npm - @open-mercato/core - Versions diffs - 0.5.1-develop.2652.0276e72e45 → 0.5.1-develop.2663.2c29774b5b - Mend

@open-mercato/core 0.5.1-develop.2652.0276e72e45 → 0.5.1-develop.2663.2c29774b5b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/src/modules/directory/backend/directory/organizations/[id]/edit/page.tsx CHANGED Viewed

@@ -24,6 +24,7 @@ type OrganizationResponse = {
   items: Array<{
     id: string
     name: string
+    slug?: string | null
     tenantId: string
     tenantName?: string | null
     parentId: string | null
@@ -131,6 +132,7 @@ export default function EditOrganizationPage({ params }: { params?: { id?: strin
         setInitialValues({
           id: record.id,
           name: record.name,
+          slug: record.slug ?? '',
           parentId: record.parentId || '',
           isActive: record.isActive,
           tenantId: resolvedTenantId,
@@ -194,6 +196,12 @@ export default function EditOrganizationPage({ params }: { params?: { id?: strin
       } as CrudField,
     ] : []),
     { id: 'name', label: t('directory.organizations.form.field.name', 'Name'), type: 'text', required: true },
+    {
+      id: 'slug',
+      label: t('directory.organizations.form.field.slug', 'Slug'),
+      type: 'text',
+      description: t('directory.organizations.form.field.slug.description', 'URL-safe identifier used for the customer portal (lowercase letters, numbers, hyphens, underscores).'),
+    },
     {
       id: 'parentId',
       label: t('directory.organizations.form.field.parent', 'Parent'),
@@ -237,8 +245,8 @@ export default function EditOrganizationPage({ params }: { params?: { id?: strin
   const detailFields = React.useMemo(() => (
     actorIsSuperAdmin
-      ? ['tenantId', 'name', 'parentId', 'childrenInfo', 'isActive']
-      : ['name', 'parentId', 'childrenInfo', 'isActive']
+      ? ['tenantId', 'name', 'slug', 'parentId', 'childrenInfo', 'isActive']
+      : ['name', 'slug', 'parentId', 'childrenInfo', 'isActive']
   ), [actorIsSuperAdmin])
   const groups: CrudFormGroup[] = React.useMemo(() => ([
@@ -278,7 +286,7 @@ export default function EditOrganizationPage({ params }: { params?: { id?: strin
           fields={fields}
           groups={groups}
           entityId={E.directory.organization}
-          initialValues={initialValues ?? { id: orgId, tenantId: tenantId ?? null, name: '', parentId: '', isActive: true, childIds: [] }}
+          initialValues={initialValues ?? { id: orgId, tenantId: tenantId ?? null, name: '', slug: '', parentId: '', isActive: true, childIds: [] }}
           isLoading={loading}
           loadingMessage={t('directory.organizations.form.loading', 'Loading organization...')}
           submitLabel={t('directory.organizations.form.action.save', 'Save')}
@@ -315,6 +323,7 @@ export default function EditOrganizationPage({ params }: { params?: { id?: strin
 type UpdateOrganizationPayload = {
   id: string
   name: string
+  slug?: string | null
   isActive: boolean
   parentId: string | null
   childIds: string[]
@@ -371,6 +380,11 @@ export async function submitUpdateOrganization(options: {
     childIds: originalChildIds,
   }
+  if (typeof values.slug === 'string') {
+    const trimmedSlug = values.slug.trim()
+    payload.slug = trimmedSlug.length ? trimmedSlug : null
+  }
   if (submittedTenantId !== undefined && submittedTenantId !== null) {
     payload.tenantId = submittedTenantId
   }

package/src/modules/directory/backend/directory/organizations/create/page.tsx CHANGED Viewed

@@ -132,6 +132,12 @@ export default function CreateOrganizationPage() {
       } as CrudField,
     ] : []),
     { id: 'name', label: t('directory.organizations.form.field.name', 'Name'), type: 'text', required: true },
+    {
+      id: 'slug',
+      label: t('directory.organizations.form.field.slug', 'Slug'),
+      type: 'text',
+      description: t('directory.organizations.form.field.slug.description', 'URL-safe identifier used for the customer portal (lowercase letters, numbers, hyphens, underscores). Generated from the name when left blank.'),
+    },
     {
       id: 'parentId',
       label: t('directory.organizations.form.field.parent', 'Parent'),
@@ -166,8 +172,8 @@ export default function CreateOrganizationPage() {
   const detailFields = React.useMemo(() => (
     actorIsSuperAdmin
-      ? ['tenantId', 'name', 'parentId', 'childIds', 'isActive']
-      : ['name', 'parentId', 'childIds', 'isActive']
+      ? ['tenantId', 'name', 'slug', 'parentId', 'childIds', 'isActive']
+      : ['name', 'slug', 'parentId', 'childIds', 'isActive']
   ), [actorIsSuperAdmin])
   const groups: CrudFormGroup[] = React.useMemo(() => ([
@@ -186,7 +192,7 @@ export default function CreateOrganizationPage() {
           fields={fields}
           groups={groups}
           entityId={E.directory.organization}
-          initialValues={{ tenantId: selectedTenantId ?? null, name: '', parentId: '', childIds: [], isActive: true }}
+          initialValues={{ tenantId: selectedTenantId ?? null, name: '', slug: '', parentId: '', childIds: [], isActive: true }}
           submitLabel={t('directory.organizations.form.action.create', 'Create')}
           cancelHref="/backend/directory/organizations"
           successRedirect={`/backend/directory/organizations?flash=${successMessage}&type=success`}
@@ -208,6 +214,7 @@ export default function CreateOrganizationPage() {
 type CreateOrganizationPayload = {
   name: string
+  slug?: string | null
   isActive: boolean
   parentId: string | null
   childIds: string[]
@@ -261,6 +268,11 @@ export async function submitCreateOrganization(options: {
     childIds: Array.isArray(values.childIds) ? values.childIds.filter((id): id is string => typeof id === 'string') : [],
   }
+  if (typeof values.slug === 'string') {
+    const trimmedSlug = values.slug.trim()
+    if (trimmedSlug.length) payload.slug = trimmedSlug
+  }
   if (tenantValue) payload.tenantId = tenantValue
   if (Object.keys(customFields).length > 0) payload.customFields = customFields

package/src/modules/directory/i18n/de.json CHANGED Viewed

@@ -27,6 +27,8 @@
   "directory.organizations.form.field.isActive": "Aktiv",
   "directory.organizations.form.field.name": "Name",
   "directory.organizations.form.field.parent": "Übergeordnete Organisation",
+  "directory.organizations.form.field.slug": "Slug",
+  "directory.organizations.form.field.slug.description": "URL-sicherer Bezeichner für das Kundenportal (Kleinbuchstaben, Zahlen, Bindestriche, Unterstriche).",
   "directory.organizations.form.field.tenant": "Mandant",
   "directory.organizations.form.group.customFields": "Benutzerdefinierte Daten",
   "directory.organizations.form.group.details": "Details",

package/src/modules/directory/i18n/en.json CHANGED Viewed

@@ -27,6 +27,8 @@
   "directory.organizations.form.field.isActive": "Active",
   "directory.organizations.form.field.name": "Name",
   "directory.organizations.form.field.parent": "Parent",
+  "directory.organizations.form.field.slug": "Slug",
+  "directory.organizations.form.field.slug.description": "URL-safe identifier used for the customer portal (lowercase letters, numbers, hyphens, underscores).",
   "directory.organizations.form.field.tenant": "Tenant",
   "directory.organizations.form.group.customFields": "Custom Data",
   "directory.organizations.form.group.details": "Details",

package/src/modules/directory/i18n/es.json CHANGED Viewed

@@ -27,6 +27,8 @@
   "directory.organizations.form.field.isActive": "Activo",
   "directory.organizations.form.field.name": "Nombre",
   "directory.organizations.form.field.parent": "Padre",
+  "directory.organizations.form.field.slug": "Slug",
+  "directory.organizations.form.field.slug.description": "Identificador seguro para URL usado en el portal de clientes (minúsculas, números, guiones, guiones bajos).",
   "directory.organizations.form.field.tenant": "Inquilino",
   "directory.organizations.form.group.customFields": "Datos personalizados",
   "directory.organizations.form.group.details": "Detalles",

package/src/modules/directory/i18n/pl.json CHANGED Viewed

@@ -27,6 +27,8 @@
   "directory.organizations.form.field.isActive": "Aktywna",
   "directory.organizations.form.field.name": "Nazwa",
   "directory.organizations.form.field.parent": "Organizacja nadrzędna",
+  "directory.organizations.form.field.slug": "Identyfikator URL",
+  "directory.organizations.form.field.slug.description": "Identyfikator używany w adresie portalu klienta (małe litery, cyfry, myślniki, podkreślenia).",
   "directory.organizations.form.field.tenant": "Najemca",
   "directory.organizations.form.group.customFields": "Dane niestandardowe",
   "directory.organizations.form.group.details": "Szczegóły",

package/src/modules/messages/components/message-detail/hooks/useMessageDetails.ts CHANGED Viewed

@@ -23,8 +23,9 @@ export function useMessageDetails(id: string) {
     queryClient,
   })
-  const invalidateDetailQueries = React.useCallback(
+  const invalidateMessageQueries = React.useCallback(
     (payload: Record<string, unknown>) => {
+      void queryClient.invalidateQueries({ queryKey: ['messages', 'list'] })
       void queryClient.invalidateQueries({ queryKey: ['messages', 'detail', id] })
       const messageId = typeof payload.messageId === 'string' ? payload.messageId : null
       if (messageId && messageId !== id) {
@@ -37,9 +38,9 @@ export function useMessageDetails(id: string) {
   useAppEvent(
     'messages.message.*',
     (evt) => {
-      invalidateDetailQueries((evt.payload ?? {}) as Record<string, unknown>)
+      invalidateMessageQueries((evt.payload ?? {}) as Record<string, unknown>)
     },
-    [invalidateDetailQueries],
+    [invalidateMessageQueries],
   )
   useAppEvent(

package/src/modules/portal/frontend/[orgSlug]/portal/dashboard/page.meta.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  requireCustomerAuth: true,
+  titleKey: 'portal.dashboard.title',
+  title: 'Dashboard',
+  nav: {
+    label: 'Dashboard',
+    labelKey: 'portal.nav.dashboard',
+    group: 'main',
+    order: 10,
+  },
+}
+export default metadata

package/src/modules/portal/frontend/[orgSlug]/portal/login/page.meta.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  titleKey: 'portal.nav.login',
+  title: 'Log In',
+  navHidden: true,
+}
+export default metadata

package/src/modules/portal/frontend/[orgSlug]/portal/page.meta.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  titleKey: 'portal.title',
+  title: 'Customer Portal',
+  navHidden: true,
+}
+export default metadata

package/src/modules/portal/frontend/[orgSlug]/portal/profile/page.meta.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  requireCustomerAuth: true,
+  titleKey: 'portal.nav.profile',
+  title: 'Profile',
+  nav: {
+    label: 'Profile',
+    labelKey: 'portal.nav.profile',
+    group: 'account',
+    order: 10,
+  },
+}
+export default metadata

package/src/modules/portal/frontend/[orgSlug]/portal/signup/page.meta.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  titleKey: 'portal.nav.signup',
+  title: 'Sign Up',
+  navHidden: true,
+}
+export default metadata

package/src/modules/portal/frontend/[orgSlug]/portal/verify/page.meta.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { PageMetadata } from '@open-mercato/shared/modules/registry'
+export const metadata: PageMetadata = {
+  titleKey: 'portal.title',
+  title: 'Verify Email',
+  navHidden: true,
+}
+export default metadata

package/src/modules/workflows/lib/activity-executor.ts CHANGED Viewed

@@ -28,7 +28,18 @@ import { logWorkflowEvent } from './event-logger'
 export { isPrivateUrl } from '@open-mercato/shared/lib/network'
 function isAllowPrivateWorkflowWebhookUrlsEnabled(): boolean {
-  return parseBooleanWithDefault(process.env.OM_WORKFLOWS_ALLOW_PRIVATE_URLS, false)
+  if (parseBooleanWithDefault(process.env.OM_WORKFLOWS_ALLOW_PRIVATE_URLS, false)) {
+    return true
+  }
+  if (parseBooleanWithDefault(process.env.WORKFLOW_WEBHOOK_ALLOW_PRIVATE_URLS, false)) {
+    console.warn(
+      '[CALL_WEBHOOK] WORKFLOW_WEBHOOK_ALLOW_PRIVATE_URLS is deprecated. Use OM_WORKFLOWS_ALLOW_PRIVATE_URLS instead. SSRF protection is bypassed.'
+    )
+    return true
+  }
+  return false
 }
 // ============================================================================
@@ -788,10 +799,13 @@ export async function executeCallApi(
   //   SECURITY.md changelog entry for this fix.
   //
   //   The resolution strategy is:
-  //     1. Use the workflow instance's `createdBy` user (whoever manually
-  //        started the instance), when available.
-  //     2. Fall back to the workflow definition's `createdBy` (author) when
-  //        the instance was started by an event trigger with no user.
+  //     1. Use the workflow instance's `metadata.initiatedBy` user (whoever
+  //        manually started the instance), when available. Only this user's
+  //        current active roles are used — we never fall back to the author
+  //        when the initiator is known, because that would escalate the
+  //        initiator's privileges.
+  //     2. Fall back to the workflow definition's `createdBy` (author) only
+  //        when the instance was started by an event trigger with no user.
   //     3. If no traceable principal exists, the activity refuses to run —
   //        there is no "system" fallback that bypasses RBAC.
   const resolvedRoleIds = await resolveCallApiRoleIds(apiKeyEm, context.workflowInstance)
@@ -885,38 +899,28 @@ export type CallApiInstanceLike = {
   tenantId: string
   organizationId: string
   definitionId: string
+  metadata?: { initiatedBy?: string | null } | null
 }
-export async function resolveCallApiRoleIds(
+async function resolveActiveRoleIdsForUser(
   em: any,
-  instance: CallApiInstanceLike
+  userId: string,
+  scope: { tenantId: string; organizationId: string },
 ): Promise<string[]> {
-  if (!instance.definitionId) return []
   const { findOneWithDecryption, findWithDecryption } = await import('@open-mercato/shared/lib/encryption/find')
   const { User, UserRole, Role } = await import('../../auth/data/entities')
-  const { WorkflowDefinition } = await import('../data/entities')
-  const scope = { tenantId: instance.tenantId, organizationId: instance.organizationId }
-  const definition = await findOneWithDecryption(em, WorkflowDefinition, {
-    id: instance.definitionId,
-    tenantId: instance.tenantId,
-  }, {}, scope)
-  const authorUserId = definition?.createdBy
-  if (!authorUserId) return []
-  const author = await findOneWithDecryption(em, User, {
-    id: authorUserId,
-    tenantId: instance.tenantId,
+  const user = await findOneWithDecryption(em, User, {
+    id: userId,
+    tenantId: scope.tenantId,
     deletedAt: null,
   }, {}, scope)
-  if (!author) return []
+  if (!user) return []
   const userRoles = await findWithDecryption(
     em,
     UserRole,
-    { user: author.id, deletedAt: null },
+    { user: user.id, deletedAt: null },
     { populate: ['role'] },
     scope,
   )
@@ -928,12 +932,47 @@ export async function resolveCallApiRoleIds(
   const scopedRoles = await findWithDecryption(em, Role, {
     id: { $in: roleIds },
-    tenantId: instance.tenantId,
+    tenantId: scope.tenantId,
     deletedAt: null,
   }, {}, scope)
   return scopedRoles.map((r: any) => r.id as string)
 }
+export async function resolveCallApiRoleIds(
+  em: any,
+  instance: CallApiInstanceLike
+): Promise<string[]> {
+  if (!instance.definitionId) return []
+  const { findOneWithDecryption } = await import('@open-mercato/shared/lib/encryption/find')
+  const { WorkflowDefinition } = await import('../data/entities')
+  const scope = { tenantId: instance.tenantId, organizationId: instance.organizationId }
+  // 1. Prefer the triggering user (whoever manually started this instance).
+  //    WorkflowInstance.metadata.initiatedBy is the canonical record of that
+  //    principal for user-started instances; use their current role set so
+  //    CALL_API never exceeds the initiator's permissions. Refuse if the
+  //    initiator has no active scoped roles — do not fall back to the
+  //    definition author, which would escalate the initiator's privileges.
+  const initiatorUserId = instance.metadata?.initiatedBy ?? null
+  if (initiatorUserId) {
+    return resolveActiveRoleIdsForUser(em, initiatorUserId, scope)
+  }
+  // 2. Event-triggered instance with no human initiator: fall back to the
+  //    definition author. Soft-deleted definitions must not mint keys.
+  const definition = await findOneWithDecryption(em, WorkflowDefinition, {
+    id: instance.definitionId,
+    tenantId: instance.tenantId,
+    deletedAt: null,
+  }, {}, scope)
+  const authorUserId = definition?.createdBy
+  if (!authorUserId) return []
+  return resolveActiveRoleIdsForUser(em, authorUserId, scope)
+}
 /**
  * Build full API URL from endpoint
  * - Relative paths (/api/...) → prepend APP_URL