as string | undefined\n        if (nextEmail && nextEmail !== user.email) {\n          user.email = nextEmail as any\n          user.emailHash = (encrypted as any).emailHash ?? computeEmailHash(plainEmail)\n          em.persist(user)\n          updated += 1\n        }\n      }\n      if (updated > 0) {\n        await em.flush()\n      }\n      return updated\n    }\n\n    if (tenantId && organizationId) {\n      const updated = await processScope(String(tenantId), String(organizationId))\n      if (!updated) {\n        console.log('All auth user emails already encrypted for the selected scope.')\n      } else {\n        console.log(`Encrypted ${updated} auth user email(s).`)\n      }\n      return\n    }\n\n    const organizations = await em.find(Organization, {})\n    if (!organizations.length) {\n      console.log('No organizations found; nothing to encrypt.')\n      return\n    }\n    let total = 0\n    for (const org of organizations) {\n      const scopeTenantId = org.tenant?.id ? String(org.tenant.id) : org.tenant.id ? String(org.tenant.id) : null\n      const scopeOrganizationId = org.id ? String(org.id) : null\n      if (!scopeTenantId || !scopeOrganizationId) continue\n      total += await processScope(scopeTenantId, scopeOrganizationId)\n    }\n    if (total > 0) {\n      console.log(`Encrypted ${total} auth user email(s) across all organizations.`)\n    } else {\n      console.log('All auth user emails already encrypted across all organizations.')\n    }\n  },\n}\n\n// will be exported at the bottom with all commands\n\nconst addOrganization: ModuleCli = {\n  command: 'add-org',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const name = args.name || args.orgName\n    if (!name) {\n      console.error('Usage: mercato auth add-org --name <organization name>')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    // Create tenant implicitly for simplicity\n    const tenant = em.create(Tenant, { name: `${name} Tenant` })\n    await em.persistAndFlush(tenant)\n    const org = em.create(Organization, { name, tenant })\n    await em.persistAndFlush(org)\n    await rebuildHierarchyForTenant(em, String(tenant.id))\n    console.log('Organization created with id', org.id, 'in tenant', tenant.id)\n  },\n}\n\nconst setupApp: ModuleCli = {\n  command: 'setup',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const orgName = args.orgName || args.name\n    const email = args.email\n    const password = args.password\n    const rolesCsv = (args.roles ?? 'superadmin,admin,employee').trim()\n    if (!orgName || !email || !password) {\n      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee]')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const roleNames = rolesCsv\n      ? rolesCsv.split(',').map((s) => s.trim()).filter(Boolean)\n      : undefined\n\n    try {\n      const result = await setupInitialTenant(em, {\n        orgName,\n        roleNames,\n        primaryUser: { email, password, confirm: true },\n        includeDerivedUsers: true,\n      })\n\n      if (result.reusedExistingUser) {\n        console.log('\u26A0\uFE0F  Existing initial user detected during setup.')\n        console.log(`\u26A0\uFE0F  Email: ${email}`)\n        console.log('\u26A0\uFE0F  Updated roles if missing and reused tenant/organization.')\n      }\n\n      if(env.NODE_ENV !== 'test') { \n        for (const snapshot of result.users) {\n          if (snapshot.created) {\n            if (snapshot.user.email === email && password) {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email, 'password:', password)\n            } else {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email)\n            }\n          } else {\n            console.log(`Updated user ${snapshot.user.email}`)\n          }\n        }\n      }\n\n      if(env.NODE_ENV !== 'test')   console.log('\u2705 Setup complete:', { tenantId: result.tenantId, organizationId: result.organizationId })\n    } catch (err) {\n      if (err instanceof Error && err.message === 'USER_EXISTS') {\n        console.error('Setup aborted: user already exists with the provided email.')\n        return\n      }\n      throw err\n    }\n  },\n}\n\nconst listOrganizations: ModuleCli = {\n  command: 'list-orgs',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const orgs = await findWithDecryption(\n      em,\n      Organization,\n      {},\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: null },\n    )\n    \n    if (orgs.length === 0) {\n      console.log('No organizations found')\n      return\n    }\n    \n    console.log(`Found ${orgs.length} organization(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Tenant ID                            | Created')\n    console.log('-------------------------------------|-------------------------|-------------------------------------|-------------------')\n    \n    for (const org of orgs) {\n      const created = org.createdAt ? new Date(org.createdAt).toLocaleDateString() : 'N/A'\n      const id = org.id || 'N/A'\n      const tenantId = org.tenant?.id || 'N/A'\n      const name = (org.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${tenantId.padEnd(35)} | ${created}`)\n    }\n  },\n}\n\nconst listTenants: ModuleCli = {\n  command: 'list-tenants',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const tenants = await em.find(Tenant, {})\n    \n    if (tenants.length === 0) {\n      console.log('No tenants found')\n      return\n    }\n    \n    console.log(`Found ${tenants.length} tenant(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Created')\n    console.log('-------------------------------------|-------------------------|-------------------')\n    \n    for (const tenant of tenants) {\n      const created = tenant.createdAt ? new Date(tenant.createdAt).toLocaleDateString() : 'N/A'\n      const id = tenant.id || 'N/A'\n      const name = (tenant.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${created}`)\n    }\n  },\n}\n\nconst listUsers: ModuleCli = {\n  command: 'list-users',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    \n    // Build query with optional filters\n    const where: any = {}\n    if (args.organizationId || args.orgId || args.org) {\n      where.organizationId = args.organizationId || args.orgId || args.org\n    }\n    if (args.tenantId || args.tenant) {\n      where.tenantId = args.tenantId || args.tenant\n    }\n    \n    const users = await em.find(User, where)\n    \n    if (users.length === 0) {\n      console.log('No users found')\n      return\n    }\n    \n    console.log(`Found ${users.length} user(s):`)\n    console.log('')\n    console.log('ID                                   | Email                   | Name                    | Organization ID      | Tenant ID            | Roles')\n    console.log('-------------------------------------|-------------------------|-------------------------|---------------------|---------------------|-------------------')\n    \n    for (const user of users) {\n      // Get user roles separately\n      const userRoles = await findWithDecryption(\n        em,\n        UserRole,\n        { user: user.id },\n        { populate: ['role'] },\n        { tenantId: user.tenantId ?? null, organizationId: user.organizationId ?? null },\n      )\n      const roles = userRoles.map((ur: any) => ur.role?.name).filter(Boolean).join(', ') || 'None'\n      \n      // Get organization and tenant names if IDs exist\n      let orgName = 'N/A'\n      let tenantName = 'N/A'\n      \n      if (user.organizationId) {\n        const org = await em.findOne(Organization, { id: user.organizationId })\n        orgName = org?.name?.substring(0, 19) + '...' || user.organizationId.substring(0, 8) + '...'\n      }\n      \n      if (user.tenantId) {\n        const tenant = await em.findOne(Tenant, { id: user.tenantId })\n        tenantName = tenant?.name?.substring(0, 19) + '...' || user.tenantId.substring(0, 8) + '...'\n      }\n      \n      const id = user.id || 'N/A'\n      const email = (user.email || 'N/A').padEnd(23)\n      const name = (user.name || 'Unnamed').padEnd(23)\n      \n      console.log(`${id.padEnd(35)} | ${email} | ${name} | ${orgName.padEnd(19)} | ${tenantName.padEnd(19)} | ${roles}`)\n    }\n  },\n}\n\nconst setPassword: ModuleCli = {\n  command: 'set-password',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const email = args.email\n    const password = args.password\n    \n    if (!email || !password) {\n      console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')\n      return\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const emailHash = computeEmailHash(email)\n    const user = await em.findOne(User, { $or: [{ email }, { emailHash }] })\n    \n    if (!user) {\n      console.error(`User with email \"${email}\" not found`)\n      return\n    }\n    \n    user.passwordHash = await hash(password, 10)\n    await em.persistAndFlush(user)\n    \n    console.log(`\u2705 Password updated successfully for user: ${email}`)\n  },\n}\n\n// Export the full CLI list\nexport default [addUser, seedRoles, rotateEncryptionKey, addOrganization, setupApp, listOrganizations, listTenants, listUsers, setPassword]\n"],
-  "mappings": "AACA,SAAS,8BAA8B;AACvC,SAAS,YAAY;AAErB,SAAS,MAAM,MAAM,gBAAgB;AACrC,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,aAAa,0BAA0B;AAChD,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,oBAAoB,6BAA6B;AAC1D,SAAS,qCAAqC;AAC9C,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,yBAAyB;AAClC,SAAS,WAAW;AAEpB,OAAO,YAAY;AAEnB,MAAM,UAAqB;AAAA,EACzB,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,iBAAiB,OAAO,KAAK,kBAAkB,KAAK,SAAS,KAAK,GAAG;AAC3E,UAAM,YAAY,KAAK,SAAS,IAAI,KAAK;AACzC,QAAI,CAAC,SAAS,CAAC,YAAY,CAAC,gBAAgB;AAC1C,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,MACH,MAAM;AAAA,MACL;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC,KAAM;AACR,QAAI,CAAC,IAAK,OAAM,IAAI,MAAM,wBAAwB;AAClD,UAAM,cAAc,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AAC7D,UAAM,qBAAqB,kBAAkB,eAAe,IAAI,KAAK;AACrE,UAAM,IAAI,GAAG,OAAO,MAAM;AAAA,MACxB;AAAA,MACA,WAAW,iBAAiB,KAAK;AAAA,MACjC,cAAc,MAAM,KAAK,UAAU,EAAE;AAAA,MACrC,aAAa;AAAA,MACb,gBAAgB,IAAI;AAAA,MACpB,UAAU,IAAI,OAAO;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,gBAAgB,CAAC;AAC1B,QAAI,UAAU;AACZ,YAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,OAAK,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACnE,iBAAW,QAAQ,OAAO;AACxB,YAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,YAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,iBAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,QACxD;AACA,YAAI,CAAC,MAAM;AACX,iBAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AAClF,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,eAAK,WAAW;AAChB,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B;AACA,cAAM,OAAO,GAAG,OAAO,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC;AAClD,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,YAAQ,IAAI,wBAAwB,EAAE,EAAE;AAAA,EAC1C;AACF;AAEA,SAAS,UAAU,MAAgB;AACjC,QAAM,OAAyC,CAAC;AAChD,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,CAAC,EAAG;AACR,QAAI,EAAE,WAAW,IAAI,GAAG;AACtB,YAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,OAAO,EAAE,EAAE,MAAM,GAAG;AAC7C,UAAI,MAAM,OAAW,MAAK,CAAC,IAAI;AAAA,eACtB,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,EAAG,WAAW,IAAI,GAAG;AAAE,aAAK,CAAC,IAAI,KAAK,IAAI,CAAC;AAAI;AAAA,MAAI,MACjF,MAAK,CAAC,IAAI;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAuB;AAChD,SAAO,MAAM,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAChD;AAEA,SAAS,WAAW,OAAiD;AACnE,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,KAAK,CAAC,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC/F;AAEA,eAAe,4BAA+B,IAAkC;AAC9E,QAAM,WAAW,QAAQ,IAAI;AAC7B,UAAQ,IAAI,+BAA+B;AAC3C,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,QAAI,aAAa,QAAW;AAC1B,aAAO,QAAQ,IAAI;AAAA,IACrB,OAAO;AACL,cAAQ,IAAI,+BAA+B;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,MAAM,qBAA2C;AAAA,EAE/C,YAAY,QAAgB;AAC1B,SAAK,OAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,MAAM,CAAC,EAAE,OAAO;AAAA,EACnF;AAAA,EAEA,YAAqB;AACnB,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,UAA0B;AAC1C,UAAM,aAAa;AACnB,UAAM,YAAY;AAClB,UAAM,UAAU,OAAO,WAAW,KAAK,MAAM,UAAU,YAAY,WAAW,QAAQ;AACtF,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,CAAC,SAAU,QAAO;AACtB,WAAO,EAAE,UAAU,KAAK,KAAK,UAAU,QAAQ,GAAG,WAAW,KAAK,IAAI,EAAE;AAAA,EAC1E;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,WAAO,KAAK,aAAa,QAAQ;AAAA,EACnC;AACF;AAEA,SAAS,eAAe,KAAsC;AAC5D,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,IAAI,GAAG,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC9E;AAEA,SAAS,kBACP,SACA,KACe;AACf,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,kBAAkB,SAAS,IAAI,GAAG;AAC3C;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,MAAM,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACtC,UAAI,CAAC,IAAK;AACV,YAAM,QAAQ,KAAK,IAAI,CAAC;AACxB,UAAI,MAAO,MAAK,GAAG,IAAI;AAAA,IACzB;AACA,UAAM,WAAW,KAAK,YAAY,KAAK,UAAU,KAAK,aAAa;AACnE,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,QAAI,UAAU;AACZ,YAAM,YAAY,IAAI,EAAE,SAAS,CAAC;AAClC,cAAQ,IAAI,4CAAgC,QAAQ;AACpD;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AACxC,QAAI,CAAC,QAAQ,QAAQ;AACnB,cAAQ,IAAI,oCAAoC;AAChD;AAAA,IACF;AACA,eAAW,UAAU,SAAS;AAC5B,YAAM,KAAK,OAAO,KAAK,OAAO,OAAO,EAAE,IAAI;AAC3C,UAAI,CAAC,GAAI;AACT,YAAM,YAAY,IAAI,EAAE,UAAU,GAAG,CAAC;AACtC,cAAQ,IAAI,4CAAgC,EAAE;AAAA,IAChD;AAAA,EACF;AACF;AAEA,MAAM,sBAAiC;AAAA,EACrC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,WAAY,KAAK,YAAwB,KAAK,UAAsB,KAAK,aAAwB;AACvG,UAAM,iBAAkB,KAAK,kBAA8B,KAAK,SAAqB,KAAK,OAAkB;AAC5G,UAAM,SAAU,KAAK,SAAS,KAAiB,KAAK,UAAqB;AACzE,UAAM,SAAS,QAAQ,KAAK,SAAS,KAAK,KAAK,GAAG;AAClD,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,SAAS,QAAQ,MAAM;AAC7B,QAAI,UAAU,CAAC,UAAU;AACvB,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,8BAA8B,GAAG;AACpC,cAAQ,MAAM,+CAA+C;AAC7D;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,oBAAoB,IAAI,4BAA4B,IAAW,EAAE,KAAK,iBAAiB,EAAE,CAAC;AAChG,UAAM,SAAS,UAAU,SAAS,IAAI,qBAAqB,MAAM,IAAI;AACrE,QAAI,OAAO;AACT,cAAQ,IAAI,2BAA2B;AAAA,QACrC,WAAW,QAAQ,MAAM;AAAA,QACzB;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,gBAAgB,kBAAkB;AAAA,MACpC,CAAC;AACD,cAAQ,IAAI,4CAA4C;AAAA,QACtD,QAAQ,WAAW,MAAM;AAAA,QACzB,YAAY,WAAW,QAAQ,IAAI,mCAAmC;AAAA,MACxE,CAAC;AAAA,IACH;AACA,QAAI,CAAC,kBAAkB,UAAU,GAAG;AAClC,cAAQ,MAAM,wEAAwE;AACtF;AAAA,IACF;AACA,UAAM,OAAa,GAAW,gBAAgB;AAC9C,QAAI,CAAC,QAAQ,OAAO,KAAK,YAAY,YAAY;AAC/C,cAAQ,MAAM,4CAA4C;AAC1D;AAAA,IACF;AACA,UAAM,OAAQ,IAAY,cAAc,GAAG,MAAM,IAAI;AACrD,UAAM,YAAY,MAAM,aAAa;AACrC,UAAM,SAAS,MAAM;AACrB,UAAM,iBAAiB,SAAS,IAAI,MAAM,MAAM,SAAS,MAAM,IAAI,SAAS;AAC5E,UAAM,qBAAqB,CAAC,UAA4B;AACtD,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,aAAO,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAAA,IAC5C;AACA,UAAM,aAAa,oBAAI,IAAY;AACnC,UAAM,cAAc,oBAAI,IAA8B;AACtD,UAAM,eAAe,OAAO,eAAuB,wBAAiD;AAClG,UAAI,SAAS,CAAC,WAAW,IAAI,aAAa,GAAG;AAC3C,mBAAW,IAAI,aAAa;AAC5B,cAAM,CAAC,QAAQ,MAAM,IAAI,MAAM,QAAQ,IAAI;AAAA,UACzC,QAAQ,aAAa,aAAa,KAAK,QAAQ,QAAQ,IAAI;AAAA,UAC3D,kBAAkB,OAAO,aAAa;AAAA,QACxC,CAAC;AACD,gBAAQ,IAAI,4CAA4C;AAAA,UACtD,UAAU;AAAA,UACV,QAAQ,eAAe,MAAM;AAAA,UAC7B,YAAY,eAAe,MAAM;AAAA,QACnC,CAAC;AAAA,MACH;AACA,YAAM,UAAU,MAAM,KAAK;AAAA,QACzB,qCAAqC,cAAc;AAAA,QACnD,CAAC,eAAe,mBAAmB;AAAA,MACrC;AACA,YAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC;AACjD,YAAM,UAAU,SACZ,OACA,KAAK,OAAO,CAAC,QAAa,CAAC,mBAAmB,KAAK,KAAK,CAAC;AAC7D,UAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,cAAQ;AAAA,QACN,SAAS,QAAQ,MAAM,yCAAyC,mBAAmB,GAAG,SAAS,eAAe,EAAE;AAAA,MAClH;AACA,UAAI,OAAQ,QAAO;AACnB,YAAM,MAAM,QAAQ,IAAI,CAAC,QAAa,OAAO,IAAI,EAAE,CAAC;AACpD,YAAM,QAAQ,SACV,MAAM,GAAG;AAAA,QACP;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,MACnF,IACA,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,QACjF,CAAC;AAAA,QACD,EAAE,UAAU,eAAe,gBAAgB,qBAAqB,kBAAkB;AAAA,MACpF;AACJ,YAAM,YAAY,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AACtE,UAAI,UAAU;AACd,iBAAW,OAAO,SAAS;AACzB,cAAM,OAAO,UAAU,IAAI,OAAO,IAAI,EAAE,CAAC;AACzC,YAAI,CAAC,KAAM;AACX,cAAM,WAAW,OAAO,IAAI,UAAU,WAAW,IAAI,QAAQ,OAAO,IAAI,SAAS,EAAE;AACnF,YAAI,CAAC,SAAU;AACf,YAAI,WAAW,CAAC,mBAAmB,QAAQ,KAAK,CAAC,SAAS;AACxD;AAAA,QACF;AACA,YAAI,aAAa;AACjB,YAAI,UAAU,mBAAmB,QAAQ,KAAK,QAAQ;AACpD,cAAI,OAAO;AACT,oBAAQ,IAAI,sCAAsC;AAAA,cAChD,QAAQ,IAAI;AAAA,cACZ,UAAU;AAAA,cACV,gBAAgB;AAAA,YAClB,CAAC;AAAA,UACH;AACA,cAAI,SAAS,YAAY,IAAI,aAAa,KAAK;AAC/C,cAAI,CAAC,YAAY,IAAI,aAAa,GAAG;AACnC,qBAAS,MAAM,OAAO,aAAa,aAAa;AAChD,wBAAY,IAAI,eAAe,MAAM;AAAA,UACvC;AACA,gBAAM,aAAa,kBAAkB,UAAU,MAAM;AACrD,cAAI,OAAO,eAAe,YAAY,mBAAmB,UAAU,EAAG;AACtE,uBAAa;AAAA,QACf;AACA,YAAI,CAAC,WAAY;AACjB,cAAM,YAAY,MAAM,kBAAkB;AAAA,UACxC;AAAA,UACA,EAAE,OAAO,WAAW;AAAA,UACpB;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,UAAU;AAC5B,YAAI,aAAa,cAAc,KAAK,OAAO;AACzC,eAAK,QAAQ;AACb,eAAK,YAAa,UAAkB,aAAa,iBAAiB,UAAU;AAC5E,aAAG,QAAQ,IAAI;AACf,qBAAW;AAAA,QACb;AAAA,MACF;AACA,UAAI,UAAU,GAAG;AACf,cAAM,GAAG,MAAM;AAAA,MACjB;AACA,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,gBAAgB;AAC9B,YAAM,UAAU,MAAM,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3E,UAAI,CAAC,SAAS;AACZ,gBAAQ,IAAI,gEAAgE;AAAA,MAC9E,OAAO;AACL,gBAAQ,IAAI,aAAa,OAAO,sBAAsB;AAAA,MACxD;AACA;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,GAAG,KAAK,cAAc,CAAC,CAAC;AACpD,QAAI,CAAC,cAAc,QAAQ;AACzB,cAAQ,IAAI,6CAA6C;AACzD;AAAA,IACF;AACA,QAAI,QAAQ;AACZ,eAAW,OAAO,eAAe;AAC/B,YAAM,gBAAgB,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AACvG,YAAM,sBAAsB,IAAI,KAAK,OAAO,IAAI,EAAE,IAAI;AACtD,UAAI,CAAC,iBAAiB,CAAC,oBAAqB;AAC5C,eAAS,MAAM,aAAa,eAAe,mBAAmB;AAAA,IAChE;AACA,QAAI,QAAQ,GAAG;AACb,cAAQ,IAAI,aAAa,KAAK,+CAA+C;AAAA,IAC/E,OAAO;AACL,cAAQ,IAAI,kEAAkE;AAAA,IAChF;AAAA,EACF;AACF;AAIA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,OAAO,KAAK,QAAQ,KAAK;AAC/B,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,wDAAwD;AACtE;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAEvB,UAAM,SAAS,GAAG,OAAO,QAAQ,EAAE,MAAM,GAAG,IAAI,UAAU,CAAC;AAC3D,UAAM,GAAG,gBAAgB,MAAM;AAC/B,UAAM,MAAM,GAAG,OAAO,cAAc,EAAE,MAAM,OAAO,CAAC;AACpD,UAAM,GAAG,gBAAgB,GAAG;AAC5B,UAAM,0BAA0B,IAAI,OAAO,OAAO,EAAE,CAAC;AACrD,YAAQ,IAAI,gCAAgC,IAAI,IAAI,aAAa,OAAO,EAAE;AAAA,EAC5E;AACF;AAEA,MAAM,WAAsB;AAAA,EAC1B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,UAAU,KAAK,WAAW,KAAK;AACrC,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,YAAY,KAAK,SAAS,6BAA6B,KAAK;AAClE,QAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU;AACnC,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,YAAY,WACd,SAAS,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IACvD;AAEJ,QAAI;AACF,YAAM,SAAS,MAAM,mBAAmB,IAAI;AAAA,QAC1C;AAAA,QACA;AAAA,QACA,aAAa,EAAE,OAAO,UAAU,SAAS,KAAK;AAAA,QAC9C,qBAAqB;AAAA,MACvB,CAAC;AAED,UAAI,OAAO,oBAAoB;AAC7B,gBAAQ,IAAI,4DAAkD;AAC9D,gBAAQ,IAAI,wBAAc,KAAK,EAAE;AACjC,gBAAQ,IAAI,wEAA8D;AAAA,MAC5E;AAEA,UAAG,IAAI,aAAa,QAAQ;AAC1B,mBAAW,YAAY,OAAO,OAAO;AACnC,cAAI,SAAS,SAAS;AACpB,gBAAI,SAAS,KAAK,UAAU,SAAS,UAAU;AAC7C,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,OAAO,aAAa,QAAQ;AAAA,YAC3E,OAAO;AACL,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,KAAK;AAAA,YACpD;AAAA,UACF,OAAO;AACL,oBAAQ,IAAI,gBAAgB,SAAS,KAAK,KAAK,EAAE;AAAA,UACnD;AAAA,QACF;AAAA,MACF;AAEA,UAAG,IAAI,aAAa,OAAU,SAAQ,IAAI,0BAAqB,EAAE,UAAU,OAAO,UAAU,gBAAgB,OAAO,eAAe,CAAC;AAAA,IACrI,SAAS,KAAK;AACZ,UAAI,eAAe,SAAS,IAAI,YAAY,eAAe;AACzD,gBAAQ,MAAM,6DAA6D;AAC3E;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAEA,MAAM,oBAA+B;AAAA,EACnC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,cAAQ,IAAI,wBAAwB;AACpC;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,KAAK,MAAM,mBAAmB;AACnD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,iHAAiH;AAC7H,YAAQ,IAAI,2HAA2H;AAEvI,eAAW,OAAO,MAAM;AACtB,YAAM,UAAU,IAAI,YAAY,IAAI,KAAK,IAAI,SAAS,EAAE,mBAAmB,IAAI;AAC/E,YAAM,KAAK,IAAI,MAAM;AACrB,YAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,YAAM,QAAQ,IAAI,QAAQ,WAAW,OAAO,EAAE;AAC9C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,SAAS,OAAO,EAAE,CAAC,MAAM,OAAO,EAAE;AAAA,IAChF;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AAExC,QAAI,QAAQ,WAAW,GAAG;AACxB,cAAQ,IAAI,kBAAkB;AAC9B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,QAAQ,MAAM,aAAa;AAChD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,0EAA0E;AACtF,YAAQ,IAAI,qFAAqF;AAEjG,eAAW,UAAU,SAAS;AAC5B,YAAM,UAAU,OAAO,YAAY,IAAI,KAAK,OAAO,SAAS,EAAE,mBAAmB,IAAI;AACrF,YAAM,KAAK,OAAO,MAAM;AACxB,YAAM,QAAQ,OAAO,QAAQ,WAAW,OAAO,EAAE;AACjD,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,OAAO,EAAE;AAAA,IACvD;AAAA,EACF;AACF;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAGvB,UAAM,QAAa,CAAC;AACpB,QAAI,KAAK,kBAAkB,KAAK,SAAS,KAAK,KAAK;AACjD,YAAM,iBAAiB,KAAK,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnE;AACA,QAAI,KAAK,YAAY,KAAK,QAAQ;AAChC,YAAM,WAAW,KAAK,YAAY,KAAK;AAAA,IACzC;AAEA,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,KAAK;AAEvC,QAAI,MAAM,WAAW,GAAG;AACtB,cAAQ,IAAI,gBAAgB;AAC5B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,MAAM,MAAM,WAAW;AAC5C,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,gJAAgJ;AAC5J,YAAQ,IAAI,2JAA2J;AAEvK,eAAW,QAAQ,OAAO;AAExB,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,EAAE,MAAM,KAAK,GAAG;AAAA,QAChB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,QACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,MACjF;AACA,YAAM,QAAQ,UAAU,IAAI,CAAC,OAAY,GAAG,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE,KAAK,IAAI,KAAK;AAGtF,UAAI,UAAU;AACd,UAAI,aAAa;AAEjB,UAAI,KAAK,gBAAgB;AACvB,cAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,EAAE,IAAI,KAAK,eAAe,CAAC;AACtE,kBAAU,KAAK,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,eAAe,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,UAAI,KAAK,UAAU;AACjB,cAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,IAAI,KAAK,SAAS,CAAC;AAC7D,qBAAa,QAAQ,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,SAAS,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,YAAM,KAAK,KAAK,MAAM;AACtB,YAAM,SAAS,KAAK,SAAS,OAAO,OAAO,EAAE;AAC7C,YAAM,QAAQ,KAAK,QAAQ,WAAW,OAAO,EAAE;AAE/C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,QAAQ,OAAO,EAAE,CAAC,MAAM,WAAW,OAAO,EAAE,CAAC,MAAM,KAAK,EAAE;AAAA,IACnH;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,SAAS,CAAC,UAAU;AACvB,cAAQ,MAAM,2EAA2E;AACzF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,YAAY,iBAAiB,KAAK;AACxC,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;AAEvE,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,oBAAoB,KAAK,aAAa;AACpD;AAAA,IACF;AAEA,SAAK,eAAe,MAAM,KAAK,UAAU,EAAE;AAC3C,UAAM,GAAG,gBAAgB,IAAI;AAE7B,YAAQ,IAAI,kDAA6C,KAAK,EAAE;AAAA,EAClE;AACF;AAGA,IAAO,cAAQ,CAAC,SAAS,WAAW,qBAAqB,iBAAiB,UAAU,mBAAmB,aAAa,WAAW,WAAW;",
+  "sourcesContent": ["import type { ModuleCli } from '@open-mercato/shared/modules/registry'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { hash } from 'bcryptjs'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant, Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { rebuildHierarchyForTenant } from '@open-mercato/core/modules/directory/lib/hierarchy'\nimport { ensureRoles, setupInitialTenant } from './lib/setup-app'\nimport { normalizeTenantId } from './lib/tenantAccess'\nimport { computeEmailHash } from './lib/emailHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { isTenantDataEncryptionEnabled } from '@open-mercato/shared/lib/encryption/toggles'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { env } from 'process'\nimport type { KmsService, TenantDek } from '@open-mercato/shared/lib/encryption/kms'\nimport crypto from 'node:crypto'\nimport { formatPasswordRequirements, getPasswordPolicy, validatePassword } from '@open-mercato/shared/lib/auth/passwordPolicy'\nimport { parseBooleanToken } from '@open-mercato/shared/lib/boolean'\n\nconst addUser: ModuleCli = {\n  command: 'add-user',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const email = args.email\n    const password = args.password\n    const organizationId = String(args.organizationId ?? args.orgId ?? args.org)\n    const rolesCsv = (args.roles ?? '').trim()\n    if (!email || !password || !organizationId) {\n      console.error('Usage: mercato auth add-user --email <email> --password <password> --organizationId <id> [--roles customer,employee]')\n      return\n    }\n    if (!ensurePasswordPolicy(password)) return\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const org =\n      (await findOneWithDecryption(\n        em,\n        Organization,\n        { id: organizationId },\n        { populate: ['tenant'] },\n        { tenantId: null, organizationId },\n      )) ?? null\n    if (!org) throw new Error('Organization not found')\n    const orgTenantId = org.tenant?.id ? String(org.tenant.id) : null\n    const normalizedTenantId = normalizeTenantId(orgTenantId ?? null) ?? null\n    const u = em.create(User, {\n      email,\n      emailHash: computeEmailHash(email),\n      passwordHash: await hash(password, 10),\n      isConfirmed: true,\n      organizationId: org.id,\n      tenantId: org.tenant.id,\n    })\n    await em.persistAndFlush(u)\n    if (rolesCsv) {\n      const names = rolesCsv.split(',').map(s => s.trim()).filter(Boolean)\n      for (const name of names) {\n        let role = await em.findOne(Role, { name, tenantId: normalizedTenantId })\n        if (!role && normalizedTenantId !== null) {\n          role = await em.findOne(Role, { name, tenantId: null })\n        }\n        if (!role) {\n        role = em.create(Role, { name, tenantId: normalizedTenantId, createdAt: new Date() })\n          await em.persistAndFlush(role)\n        } else if (normalizedTenantId !== null && role.tenantId !== normalizedTenantId) {\n          role.tenantId = normalizedTenantId\n          await em.persistAndFlush(role)\n        }\n        const link = em.create(UserRole, { user: u, role })\n        await em.persistAndFlush(link)\n      }\n    }\n    console.log('User created with id', u.id)\n  },\n}\n\nfunction parseArgs(rest: string[]) {\n  const args: Record<string, string | boolean> = {}\n  for (let i = 0; i < rest.length; i++) {\n    const a = rest[i]\n    if (!a) continue\n    if (a.startsWith('--')) {\n      const [k, v] = a.replace(/^--/, '').split('=')\n      if (v !== undefined) args[k] = v\n      else if (rest[i + 1] && !rest[i + 1]!.startsWith('--')) { args[k] = rest[i + 1]!; i++ }\n      else args[k] = true\n    }\n  }\n  return args\n}\n\nfunction normalizeKeyInput(value: string): string {\n  return value.trim().replace(/^['\"]|['\"]$/g, '')\n}\n\nfunction hashSecret(value: string | null | undefined): string | null {\n  if (!value) return null\n  return crypto.createHash('sha256').update(normalizeKeyInput(value)).digest('hex').slice(0, 12)\n}\n\nfunction ensurePasswordPolicy(password: string): boolean {\n  const policy = getPasswordPolicy()\n  const result = validatePassword(password, policy)\n  if (result.ok) return true\n  const requirements = formatPasswordRequirements(policy, (_key, fallback) => fallback)\n  const suffix = requirements ? `: ${requirements}` : ''\n  console.error(`Password does not meet the requirements${suffix}.`)\n  return false\n}\n\nasync function withEncryptionDebugDisabled<T>(fn: () => Promise<T>): Promise<T> {\n  const previous = process.env.TENANT_DATA_ENCRYPTION_DEBUG\n  process.env.TENANT_DATA_ENCRYPTION_DEBUG = 'no'\n  try {\n    return await fn()\n  } finally {\n    if (previous === undefined) {\n      delete process.env.TENANT_DATA_ENCRYPTION_DEBUG\n    } else {\n      process.env.TENANT_DATA_ENCRYPTION_DEBUG = previous\n    }\n  }\n}\n\nclass DerivedKeyKmsService implements KmsService {\n  private root: Buffer\n  constructor(secret: string) {\n    this.root = crypto.createHash('sha256').update(normalizeKeyInput(secret)).digest()\n  }\n\n  isHealthy(): boolean {\n    return true\n  }\n\n  private deriveKey(tenantId: string): string {\n    const iterations = 310_000\n    const keyLength = 32\n    const derived = crypto.pbkdf2Sync(this.root, tenantId, iterations, keyLength, 'sha512')\n    return derived.toString('base64')\n  }\n\n  async getTenantDek(tenantId: string): Promise<TenantDek | null> {\n    if (!tenantId) return null\n    return { tenantId, key: this.deriveKey(tenantId), fetchedAt: Date.now() }\n  }\n\n  async createTenantDek(tenantId: string): Promise<TenantDek | null> {\n    return this.getTenantDek(tenantId)\n  }\n}\n\nfunction fingerprintDek(dek: TenantDek | null): string | null {\n  if (!dek?.key) return null\n  return crypto.createHash('sha256').update(dek.key).digest('hex').slice(0, 12)\n}\n\nfunction decryptWithOldKey(\n  payload: string,\n  dek: TenantDek | null,\n): string | null {\n  if (!dek?.key) return null\n  return decryptWithAesGcm(payload, dek.key)\n}\n\nconst seedRoles: ModuleCli = {\n  command: 'seed-roles',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const key = rest[i]?.replace(/^--/, '')\n      if (!key) continue\n      const value = rest[i + 1]\n      if (value) args[key] = value\n    }\n    const tenantId = args.tenantId ?? args.tenant ?? args.tenant_id ?? null\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    if (tenantId) {\n      await ensureRoles(em, { tenantId })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', tenantId)\n      return\n    }\n    const tenants = await em.find(Tenant, {})\n    if (!tenants.length) {\n      console.log('No tenants found; nothing to seed.')\n      return\n    }\n    for (const tenant of tenants) {\n      const id = tenant.id ? String(tenant.id) : null\n      if (!id) continue\n      await ensureRoles(em, { tenantId: id })\n      console.log('\uD83D\uDEE1\uFE0F Roles ensured for tenant', id)\n    }\n  },\n}\n\nconst rotateEncryptionKey: ModuleCli = {\n  command: 'rotate-encryption-key',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const tenantId = (args.tenantId as string) ?? (args.tenant as string) ?? (args.tenant_id as string) ?? null\n    const organizationId = (args.organizationId as string) ?? (args.orgId as string) ?? (args.org as string) ?? null\n    const oldKey = (args['old-key'] as string) ?? (args.oldKey as string) ?? null\n    const dryRun = Boolean(args['dry-run'] || args.dry)\n    const debug = Boolean(args.debug)\n    const rotate = Boolean(oldKey)\n    if (rotate && !tenantId) {\n      console.warn(\n        '\u26A0\uFE0F  Rotating with --old-key across all tenants. A single old key should normally target one tenant; consider --tenant.',\n      )\n    }\n    if (!isTenantDataEncryptionEnabled()) {\n      console.error('TENANT_DATA_ENCRYPTION is disabled; aborting.')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const encryptionService = new TenantDataEncryptionService(em as any, { kms: createKmsService() })\n    const oldKms = rotate && oldKey ? new DerivedKeyKmsService(oldKey) : null\n    if (debug) {\n      console.log('[rotate-encryption-key]', {\n        hasOldKey: Boolean(oldKey),\n        rotate,\n        tenantId: tenantId ?? null,\n        organizationId: organizationId ?? null,\n      })\n      console.log('[rotate-encryption-key] key fingerprints', {\n        oldKey: hashSecret(oldKey),\n        currentKey: hashSecret(process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY),\n      })\n    }\n    if (!encryptionService.isEnabled()) {\n      console.error('Encryption service is not enabled (KMS unhealthy or no DEK). Aborting.')\n      return\n    }\n    const conn: any = (em as any).getConnection?.()\n    if (!conn || typeof conn.execute !== 'function') {\n      console.error('Unable to access raw connection; aborting.')\n      return\n    }\n    const meta = (em as any)?.getMetadata?.()?.get?.(User)\n    const tableName = meta?.tableName || 'users'\n    const schema = meta?.schema\n    const qualifiedTable = schema ? `\"${schema}\".\"${tableName}\"` : `\"${tableName}\"`\n    const isEncryptedPayload = (value: unknown): boolean => {\n      if (typeof value !== 'string') return false\n      const parts = value.split(':')\n      return parts.length === 4 && parts[3] === 'v1'\n    }\n    const printedDek = new Set<string>()\n    const oldDekCache = new Map<string, TenantDek | null>()\n    const processScope = async (scopeTenantId: string, scopeOrganizationId: string): Promise<number> => {\n      if (debug && !printedDek.has(scopeTenantId)) {\n        printedDek.add(scopeTenantId)\n        const [oldDek, newDek] = await Promise.all([\n          oldKms?.getTenantDek(scopeTenantId) ?? Promise.resolve(null),\n          encryptionService.getDek(scopeTenantId),\n        ])\n        console.log('[rotate-encryption-key] dek fingerprints', {\n          tenantId: scopeTenantId,\n          oldKey: fingerprintDek(oldDek),\n          currentKey: fingerprintDek(newDek),\n        })\n      }\n      const rawRows = await conn.execute(\n        `select id, email, email_hash from ${qualifiedTable} where tenant_id = ? and organization_id = ?`,\n        [scopeTenantId, scopeOrganizationId],\n      )\n      const rows = Array.isArray(rawRows) ? rawRows : []\n      const pending = rotate\n        ? rows\n        : rows.filter((row: any) => !isEncryptedPayload(row?.email))\n      if (!pending.length) return 0\n      console.log(\n        `Found ${pending.length} auth user records to process for org=${scopeOrganizationId}${dryRun ? ' (dry-run)' : ''}.`\n      )\n      if (dryRun) return 0\n      const ids = pending.map((row: any) => String(row.id))\n      const users = rotate\n        ? await em.find(\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n          )\n        : await findWithDecryption(\n            em,\n            User,\n            { id: { $in: ids }, tenantId: scopeTenantId, organizationId: scopeOrganizationId },\n            {},\n            { tenantId: scopeTenantId, organizationId: scopeOrganizationId, encryptionService },\n          )\n      const usersById = new Map(users.map((user) => [String(user.id), user]))\n      let updated = 0\n      for (const row of pending) {\n        const user = usersById.get(String(row.id))\n        if (!user) continue\n        const rawEmail = typeof row.email === 'string' ? row.email : String(row.email ?? '')\n        if (!rawEmail) continue\n        if (rotate && (!isEncryptedPayload(rawEmail) || !oldKms)) {\n          continue\n        }\n        let plainEmail = rawEmail\n        if (rotate && isEncryptedPayload(rawEmail) && oldKms) {\n          if (debug) {\n            console.log('[rotate-encryption-key] decrypting', {\n              userId: row.id,\n              tenantId: scopeTenantId,\n              organizationId: scopeOrganizationId,\n            })\n          }\n          let oldDek = oldDekCache.get(scopeTenantId) ?? null\n          if (!oldDekCache.has(scopeTenantId)) {\n            oldDek = await oldKms.getTenantDek(scopeTenantId)\n            oldDekCache.set(scopeTenantId, oldDek)\n          }\n          const maybeEmail = decryptWithOldKey(rawEmail, oldDek)\n          if (typeof maybeEmail !== 'string' || isEncryptedPayload(maybeEmail)) continue\n          plainEmail = maybeEmail\n        }\n        if (!plainEmail) continue\n        const encrypted = await encryptionService.encryptEntityPayload(\n          'auth:user',\n          { email: plainEmail },\n          scopeTenantId,\n          scopeOrganizationId,\n        )\n        const nextEmail = encrypted.email as string | undefined\n        if (nextEmail && nextEmail !== user.email) {\n          user.email = nextEmail as any\n          user.emailHash = (encrypted as any).emailHash ?? computeEmailHash(plainEmail)\n          em.persist(user)\n          updated += 1\n        }\n      }\n      if (updated > 0) {\n        await em.flush()\n      }\n      return updated\n    }\n\n    if (tenantId && organizationId) {\n      const updated = await processScope(String(tenantId), String(organizationId))\n      if (!updated) {\n        console.log('All auth user emails already encrypted for the selected scope.')\n      } else {\n        console.log(`Encrypted ${updated} auth user email(s).`)\n      }\n      return\n    }\n\n    const organizations = await em.find(Organization, {})\n    if (!organizations.length) {\n      console.log('No organizations found; nothing to encrypt.')\n      return\n    }\n    let total = 0\n    for (const org of organizations) {\n      const scopeTenantId = org.tenant?.id ? String(org.tenant.id) : org.tenant.id ? String(org.tenant.id) : null\n      const scopeOrganizationId = org.id ? String(org.id) : null\n      if (!scopeTenantId || !scopeOrganizationId) continue\n      total += await processScope(scopeTenantId, scopeOrganizationId)\n    }\n    if (total > 0) {\n      console.log(`Encrypted ${total} auth user email(s) across all organizations.`)\n    } else {\n      console.log('All auth user emails already encrypted across all organizations.')\n    }\n  },\n}\n\n// will be exported at the bottom with all commands\n\nconst addOrganization: ModuleCli = {\n  command: 'add-org',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    const name = args.name || args.orgName\n    if (!name) {\n      console.error('Usage: mercato auth add-org --name <organization name>')\n      return\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    // Create tenant implicitly for simplicity\n    const tenant = em.create(Tenant, { name: `${name} Tenant` })\n    await em.persistAndFlush(tenant)\n    const org = em.create(Organization, { name, tenant })\n    await em.persistAndFlush(org)\n    await rebuildHierarchyForTenant(em, String(tenant.id))\n    console.log('Organization created with id', org.id, 'in tenant', tenant.id)\n  },\n}\n\nconst setupApp: ModuleCli = {\n  command: 'setup',\n  async run(rest) {\n    const args = parseArgs(rest)\n    const orgName = typeof args.orgName === 'string'\n      ? args.orgName\n      : typeof args.name === 'string'\n        ? args.name\n        : undefined\n    const email = typeof args.email === 'string' ? args.email : undefined\n    const password = typeof args.password === 'string' ? args.password : undefined\n    const rolesCsv = typeof args.roles === 'string'\n      ? args.roles.trim()\n      : 'superadmin,admin,employee'\n    const skipPasswordPolicyRaw =\n      args['skip-password-policy'] ??\n      args.skipPasswordPolicy ??\n      args['allow-weak-password'] ??\n      args.allowWeakPassword\n    const skipPasswordPolicy = typeof skipPasswordPolicyRaw === 'boolean'\n      ? skipPasswordPolicyRaw\n      : parseBooleanToken(typeof skipPasswordPolicyRaw === 'string' ? skipPasswordPolicyRaw : null) ?? false\n    if (!orgName || !email || !password) {\n      console.error('Usage: mercato auth setup --orgName <name> --email <email> --password <password> [--roles superadmin,admin,employee] [--skip-password-policy]')\n      return\n    }\n    if (!skipPasswordPolicy && !ensurePasswordPolicy(password)) return\n    if (skipPasswordPolicy) {\n      console.warn('\u26A0\uFE0F  Password policy validation skipped for setup.')\n    }\n    const { resolve } = await createRequestContainer()\n    const em = resolve<EntityManager>('em')\n    const roleNames = rolesCsv\n      ? rolesCsv.split(',').map((s) => s.trim()).filter(Boolean)\n      : undefined\n\n    try {\n      const result = await setupInitialTenant(em, {\n        orgName,\n        roleNames,\n        primaryUser: { email, password, confirm: true },\n        includeDerivedUsers: true,\n      })\n\n      if (result.reusedExistingUser) {\n        console.log('\u26A0\uFE0F  Existing initial user detected during setup.')\n        console.log(`\u26A0\uFE0F  Email: ${email}`)\n        console.log('\u26A0\uFE0F  Updated roles if missing and reused tenant/organization.')\n      }\n\n      if(env.NODE_ENV !== 'test') { \n        for (const snapshot of result.users) {\n          if (snapshot.created) {\n            if (snapshot.user.email === email && password) {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email, 'password:', password)\n            } else {\n              console.log('\uD83C\uDF89 Created user', snapshot.user.email)\n            }\n          } else {\n            console.log(`Updated user ${snapshot.user.email}`)\n          }\n        }\n      }\n\n      if(env.NODE_ENV !== 'test')   console.log('\u2705 Setup complete:', { tenantId: result.tenantId, organizationId: result.organizationId })\n    } catch (err) {\n      if (err instanceof Error && err.message === 'USER_EXISTS') {\n        console.error('Setup aborted: user already exists with the provided email.')\n        return\n      }\n      throw err\n    }\n  },\n}\n\nconst listOrganizations: ModuleCli = {\n  command: 'list-orgs',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const orgs = await findWithDecryption(\n      em,\n      Organization,\n      {},\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId: null },\n    )\n    \n    if (orgs.length === 0) {\n      console.log('No organizations found')\n      return\n    }\n    \n    console.log(`Found ${orgs.length} organization(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Tenant ID                            | Created')\n    console.log('-------------------------------------|-------------------------|-------------------------------------|-------------------')\n    \n    for (const org of orgs) {\n      const created = org.createdAt ? new Date(org.createdAt).toLocaleDateString() : 'N/A'\n      const id = org.id || 'N/A'\n      const tenantId = org.tenant?.id || 'N/A'\n      const name = (org.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${tenantId.padEnd(35)} | ${created}`)\n    }\n  },\n}\n\nconst listTenants: ModuleCli = {\n  command: 'list-tenants',\n  async run() {\n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const tenants = await em.find(Tenant, {})\n    \n    if (tenants.length === 0) {\n      console.log('No tenants found')\n      return\n    }\n    \n    console.log(`Found ${tenants.length} tenant(s):`)\n    console.log('')\n    console.log('ID                                   | Name                    | Created')\n    console.log('-------------------------------------|-------------------------|-------------------')\n    \n    for (const tenant of tenants) {\n      const created = tenant.createdAt ? new Date(tenant.createdAt).toLocaleDateString() : 'N/A'\n      const id = tenant.id || 'N/A'\n      const name = (tenant.name || 'Unnamed').padEnd(23)\n      console.log(`${id.padEnd(35)} | ${name} | ${created}`)\n    }\n  },\n}\n\nconst listUsers: ModuleCli = {\n  command: 'list-users',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    \n    // Build query with optional filters\n    const where: any = {}\n    if (args.organizationId || args.orgId || args.org) {\n      where.organizationId = args.organizationId || args.orgId || args.org\n    }\n    if (args.tenantId || args.tenant) {\n      where.tenantId = args.tenantId || args.tenant\n    }\n    \n    const users = await em.find(User, where)\n    \n    if (users.length === 0) {\n      console.log('No users found')\n      return\n    }\n    \n    console.log(`Found ${users.length} user(s):`)\n    console.log('')\n    console.log('ID                                   | Email                   | Name                    | Organization ID      | Tenant ID            | Roles')\n    console.log('-------------------------------------|-------------------------|-------------------------|---------------------|---------------------|-------------------')\n    \n    for (const user of users) {\n      // Get user roles separately\n      const userRoles = await findWithDecryption(\n        em,\n        UserRole,\n        { user: user.id },\n        { populate: ['role'] },\n        { tenantId: user.tenantId ?? null, organizationId: user.organizationId ?? null },\n      )\n      const roles = userRoles.map((ur: any) => ur.role?.name).filter(Boolean).join(', ') || 'None'\n      \n      // Get organization and tenant names if IDs exist\n      let orgName = 'N/A'\n      let tenantName = 'N/A'\n      \n      if (user.organizationId) {\n        const org = await em.findOne(Organization, { id: user.organizationId })\n        orgName = org?.name?.substring(0, 19) + '...' || user.organizationId.substring(0, 8) + '...'\n      }\n      \n      if (user.tenantId) {\n        const tenant = await em.findOne(Tenant, { id: user.tenantId })\n        tenantName = tenant?.name?.substring(0, 19) + '...' || user.tenantId.substring(0, 8) + '...'\n      }\n      \n      const id = user.id || 'N/A'\n      const email = (user.email || 'N/A').padEnd(23)\n      const name = (user.name || 'Unnamed').padEnd(23)\n      \n      console.log(`${id.padEnd(35)} | ${email} | ${name} | ${orgName.padEnd(19)} | ${tenantName.padEnd(19)} | ${roles}`)\n    }\n  },\n}\n\nconst setPassword: ModuleCli = {\n  command: 'set-password',\n  async run(rest) {\n    const args: Record<string, string> = {}\n    for (let i = 0; i < rest.length; i += 2) {\n      const k = rest[i]?.replace(/^--/, '')\n      const v = rest[i + 1]\n      if (k) args[k] = v\n    }\n    \n    const email = args.email\n    const password = args.password\n    \n    if (!email || !password) {\n      console.error('Usage: mercato auth set-password --email <email> --password <newPassword>')\n      return\n    }\n    if (!ensurePasswordPolicy(password)) return\n    \n    const { resolve } = await createRequestContainer()\n    const em = resolve('em') as any\n    const emailHash = computeEmailHash(email)\n    const user = await em.findOne(User, { $or: [{ email }, { emailHash }] })\n    \n    if (!user) {\n      console.error(`User with email \"${email}\" not found`)\n      return\n    }\n    \n    user.passwordHash = await hash(password, 10)\n    await em.persistAndFlush(user)\n    \n    console.log(`\u2705 Password updated successfully for user: ${email}`)\n  },\n}\n\n// Export the full CLI list\nexport default [addUser, seedRoles, rotateEncryptionKey, addOrganization, setupApp, listOrganizations, listTenants, listUsers, setPassword]\n"],
+  "mappings": "AACA,SAAS,8BAA8B;AACvC,SAAS,YAAY;AAErB,SAAS,MAAM,MAAM,gBAAgB;AACrC,SAAS,QAAQ,oBAAoB;AACrC,SAAS,iCAAiC;AAC1C,SAAS,aAAa,0BAA0B;AAChD,SAAS,yBAAyB;AAClC,SAAS,wBAAwB;AACjC,SAAS,oBAAoB,6BAA6B;AAC1D,SAAS,qCAAqC;AAC9C,SAAS,wBAAwB;AACjC,SAAS,mCAAmC;AAC5C,SAAS,yBAAyB;AAClC,SAAS,WAAW;AAEpB,OAAO,YAAY;AACnB,SAAS,4BAA4B,mBAAmB,wBAAwB;AAChF,SAAS,yBAAyB;AAElC,MAAM,UAAqB;AAAA,EACzB,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AACtB,UAAM,iBAAiB,OAAO,KAAK,kBAAkB,KAAK,SAAS,KAAK,GAAG;AAC3E,UAAM,YAAY,KAAK,SAAS,IAAI,KAAK;AACzC,QAAI,CAAC,SAAS,CAAC,YAAY,CAAC,gBAAgB;AAC1C,cAAQ,MAAM,sHAAsH;AACpI;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB,QAAQ,EAAG;AACrC,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,MACH,MAAM;AAAA,MACL;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC,KAAM;AACR,QAAI,CAAC,IAAK,OAAM,IAAI,MAAM,wBAAwB;AAClD,UAAM,cAAc,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AAC7D,UAAM,qBAAqB,kBAAkB,eAAe,IAAI,KAAK;AACrE,UAAM,IAAI,GAAG,OAAO,MAAM;AAAA,MACxB;AAAA,MACA,WAAW,iBAAiB,KAAK;AAAA,MACjC,cAAc,MAAM,KAAK,UAAU,EAAE;AAAA,MACrC,aAAa;AAAA,MACb,gBAAgB,IAAI;AAAA,MACpB,UAAU,IAAI,OAAO;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,gBAAgB,CAAC;AAC1B,QAAI,UAAU;AACZ,YAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,OAAK,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACnE,iBAAW,QAAQ,OAAO;AACxB,YAAI,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,mBAAmB,CAAC;AACxE,YAAI,CAAC,QAAQ,uBAAuB,MAAM;AACxC,iBAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,MAAM,UAAU,KAAK,CAAC;AAAA,QACxD;AACA,YAAI,CAAC,MAAM;AACX,iBAAO,GAAG,OAAO,MAAM,EAAE,MAAM,UAAU,oBAAoB,WAAW,oBAAI,KAAK,EAAE,CAAC;AAClF,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B,WAAW,uBAAuB,QAAQ,KAAK,aAAa,oBAAoB;AAC9E,eAAK,WAAW;AAChB,gBAAM,GAAG,gBAAgB,IAAI;AAAA,QAC/B;AACA,cAAM,OAAO,GAAG,OAAO,UAAU,EAAE,MAAM,GAAG,KAAK,CAAC;AAClD,cAAM,GAAG,gBAAgB,IAAI;AAAA,MAC/B;AAAA,IACF;AACA,YAAQ,IAAI,wBAAwB,EAAE,EAAE;AAAA,EAC1C;AACF;AAEA,SAAS,UAAU,MAAgB;AACjC,QAAM,OAAyC,CAAC;AAChD,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,CAAC,EAAG;AACR,QAAI,EAAE,WAAW,IAAI,GAAG;AACtB,YAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,OAAO,EAAE,EAAE,MAAM,GAAG;AAC7C,UAAI,MAAM,OAAW,MAAK,CAAC,IAAI;AAAA,eACtB,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,EAAG,WAAW,IAAI,GAAG;AAAE,aAAK,CAAC,IAAI,KAAK,IAAI,CAAC;AAAI;AAAA,MAAI,MACjF,MAAK,CAAC,IAAI;AAAA,IACjB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAuB;AAChD,SAAO,MAAM,KAAK,EAAE,QAAQ,gBAAgB,EAAE;AAChD;AAEA,SAAS,WAAW,OAAiD;AACnE,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,KAAK,CAAC,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC/F;AAEA,SAAS,qBAAqB,UAA2B;AACvD,QAAM,SAAS,kBAAkB;AACjC,QAAM,SAAS,iBAAiB,UAAU,MAAM;AAChD,MAAI,OAAO,GAAI,QAAO;AACtB,QAAM,eAAe,2BAA2B,QAAQ,CAAC,MAAM,aAAa,QAAQ;AACpF,QAAM,SAAS,eAAe,KAAK,YAAY,KAAK;AACpD,UAAQ,MAAM,0CAA0C,MAAM,GAAG;AACjE,SAAO;AACT;AAEA,eAAe,4BAA+B,IAAkC;AAC9E,QAAM,WAAW,QAAQ,IAAI;AAC7B,UAAQ,IAAI,+BAA+B;AAC3C,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,QAAI,aAAa,QAAW;AAC1B,aAAO,QAAQ,IAAI;AAAA,IACrB,OAAO;AACL,cAAQ,IAAI,+BAA+B;AAAA,IAC7C;AAAA,EACF;AACF;AAEA,MAAM,qBAA2C;AAAA,EAE/C,YAAY,QAAgB;AAC1B,SAAK,OAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,kBAAkB,MAAM,CAAC,EAAE,OAAO;AAAA,EACnF;AAAA,EAEA,YAAqB;AACnB,WAAO;AAAA,EACT;AAAA,EAEQ,UAAU,UAA0B;AAC1C,UAAM,aAAa;AACnB,UAAM,YAAY;AAClB,UAAM,UAAU,OAAO,WAAW,KAAK,MAAM,UAAU,YAAY,WAAW,QAAQ;AACtF,WAAO,QAAQ,SAAS,QAAQ;AAAA,EAClC;AAAA,EAEA,MAAM,aAAa,UAA6C;AAC9D,QAAI,CAAC,SAAU,QAAO;AACtB,WAAO,EAAE,UAAU,KAAK,KAAK,UAAU,QAAQ,GAAG,WAAW,KAAK,IAAI,EAAE;AAAA,EAC1E;AAAA,EAEA,MAAM,gBAAgB,UAA6C;AACjE,WAAO,KAAK,aAAa,QAAQ;AAAA,EACnC;AACF;AAEA,SAAS,eAAe,KAAsC;AAC5D,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,IAAI,GAAG,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AAC9E;AAEA,SAAS,kBACP,SACA,KACe;AACf,MAAI,CAAC,KAAK,IAAK,QAAO;AACtB,SAAO,kBAAkB,SAAS,IAAI,GAAG;AAC3C;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,MAAM,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACtC,UAAI,CAAC,IAAK;AACV,YAAM,QAAQ,KAAK,IAAI,CAAC;AACxB,UAAI,MAAO,MAAK,GAAG,IAAI;AAAA,IACzB;AACA,UAAM,WAAW,KAAK,YAAY,KAAK,UAAU,KAAK,aAAa;AACnE,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,QAAI,UAAU;AACZ,YAAM,YAAY,IAAI,EAAE,SAAS,CAAC;AAClC,cAAQ,IAAI,4CAAgC,QAAQ;AACpD;AAAA,IACF;AACA,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AACxC,QAAI,CAAC,QAAQ,QAAQ;AACnB,cAAQ,IAAI,oCAAoC;AAChD;AAAA,IACF;AACA,eAAW,UAAU,SAAS;AAC5B,YAAM,KAAK,OAAO,KAAK,OAAO,OAAO,EAAE,IAAI;AAC3C,UAAI,CAAC,GAAI;AACT,YAAM,YAAY,IAAI,EAAE,UAAU,GAAG,CAAC;AACtC,cAAQ,IAAI,4CAAgC,EAAE;AAAA,IAChD;AAAA,EACF;AACF;AAEA,MAAM,sBAAiC;AAAA,EACrC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,WAAY,KAAK,YAAwB,KAAK,UAAsB,KAAK,aAAwB;AACvG,UAAM,iBAAkB,KAAK,kBAA8B,KAAK,SAAqB,KAAK,OAAkB;AAC5G,UAAM,SAAU,KAAK,SAAS,KAAiB,KAAK,UAAqB;AACzE,UAAM,SAAS,QAAQ,KAAK,SAAS,KAAK,KAAK,GAAG;AAClD,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,SAAS,QAAQ,MAAM;AAC7B,QAAI,UAAU,CAAC,UAAU;AACvB,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,QAAI,CAAC,8BAA8B,GAAG;AACpC,cAAQ,MAAM,+CAA+C;AAC7D;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,oBAAoB,IAAI,4BAA4B,IAAW,EAAE,KAAK,iBAAiB,EAAE,CAAC;AAChG,UAAM,SAAS,UAAU,SAAS,IAAI,qBAAqB,MAAM,IAAI;AACrE,QAAI,OAAO;AACT,cAAQ,IAAI,2BAA2B;AAAA,QACrC,WAAW,QAAQ,MAAM;AAAA,QACzB;AAAA,QACA,UAAU,YAAY;AAAA,QACtB,gBAAgB,kBAAkB;AAAA,MACpC,CAAC;AACD,cAAQ,IAAI,4CAA4C;AAAA,QACtD,QAAQ,WAAW,MAAM;AAAA,QACzB,YAAY,WAAW,QAAQ,IAAI,mCAAmC;AAAA,MACxE,CAAC;AAAA,IACH;AACA,QAAI,CAAC,kBAAkB,UAAU,GAAG;AAClC,cAAQ,MAAM,wEAAwE;AACtF;AAAA,IACF;AACA,UAAM,OAAa,GAAW,gBAAgB;AAC9C,QAAI,CAAC,QAAQ,OAAO,KAAK,YAAY,YAAY;AAC/C,cAAQ,MAAM,4CAA4C;AAC1D;AAAA,IACF;AACA,UAAM,OAAQ,IAAY,cAAc,GAAG,MAAM,IAAI;AACrD,UAAM,YAAY,MAAM,aAAa;AACrC,UAAM,SAAS,MAAM;AACrB,UAAM,iBAAiB,SAAS,IAAI,MAAM,MAAM,SAAS,MAAM,IAAI,SAAS;AAC5E,UAAM,qBAAqB,CAAC,UAA4B;AACtD,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,YAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,aAAO,MAAM,WAAW,KAAK,MAAM,CAAC,MAAM;AAAA,IAC5C;AACA,UAAM,aAAa,oBAAI,IAAY;AACnC,UAAM,cAAc,oBAAI,IAA8B;AACtD,UAAM,eAAe,OAAO,eAAuB,wBAAiD;AAClG,UAAI,SAAS,CAAC,WAAW,IAAI,aAAa,GAAG;AAC3C,mBAAW,IAAI,aAAa;AAC5B,cAAM,CAAC,QAAQ,MAAM,IAAI,MAAM,QAAQ,IAAI;AAAA,UACzC,QAAQ,aAAa,aAAa,KAAK,QAAQ,QAAQ,IAAI;AAAA,UAC3D,kBAAkB,OAAO,aAAa;AAAA,QACxC,CAAC;AACD,gBAAQ,IAAI,4CAA4C;AAAA,UACtD,UAAU;AAAA,UACV,QAAQ,eAAe,MAAM;AAAA,UAC7B,YAAY,eAAe,MAAM;AAAA,QACnC,CAAC;AAAA,MACH;AACA,YAAM,UAAU,MAAM,KAAK;AAAA,QACzB,qCAAqC,cAAc;AAAA,QACnD,CAAC,eAAe,mBAAmB;AAAA,MACrC;AACA,YAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC;AACjD,YAAM,UAAU,SACZ,OACA,KAAK,OAAO,CAAC,QAAa,CAAC,mBAAmB,KAAK,KAAK,CAAC;AAC7D,UAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,cAAQ;AAAA,QACN,SAAS,QAAQ,MAAM,yCAAyC,mBAAmB,GAAG,SAAS,eAAe,EAAE;AAAA,MAClH;AACA,UAAI,OAAQ,QAAO;AACnB,YAAM,MAAM,QAAQ,IAAI,CAAC,QAAa,OAAO,IAAI,EAAE,CAAC;AACpD,YAAM,QAAQ,SACV,MAAM,GAAG;AAAA,QACP;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,MACnF,IACA,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA,EAAE,IAAI,EAAE,KAAK,IAAI,GAAG,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,QACjF,CAAC;AAAA,QACD,EAAE,UAAU,eAAe,gBAAgB,qBAAqB,kBAAkB;AAAA,MACpF;AACJ,YAAM,YAAY,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AACtE,UAAI,UAAU;AACd,iBAAW,OAAO,SAAS;AACzB,cAAM,OAAO,UAAU,IAAI,OAAO,IAAI,EAAE,CAAC;AACzC,YAAI,CAAC,KAAM;AACX,cAAM,WAAW,OAAO,IAAI,UAAU,WAAW,IAAI,QAAQ,OAAO,IAAI,SAAS,EAAE;AACnF,YAAI,CAAC,SAAU;AACf,YAAI,WAAW,CAAC,mBAAmB,QAAQ,KAAK,CAAC,SAAS;AACxD;AAAA,QACF;AACA,YAAI,aAAa;AACjB,YAAI,UAAU,mBAAmB,QAAQ,KAAK,QAAQ;AACpD,cAAI,OAAO;AACT,oBAAQ,IAAI,sCAAsC;AAAA,cAChD,QAAQ,IAAI;AAAA,cACZ,UAAU;AAAA,cACV,gBAAgB;AAAA,YAClB,CAAC;AAAA,UACH;AACA,cAAI,SAAS,YAAY,IAAI,aAAa,KAAK;AAC/C,cAAI,CAAC,YAAY,IAAI,aAAa,GAAG;AACnC,qBAAS,MAAM,OAAO,aAAa,aAAa;AAChD,wBAAY,IAAI,eAAe,MAAM;AAAA,UACvC;AACA,gBAAM,aAAa,kBAAkB,UAAU,MAAM;AACrD,cAAI,OAAO,eAAe,YAAY,mBAAmB,UAAU,EAAG;AACtE,uBAAa;AAAA,QACf;AACA,YAAI,CAAC,WAAY;AACjB,cAAM,YAAY,MAAM,kBAAkB;AAAA,UACxC;AAAA,UACA,EAAE,OAAO,WAAW;AAAA,UACpB;AAAA,UACA;AAAA,QACF;AACA,cAAM,YAAY,UAAU;AAC5B,YAAI,aAAa,cAAc,KAAK,OAAO;AACzC,eAAK,QAAQ;AACb,eAAK,YAAa,UAAkB,aAAa,iBAAiB,UAAU;AAC5E,aAAG,QAAQ,IAAI;AACf,qBAAW;AAAA,QACb;AAAA,MACF;AACA,UAAI,UAAU,GAAG;AACf,cAAM,GAAG,MAAM;AAAA,MACjB;AACA,aAAO;AAAA,IACT;AAEA,QAAI,YAAY,gBAAgB;AAC9B,YAAM,UAAU,MAAM,aAAa,OAAO,QAAQ,GAAG,OAAO,cAAc,CAAC;AAC3E,UAAI,CAAC,SAAS;AACZ,gBAAQ,IAAI,gEAAgE;AAAA,MAC9E,OAAO;AACL,gBAAQ,IAAI,aAAa,OAAO,sBAAsB;AAAA,MACxD;AACA;AAAA,IACF;AAEA,UAAM,gBAAgB,MAAM,GAAG,KAAK,cAAc,CAAC,CAAC;AACpD,QAAI,CAAC,cAAc,QAAQ;AACzB,cAAQ,IAAI,6CAA6C;AACzD;AAAA,IACF;AACA,QAAI,QAAQ;AACZ,eAAW,OAAO,eAAe;AAC/B,YAAM,gBAAgB,IAAI,QAAQ,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,EAAE,IAAI;AACvG,YAAM,sBAAsB,IAAI,KAAK,OAAO,IAAI,EAAE,IAAI;AACtD,UAAI,CAAC,iBAAiB,CAAC,oBAAqB;AAC5C,eAAS,MAAM,aAAa,eAAe,mBAAmB;AAAA,IAChE;AACA,QAAI,QAAQ,GAAG;AACb,cAAQ,IAAI,aAAa,KAAK,+CAA+C;AAAA,IAC/E,OAAO;AACL,cAAQ,IAAI,kEAAkE;AAAA,IAChF;AAAA,EACF;AACF;AAIA,MAAM,kBAA6B;AAAA,EACjC,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AACA,UAAM,OAAO,KAAK,QAAQ,KAAK;AAC/B,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,wDAAwD;AACtE;AAAA,IACF;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAEvB,UAAM,SAAS,GAAG,OAAO,QAAQ,EAAE,MAAM,GAAG,IAAI,UAAU,CAAC;AAC3D,UAAM,GAAG,gBAAgB,MAAM;AAC/B,UAAM,MAAM,GAAG,OAAO,cAAc,EAAE,MAAM,OAAO,CAAC;AACpD,UAAM,GAAG,gBAAgB,GAAG;AAC5B,UAAM,0BAA0B,IAAI,OAAO,OAAO,EAAE,CAAC;AACrD,YAAQ,IAAI,gCAAgC,IAAI,IAAI,aAAa,OAAO,EAAE;AAAA,EAC5E;AACF;AAEA,MAAM,WAAsB;AAAA,EAC1B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAAO,UAAU,IAAI;AAC3B,UAAM,UAAU,OAAO,KAAK,YAAY,WACpC,KAAK,UACL,OAAO,KAAK,SAAS,WACnB,KAAK,OACL;AACN,UAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAC5D,UAAM,WAAW,OAAO,KAAK,aAAa,WAAW,KAAK,WAAW;AACrE,UAAM,WAAW,OAAO,KAAK,UAAU,WACnC,KAAK,MAAM,KAAK,IAChB;AACJ,UAAM,wBACJ,KAAK,sBAAsB,KAC3B,KAAK,sBACL,KAAK,qBAAqB,KAC1B,KAAK;AACP,UAAM,qBAAqB,OAAO,0BAA0B,YACxD,wBACA,kBAAkB,OAAO,0BAA0B,WAAW,wBAAwB,IAAI,KAAK;AACnG,QAAI,CAAC,WAAW,CAAC,SAAS,CAAC,UAAU;AACnC,cAAQ,MAAM,+IAA+I;AAC7J;AAAA,IACF;AACA,QAAI,CAAC,sBAAsB,CAAC,qBAAqB,QAAQ,EAAG;AAC5D,QAAI,oBAAoB;AACtB,cAAQ,KAAK,6DAAmD;AAAA,IAClE;AACA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAuB,IAAI;AACtC,UAAM,YAAY,WACd,SAAS,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IACvD;AAEJ,QAAI;AACF,YAAM,SAAS,MAAM,mBAAmB,IAAI;AAAA,QAC1C;AAAA,QACA;AAAA,QACA,aAAa,EAAE,OAAO,UAAU,SAAS,KAAK;AAAA,QAC9C,qBAAqB;AAAA,MACvB,CAAC;AAED,UAAI,OAAO,oBAAoB;AAC7B,gBAAQ,IAAI,4DAAkD;AAC9D,gBAAQ,IAAI,wBAAc,KAAK,EAAE;AACjC,gBAAQ,IAAI,wEAA8D;AAAA,MAC5E;AAEA,UAAG,IAAI,aAAa,QAAQ;AAC1B,mBAAW,YAAY,OAAO,OAAO;AACnC,cAAI,SAAS,SAAS;AACpB,gBAAI,SAAS,KAAK,UAAU,SAAS,UAAU;AAC7C,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,OAAO,aAAa,QAAQ;AAAA,YAC3E,OAAO;AACL,sBAAQ,IAAI,0BAAmB,SAAS,KAAK,KAAK;AAAA,YACpD;AAAA,UACF,OAAO;AACL,oBAAQ,IAAI,gBAAgB,SAAS,KAAK,KAAK,EAAE;AAAA,UACnD;AAAA,QACF;AAAA,MACF;AAEA,UAAG,IAAI,aAAa,OAAU,SAAQ,IAAI,0BAAqB,EAAE,UAAU,OAAO,UAAU,gBAAgB,OAAO,eAAe,CAAC;AAAA,IACrI,SAAS,KAAK;AACZ,UAAI,eAAe,SAAS,IAAI,YAAY,eAAe;AACzD,gBAAQ,MAAM,6DAA6D;AAC3E;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAEA,MAAM,oBAA+B;AAAA,EACnC,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,cAAQ,IAAI,wBAAwB;AACpC;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,KAAK,MAAM,mBAAmB;AACnD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,iHAAiH;AAC7H,YAAQ,IAAI,2HAA2H;AAEvI,eAAW,OAAO,MAAM;AACtB,YAAM,UAAU,IAAI,YAAY,IAAI,KAAK,IAAI,SAAS,EAAE,mBAAmB,IAAI;AAC/E,YAAM,KAAK,IAAI,MAAM;AACrB,YAAM,WAAW,IAAI,QAAQ,MAAM;AACnC,YAAM,QAAQ,IAAI,QAAQ,WAAW,OAAO,EAAE;AAC9C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,SAAS,OAAO,EAAE,CAAC,MAAM,OAAO,EAAE;AAAA,IAChF;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,MAAM;AACV,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,UAAU,MAAM,GAAG,KAAK,QAAQ,CAAC,CAAC;AAExC,QAAI,QAAQ,WAAW,GAAG;AACxB,cAAQ,IAAI,kBAAkB;AAC9B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,QAAQ,MAAM,aAAa;AAChD,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,0EAA0E;AACtF,YAAQ,IAAI,qFAAqF;AAEjG,eAAW,UAAU,SAAS;AAC5B,YAAM,UAAU,OAAO,YAAY,IAAI,KAAK,OAAO,SAAS,EAAE,mBAAmB,IAAI;AACrF,YAAM,KAAK,OAAO,MAAM;AACxB,YAAM,QAAQ,OAAO,QAAQ,WAAW,OAAO,EAAE;AACjD,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,IAAI,MAAM,OAAO,EAAE;AAAA,IACvD;AAAA,EACF;AACF;AAEA,MAAM,YAAuB;AAAA,EAC3B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AAGvB,UAAM,QAAa,CAAC;AACpB,QAAI,KAAK,kBAAkB,KAAK,SAAS,KAAK,KAAK;AACjD,YAAM,iBAAiB,KAAK,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnE;AACA,QAAI,KAAK,YAAY,KAAK,QAAQ;AAChC,YAAM,WAAW,KAAK,YAAY,KAAK;AAAA,IACzC;AAEA,UAAM,QAAQ,MAAM,GAAG,KAAK,MAAM,KAAK;AAEvC,QAAI,MAAM,WAAW,GAAG;AACtB,cAAQ,IAAI,gBAAgB;AAC5B;AAAA,IACF;AAEA,YAAQ,IAAI,SAAS,MAAM,MAAM,WAAW;AAC5C,YAAQ,IAAI,EAAE;AACd,YAAQ,IAAI,gJAAgJ;AAC5J,YAAQ,IAAI,2JAA2J;AAEvK,eAAW,QAAQ,OAAO;AAExB,YAAM,YAAY,MAAM;AAAA,QACtB;AAAA,QACA;AAAA,QACA,EAAE,MAAM,KAAK,GAAG;AAAA,QAChB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,QACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,MACjF;AACA,YAAM,QAAQ,UAAU,IAAI,CAAC,OAAY,GAAG,MAAM,IAAI,EAAE,OAAO,OAAO,EAAE,KAAK,IAAI,KAAK;AAGtF,UAAI,UAAU;AACd,UAAI,aAAa;AAEjB,UAAI,KAAK,gBAAgB;AACvB,cAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,EAAE,IAAI,KAAK,eAAe,CAAC;AACtE,kBAAU,KAAK,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,eAAe,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,UAAI,KAAK,UAAU;AACjB,cAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,IAAI,KAAK,SAAS,CAAC;AAC7D,qBAAa,QAAQ,MAAM,UAAU,GAAG,EAAE,IAAI,SAAS,KAAK,SAAS,UAAU,GAAG,CAAC,IAAI;AAAA,MACzF;AAEA,YAAM,KAAK,KAAK,MAAM;AACtB,YAAM,SAAS,KAAK,SAAS,OAAO,OAAO,EAAE;AAC7C,YAAM,QAAQ,KAAK,QAAQ,WAAW,OAAO,EAAE;AAE/C,cAAQ,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,QAAQ,OAAO,EAAE,CAAC,MAAM,WAAW,OAAO,EAAE,CAAC,MAAM,KAAK,EAAE;AAAA,IACnH;AAAA,EACF;AACF;AAEA,MAAM,cAAyB;AAAA,EAC7B,SAAS;AAAA,EACT,MAAM,IAAI,MAAM;AACd,UAAM,OAA+B,CAAC;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG;AACvC,YAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,OAAO,EAAE;AACpC,YAAM,IAAI,KAAK,IAAI,CAAC;AACpB,UAAI,EAAG,MAAK,CAAC,IAAI;AAAA,IACnB;AAEA,UAAM,QAAQ,KAAK;AACnB,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,SAAS,CAAC,UAAU;AACvB,cAAQ,MAAM,2EAA2E;AACzF;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB,QAAQ,EAAG;AAErC,UAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,UAAM,KAAK,QAAQ,IAAI;AACvB,UAAM,YAAY,iBAAiB,KAAK;AACxC,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;AAEvE,QAAI,CAAC,MAAM;AACT,cAAQ,MAAM,oBAAoB,KAAK,aAAa;AACpD;AAAA,IACF;AAEA,SAAK,eAAe,MAAM,KAAK,UAAU,EAAE;AAC3C,UAAM,GAAG,gBAAgB,IAAI;AAE7B,YAAQ,IAAI,kDAA6C,KAAK,EAAE;AAAA,EAClE;AACF;AAGA,IAAO,cAAQ,CAAC,SAAS,WAAW,qBAAqB,iBAAiB,UAAU,mBAAmB,aAAa,WAAW,WAAW;",
   "names": []
 }

package/dist/modules/auth/commands/users.js CHANGED Viewed

@@ -22,16 +22,21 @@ import {
 import { normalizeTenantId } from "@open-mercato/core/modules/auth/lib/tenantAccess";
 import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { buildNotificationFromType } from "@open-mercato/core/modules/notifications/lib/notificationBuilder";
+import { resolveNotificationService } from "@open-mercato/core/modules/notifications/lib/notificationService";
+import notificationTypes from "@open-mercato/core/modules/auth/notifications";
+import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
+const passwordSchema = buildPasswordSchema();
 const createSchema = z.object({
   email: z.string().email(),
-  password: z.string().min(6),
+  password: passwordSchema,
   organizationId: z.string().uuid(),
   roles: z.array(z.string()).optional()
 });
 const updateSchema = z.object({
   id: z.string().uuid(),
   email: z.string().email().optional(),
-  password: z.string().min(6).optional(),
+  password: passwordSchema.optional(),
   organizationId: z.string().uuid().optional(),
   roles: z.array(z.string()).optional()
 });
@@ -60,6 +65,38 @@ const userCrudIndexer = {
     tenantId: ctx.identifiers.tenantId
   })
 };
+async function notifyRoleChanges(ctx, user, assignedRoles, revokedRoles) {
+  const tenantId = user.tenantId ? String(user.tenantId) : null;
+  if (!tenantId) return;
+  const organizationId = user.organizationId ? String(user.organizationId) : null;
+  try {
+    const notificationService = resolveNotificationService(ctx.container);
+    if (assignedRoles.length) {
+      const assignedType = notificationTypes.find((type) => type.type === "auth.role.assigned");
+      if (assignedType) {
+        const notificationInput = buildNotificationFromType(assignedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+    if (revokedRoles.length) {
+      const revokedType = notificationTypes.find((type) => type.type === "auth.role.revoked");
+      if (revokedType) {
+        const notificationInput = buildNotificationFromType(revokedType, {
+          recipientUserId: String(user.id),
+          sourceEntityType: "auth:user",
+          sourceEntityId: String(user.id)
+        });
+        await notificationService.create(notificationInput, { tenantId, organizationId });
+      }
+    }
+  } catch (err) {
+    console.error("[auth.users.roles] Failed to create notification:", err);
+  }
+}
 const createUserCommand = {
   id: "auth.users.create",
   async execute(rawInput, ctx) {
@@ -97,8 +134,10 @@ const createUserCommand = {
       if (isUniqueViolation(error)) await throwDuplicateEmailError();
       throw error;
     }
+    let assignedRoles = [];
     if (Array.isArray(parsed.roles) && parsed.roles.length) {
       await syncUserRoles(em, user, parsed.roles, tenantId);
+      assignedRoles = await loadUserRoleNames(em, String(user.id));
     }
     await setCustomFieldsIfAny({
       dataEngine: de,
@@ -120,6 +159,9 @@ const createUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (assignedRoles.length) {
+      await notifyRoleChanges(ctx, user, assignedRoles, []);
+    }
     return user;
   },
   captureAfter: async (_input, result, ctx) => {
@@ -230,6 +272,7 @@ const updateUserCommand = {
   async execute(rawInput, ctx) {
     const { parsed, custom } = parseWithCustomFields(updateSchema, rawInput);
     const em = ctx.container.resolve("em");
+    const rolesBefore = Array.isArray(parsed.roles) ? await loadUserRoleNames(em, parsed.id) : null;
     if (parsed.email !== void 0) {
       const emailHash2 = computeEmailHash(parsed.email);
       const duplicate = await em.findOne(
@@ -310,6 +353,13 @@ const updateUserCommand = {
       events: userCrudEvents,
       indexer: userCrudIndexer
     });
+    if (Array.isArray(parsed.roles) && rolesBefore) {
+      const rolesAfter = await loadUserRoleNames(em, String(user.id));
+      const { assigned, revoked } = diffRoleChanges(rolesBefore, rolesAfter);
+      if (assigned.length || revoked.length) {
+        await notifyRoleChanges(ctx, user, assigned, revoked);
+      }
+    }
     await invalidateUserCache(ctx, parsed.id);
     return user;
   },
@@ -656,6 +706,13 @@ async function invalidateUserCache(ctx, userId) {
   } catch {
   }
 }
+function diffRoleChanges(before, after) {
+  const beforeSet = new Set(before);
+  const afterSet = new Set(after);
+  const assigned = after.filter((role) => !beforeSet.has(role));
+  const revoked = before.filter((role) => !afterSet.has(role));
+  return { assigned, revoked };
+}
 function arrayEquals(left, right) {
   if (!left) return false;
   if (left.length !== right.length) return false;