@open-mercato/core 0.4.5-develop-2e9903a57a → 0.4.5-develop-eeccf7adf4

package/src/modules/auth/__integration__/TC-AUTH-012.spec.ts

@@ -1,36 +0,0 @@
-import { expect, test } from '@playwright/test';
-import { login } from '@open-mercato/core/modules/core/__integration__/helpers/auth';
-import { apiRequest, getAuthToken } from '@open-mercato/core/modules/core/__integration__/helpers/api';
-
-/**
- * TC-AUTH-012: Create New Role
- * Source: .ai/qa/scenarios/TC-AUTH-012-role-creation.md
- */
-test.describe('TC-AUTH-012: Create New Role', () => {
-  test('should create a role and show it in roles list', async ({ page, request }) => {
-    const roleName = `qa-auth-role-${Date.now()}`;
-    let token: string | null = null;
-    let roleId: string | null = null;
-
-    try {
-      token = await getAuthToken(request);
-      await login(page, 'admin');
-      await page.goto('/backend/roles/create');
-      await expect(page.getByText('Create Role')).toBeVisible();
-
-      await page.getByRole('textbox').first().fill(roleName);
-      await page.getByRole('button', { name: 'Create' }).first().click();
-
-      await expect(page).toHaveURL(/\/backend\/roles(?:\?.*)?$/);
-      await page.getByRole('textbox', { name: 'Search' }).fill(roleName);
-      await expect(page.getByRole('row', { name: new RegExp(roleName, 'i') })).toBeVisible();
-      await page.getByRole('row', { name: new RegExp(roleName, 'i') }).click();
-      await expect(page).toHaveURL(/\/backend\/roles\/[0-9a-f-]{36}\/edit$/i);
-      roleId = page.url().match(/\/backend\/roles\/([0-9a-f-]{36})\/edit$/i)?.[1] ?? null;
-    } finally {
-      if (token && roleId) {
-        await apiRequest(request, 'DELETE', `/api/auth/roles?id=${encodeURIComponent(roleId)}`, { token }).catch(() => {});
-      }
-    }
-  });
-});

package/src/modules/auth/__integration__/TC-AUTH-013.spec.ts

@@ -1,48 +0,0 @@
-import { expect, test } from '@playwright/test';
-import { login } from '@open-mercato/core/modules/core/__integration__/helpers/auth';
-import { apiRequest, getAuthToken } from '@open-mercato/core/modules/core/__integration__/helpers/api';
-
-/**
- * TC-AUTH-013: Configure Role ACL and Permissions
- * Source: .ai/qa/scenarios/TC-AUTH-013-role-acl-configuration.md
- */
-test.describe('TC-AUTH-013: Configure Role ACL and Permissions', () => {
-  test('should persist ACL checkbox changes for a role', async ({ page, request }) => {
-    const roleName = `qa-auth-acl-${Date.now()}`;
-    let token: string | null = null;
-    let roleId: string | null = null;
-
-    try {
-      token = await getAuthToken(request);
-      await login(page, 'admin');
-      await page.goto('/backend/roles/create');
-      await page.getByRole('textbox').first().fill(roleName);
-      await page.getByRole('button', { name: 'Create' }).first().click();
-      await expect(page).toHaveURL(/\/backend\/roles(?:\?.*)?$/);
-
-      await page.getByRole('textbox', { name: 'Search' }).fill(roleName);
-      await page.getByRole('row', { name: new RegExp(roleName, 'i') }).click();
-      await expect(page).toHaveURL(/\/backend\/roles\/[0-9a-f-]{36}\/edit$/i);
-      roleId = page.url().match(/\/backend\/roles\/([0-9a-f-]{36})\/edit$/i)?.[1] ?? null;
-
-      const featureCheckbox = page.getByRole('checkbox', { name: /view api keys \(api_keys\.view\)/i }).first();
-      if ((await featureCheckbox.count()) === 0 || !(await featureCheckbox.isVisible().catch(() => false))) {
-        test.skip(true, 'Target ACL checkbox is not visible for this role.');
-      }
-      if (!(await featureCheckbox.isChecked())) {
-        await featureCheckbox.check();
-      }
-      await expect(featureCheckbox).toBeChecked();
-      await page.getByRole('button', { name: 'Save' }).first().click();
-
-      await expect(page).toHaveURL(/\/backend\/roles(?:\?.*)?$/);
-      await page.getByRole('textbox', { name: 'Search' }).fill(roleName);
-      await page.getByRole('row', { name: new RegExp(roleName, 'i') }).click();
-      await expect(featureCheckbox).toBeChecked();
-    } finally {
-      if (token && roleId) {
-        await apiRequest(request, 'DELETE', `/api/auth/roles?id=${encodeURIComponent(roleId)}`, { token }).catch(() => {});
-      }
-    }
-  });
-});

package/src/modules/auth/__integration__/TC-AUTH-014.spec.ts

@@ -1,31 +0,0 @@
-import { expect, test } from '@playwright/test';
-import { login } from '@open-mercato/core/modules/core/__integration__/helpers/auth';
-
-/**
- * TC-AUTH-014: Organization Switching
- * Source: .ai/qa/scenarios/TC-AUTH-014-organization-switching.md
- */
-test.describe('TC-AUTH-014: Organization Switching', () => {
-  test('should allow switching organization context from the header selector', async ({ page }) => {
-    await login(page, 'admin');
-    await page.goto('/backend/users');
-
-    const orgSelect = page.getByRole('combobox').first();
-    await expect(orgSelect).toBeVisible();
-    await orgSelect.selectOption({ label: 'All organizations' });
-    await expect(orgSelect).toHaveValue('');
-
-    const orgValue = await orgSelect.evaluate((element) => {
-      const select = element as HTMLSelectElement;
-      for (const option of Array.from(select.options)) {
-        if (option.value && option.value.trim().length > 0) return option.value;
-      }
-      return '';
-    });
-    if (!orgValue) {
-      test.skip(true, 'No scoped organizations available to switch to.');
-    }
-    await orgSelect.selectOption(orgValue);
-    await expect(orgSelect).toHaveValue(orgValue);
-  });
-});

package/src/modules/auth/__integration__/TC-AUTH-015.spec.ts

@@ -1,28 +0,0 @@
-import { expect, test } from '@playwright/test';
-import { login } from '@open-mercato/core/modules/core/__integration__/helpers/auth';
-
-/**
- * TC-AUTH-015: Access Denied for Missing Permissions
- * Source: .ai/qa/scenarios/TC-AUTH-015-access-denied.md
- */
-test.describe('TC-AUTH-015: Access Denied for Missing Permissions', () => {
-  test('should deny employee access to users administration page', async ({ page }) => {
-    await login(page, 'employee');
-    await page.goto('/backend/users');
-
-    const url = page.url();
-    const deniedText = page.getByText(/don't have access|permission|forbidden|not authorized|access denied/i).first();
-    const usersHeadingVisible = await page.getByRole('heading', { name: 'Users' }).isVisible().catch(() => false);
-
-    if (usersHeadingVisible) {
-      test.skip(true, 'Users page is accessible for employee in this environment.');
-    }
-
-    if (/\/login/.test(url)) {
-      await expect(page).toHaveURL(/\/login/);
-      return;
-    }
-
-    await expect(deniedText).toBeVisible();
-  });
-});

package/src/modules/auth/__integration__/TC-AUTH-016.spec.ts

@@ -1,109 +0,0 @@
-import { test, expect } from '@playwright/test';
-import { postForm } from '@open-mercato/core/modules/core/__integration__/helpers/api';
-import { DEFAULT_CREDENTIALS } from '@open-mercato/core/modules/core/__integration__/helpers/auth';
-
-/**
- * TC-AUTH-016: Rate Limiting on Authentication Endpoints
- *
- * API tests verifying that auth endpoints enforce rate limits and return
- * proper 429 responses with rate-limit headers when limits are exceeded.
- *
- * Default compound limits: login = 5 pts/60s, reset = 3 pts/60s.
- * Each test uses a unique email to avoid cross-test compound key pollution.
- */
-test.describe('TC-AUTH-016: Rate Limiting on Authentication Endpoints', () => {
-  const rateLimitHeaders = { 'x-om-test-rate-limit': 'on' };
-
-  test('login rate limit — returns 429 after exceeding compound limit', async ({ request }) => {
-    const email = `ratelimit-login-${Date.now()}@test.invalid`;
-    const attempts = 6; // compound limit is 5
-    let lastResponse;
-
-    for (let i = 0; i < attempts; i++) {
-      lastResponse = await postForm(request, '/api/auth/login', {
-        email,
-        password: 'wrong-password',
-      }, { headers: rateLimitHeaders });
-    }
-
-    expect(lastResponse!.status()).toBe(429);
-
-    const headers = lastResponse!.headers();
-    expect(headers['retry-after']).toBeDefined();
-    expect(headers['x-ratelimit-limit']).toBe('5');
-    expect(headers['x-ratelimit-remaining']).toBe('0');
-
-    const body = await lastResponse!.json();
-    expect(body).toHaveProperty('error');
-  });
-
-  test('login rate limit — different emails get independent limits', async ({ request }) => {
-    const emailA = `ratelimit-indep-a-${Date.now()}@test.invalid`;
-    const emailB = `ratelimit-indep-b-${Date.now()}@test.invalid`;
-
-    // Exhaust 5 attempts for email-A (at the compound limit)
-    for (let i = 0; i < 5; i++) {
-      await postForm(request, '/api/auth/login', {
-        email: emailA,
-        password: 'wrong-password',
-      }, { headers: rateLimitHeaders });
-    }
-
-    // email-B should still be allowed (its own compound bucket is fresh)
-    const responseB = await postForm(request, '/api/auth/login', {
-      email: emailB,
-      password: 'wrong-password',
-    }, { headers: rateLimitHeaders });
-
-    // email-B should get 401 (invalid credentials), not 429
-    expect(responseB.status()).not.toBe(429);
-  });
-
-  test('password reset rate limit — returns 429 after exceeding compound limit', async ({ request }) => {
-    const email = `ratelimit-reset-${Date.now()}@test.invalid`;
-    const attempts = 4; // compound limit is 3
-    let lastResponse;
-
-    for (let i = 0; i < attempts; i++) {
-      lastResponse = await postForm(request, '/api/auth/reset', {
-        email,
-      }, { headers: rateLimitHeaders });
-    }
-
-    expect(lastResponse!.status()).toBe(429);
-
-    const headers = lastResponse!.headers();
-    expect(headers['retry-after']).toBeDefined();
-    expect(headers['x-ratelimit-limit']).toBe('3');
-    expect(headers['x-ratelimit-remaining']).toBe('0');
-
-    const body = await lastResponse!.json();
-    expect(body).toHaveProperty('error');
-  });
-
-  test('login — successful login resets compound counter', async ({ request }) => {
-    const { email, password } = DEFAULT_CREDENTIALS.admin;
-
-    // Send 4 failed attempts (under the compound limit of 5)
-    for (let i = 0; i < 4; i++) {
-      await postForm(request, '/api/auth/login', {
-        email,
-        password: 'wrong-password',
-      }, { headers: rateLimitHeaders });
-    }
-
-    // Successful login should reset the compound counter
-    const successResponse = await postForm(request, '/api/auth/login', {
-      email,
-      password,
-    }, { headers: rateLimitHeaders });
-    expect(successResponse.status()).toBe(200);
-
-    // After reset, another failed attempt should NOT be 429
-    const postResetResponse = await postForm(request, '/api/auth/login', {
-      email,
-      password: 'wrong-password',
-    }, { headers: rateLimitHeaders });
-    expect(postResetResponse.status()).not.toBe(429);
-  });
-});

package/src/modules/auth/__tests__/cli-rotate-encryption.test.ts

@@ -1,97 +0,0 @@
-/** @jest-environment node */
-import cli from '@open-mercato/core/modules/auth/cli'
-import { User } from '@open-mercato/core/modules/auth/data/entities'
-import { Organization } from '@open-mercato/core/modules/directory/data/entities'
-import { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
-import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
-
-const persist = jest.fn()
-const flush = jest.fn()
-const execute = jest.fn()
-const find = jest.fn()
-
-jest.mock('@open-mercato/shared/lib/encryption/aes', () => ({
-  decryptWithAesGcm: jest.fn(),
-}))
-
-jest.mock('@open-mercato/shared/lib/encryption/find', () => ({
-  findWithDecryption: jest.fn(),
-}))
-
-jest.mock('@open-mercato/shared/lib/encryption/tenantDataEncryptionService', () => ({
-  TenantDataEncryptionService: jest.fn().mockImplementation(() => ({
-    isEnabled: () => true,
-    getDek: jest.fn(async (tenantId: string) => ({ tenantId, key: 'new-key', fetchedAt: 0 })),
-    encryptEntityPayload: jest.fn(async (_entityId: string, payload: Record<string, unknown>) => ({
-      ...payload,
-      email: `enc:${payload.email}`,
-      emailHash: 'hash',
-    })),
-  })),
-}))
-
-jest.mock('@open-mercato/shared/lib/di/container', () => ({
-  createRequestContainer: async () => ({
-    resolve: () => ({
-      getConnection: () => ({ execute }),
-      getMetadata: () => ({ get: () => ({ tableName: 'users' }) }),
-      find: (...args: any[]) => find(...args),
-      persist,
-      flush,
-    }),
-  }),
-}))
-
-describe('auth rotate-encryption-key CLI', () => {
-  beforeEach(() => {
-    jest.clearAllMocks()
-    process.env.TENANT_DATA_ENCRYPTION = 'yes'
-  })
-
-  it('rotates encrypted emails with old key and uses raw find', async () => {
-    const rotate = cli.find((c: any) => c.command === 'rotate-encryption-key')!
-    const encryptedValue = 'iv:cipher:tag:v1'
-
-    find.mockImplementation(async (entity: any) => {
-      if (entity === Organization) {
-        return [{ id: 'org-1', tenant: { id: 'tenant-1' } }]
-      }
-      if (entity === User) {
-        return [{ id: 'user-1', email: encryptedValue, emailHash: null }]
-      }
-      return []
-    })
-
-    execute.mockResolvedValue([{ id: 'user-1', email: encryptedValue, email_hash: null }])
-    ;(decryptWithAesGcm as jest.Mock).mockReturnValueOnce('user@example.com')
-
-    await rotate.run(['--old-key', 'old-secret'])
-
-    expect(findWithDecryption).not.toHaveBeenCalled()
-    expect(decryptWithAesGcm).toHaveBeenCalled()
-    expect(persist).toHaveBeenCalledWith(expect.objectContaining({ email: 'enc:user@example.com' }))
-    expect(flush).toHaveBeenCalled()
-  })
-
-  it('encrypts plaintext emails without old key using findWithDecryption', async () => {
-    const rotate = cli.find((c: any) => c.command === 'rotate-encryption-key')!
-    const plaintextEmail = 'user@example.com'
-
-    find.mockImplementation(async (entity: any) => {
-      if (entity === Organization) {
-        return [{ id: 'org-1', tenant: { id: 'tenant-1' } }]
-      }
-      return []
-    })
-
-    execute.mockResolvedValue([{ id: 'user-1', email: plaintextEmail, email_hash: null }])
-    ;(findWithDecryption as jest.Mock).mockResolvedValue([
-      { id: 'user-1', email: plaintextEmail, emailHash: null },
-    ])
-
-    await rotate.run([])
-
-    expect(findWithDecryption).toHaveBeenCalled()
-    expect(persist).toHaveBeenCalledWith(expect.objectContaining({ email: 'enc:user@example.com' }))
-  })
-})

package/src/modules/auth/__tests__/cli-setup-acl.test.ts

@@ -1,148 +0,0 @@
-/** @jest-environment node */
-import { registerModules } from '@open-mercato/shared/lib/modules/registry'
-import { registerCliModules } from '@open-mercato/shared/modules/registry'
-import type { Module } from '@open-mercato/shared/modules/registry'
-import cli from '@open-mercato/core/modules/auth/cli'
-
-// Register modules so that ensureDefaultRoleAcls can read defaultRoleFeatures
-const testModules: Module[] = [
-  { id: 'auth', setup: { defaultRoleFeatures: { admin: ['auth.*'] } } },
-  { id: 'entities', setup: { defaultRoleFeatures: { admin: ['entities.*'] } } },
-  { id: 'attachments', setup: { defaultRoleFeatures: { admin: ['attachments.*', 'attachments.view', 'attachments.manage'] } } },
-  { id: 'query_index', setup: { defaultRoleFeatures: { admin: ['query_index.*'] } } },
-  { id: 'configs', setup: { defaultRoleFeatures: { admin: ['configs.system_status.view', 'configs.cache.view', 'configs.cache.manage', 'configs.manage'] } } },
-  { id: 'directory', setup: { defaultRoleFeatures: { superadmin: ['directory.tenants.*'], admin: ['directory.organizations.view', 'directory.organizations.manage'] } } },
-  { id: 'customers', setup: { defaultRoleFeatures: { admin: ['customers.*', 'customers.people.view', 'customers.people.manage', 'customers.companies.view', 'customers.companies.manage', 'customers.deals.view', 'customers.deals.manage'], employee: ['customers.*', 'customers.people.view', 'customers.people.manage', 'customers.companies.view', 'customers.companies.manage'] } } },
-  { id: 'catalog', setup: { defaultRoleFeatures: { admin: ['catalog.*', 'catalog.variants.manage', 'catalog.pricing.manage'], employee: ['catalog.*', 'catalog.variants.manage', 'catalog.pricing.manage'] } } },
-  { id: 'sales', setup: { defaultRoleFeatures: { admin: ['sales.*'], employee: ['sales.*'] } } },
-  { id: 'dictionaries', setup: { defaultRoleFeatures: { admin: ['dictionaries.view', 'dictionaries.manage'], employee: ['dictionaries.view'] } } },
-  { id: 'audit_logs', setup: { defaultRoleFeatures: { admin: ['audit_logs.*'], employee: ['audit_logs.undo_self'] } } },
-  { id: 'dashboards', setup: { defaultRoleFeatures: { admin: ['dashboards.*', 'dashboards.admin.assign-widgets'], employee: ['dashboards.view', 'dashboards.configure'] } } },
-  { id: 'api_keys', setup: { defaultRoleFeatures: { admin: ['api_keys.*'] } } },
-  { id: 'perspectives', setup: { defaultRoleFeatures: { admin: ['perspectives.use', 'perspectives.role_defaults'], employee: ['perspectives.use'] } } },
-  { id: 'feature_toggles', setup: { defaultRoleFeatures: { admin: ['feature_toggles.*'] } } },
-  { id: 'business_rules', setup: { defaultRoleFeatures: { admin: ['business_rules.*'] } } },
-  { id: 'workflows', setup: { defaultRoleFeatures: { admin: ['workflows.*'] } } },
-  { id: 'search', setup: { defaultRoleFeatures: { admin: ['search.*', 'vector.*'], employee: ['vector.*'] } } },
-  { id: 'currencies', setup: { defaultRoleFeatures: { admin: ['currencies.*'] } } },
-  { id: 'planner', setup: { defaultRoleFeatures: { admin: ['planner.*'], employee: ['planner.view'] } } },
-  { id: 'resources', setup: { defaultRoleFeatures: { admin: ['resources.*'] } } },
-  { id: 'staff', setup: { defaultRoleFeatures: { admin: ['staff.*', 'staff.leave_requests.manage'], employee: ['staff.leave_requests.send', 'staff.my_availability.view', 'staff.my_availability.manage', 'staff.my_leave_requests.view', 'staff.my_leave_requests.send'] } } },
-  { id: 'translations', setup: { defaultRoleFeatures: { admin: ['translations.*'], employee: ['translations.view', 'translations.manage'] } } },
-  { id: 'example', setup: { defaultRoleFeatures: { admin: ['example.*'], employee: ['example.*', 'example.widgets.*'] } } },
-]
-registerModules(testModules)
-registerCliModules(testModules)
-
-// Mock DI container and EM
-const persistAndFlush = jest.fn()
-const findOne = jest.fn()
-const findOneOrFail = jest.fn()
-const create = jest.fn((entity: any, data: any) => {
-  if (entity?.name === 'Tenant') return { id: 'tenant-1', ...data }
-  if (entity?.name === 'Organization') return { id: 'org-1', ...data }
-  return { ...data }
-})
-const find = jest.fn(async () => [])
-const persist = jest.fn()
-const flush = jest.fn()
-
-jest.mock('@open-mercato/shared/lib/di/container', () => ({
-  createRequestContainer: async () => ({ resolve: (_: string) => {
-    const baseEm = { persistAndFlush, findOne, findOneOrFail, create, find, persist, flush }
-    return {
-      ...baseEm,
-      transactional: async (cb: (tem: any) => any) => {
-        // Provide a transactional EM with persist/flush methods
-        const tem = { ...baseEm }
-        return await cb(tem)
-      },
-    }
-  } }),
-}))
-
-describe('auth CLI setup seeds ACLs', () => {
-  beforeEach(() => {
-    jest.clearAllMocks()
-  })
-
-  it('creates role ACL rows for superadmin/admin/employee', async () => {
-    const setup = cli.find((c: any) => c.command === 'setup')!
-
-    // Arrange mocks: roles exist
-    findOne.mockImplementation(async (Entity: any, where: any) => {
-      if (where?.name === 'superadmin') return { id: 'r-superadmin', name: 'superadmin' }
-      if (where?.name === 'admin') return { id: 'r-admin', name: 'admin' }
-      if (where?.name === 'employee') return { id: 'r-employee', name: 'employee' }
-      return null
-    })
-    findOneOrFail.mockImplementation(async (_: any, where: any) => ({ id: 'role-' + where.name, name: where.name }))
-
-    // Act
-    await setup.run(['--orgName', 'Acme', '--email', 'root@acme.com', '--password', 'secret', '--skip-password-policy'])
-
-    // Assert: persistAndFlush was called to create three RoleAcl rows with expected flags/features
-    const calls = persistAndFlush.mock.calls.map((c) => c[0])
-    const roleAclCreates = calls.filter((row) => 'tenantId' in row && ('isSuperAdmin' in row || Array.isArray(row.featuresJson)))
-    const superadminAcl = roleAclCreates.find((row) => row.isSuperAdmin === true)
-    expect(superadminAcl).toBeDefined()
-    expect(Array.isArray(superadminAcl?.featuresJson)).toBe(true)
-    expect(superadminAcl?.featuresJson).toEqual(expect.arrayContaining(['directory.tenants.*']))
-
-    const adminAcl = roleAclCreates.find((row) => Array.isArray(row.featuresJson) && row.featuresJson.includes('directory.organizations.manage'))
-    expect(adminAcl).toBeDefined()
-    expect(adminAcl?.featuresJson).toEqual(expect.arrayContaining([
-      'auth.*',
-      'entities.*',
-      'attachments.*',
-      'query_index.*',
-      'vector.*',
-      'catalog.*',
-      'sales.*',
-      'configs.system_status.view',
-      'configs.cache.view',
-      'configs.cache.manage',
-      'configs.manage',
-      'directory.organizations.manage',
-      'directory.organizations.view',
-      'customers.*',
-      'customers.people.view',
-      'customers.people.manage',
-      'customers.companies.view',
-      'customers.companies.manage',
-      'dictionaries.view',
-      'dictionaries.manage',
-      'example.*',
-      'audit_logs.*',
-      'dashboards.*',
-      'dashboards.admin.assign-widgets',
-      'api_keys.*',
-      'perspectives.use',
-      'perspectives.role_defaults',
-      'translations.*',
-    ]))
-    expect(adminAcl?.featuresJson).not.toContain('directory.organizations.*')
-
-    const employeeAcl = roleAclCreates.find((row) => Array.isArray(row.featuresJson) && row.featuresJson.includes('example.widgets.*'))
-    expect(employeeAcl).toBeDefined()
-    expect(employeeAcl?.featuresJson).toEqual(expect.arrayContaining([
-      'customers.*',
-      'customers.people.view',
-      'customers.people.manage',
-      'customers.companies.view',
-      'customers.companies.manage',
-      'vector.*',
-      'catalog.*',
-      'sales.*',
-      'dictionaries.view',
-      'example.*',
-      'example.widgets.*',
-      'dashboards.view',
-      'dashboards.configure',
-      'audit_logs.undo_self',
-      'perspectives.use',
-      'translations.view',
-      'translations.manage',
-    ]))
-  }, 20000)
-})

package/src/modules/auth/api/__tests__/feature-check.test.ts

@@ -1,65 +0,0 @@
-/** @jest-environment node */
-import { POST } from '@open-mercato/core/modules/auth/api/feature-check'
-
-// Mock auth
-jest.mock('@open-mercato/shared/lib/auth/server', () => ({
-  getAuthFromRequest: jest.fn(),
-}))
-
-// Mock DI
-const mockRbac = { userHasAllFeatures: jest.fn() }
-jest.mock('@open-mercato/shared/lib/di/container', () => ({
-  createRequestContainer: async () => ({ resolve: (k: string) => (k === 'rbacService' ? mockRbac : null) }),
-}))
-
-function makeReq(body: any) {
-  return new Request('http://localhost/api/auth/feature-check', {
-    method: 'POST',
-    headers: { 'content-type': 'application/json' },
-    body: JSON.stringify(body),
-  })
-}
-
-describe('POST /api/auth/feature-check', () => {
-  beforeEach(() => {
-    jest.clearAllMocks()
-    mockRbac.userHasAllFeatures.mockResolvedValue(true)
-  })
-
-  it('returns 401 when not authenticated', async () => {
-    const { getAuthFromRequest } = await import('@open-mercato/shared/lib/auth/server')
-    ;(getAuthFromRequest as jest.Mock).mockReturnValue(null)
-    const res = await POST(makeReq({ features: ['x.y'] }))
-    expect(res.status).toBe(401)
-  })
-
-  it('returns ok true when no features passed', async () => {
-    const { getAuthFromRequest } = await import('@open-mercato/shared/lib/auth/server')
-    ;(getAuthFromRequest as jest.Mock).mockReturnValue({ sub: 'u1', tenantId: 't1', orgId: 'o1' })
-    const res = await POST(makeReq({ features: [] }))
-    expect(res.status).toBe(200)
-    await expect(res.json()).resolves.toEqual({ ok: true, granted: [], userId: 'u1' })
-  })
-
-  it('returns ok true when RBAC grants all features', async () => {
-    const { getAuthFromRequest } = await import('@open-mercato/shared/lib/auth/server')
-    ;(getAuthFromRequest as jest.Mock).mockReturnValue({ sub: 'u1', tenantId: 't1', orgId: 'o1' })
-    mockRbac.userHasAllFeatures.mockResolvedValueOnce(true)
-    const res = await POST(makeReq({ features: ['a.b'] }))
-    expect(res.status).toBe(200)
-    await expect(res.json()).resolves.toEqual({ ok: true, granted: ['a.b'], userId: 'u1' })
-  })
-
-  it('returns ok false when RBAC denies features', async () => {
-    const { getAuthFromRequest } = await import('@open-mercato/shared/lib/auth/server')
-    ;(getAuthFromRequest as jest.Mock).mockReturnValue({ sub: 'u1', tenantId: 't1', orgId: 'o1' })
-    mockRbac.userHasAllFeatures.mockResolvedValueOnce(false)
-    const res = await POST(makeReq({ features: ['a.b'] }))
-    expect(res.status).toBe(200)
-    const data = await res.json()
-    expect(data.ok).toBe(false)
-    expect(Array.isArray(data.granted)).toBe(true)
-  })
-})
-
-

package/src/modules/auth/api/__tests__/login.test.ts

@@ -1,47 +0,0 @@
-/** @jest-environment node */
-import { POST } from '@open-mercato/core/modules/auth/api/login'
-import { randomUUID } from 'crypto'
-
-const tenantId = randomUUID()
-const orgId = randomUUID()
-
-jest.mock('@open-mercato/shared/lib/i18n/server', () => ({
-  resolveTranslations: async () => ({
-    translate: (_key: string, fallback?: string) => fallback ?? '',
-  }),
-}))
-
-jest.mock('@open-mercato/shared/lib/di/container', () => ({
-  createRequestContainer: async () => ({
-    resolve: (_: string) => ({
-      findUserByEmail: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
-      findUsersByEmail: async (email: string) => ([{ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }]),
-      findUserByEmailAndTenant: async (email: string) => ({ id: 1, email, passwordHash: 'hash', tenantId: tenantId, organizationId: orgId }),
-      verifyPassword: async () => true,
-      getUserRoles: async (_user: any, _tenant: string | null | undefined) => ['admin'],
-      updateLastLoginAt: async () => undefined,
-      createSession: async (_user: any, _exp: Date) => ({ token: 'session-token' }),
-    }),
-  }),
-}))
-
-jest.mock('@open-mercato/shared/lib/auth/jwt', () => ({ signJwt: () => 'jwt-token' }))
-
-function makeFormData(data: Record<string, string>) {
-  const fd = new FormData()
-  for (const [k, v] of Object.entries(data)) fd.append(k, v)
-  return fd
-}
-
-describe('POST /api/auth/login', () => {
-  it('returns token and sets cookies on success', async () => {
-    const req = new Request('http://localhost/api/auth/login', { method: 'POST', body: makeFormData({ email: 'user@example.com', password: 'secret', remember: '1' }) })
-    const res = await POST(req)
-    expect(res.status).toBe(200)
-    const text = await res.text()
-    expect(text).toContain('"ok":true')
-    expect(text).toContain('"token":"jwt-token"')
-    const setCookie = res.headers.get('set-cookie') || ''
-    expect(setCookie).toContain('auth_token=')
-  })
-})