@open-mercato/core 0.5.1-develop.2691.d8a0934b37 → 0.5.1-develop.2694.732417c5ec

package/dist/modules/api_keys/data/entities.js

@@ -8,7 +8,7 @@ var __decorateClass = (decorators, target, key, kind) => {
   if (kind && result) __defProp(target, key, result);
   return result;
 };
-import { Entity, PrimaryKey, Property, Unique } from "@mikro-orm/core";
+import { Entity, PrimaryKey, Property, Unique } from "@mikro-orm/decorators/legacy";
 let ApiKey = class {
   constructor() {
     this.createdAt = /* @__PURE__ */ new Date();

package/dist/modules/api_keys/data/entities.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/api_keys/data/entities.ts"],
-  "sourcesContent": ["import { Entity, PrimaryKey, Property, Unique } from '@mikro-orm/core'\n\n@Entity({ tableName: 'api_keys' })\n@Unique({ properties: ['keyPrefix'] })\nexport class ApiKey {\n  @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })\n  id!: string\n\n  @Property({ type: 'text' })\n  name!: string\n\n  @Property({ name: 'description', type: 'text', nullable: true })\n  description?: string | null\n\n  @Property({ name: 'tenant_id', type: 'uuid', nullable: true })\n  tenantId?: string | null\n\n  @Property({ name: 'organization_id', type: 'uuid', nullable: true })\n  organizationId?: string | null\n\n  @Property({ name: 'key_hash', type: 'text' })\n  keyHash!: string\n\n  @Property({ name: 'key_prefix', type: 'text' })\n  keyPrefix!: string\n\n  @Property({ name: 'roles_json', type: 'json', nullable: true })\n  rolesJson?: string[] | null\n\n  @Property({ name: 'created_by', type: 'uuid', nullable: true })\n  createdBy?: string | null\n\n  /** Session token for ephemeral session-scoped keys (used by AI chat) */\n  @Property({ name: 'session_token', type: 'text', nullable: true })\n  sessionToken?: string | null\n\n  /** User ID who owns this session (for ephemeral keys) */\n  @Property({ name: 'session_user_id', type: 'uuid', nullable: true })\n  sessionUserId?: string | null\n\n  /** Encrypted API key secret for session keys (recoverable for API calls) */\n  @Property({ name: 'session_secret_encrypted', type: 'text', nullable: true })\n  sessionSecretEncrypted?: string | null\n\n  @Property({ name: 'last_used_at', type: Date, nullable: true })\n  lastUsedAt?: Date | null\n\n  @Property({ name: 'expires_at', type: Date, nullable: true })\n  expiresAt?: Date | null\n\n  @Property({ name: 'created_at', type: Date, onCreate: () => new Date() })\n  createdAt: Date = new Date()\n\n  @Property({ name: 'updated_at', type: Date, onUpdate: () => new Date(), nullable: true })\n  updatedAt?: Date\n\n  @Property({ name: 'deleted_at', type: Date, nullable: true })\n  deletedAt?: Date | null\n}\n"],
+  "sourcesContent": ["import { Entity, PrimaryKey, Property, Unique } from '@mikro-orm/decorators/legacy'\n\n@Entity({ tableName: 'api_keys' })\n@Unique({ properties: ['keyPrefix'] })\nexport class ApiKey {\n  @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })\n  id!: string\n\n  @Property({ type: 'text' })\n  name!: string\n\n  @Property({ name: 'description', type: 'text', nullable: true })\n  description?: string | null\n\n  @Property({ name: 'tenant_id', type: 'uuid', nullable: true })\n  tenantId?: string | null\n\n  @Property({ name: 'organization_id', type: 'uuid', nullable: true })\n  organizationId?: string | null\n\n  @Property({ name: 'key_hash', type: 'text' })\n  keyHash!: string\n\n  @Property({ name: 'key_prefix', type: 'text' })\n  keyPrefix!: string\n\n  @Property({ name: 'roles_json', type: 'json', nullable: true })\n  rolesJson?: string[] | null\n\n  @Property({ name: 'created_by', type: 'uuid', nullable: true })\n  createdBy?: string | null\n\n  /** Session token for ephemeral session-scoped keys (used by AI chat) */\n  @Property({ name: 'session_token', type: 'text', nullable: true })\n  sessionToken?: string | null\n\n  /** User ID who owns this session (for ephemeral keys) */\n  @Property({ name: 'session_user_id', type: 'uuid', nullable: true })\n  sessionUserId?: string | null\n\n  /** Encrypted API key secret for session keys (recoverable for API calls) */\n  @Property({ name: 'session_secret_encrypted', type: 'text', nullable: true })\n  sessionSecretEncrypted?: string | null\n\n  @Property({ name: 'last_used_at', type: Date, nullable: true })\n  lastUsedAt?: Date | null\n\n  @Property({ name: 'expires_at', type: Date, nullable: true })\n  expiresAt?: Date | null\n\n  @Property({ name: 'created_at', type: Date, onCreate: () => new Date() })\n  createdAt: Date = new Date()\n\n  @Property({ name: 'updated_at', type: Date, onUpdate: () => new Date(), nullable: true })\n  updatedAt?: Date\n\n  @Property({ name: 'deleted_at', type: Date, nullable: true })\n  deletedAt?: Date | null\n}\n"],
   "mappings": ";;;;;;;;;;AAAA,SAAS,QAAQ,YAAY,UAAU,cAAc;AAI9C,IAAM,SAAN,MAAa;AAAA,EAAb;AA+CL,qBAAkB,oBAAI,KAAK;AAAA;AAO7B;AApDE;AAAA,EADC,WAAW,EAAE,MAAM,QAAQ,YAAY,oBAAoB,CAAC;AAAA,GADlD,OAEX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,OAAO,CAAC;AAAA,GAJf,OAKX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,eAAe,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAPpD,OAQX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,aAAa,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAVlD,OAWX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,mBAAmB,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAbxD,OAcX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,YAAY,MAAM,OAAO,CAAC;AAAA,GAhBjC,OAiBX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,OAAO,CAAC;AAAA,GAnBnC,OAoBX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAtBnD,OAuBX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAzBnD,OA0BX;AAIA;AAAA,EADC,SAAS,EAAE,MAAM,iBAAiB,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GA7BtD,OA8BX;AAIA;AAAA,EADC,SAAS,EAAE,MAAM,mBAAmB,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GAjCxD,OAkCX;AAIA;AAAA,EADC,SAAS,EAAE,MAAM,4BAA4B,MAAM,QAAQ,UAAU,KAAK,CAAC;AAAA,GArCjE,OAsCX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,gBAAgB,MAAM,MAAM,UAAU,KAAK,CAAC;AAAA,GAxCnD,OAyCX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,MAAM,UAAU,KAAK,CAAC;AAAA,GA3CjD,OA4CX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,MAAM,UAAU,MAAM,oBAAI,KAAK,EAAE,CAAC;AAAA,GA9C7D,OA+CX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,MAAM,UAAU,MAAM,oBAAI,KAAK,GAAG,UAAU,KAAK,CAAC;AAAA,GAjD7E,OAkDX;AAGA;AAAA,EADC,SAAS,EAAE,MAAM,cAAc,MAAM,MAAM,UAAU,KAAK,CAAC;AAAA,GApDjD,OAqDX;AArDW,SAAN;AAAA,EAFN,OAAO,EAAE,WAAW,WAAW,CAAC;AAAA,EAChC,OAAO,EAAE,YAAY,CAAC,WAAW,EAAE,CAAC;AAAA,GACxB;",
   "names": []
 }

package/dist/modules/api_keys/services/apiKeyService.js

@@ -55,7 +55,7 @@ async function createApiKey(em, input, opts = {}) {
     expiresAt: input.expiresAt ?? null,
     createdAt: /* @__PURE__ */ new Date()
   });
-  await em.persistAndFlush(record);
+  await em.persist(record).flush();
   if (opts.rbac) {
     await opts.rbac.invalidateUserCache(`api_key:${record.id}`);
   }
@@ -65,7 +65,7 @@ async function deleteApiKey(em, id, opts = {}) {
   const record = await em.findOne(ApiKey, { id });
   if (!record) return;
   record.deletedAt = /* @__PURE__ */ new Date();
-  await em.persistAndFlush(record);
+  await em.persist(record).flush();
   getSharedApiKeyAuthCache().invalidateByKeyId(record.id);
   if (opts.rbac) {
     await opts.rbac.invalidateUserCache(`api_key:${record.id}`);
@@ -106,7 +106,7 @@ async function createSessionApiKey(em, input) {
     expiresAt,
     createdAt: /* @__PURE__ */ new Date()
   });
-  await em.persistAndFlush(record);
+  await em.persist(record).flush();
   return {
     keyId: record.id,
     secret,
@@ -141,7 +141,7 @@ async function deleteSessionApiKey(em, sessionToken) {
   const record = await em.findOne(ApiKey, { sessionToken, deletedAt: null });
   if (!record) return;
   record.deletedAt = /* @__PURE__ */ new Date();
-  await em.persistAndFlush(record);
+  await em.persist(record).flush();
   getSharedApiKeyAuthCache().invalidateByKeyId(record.id);
 }
 const ONETIME_KEY_MAX_TTL_MS = 5 * 60 * 1e3;
@@ -160,7 +160,7 @@ async function withOnetimeApiKey(em, input, fn) {
   } finally {
     try {
       record.deletedAt = /* @__PURE__ */ new Date();
-      await em.persistAndFlush(record);
+      await em.persist(record).flush();
       getSharedApiKeyAuthCache().invalidateByKeyId(record.id);
     } catch (error) {
       console.error("[withOnetimeApiKey] Failed to soft-delete one-time API key:", error);

package/dist/modules/api_keys/services/apiKeyService.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/api_keys/services/apiKeyService.ts"],
-  "sourcesContent": ["import { randomBytes } from 'node:crypto'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { hash, compare } from 'bcryptjs'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { ApiKey } from '../data/entities'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { encryptWithAesGcm, decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { getSharedApiKeyAuthCache } from '@open-mercato/shared/lib/auth/apiKeyAuthCache'\n\nconst BCRYPT_COST = 10\n\n// =============================================================================\n// Session Secret Encryption Helpers\n// =============================================================================\n\n/**\n * Encrypt an API key secret for storage.\n * Uses tenant-specific DEK if available, otherwise returns null.\n */\nasync function encryptSessionSecret(\n  secret: string,\n  tenantId: string | null\n): Promise<string | null> {\n  if (!tenantId) return null\n\n  const kms = createKmsService()\n  if (!kms.isHealthy()) return null\n\n  const dek = await kms.getTenantDek(tenantId)\n  if (!dek) {\n    // Try to create a DEK if one doesn't exist\n    const created = await kms.createTenantDek(tenantId)\n    if (!created) return null\n    const encrypted = encryptWithAesGcm(secret, created.key)\n    return encrypted.value\n  }\n\n  const encrypted = encryptWithAesGcm(secret, dek.key)\n  return encrypted.value\n}\n\n/**\n * Decrypt an API key secret from storage.\n * Returns null if decryption fails or no DEK available.\n */\nasync function decryptSessionSecret(\n  encrypted: string,\n  tenantId: string | null\n): Promise<string | null> {\n  if (!tenantId || !encrypted) return null\n\n  const kms = createKmsService()\n  if (!kms.isHealthy()) return null\n\n  const dek = await kms.getTenantDek(tenantId)\n  if (!dek) return null\n\n  return decryptWithAesGcm(encrypted, dek.key)\n}\n\nexport type CreateApiKeyInput = {\n  name: string\n  description?: string | null\n  tenantId?: string | null\n  organizationId?: string | null\n  roles?: string[]\n  expiresAt?: Date | null\n  createdBy?: string | null\n}\n\nexport type ApiKeyWithSecret = {\n  record: ApiKey\n  secret: string\n}\n\nexport function generateApiKeySecret(): { secret: string; prefix: string } {\n  const short = randomBytes(4).toString('hex')\n  const body = randomBytes(24).toString('hex')\n  const secret = `omk_${short}.${body}`\n  const prefix = secret.slice(0, 12)\n  return { secret, prefix }\n}\n\nexport async function hashApiKey(secret: string): Promise<string> {\n  return hash(secret, BCRYPT_COST)\n}\n\nexport async function verifyApiKey(secret: string, keyHash: string): Promise<boolean> {\n  return compare(secret, keyHash)\n}\n\nexport async function createApiKey(\n  em: EntityManager,\n  input: CreateApiKeyInput,\n  opts: { rbac?: RbacService } = {},\n): Promise<ApiKeyWithSecret> {\n  const { secret, prefix } = generateApiKeySecret()\n  const keyHash = await hashApiKey(secret)\n  const record = em.create(ApiKey, {\n    name: input.name,\n    description: input.description ?? null,\n    tenantId: input.tenantId ?? null,\n    organizationId: input.organizationId ?? null,\n    keyHash,\n    keyPrefix: prefix,\n    rolesJson: Array.isArray(input.roles) ? input.roles : [],\n    createdBy: input.createdBy ?? null,\n    expiresAt: input.expiresAt ?? null,\n    createdAt: new Date(),\n  })\n  await em.persistAndFlush(record)\n  if (opts.rbac) {\n    await opts.rbac.invalidateUserCache(`api_key:${record.id}`)\n  }\n  return { record, secret }\n}\n\nexport async function deleteApiKey(\n  em: EntityManager,\n  id: string,\n  opts: { rbac?: RbacService } = {},\n): Promise<void> {\n  const record = await em.findOne(ApiKey, { id })\n  if (!record) return\n  record.deletedAt = new Date()\n  await em.persistAndFlush(record)\n  getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n  if (opts.rbac) {\n    await opts.rbac.invalidateUserCache(`api_key:${record.id}`)\n  }\n}\n\nexport async function findApiKeyBySecret(em: EntityManager, secret: string): Promise<ApiKey | null> {\n  if (!secret) return null\n  // Extract prefix from the secret for fast candidate lookup\n  const prefix = secret.slice(0, 12)\n  // Find candidates by prefix (fast index lookup)\n  const candidates = await em.find(ApiKey, { keyPrefix: prefix, deletedAt: null })\n  // Verify each candidate with bcrypt until we find a match\n  for (const candidate of candidates) {\n    if (candidate.expiresAt && candidate.expiresAt.getTime() < Date.now()) continue\n    const isValid = await verifyApiKey(secret, candidate.keyHash)\n    if (isValid) return candidate\n  }\n  return null\n}\n\n// =============================================================================\n// Session-scoped API Keys (for AI Chat ephemeral authorization)\n// =============================================================================\n\nexport type CreateSessionApiKeyInput = {\n  sessionToken: string\n  userId: string\n  userRoles: string[]\n  tenantId?: string | null\n  organizationId?: string | null\n  ttlMinutes?: number\n}\n\n/**\n * Generate a unique session token for ephemeral API keys.\n * Format: sess_{32 hex chars}\n */\nexport function generateSessionToken(): string {\n  return `sess_${randomBytes(16).toString('hex')}`\n}\n\n/**\n * Create an ephemeral API key scoped to a chat session.\n * The key inherits the user's roles and expires after ttlMinutes (default 30).\n * The API key secret is encrypted and stored so it can be recovered for API calls.\n */\nexport async function createSessionApiKey(\n  em: EntityManager,\n  input: CreateSessionApiKeyInput\n): Promise<{ keyId: string; secret: string; sessionToken: string }> {\n  const { secret, prefix } = generateApiKeySecret()\n  const ttl = input.ttlMinutes ?? 30\n  const expiresAt = new Date(Date.now() + ttl * 60 * 1000)\n  const keyHash = await hashApiKey(secret)\n\n  // Encrypt the secret for later retrieval (used by MCP server for API calls)\n  const encryptedSecret = await encryptSessionSecret(secret, input.tenantId ?? null)\n\n  const record = em.create(ApiKey, {\n    name: `__session_${input.sessionToken}__`,\n    description: 'Ephemeral session API key for AI chat',\n    tenantId: input.tenantId ?? null,\n    organizationId: input.organizationId ?? null,\n    keyHash,\n    keyPrefix: prefix,\n    rolesJson: input.userRoles,\n    createdBy: input.userId,\n    sessionToken: input.sessionToken,\n    sessionUserId: input.userId,\n    sessionSecretEncrypted: encryptedSecret,\n    expiresAt,\n    createdAt: new Date(),\n  })\n\n  await em.persistAndFlush(record)\n\n  return {\n    keyId: record.id,\n    secret,\n    sessionToken: input.sessionToken,\n  }\n}\n\n/**\n * Find an API key by its session token.\n * Returns null if not found, expired, or deleted.\n */\nexport async function findApiKeyBySessionToken(\n  em: EntityManager,\n  sessionToken: string\n): Promise<ApiKey | null> {\n  if (!sessionToken) return null\n\n  const record = await em.findOne(ApiKey, {\n    sessionToken,\n    deletedAt: null,\n  })\n\n  if (!record) return null\n  if (record.expiresAt && record.expiresAt.getTime() < Date.now()) return null\n\n  return record\n}\n\n/**\n * Find a session API key with its decrypted secret.\n * Returns null if not found, expired, deleted, or decryption fails.\n * This is used by the MCP server to recover the API key secret for making\n * authenticated API calls on behalf of the user.\n */\nexport async function findSessionApiKeyWithSecret(\n  em: EntityManager,\n  sessionToken: string\n): Promise<{ key: ApiKey; secret: string } | null> {\n  const record = await findApiKeyBySessionToken(em, sessionToken)\n  if (!record) return null\n\n  // If no encrypted secret stored, cannot recover\n  if (!record.sessionSecretEncrypted) {\n    console.warn('[ApiKeyService] Session key has no encrypted secret:', sessionToken.slice(0, 12))\n    return null\n  }\n\n  // Decrypt the secret\n  const secret = await decryptSessionSecret(record.sessionSecretEncrypted, record.tenantId ?? null)\n  if (!secret) {\n    console.warn('[ApiKeyService] Failed to decrypt session secret:', sessionToken.slice(0, 12))\n    return null\n  }\n\n  return { key: record, secret }\n}\n\n/**\n * Delete an ephemeral API key by its session token.\n */\nexport async function deleteSessionApiKey(\n  em: EntityManager,\n  sessionToken: string\n): Promise<void> {\n  const record = await em.findOne(ApiKey, { sessionToken, deletedAt: null })\n  if (!record) return\n\n  record.deletedAt = new Date()\n  await em.persistAndFlush(record)\n  getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n}\n\n/**\n * Execute a function with a one-time API key\n *\n * Creates a temporary API key, executes the function, and deletes the key.\n * Perfect for workflow activities that need authenticated access without\n * storing long-lived credentials.\n *\n * @param em - Entity manager\n * @param input - API key configuration\n * @param fn - Function to execute with the API key secret\n * @returns Result of the function\n */\nconst ONETIME_KEY_MAX_TTL_MS = 5 * 60 * 1000\n\nexport async function withOnetimeApiKey<T>(\n  em: EntityManager,\n  input: CreateApiKeyInput,\n  fn: (secret: string) => Promise<T>\n): Promise<T> {\n  const maxExpiresAt = new Date(Date.now() + ONETIME_KEY_MAX_TTL_MS)\n  const safeExpiresAt = input.expiresAt && input.expiresAt < maxExpiresAt\n    ? input.expiresAt\n    : maxExpiresAt\n\n  const { record, secret } = await createApiKey(em, {\n    ...input,\n    name: input.name || '__onetime__',\n    description: input.description || 'One-time API key',\n    expiresAt: safeExpiresAt,\n  })\n\n  try {\n    const result = await fn(secret)\n    return result\n  } finally {\n    try {\n      record.deletedAt = new Date()\n      await em.persistAndFlush(record)\n      getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n    } catch (error) {\n      console.error('[withOnetimeApiKey] Failed to soft-delete one-time API key:', error)\n    }\n  }\n}\n"],
-  "mappings": "AAAA,SAAS,mBAAmB;AAE5B,SAAS,MAAM,eAAe;AAG9B,SAAS,cAAc;AACvB,SAAS,wBAAwB;AACjC,SAAS,mBAAmB,yBAAyB;AACrD,SAAS,gCAAgC;AAEzC,MAAM,cAAc;AAUpB,eAAe,qBACb,QACA,UACwB;AACxB,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,MAAM,iBAAiB;AAC7B,MAAI,CAAC,IAAI,UAAU,EAAG,QAAO;AAE7B,QAAM,MAAM,MAAM,IAAI,aAAa,QAAQ;AAC3C,MAAI,CAAC,KAAK;AAER,UAAM,UAAU,MAAM,IAAI,gBAAgB,QAAQ;AAClD,QAAI,CAAC,QAAS,QAAO;AACrB,UAAMA,aAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACvD,WAAOA,WAAU;AAAA,EACnB;AAEA,QAAM,YAAY,kBAAkB,QAAQ,IAAI,GAAG;AACnD,SAAO,UAAU;AACnB;AAMA,eAAe,qBACb,WACA,UACwB;AACxB,MAAI,CAAC,YAAY,CAAC,UAAW,QAAO;AAEpC,QAAM,MAAM,iBAAiB;AAC7B,MAAI,CAAC,IAAI,UAAU,EAAG,QAAO;AAE7B,QAAM,MAAM,MAAM,IAAI,aAAa,QAAQ;AAC3C,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,kBAAkB,WAAW,IAAI,GAAG;AAC7C;AAiBO,SAAS,uBAA2D;AACzE,QAAM,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAC3C,QAAM,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC3C,QAAM,SAAS,OAAO,KAAK,IAAI,IAAI;AACnC,QAAM,SAAS,OAAO,MAAM,GAAG,EAAE;AACjC,SAAO,EAAE,QAAQ,OAAO;AAC1B;AAEA,eAAsB,WAAW,QAAiC;AAChE,SAAO,KAAK,QAAQ,WAAW;AACjC;AAEA,eAAsB,aAAa,QAAgB,SAAmC;AACpF,SAAO,QAAQ,QAAQ,OAAO;AAChC;AAEA,eAAsB,aACpB,IACA,OACA,OAA+B,CAAC,GACL;AAC3B,QAAM,EAAE,QAAQ,OAAO,IAAI,qBAAqB;AAChD,QAAM,UAAU,MAAM,WAAW,MAAM;AACvC,QAAM,SAAS,GAAG,OAAO,QAAQ;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC;AAAA,IACA,WAAW;AAAA,IACX,WAAW,MAAM,QAAQ,MAAM,KAAK,IAAI,MAAM,QAAQ,CAAC;AAAA,IACvD,WAAW,MAAM,aAAa;AAAA,IAC9B,WAAW,MAAM,aAAa;AAAA,IAC9B,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC;AACD,QAAM,GAAG,gBAAgB,MAAM;AAC/B,MAAI,KAAK,MAAM;AACb,UAAM,KAAK,KAAK,oBAAoB,WAAW,OAAO,EAAE,EAAE;AAAA,EAC5D;AACA,SAAO,EAAE,QAAQ,OAAO;AAC1B;AAEA,eAAsB,aACpB,IACA,IACA,OAA+B,CAAC,GACjB;AACf,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,GAAG,CAAC;AAC9C,MAAI,CAAC,OAAQ;AACb,SAAO,YAAY,oBAAI,KAAK;AAC5B,QAAM,GAAG,gBAAgB,MAAM;AAC/B,2BAAyB,EAAE,kBAAkB,OAAO,EAAE;AACtD,MAAI,KAAK,MAAM;AACb,UAAM,KAAK,KAAK,oBAAoB,WAAW,OAAO,EAAE,EAAE;AAAA,EAC5D;AACF;AAEA,eAAsB,mBAAmB,IAAmB,QAAwC;AAClG,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,SAAS,OAAO,MAAM,GAAG,EAAE;AAEjC,QAAM,aAAa,MAAM,GAAG,KAAK,QAAQ,EAAE,WAAW,QAAQ,WAAW,KAAK,CAAC;AAE/E,aAAW,aAAa,YAAY;AAClC,QAAI,UAAU,aAAa,UAAU,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG;AACvE,UAAM,UAAU,MAAM,aAAa,QAAQ,UAAU,OAAO;AAC5D,QAAI,QAAS,QAAO;AAAA,EACtB;AACA,SAAO;AACT;AAmBO,SAAS,uBAA+B;AAC7C,SAAO,QAAQ,YAAY,EAAE,EAAE,SAAS,KAAK,CAAC;AAChD;AAOA,eAAsB,oBACpB,IACA,OACkE;AAClE,QAAM,EAAE,QAAQ,OAAO,IAAI,qBAAqB;AAChD,QAAM,MAAM,MAAM,cAAc;AAChC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,KAAK,GAAI;AACvD,QAAM,UAAU,MAAM,WAAW,MAAM;AAGvC,QAAM,kBAAkB,MAAM,qBAAqB,QAAQ,MAAM,YAAY,IAAI;AAEjF,QAAM,SAAS,GAAG,OAAO,QAAQ;AAAA,IAC/B,MAAM,aAAa,MAAM,YAAY;AAAA,IACrC,aAAa;AAAA,IACb,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC;AAAA,IACA,WAAW;AAAA,IACX,WAAW,MAAM;AAAA,IACjB,WAAW,MAAM;AAAA,IACjB,cAAc,MAAM;AAAA,IACpB,eAAe,MAAM;AAAA,IACrB,wBAAwB;AAAA,IACxB;AAAA,IACA,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC;AAED,QAAM,GAAG,gBAAgB,MAAM;AAE/B,SAAO;AAAA,IACL,OAAO,OAAO;AAAA,IACd;AAAA,IACA,cAAc,MAAM;AAAA,EACtB;AACF;AAMA,eAAsB,yBACpB,IACA,cACwB;AACxB,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ;AAAA,IACtC;AAAA,IACA,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,OAAO,aAAa,OAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AAExE,SAAO;AACT;AAQA,eAAsB,4BACpB,IACA,cACiD;AACjD,QAAM,SAAS,MAAM,yBAAyB,IAAI,YAAY;AAC9D,MAAI,CAAC,OAAQ,QAAO;AAGpB,MAAI,CAAC,OAAO,wBAAwB;AAClC,YAAQ,KAAK,wDAAwD,aAAa,MAAM,GAAG,EAAE,CAAC;AAC9F,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,MAAM,qBAAqB,OAAO,wBAAwB,OAAO,YAAY,IAAI;AAChG,MAAI,CAAC,QAAQ;AACX,YAAQ,KAAK,qDAAqD,aAAa,MAAM,GAAG,EAAE,CAAC;AAC3F,WAAO;AAAA,EACT;AAEA,SAAO,EAAE,KAAK,QAAQ,OAAO;AAC/B;AAKA,eAAsB,oBACpB,IACA,cACe;AACf,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,cAAc,WAAW,KAAK,CAAC;AACzE,MAAI,CAAC,OAAQ;AAEb,SAAO,YAAY,oBAAI,KAAK;AAC5B,QAAM,GAAG,gBAAgB,MAAM;AAC/B,2BAAyB,EAAE,kBAAkB,OAAO,EAAE;AACxD;AAcA,MAAM,yBAAyB,IAAI,KAAK;AAExC,eAAsB,kBACpB,IACA,OACA,IACY;AACZ,QAAM,eAAe,IAAI,KAAK,KAAK,IAAI,IAAI,sBAAsB;AACjE,QAAM,gBAAgB,MAAM,aAAa,MAAM,YAAY,eACvD,MAAM,YACN;AAEJ,QAAM,EAAE,QAAQ,OAAO,IAAI,MAAM,aAAa,IAAI;AAAA,IAChD,GAAG;AAAA,IACH,MAAM,MAAM,QAAQ;AAAA,IACpB,aAAa,MAAM,eAAe;AAAA,IAClC,WAAW;AAAA,EACb,CAAC;AAED,MAAI;AACF,UAAM,SAAS,MAAM,GAAG,MAAM;AAC9B,WAAO;AAAA,EACT,UAAE;AACA,QAAI;AACF,aAAO,YAAY,oBAAI,KAAK;AAC5B,YAAM,GAAG,gBAAgB,MAAM;AAC/B,+BAAyB,EAAE,kBAAkB,OAAO,EAAE;AAAA,IACxD,SAAS,OAAO;AACd,cAAQ,MAAM,+DAA+D,KAAK;AAAA,IACpF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { randomBytes } from 'node:crypto'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { hash, compare } from 'bcryptjs'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { ApiKey } from '../data/entities'\nimport { createKmsService } from '@open-mercato/shared/lib/encryption/kms'\nimport { encryptWithAesGcm, decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { getSharedApiKeyAuthCache } from '@open-mercato/shared/lib/auth/apiKeyAuthCache'\n\nconst BCRYPT_COST = 10\n\n// =============================================================================\n// Session Secret Encryption Helpers\n// =============================================================================\n\n/**\n * Encrypt an API key secret for storage.\n * Uses tenant-specific DEK if available, otherwise returns null.\n */\nasync function encryptSessionSecret(\n  secret: string,\n  tenantId: string | null\n): Promise<string | null> {\n  if (!tenantId) return null\n\n  const kms = createKmsService()\n  if (!kms.isHealthy()) return null\n\n  const dek = await kms.getTenantDek(tenantId)\n  if (!dek) {\n    // Try to create a DEK if one doesn't exist\n    const created = await kms.createTenantDek(tenantId)\n    if (!created) return null\n    const encrypted = encryptWithAesGcm(secret, created.key)\n    return encrypted.value\n  }\n\n  const encrypted = encryptWithAesGcm(secret, dek.key)\n  return encrypted.value\n}\n\n/**\n * Decrypt an API key secret from storage.\n * Returns null if decryption fails or no DEK available.\n */\nasync function decryptSessionSecret(\n  encrypted: string,\n  tenantId: string | null\n): Promise<string | null> {\n  if (!tenantId || !encrypted) return null\n\n  const kms = createKmsService()\n  if (!kms.isHealthy()) return null\n\n  const dek = await kms.getTenantDek(tenantId)\n  if (!dek) return null\n\n  return decryptWithAesGcm(encrypted, dek.key)\n}\n\nexport type CreateApiKeyInput = {\n  name: string\n  description?: string | null\n  tenantId?: string | null\n  organizationId?: string | null\n  roles?: string[]\n  expiresAt?: Date | null\n  createdBy?: string | null\n}\n\nexport type ApiKeyWithSecret = {\n  record: ApiKey\n  secret: string\n}\n\nexport function generateApiKeySecret(): { secret: string; prefix: string } {\n  const short = randomBytes(4).toString('hex')\n  const body = randomBytes(24).toString('hex')\n  const secret = `omk_${short}.${body}`\n  const prefix = secret.slice(0, 12)\n  return { secret, prefix }\n}\n\nexport async function hashApiKey(secret: string): Promise<string> {\n  return hash(secret, BCRYPT_COST)\n}\n\nexport async function verifyApiKey(secret: string, keyHash: string): Promise<boolean> {\n  return compare(secret, keyHash)\n}\n\nexport async function createApiKey(\n  em: EntityManager,\n  input: CreateApiKeyInput,\n  opts: { rbac?: RbacService } = {},\n): Promise<ApiKeyWithSecret> {\n  const { secret, prefix } = generateApiKeySecret()\n  const keyHash = await hashApiKey(secret)\n  const record = em.create(ApiKey, {\n    name: input.name,\n    description: input.description ?? null,\n    tenantId: input.tenantId ?? null,\n    organizationId: input.organizationId ?? null,\n    keyHash,\n    keyPrefix: prefix,\n    rolesJson: Array.isArray(input.roles) ? input.roles : [],\n    createdBy: input.createdBy ?? null,\n    expiresAt: input.expiresAt ?? null,\n    createdAt: new Date(),\n  })\n  await em.persist(record).flush()\n  if (opts.rbac) {\n    await opts.rbac.invalidateUserCache(`api_key:${record.id}`)\n  }\n  return { record, secret }\n}\n\nexport async function deleteApiKey(\n  em: EntityManager,\n  id: string,\n  opts: { rbac?: RbacService } = {},\n): Promise<void> {\n  const record = await em.findOne(ApiKey, { id })\n  if (!record) return\n  record.deletedAt = new Date()\n  await em.persist(record).flush()\n  getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n  if (opts.rbac) {\n    await opts.rbac.invalidateUserCache(`api_key:${record.id}`)\n  }\n}\n\nexport async function findApiKeyBySecret(em: EntityManager, secret: string): Promise<ApiKey | null> {\n  if (!secret) return null\n  // Extract prefix from the secret for fast candidate lookup\n  const prefix = secret.slice(0, 12)\n  // Find candidates by prefix (fast index lookup)\n  const candidates = await em.find(ApiKey, { keyPrefix: prefix, deletedAt: null })\n  // Verify each candidate with bcrypt until we find a match\n  for (const candidate of candidates) {\n    if (candidate.expiresAt && candidate.expiresAt.getTime() < Date.now()) continue\n    const isValid = await verifyApiKey(secret, candidate.keyHash)\n    if (isValid) return candidate\n  }\n  return null\n}\n\n// =============================================================================\n// Session-scoped API Keys (for AI Chat ephemeral authorization)\n// =============================================================================\n\nexport type CreateSessionApiKeyInput = {\n  sessionToken: string\n  userId: string\n  userRoles: string[]\n  tenantId?: string | null\n  organizationId?: string | null\n  ttlMinutes?: number\n}\n\n/**\n * Generate a unique session token for ephemeral API keys.\n * Format: sess_{32 hex chars}\n */\nexport function generateSessionToken(): string {\n  return `sess_${randomBytes(16).toString('hex')}`\n}\n\n/**\n * Create an ephemeral API key scoped to a chat session.\n * The key inherits the user's roles and expires after ttlMinutes (default 30).\n * The API key secret is encrypted and stored so it can be recovered for API calls.\n */\nexport async function createSessionApiKey(\n  em: EntityManager,\n  input: CreateSessionApiKeyInput\n): Promise<{ keyId: string; secret: string; sessionToken: string }> {\n  const { secret, prefix } = generateApiKeySecret()\n  const ttl = input.ttlMinutes ?? 30\n  const expiresAt = new Date(Date.now() + ttl * 60 * 1000)\n  const keyHash = await hashApiKey(secret)\n\n  // Encrypt the secret for later retrieval (used by MCP server for API calls)\n  const encryptedSecret = await encryptSessionSecret(secret, input.tenantId ?? null)\n\n  const record = em.create(ApiKey, {\n    name: `__session_${input.sessionToken}__`,\n    description: 'Ephemeral session API key for AI chat',\n    tenantId: input.tenantId ?? null,\n    organizationId: input.organizationId ?? null,\n    keyHash,\n    keyPrefix: prefix,\n    rolesJson: input.userRoles,\n    createdBy: input.userId,\n    sessionToken: input.sessionToken,\n    sessionUserId: input.userId,\n    sessionSecretEncrypted: encryptedSecret,\n    expiresAt,\n    createdAt: new Date(),\n  })\n\n  await em.persist(record).flush()\n\n  return {\n    keyId: record.id,\n    secret,\n    sessionToken: input.sessionToken,\n  }\n}\n\n/**\n * Find an API key by its session token.\n * Returns null if not found, expired, or deleted.\n */\nexport async function findApiKeyBySessionToken(\n  em: EntityManager,\n  sessionToken: string\n): Promise<ApiKey | null> {\n  if (!sessionToken) return null\n\n  const record = await em.findOne(ApiKey, {\n    sessionToken,\n    deletedAt: null,\n  })\n\n  if (!record) return null\n  if (record.expiresAt && record.expiresAt.getTime() < Date.now()) return null\n\n  return record\n}\n\n/**\n * Find a session API key with its decrypted secret.\n * Returns null if not found, expired, deleted, or decryption fails.\n * This is used by the MCP server to recover the API key secret for making\n * authenticated API calls on behalf of the user.\n */\nexport async function findSessionApiKeyWithSecret(\n  em: EntityManager,\n  sessionToken: string\n): Promise<{ key: ApiKey; secret: string } | null> {\n  const record = await findApiKeyBySessionToken(em, sessionToken)\n  if (!record) return null\n\n  // If no encrypted secret stored, cannot recover\n  if (!record.sessionSecretEncrypted) {\n    console.warn('[ApiKeyService] Session key has no encrypted secret:', sessionToken.slice(0, 12))\n    return null\n  }\n\n  // Decrypt the secret\n  const secret = await decryptSessionSecret(record.sessionSecretEncrypted, record.tenantId ?? null)\n  if (!secret) {\n    console.warn('[ApiKeyService] Failed to decrypt session secret:', sessionToken.slice(0, 12))\n    return null\n  }\n\n  return { key: record, secret }\n}\n\n/**\n * Delete an ephemeral API key by its session token.\n */\nexport async function deleteSessionApiKey(\n  em: EntityManager,\n  sessionToken: string\n): Promise<void> {\n  const record = await em.findOne(ApiKey, { sessionToken, deletedAt: null })\n  if (!record) return\n\n  record.deletedAt = new Date()\n  await em.persist(record).flush()\n  getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n}\n\n/**\n * Execute a function with a one-time API key\n *\n * Creates a temporary API key, executes the function, and deletes the key.\n * Perfect for workflow activities that need authenticated access without\n * storing long-lived credentials.\n *\n * @param em - Entity manager\n * @param input - API key configuration\n * @param fn - Function to execute with the API key secret\n * @returns Result of the function\n */\nconst ONETIME_KEY_MAX_TTL_MS = 5 * 60 * 1000\n\nexport async function withOnetimeApiKey<T>(\n  em: EntityManager,\n  input: CreateApiKeyInput,\n  fn: (secret: string) => Promise<T>\n): Promise<T> {\n  const maxExpiresAt = new Date(Date.now() + ONETIME_KEY_MAX_TTL_MS)\n  const safeExpiresAt = input.expiresAt && input.expiresAt < maxExpiresAt\n    ? input.expiresAt\n    : maxExpiresAt\n\n  const { record, secret } = await createApiKey(em, {\n    ...input,\n    name: input.name || '__onetime__',\n    description: input.description || 'One-time API key',\n    expiresAt: safeExpiresAt,\n  })\n\n  try {\n    const result = await fn(secret)\n    return result\n  } finally {\n    try {\n      record.deletedAt = new Date()\n      await em.persist(record).flush()\n      getSharedApiKeyAuthCache().invalidateByKeyId(record.id)\n    } catch (error) {\n      console.error('[withOnetimeApiKey] Failed to soft-delete one-time API key:', error)\n    }\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,mBAAmB;AAE5B,SAAS,MAAM,eAAe;AAG9B,SAAS,cAAc;AACvB,SAAS,wBAAwB;AACjC,SAAS,mBAAmB,yBAAyB;AACrD,SAAS,gCAAgC;AAEzC,MAAM,cAAc;AAUpB,eAAe,qBACb,QACA,UACwB;AACxB,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,MAAM,iBAAiB;AAC7B,MAAI,CAAC,IAAI,UAAU,EAAG,QAAO;AAE7B,QAAM,MAAM,MAAM,IAAI,aAAa,QAAQ;AAC3C,MAAI,CAAC,KAAK;AAER,UAAM,UAAU,MAAM,IAAI,gBAAgB,QAAQ;AAClD,QAAI,CAAC,QAAS,QAAO;AACrB,UAAMA,aAAY,kBAAkB,QAAQ,QAAQ,GAAG;AACvD,WAAOA,WAAU;AAAA,EACnB;AAEA,QAAM,YAAY,kBAAkB,QAAQ,IAAI,GAAG;AACnD,SAAO,UAAU;AACnB;AAMA,eAAe,qBACb,WACA,UACwB;AACxB,MAAI,CAAC,YAAY,CAAC,UAAW,QAAO;AAEpC,QAAM,MAAM,iBAAiB;AAC7B,MAAI,CAAC,IAAI,UAAU,EAAG,QAAO;AAE7B,QAAM,MAAM,MAAM,IAAI,aAAa,QAAQ;AAC3C,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,kBAAkB,WAAW,IAAI,GAAG;AAC7C;AAiBO,SAAS,uBAA2D;AACzE,QAAM,QAAQ,YAAY,CAAC,EAAE,SAAS,KAAK;AAC3C,QAAM,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC3C,QAAM,SAAS,OAAO,KAAK,IAAI,IAAI;AACnC,QAAM,SAAS,OAAO,MAAM,GAAG,EAAE;AACjC,SAAO,EAAE,QAAQ,OAAO;AAC1B;AAEA,eAAsB,WAAW,QAAiC;AAChE,SAAO,KAAK,QAAQ,WAAW;AACjC;AAEA,eAAsB,aAAa,QAAgB,SAAmC;AACpF,SAAO,QAAQ,QAAQ,OAAO;AAChC;AAEA,eAAsB,aACpB,IACA,OACA,OAA+B,CAAC,GACL;AAC3B,QAAM,EAAE,QAAQ,OAAO,IAAI,qBAAqB;AAChD,QAAM,UAAU,MAAM,WAAW,MAAM;AACvC,QAAM,SAAS,GAAG,OAAO,QAAQ;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC;AAAA,IACA,WAAW;AAAA,IACX,WAAW,MAAM,QAAQ,MAAM,KAAK,IAAI,MAAM,QAAQ,CAAC;AAAA,IACvD,WAAW,MAAM,aAAa;AAAA,IAC9B,WAAW,MAAM,aAAa;AAAA,IAC9B,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC;AACD,QAAM,GAAG,QAAQ,MAAM,EAAE,MAAM;AAC/B,MAAI,KAAK,MAAM;AACb,UAAM,KAAK,KAAK,oBAAoB,WAAW,OAAO,EAAE,EAAE;AAAA,EAC5D;AACA,SAAO,EAAE,QAAQ,OAAO;AAC1B;AAEA,eAAsB,aACpB,IACA,IACA,OAA+B,CAAC,GACjB;AACf,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,GAAG,CAAC;AAC9C,MAAI,CAAC,OAAQ;AACb,SAAO,YAAY,oBAAI,KAAK;AAC5B,QAAM,GAAG,QAAQ,MAAM,EAAE,MAAM;AAC/B,2BAAyB,EAAE,kBAAkB,OAAO,EAAE;AACtD,MAAI,KAAK,MAAM;AACb,UAAM,KAAK,KAAK,oBAAoB,WAAW,OAAO,EAAE,EAAE;AAAA,EAC5D;AACF;AAEA,eAAsB,mBAAmB,IAAmB,QAAwC;AAClG,MAAI,CAAC,OAAQ,QAAO;AAEpB,QAAM,SAAS,OAAO,MAAM,GAAG,EAAE;AAEjC,QAAM,aAAa,MAAM,GAAG,KAAK,QAAQ,EAAE,WAAW,QAAQ,WAAW,KAAK,CAAC;AAE/E,aAAW,aAAa,YAAY;AAClC,QAAI,UAAU,aAAa,UAAU,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG;AACvE,UAAM,UAAU,MAAM,aAAa,QAAQ,UAAU,OAAO;AAC5D,QAAI,QAAS,QAAO;AAAA,EACtB;AACA,SAAO;AACT;AAmBO,SAAS,uBAA+B;AAC7C,SAAO,QAAQ,YAAY,EAAE,EAAE,SAAS,KAAK,CAAC;AAChD;AAOA,eAAsB,oBACpB,IACA,OACkE;AAClE,QAAM,EAAE,QAAQ,OAAO,IAAI,qBAAqB;AAChD,QAAM,MAAM,MAAM,cAAc;AAChC,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,KAAK,GAAI;AACvD,QAAM,UAAU,MAAM,WAAW,MAAM;AAGvC,QAAM,kBAAkB,MAAM,qBAAqB,QAAQ,MAAM,YAAY,IAAI;AAEjF,QAAM,SAAS,GAAG,OAAO,QAAQ;AAAA,IAC/B,MAAM,aAAa,MAAM,YAAY;AAAA,IACrC,aAAa;AAAA,IACb,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC;AAAA,IACA,WAAW;AAAA,IACX,WAAW,MAAM;AAAA,IACjB,WAAW,MAAM;AAAA,IACjB,cAAc,MAAM;AAAA,IACpB,eAAe,MAAM;AAAA,IACrB,wBAAwB;AAAA,IACxB;AAAA,IACA,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAC;AAED,QAAM,GAAG,QAAQ,MAAM,EAAE,MAAM;AAE/B,SAAO;AAAA,IACL,OAAO,OAAO;AAAA,IACd;AAAA,IACA,cAAc,MAAM;AAAA,EACtB;AACF;AAMA,eAAsB,yBACpB,IACA,cACwB;AACxB,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ;AAAA,IACtC;AAAA,IACA,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,OAAO,aAAa,OAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AAExE,SAAO;AACT;AAQA,eAAsB,4BACpB,IACA,cACiD;AACjD,QAAM,SAAS,MAAM,yBAAyB,IAAI,YAAY;AAC9D,MAAI,CAAC,OAAQ,QAAO;AAGpB,MAAI,CAAC,OAAO,wBAAwB;AAClC,YAAQ,KAAK,wDAAwD,aAAa,MAAM,GAAG,EAAE,CAAC;AAC9F,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,MAAM,qBAAqB,OAAO,wBAAwB,OAAO,YAAY,IAAI;AAChG,MAAI,CAAC,QAAQ;AACX,YAAQ,KAAK,qDAAqD,aAAa,MAAM,GAAG,EAAE,CAAC;AAC3F,WAAO;AAAA,EACT;AAEA,SAAO,EAAE,KAAK,QAAQ,OAAO;AAC/B;AAKA,eAAsB,oBACpB,IACA,cACe;AACf,QAAM,SAAS,MAAM,GAAG,QAAQ,QAAQ,EAAE,cAAc,WAAW,KAAK,CAAC;AACzE,MAAI,CAAC,OAAQ;AAEb,SAAO,YAAY,oBAAI,KAAK;AAC5B,QAAM,GAAG,QAAQ,MAAM,EAAE,MAAM;AAC/B,2BAAyB,EAAE,kBAAkB,OAAO,EAAE;AACxD;AAcA,MAAM,yBAAyB,IAAI,KAAK;AAExC,eAAsB,kBACpB,IACA,OACA,IACY;AACZ,QAAM,eAAe,IAAI,KAAK,KAAK,IAAI,IAAI,sBAAsB;AACjE,QAAM,gBAAgB,MAAM,aAAa,MAAM,YAAY,eACvD,MAAM,YACN;AAEJ,QAAM,EAAE,QAAQ,OAAO,IAAI,MAAM,aAAa,IAAI;AAAA,IAChD,GAAG;AAAA,IACH,MAAM,MAAM,QAAQ;AAAA,IACpB,aAAa,MAAM,eAAe;AAAA,IAClC,WAAW;AAAA,EACb,CAAC;AAED,MAAI;AACF,UAAM,SAAS,MAAM,GAAG,MAAM;AAC9B,WAAO;AAAA,EACT,UAAE;AACA,QAAI;AACF,aAAO,YAAY,oBAAI,KAAK;AAC5B,YAAM,GAAG,QAAQ,MAAM,EAAE,MAAM;AAC/B,+BAAyB,EAAE,kBAAkB,OAAO,EAAE;AAAA,IACxD,SAAS,OAAO;AACd,cAAQ,MAAM,+DAA+D,KAAK;AAAA,IACpF;AAAA,EACF;AACF;",
   "names": ["encrypted"]
 }

package/dist/modules/attachments/api/library/[id]/route.js

@@ -218,7 +218,7 @@ async function DELETE(req, ctx) {
     return NextResponse.json({ error: "Attachment not found" }, { status: 404 });
   }
   await deletePartitionFile(record.partitionCode, record.storagePath, record.storageDriver);
-  await em.removeAndFlush(record);
+  await em.remove(record).flush();
   if (dataEngine) {
     await emitCrudSideEffects({
       dataEngine,

package/dist/modules/attachments/api/library/[id]/route.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/attachments/api/library/%5Bid%5D/route.ts"],
-  "sourcesContent": ["import { NextRequest, NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { Attachment, AttachmentPartition } from '../../../data/entities'\nimport {\n  mergeAttachmentMetadata,\n  normalizeAttachmentAssignments,\n  normalizeAttachmentTags,\n  readAttachmentMetadata,\n} from '../../../lib/metadata'\nimport { deletePartitionFile } from '../../../lib/storage'\nimport { splitCustomFieldPayload, loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport { emitCrudSideEffects, setCustomFieldsIfAny } from '@open-mercato/shared/lib/commands/helpers'\nimport { normalizeCustomFieldResponse } from '@open-mercato/shared/lib/custom-fields/normalize'\nimport { E } from '#generated/entities.ids.generated'\nimport type { QueryEngine } from '@open-mercato/shared/lib/query/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport { attachmentCrudEvents, attachmentCrudIndexer } from '../../../lib/crud'\nimport { applyAssignmentEnrichments, resolveAssignmentEnrichments } from '../../../lib/assignmentDetails'\nimport {\n  attachmentsTag,\n  attachmentDetailResponseSchema,\n  attachmentErrorSchema,\n} from '../../openapi'\n\nconst updateSchema = z.object({\n  tags: z.array(z.string()).optional(),\n  assignments: z\n    .array(\n      z.object({\n        type: z.string().min(1),\n        id: z.string().min(1),\n        href: z.string().nullable().optional(),\n        label: z.string().nullable().optional(),\n      }),\n    )\n    .optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.view'] },\n  PATCH: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n}\n\ntype RouteParams = { id: string }\ntype RouteContext = { params: Promise<RouteParams> }\n\nasync function resolveAttachmentId(ctx: RouteContext): Promise<string | null> {\n  const params = ctx?.params\n  try {\n    const { id } = await params\n    if (typeof id === 'string' && id.trim().length) {\n      return id\n    }\n    return null\n  } catch {\n    return null\n  }\n}\n\nexport async function GET(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const findFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n  }\n  if (auth.orgId) {\n    findFilter.organizationId = auth.orgId\n  }\n  const record = await em.findOne(Attachment, findFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n  const metadata = readAttachmentMetadata(record.storageMetadata)\n  const partition = record.partitionCode\n    ? await em.findOne(AttachmentPartition, { code: record.partitionCode })\n    : null\n  const customFieldValues = await loadCustomFieldValues({\n    em,\n    entityId: E.attachments.attachment,\n    recordIds: [record.id],\n    tenantIdByRecord: { [record.id]: record.tenantId ?? auth.tenantId ?? null },\n    organizationIdByRecord: { [record.id]: record.organizationId ?? auth.orgId ?? null },\n    tenantFallbacks: [auth.tenantId ?? null].filter((value): value is string => !!value),\n  })\n  const customFields = normalizeCustomFieldResponse(customFieldValues[record.id])\n  const assignments = metadata.assignments ?? []\n  const enrichments = await resolveAssignmentEnrichments(assignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedAssignments = applyAssignmentEnrichments(assignments, enrichments)\n  return NextResponse.json({\n    item: {\n      id: record.id,\n      fileName: record.fileName,\n      fileSize: record.fileSize,\n      mimeType: record.mimeType,\n      partitionCode: record.partitionCode,\n      partitionTitle: partition?.title ?? null,\n      tags: metadata.tags ?? [],\n      assignments: enrichedAssignments,\n      content: record.content && record.content.trim() ? record.content : null,\n      customFields,\n    },\n  })\n}\n\nexport async function PATCH(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const rawBody = await req.json().catch(() => null)\n  const { base, custom } = splitCustomFieldPayload(rawBody)\n  const parsed = updateSchema.safeParse(base)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const dataEngine = resolve('dataEngine') as DataEngine\n  const patchFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }\n  const record = await em.findOne(Attachment, patchFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n  const patch: Record<string, unknown> = {}\n  if (parsed.data.tags) patch.tags = normalizeAttachmentTags(parsed.data.tags)\n  if (parsed.data.assignments) patch.assignments = normalizeAttachmentAssignments(parsed.data.assignments)\n  record.storageMetadata = mergeAttachmentMetadata(record.storageMetadata, patch)\n  await em.flush()\n\n  if (dataEngine && custom && Object.keys(custom).length) {\n    try {\n      await setCustomFieldsIfAny({\n        dataEngine,\n        entityId: E.attachments.attachment,\n        recordId: record.id,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        values: custom,\n      })\n    } catch (error) {\n      console.error('[attachments] failed to persist custom attributes', error)\n      return NextResponse.json({ error: 'Failed to save attachment attributes.' }, { status: 500 })\n    }\n  }\n\n  if (dataEngine) {\n    await emitCrudSideEffects({\n      dataEngine,\n      action: 'updated',\n      entity: record,\n      identifiers: {\n        id: record.id,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n      },\n      events: attachmentCrudEvents,\n      indexer: attachmentCrudIndexer,\n    })\n    await dataEngine.flushOrmEntityChanges()\n  }\n\n  const metadata = readAttachmentMetadata(record.storageMetadata)\n  const assignments = metadata.assignments ?? []\n  const enrichments = await resolveAssignmentEnrichments(assignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedAssignments = applyAssignmentEnrichments(assignments, enrichments)\n  return NextResponse.json({\n    ok: true,\n    item: {\n      id: record.id,\n      tags: metadata.tags ?? [],\n      assignments: enrichedAssignments,\n      customFields: normalizeCustomFieldResponse(custom ?? null),\n    },\n  })\n}\n\nexport async function DELETE(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  const dataEngine = resolve('dataEngine') as DataEngine\n  const deleteFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }\n  const record = await em.findOne(Attachment, deleteFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n\n  await deletePartitionFile(record.partitionCode, record.storagePath, record.storageDriver)\n  await em.removeAndFlush(record)\n\n  if (dataEngine) {\n    await emitCrudSideEffects({\n      dataEngine,\n      action: 'deleted',\n      entity: record,\n      identifiers: {\n        id: record.id,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n      },\n      events: attachmentCrudEvents,\n      indexer: attachmentCrudIndexer,\n    })\n    await dataEngine.flushOrmEntityChanges()\n  }\n\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment detail management',\n  methods: {\n    GET: {\n      summary: 'Get attachment details',\n      description: 'Returns complete details of an attachment including metadata, tags, assignments, and custom fields.',\n      responses: [\n        { status: 200, description: 'Attachment details', schema: attachmentDetailResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n      ],\n    },\n    PATCH: {\n      summary: 'Update attachment metadata',\n      description: 'Updates attachment tags, assignments, and custom fields. Emits CRUD side effects for indexing and events.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: updateSchema,\n      },\n      responses: [\n        { status: 200, description: 'Attachment updated successfully', schema: z.object({ ok: z.literal(true), item: z.any() }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n        { status: 500, description: 'Failed to save attributes', schema: attachmentErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete attachment',\n      description: 'Permanently deletes an attachment file from storage and database. Emits CRUD side effects.',\n      responses: [\n        { status: 200, description: 'Attachment deleted successfully', schema: z.object({ ok: z.literal(true) }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAsB,oBAAoB;AAC1C,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,YAAY,2BAA2B;AAChD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,2BAA2B;AACpC,SAAS,yBAAyB,6BAA6B;AAC/D,SAAS,qBAAqB,4BAA4B;AAC1D,SAAS,oCAAoC;AAC7C,SAAS,SAAS;AAGlB,SAAS,sBAAsB,6BAA6B;AAC5D,SAAS,4BAA4B,oCAAoC;AACzE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACnC,aAAa,EACV;AAAA,IACC,EAAE,OAAO;AAAA,MACP,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MACtB,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,MACrC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,IACxC,CAAC;AAAA,EACH,EACC,SAAS;AACd,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,kBAAkB,EAAE;AAAA,EAChE,OAAO,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EACpE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AACvE;AAKA,eAAe,oBAAoB,KAA2C;AAC5E,QAAM,SAAS,KAAK;AACpB,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM;AACrB,QAAI,OAAO,OAAO,YAAY,GAAG,KAAK,EAAE,QAAQ;AAC9C,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,IAAI,KAAkB,KAAmB;AAC7D,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,cAAe;AAClE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,aAAsC;AAAA,IAC1C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,EACjB;AACA,MAAI,KAAK,OAAO;AACd,eAAW,iBAAiB,KAAK;AAAA,EACnC;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,UAAU;AACtD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AACA,QAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,QAAM,YAAY,OAAO,gBACrB,MAAM,GAAG,QAAQ,qBAAqB,EAAE,MAAM,OAAO,cAAc,CAAC,IACpE;AACJ,QAAM,oBAAoB,MAAM,sBAAsB;AAAA,IACpD;AAAA,IACA,UAAU,EAAE,YAAY;AAAA,IACxB,WAAW,CAAC,OAAO,EAAE;AAAA,IACrB,kBAAkB,EAAE,CAAC,OAAO,EAAE,GAAG,OAAO,YAAY,KAAK,YAAY,KAAK;AAAA,IAC1E,wBAAwB,EAAE,CAAC,OAAO,EAAE,GAAG,OAAO,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnF,iBAAiB,CAAC,KAAK,YAAY,IAAI,EAAE,OAAO,CAAC,UAA2B,CAAC,CAAC,KAAK;AAAA,EACrF,CAAC;AACD,QAAM,eAAe,6BAA6B,kBAAkB,OAAO,EAAE,CAAC;AAC9E,QAAM,cAAcA,UAAS,eAAe,CAAC;AAC7C,QAAM,cAAc,MAAM,6BAA6B,aAAa;AAAA,IAClE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,sBAAsB,2BAA2B,aAAa,WAAW;AAC/E,SAAO,aAAa,KAAK;AAAA,IACvB,MAAM;AAAA,MACJ,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,eAAe,OAAO;AAAA,MACtB,gBAAgB,WAAW,SAAS;AAAA,MACpC,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,SAAS,OAAO,WAAW,OAAO,QAAQ,KAAK,IAAI,OAAO,UAAU;AAAA,MACpE;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,MAAM,KAAkB,KAAmB;AAC/D,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,KAAK,OAAO;AAC1C,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,UAAU,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AACjD,QAAM,EAAE,MAAM,OAAO,IAAI,wBAAwB,OAAO;AACxD,QAAM,SAAS,aAAa,UAAU,IAAI;AAC1C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,aAAa,QAAQ,YAAY;AACvC,QAAM,cAAuC;AAAA,IAC3C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,WAAW;AACvD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AACA,QAAM,QAAiC,CAAC;AACxC,MAAI,OAAO,KAAK,KAAM,OAAM,OAAO,wBAAwB,OAAO,KAAK,IAAI;AAC3E,MAAI,OAAO,KAAK,YAAa,OAAM,cAAc,+BAA+B,OAAO,KAAK,WAAW;AACvG,SAAO,kBAAkB,wBAAwB,OAAO,iBAAiB,KAAK;AAC9E,QAAM,GAAG,MAAM;AAEf,MAAI,cAAc,UAAU,OAAO,KAAK,MAAM,EAAE,QAAQ;AACtD,QAAI;AACF,YAAM,qBAAqB;AAAA,QACzB;AAAA,QACA,UAAU,EAAE,YAAY;AAAA,QACxB,UAAU,OAAO;AAAA,QACjB,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,QAC9C,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,qDAAqD,KAAK;AACxE,aAAO,aAAa,KAAK,EAAE,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC9F;AAAA,EACF;AAEA,MAAI,YAAY;AACd,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,MAChD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AACD,UAAM,WAAW,sBAAsB;AAAA,EACzC;AAEA,QAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,QAAM,cAAcA,UAAS,eAAe,CAAC;AAC7C,QAAM,cAAc,MAAM,6BAA6B,aAAa;AAAA,IAClE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,sBAAsB,2BAA2B,aAAa,WAAW;AAC/E,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM;AAAA,MACJ,IAAI,OAAO;AAAA,MACX,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,cAAc,6BAA6B,UAAU,IAAI;AAAA,IAC3D;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,OAAO,KAAkB,KAAmB;AAChE,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,KAAK,OAAO;AAC1C,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,aAAa,QAAQ,YAAY;AACvC,QAAM,eAAwC;AAAA,IAC5C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,YAAY;AACxD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AAEA,QAAM,oBAAoB,OAAO,eAAe,OAAO,aAAa,OAAO,aAAa;AACxF,QAAM,GAAG,eAAe,MAAM;AAE9B,MAAI,YAAY;AACd,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,MAChD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AACD,UAAM,WAAW,sBAAsB;AAAA,EACzC;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sBAAsB,QAAQ,+BAA+B;AAAA,MAC3F;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,yBAAyB,QAAQ,sBAAsB;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,MACpF;AAAA,IACF;AAAA,IACA,OAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mCAAmC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE;AAAA,MAC1H;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oCAAoC,QAAQ,sBAAsB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,6BAA6B,QAAQ,sBAAsB;AAAA,MACzF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mCAAmC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE;AAAA,MAC3G;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,yBAAyB,QAAQ,sBAAsB;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,MACpF;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextRequest, NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { Attachment, AttachmentPartition } from '../../../data/entities'\nimport {\n  mergeAttachmentMetadata,\n  normalizeAttachmentAssignments,\n  normalizeAttachmentTags,\n  readAttachmentMetadata,\n} from '../../../lib/metadata'\nimport { deletePartitionFile } from '../../../lib/storage'\nimport { splitCustomFieldPayload, loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport { emitCrudSideEffects, setCustomFieldsIfAny } from '@open-mercato/shared/lib/commands/helpers'\nimport { normalizeCustomFieldResponse } from '@open-mercato/shared/lib/custom-fields/normalize'\nimport { E } from '#generated/entities.ids.generated'\nimport type { QueryEngine } from '@open-mercato/shared/lib/query/types'\nimport type { DataEngine } from '@open-mercato/shared/lib/data/engine'\nimport { attachmentCrudEvents, attachmentCrudIndexer } from '../../../lib/crud'\nimport { applyAssignmentEnrichments, resolveAssignmentEnrichments } from '../../../lib/assignmentDetails'\nimport {\n  attachmentsTag,\n  attachmentDetailResponseSchema,\n  attachmentErrorSchema,\n} from '../../openapi'\n\nconst updateSchema = z.object({\n  tags: z.array(z.string()).optional(),\n  assignments: z\n    .array(\n      z.object({\n        type: z.string().min(1),\n        id: z.string().min(1),\n        href: z.string().nullable().optional(),\n        label: z.string().nullable().optional(),\n      }),\n    )\n    .optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.view'] },\n  PATCH: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n}\n\ntype RouteParams = { id: string }\ntype RouteContext = { params: Promise<RouteParams> }\n\nasync function resolveAttachmentId(ctx: RouteContext): Promise<string | null> {\n  const params = ctx?.params\n  try {\n    const { id } = await params\n    if (typeof id === 'string' && id.trim().length) {\n      return id\n    }\n    return null\n  } catch {\n    return null\n  }\n}\n\nexport async function GET(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const findFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n  }\n  if (auth.orgId) {\n    findFilter.organizationId = auth.orgId\n  }\n  const record = await em.findOne(Attachment, findFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n  const metadata = readAttachmentMetadata(record.storageMetadata)\n  const partition = record.partitionCode\n    ? await em.findOne(AttachmentPartition, { code: record.partitionCode })\n    : null\n  const customFieldValues = await loadCustomFieldValues({\n    em,\n    entityId: E.attachments.attachment,\n    recordIds: [record.id],\n    tenantIdByRecord: { [record.id]: record.tenantId ?? auth.tenantId ?? null },\n    organizationIdByRecord: { [record.id]: record.organizationId ?? auth.orgId ?? null },\n    tenantFallbacks: [auth.tenantId ?? null].filter((value): value is string => !!value),\n  })\n  const customFields = normalizeCustomFieldResponse(customFieldValues[record.id])\n  const assignments = metadata.assignments ?? []\n  const enrichments = await resolveAssignmentEnrichments(assignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedAssignments = applyAssignmentEnrichments(assignments, enrichments)\n  return NextResponse.json({\n    item: {\n      id: record.id,\n      fileName: record.fileName,\n      fileSize: record.fileSize,\n      mimeType: record.mimeType,\n      partitionCode: record.partitionCode,\n      partitionTitle: partition?.title ?? null,\n      tags: metadata.tags ?? [],\n      assignments: enrichedAssignments,\n      content: record.content && record.content.trim() ? record.content : null,\n      customFields,\n    },\n  })\n}\n\nexport async function PATCH(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const rawBody = await req.json().catch(() => null)\n  const { base, custom } = splitCustomFieldPayload(rawBody)\n  const parsed = updateSchema.safeParse(base)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const dataEngine = resolve('dataEngine') as DataEngine\n  const patchFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }\n  const record = await em.findOne(Attachment, patchFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n  const patch: Record<string, unknown> = {}\n  if (parsed.data.tags) patch.tags = normalizeAttachmentTags(parsed.data.tags)\n  if (parsed.data.assignments) patch.assignments = normalizeAttachmentAssignments(parsed.data.assignments)\n  record.storageMetadata = mergeAttachmentMetadata(record.storageMetadata, patch)\n  await em.flush()\n\n  if (dataEngine && custom && Object.keys(custom).length) {\n    try {\n      await setCustomFieldsIfAny({\n        dataEngine,\n        entityId: E.attachments.attachment,\n        recordId: record.id,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        values: custom,\n      })\n    } catch (error) {\n      console.error('[attachments] failed to persist custom attributes', error)\n      return NextResponse.json({ error: 'Failed to save attachment attributes.' }, { status: 500 })\n    }\n  }\n\n  if (dataEngine) {\n    await emitCrudSideEffects({\n      dataEngine,\n      action: 'updated',\n      entity: record,\n      identifiers: {\n        id: record.id,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n      },\n      events: attachmentCrudEvents,\n      indexer: attachmentCrudIndexer,\n    })\n    await dataEngine.flushOrmEntityChanges()\n  }\n\n  const metadata = readAttachmentMetadata(record.storageMetadata)\n  const assignments = metadata.assignments ?? []\n  const enrichments = await resolveAssignmentEnrichments(assignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedAssignments = applyAssignmentEnrichments(assignments, enrichments)\n  return NextResponse.json({\n    ok: true,\n    item: {\n      id: record.id,\n      tags: metadata.tags ?? [],\n      assignments: enrichedAssignments,\n      customFields: normalizeCustomFieldResponse(custom ?? null),\n    },\n  })\n}\n\nexport async function DELETE(req: NextRequest, ctx: RouteContext) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const attachmentId = await resolveAttachmentId(ctx)\n  if (!attachmentId) {\n    return NextResponse.json({ error: 'Attachment id is required' }, { status: 400 })\n  }\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  const dataEngine = resolve('dataEngine') as DataEngine\n  const deleteFilter: Record<string, unknown> = {\n    id: attachmentId,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }\n  const record = await em.findOne(Attachment, deleteFilter)\n  if (!record) {\n    return NextResponse.json({ error: 'Attachment not found' }, { status: 404 })\n  }\n\n  await deletePartitionFile(record.partitionCode, record.storagePath, record.storageDriver)\n  await em.remove(record).flush()\n\n  if (dataEngine) {\n    await emitCrudSideEffects({\n      dataEngine,\n      action: 'deleted',\n      entity: record,\n      identifiers: {\n        id: record.id,\n        organizationId: record.organizationId ?? auth.orgId ?? null,\n        tenantId: record.tenantId ?? auth.tenantId ?? null,\n      },\n      events: attachmentCrudEvents,\n      indexer: attachmentCrudIndexer,\n    })\n    await dataEngine.flushOrmEntityChanges()\n  }\n\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment detail management',\n  methods: {\n    GET: {\n      summary: 'Get attachment details',\n      description: 'Returns complete details of an attachment including metadata, tags, assignments, and custom fields.',\n      responses: [\n        { status: 200, description: 'Attachment details', schema: attachmentDetailResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n      ],\n    },\n    PATCH: {\n      summary: 'Update attachment metadata',\n      description: 'Updates attachment tags, assignments, and custom fields. Emits CRUD side effects for indexing and events.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: updateSchema,\n      },\n      responses: [\n        { status: 200, description: 'Attachment updated successfully', schema: z.object({ ok: z.literal(true), item: z.any() }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n        { status: 500, description: 'Failed to save attributes', schema: attachmentErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete attachment',\n      description: 'Permanently deletes an attachment file from storage and database. Emits CRUD side effects.',\n      responses: [\n        { status: 200, description: 'Attachment deleted successfully', schema: z.object({ ok: z.literal(true) }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid attachment ID', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 404, description: 'Attachment not found', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAsB,oBAAoB;AAC1C,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,YAAY,2BAA2B;AAChD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,2BAA2B;AACpC,SAAS,yBAAyB,6BAA6B;AAC/D,SAAS,qBAAqB,4BAA4B;AAC1D,SAAS,oCAAoC;AAC7C,SAAS,SAAS;AAGlB,SAAS,sBAAsB,6BAA6B;AAC5D,SAAS,4BAA4B,oCAAoC;AACzE;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACnC,aAAa,EACV;AAAA,IACC,EAAE,OAAO;AAAA,MACP,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MACtB,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,MACpB,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,MACrC,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,IACxC,CAAC;AAAA,EACH,EACC,SAAS;AACd,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,kBAAkB,EAAE;AAAA,EAChE,OAAO,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EACpE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AACvE;AAKA,eAAe,oBAAoB,KAA2C;AAC5E,QAAM,SAAS,KAAK;AACpB,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM;AACrB,QAAI,OAAO,OAAO,YAAY,GAAG,KAAK,EAAE,QAAQ;AAC9C,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,IAAI,KAAkB,KAAmB;AAC7D,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,cAAe;AAClE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,aAAsC;AAAA,IAC1C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,EACjB;AACA,MAAI,KAAK,OAAO;AACd,eAAW,iBAAiB,KAAK;AAAA,EACnC;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,UAAU;AACtD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AACA,QAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,QAAM,YAAY,OAAO,gBACrB,MAAM,GAAG,QAAQ,qBAAqB,EAAE,MAAM,OAAO,cAAc,CAAC,IACpE;AACJ,QAAM,oBAAoB,MAAM,sBAAsB;AAAA,IACpD;AAAA,IACA,UAAU,EAAE,YAAY;AAAA,IACxB,WAAW,CAAC,OAAO,EAAE;AAAA,IACrB,kBAAkB,EAAE,CAAC,OAAO,EAAE,GAAG,OAAO,YAAY,KAAK,YAAY,KAAK;AAAA,IAC1E,wBAAwB,EAAE,CAAC,OAAO,EAAE,GAAG,OAAO,kBAAkB,KAAK,SAAS,KAAK;AAAA,IACnF,iBAAiB,CAAC,KAAK,YAAY,IAAI,EAAE,OAAO,CAAC,UAA2B,CAAC,CAAC,KAAK;AAAA,EACrF,CAAC;AACD,QAAM,eAAe,6BAA6B,kBAAkB,OAAO,EAAE,CAAC;AAC9E,QAAM,cAAcA,UAAS,eAAe,CAAC;AAC7C,QAAM,cAAc,MAAM,6BAA6B,aAAa;AAAA,IAClE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,sBAAsB,2BAA2B,aAAa,WAAW;AAC/E,SAAO,aAAa,KAAK;AAAA,IACvB,MAAM;AAAA,MACJ,IAAI,OAAO;AAAA,MACX,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,eAAe,OAAO;AAAA,MACtB,gBAAgB,WAAW,SAAS;AAAA,MACpC,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,SAAS,OAAO,WAAW,OAAO,QAAQ,KAAK,IAAI,OAAO,UAAU;AAAA,MACpE;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,MAAM,KAAkB,KAAmB;AAC/D,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,KAAK,OAAO;AAC1C,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,UAAU,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AACjD,QAAM,EAAE,MAAM,OAAO,IAAI,wBAAwB,OAAO;AACxD,QAAM,SAAS,aAAa,UAAU,IAAI;AAC1C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,aAAa,QAAQ,YAAY;AACvC,QAAM,cAAuC;AAAA,IAC3C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,WAAW;AACvD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AACA,QAAM,QAAiC,CAAC;AACxC,MAAI,OAAO,KAAK,KAAM,OAAM,OAAO,wBAAwB,OAAO,KAAK,IAAI;AAC3E,MAAI,OAAO,KAAK,YAAa,OAAM,cAAc,+BAA+B,OAAO,KAAK,WAAW;AACvG,SAAO,kBAAkB,wBAAwB,OAAO,iBAAiB,KAAK;AAC9E,QAAM,GAAG,MAAM;AAEf,MAAI,cAAc,UAAU,OAAO,KAAK,MAAM,EAAE,QAAQ;AACtD,QAAI;AACF,YAAM,qBAAqB;AAAA,QACzB;AAAA,QACA,UAAU,EAAE,YAAY;AAAA,QACxB,UAAU,OAAO;AAAA,QACjB,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,QAC9C,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,qDAAqD,KAAK;AACxE,aAAO,aAAa,KAAK,EAAE,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC9F;AAAA,EACF;AAEA,MAAI,YAAY;AACd,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,MAChD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AACD,UAAM,WAAW,sBAAsB;AAAA,EACzC;AAEA,QAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,QAAM,cAAcA,UAAS,eAAe,CAAC;AAC7C,QAAM,cAAc,MAAM,6BAA6B,aAAa;AAAA,IAClE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,sBAAsB,2BAA2B,aAAa,WAAW;AAC/E,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM;AAAA,MACJ,IAAI,OAAO;AAAA,MACX,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAa;AAAA,MACb,cAAc,6BAA6B,UAAU,IAAI;AAAA,IAC3D;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,OAAO,KAAkB,KAAmB;AAChE,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAY,CAAC,KAAK,OAAO;AAC1C,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,eAAe,MAAM,oBAAoB,GAAG;AAClD,MAAI,CAAC,cAAc;AACjB,WAAO,aAAa,KAAK,EAAE,OAAO,4BAA4B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AACA,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,aAAa,QAAQ,YAAY;AACvC,QAAM,eAAwC;AAAA,IAC5C,IAAI;AAAA,IACJ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB;AACA,QAAM,SAAS,MAAM,GAAG,QAAQ,YAAY,YAAY;AACxD,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC7E;AAEA,QAAM,oBAAoB,OAAO,eAAe,OAAO,aAAa,OAAO,aAAa;AACxF,QAAM,GAAG,OAAO,MAAM,EAAE,MAAM;AAE9B,MAAI,YAAY;AACd,UAAM,oBAAoB;AAAA,MACxB;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,aAAa;AAAA,QACX,IAAI,OAAO;AAAA,QACX,gBAAgB,OAAO,kBAAkB,KAAK,SAAS;AAAA,QACvD,UAAU,OAAO,YAAY,KAAK,YAAY;AAAA,MAChD;AAAA,MACA,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AACD,UAAM,WAAW,sBAAsB;AAAA,EACzC;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sBAAsB,QAAQ,+BAA+B;AAAA,MAC3F;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,yBAAyB,QAAQ,sBAAsB;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,MACpF;AAAA,IACF;AAAA,IACA,OAAO;AAAA,MACL,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mCAAmC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE;AAAA,MAC1H;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oCAAoC,QAAQ,sBAAsB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,6BAA6B,QAAQ,sBAAsB;AAAA,MACzF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mCAAmC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE;AAAA,MAC3G;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,yBAAyB,QAAQ,sBAAsB;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,sBAAsB;AAAA,MACpF;AAAA,IACF;AAAA,EACF;AACF;",
   "names": ["metadata"]
 }

package/dist/modules/attachments/api/library/route.js

@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { z } from "zod";
 import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { sql } from "kysely";
 import { Attachment, AttachmentPartition } from "../../data/entities.js";
 import { buildAttachmentImageUrl, slugifyAttachmentFileName } from "../../lib/imageUrls.js";
 import { readAttachmentMetadata } from "../../lib/metadata.js";
@@ -92,7 +93,7 @@ async function GET(req) {
     {},
     { orderBy: { title: "asc" }, fields: ["code", "title", "description"] }
   );
-  const [records, total, partitions] = await Promise.all([qb.getResultList(), countQb.count("a.id", true), partitionsPromise]);
+  const [records, total, partitions] = await Promise.all([qb.getResultList(), countQb.getCount("a.id", true), partitionsPromise]);
   const partitionTitleByCode = partitions.reduce((acc, entry) => {
     if (entry.code) acc[entry.code] = entry.title ?? entry.code;
     return acc;
@@ -131,16 +132,13 @@ async function GET(req) {
     ...item,
     assignments: applyAssignmentEnrichments(item.assignments ?? [], enrichments)
   })) : items;
-  const totalPages = Math.max(1, Math.ceil(total / pageSize));
-  const knex = em.getConnection().getKnex();
-  const tagQuery = knex.select(
-    knex.raw(`distinct jsonb_array_elements_text(coalesce(storage_metadata->'tags', '[]'::jsonb)) as tag`)
-  ).from("attachments").where("tenant_id", auth.tenantId);
+  const totalPages = Math.max(1, Math.ceil(Number(total) / pageSize));
+  const db = em.getKysely();
+  let tagQuery = db.selectFrom("attachments").select(sql`distinct jsonb_array_elements_text(coalesce(storage_metadata->'tags', '[]'::jsonb))`.as("tag")).where("tenant_id", "=", auth.tenantId);
   if (auth.orgId) {
-    tagQuery.andWhere("organization_id", auth.orgId);
+    tagQuery = tagQuery.where("organization_id", "=", auth.orgId);
   }
-  tagQuery.orderBy("tag", "asc");
-  const tagRows = await tagQuery;
+  const tagRows = await tagQuery.orderBy("tag", "asc").execute();
   const availableTags = tagRows.map((row) => typeof row.tag === "string" ? row.tag.trim() : "").filter((tag) => tag.length > 0);
   return NextResponse.json({
     items: enrichedItems,

package/dist/modules/attachments/api/library/route.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/attachments/api/library/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { Attachment, AttachmentPartition } from '../../data/entities'\nimport { buildAttachmentImageUrl, slugifyAttachmentFileName } from '../../lib/imageUrls'\nimport { readAttachmentMetadata } from '../../lib/metadata'\nimport type { QueryEngine } from '@open-mercato/shared/lib/query/types'\nimport { applyAssignmentEnrichments, resolveAssignmentEnrichments } from '../../lib/assignmentDetails'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport {\n  attachmentsTag,\n  attachmentListQuerySchema as openApiListQuerySchema,\n  attachmentListResponseSchema,\n  attachmentErrorSchema,\n} from '../openapi'\n\nconst listQuerySchema = z.object({\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(25),\n  search: z.string().optional(),\n  partition: z.string().optional(),\n  tags: z.string().optional(),\n  sortField: z.enum(['fileName', 'fileSize', 'createdAt']).optional(),\n  sortDir: z.enum(['asc', 'desc']).optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.view'] },\n}\n\nfunction buildTagFilter(raw?: string): string[] {\n  if (!raw) return []\n  return raw\n    .split(',')\n    .map((tag) => tag.trim())\n    .filter((tag) => tag.length > 0)\n}\n\nfunction formatDateValue(value: unknown): string {\n  const toDate = (): Date => {\n    if (value instanceof Date) return value\n    if (typeof value === 'string') {\n      const parsed = new Date(value)\n      if (!Number.isNaN(parsed.getTime())) return parsed\n    }\n    const fallback = new Date(value as any)\n    if (!Number.isNaN(fallback.getTime())) return fallback\n    return new Date()\n  }\n  return toDate().toISOString()\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const url = new URL(req.url)\n  const parsed = listQuerySchema.safeParse(Object.fromEntries(url.searchParams.entries()))\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid query' }, { status: 400 })\n  }\n\n  const { page, pageSize, search, partition, tags, sortField, sortDir } = parsed.data\n  const tagList = buildTagFilter(tags)\n  const offset = (page - 1) * pageSize\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const qb = em.createQueryBuilder(Attachment, 'a')\n  const baseFilter: Record<string, unknown> = { tenantId: auth.tenantId }\n  if (auth.orgId) {\n    baseFilter.organizationId = auth.orgId\n  }\n  qb.where(baseFilter)\n  if (search && search.trim().length > 0) {\n    qb.andWhere({ fileName: { $ilike: `%${escapeLikePattern(search.trim())}%` } })\n  }\n  if (partition && partition.trim().length > 0) {\n    qb.andWhere({ partitionCode: partition.trim() })\n  }\n  if (tagList.length > 0) {\n    qb.andWhere(`coalesce(a.storage_metadata->'tags', '[]'::jsonb) @> ?::jsonb`, [JSON.stringify(tagList)])\n  }\n  const countQb = qb.clone()\n  const orderMap: Record<string, string> = {\n    fileName: 'a.file_name',\n    fileSize: 'a.file_size',\n    createdAt: 'a.created_at',\n  }\n  const orderColumn = orderMap[sortField ?? 'createdAt'] ?? 'a.created_at'\n  qb.orderBy({ [orderColumn]: sortDir === 'asc' ? 'asc' : 'desc' })\n  qb.limit(pageSize).offset(offset)\n\n  const partitionsPromise = em.find(\n    AttachmentPartition,\n    {},\n    { orderBy: { title: 'asc' }, fields: ['code', 'title', 'description'] as any },\n  )\n  const [records, total, partitions] = await Promise.all([qb.getResultList(), countQb.count('a.id', true), partitionsPromise])\n  const partitionTitleByCode = partitions.reduce<Record<string, string>>((acc, entry) => {\n    if (entry.code) acc[entry.code] = entry.title ?? entry.code\n    return acc\n  }, {})\n  const items = records.map((record) => {\n    const metadata = readAttachmentMetadata(record.storageMetadata)\n    const fileName = record.fileName || ''\n    const isImage = typeof record.mimeType === 'string' && record.mimeType.toLowerCase().startsWith('image/')\n    const thumbnailUrl = isImage\n      ? buildAttachmentImageUrl(record.id, {\n          width: 200,\n          height: 200,\n          slug: slugifyAttachmentFileName(fileName),\n        })\n      : undefined\n    return {\n      id: record.id,\n      fileName,\n      fileSize: record.fileSize,\n      mimeType: record.mimeType,\n      partitionCode: record.partitionCode,\n      partitionTitle: partitionTitleByCode[record.partitionCode] ?? null,\n      url: record.url,\n      createdAt: formatDateValue(record.createdAt),\n      tags: metadata.tags ?? [],\n      assignments: metadata.assignments ?? [],\n      thumbnailUrl,\n      content: record.content && record.content.trim() ? record.content : null,\n    }\n  })\n\n  const allAssignments = items.flatMap((item) => item.assignments ?? [])\n  const enrichments = await resolveAssignmentEnrichments(allAssignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedItems = enrichments.size\n    ? items.map((item) => ({\n        ...item,\n        assignments: applyAssignmentEnrichments(item.assignments ?? [], enrichments),\n      }))\n    : items\n\n  const totalPages = Math.max(1, Math.ceil(total / pageSize))\n  const knex = (em as any).getConnection().getKnex()\n  const tagQuery = knex\n    .select(\n      knex.raw(`distinct jsonb_array_elements_text(coalesce(storage_metadata->'tags', '[]'::jsonb)) as tag`),\n    )\n    .from('attachments')\n    .where('tenant_id', auth.tenantId)\n  if (auth.orgId) {\n    tagQuery.andWhere('organization_id', auth.orgId)\n  }\n  tagQuery.orderBy('tag', 'asc')\n  const tagRows: Array<{ tag?: string | null }> = await tagQuery\n  const availableTags = tagRows\n    .map((row) => (typeof row.tag === 'string' ? row.tag.trim() : ''))\n    .filter((tag) => tag.length > 0)\n\n  return NextResponse.json({\n    items: enrichedItems,\n    page,\n    pageSize,\n    total,\n    totalPages,\n    availableTags,\n    partitions: partitions.map((entry) => ({\n      code: entry.code,\n      title: entry.title,\n      description: entry.description ?? null,\n      isPublic: entry.isPublic ?? false,\n    })),\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment library management',\n  methods: {\n    GET: {\n      summary: 'List attachments',\n      description: 'Returns paginated list of attachments with optional filtering by search term, partition, and tags. Includes available tags and partitions.',\n      query: openApiListQuerySchema,\n      responses: [\n        { status: 200, description: 'Attachments list with pagination and metadata', schema: attachmentListResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid query parameters', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,YAAY,2BAA2B;AAChD,SAAS,yBAAyB,iCAAiC;AACnE,SAAS,8BAA8B;AAEvC,SAAS,4BAA4B,oCAAoC;AACzE,SAAS,yBAAyB;AAClC;AAAA,EACE;AAAA,EACA,6BAA6B;AAAA,EAC7B;AAAA,EACA;AAAA,OACK;AAEP,MAAM,kBAAkB,EAAE,OAAO;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,WAAW,EAAE,KAAK,CAAC,YAAY,YAAY,WAAW,CAAC,EAAE,SAAS;AAAA,EAClE,SAAS,EAAE,KAAK,CAAC,OAAO,MAAM,CAAC,EAAE,SAAS;AAC5C,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,kBAAkB,EAAE;AAClE;AAEA,SAAS,eAAe,KAAwB;AAC9C,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,SAAO,IACJ,MAAM,GAAG,EACT,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,EACvB,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC;AACnC;AAEA,SAAS,gBAAgB,OAAwB;AAC/C,QAAM,SAAS,MAAY;AACzB,QAAI,iBAAiB,KAAM,QAAO;AAClC,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,SAAS,IAAI,KAAK,KAAK;AAC7B,UAAI,CAAC,OAAO,MAAM,OAAO,QAAQ,CAAC,EAAG,QAAO;AAAA,IAC9C;AACA,UAAM,WAAW,IAAI,KAAK,KAAY;AACtC,QAAI,CAAC,OAAO,MAAM,SAAS,QAAQ,CAAC,EAAG,QAAO;AAC9C,WAAO,oBAAI,KAAK;AAAA,EAClB;AACA,SAAO,OAAO,EAAE,YAAY;AAC9B;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,cAAe;AAClE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,gBAAgB,UAAU,OAAO,YAAY,IAAI,aAAa,QAAQ,CAAC,CAAC;AACvF,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtE;AAEA,QAAM,EAAE,MAAM,UAAU,QAAQ,WAAW,MAAM,WAAW,QAAQ,IAAI,OAAO;AAC/E,QAAM,UAAU,eAAe,IAAI;AACnC,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,KAAK,GAAG,mBAAmB,YAAY,GAAG;AAChD,QAAM,aAAsC,EAAE,UAAU,KAAK,SAAS;AACtE,MAAI,KAAK,OAAO;AACd,eAAW,iBAAiB,KAAK;AAAA,EACnC;AACA,KAAG,MAAM,UAAU;AACnB,MAAI,UAAU,OAAO,KAAK,EAAE,SAAS,GAAG;AACtC,OAAG,SAAS,EAAE,UAAU,EAAE,QAAQ,IAAI,kBAAkB,OAAO,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;AAAA,EAC/E;AACA,MAAI,aAAa,UAAU,KAAK,EAAE,SAAS,GAAG;AAC5C,OAAG,SAAS,EAAE,eAAe,UAAU,KAAK,EAAE,CAAC;AAAA,EACjD;AACA,MAAI,QAAQ,SAAS,GAAG;AACtB,OAAG,SAAS,iEAAiE,CAAC,KAAK,UAAU,OAAO,CAAC,CAAC;AAAA,EACxG;AACA,QAAM,UAAU,GAAG,MAAM;AACzB,QAAM,WAAmC;AAAA,IACvC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,WAAW;AAAA,EACb;AACA,QAAM,cAAc,SAAS,aAAa,WAAW,KAAK;AAC1D,KAAG,QAAQ,EAAE,CAAC,WAAW,GAAG,YAAY,QAAQ,QAAQ,OAAO,CAAC;AAChE,KAAG,MAAM,QAAQ,EAAE,OAAO,MAAM;AAEhC,QAAM,oBAAoB,GAAG;AAAA,IAC3B;AAAA,IACA,CAAC;AAAA,IACD,EAAE,SAAS,EAAE,OAAO,MAAM,GAAG,QAAQ,CAAC,QAAQ,SAAS,aAAa,EAAS;AAAA,EAC/E;AACA,QAAM,CAAC,SAAS,OAAO,UAAU,IAAI,MAAM,QAAQ,IAAI,CAAC,GAAG,cAAc,GAAG,QAAQ,MAAM,QAAQ,IAAI,GAAG,iBAAiB,CAAC;AAC3H,QAAM,uBAAuB,WAAW,OAA+B,CAAC,KAAK,UAAU;AACrF,QAAI,MAAM,KAAM,KAAI,MAAM,IAAI,IAAI,MAAM,SAAS,MAAM;AACvD,WAAO;AAAA,EACT,GAAG,CAAC,CAAC;AACL,QAAM,QAAQ,QAAQ,IAAI,CAAC,WAAW;AACpC,UAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,UAAM,WAAW,OAAO,YAAY;AACpC,UAAM,UAAU,OAAO,OAAO,aAAa,YAAY,OAAO,SAAS,YAAY,EAAE,WAAW,QAAQ;AACxG,UAAM,eAAe,UACjB,wBAAwB,OAAO,IAAI;AAAA,MACjC,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,MAAM,0BAA0B,QAAQ;AAAA,IAC1C,CAAC,IACD;AACJ,WAAO;AAAA,MACL,IAAI,OAAO;AAAA,MACX;AAAA,MACA,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,eAAe,OAAO;AAAA,MACtB,gBAAgB,qBAAqB,OAAO,aAAa,KAAK;AAAA,MAC9D,KAAK,OAAO;AAAA,MACZ,WAAW,gBAAgB,OAAO,SAAS;AAAA,MAC3C,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAaA,UAAS,eAAe,CAAC;AAAA,MACtC;AAAA,MACA,SAAS,OAAO,WAAW,OAAO,QAAQ,KAAK,IAAI,OAAO,UAAU;AAAA,IACtE;AAAA,EACF,CAAC;AAED,QAAM,iBAAiB,MAAM,QAAQ,CAAC,SAAS,KAAK,eAAe,CAAC,CAAC;AACrE,QAAM,cAAc,MAAM,6BAA6B,gBAAgB;AAAA,IACrE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,gBAAgB,YAAY,OAC9B,MAAM,IAAI,CAAC,UAAU;AAAA,IACnB,GAAG;AAAA,IACH,aAAa,2BAA2B,KAAK,eAAe,CAAC,GAAG,WAAW;AAAA,EAC7E,EAAE,IACF;AAEJ,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,OAAQ,GAAW,cAAc,EAAE,QAAQ;AACjD,QAAM,WAAW,KACd;AAAA,IACC,KAAK,IAAI,4FAA4F;AAAA,EACvG,EACC,KAAK,aAAa,EAClB,MAAM,aAAa,KAAK,QAAQ;AACnC,MAAI,KAAK,OAAO;AACd,aAAS,SAAS,mBAAmB,KAAK,KAAK;AAAA,EACjD;AACA,WAAS,QAAQ,OAAO,KAAK;AAC7B,QAAM,UAA0C,MAAM;AACtD,QAAM,gBAAgB,QACnB,IAAI,CAAC,QAAS,OAAO,IAAI,QAAQ,WAAW,IAAI,IAAI,KAAK,IAAI,EAAG,EAChE,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC;AAEjC,SAAO,aAAa,KAAK;AAAA,IACvB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,WAAW,IAAI,CAAC,WAAW;AAAA,MACrC,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,aAAa,MAAM,eAAe;AAAA,MAClC,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iDAAiD,QAAQ,6BAA6B;AAAA,MACpH;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,sBAAsB;AAAA,QACtF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { sql } from 'kysely'\nimport { Attachment, AttachmentPartition } from '../../data/entities'\nimport { buildAttachmentImageUrl, slugifyAttachmentFileName } from '../../lib/imageUrls'\nimport { readAttachmentMetadata } from '../../lib/metadata'\nimport type { QueryEngine } from '@open-mercato/shared/lib/query/types'\nimport { applyAssignmentEnrichments, resolveAssignmentEnrichments } from '../../lib/assignmentDetails'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport {\n  attachmentsTag,\n  attachmentListQuerySchema as openApiListQuerySchema,\n  attachmentListResponseSchema,\n  attachmentErrorSchema,\n} from '../openapi'\n\nconst listQuerySchema = z.object({\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(25),\n  search: z.string().optional(),\n  partition: z.string().optional(),\n  tags: z.string().optional(),\n  sortField: z.enum(['fileName', 'fileSize', 'createdAt']).optional(),\n  sortDir: z.enum(['asc', 'desc']).optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.view'] },\n}\n\nfunction buildTagFilter(raw?: string): string[] {\n  if (!raw) return []\n  return raw\n    .split(',')\n    .map((tag) => tag.trim())\n    .filter((tag) => tag.length > 0)\n}\n\nfunction formatDateValue(value: unknown): string {\n  const toDate = (): Date => {\n    if (value instanceof Date) return value\n    if (typeof value === 'string') {\n      const parsed = new Date(value)\n      if (!Number.isNaN(parsed.getTime())) return parsed\n    }\n    const fallback = new Date(value as any)\n    if (!Number.isNaN(fallback.getTime())) return fallback\n    return new Date()\n  }\n  return toDate().toISOString()\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const url = new URL(req.url)\n  const parsed = listQuerySchema.safeParse(Object.fromEntries(url.searchParams.entries()))\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid query' }, { status: 400 })\n  }\n\n  const { page, pageSize, search, partition, tags, sortField, sortDir } = parsed.data\n  const tagList = buildTagFilter(tags)\n  const offset = (page - 1) * pageSize\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  let queryEngine: QueryEngine | null = null\n  try {\n    queryEngine = resolve('queryEngine') as QueryEngine\n  } catch {\n    queryEngine = null\n  }\n  const qb = em.createQueryBuilder(Attachment, 'a')\n  const baseFilter: Record<string, unknown> = { tenantId: auth.tenantId }\n  if (auth.orgId) {\n    baseFilter.organizationId = auth.orgId\n  }\n  qb.where(baseFilter)\n  if (search && search.trim().length > 0) {\n    qb.andWhere({ fileName: { $ilike: `%${escapeLikePattern(search.trim())}%` } })\n  }\n  if (partition && partition.trim().length > 0) {\n    qb.andWhere({ partitionCode: partition.trim() })\n  }\n  if (tagList.length > 0) {\n    qb.andWhere(`coalesce(a.storage_metadata->'tags', '[]'::jsonb) @> ?::jsonb`, [JSON.stringify(tagList)])\n  }\n  const countQb = qb.clone()\n  const orderMap: Record<string, string> = {\n    fileName: 'a.file_name',\n    fileSize: 'a.file_size',\n    createdAt: 'a.created_at',\n  }\n  const orderColumn = orderMap[sortField ?? 'createdAt'] ?? 'a.created_at'\n  qb.orderBy({ [orderColumn]: sortDir === 'asc' ? 'asc' : 'desc' })\n  qb.limit(pageSize).offset(offset)\n\n  const partitionsPromise = em.find(\n    AttachmentPartition,\n    {},\n    { orderBy: { title: 'asc' }, fields: ['code', 'title', 'description'] as any },\n  )\n  const [records, total, partitions] = await Promise.all([qb.getResultList(), countQb.getCount('a.id', true), partitionsPromise])\n  const partitionTitleByCode = partitions.reduce<Record<string, string>>((acc, entry) => {\n    if (entry.code) acc[entry.code] = entry.title ?? entry.code\n    return acc\n  }, {})\n  const items = records.map((record) => {\n    const metadata = readAttachmentMetadata(record.storageMetadata)\n    const fileName = record.fileName || ''\n    const isImage = typeof record.mimeType === 'string' && record.mimeType.toLowerCase().startsWith('image/')\n    const thumbnailUrl = isImage\n      ? buildAttachmentImageUrl(record.id, {\n          width: 200,\n          height: 200,\n          slug: slugifyAttachmentFileName(fileName),\n        })\n      : undefined\n    return {\n      id: record.id,\n      fileName,\n      fileSize: record.fileSize,\n      mimeType: record.mimeType,\n      partitionCode: record.partitionCode,\n      partitionTitle: partitionTitleByCode[record.partitionCode] ?? null,\n      url: record.url,\n      createdAt: formatDateValue(record.createdAt),\n      tags: metadata.tags ?? [],\n      assignments: metadata.assignments ?? [],\n      thumbnailUrl,\n      content: record.content && record.content.trim() ? record.content : null,\n    }\n  })\n\n  const allAssignments = items.flatMap((item) => item.assignments ?? [])\n  const enrichments = await resolveAssignmentEnrichments(allAssignments, {\n    queryEngine,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  const enrichedItems = enrichments.size\n    ? items.map((item) => ({\n        ...item,\n        assignments: applyAssignmentEnrichments(item.assignments ?? [], enrichments),\n      }))\n    : items\n\n  const totalPages = Math.max(1, Math.ceil(Number(total) / pageSize))\n  const db = em.getKysely<any>() as any\n  let tagQuery = db\n    .selectFrom('attachments')\n    .select(sql<string>`distinct jsonb_array_elements_text(coalesce(storage_metadata->'tags', '[]'::jsonb))`.as('tag'))\n    .where('tenant_id', '=', auth.tenantId)\n  if (auth.orgId) {\n    tagQuery = tagQuery.where('organization_id', '=', auth.orgId)\n  }\n  const tagRows = await tagQuery.orderBy('tag', 'asc').execute() as Array<{ tag?: string | null }>\n  const availableTags = tagRows\n    .map((row) => (typeof row.tag === 'string' ? row.tag.trim() : ''))\n    .filter((tag) => tag.length > 0)\n\n  return NextResponse.json({\n    items: enrichedItems,\n    page,\n    pageSize,\n    total,\n    totalPages,\n    availableTags,\n    partitions: partitions.map((entry) => ({\n      code: entry.code,\n      title: entry.title,\n      description: entry.description ?? null,\n      isPublic: entry.isPublic ?? false,\n    })),\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment library management',\n  methods: {\n    GET: {\n      summary: 'List attachments',\n      description: 'Returns paginated list of attachments with optional filtering by search term, partition, and tags. Includes available tags and partitions.',\n      query: openApiListQuerySchema,\n      responses: [\n        { status: 200, description: 'Attachments list with pagination and metadata', schema: attachmentListResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid query parameters', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,WAAW;AACpB,SAAS,YAAY,2BAA2B;AAChD,SAAS,yBAAyB,iCAAiC;AACnE,SAAS,8BAA8B;AAEvC,SAAS,4BAA4B,oCAAoC;AACzE,SAAS,yBAAyB;AAClC;AAAA,EACE;AAAA,EACA,6BAA6B;AAAA,EAC7B;AAAA,EACA;AAAA,OACK;AAEP,MAAM,kBAAkB,EAAE,OAAO;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,WAAW,EAAE,KAAK,CAAC,YAAY,YAAY,WAAW,CAAC,EAAE,SAAS;AAAA,EAClE,SAAS,EAAE,KAAK,CAAC,OAAO,MAAM,CAAC,EAAE,SAAS;AAC5C,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,kBAAkB,EAAE;AAClE;AAEA,SAAS,eAAe,KAAwB;AAC9C,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,SAAO,IACJ,MAAM,GAAG,EACT,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,EACvB,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC;AACnC;AAEA,SAAS,gBAAgB,OAAwB;AAC/C,QAAM,SAAS,MAAY;AACzB,QAAI,iBAAiB,KAAM,QAAO;AAClC,QAAI,OAAO,UAAU,UAAU;AAC7B,YAAM,SAAS,IAAI,KAAK,KAAK;AAC7B,UAAI,CAAC,OAAO,MAAM,OAAO,QAAQ,CAAC,EAAG,QAAO;AAAA,IAC9C;AACA,UAAM,WAAW,IAAI,KAAK,KAAY;AACtC,QAAI,CAAC,OAAO,MAAM,SAAS,QAAQ,CAAC,EAAG,QAAO;AAC9C,WAAO,oBAAI,KAAK;AAAA,EAClB;AACA,SAAO,OAAO,EAAE,YAAY;AAC9B;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,cAAe;AAClE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,gBAAgB,UAAU,OAAO,YAAY,IAAI,aAAa,QAAQ,CAAC,CAAC;AACvF,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtE;AAEA,QAAM,EAAE,MAAM,UAAU,QAAQ,WAAW,MAAM,WAAW,QAAQ,IAAI,OAAO;AAC/E,QAAM,UAAU,eAAe,IAAI;AACnC,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI,cAAkC;AACtC,MAAI;AACF,kBAAc,QAAQ,aAAa;AAAA,EACrC,QAAQ;AACN,kBAAc;AAAA,EAChB;AACA,QAAM,KAAK,GAAG,mBAAmB,YAAY,GAAG;AAChD,QAAM,aAAsC,EAAE,UAAU,KAAK,SAAS;AACtE,MAAI,KAAK,OAAO;AACd,eAAW,iBAAiB,KAAK;AAAA,EACnC;AACA,KAAG,MAAM,UAAU;AACnB,MAAI,UAAU,OAAO,KAAK,EAAE,SAAS,GAAG;AACtC,OAAG,SAAS,EAAE,UAAU,EAAE,QAAQ,IAAI,kBAAkB,OAAO,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;AAAA,EAC/E;AACA,MAAI,aAAa,UAAU,KAAK,EAAE,SAAS,GAAG;AAC5C,OAAG,SAAS,EAAE,eAAe,UAAU,KAAK,EAAE,CAAC;AAAA,EACjD;AACA,MAAI,QAAQ,SAAS,GAAG;AACtB,OAAG,SAAS,iEAAiE,CAAC,KAAK,UAAU,OAAO,CAAC,CAAC;AAAA,EACxG;AACA,QAAM,UAAU,GAAG,MAAM;AACzB,QAAM,WAAmC;AAAA,IACvC,UAAU;AAAA,IACV,UAAU;AAAA,IACV,WAAW;AAAA,EACb;AACA,QAAM,cAAc,SAAS,aAAa,WAAW,KAAK;AAC1D,KAAG,QAAQ,EAAE,CAAC,WAAW,GAAG,YAAY,QAAQ,QAAQ,OAAO,CAAC;AAChE,KAAG,MAAM,QAAQ,EAAE,OAAO,MAAM;AAEhC,QAAM,oBAAoB,GAAG;AAAA,IAC3B;AAAA,IACA,CAAC;AAAA,IACD,EAAE,SAAS,EAAE,OAAO,MAAM,GAAG,QAAQ,CAAC,QAAQ,SAAS,aAAa,EAAS;AAAA,EAC/E;AACA,QAAM,CAAC,SAAS,OAAO,UAAU,IAAI,MAAM,QAAQ,IAAI,CAAC,GAAG,cAAc,GAAG,QAAQ,SAAS,QAAQ,IAAI,GAAG,iBAAiB,CAAC;AAC9H,QAAM,uBAAuB,WAAW,OAA+B,CAAC,KAAK,UAAU;AACrF,QAAI,MAAM,KAAM,KAAI,MAAM,IAAI,IAAI,MAAM,SAAS,MAAM;AACvD,WAAO;AAAA,EACT,GAAG,CAAC,CAAC;AACL,QAAM,QAAQ,QAAQ,IAAI,CAAC,WAAW;AACpC,UAAMA,YAAW,uBAAuB,OAAO,eAAe;AAC9D,UAAM,WAAW,OAAO,YAAY;AACpC,UAAM,UAAU,OAAO,OAAO,aAAa,YAAY,OAAO,SAAS,YAAY,EAAE,WAAW,QAAQ;AACxG,UAAM,eAAe,UACjB,wBAAwB,OAAO,IAAI;AAAA,MACjC,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,MAAM,0BAA0B,QAAQ;AAAA,IAC1C,CAAC,IACD;AACJ,WAAO;AAAA,MACL,IAAI,OAAO;AAAA,MACX;AAAA,MACA,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,MACjB,eAAe,OAAO;AAAA,MACtB,gBAAgB,qBAAqB,OAAO,aAAa,KAAK;AAAA,MAC9D,KAAK,OAAO;AAAA,MACZ,WAAW,gBAAgB,OAAO,SAAS;AAAA,MAC3C,MAAMA,UAAS,QAAQ,CAAC;AAAA,MACxB,aAAaA,UAAS,eAAe,CAAC;AAAA,MACtC;AAAA,MACA,SAAS,OAAO,WAAW,OAAO,QAAQ,KAAK,IAAI,OAAO,UAAU;AAAA,IACtE;AAAA,EACF,CAAC;AAED,QAAM,iBAAiB,MAAM,QAAQ,CAAC,SAAS,KAAK,eAAe,CAAC,CAAC;AACrE,QAAM,cAAc,MAAM,6BAA6B,gBAAgB;AAAA,IACrE;AAAA,IACA,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,QAAM,gBAAgB,YAAY,OAC9B,MAAM,IAAI,CAAC,UAAU;AAAA,IACnB,GAAG;AAAA,IACH,aAAa,2BAA2B,KAAK,eAAe,CAAC,GAAG,WAAW;AAAA,EAC7E,EAAE,IACF;AAEJ,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,OAAO,KAAK,IAAI,QAAQ,CAAC;AAClE,QAAM,KAAK,GAAG,UAAe;AAC7B,MAAI,WAAW,GACZ,WAAW,aAAa,EACxB,OAAO,yFAAiG,GAAG,KAAK,CAAC,EACjH,MAAM,aAAa,KAAK,KAAK,QAAQ;AACxC,MAAI,KAAK,OAAO;AACd,eAAW,SAAS,MAAM,mBAAmB,KAAK,KAAK,KAAK;AAAA,EAC9D;AACA,QAAM,UAAU,MAAM,SAAS,QAAQ,OAAO,KAAK,EAAE,QAAQ;AAC7D,QAAM,gBAAgB,QACnB,IAAI,CAAC,QAAS,OAAO,IAAI,QAAQ,WAAW,IAAI,IAAI,KAAK,IAAI,EAAG,EAChE,OAAO,CAAC,QAAQ,IAAI,SAAS,CAAC;AAEjC,SAAO,aAAa,KAAK;AAAA,IACvB,OAAO;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,WAAW,IAAI,CAAC,WAAW;AAAA,MACrC,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,aAAa,MAAM,eAAe;AAAA,MAClC,UAAU,MAAM,YAAY;AAAA,IAC9B,EAAE;AAAA,EACJ,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iDAAiD,QAAQ,6BAA6B;AAAA,MACpH;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,sBAAsB;AAAA,QACtF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
   "names": ["metadata"]
 }

package/dist/modules/attachments/api/partitions/route.js

@@ -92,7 +92,7 @@ async function POST(req) {
     requiresOcr: typeof parsed.data.requiresOcr === "boolean" ? parsed.data.requiresOcr : resolveDefaultAttachmentOcrEnabled(),
     ocrModel: parsed.data.ocrModel?.trim() || null
   });
-  await em.persistAndFlush(entry);
+  await em.persist(entry).flush();
   return NextResponse.json({ item: serializePartition(entry) }, { status: 201 });
 }
 async function PUT(req) {
@@ -133,7 +133,7 @@ async function PUT(req) {
   if (parsed.data.ocrModel !== void 0) {
     entry.ocrModel = parsed.data.ocrModel?.trim() || null;
   }
-  await em.persistAndFlush(entry);
+  await em.persist(entry).flush();
   return NextResponse.json({ item: serializePartition(entry) });
 }
 async function DELETE(req) {
@@ -165,7 +165,7 @@ async function DELETE(req) {
   if (usage > 0) {
     return NextResponse.json({ error: "Partition is in use and cannot be removed." }, { status: 409 });
   }
-  await em.removeAndFlush(entry);
+  await em.remove(entry).flush();
   return NextResponse.json({ ok: true });
 }
 const openApi = {

package/dist/modules/attachments/api/partitions/route.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/attachments/api/partitions/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { Attachment, AttachmentPartition } from '../../data/entities'\nimport { ensureDefaultPartitions, DEFAULT_ATTACHMENT_PARTITIONS, sanitizePartitionCode, isPartitionSettingsLocked } from '../../lib/partitions'\nimport { resolvePartitionEnvKey } from '../../lib/partitionEnv'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveDefaultAttachmentOcrEnabled } from '../../lib/ocrConfig'\nimport {\n  attachmentsTag,\n  partitionCreateSchema,\n  partitionUpdateSchema,\n  partitionResponseSchema,\n  partitionListResponseSchema,\n  attachmentErrorSchema,\n} from '../openapi'\n\nconst deleteSchema = z.object({\n  id: z.string().uuid(),\n})\n\nconst DEFAULT_CODES = new Set(DEFAULT_ATTACHMENT_PARTITIONS.map((entry) => entry.code))\n\nfunction serializePartition(entry: AttachmentPartition) {\n  return {\n    id: entry.id,\n    code: entry.code,\n    title: entry.title,\n    description: entry.description ?? null,\n    isPublic: entry.isPublic ?? false,\n    requiresOcr: entry.requiresOcr ?? resolveDefaultAttachmentOcrEnabled(),\n    ocrModel: entry.ocrModel ?? null,\n    createdAt: entry.createdAt instanceof Date ? entry.createdAt.toISOString() : null,\n    updatedAt: entry.updatedAt instanceof Date ? entry.updatedAt.toISOString() : null,\n    envKey: resolvePartitionEnvKey(entry.code),\n  }\n}\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  POST: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n} as const\n\nasync function resolveEm() {\n  const { resolve } = await createRequestContainer()\n  return resolve('em') as EntityManager\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const em = await resolveEm()\n  await ensureDefaultPartitions(em)\n  const rows = await em.find(AttachmentPartition, {}, { orderBy: { createdAt: 'asc' } })\n  return NextResponse.json({ items: rows.map((entry) => serializePartition(entry)) })\n}\n\nexport async function POST(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  let json: unknown = null\n  try {\n    json = await req.json()\n  } catch {\n    json = null\n  }\n  const parsed = partitionCreateSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const code = sanitizePartitionCode(parsed.data.code)\n  if (!code) {\n    return NextResponse.json({ error: 'Partition code is required.' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  await ensureDefaultPartitions(em)\n  const exists = await em.findOne(AttachmentPartition, { code })\n  if (exists) {\n    return NextResponse.json({ error: 'Partition code already exists.' }, { status: 409 })\n  }\n  const entry = em.create(AttachmentPartition, {\n    code,\n    title: parsed.data.title.trim(),\n    description: parsed.data.description?.trim() ?? null,\n    storageDriver: 'local',\n    isPublic: parsed.data.isPublic ?? false,\n    requiresOcr:\n      typeof parsed.data.requiresOcr === 'boolean'\n        ? parsed.data.requiresOcr\n        : resolveDefaultAttachmentOcrEnabled(),\n    ocrModel: parsed.data.ocrModel?.trim() || null,\n  })\n  await em.persistAndFlush(entry)\n  return NextResponse.json({ item: serializePartition(entry) }, { status: 201 })\n}\n\nexport async function PUT(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  let json: unknown = null\n  try {\n    json = await req.json()\n  } catch {\n    json = null\n  }\n  const parsed = partitionUpdateSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  const entry = await em.findOne(AttachmentPartition, { id: parsed.data.id })\n  if (!entry) {\n    return NextResponse.json({ error: 'Partition not found' }, { status: 404 })\n  }\n  if (sanitizePartitionCode(parsed.data.code) !== entry.code) {\n    return NextResponse.json({ error: 'Partition code cannot be changed.' }, { status: 400 })\n  }\n  entry.title = parsed.data.title.trim()\n  entry.description = parsed.data.description?.trim() ?? null\n  entry.isPublic = parsed.data.isPublic ?? false\n  if (typeof parsed.data.requiresOcr === 'boolean') {\n    entry.requiresOcr = parsed.data.requiresOcr\n  }\n  if (parsed.data.ocrModel !== undefined) {\n    entry.ocrModel = parsed.data.ocrModel?.trim() || null\n  }\n  await em.persistAndFlush(entry)\n  return NextResponse.json({ item: serializePartition(entry) })\n}\n\nexport async function DELETE(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const url = new URL(req.url)\n  const id = url.searchParams.get('id')\n  const parsed = deleteSchema.safeParse({ id })\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Partition id is required' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  const entry = await em.findOne(AttachmentPartition, { id: parsed.data.id })\n  if (!entry) {\n    return NextResponse.json({ error: 'Partition not found' }, { status: 404 })\n  }\n  if (DEFAULT_CODES.has(entry.code)) {\n    return NextResponse.json({ error: 'Default partitions cannot be removed.' }, { status: 400 })\n  }\n  const usage = await em.count(Attachment, { partitionCode: entry.code })\n  if (usage > 0) {\n    return NextResponse.json({ error: 'Partition is in use and cannot be removed.' }, { status: 409 })\n  }\n  await em.removeAndFlush(entry)\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment partition management',\n  methods: {\n    GET: {\n      summary: 'List all attachment partitions',\n      description: 'Returns all configured attachment partitions with storage settings, OCR configuration, and access control settings.',\n      responses: [\n        { status: 200, description: 'List of partitions', schema: partitionListResponseSchema },\n      ],\n      errors: [\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create new partition',\n      description: 'Creates a new attachment partition with specified storage and OCR settings. Requires unique partition code.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: partitionCreateSchema,\n      },\n      responses: [\n        { status: 201, description: 'Partition created successfully', schema: partitionResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or partition code', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 409, description: 'Partition code already exists', schema: attachmentErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update partition',\n      description: 'Updates an existing partition. Partition code cannot be changed. Title, description, OCR settings, and access control can be modified.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: partitionUpdateSchema,\n      },\n      responses: [\n        { status: 200, description: 'Partition updated successfully', schema: partitionResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or code change attempt', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 404, description: 'Partition not found', schema: attachmentErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete partition',\n      description: 'Deletes a partition. Default partitions cannot be deleted. Partitions with existing attachments cannot be deleted.',\n      responses: [\n        { status: 200, description: 'Partition deleted successfully', schema: z.object({ ok: z.literal(true) }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid ID or default partition deletion attempt', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 404, description: 'Partition not found', schema: attachmentErrorSchema },\n        { status: 409, description: 'Partition in use', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,YAAY,2BAA2B;AAChD,SAAS,yBAAyB,+BAA+B,uBAAuB,iCAAiC;AACzH,SAAS,8BAA8B;AAEvC,SAAS,0CAA0C;AACnD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AACtB,CAAC;AAED,MAAM,gBAAgB,IAAI,IAAI,8BAA8B,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC;AAEtF,SAAS,mBAAmB,OAA4B;AACtD,SAAO;AAAA,IACL,IAAI,MAAM;AAAA,IACV,MAAM,MAAM;AAAA,IACZ,OAAO,MAAM;AAAA,IACb,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,MAAM,YAAY;AAAA,IAC5B,aAAa,MAAM,eAAe,mCAAmC;AAAA,IACrE,UAAU,MAAM,YAAY;AAAA,IAC5B,WAAW,MAAM,qBAAqB,OAAO,MAAM,UAAU,YAAY,IAAI;AAAA,IAC7E,WAAW,MAAM,qBAAqB,OAAO,MAAM,UAAU,YAAY,IAAI;AAAA,IAC7E,QAAQ,uBAAuB,MAAM,IAAI;AAAA,EAC3C;AACF;AAEO,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EAClE,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EACnE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EAClE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AACvE;AAEA,eAAe,YAAY;AACzB,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,SAAO,QAAQ,IAAI;AACrB;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,wBAAwB,EAAE;AAChC,QAAM,OAAO,MAAM,GAAG,KAAK,qBAAqB,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,MAAM,EAAE,CAAC;AACrF,SAAO,aAAa,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC,UAAU,mBAAmB,KAAK,CAAC,EAAE,CAAC;AACpF;AAEA,eAAsB,KAAK,KAAc;AACvC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,MAAI,OAAgB;AACpB,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,OAAO,sBAAsB,OAAO,KAAK,IAAI;AACnD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpF;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,wBAAwB,EAAE;AAChC,QAAM,SAAS,MAAM,GAAG,QAAQ,qBAAqB,EAAE,KAAK,CAAC;AAC7D,MAAI,QAAQ;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,iCAAiC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvF;AACA,QAAM,QAAQ,GAAG,OAAO,qBAAqB;AAAA,IAC3C;AAAA,IACA,OAAO,OAAO,KAAK,MAAM,KAAK;AAAA,IAC9B,aAAa,OAAO,KAAK,aAAa,KAAK,KAAK;AAAA,IAChD,eAAe;AAAA,IACf,UAAU,OAAO,KAAK,YAAY;AAAA,IAClC,aACE,OAAO,OAAO,KAAK,gBAAgB,YAC/B,OAAO,KAAK,cACZ,mCAAmC;AAAA,IACzC,UAAU,OAAO,KAAK,UAAU,KAAK,KAAK;AAAA,EAC5C,CAAC;AACD,QAAM,GAAG,gBAAgB,KAAK;AAC9B,SAAO,aAAa,KAAK,EAAE,MAAM,mBAAmB,KAAK,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC/E;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,MAAI,OAAgB;AACpB,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,QAAQ,MAAM,GAAG,QAAQ,qBAAqB,EAAE,IAAI,OAAO,KAAK,GAAG,CAAC;AAC1E,MAAI,CAAC,OAAO;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACA,MAAI,sBAAsB,OAAO,KAAK,IAAI,MAAM,MAAM,MAAM;AAC1D,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AACA,QAAM,QAAQ,OAAO,KAAK,MAAM,KAAK;AACrC,QAAM,cAAc,OAAO,KAAK,aAAa,KAAK,KAAK;AACvD,QAAM,WAAW,OAAO,KAAK,YAAY;AACzC,MAAI,OAAO,OAAO,KAAK,gBAAgB,WAAW;AAChD,UAAM,cAAc,OAAO,KAAK;AAAA,EAClC;AACA,MAAI,OAAO,KAAK,aAAa,QAAW;AACtC,UAAM,WAAW,OAAO,KAAK,UAAU,KAAK,KAAK;AAAA,EACnD;AACA,QAAM,GAAG,gBAAgB,KAAK;AAC9B,SAAO,aAAa,KAAK,EAAE,MAAM,mBAAmB,KAAK,EAAE,CAAC;AAC9D;AAEA,eAAsB,OAAO,KAAc;AACzC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,KAAK,IAAI,aAAa,IAAI,IAAI;AACpC,QAAM,SAAS,aAAa,UAAU,EAAE,GAAG,CAAC;AAC5C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjF;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,QAAQ,MAAM,GAAG,QAAQ,qBAAqB,EAAE,IAAI,OAAO,KAAK,GAAG,CAAC;AAC1E,MAAI,CAAC,OAAO;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACA,MAAI,cAAc,IAAI,MAAM,IAAI,GAAG;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9F;AACA,QAAM,QAAQ,MAAM,GAAG,MAAM,YAAY,EAAE,eAAe,MAAM,KAAK,CAAC;AACtE,MAAI,QAAQ,GAAG;AACb,WAAO,aAAa,KAAK,EAAE,OAAO,6CAA6C,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnG;AACA,QAAM,GAAG,eAAe,KAAK;AAC7B,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sBAAsB,QAAQ,4BAA4B;AAAA,MACxF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,wBAAwB;AAAA,MAChG;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,qCAAqC,QAAQ,sBAAsB;AAAA,QAC/F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,sBAAsB;AAAA,MAC7F;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,wBAAwB;AAAA,MAChG;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,sBAAsB;AAAA,QACpG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,sBAAsB;AAAA,MACnF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE;AAAA,MAC1G;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oDAAoD,QAAQ,sBAAsB;AAAA,QAC9G,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,sBAAsB;AAAA,QACjF,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,sBAAsB;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { Attachment, AttachmentPartition } from '../../data/entities'\nimport { ensureDefaultPartitions, DEFAULT_ATTACHMENT_PARTITIONS, sanitizePartitionCode, isPartitionSettingsLocked } from '../../lib/partitions'\nimport { resolvePartitionEnvKey } from '../../lib/partitionEnv'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveDefaultAttachmentOcrEnabled } from '../../lib/ocrConfig'\nimport {\n  attachmentsTag,\n  partitionCreateSchema,\n  partitionUpdateSchema,\n  partitionResponseSchema,\n  partitionListResponseSchema,\n  attachmentErrorSchema,\n} from '../openapi'\n\nconst deleteSchema = z.object({\n  id: z.string().uuid(),\n})\n\nconst DEFAULT_CODES = new Set(DEFAULT_ATTACHMENT_PARTITIONS.map((entry) => entry.code))\n\nfunction serializePartition(entry: AttachmentPartition) {\n  return {\n    id: entry.id,\n    code: entry.code,\n    title: entry.title,\n    description: entry.description ?? null,\n    isPublic: entry.isPublic ?? false,\n    requiresOcr: entry.requiresOcr ?? resolveDefaultAttachmentOcrEnabled(),\n    ocrModel: entry.ocrModel ?? null,\n    createdAt: entry.createdAt instanceof Date ? entry.createdAt.toISOString() : null,\n    updatedAt: entry.updatedAt instanceof Date ? entry.updatedAt.toISOString() : null,\n    envKey: resolvePartitionEnvKey(entry.code),\n  }\n}\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  POST: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['attachments.manage'] },\n} as const\n\nasync function resolveEm() {\n  const { resolve } = await createRequestContainer()\n  return resolve('em') as EntityManager\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const em = await resolveEm()\n  await ensureDefaultPartitions(em)\n  const rows = await em.find(AttachmentPartition, {}, { orderBy: { createdAt: 'asc' } })\n  return NextResponse.json({ items: rows.map((entry) => serializePartition(entry)) })\n}\n\nexport async function POST(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  let json: unknown = null\n  try {\n    json = await req.json()\n  } catch {\n    json = null\n  }\n  const parsed = partitionCreateSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const code = sanitizePartitionCode(parsed.data.code)\n  if (!code) {\n    return NextResponse.json({ error: 'Partition code is required.' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  await ensureDefaultPartitions(em)\n  const exists = await em.findOne(AttachmentPartition, { code })\n  if (exists) {\n    return NextResponse.json({ error: 'Partition code already exists.' }, { status: 409 })\n  }\n  const entry = em.create(AttachmentPartition, {\n    code,\n    title: parsed.data.title.trim(),\n    description: parsed.data.description?.trim() ?? null,\n    storageDriver: 'local',\n    isPublic: parsed.data.isPublic ?? false,\n    requiresOcr:\n      typeof parsed.data.requiresOcr === 'boolean'\n        ? parsed.data.requiresOcr\n        : resolveDefaultAttachmentOcrEnabled(),\n    ocrModel: parsed.data.ocrModel?.trim() || null,\n  })\n  await em.persist(entry).flush()\n  return NextResponse.json({ item: serializePartition(entry) }, { status: 201 })\n}\n\nexport async function PUT(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  let json: unknown = null\n  try {\n    json = await req.json()\n  } catch {\n    json = null\n  }\n  const parsed = partitionUpdateSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  const entry = await em.findOne(AttachmentPartition, { id: parsed.data.id })\n  if (!entry) {\n    return NextResponse.json({ error: 'Partition not found' }, { status: 404 })\n  }\n  if (sanitizePartitionCode(parsed.data.code) !== entry.code) {\n    return NextResponse.json({ error: 'Partition code cannot be changed.' }, { status: 400 })\n  }\n  entry.title = parsed.data.title.trim()\n  entry.description = parsed.data.description?.trim() ?? null\n  entry.isPublic = parsed.data.isPublic ?? false\n  if (typeof parsed.data.requiresOcr === 'boolean') {\n    entry.requiresOcr = parsed.data.requiresOcr\n  }\n  if (parsed.data.ocrModel !== undefined) {\n    entry.ocrModel = parsed.data.ocrModel?.trim() || null\n  }\n  await em.persist(entry).flush()\n  return NextResponse.json({ item: serializePartition(entry) })\n}\n\nexport async function DELETE(req: Request) {\n  if (isPartitionSettingsLocked()) {\n    return NextResponse.json(\n      { error: 'Attachment partitions are managed by the environment in demo/onboarding mode.' },\n      { status: 403 },\n    )\n  }\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const url = new URL(req.url)\n  const id = url.searchParams.get('id')\n  const parsed = deleteSchema.safeParse({ id })\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Partition id is required' }, { status: 400 })\n  }\n  const em = await resolveEm()\n  const entry = await em.findOne(AttachmentPartition, { id: parsed.data.id })\n  if (!entry) {\n    return NextResponse.json({ error: 'Partition not found' }, { status: 404 })\n  }\n  if (DEFAULT_CODES.has(entry.code)) {\n    return NextResponse.json({ error: 'Default partitions cannot be removed.' }, { status: 400 })\n  }\n  const usage = await em.count(Attachment, { partitionCode: entry.code })\n  if (usage > 0) {\n    return NextResponse.json({ error: 'Partition is in use and cannot be removed.' }, { status: 409 })\n  }\n  await em.remove(entry).flush()\n  return NextResponse.json({ ok: true })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: attachmentsTag,\n  summary: 'Attachment partition management',\n  methods: {\n    GET: {\n      summary: 'List all attachment partitions',\n      description: 'Returns all configured attachment partitions with storage settings, OCR configuration, and access control settings.',\n      responses: [\n        { status: 200, description: 'List of partitions', schema: partitionListResponseSchema },\n      ],\n      errors: [\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create new partition',\n      description: 'Creates a new attachment partition with specified storage and OCR settings. Requires unique partition code.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: partitionCreateSchema,\n      },\n      responses: [\n        { status: 201, description: 'Partition created successfully', schema: partitionResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or partition code', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 409, description: 'Partition code already exists', schema: attachmentErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update partition',\n      description: 'Updates an existing partition. Partition code cannot be changed. Title, description, OCR settings, and access control can be modified.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: partitionUpdateSchema,\n      },\n      responses: [\n        { status: 200, description: 'Partition updated successfully', schema: partitionResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or code change attempt', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 404, description: 'Partition not found', schema: attachmentErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete partition',\n      description: 'Deletes a partition. Default partitions cannot be deleted. Partitions with existing attachments cannot be deleted.',\n      responses: [\n        { status: 200, description: 'Partition deleted successfully', schema: z.object({ ok: z.literal(true) }) },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid ID or default partition deletion attempt', schema: attachmentErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: attachmentErrorSchema },\n        { status: 403, description: 'Partitions locked in demo mode', schema: attachmentErrorSchema },\n        { status: 404, description: 'Partition not found', schema: attachmentErrorSchema },\n        { status: 409, description: 'Partition in use', schema: attachmentErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,YAAY,2BAA2B;AAChD,SAAS,yBAAyB,+BAA+B,uBAAuB,iCAAiC;AACzH,SAAS,8BAA8B;AAEvC,SAAS,0CAA0C;AACnD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP,MAAM,eAAe,EAAE,OAAO;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,KAAK;AACtB,CAAC;AAED,MAAM,gBAAgB,IAAI,IAAI,8BAA8B,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC;AAEtF,SAAS,mBAAmB,OAA4B;AACtD,SAAO;AAAA,IACL,IAAI,MAAM;AAAA,IACV,MAAM,MAAM;AAAA,IACZ,OAAO,MAAM;AAAA,IACb,aAAa,MAAM,eAAe;AAAA,IAClC,UAAU,MAAM,YAAY;AAAA,IAC5B,aAAa,MAAM,eAAe,mCAAmC;AAAA,IACrE,UAAU,MAAM,YAAY;AAAA,IAC5B,WAAW,MAAM,qBAAqB,OAAO,MAAM,UAAU,YAAY,IAAI;AAAA,IAC7E,WAAW,MAAM,qBAAqB,OAAO,MAAM,UAAU,YAAY,IAAI;AAAA,IAC7E,QAAQ,uBAAuB,MAAM,IAAI;AAAA,EAC3C;AACF;AAEO,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EAClE,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EACnE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AAAA,EAClE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,oBAAoB,EAAE;AACvE;AAEA,eAAe,YAAY;AACzB,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,SAAO,QAAQ,IAAI;AACrB;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,wBAAwB,EAAE;AAChC,QAAM,OAAO,MAAM,GAAG,KAAK,qBAAqB,CAAC,GAAG,EAAE,SAAS,EAAE,WAAW,MAAM,EAAE,CAAC;AACrF,SAAO,aAAa,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC,UAAU,mBAAmB,KAAK,CAAC,EAAE,CAAC;AACpF;AAEA,eAAsB,KAAK,KAAc;AACvC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,MAAI,OAAgB;AACpB,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,OAAO,sBAAsB,OAAO,KAAK,IAAI;AACnD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpF;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,wBAAwB,EAAE;AAChC,QAAM,SAAS,MAAM,GAAG,QAAQ,qBAAqB,EAAE,KAAK,CAAC;AAC7D,MAAI,QAAQ;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,iCAAiC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvF;AACA,QAAM,QAAQ,GAAG,OAAO,qBAAqB;AAAA,IAC3C;AAAA,IACA,OAAO,OAAO,KAAK,MAAM,KAAK;AAAA,IAC9B,aAAa,OAAO,KAAK,aAAa,KAAK,KAAK;AAAA,IAChD,eAAe;AAAA,IACf,UAAU,OAAO,KAAK,YAAY;AAAA,IAClC,aACE,OAAO,OAAO,KAAK,gBAAgB,YAC/B,OAAO,KAAK,cACZ,mCAAmC;AAAA,IACzC,UAAU,OAAO,KAAK,UAAU,KAAK,KAAK;AAAA,EAC5C,CAAC;AACD,QAAM,GAAG,QAAQ,KAAK,EAAE,MAAM;AAC9B,SAAO,aAAa,KAAK,EAAE,MAAM,mBAAmB,KAAK,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC/E;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,MAAI,OAAgB;AACpB,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,QAAQ,MAAM,GAAG,QAAQ,qBAAqB,EAAE,IAAI,OAAO,KAAK,GAAG,CAAC;AAC1E,MAAI,CAAC,OAAO;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACA,MAAI,sBAAsB,OAAO,KAAK,IAAI,MAAM,MAAM,MAAM;AAC1D,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AACA,QAAM,QAAQ,OAAO,KAAK,MAAM,KAAK;AACrC,QAAM,cAAc,OAAO,KAAK,aAAa,KAAK,KAAK;AACvD,QAAM,WAAW,OAAO,KAAK,YAAY;AACzC,MAAI,OAAO,OAAO,KAAK,gBAAgB,WAAW;AAChD,UAAM,cAAc,OAAO,KAAK;AAAA,EAClC;AACA,MAAI,OAAO,KAAK,aAAa,QAAW;AACtC,UAAM,WAAW,OAAO,KAAK,UAAU,KAAK,KAAK;AAAA,EACnD;AACA,QAAM,GAAG,QAAQ,KAAK,EAAE,MAAM;AAC9B,SAAO,aAAa,KAAK,EAAE,MAAM,mBAAmB,KAAK,EAAE,CAAC;AAC9D;AAEA,eAAsB,OAAO,KAAc;AACzC,MAAI,0BAA0B,GAAG;AAC/B,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,gFAAgF;AAAA,MACzF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,KAAK;AACd,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,KAAK,IAAI,aAAa,IAAI,IAAI;AACpC,QAAM,SAAS,aAAa,UAAU,EAAE,GAAG,CAAC;AAC5C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjF;AACA,QAAM,KAAK,MAAM,UAAU;AAC3B,QAAM,QAAQ,MAAM,GAAG,QAAQ,qBAAqB,EAAE,IAAI,OAAO,KAAK,GAAG,CAAC;AAC1E,MAAI,CAAC,OAAO;AACV,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACA,MAAI,cAAc,IAAI,MAAM,IAAI,GAAG;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9F;AACA,QAAM,QAAQ,MAAM,GAAG,MAAM,YAAY,EAAE,eAAe,MAAM,KAAK,CAAC;AACtE,MAAI,QAAQ,GAAG;AACb,WAAO,aAAa,KAAK,EAAE,OAAO,6CAA6C,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnG;AACA,QAAM,GAAG,OAAO,KAAK,EAAE,MAAM;AAC7B,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sBAAsB,QAAQ,4BAA4B;AAAA,MACxF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,wBAAwB;AAAA,MAChG;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,qCAAqC,QAAQ,sBAAsB;AAAA,QAC/F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,sBAAsB;AAAA,MAC7F;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,wBAAwB;AAAA,MAChG;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,sBAAsB;AAAA,QACpG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,sBAAsB;AAAA,MACnF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE;AAAA,MAC1G;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oDAAoD,QAAQ,sBAAsB;AAAA,QAC9G,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,sBAAsB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,sBAAsB;AAAA,QAC5F,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,sBAAsB;AAAA,QACjF,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,sBAAsB;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/attachments/api/route.js

@@ -2,6 +2,7 @@ import { NextResponse } from "next/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { z } from "zod";
+import { sql } from "kysely";
 import { buildAttachmentFileUrl, buildAttachmentImageUrl, slugifyAttachmentFileName } from "../lib/imageUrls.js";
 import { ensureDefaultPartitions, resolveDefaultPartitionCode, sanitizePartitionCode } from "../lib/partitions.js";
 import { Attachment, AttachmentPartition } from "../data/entities.js";
@@ -384,7 +385,7 @@ async function POST(req) {
     content: extractedContent,
     storageMetadata: metadata2
   });
-  await em.persistAndFlush(att);
+  await em.persist(att).flush();
   if (useLlmOcr) {
     requestOcrProcessing(em, att, stored.absolutePath).catch((error) => {
       console.error("[attachments] failed to queue OCR processing", error);
@@ -442,9 +443,9 @@ async function POST(req) {
 }
 async function readTenantAttachmentUsageBytes(em, tenantId) {
   try {
-    const knex = em.getConnection().getKnex();
-    const row = await knex("attachments").where({ tenant_id: tenantId }).sum({ totalSize: "file_size" }).first();
-    const total = row?.totalSize;
+    const db = em.getKysely();
+    const row = await db.selectFrom("attachments").select(sql`sum(file_size)`.as("total_size")).where("tenant_id", "=", tenantId).executeTakeFirst();
+    const total = row?.total_size;
     if (typeof total === "number") return Number.isFinite(total) ? total : 0;
     if (typeof total === "string") {
       const parsed = Number(total);
@@ -467,7 +468,7 @@ async function DELETE(req) {
   const deleteFilter = { id, tenantId: auth.tenantId, organizationId: auth.orgId };
   const record = await em.findOne(Attachment, deleteFilter);
   if (!record) return NextResponse.json({ error: "Attachment not found" }, { status: 404 });
-  await em.removeAndFlush(record);
+  await em.remove(record).flush();
   await clearAttachmentThumbnailCache(record.partitionCode, record.id).catch((error) => {
     console.error("[attachments] failed to cleanup cached thumbnails", error);
   });