@open-mercato/core 0.5.1-develop.2744.9c8be0dd93 → 0.5.1-develop.2762.90c271efe2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/.turbo/turbo-build.log +1 -1
  2. package/dist/modules/audit_logs/services/accessLogService.js +3 -4
  3. package/dist/modules/audit_logs/services/accessLogService.js.map +2 -2
  4. package/dist/modules/audit_logs/services/actionLogService.js +3 -2
  5. package/dist/modules/audit_logs/services/actionLogService.js.map +2 -2
  6. package/dist/modules/auth/api/users/route.js +38 -2
  7. package/dist/modules/auth/api/users/route.js.map +2 -2
  8. package/dist/modules/catalog/lib/bulkDelete.js +17 -14
  9. package/dist/modules/catalog/lib/bulkDelete.js.map +2 -2
  10. package/dist/modules/configs/lib/system-status.js +2 -1
  11. package/dist/modules/configs/lib/system-status.js.map +2 -2
  12. package/dist/modules/customer_accounts/api/portal/password-change.js +3 -1
  13. package/dist/modules/customer_accounts/api/portal/password-change.js.map +2 -2
  14. package/dist/modules/customers/api/deals/[id]/route.js +2 -1
  15. package/dist/modules/customers/api/deals/[id]/route.js.map +2 -2
  16. package/dist/modules/customers/api/interactions/route.js +2 -1
  17. package/dist/modules/customers/api/interactions/route.js.map +2 -2
  18. package/dist/modules/customers/lib/interactionReadModel.js +6 -1
  19. package/dist/modules/customers/lib/interactionReadModel.js.map +2 -2
  20. package/dist/modules/feature_toggles/lib/feature-flag-check.js +7 -3
  21. package/dist/modules/feature_toggles/lib/feature-flag-check.js.map +2 -2
  22. package/dist/modules/inbox_ops/encryption.js +47 -0
  23. package/dist/modules/inbox_ops/encryption.js.map +7 -0
  24. package/dist/modules/workflows/api/definitions/[id]/route.js +3 -0
  25. package/dist/modules/workflows/api/definitions/[id]/route.js.map +2 -2
  26. package/dist/modules/workflows/api/definitions/route.js +2 -0
  27. package/dist/modules/workflows/api/definitions/route.js.map +2 -2
  28. package/package.json +3 -3
  29. package/src/modules/audit_logs/services/accessLogService.ts +5 -4
  30. package/src/modules/audit_logs/services/actionLogService.ts +9 -2
  31. package/src/modules/auth/api/users/route.ts +55 -2
  32. package/src/modules/catalog/lib/bulkDelete.ts +17 -14
  33. package/src/modules/configs/lib/system-status.ts +2 -1
  34. package/src/modules/customer_accounts/api/portal/password-change.ts +6 -1
  35. package/src/modules/customers/api/deals/[id]/route.ts +2 -1
  36. package/src/modules/customers/api/interactions/route.ts +2 -1
  37. package/src/modules/customers/lib/interactionReadModel.ts +12 -1
  38. package/src/modules/feature_toggles/lib/feature-flag-check.ts +7 -4
  39. package/src/modules/inbox_ops/encryption.ts +51 -0
  40. package/src/modules/workflows/api/definitions/[id]/route.ts +7 -0
  41. package/src/modules/workflows/api/definitions/route.ts +6 -0
package/.turbo/turbo-build.log CHANGED
@@ -1,4 +1,4 @@
1
- [build:core] found 2340 entry points
1
+ [build:core] found 2344 entry points
2
2
  [build:core] built successfully
3
3
  [build:core:generated] found 169 entry points
4
4
  [build:core:generated] built successfully
package/dist/modules/audit_logs/services/accessLogService.js CHANGED
@@ -114,12 +114,11 @@ class AccessLogService {
114
114
  context: void 0
115
115
  };
116
116
  }
117
+ const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/;
117
118
  const toNullableUuid = (value) => {
118
119
  if (typeof value !== "string" || value.length === 0) return null;
119
- if (value.startsWith("api_key:")) {
120
- return value.slice("api_key:".length);
121
- }
122
- return value;
120
+ const candidate = value.startsWith("api_key:") ? value.slice("api_key:".length) : value;
121
+ return UUID_REGEX.test(candidate) ? candidate : null;
123
122
  };
124
123
  const fields = Array.isArray(input.fields) ? input.fields.filter((f) => typeof f === "string" && f.length > 0) : void 0;
125
124
  const context = typeof input.context === "object" && input.context !== null ? input.context : void 0;
package/dist/modules/audit_logs/services/accessLogService.js.map CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 3,
3
3
  "sources": ["../../../../src/modules/audit_logs/services/accessLogService.ts"],
4
- "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport { AccessLog } from '@open-mercato/core/modules/audit_logs/data/entities'\nimport {\n accessLogCreateSchema,\n accessLogListSchema,\n type AccessLogCreateInput,\n type AccessLogListQuery,\n} from '@open-mercato/core/modules/audit_logs/data/validators'\nimport { resolveTenantEncryptionService } from '@open-mercato/shared/lib/encryption/customFieldValues'\nimport { E } from '#generated/entities.ids.generated'\n\nconst CORE_RESOURCE_KINDS = new Set<string>(['auth.user', 'auth.role'])\n\nfunction toPositiveNumber(value: string | undefined, fallback: number): number {\n if (!value) return fallback\n const parsed = Number(value)\n if (!Number.isFinite(parsed) || parsed <= 0) return fallback\n return parsed\n}\n\nconst CORE_RETENTION_DAYS = toPositiveNumber(process.env.AUDIT_LOGS_CORE_RETENTION_DAYS, 7)\nconst NON_CORE_RETENTION_HOURS = toPositiveNumber(process.env.AUDIT_LOGS_NON_CORE_RETENTION_HOURS, 8)\nconst CORE_RETENTION_MS = CORE_RETENTION_DAYS * 24 * 60 * 60 * 1000\nconst NON_CORE_RETENTION_MS = NON_CORE_RETENTION_HOURS * 60 * 60 * 1000\n\nlet validationWarningLogged = false\nlet runtimeValidationAvailable: boolean | null = null\n\nconst isZodRuntimeMissing = (err: unknown) => err instanceof TypeError && typeof err.message === 'string' && err.message.includes('_zod')\n\nexport class AccessLogService {\n constructor(private readonly em: EntityManager) {}\n\n async log(input: AccessLogCreateInput): Promise<AccessLog | null> {\n let data: AccessLogCreateInput\n const schema = accessLogCreateSchema as typeof accessLogCreateSchema & { _zod?: unknown }\n const canValidate = Boolean(schema && typeof schema.parse === 'function')\n const shouldValidate = canValidate && runtimeValidationAvailable !== false\n if (shouldValidate) {\n try {\n data = schema.parse(input)\n runtimeValidationAvailable = true\n } catch (err) {\n if (!isZodRuntimeMissing(err) && !validationWarningLogged) {\n validationWarningLogged = true\n // eslint-disable-next-line no-console\n console.warn('[audit_logs] falling back to permissive access log payload parser', err)\n }\n if (isZodRuntimeMissing(err)) runtimeValidationAvailable = false\n data = this.normalizeInput(input)\n }\n } else {\n data = this.normalizeInput(input)\n }\n const fork = this.em.fork({ useContext: true })\n const fields = Array.isArray(data.fields) && data.fields.length ? data.fields : null\n const context = data.context && Object.keys(data.context).length ? data.context : null\n const createdAt = new Date()\n const tenantId = data.tenantId ?? null\n const organizationId = data.organizationId ?? null\n\n type AccessLogEncryptedFields = {\n resourceKind?: unknown\n resourceId?: unknown\n accessType?: unknown\n fieldsJson?: unknown\n contextJson?: unknown\n }\n const encryption = resolveTenantEncryptionService(fork as any)\n const encrypted = encryption\n ? ((await encryption.encryptEntityPayload(\n E.audit_logs.access_log,\n {\n resourceKind: data.resourceKind,\n resourceId: data.resourceId,\n accessType: data.accessType,\n fieldsJson: fields,\n contextJson: context,\n },\n tenantId,\n organizationId,\n )) as AccessLogEncryptedFields)\n : null\n\n const payload = {\n resourceKind: encrypted?.resourceKind ?? data.resourceKind,\n resourceId: encrypted?.resourceId ?? data.resourceId,\n accessType: encrypted?.accessType ?? data.accessType,\n fieldsJson: encrypted?.fieldsJson ?? fields,\n contextJson: encrypted?.contextJson ?? context,\n }\n\n const rows = await fork.getConnection().execute(\n `insert into \"access_logs\" (\"tenant_id\", \"organization_id\", \"actor_user_id\", \"resource_kind\", \"resource_id\", \"access_type\", \"fields_json\", \"context_json\", \"created_at\", \"deleted_at\") values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) returning \"id\"`,\n [\n tenantId,\n organizationId,\n data.actorUserId ?? null,\n payload.resourceKind,\n payload.resourceId,\n payload.accessType,\n payload.fieldsJson !== null && payload.fieldsJson !== undefined ? JSON.stringify(payload.fieldsJson) : null,\n payload.contextJson !== null && payload.contextJson !== undefined ? JSON.stringify(payload.contextJson) : null,\n createdAt,\n null,\n ],\n )\n await this.rotate(fork)\n const id = Array.isArray(rows) && rows.length > 0 ? rows[0]?.id ?? null : null\n if (!id) return null\n const entry = fork.create(AccessLog, {\n id,\n tenantId: data.tenantId ?? null,\n organizationId: data.organizationId ?? null,\n actorUserId: data.actorUserId ?? null,\n resourceKind: data.resourceKind,\n resourceId: data.resourceId,\n accessType: data.accessType,\n fieldsJson: fields,\n contextJson: context,\n createdAt,\n })\n return entry\n }\n\n private normalizeInput(input: Partial<AccessLogCreateInput> | null | undefined): AccessLogCreateInput {\n if (!input) {\n return {\n tenantId: null,\n organizationId: null,\n actorUserId: null,\n resourceKind: 'unknown',\n resourceId: 'unknown',\n accessType: 'unknown',\n fields: undefined,\n context: undefined,\n }\n }\n const toNullableUuid = (value: unknown) => {\n if (typeof value !== 'string' || value.length === 0) return null\n // Extract UUID from \"api_key:<uuid>\" format (used by workflow authentication)\n if (value.startsWith('api_key:')) {\n return value.slice('api_key:'.length)\n }\n return value\n }\n const fields = Array.isArray(input.fields)\n ? input.fields.filter((f): f is string => typeof f === 'string' && f.length > 0)\n : undefined\n const context = typeof input.context === 'object' && input.context !== null\n ? input.context as Record<string, unknown>\n : undefined\n return {\n tenantId: toNullableUuid(input.tenantId),\n organizationId: toNullableUuid(input.organizationId),\n actorUserId: toNullableUuid(input.actorUserId),\n resourceKind: String(input.resourceKind || 'unknown'),\n resourceId: String(input.resourceId || 'unknown'),\n accessType: String(input.accessType || 'unknown'),\n fields,\n context,\n }\n }\n\n async list(query: Partial<AccessLogListQuery>) {\n const parsed = accessLogListSchema.parse({\n ...query,\n })\n\n const where: FilterQuery<AccessLog> = { deletedAt: null }\n if (parsed.tenantId) where.tenantId = parsed.tenantId\n if (parsed.organizationId) where.organizationId = parsed.organizationId\n if (parsed.actorUserId) where.actorUserId = parsed.actorUserId\n if (parsed.resourceKind) where.resourceKind = parsed.resourceKind\n if (parsed.accessType) where.accessType = parsed.accessType\n if (parsed.before) where.createdAt = { ...(where.createdAt as Record<string, any> | undefined), $lt: parsed.before } as any\n if (parsed.after) where.createdAt = { ...(where.createdAt as Record<string, any> | undefined), $gt: parsed.after } as any\n\n const pageSize = parsed.pageSize ?? parsed.limit ?? 50\n const page = parsed.page ?? 1\n const offset = (page - 1) * pageSize\n\n const [items, total] = await this.em.findAndCount(\n AccessLog,\n where,\n {\n orderBy: { createdAt: 'desc' },\n limit: pageSize,\n offset,\n },\n )\n\n const totalPages = Math.max(1, Math.ceil((total || 0) / (pageSize || 1)))\n return { items, total, page, pageSize, totalPages }\n }\n\n private async rotate(fork: EntityManager) {\n const now = Date.now()\n const coreCutoff = new Date(now - CORE_RETENTION_MS)\n const nonCoreCutoff = new Date(now - NON_CORE_RETENTION_MS)\n try {\n if (CORE_RESOURCE_KINDS.size > 0) {\n await fork.nativeDelete(AccessLog, {\n resourceKind: { $in: Array.from(CORE_RESOURCE_KINDS) },\n createdAt: { $lt: coreCutoff },\n })\n }\n await fork.nativeDelete(AccessLog, {\n resourceKind: { $nin: Array.from(CORE_RESOURCE_KINDS) },\n createdAt: { $lt: nonCoreCutoff },\n })\n } catch (err) {\n // eslint-disable-next-line no-console\n console.warn('[audit_logs] failed to rotate access logs', err)\n }\n }\n}\n"],
5
- "mappings": "AAEA,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,OAGK;AACP,SAAS,sCAAsC;AAC/C,SAAS,SAAS;AAElB,MAAM,sBAAsB,oBAAI,IAAY,CAAC,aAAa,WAAW,CAAC;AAEtE,SAAS,iBAAiB,OAA2B,UAA0B;AAC7E,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,SAAS,OAAO,KAAK;AAC3B,MAAI,CAAC,OAAO,SAAS,MAAM,KAAK,UAAU,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,MAAM,sBAAsB,iBAAiB,QAAQ,IAAI,gCAAgC,CAAC;AAC1F,MAAM,2BAA2B,iBAAiB,QAAQ,IAAI,qCAAqC,CAAC;AACpG,MAAM,oBAAoB,sBAAsB,KAAK,KAAK,KAAK;AAC/D,MAAM,wBAAwB,2BAA2B,KAAK,KAAK;AAEnE,IAAI,0BAA0B;AAC9B,IAAI,6BAA6C;AAEjD,MAAM,sBAAsB,CAAC,QAAiB,eAAe,aAAa,OAAO,IAAI,YAAY,YAAY,IAAI,QAAQ,SAAS,MAAM;AAEjI,MAAM,iBAAiB;AAAA,EAC5B,YAA6B,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAEjD,MAAM,IAAI,OAAwD;AAChE,QAAI;AACJ,UAAM,SAAS;AACf,UAAM,cAAc,QAAQ,UAAU,OAAO,OAAO,UAAU,UAAU;AACxE,UAAM,iBAAiB,eAAe,+BAA+B;AACrE,QAAI,gBAAgB;AAClB,UAAI;AACF,eAAO,OAAO,MAAM,KAAK;AACzB,qCAA6B;AAAA,MAC/B,SAAS,KAAK;AACZ,YAAI,CAAC,oBAAoB,GAAG,KAAK,CAAC,yBAAyB;AACzD,oCAA0B;AAE1B,kBAAQ,KAAK,qEAAqE,GAAG;AAAA,QACvF;AACA,YAAI,oBAAoB,GAAG,EAAG,8BAA6B;AAC3D,eAAO,KAAK,eAAe,KAAK;AAAA,MAClC;AAAA,IACF,OAAO;AACL,aAAO,KAAK,eAAe,KAAK;AAAA,IAClC;AACA,UAAM,OAAO,KAAK,GAAG,KAAK,EAAE,YAAY,KAAK,CAAC;AAC9C,UAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,KAAK,KAAK,OAAO,SAAS,KAAK,SAAS;AAChF,UAAM,UAAU,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,SAAS,KAAK,UAAU;AAClF,UAAM,YAAY,oBAAI,KAAK;AAC3B,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,iBAAiB,KAAK,kBAAkB;AAS9C,UAAM,aAAa,+BAA+B,IAAW;AAC7D,UAAM,YAAY,aACZ,MAAM,WAAW;AAAA,MACjB,EAAE,WAAW;AAAA,MACb;AAAA,QACE,cAAc,KAAK;AAAA,QACnB,YAAY,KAAK;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,YAAY;AAAA,QACZ,aAAa;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,IACF,IACA;AAEJ,UAAM,UAAU;AAAA,MACd,cAAc,WAAW,gBAAgB,KAAK;AAAA,MAC9C,YAAY,WAAW,cAAc,KAAK;AAAA,MAC1C,YAAY,WAAW,cAAc,KAAK;AAAA,MAC1C,YAAY,WAAW,cAAc;AAAA,MACrC,aAAa,WAAW,eAAe;AAAA,IACzC;AAEA,UAAM,OAAO,MAAM,KAAK,cAAc,EAAE;AAAA,MACtC;AAAA,MACA;AAAA,QACE;AAAA,QACA;AAAA,QACA,KAAK,eAAe;AAAA,QACpB,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,QAAQ,eAAe,QAAQ,QAAQ,eAAe,SAAY,KAAK,UAAU,QAAQ,UAAU,IAAI;AAAA,QACvG,QAAQ,gBAAgB,QAAQ,QAAQ,gBAAgB,SAAY,KAAK,UAAU,QAAQ,WAAW,IAAI;AAAA,QAC1G;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,OAAO,IAAI;AACtB,UAAM,KAAK,MAAM,QAAQ,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,GAAG,MAAM,OAAO;AAC1E,QAAI,CAAC,GAAI,QAAO;AAChB,UAAM,QAAQ,KAAK,OAAO,WAAW;AAAA,MACnC;AAAA,MACA,UAAU,KAAK,YAAY;AAAA,MAC3B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,aAAa,KAAK,eAAe;AAAA,MACjC,cAAc,KAAK;AAAA,MACnB,YAAY,KAAK;AAAA,MACjB,YAAY,KAAK;AAAA,MACjB,YAAY;AAAA,MACZ,aAAa;AAAA,MACb;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEQ,eAAe,OAA+E;AACpG,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL,UAAU;AAAA,QACV,gBAAgB;AAAA,QAChB,aAAa;AAAA,QACb,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,IACF;AACA,UAAM,iBAAiB,CAAC,UAAmB;AACzC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAAG,QAAO;AAE5D,UAAI,MAAM,WAAW,UAAU,GAAG;AAChC,eAAO,MAAM,MAAM,WAAW,MAAM;AAAA,MACtC;AACA,aAAO;AAAA,IACT;AACA,UAAM,SAAS,MAAM,QAAQ,MAAM,MAAM,IACrC,MAAM,OAAO,OAAO,CAAC,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,IAC7E;AACJ,UAAM,UAAU,OAAO,MAAM,YAAY,YAAY,MAAM,YAAY,OACnE,MAAM,UACN;AACJ,WAAO;AAAA,MACL,UAAU,eAAe,MAAM,QAAQ;AAAA,MACvC,gBAAgB,eAAe,MAAM,cAAc;AAAA,MACnD,aAAa,eAAe,MAAM,WAAW;AAAA,MAC7C,cAAc,OAAO,MAAM,gBAAgB,SAAS;AAAA,MACpD,YAAY,OAAO,MAAM,cAAc,SAAS;AAAA,MAChD,YAAY,OAAO,MAAM,cAAc,SAAS;AAAA,MAChD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,OAAoC;AAC7C,UAAM,SAAS,oBAAoB,MAAM;AAAA,MACvC,GAAG;AAAA,IACL,CAAC;AAED,UAAM,QAAgC,EAAE,WAAW,KAAK;AACxD,QAAI,OAAO,SAAU,OAAM,WAAW,OAAO;AAC7C,QAAI,OAAO,eAAgB,OAAM,iBAAiB,OAAO;AACzD,QAAI,OAAO,YAAa,OAAM,cAAc,OAAO;AACnD,QAAI,OAAO,aAAc,OAAM,eAAe,OAAO;AACrD,QAAI,OAAO,WAAY,OAAM,aAAa,OAAO;AACjD,QAAI,OAAO,OAAQ,OAAM,YAAY,EAAE,GAAI,MAAM,WAA+C,KAAK,OAAO,OAAO;AACnH,QAAI,OAAO,MAAO,OAAM,YAAY,EAAE,GAAI,MAAM,WAA+C,KAAK,OAAO,MAAM;AAEjH,UAAM,WAAW,OAAO,YAAY,OAAO,SAAS;AACpD,UAAM,OAAO,OAAO,QAAQ;AAC5B,UAAM,UAAU,OAAO,KAAK;AAE5B,UAAM,CAAC,OAAO,KAAK,IAAI,MAAM,KAAK,GAAG;AAAA,MACnC;AAAA,MACA;AAAA,MACA;AAAA,QACE,SAAS,EAAE,WAAW,OAAO;AAAA,QAC7B,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,MAAM,YAAY,EAAE,CAAC;AACxE,WAAO,EAAE,OAAO,OAAO,MAAM,UAAU,WAAW;AAAA,EACpD;AAAA,EAEA,MAAc,OAAO,MAAqB;AACxC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,aAAa,IAAI,KAAK,MAAM,iBAAiB;AACnD,UAAM,gBAAgB,IAAI,KAAK,MAAM,qBAAqB;AAC1D,QAAI;AACF,UAAI,oBAAoB,OAAO,GAAG;AAChC,cAAM,KAAK,aAAa,WAAW;AAAA,UACjC,cAAc,EAAE,KAAK,MAAM,KAAK,mBAAmB,EAAE;AAAA,UACrD,WAAW,EAAE,KAAK,WAAW;AAAA,QAC/B,CAAC;AAAA,MACH;AACA,YAAM,KAAK,aAAa,WAAW;AAAA,QACjC,cAAc,EAAE,MAAM,MAAM,KAAK,mBAAmB,EAAE;AAAA,QACtD,WAAW,EAAE,KAAK,cAAc;AAAA,MAClC,CAAC;AAAA,IACH,SAAS,KAAK;AAEZ,cAAQ,KAAK,6CAA6C,GAAG;AAAA,IAC/D;AAAA,EACF;AACF;",
4
+ "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport { AccessLog } from '@open-mercato/core/modules/audit_logs/data/entities'\nimport {\n accessLogCreateSchema,\n accessLogListSchema,\n type AccessLogCreateInput,\n type AccessLogListQuery,\n} from '@open-mercato/core/modules/audit_logs/data/validators'\nimport { resolveTenantEncryptionService } from '@open-mercato/shared/lib/encryption/customFieldValues'\nimport { E } from '#generated/entities.ids.generated'\n\nconst CORE_RESOURCE_KINDS = new Set<string>(['auth.user', 'auth.role'])\n\nfunction toPositiveNumber(value: string | undefined, fallback: number): number {\n if (!value) return fallback\n const parsed = Number(value)\n if (!Number.isFinite(parsed) || parsed <= 0) return fallback\n return parsed\n}\n\nconst CORE_RETENTION_DAYS = toPositiveNumber(process.env.AUDIT_LOGS_CORE_RETENTION_DAYS, 7)\nconst NON_CORE_RETENTION_HOURS = toPositiveNumber(process.env.AUDIT_LOGS_NON_CORE_RETENTION_HOURS, 8)\nconst CORE_RETENTION_MS = CORE_RETENTION_DAYS * 24 * 60 * 60 * 1000\nconst NON_CORE_RETENTION_MS = NON_CORE_RETENTION_HOURS * 60 * 60 * 1000\n\nlet validationWarningLogged = false\nlet runtimeValidationAvailable: boolean | null = null\n\nconst isZodRuntimeMissing = (err: unknown) => err instanceof TypeError && typeof err.message === 'string' && err.message.includes('_zod')\n\nexport class AccessLogService {\n constructor(private readonly em: EntityManager) {}\n\n async log(input: AccessLogCreateInput): Promise<AccessLog | null> {\n let data: AccessLogCreateInput\n const schema = accessLogCreateSchema as typeof accessLogCreateSchema & { _zod?: unknown }\n const canValidate = Boolean(schema && typeof schema.parse === 'function')\n const shouldValidate = canValidate && runtimeValidationAvailable !== false\n if (shouldValidate) {\n try {\n data = schema.parse(input)\n runtimeValidationAvailable = true\n } catch (err) {\n if (!isZodRuntimeMissing(err) && !validationWarningLogged) {\n validationWarningLogged = true\n // eslint-disable-next-line no-console\n console.warn('[audit_logs] falling back to permissive access log payload parser', err)\n }\n if (isZodRuntimeMissing(err)) runtimeValidationAvailable = false\n data = this.normalizeInput(input)\n }\n } else {\n data = this.normalizeInput(input)\n }\n const fork = this.em.fork({ useContext: true })\n const fields = Array.isArray(data.fields) && data.fields.length ? data.fields : null\n const context = data.context && Object.keys(data.context).length ? data.context : null\n const createdAt = new Date()\n const tenantId = data.tenantId ?? null\n const organizationId = data.organizationId ?? null\n\n type AccessLogEncryptedFields = {\n resourceKind?: unknown\n resourceId?: unknown\n accessType?: unknown\n fieldsJson?: unknown\n contextJson?: unknown\n }\n const encryption = resolveTenantEncryptionService(fork as any)\n const encrypted = encryption\n ? ((await encryption.encryptEntityPayload(\n E.audit_logs.access_log,\n {\n resourceKind: data.resourceKind,\n resourceId: data.resourceId,\n accessType: data.accessType,\n fieldsJson: fields,\n contextJson: context,\n },\n tenantId,\n organizationId,\n )) as AccessLogEncryptedFields)\n : null\n\n const payload = {\n resourceKind: encrypted?.resourceKind ?? data.resourceKind,\n resourceId: encrypted?.resourceId ?? data.resourceId,\n accessType: encrypted?.accessType ?? data.accessType,\n fieldsJson: encrypted?.fieldsJson ?? fields,\n contextJson: encrypted?.contextJson ?? context,\n }\n\n const rows = await fork.getConnection().execute(\n `insert into \"access_logs\" (\"tenant_id\", \"organization_id\", \"actor_user_id\", \"resource_kind\", \"resource_id\", \"access_type\", \"fields_json\", \"context_json\", \"created_at\", \"deleted_at\") values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) returning \"id\"`,\n [\n tenantId,\n organizationId,\n data.actorUserId ?? null,\n payload.resourceKind,\n payload.resourceId,\n payload.accessType,\n payload.fieldsJson !== null && payload.fieldsJson !== undefined ? JSON.stringify(payload.fieldsJson) : null,\n payload.contextJson !== null && payload.contextJson !== undefined ? JSON.stringify(payload.contextJson) : null,\n createdAt,\n null,\n ],\n )\n await this.rotate(fork)\n const id = Array.isArray(rows) && rows.length > 0 ? rows[0]?.id ?? null : null\n if (!id) return null\n const entry = fork.create(AccessLog, {\n id,\n tenantId: data.tenantId ?? null,\n organizationId: data.organizationId ?? null,\n actorUserId: data.actorUserId ?? null,\n resourceKind: data.resourceKind,\n resourceId: data.resourceId,\n accessType: data.accessType,\n fieldsJson: fields,\n contextJson: context,\n createdAt,\n })\n return entry\n }\n\n private normalizeInput(input: Partial<AccessLogCreateInput> | null | undefined): AccessLogCreateInput {\n if (!input) {\n return {\n tenantId: null,\n organizationId: null,\n actorUserId: null,\n resourceKind: 'unknown',\n resourceId: 'unknown',\n accessType: 'unknown',\n fields: undefined,\n context: undefined,\n }\n }\n const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/\n const toNullableUuid = (value: unknown) => {\n if (typeof value !== 'string' || value.length === 0) return null\n // Extract UUID from \"api_key:<uuid>\" format (used by workflow authentication)\n const candidate = value.startsWith('api_key:') ? value.slice('api_key:'.length) : value\n // System actors (sync workers, scheduler, etc.) use non-UUID subjects like\n // \"system:...\". Reject those so the uuid column stays valid.\n return UUID_REGEX.test(candidate) ? candidate : null\n }\n const fields = Array.isArray(input.fields)\n ? input.fields.filter((f): f is string => typeof f === 'string' && f.length > 0)\n : undefined\n const context = typeof input.context === 'object' && input.context !== null\n ? input.context as Record<string, unknown>\n : undefined\n return {\n tenantId: toNullableUuid(input.tenantId),\n organizationId: toNullableUuid(input.organizationId),\n actorUserId: toNullableUuid(input.actorUserId),\n resourceKind: String(input.resourceKind || 'unknown'),\n resourceId: String(input.resourceId || 'unknown'),\n accessType: String(input.accessType || 'unknown'),\n fields,\n context,\n }\n }\n\n async list(query: Partial<AccessLogListQuery>) {\n const parsed = accessLogListSchema.parse({\n ...query,\n })\n\n const where: FilterQuery<AccessLog> = { deletedAt: null }\n if (parsed.tenantId) where.tenantId = parsed.tenantId\n if (parsed.organizationId) where.organizationId = parsed.organizationId\n if (parsed.actorUserId) where.actorUserId = parsed.actorUserId\n if (parsed.resourceKind) where.resourceKind = parsed.resourceKind\n if (parsed.accessType) where.accessType = parsed.accessType\n if (parsed.before) where.createdAt = { ...(where.createdAt as Record<string, any> | undefined), $lt: parsed.before } as any\n if (parsed.after) where.createdAt = { ...(where.createdAt as Record<string, any> | undefined), $gt: parsed.after } as any\n\n const pageSize = parsed.pageSize ?? parsed.limit ?? 50\n const page = parsed.page ?? 1\n const offset = (page - 1) * pageSize\n\n const [items, total] = await this.em.findAndCount(\n AccessLog,\n where,\n {\n orderBy: { createdAt: 'desc' },\n limit: pageSize,\n offset,\n },\n )\n\n const totalPages = Math.max(1, Math.ceil((total || 0) / (pageSize || 1)))\n return { items, total, page, pageSize, totalPages }\n }\n\n private async rotate(fork: EntityManager) {\n const now = Date.now()\n const coreCutoff = new Date(now - CORE_RETENTION_MS)\n const nonCoreCutoff = new Date(now - NON_CORE_RETENTION_MS)\n try {\n if (CORE_RESOURCE_KINDS.size > 0) {\n await fork.nativeDelete(AccessLog, {\n resourceKind: { $in: Array.from(CORE_RESOURCE_KINDS) },\n createdAt: { $lt: coreCutoff },\n })\n }\n await fork.nativeDelete(AccessLog, {\n resourceKind: { $nin: Array.from(CORE_RESOURCE_KINDS) },\n createdAt: { $lt: nonCoreCutoff },\n })\n } catch (err) {\n // eslint-disable-next-line no-console\n console.warn('[audit_logs] failed to rotate access logs', err)\n }\n }\n}\n"],
5
+ "mappings": "AAEA,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,OAGK;AACP,SAAS,sCAAsC;AAC/C,SAAS,SAAS;AAElB,MAAM,sBAAsB,oBAAI,IAAY,CAAC,aAAa,WAAW,CAAC;AAEtE,SAAS,iBAAiB,OAA2B,UAA0B;AAC7E,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,SAAS,OAAO,KAAK;AAC3B,MAAI,CAAC,OAAO,SAAS,MAAM,KAAK,UAAU,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,MAAM,sBAAsB,iBAAiB,QAAQ,IAAI,gCAAgC,CAAC;AAC1F,MAAM,2BAA2B,iBAAiB,QAAQ,IAAI,qCAAqC,CAAC;AACpG,MAAM,oBAAoB,sBAAsB,KAAK,KAAK,KAAK;AAC/D,MAAM,wBAAwB,2BAA2B,KAAK,KAAK;AAEnE,IAAI,0BAA0B;AAC9B,IAAI,6BAA6C;AAEjD,MAAM,sBAAsB,CAAC,QAAiB,eAAe,aAAa,OAAO,IAAI,YAAY,YAAY,IAAI,QAAQ,SAAS,MAAM;AAEjI,MAAM,iBAAiB;AAAA,EAC5B,YAA6B,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAEjD,MAAM,IAAI,OAAwD;AAChE,QAAI;AACJ,UAAM,SAAS;AACf,UAAM,cAAc,QAAQ,UAAU,OAAO,OAAO,UAAU,UAAU;AACxE,UAAM,iBAAiB,eAAe,+BAA+B;AACrE,QAAI,gBAAgB;AAClB,UAAI;AACF,eAAO,OAAO,MAAM,KAAK;AACzB,qCAA6B;AAAA,MAC/B,SAAS,KAAK;AACZ,YAAI,CAAC,oBAAoB,GAAG,KAAK,CAAC,yBAAyB;AACzD,oCAA0B;AAE1B,kBAAQ,KAAK,qEAAqE,GAAG;AAAA,QACvF;AACA,YAAI,oBAAoB,GAAG,EAAG,8BAA6B;AAC3D,eAAO,KAAK,eAAe,KAAK;AAAA,MAClC;AAAA,IACF,OAAO;AACL,aAAO,KAAK,eAAe,KAAK;AAAA,IAClC;AACA,UAAM,OAAO,KAAK,GAAG,KAAK,EAAE,YAAY,KAAK,CAAC;AAC9C,UAAM,SAAS,MAAM,QAAQ,KAAK,MAAM,KAAK,KAAK,OAAO,SAAS,KAAK,SAAS;AAChF,UAAM,UAAU,KAAK,WAAW,OAAO,KAAK,KAAK,OAAO,EAAE,SAAS,KAAK,UAAU;AAClF,UAAM,YAAY,oBAAI,KAAK;AAC3B,UAAM,WAAW,KAAK,YAAY;AAClC,UAAM,iBAAiB,KAAK,kBAAkB;AAS9C,UAAM,aAAa,+BAA+B,IAAW;AAC7D,UAAM,YAAY,aACZ,MAAM,WAAW;AAAA,MACjB,EAAE,WAAW;AAAA,MACb;AAAA,QACE,cAAc,KAAK;AAAA,QACnB,YAAY,KAAK;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,YAAY;AAAA,QACZ,aAAa;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,IACF,IACA;AAEJ,UAAM,UAAU;AAAA,MACd,cAAc,WAAW,gBAAgB,KAAK;AAAA,MAC9C,YAAY,WAAW,cAAc,KAAK;AAAA,MAC1C,YAAY,WAAW,cAAc,KAAK;AAAA,MAC1C,YAAY,WAAW,cAAc;AAAA,MACrC,aAAa,WAAW,eAAe;AAAA,IACzC;AAEA,UAAM,OAAO,MAAM,KAAK,cAAc,EAAE;AAAA,MACtC;AAAA,MACA;AAAA,QACE;AAAA,QACA;AAAA,QACA,KAAK,eAAe;AAAA,QACpB,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR,QAAQ,eAAe,QAAQ,QAAQ,eAAe,SAAY,KAAK,UAAU,QAAQ,UAAU,IAAI;AAAA,QACvG,QAAQ,gBAAgB,QAAQ,QAAQ,gBAAgB,SAAY,KAAK,UAAU,QAAQ,WAAW,IAAI;AAAA,QAC1G;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,UAAM,KAAK,OAAO,IAAI;AACtB,UAAM,KAAK,MAAM,QAAQ,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,GAAG,MAAM,OAAO;AAC1E,QAAI,CAAC,GAAI,QAAO;AAChB,UAAM,QAAQ,KAAK,OAAO,WAAW;AAAA,MACnC;AAAA,MACA,UAAU,KAAK,YAAY;AAAA,MAC3B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,aAAa,KAAK,eAAe;AAAA,MACjC,cAAc,KAAK;AAAA,MACnB,YAAY,KAAK;AAAA,MACjB,YAAY,KAAK;AAAA,MACjB,YAAY;AAAA,MACZ,aAAa;AAAA,MACb;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEQ,eAAe,OAA+E;AACpG,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL,UAAU;AAAA,QACV,gBAAgB;AAAA,QAChB,aAAa;AAAA,QACb,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,QAAQ;AAAA,QACR,SAAS;AAAA,MACX;AAAA,IACF;AACA,UAAM,aAAa;AACnB,UAAM,iBAAiB,CAAC,UAAmB;AACzC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAAG,QAAO;AAE5D,YAAM,YAAY,MAAM,WAAW,UAAU,IAAI,MAAM,MAAM,WAAW,MAAM,IAAI;AAGlF,aAAO,WAAW,KAAK,SAAS,IAAI,YAAY;AAAA,IAClD;AACA,UAAM,SAAS,MAAM,QAAQ,MAAM,MAAM,IACrC,MAAM,OAAO,OAAO,CAAC,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS,CAAC,IAC7E;AACJ,UAAM,UAAU,OAAO,MAAM,YAAY,YAAY,MAAM,YAAY,OACnE,MAAM,UACN;AACJ,WAAO;AAAA,MACL,UAAU,eAAe,MAAM,QAAQ;AAAA,MACvC,gBAAgB,eAAe,MAAM,cAAc;AAAA,MACnD,aAAa,eAAe,MAAM,WAAW;AAAA,MAC7C,cAAc,OAAO,MAAM,gBAAgB,SAAS;AAAA,MACpD,YAAY,OAAO,MAAM,cAAc,SAAS;AAAA,MAChD,YAAY,OAAO,MAAM,cAAc,SAAS;AAAA,MAChD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,OAAoC;AAC7C,UAAM,SAAS,oBAAoB,MAAM;AAAA,MACvC,GAAG;AAAA,IACL,CAAC;AAED,UAAM,QAAgC,EAAE,WAAW,KAAK;AACxD,QAAI,OAAO,SAAU,OAAM,WAAW,OAAO;AAC7C,QAAI,OAAO,eAAgB,OAAM,iBAAiB,OAAO;AACzD,QAAI,OAAO,YAAa,OAAM,cAAc,OAAO;AACnD,QAAI,OAAO,aAAc,OAAM,eAAe,OAAO;AACrD,QAAI,OAAO,WAAY,OAAM,aAAa,OAAO;AACjD,QAAI,OAAO,OAAQ,OAAM,YAAY,EAAE,GAAI,MAAM,WAA+C,KAAK,OAAO,OAAO;AACnH,QAAI,OAAO,MAAO,OAAM,YAAY,EAAE,GAAI,MAAM,WAA+C,KAAK,OAAO,MAAM;AAEjH,UAAM,WAAW,OAAO,YAAY,OAAO,SAAS;AACpD,UAAM,OAAO,OAAO,QAAQ;AAC5B,UAAM,UAAU,OAAO,KAAK;AAE5B,UAAM,CAAC,OAAO,KAAK,IAAI,MAAM,KAAK,GAAG;AAAA,MACnC;AAAA,MACA;AAAA,MACA;AAAA,QACE,SAAS,EAAE,WAAW,OAAO;AAAA,QAC7B,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,MAAM,YAAY,EAAE,CAAC;AACxE,WAAO,EAAE,OAAO,OAAO,MAAM,UAAU,WAAW;AAAA,EACpD;AAAA,EAEA,MAAc,OAAO,MAAqB;AACxC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,aAAa,IAAI,KAAK,MAAM,iBAAiB;AACnD,UAAM,gBAAgB,IAAI,KAAK,MAAM,qBAAqB;AAC1D,QAAI;AACF,UAAI,oBAAoB,OAAO,GAAG;AAChC,cAAM,KAAK,aAAa,WAAW;AAAA,UACjC,cAAc,EAAE,KAAK,MAAM,KAAK,mBAAmB,EAAE;AAAA,UACrD,WAAW,EAAE,KAAK,WAAW;AAAA,QAC/B,CAAC;AAAA,MACH;AACA,YAAM,KAAK,aAAa,WAAW;AAAA,QACjC,cAAc,EAAE,MAAM,MAAM,KAAK,mBAAmB,EAAE;AAAA,QACtD,WAAW,EAAE,KAAK,cAAc;AAAA,MAClC,CAAC;AAAA,IACH,SAAS,KAAK;AAEZ,cAAQ,KAAK,6CAA6C,GAAG;AAAA,IAC/D;AAAA,EACF;AACF;",
6
6
  "names": []
7
7
  }
package/dist/modules/audit_logs/services/actionLogService.js CHANGED
@@ -203,10 +203,11 @@ class ActionLogService {
203
203
  context: void 0
204
204
  };
205
205
  }
206
+ const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/;
206
207
  const toNullableUuid = (value) => {
207
208
  if (typeof value !== "string" || value.length === 0) return null;
208
- if (value.startsWith("api_key:")) return value.slice("api_key:".length);
209
- return value;
209
+ const candidate = value.startsWith("api_key:") ? value.slice("api_key:".length) : value;
210
+ return UUID_REGEX.test(candidate) ? candidate : null;
210
211
  };
211
212
  const normalizeRecordLike = (value) => {
212
213
  if (value === null) return null;
package/dist/modules/audit_logs/services/actionLogService.js.map CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 3,
3
3
  "sources": ["../../../../src/modules/audit_logs/services/actionLogService.ts"],
4
- "sourcesContent": ["import type { FilterQuery } from '@mikro-orm/core'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { sql } from 'kysely'\nimport { ActionLog } from '@open-mercato/core/modules/audit_logs/data/entities'\nimport {\n actionLogCreateSchema,\n actionLogListSchema,\n type ActionLogCreateInput,\n type ActionLogListQuery,\n} from '@open-mercato/core/modules/audit_logs/data/validators'\nimport { isRecord } from '@open-mercato/core/modules/audit_logs/lib/changeRows'\nimport {\n ACTION_LOG_FILTER_TYPES,\n type ActionLogFilterType,\n deriveActionLogProjection,\n} from '@open-mercato/core/modules/audit_logs/lib/projections'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { toOptionalString } from '@open-mercato/shared/lib/string/coerce'\n\nlet validationWarningLogged = false\nlet runtimeValidationAvailable: boolean | null = null\nlet decryptionWarningLogged = false\n\nconst isZodRuntimeMissing = (err: unknown) => err instanceof TypeError && typeof err.message === 'string' && err.message.includes('_zod')\n\nconst SORT_FIELDS = {\n createdAt: 'action_logs.created_at',\n} as const\n\ntype ActionLogProjectionBackfillOptions = {\n batchSize?: number\n force?: boolean\n logger?: (message: string) => void\n organizationId?: string | null\n tenantId?: string | null\n}\n\nexport type ActionLogProjectionBackfillResult = {\n errors: number\n scanned: number\n skipped: number\n updated: number\n}\n\ntype BackfillRow = {\n action_label: string | null\n action_type: string | null\n actor_user_id: string | null\n changed_fields: string[] | null\n changes_json: Record<string, unknown> | null\n command_id: string\n context_json: Record<string, unknown> | null\n created_at: Date\n id: string\n organization_id: string | null\n primary_changed_field: string | null\n snapshot_before: unknown | null\n source_key: string | null\n tenant_id: string | null\n}\n\nfunction readString(record: Record<string, unknown>, ...keys: string[]): string | null {\n for (const key of keys) {\n const value = record[key]\n if (typeof value === 'string' && value.length > 0) return value\n }\n\n return null\n}\n\nfunction readRecord(record: Record<string, unknown>, ...keys: string[]): Record<string, unknown> | null {\n for (const key of keys) {\n const value = record[key]\n if (isRecord(value)) return value\n }\n\n return null\n}\n\nfunction readValue(record: Record<string, unknown>, ...keys: string[]): unknown {\n for (const key of keys) {\n if (Object.prototype.hasOwnProperty.call(record, key)) return record[key]\n }\n\n return undefined\n}\n\nfunction readStringArray(record: Record<string, unknown>, ...keys: string[]): string[] | null {\n for (const key of keys) {\n const value = record[key]\n if (Array.isArray(value)) {\n return value.filter((entry): entry is string => typeof entry === 'string')\n }\n }\n\n return null\n}\n\nfunction stringArraysEqual(left: string[] | null, right: string[]): boolean {\n if (!Array.isArray(left)) return false\n if (left.length !== right.length) return false\n\n return left.every((value, index) => value === right[index])\n}\n\nexport class ActionLogService {\n constructor(\n private readonly em: EntityManager,\n private readonly tenantEncryptionService?: TenantDataEncryptionService,\n ) {}\n\n private async decryptEntryPayload<T extends Record<string, unknown>>(entry: T): Promise<T> {\n if (!this.tenantEncryptionService?.isEnabled()) return entry\n\n try {\n const tenantId = readString(entry, 'tenantId', 'tenant_id')\n const organizationId = readString(entry, 'organizationId', 'organization_id')\n const dek = await this.tenantEncryptionService.getDek(tenantId)\n const deepDecrypt = (value: unknown): unknown => {\n if (!dek) return value\n if (typeof value === 'string' && value.split(':').length === 4 && value.endsWith(':v1')) {\n const decrypted = decryptWithAesGcm(value, dek.key)\n if (decrypted === null) return value\n try {\n return JSON.parse(decrypted)\n } catch {\n return decrypted\n }\n }\n if (Array.isArray(value)) return value.map((item) => deepDecrypt(item))\n if (value && typeof value === 'object') {\n const copy: Record<string, unknown> = {}\n for (const [key, item] of Object.entries(value as Record<string, unknown>)) {\n copy[key] = deepDecrypt(item)\n }\n return copy\n }\n return value\n }\n\n const decrypted = await this.tenantEncryptionService.decryptEntityPayload(\n 'audit_logs:action_log',\n entry,\n tenantId,\n organizationId,\n )\n\n const merged = {\n ...entry,\n ...decrypted,\n } as Record<string, unknown>\n\n merged.changesJson = deepDecrypt(merged.changesJson ?? merged.changes_json ?? entry.changesJson ?? entry.changes_json)\n merged.changes_json = merged.changesJson\n merged.snapshotBefore = deepDecrypt(merged.snapshotBefore ?? merged.snapshot_before ?? entry.snapshotBefore ?? entry.snapshot_before)\n merged.snapshot_before = merged.snapshotBefore\n merged.snapshotAfter = deepDecrypt(merged.snapshotAfter ?? merged.snapshot_after ?? entry.snapshotAfter ?? entry.snapshot_after)\n merged.snapshot_after = merged.snapshotAfter\n merged.commandPayload = deepDecrypt(merged.commandPayload ?? merged.command_payload ?? entry.commandPayload ?? entry.command_payload)\n merged.command_payload = merged.commandPayload\n merged.contextJson = deepDecrypt(merged.contextJson ?? merged.context_json ?? entry.contextJson ?? entry.context_json)\n merged.context_json = merged.contextJson\n\n return merged as T\n } catch (err) {\n if (!decryptionWarningLogged) {\n decryptionWarningLogged = true\n console.warn('[audit_logs] failed to decrypt action log entry', err)\n }\n return entry\n }\n }\n\n private async decryptEntries(entries: ActionLog | ActionLog[] | null | undefined): Promise<void> {\n if (!entries) return\n\n const list = Array.isArray(entries) ? entries : [entries]\n for (const entry of list) {\n Object.assign(entry as unknown as Record<string, unknown>, await this.decryptEntryPayload(entry as unknown as Record<string, unknown>))\n }\n }\n\n async log(input: ActionLogCreateInput): Promise<ActionLog | null> {\n const data = this.parseCreateInput(input)\n const fork = this.em.fork()\n const log = this.createLogEntity(fork, data)\n await fork.persist(log).flush()\n await this.decryptEntries(log)\n return log\n }\n\n private parseCreateInput(input: ActionLogCreateInput): ActionLogCreateInput {\n let data: ActionLogCreateInput\n const schema = actionLogCreateSchema as typeof actionLogCreateSchema & { _zod?: unknown }\n const canValidate = Boolean(schema && typeof schema.parse === 'function')\n const shouldValidate = canValidate && runtimeValidationAvailable !== false\n\n if (shouldValidate) {\n try {\n data = schema.parse(input)\n runtimeValidationAvailable = true\n } catch (err) {\n if (!isZodRuntimeMissing(err) && !validationWarningLogged) {\n validationWarningLogged = true\n console.warn('[audit_logs] falling back to permissive action log payload parser', err)\n }\n if (isZodRuntimeMissing(err)) runtimeValidationAvailable = false\n data = this.normalizeInput(input)\n }\n } else {\n data = this.normalizeInput(input)\n }\n\n return data\n }\n\n private createLogEntity(fork: EntityManager, data: ActionLogCreateInput): ActionLog {\n const projection = deriveActionLogProjection({\n actorUserId: data.actorUserId ?? null,\n actionLabel: data.actionLabel ?? null,\n changes: isRecord(data.changes) ? data.changes : null,\n commandId: data.commandId,\n context: isRecord(data.context) ? data.context : null,\n snapshotBefore: data.snapshotBefore,\n })\n\n return fork.create(ActionLog, {\n tenantId: data.tenantId ?? null,\n organizationId: data.organizationId ?? null,\n actorUserId: data.actorUserId ?? null,\n commandId: data.commandId,\n actionLabel: data.actionLabel ?? null,\n actionType: projection.actionType,\n resourceKind: data.resourceKind ?? null,\n resourceId: data.resourceId ?? null,\n parentResourceKind: data.parentResourceKind ?? null,\n parentResourceId: data.parentResourceId ?? null,\n executionState: data.executionState ?? 'done',\n undoToken: data.undoToken ?? null,\n commandPayload: data.commandPayload ?? null,\n snapshotBefore: data.snapshotBefore ?? null,\n snapshotAfter: data.snapshotAfter ?? null,\n changesJson: isRecord(data.changes) ? data.changes : null,\n changedFields: projection.changedFields,\n primaryChangedField: projection.primaryChangedField,\n contextJson: isRecord(data.context) ? data.context : null,\n sourceKey: projection.sourceKey,\n createdAt: new Date(),\n updatedAt: new Date(),\n })\n }\n\n private normalizeInput(input: Partial<ActionLogCreateInput> | null | undefined): ActionLogCreateInput {\n if (!input) {\n return {\n tenantId: null,\n organizationId: null,\n actorUserId: null,\n commandId: 'unknown',\n actionLabel: undefined,\n resourceKind: undefined,\n resourceId: undefined,\n executionState: 'done',\n undoToken: undefined,\n commandPayload: undefined,\n snapshotBefore: undefined,\n snapshotAfter: undefined,\n changes: undefined,\n context: undefined,\n }\n }\n\n const toNullableUuid = (value: unknown) => {\n if (typeof value !== 'string' || value.length === 0) return null\n if (value.startsWith('api_key:')) return value.slice('api_key:'.length)\n return value\n }\n\n const normalizeRecordLike = (value: unknown): ActionLogCreateInput['changes'] => {\n if (value === null) return null\n if (Array.isArray(value)) return value\n if (typeof value === 'object') return value as Record<string, unknown>\n return undefined\n }\n\n const normalizeContext = (value: unknown) => (\n typeof value === 'object' && value !== null && !Array.isArray(value)\n ? value as Record<string, unknown>\n : undefined\n )\n\n return {\n tenantId: toNullableUuid(input.tenantId),\n organizationId: toNullableUuid(input.organizationId),\n actorUserId: toNullableUuid(input.actorUserId),\n commandId: typeof input.commandId === 'string' && input.commandId.length > 0 ? input.commandId : 'unknown',\n actionLabel: toOptionalString(input.actionLabel) ?? undefined,\n resourceKind: toOptionalString(input.resourceKind) ?? undefined,\n resourceId: toOptionalString(input.resourceId) ?? undefined,\n parentResourceKind: toOptionalString(input.parentResourceKind) ?? null,\n parentResourceId: toOptionalString(input.parentResourceId) ?? null,\n executionState: input.executionState === 'undone' || input.executionState === 'failed' ? input.executionState : 'done',\n undoToken: toOptionalString(input.undoToken) ?? undefined,\n commandPayload: input.commandPayload,\n snapshotBefore: input.snapshotBefore,\n snapshotAfter: input.snapshotAfter,\n changes: normalizeRecordLike(input.changes),\n context: normalizeContext(input.context),\n }\n }\n\n private parseListQuery(query: Partial<ActionLogListQuery>) {\n return actionLogListSchema.parse({\n ...query,\n })\n }\n\n private resolveActorUserIds(parsed: ActionLogListQuery): string[] {\n const values = [...(parsed.actorUserIds ?? [])]\n if (parsed.actorUserId) values.push(parsed.actorUserId)\n\n return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)))\n }\n\n private resolveFieldNames(parsed: ActionLogListQuery): string[] {\n const values = [...(parsed.fieldNames ?? [])]\n if (parsed.fieldName) values.push(parsed.fieldName)\n\n return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)))\n }\n\n private resolveActionTypes(parsed: ActionLogListQuery): ActionLogFilterType[] {\n const values = [...(parsed.actionTypes ?? [])]\n if (parsed.actionType) values.push(parsed.actionType)\n\n return Array.from(new Set(values))\n .filter((value): value is ActionLogFilterType => ACTION_LOG_FILTER_TYPES.includes(value as ActionLogFilterType))\n }\n\n private resolvePagination(parsed: ActionLogListQuery): { page: number; pageSize: number; offset: number; limit: number } {\n const pageSize =\n typeof parsed.pageSize === 'number' && parsed.pageSize > 0\n ? parsed.pageSize\n : typeof parsed.limit === 'number' && parsed.limit > 0\n ? parsed.limit\n : 50\n const page = typeof parsed.page === 'number' && parsed.page > 0 ? parsed.page : 1\n const offset =\n typeof parsed.offset === 'number' && parsed.offset >= 0\n ? parsed.offset\n : (page - 1) * pageSize\n return { page, pageSize, offset, limit: pageSize }\n }\n\n private async loadEntries(parsed: ActionLogListQuery, options?: { paginate?: boolean }) {\n let query = (this.buildListQuery(parsed) as any).select('action_logs.id as id')\n\n if (options?.paginate !== false) {\n const { limit, offset } = this.resolvePagination(parsed)\n query = query.limit(limit).offset(offset)\n }\n\n const rows = await query.execute()\n const ids = rows.map((row: any) => row.id).filter(Boolean)\n if (ids.length === 0) return []\n\n const results = await this.em.find(ActionLog, {\n id: { $in: ids } as any,\n deletedAt: null,\n })\n await this.decryptEntries(results)\n\n const byId = new Map(results.map((entry: any) => [entry.id, entry]))\n return ids\n .map((id: any) => byId.get(id))\n .filter((entry: any): entry is ActionLog => Boolean(entry))\n }\n\n private buildListQuery(parsed: ActionLogListQuery): any {\n let query = (this.em.getKysely<any>() as any)\n .selectFrom('action_logs')\n .selectAll()\n .where('action_logs.deleted_at', 'is', null) as any\n\n if (parsed.tenantId) query = query.where('action_logs.tenant_id', '=', parsed.tenantId)\n if (parsed.organizationId) query = query.where('action_logs.organization_id', '=', parsed.organizationId)\n\n const actorUserIds = this.resolveActorUserIds(parsed)\n if (actorUserIds.length === 1) query = query.where('action_logs.actor_user_id', '=', actorUserIds[0])\n if (actorUserIds.length > 1) query = query.where('action_logs.actor_user_id', 'in', actorUserIds)\n\n if (parsed.includeRelated && parsed.resourceKind && parsed.resourceId) {\n query = query.where((eb: any) =>\n eb.or([\n eb.and([\n eb('action_logs.resource_kind', '=', parsed.resourceKind),\n eb('action_logs.resource_id', '=', parsed.resourceId),\n ]),\n eb.and([\n eb('action_logs.parent_resource_kind', '=', parsed.resourceKind),\n eb('action_logs.parent_resource_id', '=', parsed.resourceId),\n ]),\n ])\n )\n } else {\n if (parsed.resourceKind) query = query.where('action_logs.resource_kind', '=', parsed.resourceKind)\n if (parsed.resourceId) query = query.where('action_logs.resource_id', '=', parsed.resourceId)\n }\n\n if (parsed.undoableOnly) query = query.where('action_logs.undo_token', 'is not', null)\n if (parsed.before) query = query.where('action_logs.created_at', '<', parsed.before)\n if (parsed.after) query = query.where('action_logs.created_at', '>', parsed.after)\n\n const fieldNames = this.resolveFieldNames(parsed)\n if (fieldNames.length === 1) query = query.where('action_logs.primary_changed_field', '=', fieldNames[0])\n if (fieldNames.length > 1) query = query.where('action_logs.primary_changed_field', 'in', fieldNames)\n\n const actionTypes = this.resolveActionTypes(parsed)\n if (actionTypes.length === 1) query = query.where('action_logs.action_type', '=', actionTypes[0])\n if (actionTypes.length > 1) query = query.where('action_logs.action_type', 'in', actionTypes)\n\n if (parsed.sortField === 'user') {\n query = query.leftJoin('users as audit_actor', 'audit_actor.id', 'action_logs.actor_user_id')\n }\n\n const sortDir = parsed.sortDir === 'asc' ? 'asc' : 'desc'\n switch (parsed.sortField) {\n case 'user':\n query = query.orderBy(sql`coalesce(nullif(audit_actor.name, ''), audit_actor.email, '')`, sortDir)\n break\n case 'action':\n query = query.orderBy(sql`coalesce(action_logs.action_type, '')`, sortDir)\n break\n case 'field':\n query = query.orderBy(sql`coalesce(action_logs.primary_changed_field, '')`, sortDir)\n break\n case 'source':\n query = query.orderBy(sql`coalesce(action_logs.source_key, '')`, sortDir)\n break\n case 'createdAt':\n default:\n query = query.orderBy(SORT_FIELDS.createdAt, sortDir)\n query = query.orderBy('action_logs.id', sortDir)\n return query\n }\n\n query = query.orderBy('action_logs.created_at', 'desc')\n query = query.orderBy('action_logs.id', 'desc')\n return query\n }\n\n async count(query: Partial<ActionLogListQuery>) {\n const parsed = this.parseListQuery(query)\n const row = await (this.buildListQuery(parsed) as any)\n .clearSelect()\n .clearOrderBy()\n .select(sql<string>`count(*)`.as('count'))\n .executeTakeFirst()\n\n if (!row) return 0\n const rawCount = row.count ?? 0\n return typeof rawCount === 'number' ? rawCount : Number.parseInt(rawCount, 10) || 0\n }\n\n async list(query: Partial<ActionLogListQuery>) {\n const parsed = this.parseListQuery(query)\n const { page, pageSize } = this.resolvePagination(parsed)\n const [items, total] = await Promise.all([\n this.loadEntries(parsed),\n this.count(parsed),\n ])\n const totalPages = Math.max(1, Math.ceil((total || 0) / (pageSize || 1)))\n return { items, total, page, pageSize, totalPages }\n }\n\n async latestUndoableForActor(actorUserId: string, scope: { tenantId?: string | null; organizationId?: string | null }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId,\n undoToken: { $ne: null } as any,\n executionState: 'done',\n deletedAt: null,\n }\n if (scope.tenantId) where.tenantId = scope.tenantId\n if (scope.organizationId) where.organizationId = scope.organizationId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { createdAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async markUndone(id: string, traceInput?: ActionLogCreateInput) {\n const fork = this.em.fork()\n const log = await fork.findOne(ActionLog, { id, deletedAt: null })\n if (!log) return null\n\n log.executionState = 'undone'\n log.undoToken = null\n\n const traceLog = traceInput ? this.createLogEntity(fork, this.parseCreateInput(traceInput)) : null\n if (traceLog) {\n fork.persist(traceLog)\n }\n\n await fork.flush()\n await this.decryptEntries(log)\n if (traceLog) await this.decryptEntries(traceLog)\n\n return log\n }\n\n async findByUndoToken(undoToken: string) {\n const entry = await this.em.findOne(ActionLog, { undoToken, deletedAt: null })\n await this.decryptEntries(entry)\n return entry\n }\n\n async findById(id: string) {\n const entry = await this.em.findOne(ActionLog, { id, deletedAt: null })\n await this.decryptEntries(entry)\n return entry\n }\n\n async latestUndoableForResource(params: {\n actorUserId: string\n tenantId?: string | null\n organizationId?: string | null\n resourceKind?: string | null\n resourceId?: string | null\n }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId: params.actorUserId,\n undoToken: { $ne: null } as any,\n executionState: 'done',\n deletedAt: null,\n }\n if (params.tenantId) where.tenantId = params.tenantId\n if (params.organizationId) where.organizationId = params.organizationId\n if (params.resourceKind) where.resourceKind = params.resourceKind\n if (params.resourceId) where.resourceId = params.resourceId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { createdAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async latestUndoneForActor(actorUserId: string, scope: { tenantId?: string | null; organizationId?: string | null }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId,\n executionState: 'undone',\n deletedAt: null,\n }\n if (scope.tenantId) where.tenantId = scope.tenantId\n if (scope.organizationId) where.organizationId = scope.organizationId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { updatedAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async markRedone(id: string) {\n const log = await this.em.findOne(ActionLog, { id, deletedAt: null })\n if (!log) return null\n\n log.executionState = 'redone'\n log.undoToken = null\n await this.em.flush()\n return log\n }\n\n async backfillProjections(options: ActionLogProjectionBackfillOptions = {}): Promise<ActionLogProjectionBackfillResult> {\n const batchSize = Math.min(Math.max(Math.trunc(options.batchSize ?? 250), 1), 1000)\n const logger = options.logger ?? (() => {})\n const result: ActionLogProjectionBackfillResult = {\n errors: 0,\n scanned: 0,\n skipped: 0,\n updated: 0,\n }\n\n let cursorCreatedAt: Date | null = null\n let cursorId: string | null = null\n\n while (true) {\n const rowsQuery = (this.em.getKysely<any>() as any)\n .selectFrom('action_logs')\n .select([\n 'action_logs.id',\n 'action_logs.tenant_id',\n 'action_logs.organization_id',\n 'action_logs.actor_user_id',\n 'action_logs.command_id',\n 'action_logs.action_label',\n 'action_logs.snapshot_before',\n 'action_logs.changes_json',\n 'action_logs.context_json',\n 'action_logs.action_type',\n 'action_logs.source_key',\n 'action_logs.changed_fields',\n 'action_logs.primary_changed_field',\n 'action_logs.created_at',\n ])\n .where('action_logs.deleted_at', 'is', null) as any\n\n if (options.tenantId) rowsQuery.where('action_logs.tenant_id', '=', options.tenantId)\n if (options.organizationId) rowsQuery.where('action_logs.organization_id', '=', options.organizationId)\n\n if (!options.force) {\n rowsQuery.where((eb: any) =>\n eb.or([\n eb('action_logs.action_type', 'is', null),\n eb('action_logs.source_key', 'is', null),\n eb('action_logs.changed_fields', 'is', null),\n ])\n )\n }\n\n if (cursorCreatedAt && cursorId) {\n rowsQuery.where((eb: any) =>\n eb.or([\n eb('action_logs.created_at', '>', cursorCreatedAt),\n eb.and([\n eb('action_logs.created_at', '=', cursorCreatedAt),\n eb('action_logs.id', '>', cursorId),\n ]),\n ])\n )\n }\n\n const rows = await rowsQuery\n .orderBy('created_at', 'asc')\n .orderBy('id', 'asc')\n .limit(batchSize)\n\n if (rows.length === 0) break\n\n for (const row of rows) {\n result.scanned += 1\n\n try {\n const decrypted = await this.decryptEntryPayload(row as unknown as Record<string, unknown>)\n const projection = deriveActionLogProjection({\n actorUserId: readString(decrypted, 'actorUserId', 'actor_user_id'),\n actionLabel: readString(decrypted, 'actionLabel', 'action_label'),\n changes: readRecord(decrypted, 'changesJson', 'changes_json'),\n commandId: readString(decrypted, 'commandId', 'command_id') ?? 'unknown',\n context: readRecord(decrypted, 'contextJson', 'context_json'),\n snapshotBefore: readValue(decrypted, 'snapshotBefore', 'snapshot_before'),\n })\n\n const needsUpdate = options.force === true\n || row.action_type !== projection.actionType\n || row.source_key !== projection.sourceKey\n || row.primary_changed_field !== projection.primaryChangedField\n || !stringArraysEqual(row.changed_fields, projection.changedFields)\n\n if (!needsUpdate) {\n result.skipped += 1\n continue\n }\n\n await (this.em.getKysely<any>() as any)\n .updateTable('action_logs')\n .set({\n action_type: projection.actionType,\n changed_fields: projection.changedFields,\n primary_changed_field: projection.primaryChangedField,\n source_key: projection.sourceKey,\n })\n .where('id', '=', row.id)\n .execute()\n\n result.updated += 1\n } catch (err) {\n result.errors += 1\n logger(`[backfill] Failed for action log ${row.id}: ${err instanceof Error ? err.message : String(err)}`)\n }\n }\n\n const lastRow = rows[rows.length - 1]\n cursorCreatedAt = lastRow.created_at\n cursorId = lastRow.id\n\n logger(\n `[backfill] Processed ${result.scanned} action logs (updated: ${result.updated}, skipped: ${result.skipped}, errors: ${result.errors})`,\n )\n\n if (rows.length < batchSize) break\n }\n\n return result\n }\n}\n"],
5
- "mappings": "AAEA,SAAS,WAAW;AACpB,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,OAGK;AACP,SAAS,gBAAgB;AACzB;AAAA,EACE;AAAA,EAEA;AAAA,OACK;AACP,SAAS,yBAAyB;AAElC,SAAS,wBAAwB;AAEjC,IAAI,0BAA0B;AAC9B,IAAI,6BAA6C;AACjD,IAAI,0BAA0B;AAE9B,MAAM,sBAAsB,CAAC,QAAiB,eAAe,aAAa,OAAO,IAAI,YAAY,YAAY,IAAI,QAAQ,SAAS,MAAM;AAExI,MAAM,cAAc;AAAA,EAClB,WAAW;AACb;AAkCA,SAAS,WAAW,WAAoC,MAA+B;AACrF,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;AAAA,EAC5D;AAEA,SAAO;AACT;AAEA,SAAS,WAAW,WAAoC,MAAgD;AACtG,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,SAAS,KAAK,EAAG,QAAO;AAAA,EAC9B;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,WAAoC,MAAyB;AAC9E,aAAW,OAAO,MAAM;AACtB,QAAI,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,EAAG,QAAO,OAAO,GAAG;AAAA,EAC1E;AAEA,SAAO;AACT;AAEA,SAAS,gBAAgB,WAAoC,MAAiC;AAC5F,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,aAAO,MAAM,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ;AAAA,IAC3E;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,MAAuB,OAA0B;AAC1E,MAAI,CAAC,MAAM,QAAQ,IAAI,EAAG,QAAO;AACjC,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AAEzC,SAAO,KAAK,MAAM,CAAC,OAAO,UAAU,UAAU,MAAM,KAAK,CAAC;AAC5D;AAEO,MAAM,iBAAiB;AAAA,EAC5B,YACmB,IACA,yBACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAEH,MAAc,oBAAuD,OAAsB;AACzF,QAAI,CAAC,KAAK,yBAAyB,UAAU,EAAG,QAAO;AAEvD,QAAI;AACF,YAAM,WAAW,WAAW,OAAO,YAAY,WAAW;AAC1D,YAAM,iBAAiB,WAAW,OAAO,kBAAkB,iBAAiB;AAC5E,YAAM,MAAM,MAAM,KAAK,wBAAwB,OAAO,QAAQ;AAC9D,YAAM,cAAc,CAAC,UAA4B;AAC/C,YAAI,CAAC,IAAK,QAAO;AACjB,YAAI,OAAO,UAAU,YAAY,MAAM,MAAM,GAAG,EAAE,WAAW,KAAK,MAAM,SAAS,KAAK,GAAG;AACvF,gBAAMA,aAAY,kBAAkB,OAAO,IAAI,GAAG;AAClD,cAAIA,eAAc,KAAM,QAAO;AAC/B,cAAI;AACF,mBAAO,KAAK,MAAMA,UAAS;AAAA,UAC7B,QAAQ;AACN,mBAAOA;AAAA,UACT;AAAA,QACF;AACA,YAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,CAAC,SAAS,YAAY,IAAI,CAAC;AACtE,YAAI,SAAS,OAAO,UAAU,UAAU;AACtC,gBAAM,OAAgC,CAAC;AACvC,qBAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,KAAgC,GAAG;AAC1E,iBAAK,GAAG,IAAI,YAAY,IAAI;AAAA,UAC9B;AACA,iBAAO;AAAA,QACT;AACA,eAAO;AAAA,MACT;AAEA,YAAM,YAAY,MAAM,KAAK,wBAAwB;AAAA,QACnD;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,SAAS;AAAA,QACb,GAAG;AAAA,QACH,GAAG;AAAA,MACL;AAEA,aAAO,cAAc,YAAY,OAAO,eAAe,OAAO,gBAAgB,MAAM,eAAe,MAAM,YAAY;AACrH,aAAO,eAAe,OAAO;AAC7B,aAAO,iBAAiB,YAAY,OAAO,kBAAkB,OAAO,mBAAmB,MAAM,kBAAkB,MAAM,eAAe;AACpI,aAAO,kBAAkB,OAAO;AAChC,aAAO,gBAAgB,YAAY,OAAO,iBAAiB,OAAO,kBAAkB,MAAM,iBAAiB,MAAM,cAAc;AAC/H,aAAO,iBAAiB,OAAO;AAC/B,aAAO,iBAAiB,YAAY,OAAO,kBAAkB,OAAO,mBAAmB,MAAM,kBAAkB,MAAM,eAAe;AACpI,aAAO,kBAAkB,OAAO;AAChC,aAAO,cAAc,YAAY,OAAO,eAAe,OAAO,gBAAgB,MAAM,eAAe,MAAM,YAAY;AACrH,aAAO,eAAe,OAAO;AAE7B,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,CAAC,yBAAyB;AAC5B,kCAA0B;AAC1B,gBAAQ,KAAK,mDAAmD,GAAG;AAAA,MACrE;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,SAAoE;AAC/F,QAAI,CAAC,QAAS;AAEd,UAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC,OAAO;AACxD,eAAW,SAAS,MAAM;AACxB,aAAO,OAAO,OAA6C,MAAM,KAAK,oBAAoB,KAA2C,CAAC;AAAA,IACxI;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,OAAwD;AAChE,UAAM,OAAO,KAAK,iBAAiB,KAAK;AACxC,UAAM,OAAO,KAAK,GAAG,KAAK;AAC1B,UAAM,MAAM,KAAK,gBAAgB,MAAM,IAAI;AAC3C,UAAM,KAAK,QAAQ,GAAG,EAAE,MAAM;AAC9B,UAAM,KAAK,eAAe,GAAG;AAC7B,WAAO;AAAA,EACT;AAAA,EAEQ,iBAAiB,OAAmD;AAC1E,QAAI;AACJ,UAAM,SAAS;AACf,UAAM,cAAc,QAAQ,UAAU,OAAO,OAAO,UAAU,UAAU;AACxE,UAAM,iBAAiB,eAAe,+BAA+B;AAErE,QAAI,gBAAgB;AAClB,UAAI;AACF,eAAO,OAAO,MAAM,KAAK;AACzB,qCAA6B;AAAA,MAC/B,SAAS,KAAK;AACZ,YAAI,CAAC,oBAAoB,GAAG,KAAK,CAAC,yBAAyB;AACzD,oCAA0B;AAC1B,kBAAQ,KAAK,qEAAqE,GAAG;AAAA,QACvF;AACA,YAAI,oBAAoB,GAAG,EAAG,8BAA6B;AAC3D,eAAO,KAAK,eAAe,KAAK;AAAA,MAClC;AAAA,IACF,OAAO;AACL,aAAO,KAAK,eAAe,KAAK;AAAA,IAClC;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,gBAAgB,MAAqB,MAAuC;AAClF,UAAM,aAAa,0BAA0B;AAAA,MAC3C,aAAa,KAAK,eAAe;AAAA,MACjC,aAAa,KAAK,eAAe;AAAA,MACjC,SAAS,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACjD,WAAW,KAAK;AAAA,MAChB,SAAS,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACjD,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAED,WAAO,KAAK,OAAO,WAAW;AAAA,MAC5B,UAAU,KAAK,YAAY;AAAA,MAC3B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,aAAa,KAAK,eAAe;AAAA,MACjC,WAAW,KAAK;AAAA,MAChB,aAAa,KAAK,eAAe;AAAA,MACjC,YAAY,WAAW;AAAA,MACvB,cAAc,KAAK,gBAAgB;AAAA,MACnC,YAAY,KAAK,cAAc;AAAA,MAC/B,oBAAoB,KAAK,sBAAsB;AAAA,MAC/C,kBAAkB,KAAK,oBAAoB;AAAA,MAC3C,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,WAAW,KAAK,aAAa;AAAA,MAC7B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,eAAe,KAAK,iBAAiB;AAAA,MACrC,aAAa,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACrD,eAAe,WAAW;AAAA,MAC1B,qBAAqB,WAAW;AAAA,MAChC,aAAa,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACrD,WAAW,WAAW;AAAA,MACtB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH;AAAA,EAEQ,eAAe,OAA+E;AACpG,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL,UAAU;AAAA,QACV,gBAAgB;AAAA,QAChB,aAAa;AAAA,QACb,WAAW;AAAA,QACX,aAAa;AAAA,QACb,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,gBAAgB;AAAA,QAChB,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,gBAAgB;AAAA,QAChB,eAAe;AAAA,QACf,SAAS;AAAA,QACT,SAAS;AAAA,MACX;AAAA,IACF;AAEA,UAAM,iBAAiB,CAAC,UAAmB;AACzC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAAG,QAAO;AAC5D,UAAI,MAAM,WAAW,UAAU,EAAG,QAAO,MAAM,MAAM,WAAW,MAAM;AACtE,aAAO;AAAA,IACT;AAEA,UAAM,sBAAsB,CAAC,UAAoD;AAC/E,UAAI,UAAU,KAAM,QAAO;AAC3B,UAAI,MAAM,QAAQ,KAAK,EAAG,QAAO;AACjC,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,aAAO;AAAA,IACT;AAEA,UAAM,mBAAmB,CAAC,UACxB,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAC/D,QACA;AAGN,WAAO;AAAA,MACL,UAAU,eAAe,MAAM,QAAQ;AAAA,MACvC,gBAAgB,eAAe,MAAM,cAAc;AAAA,MACnD,aAAa,eAAe,MAAM,WAAW;AAAA,MAC7C,WAAW,OAAO,MAAM,cAAc,YAAY,MAAM,UAAU,SAAS,IAAI,MAAM,YAAY;AAAA,MACjG,aAAa,iBAAiB,MAAM,WAAW,KAAK;AAAA,MACpD,cAAc,iBAAiB,MAAM,YAAY,KAAK;AAAA,MACtD,YAAY,iBAAiB,MAAM,UAAU,KAAK;AAAA,MAClD,oBAAoB,iBAAiB,MAAM,kBAAkB,KAAK;AAAA,MAClE,kBAAkB,iBAAiB,MAAM,gBAAgB,KAAK;AAAA,MAC9D,gBAAgB,MAAM,mBAAmB,YAAY,MAAM,mBAAmB,WAAW,MAAM,iBAAiB;AAAA,MAChH,WAAW,iBAAiB,MAAM,SAAS,KAAK;AAAA,MAChD,gBAAgB,MAAM;AAAA,MACtB,gBAAgB,MAAM;AAAA,MACtB,eAAe,MAAM;AAAA,MACrB,SAAS,oBAAoB,MAAM,OAAO;AAAA,MAC1C,SAAS,iBAAiB,MAAM,OAAO;AAAA,IACzC;AAAA,EACF;AAAA,EAEQ,eAAe,OAAoC;AACzD,WAAO,oBAAoB,MAAM;AAAA,MAC/B,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,QAAsC;AAChE,UAAM,SAAS,CAAC,GAAI,OAAO,gBAAgB,CAAC,CAAE;AAC9C,QAAI,OAAO,YAAa,QAAO,KAAK,OAAO,WAAW;AAEtD,WAAO,MAAM,KAAK,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAAA,EAChF;AAAA,EAEQ,kBAAkB,QAAsC;AAC9D,UAAM,SAAS,CAAC,GAAI,OAAO,cAAc,CAAC,CAAE;AAC5C,QAAI,OAAO,UAAW,QAAO,KAAK,OAAO,SAAS;AAElD,WAAO,MAAM,KAAK,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAAA,EAChF;AAAA,EAEQ,mBAAmB,QAAmD;AAC5E,UAAM,SAAS,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAC7C,QAAI,OAAO,WAAY,QAAO,KAAK,OAAO,UAAU;AAEpD,WAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,EAC9B,OAAO,CAAC,UAAwC,wBAAwB,SAAS,KAA4B,CAAC;AAAA,EACnH;AAAA,EAEQ,kBAAkB,QAA+F;AACvH,UAAM,WACJ,OAAO,OAAO,aAAa,YAAY,OAAO,WAAW,IACrD,OAAO,WACP,OAAO,OAAO,UAAU,YAAY,OAAO,QAAQ,IACjD,OAAO,QACP;AACR,UAAM,OAAO,OAAO,OAAO,SAAS,YAAY,OAAO,OAAO,IAAI,OAAO,OAAO;AAChF,UAAM,SACJ,OAAO,OAAO,WAAW,YAAY,OAAO,UAAU,IAClD,OAAO,UACN,OAAO,KAAK;AACnB,WAAO,EAAE,MAAM,UAAU,QAAQ,OAAO,SAAS;AAAA,EACnD;AAAA,EAEA,MAAc,YAAY,QAA4B,SAAkC;AACtF,QAAI,QAAS,KAAK,eAAe,MAAM,EAAU,OAAO,sBAAsB;AAE9E,QAAI,SAAS,aAAa,OAAO;AAC/B,YAAM,EAAE,OAAO,OAAO,IAAI,KAAK,kBAAkB,MAAM;AACvD,cAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,MAAM;AAAA,IAC1C;AAEA,UAAM,OAAO,MAAM,MAAM,QAAQ;AACjC,UAAM,MAAM,KAAK,IAAI,CAAC,QAAa,IAAI,EAAE,EAAE,OAAO,OAAO;AACzD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAE9B,UAAM,UAAU,MAAM,KAAK,GAAG,KAAK,WAAW;AAAA,MAC5C,IAAI,EAAE,KAAK,IAAI;AAAA,MACf,WAAW;AAAA,IACb,CAAC;AACD,UAAM,KAAK,eAAe,OAAO;AAEjC,UAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAe,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AACnE,WAAO,IACJ,IAAI,CAAC,OAAY,KAAK,IAAI,EAAE,CAAC,EAC7B,OAAO,CAAC,UAAmC,QAAQ,KAAK,CAAC;AAAA,EAC9D;AAAA,EAEQ,eAAe,QAAiC;AACtD,QAAI,QAAS,KAAK,GAAG,UAAe,EACjC,WAAW,aAAa,EACxB,UAAU,EACV,MAAM,0BAA0B,MAAM,IAAI;AAE7C,QAAI,OAAO,SAAU,SAAQ,MAAM,MAAM,yBAAyB,KAAK,OAAO,QAAQ;AACtF,QAAI,OAAO,eAAgB,SAAQ,MAAM,MAAM,+BAA+B,KAAK,OAAO,cAAc;AAExG,UAAM,eAAe,KAAK,oBAAoB,MAAM;AACpD,QAAI,aAAa,WAAW,EAAG,SAAQ,MAAM,MAAM,6BAA6B,KAAK,aAAa,CAAC,CAAC;AACpG,QAAI,aAAa,SAAS,EAAG,SAAQ,MAAM,MAAM,6BAA6B,MAAM,YAAY;AAEhG,QAAI,OAAO,kBAAkB,OAAO,gBAAgB,OAAO,YAAY;AACrE,cAAQ,MAAM;AAAA,QAAM,CAAC,OACnB,GAAG,GAAG;AAAA,UACJ,GAAG,IAAI;AAAA,YACL,GAAG,6BAA6B,KAAK,OAAO,YAAY;AAAA,YACxD,GAAG,2BAA2B,KAAK,OAAO,UAAU;AAAA,UACtD,CAAC;AAAA,UACD,GAAG,IAAI;AAAA,YACL,GAAG,oCAAoC,KAAK,OAAO,YAAY;AAAA,YAC/D,GAAG,kCAAkC,KAAK,OAAO,UAAU;AAAA,UAC7D,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF,OAAO;AACL,UAAI,OAAO,aAAc,SAAQ,MAAM,MAAM,6BAA6B,KAAK,OAAO,YAAY;AAClG,UAAI,OAAO,WAAY,SAAQ,MAAM,MAAM,2BAA2B,KAAK,OAAO,UAAU;AAAA,IAC9F;AAEA,QAAI,OAAO,aAAc,SAAQ,MAAM,MAAM,0BAA0B,UAAU,IAAI;AACrF,QAAI,OAAO,OAAQ,SAAQ,MAAM,MAAM,0BAA0B,KAAK,OAAO,MAAM;AACnF,QAAI,OAAO,MAAO,SAAQ,MAAM,MAAM,0BAA0B,KAAK,OAAO,KAAK;AAEjF,UAAM,aAAa,KAAK,kBAAkB,MAAM;AAChD,QAAI,WAAW,WAAW,EAAG,SAAQ,MAAM,MAAM,qCAAqC,KAAK,WAAW,CAAC,CAAC;AACxG,QAAI,WAAW,SAAS,EAAG,SAAQ,MAAM,MAAM,qCAAqC,MAAM,UAAU;AAEpG,UAAM,cAAc,KAAK,mBAAmB,MAAM;AAClD,QAAI,YAAY,WAAW,EAAG,SAAQ,MAAM,MAAM,2BAA2B,KAAK,YAAY,CAAC,CAAC;AAChG,QAAI,YAAY,SAAS,EAAG,SAAQ,MAAM,MAAM,2BAA2B,MAAM,WAAW;AAE5F,QAAI,OAAO,cAAc,QAAQ;AAC/B,cAAQ,MAAM,SAAS,wBAAwB,kBAAkB,2BAA2B;AAAA,IAC9F;AAEA,UAAM,UAAU,OAAO,YAAY,QAAQ,QAAQ;AACnD,YAAQ,OAAO,WAAW;AAAA,MACxB,KAAK;AACH,gBAAQ,MAAM,QAAQ,oEAAoE,OAAO;AACjG;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,4CAA4C,OAAO;AACzE;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,sDAAsD,OAAO;AACnF;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,2CAA2C,OAAO;AACxE;AAAA,MACF,KAAK;AAAA,MACL;AACE,gBAAQ,MAAM,QAAQ,YAAY,WAAW,OAAO;AACpD,gBAAQ,MAAM,QAAQ,kBAAkB,OAAO;AAC/C,eAAO;AAAA,IACX;AAEA,YAAQ,MAAM,QAAQ,0BAA0B,MAAM;AACtD,YAAQ,MAAM,QAAQ,kBAAkB,MAAM;AAC9C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,MAAM,OAAoC;AAC9C,UAAM,SAAS,KAAK,eAAe,KAAK;AACxC,UAAM,MAAM,MAAO,KAAK,eAAe,MAAM,EAC1C,YAAY,EACZ,aAAa,EACb,OAAO,cAAsB,GAAG,OAAO,CAAC,EACxC,iBAAiB;AAEpB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,WAAW,IAAI,SAAS;AAC9B,WAAO,OAAO,aAAa,WAAW,WAAW,OAAO,SAAS,UAAU,EAAE,KAAK;AAAA,EACpF;AAAA,EAEA,MAAM,KAAK,OAAoC;AAC7C,UAAM,SAAS,KAAK,eAAe,KAAK;AACxC,UAAM,EAAE,MAAM,SAAS,IAAI,KAAK,kBAAkB,MAAM;AACxD,UAAM,CAAC,OAAO,KAAK,IAAI,MAAM,QAAQ,IAAI;AAAA,MACvC,KAAK,YAAY,MAAM;AAAA,MACvB,KAAK,MAAM,MAAM;AAAA,IACnB,CAAC;AACD,UAAM,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,MAAM,YAAY,EAAE,CAAC;AACxE,WAAO,EAAE,OAAO,OAAO,MAAM,UAAU,WAAW;AAAA,EACpD;AAAA,EAEA,MAAM,uBAAuB,aAAqB,OAAqE;AACrH,UAAM,QAAgC;AAAA,MACpC;AAAA,MACA,WAAW,EAAE,KAAK,KAAK;AAAA,MACvB,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,MAAM,SAAU,OAAM,WAAW,MAAM;AAC3C,QAAI,MAAM,eAAgB,OAAM,iBAAiB,MAAM;AAEvD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,IAAY,YAAmC;AAC9D,UAAM,OAAO,KAAK,GAAG,KAAK;AAC1B,UAAM,MAAM,MAAM,KAAK,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACjE,QAAI,CAAC,IAAK,QAAO;AAEjB,QAAI,iBAAiB;AACrB,QAAI,YAAY;AAEhB,UAAM,WAAW,aAAa,KAAK,gBAAgB,MAAM,KAAK,iBAAiB,UAAU,CAAC,IAAI;AAC9F,QAAI,UAAU;AACZ,WAAK,QAAQ,QAAQ;AAAA,IACvB;AAEA,UAAM,KAAK,MAAM;AACjB,UAAM,KAAK,eAAe,GAAG;AAC7B,QAAI,SAAU,OAAM,KAAK,eAAe,QAAQ;AAEhD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,WAAmB;AACvC,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,WAAW,WAAW,KAAK,CAAC;AAC7E,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,SAAS,IAAY;AACzB,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACtE,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,0BAA0B,QAM7B;AACD,UAAM,QAAgC;AAAA,MACpC,aAAa,OAAO;AAAA,MACpB,WAAW,EAAE,KAAK,KAAK;AAAA,MACvB,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,OAAO,SAAU,OAAM,WAAW,OAAO;AAC7C,QAAI,OAAO,eAAgB,OAAM,iBAAiB,OAAO;AACzD,QAAI,OAAO,aAAc,OAAM,eAAe,OAAO;AACrD,QAAI,OAAO,WAAY,OAAM,aAAa,OAAO;AAEjD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,qBAAqB,aAAqB,OAAqE;AACnH,UAAM,QAAgC;AAAA,MACpC;AAAA,MACA,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,MAAM,SAAU,OAAM,WAAW,MAAM;AAC3C,QAAI,MAAM,eAAgB,OAAM,iBAAiB,MAAM;AAEvD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,IAAY;AAC3B,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACpE,QAAI,CAAC,IAAK,QAAO;AAEjB,QAAI,iBAAiB;AACrB,QAAI,YAAY;AAChB,UAAM,KAAK,GAAG,MAAM;AACpB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,oBAAoB,UAA8C,CAAC,GAA+C;AACtH,UAAM,YAAY,KAAK,IAAI,KAAK,IAAI,KAAK,MAAM,QAAQ,aAAa,GAAG,GAAG,CAAC,GAAG,GAAI;AAClF,UAAM,SAAS,QAAQ,WAAW,MAAM;AAAA,IAAC;AACzC,UAAM,SAA4C;AAAA,MAChD,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,SAAS;AAAA,MACT,SAAS;AAAA,IACX;AAEA,QAAI,kBAA+B;AACnC,QAAI,WAA0B;AAE9B,WAAO,MAAM;AACX,YAAM,YAAa,KAAK,GAAG,UAAe,EACvC,WAAW,aAAa,EACxB,OAAO;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC,EACA,MAAM,0BAA0B,MAAM,IAAI;AAE7C,UAAI,QAAQ,SAAU,WAAU,MAAM,yBAAyB,KAAK,QAAQ,QAAQ;AACpF,UAAI,QAAQ,eAAgB,WAAU,MAAM,+BAA+B,KAAK,QAAQ,cAAc;AAEtG,UAAI,CAAC,QAAQ,OAAO;AAClB,kBAAU;AAAA,UAAM,CAAC,OACf,GAAG,GAAG;AAAA,YACJ,GAAG,2BAA2B,MAAM,IAAI;AAAA,YACxC,GAAG,0BAA0B,MAAM,IAAI;AAAA,YACvC,GAAG,8BAA8B,MAAM,IAAI;AAAA,UAC7C,CAAC;AAAA,QACH;AAAA,MACF;AAEA,UAAI,mBAAmB,UAAU;AAC/B,kBAAU;AAAA,UAAM,CAAC,OACf,GAAG,GAAG;AAAA,YACJ,GAAG,0BAA0B,KAAK,eAAe;AAAA,YACjD,GAAG,IAAI;AAAA,cACL,GAAG,0BAA0B,KAAK,eAAe;AAAA,cACjD,GAAG,kBAAkB,KAAK,QAAQ;AAAA,YACpC,CAAC;AAAA,UACH,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,UAChB,QAAQ,cAAc,KAAK,EAC3B,QAAQ,MAAM,KAAK,EACnB,MAAM,SAAS;AAElB,UAAI,KAAK,WAAW,EAAG;AAEvB,iBAAW,OAAO,MAAM;AACtB,eAAO,WAAW;AAElB,YAAI;AACF,gBAAM,YAAY,MAAM,KAAK,oBAAoB,GAAyC;AAC1F,gBAAM,aAAa,0BAA0B;AAAA,YAC3C,aAAa,WAAW,WAAW,eAAe,eAAe;AAAA,YACjE,aAAa,WAAW,WAAW,eAAe,cAAc;AAAA,YAChE,SAAS,WAAW,WAAW,eAAe,cAAc;AAAA,YAC5D,WAAW,WAAW,WAAW,aAAa,YAAY,KAAK;AAAA,YAC/D,SAAS,WAAW,WAAW,eAAe,cAAc;AAAA,YAC5D,gBAAgB,UAAU,WAAW,kBAAkB,iBAAiB;AAAA,UAC1E,CAAC;AAED,gBAAM,cAAc,QAAQ,UAAU,QACjC,IAAI,gBAAgB,WAAW,cAC/B,IAAI,eAAe,WAAW,aAC9B,IAAI,0BAA0B,WAAW,uBACzC,CAAC,kBAAkB,IAAI,gBAAgB,WAAW,aAAa;AAEpE,cAAI,CAAC,aAAa;AAChB,mBAAO,WAAW;AAClB;AAAA,UACF;AAEA,gBAAO,KAAK,GAAG,UAAe,EAC3B,YAAY,aAAa,EACzB,IAAI;AAAA,YACH,aAAa,WAAW;AAAA,YACxB,gBAAgB,WAAW;AAAA,YAC3B,uBAAuB,WAAW;AAAA,YAClC,YAAY,WAAW;AAAA,UACzB,CAAC,EACA,MAAM,MAAM,KAAK,IAAI,EAAE,EACvB,QAAQ;AAEX,iBAAO,WAAW;AAAA,QACpB,SAAS,KAAK;AACZ,iBAAO,UAAU;AACjB,iBAAO,oCAAoC,IAAI,EAAE,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,QAC1G;AAAA,MACF;AAEA,YAAM,UAAU,KAAK,KAAK,SAAS,CAAC;AACpC,wBAAkB,QAAQ;AAC1B,iBAAW,QAAQ;AAEnB;AAAA,QACE,wBAAwB,OAAO,OAAO,0BAA0B,OAAO,OAAO,cAAc,OAAO,OAAO,aAAa,OAAO,MAAM;AAAA,MACtI;AAEA,UAAI,KAAK,SAAS,UAAW;AAAA,IAC/B;AAEA,WAAO;AAAA,EACT;AACF;",
4
+ "sourcesContent": ["import type { FilterQuery } from '@mikro-orm/core'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { sql } from 'kysely'\nimport { ActionLog } from '@open-mercato/core/modules/audit_logs/data/entities'\nimport {\n actionLogCreateSchema,\n actionLogListSchema,\n type ActionLogCreateInput,\n type ActionLogListQuery,\n} from '@open-mercato/core/modules/audit_logs/data/validators'\nimport { isRecord } from '@open-mercato/core/modules/audit_logs/lib/changeRows'\nimport {\n ACTION_LOG_FILTER_TYPES,\n type ActionLogFilterType,\n deriveActionLogProjection,\n} from '@open-mercato/core/modules/audit_logs/lib/projections'\nimport { decryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'\nimport { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'\nimport { toOptionalString } from '@open-mercato/shared/lib/string/coerce'\n\nlet validationWarningLogged = false\nlet runtimeValidationAvailable: boolean | null = null\nlet decryptionWarningLogged = false\n\nconst isZodRuntimeMissing = (err: unknown) => err instanceof TypeError && typeof err.message === 'string' && err.message.includes('_zod')\n\nconst SORT_FIELDS = {\n createdAt: 'action_logs.created_at',\n} as const\n\ntype ActionLogProjectionBackfillOptions = {\n batchSize?: number\n force?: boolean\n logger?: (message: string) => void\n organizationId?: string | null\n tenantId?: string | null\n}\n\nexport type ActionLogProjectionBackfillResult = {\n errors: number\n scanned: number\n skipped: number\n updated: number\n}\n\ntype BackfillRow = {\n action_label: string | null\n action_type: string | null\n actor_user_id: string | null\n changed_fields: string[] | null\n changes_json: Record<string, unknown> | null\n command_id: string\n context_json: Record<string, unknown> | null\n created_at: Date\n id: string\n organization_id: string | null\n primary_changed_field: string | null\n snapshot_before: unknown | null\n source_key: string | null\n tenant_id: string | null\n}\n\nfunction readString(record: Record<string, unknown>, ...keys: string[]): string | null {\n for (const key of keys) {\n const value = record[key]\n if (typeof value === 'string' && value.length > 0) return value\n }\n\n return null\n}\n\nfunction readRecord(record: Record<string, unknown>, ...keys: string[]): Record<string, unknown> | null {\n for (const key of keys) {\n const value = record[key]\n if (isRecord(value)) return value\n }\n\n return null\n}\n\nfunction readValue(record: Record<string, unknown>, ...keys: string[]): unknown {\n for (const key of keys) {\n if (Object.prototype.hasOwnProperty.call(record, key)) return record[key]\n }\n\n return undefined\n}\n\nfunction readStringArray(record: Record<string, unknown>, ...keys: string[]): string[] | null {\n for (const key of keys) {\n const value = record[key]\n if (Array.isArray(value)) {\n return value.filter((entry): entry is string => typeof entry === 'string')\n }\n }\n\n return null\n}\n\nfunction stringArraysEqual(left: string[] | null, right: string[]): boolean {\n if (!Array.isArray(left)) return false\n if (left.length !== right.length) return false\n\n return left.every((value, index) => value === right[index])\n}\n\nexport class ActionLogService {\n constructor(\n private readonly em: EntityManager,\n private readonly tenantEncryptionService?: TenantDataEncryptionService,\n ) {}\n\n private async decryptEntryPayload<T extends Record<string, unknown>>(entry: T): Promise<T> {\n if (!this.tenantEncryptionService?.isEnabled()) return entry\n\n try {\n const tenantId = readString(entry, 'tenantId', 'tenant_id')\n const organizationId = readString(entry, 'organizationId', 'organization_id')\n const dek = await this.tenantEncryptionService.getDek(tenantId)\n const deepDecrypt = (value: unknown): unknown => {\n if (!dek) return value\n if (typeof value === 'string' && value.split(':').length === 4 && value.endsWith(':v1')) {\n const decrypted = decryptWithAesGcm(value, dek.key)\n if (decrypted === null) return value\n try {\n return JSON.parse(decrypted)\n } catch {\n return decrypted\n }\n }\n if (Array.isArray(value)) return value.map((item) => deepDecrypt(item))\n if (value && typeof value === 'object') {\n const copy: Record<string, unknown> = {}\n for (const [key, item] of Object.entries(value as Record<string, unknown>)) {\n copy[key] = deepDecrypt(item)\n }\n return copy\n }\n return value\n }\n\n const decrypted = await this.tenantEncryptionService.decryptEntityPayload(\n 'audit_logs:action_log',\n entry,\n tenantId,\n organizationId,\n )\n\n const merged = {\n ...entry,\n ...decrypted,\n } as Record<string, unknown>\n\n merged.changesJson = deepDecrypt(merged.changesJson ?? merged.changes_json ?? entry.changesJson ?? entry.changes_json)\n merged.changes_json = merged.changesJson\n merged.snapshotBefore = deepDecrypt(merged.snapshotBefore ?? merged.snapshot_before ?? entry.snapshotBefore ?? entry.snapshot_before)\n merged.snapshot_before = merged.snapshotBefore\n merged.snapshotAfter = deepDecrypt(merged.snapshotAfter ?? merged.snapshot_after ?? entry.snapshotAfter ?? entry.snapshot_after)\n merged.snapshot_after = merged.snapshotAfter\n merged.commandPayload = deepDecrypt(merged.commandPayload ?? merged.command_payload ?? entry.commandPayload ?? entry.command_payload)\n merged.command_payload = merged.commandPayload\n merged.contextJson = deepDecrypt(merged.contextJson ?? merged.context_json ?? entry.contextJson ?? entry.context_json)\n merged.context_json = merged.contextJson\n\n return merged as T\n } catch (err) {\n if (!decryptionWarningLogged) {\n decryptionWarningLogged = true\n console.warn('[audit_logs] failed to decrypt action log entry', err)\n }\n return entry\n }\n }\n\n private async decryptEntries(entries: ActionLog | ActionLog[] | null | undefined): Promise<void> {\n if (!entries) return\n\n const list = Array.isArray(entries) ? entries : [entries]\n for (const entry of list) {\n Object.assign(entry as unknown as Record<string, unknown>, await this.decryptEntryPayload(entry as unknown as Record<string, unknown>))\n }\n }\n\n async log(input: ActionLogCreateInput): Promise<ActionLog | null> {\n const data = this.parseCreateInput(input)\n const fork = this.em.fork()\n const log = this.createLogEntity(fork, data)\n await fork.persist(log).flush()\n await this.decryptEntries(log)\n return log\n }\n\n private parseCreateInput(input: ActionLogCreateInput): ActionLogCreateInput {\n let data: ActionLogCreateInput\n const schema = actionLogCreateSchema as typeof actionLogCreateSchema & { _zod?: unknown }\n const canValidate = Boolean(schema && typeof schema.parse === 'function')\n const shouldValidate = canValidate && runtimeValidationAvailable !== false\n\n if (shouldValidate) {\n try {\n data = schema.parse(input)\n runtimeValidationAvailable = true\n } catch (err) {\n if (!isZodRuntimeMissing(err) && !validationWarningLogged) {\n validationWarningLogged = true\n console.warn('[audit_logs] falling back to permissive action log payload parser', err)\n }\n if (isZodRuntimeMissing(err)) runtimeValidationAvailable = false\n data = this.normalizeInput(input)\n }\n } else {\n data = this.normalizeInput(input)\n }\n\n return data\n }\n\n private createLogEntity(fork: EntityManager, data: ActionLogCreateInput): ActionLog {\n const projection = deriveActionLogProjection({\n actorUserId: data.actorUserId ?? null,\n actionLabel: data.actionLabel ?? null,\n changes: isRecord(data.changes) ? data.changes : null,\n commandId: data.commandId,\n context: isRecord(data.context) ? data.context : null,\n snapshotBefore: data.snapshotBefore,\n })\n\n return fork.create(ActionLog, {\n tenantId: data.tenantId ?? null,\n organizationId: data.organizationId ?? null,\n actorUserId: data.actorUserId ?? null,\n commandId: data.commandId,\n actionLabel: data.actionLabel ?? null,\n actionType: projection.actionType,\n resourceKind: data.resourceKind ?? null,\n resourceId: data.resourceId ?? null,\n parentResourceKind: data.parentResourceKind ?? null,\n parentResourceId: data.parentResourceId ?? null,\n executionState: data.executionState ?? 'done',\n undoToken: data.undoToken ?? null,\n commandPayload: data.commandPayload ?? null,\n snapshotBefore: data.snapshotBefore ?? null,\n snapshotAfter: data.snapshotAfter ?? null,\n changesJson: isRecord(data.changes) ? data.changes : null,\n changedFields: projection.changedFields,\n primaryChangedField: projection.primaryChangedField,\n contextJson: isRecord(data.context) ? data.context : null,\n sourceKey: projection.sourceKey,\n createdAt: new Date(),\n updatedAt: new Date(),\n })\n }\n\n private normalizeInput(input: Partial<ActionLogCreateInput> | null | undefined): ActionLogCreateInput {\n if (!input) {\n return {\n tenantId: null,\n organizationId: null,\n actorUserId: null,\n commandId: 'unknown',\n actionLabel: undefined,\n resourceKind: undefined,\n resourceId: undefined,\n executionState: 'done',\n undoToken: undefined,\n commandPayload: undefined,\n snapshotBefore: undefined,\n snapshotAfter: undefined,\n changes: undefined,\n context: undefined,\n }\n }\n\n const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/\n const toNullableUuid = (value: unknown) => {\n if (typeof value !== 'string' || value.length === 0) return null\n // Extract UUID from \"api_key:<uuid>\" format (used by workflow authentication).\n const candidate = value.startsWith('api_key:') ? value.slice('api_key:'.length) : value\n // System actors (outbound sync workers, scheduler, etc.) carry subjects like\n // \"system:example_customers_sync:outbound\" that are not UUIDs. Writing them into\n // `actor_user_id` (uuid column) trips the Postgres driver with\n // `invalid input syntax for type uuid`. Reject anything that isn't a UUID so the\n // action log safely records a null actor for system-originated commands.\n return UUID_REGEX.test(candidate) ? candidate : null\n }\n\n const normalizeRecordLike = (value: unknown): ActionLogCreateInput['changes'] => {\n if (value === null) return null\n if (Array.isArray(value)) return value\n if (typeof value === 'object') return value as Record<string, unknown>\n return undefined\n }\n\n const normalizeContext = (value: unknown) => (\n typeof value === 'object' && value !== null && !Array.isArray(value)\n ? value as Record<string, unknown>\n : undefined\n )\n\n return {\n tenantId: toNullableUuid(input.tenantId),\n organizationId: toNullableUuid(input.organizationId),\n actorUserId: toNullableUuid(input.actorUserId),\n commandId: typeof input.commandId === 'string' && input.commandId.length > 0 ? input.commandId : 'unknown',\n actionLabel: toOptionalString(input.actionLabel) ?? undefined,\n resourceKind: toOptionalString(input.resourceKind) ?? undefined,\n resourceId: toOptionalString(input.resourceId) ?? undefined,\n parentResourceKind: toOptionalString(input.parentResourceKind) ?? null,\n parentResourceId: toOptionalString(input.parentResourceId) ?? null,\n executionState: input.executionState === 'undone' || input.executionState === 'failed' ? input.executionState : 'done',\n undoToken: toOptionalString(input.undoToken) ?? undefined,\n commandPayload: input.commandPayload,\n snapshotBefore: input.snapshotBefore,\n snapshotAfter: input.snapshotAfter,\n changes: normalizeRecordLike(input.changes),\n context: normalizeContext(input.context),\n }\n }\n\n private parseListQuery(query: Partial<ActionLogListQuery>) {\n return actionLogListSchema.parse({\n ...query,\n })\n }\n\n private resolveActorUserIds(parsed: ActionLogListQuery): string[] {\n const values = [...(parsed.actorUserIds ?? [])]\n if (parsed.actorUserId) values.push(parsed.actorUserId)\n\n return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)))\n }\n\n private resolveFieldNames(parsed: ActionLogListQuery): string[] {\n const values = [...(parsed.fieldNames ?? [])]\n if (parsed.fieldName) values.push(parsed.fieldName)\n\n return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)))\n }\n\n private resolveActionTypes(parsed: ActionLogListQuery): ActionLogFilterType[] {\n const values = [...(parsed.actionTypes ?? [])]\n if (parsed.actionType) values.push(parsed.actionType)\n\n return Array.from(new Set(values))\n .filter((value): value is ActionLogFilterType => ACTION_LOG_FILTER_TYPES.includes(value as ActionLogFilterType))\n }\n\n private resolvePagination(parsed: ActionLogListQuery): { page: number; pageSize: number; offset: number; limit: number } {\n const pageSize =\n typeof parsed.pageSize === 'number' && parsed.pageSize > 0\n ? parsed.pageSize\n : typeof parsed.limit === 'number' && parsed.limit > 0\n ? parsed.limit\n : 50\n const page = typeof parsed.page === 'number' && parsed.page > 0 ? parsed.page : 1\n const offset =\n typeof parsed.offset === 'number' && parsed.offset >= 0\n ? parsed.offset\n : (page - 1) * pageSize\n return { page, pageSize, offset, limit: pageSize }\n }\n\n private async loadEntries(parsed: ActionLogListQuery, options?: { paginate?: boolean }) {\n let query = (this.buildListQuery(parsed) as any).select('action_logs.id as id')\n\n if (options?.paginate !== false) {\n const { limit, offset } = this.resolvePagination(parsed)\n query = query.limit(limit).offset(offset)\n }\n\n const rows = await query.execute()\n const ids = rows.map((row: any) => row.id).filter(Boolean)\n if (ids.length === 0) return []\n\n const results = await this.em.find(ActionLog, {\n id: { $in: ids } as any,\n deletedAt: null,\n })\n await this.decryptEntries(results)\n\n const byId = new Map(results.map((entry: any) => [entry.id, entry]))\n return ids\n .map((id: any) => byId.get(id))\n .filter((entry: any): entry is ActionLog => Boolean(entry))\n }\n\n private buildListQuery(parsed: ActionLogListQuery): any {\n let query = (this.em.getKysely<any>() as any)\n .selectFrom('action_logs')\n .selectAll()\n .where('action_logs.deleted_at', 'is', null) as any\n\n if (parsed.tenantId) query = query.where('action_logs.tenant_id', '=', parsed.tenantId)\n if (parsed.organizationId) query = query.where('action_logs.organization_id', '=', parsed.organizationId)\n\n const actorUserIds = this.resolveActorUserIds(parsed)\n if (actorUserIds.length === 1) query = query.where('action_logs.actor_user_id', '=', actorUserIds[0])\n if (actorUserIds.length > 1) query = query.where('action_logs.actor_user_id', 'in', actorUserIds)\n\n if (parsed.includeRelated && parsed.resourceKind && parsed.resourceId) {\n query = query.where((eb: any) =>\n eb.or([\n eb.and([\n eb('action_logs.resource_kind', '=', parsed.resourceKind),\n eb('action_logs.resource_id', '=', parsed.resourceId),\n ]),\n eb.and([\n eb('action_logs.parent_resource_kind', '=', parsed.resourceKind),\n eb('action_logs.parent_resource_id', '=', parsed.resourceId),\n ]),\n ])\n )\n } else {\n if (parsed.resourceKind) query = query.where('action_logs.resource_kind', '=', parsed.resourceKind)\n if (parsed.resourceId) query = query.where('action_logs.resource_id', '=', parsed.resourceId)\n }\n\n if (parsed.undoableOnly) query = query.where('action_logs.undo_token', 'is not', null)\n if (parsed.before) query = query.where('action_logs.created_at', '<', parsed.before)\n if (parsed.after) query = query.where('action_logs.created_at', '>', parsed.after)\n\n const fieldNames = this.resolveFieldNames(parsed)\n if (fieldNames.length === 1) query = query.where('action_logs.primary_changed_field', '=', fieldNames[0])\n if (fieldNames.length > 1) query = query.where('action_logs.primary_changed_field', 'in', fieldNames)\n\n const actionTypes = this.resolveActionTypes(parsed)\n if (actionTypes.length === 1) query = query.where('action_logs.action_type', '=', actionTypes[0])\n if (actionTypes.length > 1) query = query.where('action_logs.action_type', 'in', actionTypes)\n\n if (parsed.sortField === 'user') {\n query = query.leftJoin('users as audit_actor', 'audit_actor.id', 'action_logs.actor_user_id')\n }\n\n const sortDir = parsed.sortDir === 'asc' ? 'asc' : 'desc'\n switch (parsed.sortField) {\n case 'user':\n query = query.orderBy(sql`coalesce(nullif(audit_actor.name, ''), audit_actor.email, '')`, sortDir)\n break\n case 'action':\n query = query.orderBy(sql`coalesce(action_logs.action_type, '')`, sortDir)\n break\n case 'field':\n query = query.orderBy(sql`coalesce(action_logs.primary_changed_field, '')`, sortDir)\n break\n case 'source':\n query = query.orderBy(sql`coalesce(action_logs.source_key, '')`, sortDir)\n break\n case 'createdAt':\n default:\n query = query.orderBy(SORT_FIELDS.createdAt, sortDir)\n query = query.orderBy('action_logs.id', sortDir)\n return query\n }\n\n query = query.orderBy('action_logs.created_at', 'desc')\n query = query.orderBy('action_logs.id', 'desc')\n return query\n }\n\n async count(query: Partial<ActionLogListQuery>) {\n const parsed = this.parseListQuery(query)\n const row = await (this.buildListQuery(parsed) as any)\n .clearSelect()\n .clearOrderBy()\n .select(sql<string>`count(*)`.as('count'))\n .executeTakeFirst()\n\n if (!row) return 0\n const rawCount = row.count ?? 0\n return typeof rawCount === 'number' ? rawCount : Number.parseInt(rawCount, 10) || 0\n }\n\n async list(query: Partial<ActionLogListQuery>) {\n const parsed = this.parseListQuery(query)\n const { page, pageSize } = this.resolvePagination(parsed)\n const [items, total] = await Promise.all([\n this.loadEntries(parsed),\n this.count(parsed),\n ])\n const totalPages = Math.max(1, Math.ceil((total || 0) / (pageSize || 1)))\n return { items, total, page, pageSize, totalPages }\n }\n\n async latestUndoableForActor(actorUserId: string, scope: { tenantId?: string | null; organizationId?: string | null }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId,\n undoToken: { $ne: null } as any,\n executionState: 'done',\n deletedAt: null,\n }\n if (scope.tenantId) where.tenantId = scope.tenantId\n if (scope.organizationId) where.organizationId = scope.organizationId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { createdAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async markUndone(id: string, traceInput?: ActionLogCreateInput) {\n const fork = this.em.fork()\n const log = await fork.findOne(ActionLog, { id, deletedAt: null })\n if (!log) return null\n\n log.executionState = 'undone'\n log.undoToken = null\n\n const traceLog = traceInput ? this.createLogEntity(fork, this.parseCreateInput(traceInput)) : null\n if (traceLog) {\n fork.persist(traceLog)\n }\n\n await fork.flush()\n await this.decryptEntries(log)\n if (traceLog) await this.decryptEntries(traceLog)\n\n return log\n }\n\n async findByUndoToken(undoToken: string) {\n const entry = await this.em.findOne(ActionLog, { undoToken, deletedAt: null })\n await this.decryptEntries(entry)\n return entry\n }\n\n async findById(id: string) {\n const entry = await this.em.findOne(ActionLog, { id, deletedAt: null })\n await this.decryptEntries(entry)\n return entry\n }\n\n async latestUndoableForResource(params: {\n actorUserId: string\n tenantId?: string | null\n organizationId?: string | null\n resourceKind?: string | null\n resourceId?: string | null\n }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId: params.actorUserId,\n undoToken: { $ne: null } as any,\n executionState: 'done',\n deletedAt: null,\n }\n if (params.tenantId) where.tenantId = params.tenantId\n if (params.organizationId) where.organizationId = params.organizationId\n if (params.resourceKind) where.resourceKind = params.resourceKind\n if (params.resourceId) where.resourceId = params.resourceId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { createdAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async latestUndoneForActor(actorUserId: string, scope: { tenantId?: string | null; organizationId?: string | null }) {\n const where: FilterQuery<ActionLog> = {\n actorUserId,\n executionState: 'undone',\n deletedAt: null,\n }\n if (scope.tenantId) where.tenantId = scope.tenantId\n if (scope.organizationId) where.organizationId = scope.organizationId\n\n const entry = await this.em.findOne(ActionLog, where, { orderBy: { updatedAt: 'desc' } })\n await this.decryptEntries(entry)\n return entry\n }\n\n async markRedone(id: string) {\n const log = await this.em.findOne(ActionLog, { id, deletedAt: null })\n if (!log) return null\n\n log.executionState = 'redone'\n log.undoToken = null\n await this.em.flush()\n return log\n }\n\n async backfillProjections(options: ActionLogProjectionBackfillOptions = {}): Promise<ActionLogProjectionBackfillResult> {\n const batchSize = Math.min(Math.max(Math.trunc(options.batchSize ?? 250), 1), 1000)\n const logger = options.logger ?? (() => {})\n const result: ActionLogProjectionBackfillResult = {\n errors: 0,\n scanned: 0,\n skipped: 0,\n updated: 0,\n }\n\n let cursorCreatedAt: Date | null = null\n let cursorId: string | null = null\n\n while (true) {\n const rowsQuery = (this.em.getKysely<any>() as any)\n .selectFrom('action_logs')\n .select([\n 'action_logs.id',\n 'action_logs.tenant_id',\n 'action_logs.organization_id',\n 'action_logs.actor_user_id',\n 'action_logs.command_id',\n 'action_logs.action_label',\n 'action_logs.snapshot_before',\n 'action_logs.changes_json',\n 'action_logs.context_json',\n 'action_logs.action_type',\n 'action_logs.source_key',\n 'action_logs.changed_fields',\n 'action_logs.primary_changed_field',\n 'action_logs.created_at',\n ])\n .where('action_logs.deleted_at', 'is', null) as any\n\n if (options.tenantId) rowsQuery.where('action_logs.tenant_id', '=', options.tenantId)\n if (options.organizationId) rowsQuery.where('action_logs.organization_id', '=', options.organizationId)\n\n if (!options.force) {\n rowsQuery.where((eb: any) =>\n eb.or([\n eb('action_logs.action_type', 'is', null),\n eb('action_logs.source_key', 'is', null),\n eb('action_logs.changed_fields', 'is', null),\n ])\n )\n }\n\n if (cursorCreatedAt && cursorId) {\n rowsQuery.where((eb: any) =>\n eb.or([\n eb('action_logs.created_at', '>', cursorCreatedAt),\n eb.and([\n eb('action_logs.created_at', '=', cursorCreatedAt),\n eb('action_logs.id', '>', cursorId),\n ]),\n ])\n )\n }\n\n const rows = await rowsQuery\n .orderBy('created_at', 'asc')\n .orderBy('id', 'asc')\n .limit(batchSize)\n\n if (rows.length === 0) break\n\n for (const row of rows) {\n result.scanned += 1\n\n try {\n const decrypted = await this.decryptEntryPayload(row as unknown as Record<string, unknown>)\n const projection = deriveActionLogProjection({\n actorUserId: readString(decrypted, 'actorUserId', 'actor_user_id'),\n actionLabel: readString(decrypted, 'actionLabel', 'action_label'),\n changes: readRecord(decrypted, 'changesJson', 'changes_json'),\n commandId: readString(decrypted, 'commandId', 'command_id') ?? 'unknown',\n context: readRecord(decrypted, 'contextJson', 'context_json'),\n snapshotBefore: readValue(decrypted, 'snapshotBefore', 'snapshot_before'),\n })\n\n const needsUpdate = options.force === true\n || row.action_type !== projection.actionType\n || row.source_key !== projection.sourceKey\n || row.primary_changed_field !== projection.primaryChangedField\n || !stringArraysEqual(row.changed_fields, projection.changedFields)\n\n if (!needsUpdate) {\n result.skipped += 1\n continue\n }\n\n await (this.em.getKysely<any>() as any)\n .updateTable('action_logs')\n .set({\n action_type: projection.actionType,\n changed_fields: projection.changedFields,\n primary_changed_field: projection.primaryChangedField,\n source_key: projection.sourceKey,\n })\n .where('id', '=', row.id)\n .execute()\n\n result.updated += 1\n } catch (err) {\n result.errors += 1\n logger(`[backfill] Failed for action log ${row.id}: ${err instanceof Error ? err.message : String(err)}`)\n }\n }\n\n const lastRow = rows[rows.length - 1]\n cursorCreatedAt = lastRow.created_at\n cursorId = lastRow.id\n\n logger(\n `[backfill] Processed ${result.scanned} action logs (updated: ${result.updated}, skipped: ${result.skipped}, errors: ${result.errors})`,\n )\n\n if (rows.length < batchSize) break\n }\n\n return result\n }\n}\n"],
5
+ "mappings": "AAEA,SAAS,WAAW;AACpB,SAAS,iBAAiB;AAC1B;AAAA,EACE;AAAA,EACA;AAAA,OAGK;AACP,SAAS,gBAAgB;AACzB;AAAA,EACE;AAAA,EAEA;AAAA,OACK;AACP,SAAS,yBAAyB;AAElC,SAAS,wBAAwB;AAEjC,IAAI,0BAA0B;AAC9B,IAAI,6BAA6C;AACjD,IAAI,0BAA0B;AAE9B,MAAM,sBAAsB,CAAC,QAAiB,eAAe,aAAa,OAAO,IAAI,YAAY,YAAY,IAAI,QAAQ,SAAS,MAAM;AAExI,MAAM,cAAc;AAAA,EAClB,WAAW;AACb;AAkCA,SAAS,WAAW,WAAoC,MAA+B;AACrF,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;AAAA,EAC5D;AAEA,SAAO;AACT;AAEA,SAAS,WAAW,WAAoC,MAAgD;AACtG,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,SAAS,KAAK,EAAG,QAAO;AAAA,EAC9B;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,WAAoC,MAAyB;AAC9E,aAAW,OAAO,MAAM;AACtB,QAAI,OAAO,UAAU,eAAe,KAAK,QAAQ,GAAG,EAAG,QAAO,OAAO,GAAG;AAAA,EAC1E;AAEA,SAAO;AACT;AAEA,SAAS,gBAAgB,WAAoC,MAAiC;AAC5F,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,aAAO,MAAM,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ;AAAA,IAC3E;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,MAAuB,OAA0B;AAC1E,MAAI,CAAC,MAAM,QAAQ,IAAI,EAAG,QAAO;AACjC,MAAI,KAAK,WAAW,MAAM,OAAQ,QAAO;AAEzC,SAAO,KAAK,MAAM,CAAC,OAAO,UAAU,UAAU,MAAM,KAAK,CAAC;AAC5D;AAEO,MAAM,iBAAiB;AAAA,EAC5B,YACmB,IACA,yBACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAEH,MAAc,oBAAuD,OAAsB;AACzF,QAAI,CAAC,KAAK,yBAAyB,UAAU,EAAG,QAAO;AAEvD,QAAI;AACF,YAAM,WAAW,WAAW,OAAO,YAAY,WAAW;AAC1D,YAAM,iBAAiB,WAAW,OAAO,kBAAkB,iBAAiB;AAC5E,YAAM,MAAM,MAAM,KAAK,wBAAwB,OAAO,QAAQ;AAC9D,YAAM,cAAc,CAAC,UAA4B;AAC/C,YAAI,CAAC,IAAK,QAAO;AACjB,YAAI,OAAO,UAAU,YAAY,MAAM,MAAM,GAAG,EAAE,WAAW,KAAK,MAAM,SAAS,KAAK,GAAG;AACvF,gBAAMA,aAAY,kBAAkB,OAAO,IAAI,GAAG;AAClD,cAAIA,eAAc,KAAM,QAAO;AAC/B,cAAI;AACF,mBAAO,KAAK,MAAMA,UAAS;AAAA,UAC7B,QAAQ;AACN,mBAAOA;AAAA,UACT;AAAA,QACF;AACA,YAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,CAAC,SAAS,YAAY,IAAI,CAAC;AACtE,YAAI,SAAS,OAAO,UAAU,UAAU;AACtC,gBAAM,OAAgC,CAAC;AACvC,qBAAW,CAAC,KAAK,IAAI,KAAK,OAAO,QAAQ,KAAgC,GAAG;AAC1E,iBAAK,GAAG,IAAI,YAAY,IAAI;AAAA,UAC9B;AACA,iBAAO;AAAA,QACT;AACA,eAAO;AAAA,MACT;AAEA,YAAM,YAAY,MAAM,KAAK,wBAAwB;AAAA,QACnD;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,SAAS;AAAA,QACb,GAAG;AAAA,QACH,GAAG;AAAA,MACL;AAEA,aAAO,cAAc,YAAY,OAAO,eAAe,OAAO,gBAAgB,MAAM,eAAe,MAAM,YAAY;AACrH,aAAO,eAAe,OAAO;AAC7B,aAAO,iBAAiB,YAAY,OAAO,kBAAkB,OAAO,mBAAmB,MAAM,kBAAkB,MAAM,eAAe;AACpI,aAAO,kBAAkB,OAAO;AAChC,aAAO,gBAAgB,YAAY,OAAO,iBAAiB,OAAO,kBAAkB,MAAM,iBAAiB,MAAM,cAAc;AAC/H,aAAO,iBAAiB,OAAO;AAC/B,aAAO,iBAAiB,YAAY,OAAO,kBAAkB,OAAO,mBAAmB,MAAM,kBAAkB,MAAM,eAAe;AACpI,aAAO,kBAAkB,OAAO;AAChC,aAAO,cAAc,YAAY,OAAO,eAAe,OAAO,gBAAgB,MAAM,eAAe,MAAM,YAAY;AACrH,aAAO,eAAe,OAAO;AAE7B,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,CAAC,yBAAyB;AAC5B,kCAA0B;AAC1B,gBAAQ,KAAK,mDAAmD,GAAG;AAAA,MACrE;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,SAAoE;AAC/F,QAAI,CAAC,QAAS;AAEd,UAAM,OAAO,MAAM,QAAQ,OAAO,IAAI,UAAU,CAAC,OAAO;AACxD,eAAW,SAAS,MAAM;AACxB,aAAO,OAAO,OAA6C,MAAM,KAAK,oBAAoB,KAA2C,CAAC;AAAA,IACxI;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,OAAwD;AAChE,UAAM,OAAO,KAAK,iBAAiB,KAAK;AACxC,UAAM,OAAO,KAAK,GAAG,KAAK;AAC1B,UAAM,MAAM,KAAK,gBAAgB,MAAM,IAAI;AAC3C,UAAM,KAAK,QAAQ,GAAG,EAAE,MAAM;AAC9B,UAAM,KAAK,eAAe,GAAG;AAC7B,WAAO;AAAA,EACT;AAAA,EAEQ,iBAAiB,OAAmD;AAC1E,QAAI;AACJ,UAAM,SAAS;AACf,UAAM,cAAc,QAAQ,UAAU,OAAO,OAAO,UAAU,UAAU;AACxE,UAAM,iBAAiB,eAAe,+BAA+B;AAErE,QAAI,gBAAgB;AAClB,UAAI;AACF,eAAO,OAAO,MAAM,KAAK;AACzB,qCAA6B;AAAA,MAC/B,SAAS,KAAK;AACZ,YAAI,CAAC,oBAAoB,GAAG,KAAK,CAAC,yBAAyB;AACzD,oCAA0B;AAC1B,kBAAQ,KAAK,qEAAqE,GAAG;AAAA,QACvF;AACA,YAAI,oBAAoB,GAAG,EAAG,8BAA6B;AAC3D,eAAO,KAAK,eAAe,KAAK;AAAA,MAClC;AAAA,IACF,OAAO;AACL,aAAO,KAAK,eAAe,KAAK;AAAA,IAClC;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,gBAAgB,MAAqB,MAAuC;AAClF,UAAM,aAAa,0BAA0B;AAAA,MAC3C,aAAa,KAAK,eAAe;AAAA,MACjC,aAAa,KAAK,eAAe;AAAA,MACjC,SAAS,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACjD,WAAW,KAAK;AAAA,MAChB,SAAS,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACjD,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAED,WAAO,KAAK,OAAO,WAAW;AAAA,MAC5B,UAAU,KAAK,YAAY;AAAA,MAC3B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,aAAa,KAAK,eAAe;AAAA,MACjC,WAAW,KAAK;AAAA,MAChB,aAAa,KAAK,eAAe;AAAA,MACjC,YAAY,WAAW;AAAA,MACvB,cAAc,KAAK,gBAAgB;AAAA,MACnC,YAAY,KAAK,cAAc;AAAA,MAC/B,oBAAoB,KAAK,sBAAsB;AAAA,MAC/C,kBAAkB,KAAK,oBAAoB;AAAA,MAC3C,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,WAAW,KAAK,aAAa;AAAA,MAC7B,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,gBAAgB,KAAK,kBAAkB;AAAA,MACvC,eAAe,KAAK,iBAAiB;AAAA,MACrC,aAAa,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACrD,eAAe,WAAW;AAAA,MAC1B,qBAAqB,WAAW;AAAA,MAChC,aAAa,SAAS,KAAK,OAAO,IAAI,KAAK,UAAU;AAAA,MACrD,WAAW,WAAW;AAAA,MACtB,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH;AAAA,EAEQ,eAAe,OAA+E;AACpG,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,QACL,UAAU;AAAA,QACV,gBAAgB;AAAA,QAChB,aAAa;AAAA,QACb,WAAW;AAAA,QACX,aAAa;AAAA,QACb,cAAc;AAAA,QACd,YAAY;AAAA,QACZ,gBAAgB;AAAA,QAChB,WAAW;AAAA,QACX,gBAAgB;AAAA,QAChB,gBAAgB;AAAA,QAChB,eAAe;AAAA,QACf,SAAS;AAAA,QACT,SAAS;AAAA,MACX;AAAA,IACF;AAEA,UAAM,aAAa;AACnB,UAAM,iBAAiB,CAAC,UAAmB;AACzC,UAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAAG,QAAO;AAE5D,YAAM,YAAY,MAAM,WAAW,UAAU,IAAI,MAAM,MAAM,WAAW,MAAM,IAAI;AAMlF,aAAO,WAAW,KAAK,SAAS,IAAI,YAAY;AAAA,IAClD;AAEA,UAAM,sBAAsB,CAAC,UAAoD;AAC/E,UAAI,UAAU,KAAM,QAAO;AAC3B,UAAI,MAAM,QAAQ,KAAK,EAAG,QAAO;AACjC,UAAI,OAAO,UAAU,SAAU,QAAO;AACtC,aAAO;AAAA,IACT;AAEA,UAAM,mBAAmB,CAAC,UACxB,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK,IAC/D,QACA;AAGN,WAAO;AAAA,MACL,UAAU,eAAe,MAAM,QAAQ;AAAA,MACvC,gBAAgB,eAAe,MAAM,cAAc;AAAA,MACnD,aAAa,eAAe,MAAM,WAAW;AAAA,MAC7C,WAAW,OAAO,MAAM,cAAc,YAAY,MAAM,UAAU,SAAS,IAAI,MAAM,YAAY;AAAA,MACjG,aAAa,iBAAiB,MAAM,WAAW,KAAK;AAAA,MACpD,cAAc,iBAAiB,MAAM,YAAY,KAAK;AAAA,MACtD,YAAY,iBAAiB,MAAM,UAAU,KAAK;AAAA,MAClD,oBAAoB,iBAAiB,MAAM,kBAAkB,KAAK;AAAA,MAClE,kBAAkB,iBAAiB,MAAM,gBAAgB,KAAK;AAAA,MAC9D,gBAAgB,MAAM,mBAAmB,YAAY,MAAM,mBAAmB,WAAW,MAAM,iBAAiB;AAAA,MAChH,WAAW,iBAAiB,MAAM,SAAS,KAAK;AAAA,MAChD,gBAAgB,MAAM;AAAA,MACtB,gBAAgB,MAAM;AAAA,MACtB,eAAe,MAAM;AAAA,MACrB,SAAS,oBAAoB,MAAM,OAAO;AAAA,MAC1C,SAAS,iBAAiB,MAAM,OAAO;AAAA,IACzC;AAAA,EACF;AAAA,EAEQ,eAAe,OAAoC;AACzD,WAAO,oBAAoB,MAAM;AAAA,MAC/B,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA,EAEQ,oBAAoB,QAAsC;AAChE,UAAM,SAAS,CAAC,GAAI,OAAO,gBAAgB,CAAC,CAAE;AAC9C,QAAI,OAAO,YAAa,QAAO,KAAK,OAAO,WAAW;AAEtD,WAAO,MAAM,KAAK,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAAA,EAChF;AAAA,EAEQ,kBAAkB,QAAsC;AAC9D,UAAM,SAAS,CAAC,GAAI,OAAO,cAAc,CAAC,CAAE;AAC5C,QAAI,OAAO,UAAW,QAAO,KAAK,OAAO,SAAS;AAElD,WAAO,MAAM,KAAK,IAAI,IAAI,OAAO,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC;AAAA,EAChF;AAAA,EAEQ,mBAAmB,QAAmD;AAC5E,UAAM,SAAS,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAC7C,QAAI,OAAO,WAAY,QAAO,KAAK,OAAO,UAAU;AAEpD,WAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,EAC9B,OAAO,CAAC,UAAwC,wBAAwB,SAAS,KAA4B,CAAC;AAAA,EACnH;AAAA,EAEQ,kBAAkB,QAA+F;AACvH,UAAM,WACJ,OAAO,OAAO,aAAa,YAAY,OAAO,WAAW,IACrD,OAAO,WACP,OAAO,OAAO,UAAU,YAAY,OAAO,QAAQ,IACjD,OAAO,QACP;AACR,UAAM,OAAO,OAAO,OAAO,SAAS,YAAY,OAAO,OAAO,IAAI,OAAO,OAAO;AAChF,UAAM,SACJ,OAAO,OAAO,WAAW,YAAY,OAAO,UAAU,IAClD,OAAO,UACN,OAAO,KAAK;AACnB,WAAO,EAAE,MAAM,UAAU,QAAQ,OAAO,SAAS;AAAA,EACnD;AAAA,EAEA,MAAc,YAAY,QAA4B,SAAkC;AACtF,QAAI,QAAS,KAAK,eAAe,MAAM,EAAU,OAAO,sBAAsB;AAE9E,QAAI,SAAS,aAAa,OAAO;AAC/B,YAAM,EAAE,OAAO,OAAO,IAAI,KAAK,kBAAkB,MAAM;AACvD,cAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,MAAM;AAAA,IAC1C;AAEA,UAAM,OAAO,MAAM,MAAM,QAAQ;AACjC,UAAM,MAAM,KAAK,IAAI,CAAC,QAAa,IAAI,EAAE,EAAE,OAAO,OAAO;AACzD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAE9B,UAAM,UAAU,MAAM,KAAK,GAAG,KAAK,WAAW;AAAA,MAC5C,IAAI,EAAE,KAAK,IAAI;AAAA,MACf,WAAW;AAAA,IACb,CAAC;AACD,UAAM,KAAK,eAAe,OAAO;AAEjC,UAAM,OAAO,IAAI,IAAI,QAAQ,IAAI,CAAC,UAAe,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AACnE,WAAO,IACJ,IAAI,CAAC,OAAY,KAAK,IAAI,EAAE,CAAC,EAC7B,OAAO,CAAC,UAAmC,QAAQ,KAAK,CAAC;AAAA,EAC9D;AAAA,EAEQ,eAAe,QAAiC;AACtD,QAAI,QAAS,KAAK,GAAG,UAAe,EACjC,WAAW,aAAa,EACxB,UAAU,EACV,MAAM,0BAA0B,MAAM,IAAI;AAE7C,QAAI,OAAO,SAAU,SAAQ,MAAM,MAAM,yBAAyB,KAAK,OAAO,QAAQ;AACtF,QAAI,OAAO,eAAgB,SAAQ,MAAM,MAAM,+BAA+B,KAAK,OAAO,cAAc;AAExG,UAAM,eAAe,KAAK,oBAAoB,MAAM;AACpD,QAAI,aAAa,WAAW,EAAG,SAAQ,MAAM,MAAM,6BAA6B,KAAK,aAAa,CAAC,CAAC;AACpG,QAAI,aAAa,SAAS,EAAG,SAAQ,MAAM,MAAM,6BAA6B,MAAM,YAAY;AAEhG,QAAI,OAAO,kBAAkB,OAAO,gBAAgB,OAAO,YAAY;AACrE,cAAQ,MAAM;AAAA,QAAM,CAAC,OACnB,GAAG,GAAG;AAAA,UACJ,GAAG,IAAI;AAAA,YACL,GAAG,6BAA6B,KAAK,OAAO,YAAY;AAAA,YACxD,GAAG,2BAA2B,KAAK,OAAO,UAAU;AAAA,UACtD,CAAC;AAAA,UACD,GAAG,IAAI;AAAA,YACL,GAAG,oCAAoC,KAAK,OAAO,YAAY;AAAA,YAC/D,GAAG,kCAAkC,KAAK,OAAO,UAAU;AAAA,UAC7D,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF,OAAO;AACL,UAAI,OAAO,aAAc,SAAQ,MAAM,MAAM,6BAA6B,KAAK,OAAO,YAAY;AAClG,UAAI,OAAO,WAAY,SAAQ,MAAM,MAAM,2BAA2B,KAAK,OAAO,UAAU;AAAA,IAC9F;AAEA,QAAI,OAAO,aAAc,SAAQ,MAAM,MAAM,0BAA0B,UAAU,IAAI;AACrF,QAAI,OAAO,OAAQ,SAAQ,MAAM,MAAM,0BAA0B,KAAK,OAAO,MAAM;AACnF,QAAI,OAAO,MAAO,SAAQ,MAAM,MAAM,0BAA0B,KAAK,OAAO,KAAK;AAEjF,UAAM,aAAa,KAAK,kBAAkB,MAAM;AAChD,QAAI,WAAW,WAAW,EAAG,SAAQ,MAAM,MAAM,qCAAqC,KAAK,WAAW,CAAC,CAAC;AACxG,QAAI,WAAW,SAAS,EAAG,SAAQ,MAAM,MAAM,qCAAqC,MAAM,UAAU;AAEpG,UAAM,cAAc,KAAK,mBAAmB,MAAM;AAClD,QAAI,YAAY,WAAW,EAAG,SAAQ,MAAM,MAAM,2BAA2B,KAAK,YAAY,CAAC,CAAC;AAChG,QAAI,YAAY,SAAS,EAAG,SAAQ,MAAM,MAAM,2BAA2B,MAAM,WAAW;AAE5F,QAAI,OAAO,cAAc,QAAQ;AAC/B,cAAQ,MAAM,SAAS,wBAAwB,kBAAkB,2BAA2B;AAAA,IAC9F;AAEA,UAAM,UAAU,OAAO,YAAY,QAAQ,QAAQ;AACnD,YAAQ,OAAO,WAAW;AAAA,MACxB,KAAK;AACH,gBAAQ,MAAM,QAAQ,oEAAoE,OAAO;AACjG;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,4CAA4C,OAAO;AACzE;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,sDAAsD,OAAO;AACnF;AAAA,MACF,KAAK;AACH,gBAAQ,MAAM,QAAQ,2CAA2C,OAAO;AACxE;AAAA,MACF,KAAK;AAAA,MACL;AACE,gBAAQ,MAAM,QAAQ,YAAY,WAAW,OAAO;AACpD,gBAAQ,MAAM,QAAQ,kBAAkB,OAAO;AAC/C,eAAO;AAAA,IACX;AAEA,YAAQ,MAAM,QAAQ,0BAA0B,MAAM;AACtD,YAAQ,MAAM,QAAQ,kBAAkB,MAAM;AAC9C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,MAAM,OAAoC;AAC9C,UAAM,SAAS,KAAK,eAAe,KAAK;AACxC,UAAM,MAAM,MAAO,KAAK,eAAe,MAAM,EAC1C,YAAY,EACZ,aAAa,EACb,OAAO,cAAsB,GAAG,OAAO,CAAC,EACxC,iBAAiB;AAEpB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,WAAW,IAAI,SAAS;AAC9B,WAAO,OAAO,aAAa,WAAW,WAAW,OAAO,SAAS,UAAU,EAAE,KAAK;AAAA,EACpF;AAAA,EAEA,MAAM,KAAK,OAAoC;AAC7C,UAAM,SAAS,KAAK,eAAe,KAAK;AACxC,UAAM,EAAE,MAAM,SAAS,IAAI,KAAK,kBAAkB,MAAM;AACxD,UAAM,CAAC,OAAO,KAAK,IAAI,MAAM,QAAQ,IAAI;AAAA,MACvC,KAAK,YAAY,MAAM;AAAA,MACvB,KAAK,MAAM,MAAM;AAAA,IACnB,CAAC;AACD,UAAM,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,MAAM,YAAY,EAAE,CAAC;AACxE,WAAO,EAAE,OAAO,OAAO,MAAM,UAAU,WAAW;AAAA,EACpD;AAAA,EAEA,MAAM,uBAAuB,aAAqB,OAAqE;AACrH,UAAM,QAAgC;AAAA,MACpC;AAAA,MACA,WAAW,EAAE,KAAK,KAAK;AAAA,MACvB,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,MAAM,SAAU,OAAM,WAAW,MAAM;AAC3C,QAAI,MAAM,eAAgB,OAAM,iBAAiB,MAAM;AAEvD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,IAAY,YAAmC;AAC9D,UAAM,OAAO,KAAK,GAAG,KAAK;AAC1B,UAAM,MAAM,MAAM,KAAK,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACjE,QAAI,CAAC,IAAK,QAAO;AAEjB,QAAI,iBAAiB;AACrB,QAAI,YAAY;AAEhB,UAAM,WAAW,aAAa,KAAK,gBAAgB,MAAM,KAAK,iBAAiB,UAAU,CAAC,IAAI;AAC9F,QAAI,UAAU;AACZ,WAAK,QAAQ,QAAQ;AAAA,IACvB;AAEA,UAAM,KAAK,MAAM;AACjB,UAAM,KAAK,eAAe,GAAG;AAC7B,QAAI,SAAU,OAAM,KAAK,eAAe,QAAQ;AAEhD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,WAAmB;AACvC,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,WAAW,WAAW,KAAK,CAAC;AAC7E,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,SAAS,IAAY;AACzB,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACtE,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,0BAA0B,QAM7B;AACD,UAAM,QAAgC;AAAA,MACpC,aAAa,OAAO;AAAA,MACpB,WAAW,EAAE,KAAK,KAAK;AAAA,MACvB,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,OAAO,SAAU,OAAM,WAAW,OAAO;AAC7C,QAAI,OAAO,eAAgB,OAAM,iBAAiB,OAAO;AACzD,QAAI,OAAO,aAAc,OAAM,eAAe,OAAO;AACrD,QAAI,OAAO,WAAY,OAAM,aAAa,OAAO;AAEjD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,qBAAqB,aAAqB,OAAqE;AACnH,UAAM,QAAgC;AAAA,MACpC;AAAA,MACA,gBAAgB;AAAA,MAChB,WAAW;AAAA,IACb;AACA,QAAI,MAAM,SAAU,OAAM,WAAW,MAAM;AAC3C,QAAI,MAAM,eAAgB,OAAM,iBAAiB,MAAM;AAEvD,UAAM,QAAQ,MAAM,KAAK,GAAG,QAAQ,WAAW,OAAO,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE,CAAC;AACxF,UAAM,KAAK,eAAe,KAAK;AAC/B,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,IAAY;AAC3B,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,WAAW,EAAE,IAAI,WAAW,KAAK,CAAC;AACpE,QAAI,CAAC,IAAK,QAAO;AAEjB,QAAI,iBAAiB;AACrB,QAAI,YAAY;AAChB,UAAM,KAAK,GAAG,MAAM;AACpB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,oBAAoB,UAA8C,CAAC,GAA+C;AACtH,UAAM,YAAY,KAAK,IAAI,KAAK,IAAI,KAAK,MAAM,QAAQ,aAAa,GAAG,GAAG,CAAC,GAAG,GAAI;AAClF,UAAM,SAAS,QAAQ,WAAW,MAAM;AAAA,IAAC;AACzC,UAAM,SAA4C;AAAA,MAChD,QAAQ;AAAA,MACR,SAAS;AAAA,MACT,SAAS;AAAA,MACT,SAAS;AAAA,IACX;AAEA,QAAI,kBAA+B;AACnC,QAAI,WAA0B;AAE9B,WAAO,MAAM;AACX,YAAM,YAAa,KAAK,GAAG,UAAe,EACvC,WAAW,aAAa,EACxB,OAAO;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC,EACA,MAAM,0BAA0B,MAAM,IAAI;AAE7C,UAAI,QAAQ,SAAU,WAAU,MAAM,yBAAyB,KAAK,QAAQ,QAAQ;AACpF,UAAI,QAAQ,eAAgB,WAAU,MAAM,+BAA+B,KAAK,QAAQ,cAAc;AAEtG,UAAI,CAAC,QAAQ,OAAO;AAClB,kBAAU;AAAA,UAAM,CAAC,OACf,GAAG,GAAG;AAAA,YACJ,GAAG,2BAA2B,MAAM,IAAI;AAAA,YACxC,GAAG,0BAA0B,MAAM,IAAI;AAAA,YACvC,GAAG,8BAA8B,MAAM,IAAI;AAAA,UAC7C,CAAC;AAAA,QACH;AAAA,MACF;AAEA,UAAI,mBAAmB,UAAU;AAC/B,kBAAU;AAAA,UAAM,CAAC,OACf,GAAG,GAAG;AAAA,YACJ,GAAG,0BAA0B,KAAK,eAAe;AAAA,YACjD,GAAG,IAAI;AAAA,cACL,GAAG,0BAA0B,KAAK,eAAe;AAAA,cACjD,GAAG,kBAAkB,KAAK,QAAQ;AAAA,YACpC,CAAC;AAAA,UACH,CAAC;AAAA,QACH;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,UAChB,QAAQ,cAAc,KAAK,EAC3B,QAAQ,MAAM,KAAK,EACnB,MAAM,SAAS;AAElB,UAAI,KAAK,WAAW,EAAG;AAEvB,iBAAW,OAAO,MAAM;AACtB,eAAO,WAAW;AAElB,YAAI;AACF,gBAAM,YAAY,MAAM,KAAK,oBAAoB,GAAyC;AAC1F,gBAAM,aAAa,0BAA0B;AAAA,YAC3C,aAAa,WAAW,WAAW,eAAe,eAAe;AAAA,YACjE,aAAa,WAAW,WAAW,eAAe,cAAc;AAAA,YAChE,SAAS,WAAW,WAAW,eAAe,cAAc;AAAA,YAC5D,WAAW,WAAW,WAAW,aAAa,YAAY,KAAK;AAAA,YAC/D,SAAS,WAAW,WAAW,eAAe,cAAc;AAAA,YAC5D,gBAAgB,UAAU,WAAW,kBAAkB,iBAAiB;AAAA,UAC1E,CAAC;AAED,gBAAM,cAAc,QAAQ,UAAU,QACjC,IAAI,gBAAgB,WAAW,cAC/B,IAAI,eAAe,WAAW,aAC9B,IAAI,0BAA0B,WAAW,uBACzC,CAAC,kBAAkB,IAAI,gBAAgB,WAAW,aAAa;AAEpE,cAAI,CAAC,aAAa;AAChB,mBAAO,WAAW;AAClB;AAAA,UACF;AAEA,gBAAO,KAAK,GAAG,UAAe,EAC3B,YAAY,aAAa,EACzB,IAAI;AAAA,YACH,aAAa,WAAW;AAAA,YACxB,gBAAgB,WAAW;AAAA,YAC3B,uBAAuB,WAAW;AAAA,YAClC,YAAY,WAAW;AAAA,UACzB,CAAC,EACA,MAAM,MAAM,KAAK,IAAI,EAAE,EACvB,QAAQ;AAEX,iBAAO,WAAW;AAAA,QACpB,SAAS,KAAK;AACZ,iBAAO,UAAU;AACjB,iBAAO,oCAAoC,IAAI,EAAE,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,QAC1G;AAAA,MACF;AAEA,YAAM,UAAU,KAAK,KAAK,SAAS,CAAC;AACpC,wBAAkB,QAAQ;AAC1B,iBAAW,QAAQ;AAEnB;AAAA,QACE,wBAAwB,OAAO,OAAO,0BAA0B,OAAO,OAAO,cAAc,OAAO,OAAO,aAAa,OAAO,MAAM;AAAA,MACtI;AAEA,UAAI,KAAK,SAAS,UAAW;AAAA,IAC/B;AAEA,WAAO;AAAA,EACT;AACF;",
6
6
  "names": ["decrypted"]
7
7
  }
package/dist/modules/auth/api/users/route.js CHANGED
@@ -10,8 +10,10 @@ import { E } from "../../../../generated/entities.ids.generated.js";
10
10
  import { loadCustomFieldValues } from "@open-mercato/shared/lib/crud/custom-fields";
11
11
  import { userCrudEvents, userCrudIndexer } from "@open-mercato/core/modules/auth/commands/users";
12
12
  import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
13
- import { escapeLikePattern } from "@open-mercato/shared/lib/db/escapeLikePattern";
14
13
  import { buildPasswordSchema } from "@open-mercato/shared/lib/auth/passwordPolicy";
14
+ import { resolveSearchConfig } from "@open-mercato/shared/lib/search/config";
15
+ import { tokenizeText } from "@open-mercato/shared/lib/search/tokenize";
16
+ import { sql } from "kysely";
15
17
  const querySchema = z.object({
16
18
  id: z.string().uuid().optional(),
17
19
  page: z.coerce.number().min(1).default(1),
@@ -143,7 +145,6 @@ async function GET(req) {
143
145
  where.tenantId = auth.tenantId;
144
146
  }
145
147
  if (organizationId) where.organizationId = organizationId;
146
- if (search) where.email = { $ilike: `%${escapeLikePattern(search)}%` };
147
148
  let idFilter = id ? /* @__PURE__ */ new Set([id]) : null;
148
149
  if (Array.isArray(roleIds) && roleIds.length > 0) {
149
150
  const uniqueRoleIds = Array.from(new Set(roleIds));
@@ -163,6 +164,26 @@ async function GET(req) {
163
164
  }
164
165
  if (!idFilter || idFilter.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 });
165
166
  }
167
+ if (search) {
168
+ const tenantScope = isSuperAdmin ? void 0 : auth.tenantId ?? null;
169
+ const matchedIds = await findUserIdsBySearchTokens(em, E.auth.user, search, tenantScope);
170
+ if (matchedIds !== null) {
171
+ if (matchedIds.length === 0) {
172
+ return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin });
173
+ }
174
+ const matchedSet = new Set(matchedIds);
175
+ if (idFilter) {
176
+ for (const uid of Array.from(idFilter)) {
177
+ if (!matchedSet.has(uid)) idFilter.delete(uid);
178
+ }
179
+ if (idFilter.size === 0) {
180
+ return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin });
181
+ }
182
+ } else {
183
+ idFilter = matchedSet;
184
+ }
185
+ }
186
+ }
166
187
  if (idFilter && idFilter.size) {
167
188
  where.id = { $in: Array.from(idFilter) };
168
189
  } else if (id) {
@@ -279,6 +300,21 @@ const PUT = async (req) => {
279
300
  return crud.PUT(req);
280
301
  };
281
302
  const DELETE = crud.DELETE;
303
+ async function findUserIdsBySearchTokens(em, entityType, search, tenantScope) {
304
+ const trimmed = search.trim();
305
+ if (!trimmed) return null;
306
+ const searchConfig = resolveSearchConfig();
307
+ if (!searchConfig.enabled) return [];
308
+ const { hashes } = tokenizeText(trimmed, searchConfig);
309
+ if (!hashes.length) return [];
310
+ const db = em.getKysely();
311
+ let query = db.selectFrom("search_tokens").select("entity_id").where("entity_type", "=", entityType).where("token_hash", "in", hashes).groupBy("entity_id").having(sql`count(distinct token_hash) >= ${hashes.length}`);
312
+ if (tenantScope !== void 0) {
313
+ query = query.where(sql`tenant_id is not distinct from ${tenantScope}`);
314
+ }
315
+ const rows = await query.execute();
316
+ return rows.map((row) => typeof row.entity_id === "string" ? row.entity_id : null).filter((id) => typeof id === "string" && id.length > 0);
317
+ }
282
318
  const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
283
319
  async function assertCanAssignRoles(req, roles) {
284
320
  if (!Array.isArray(roles)) return;
package/dist/modules/auth/api/users/route.js.map CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 3,
3
3
  "sources": ["../../../../../src/modules/auth/api/users/route.ts"],
4
- "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\n\nconst querySchema = z.object({\n id: z.string().uuid().optional(),\n page: z.coerce.number().min(1).default(1),\n pageSize: z.coerce.number().min(1).max(100).default(50),\n search: z.string().optional(),\n organizationId: z.string().uuid().optional(),\n roleIds: z.array(z.string().uuid()).optional(),\n}).passthrough()\n\nconst rawBodySchema = z.object({}).passthrough()\n\nconst passwordSchema = buildPasswordSchema()\n\nconst userCreateSchema = z.object({\n email: z.string().email(),\n password: passwordSchema.optional(),\n sendInviteEmail: z.boolean().optional(),\n organizationId: z.string().uuid(),\n roles: z.array(z.string()).optional(),\n}).refine(\n (data) => data.password || data.sendInviteEmail,\n { message: 'Either password or sendInviteEmail is required', path: ['password'] },\n)\n\nconst userUpdateSchema = z.object({\n id: z.string().uuid(),\n email: z.string().email().optional(),\n password: passwordSchema.optional(),\n organizationId: z.string().uuid().optional(),\n roles: z.array(z.string()).optional(),\n})\n\nconst userListItemSchema = z.object({\n id: z.string().uuid(),\n email: z.string().email(),\n organizationId: z.string().uuid().nullable(),\n organizationName: z.string().nullable(),\n tenantId: z.string().uuid().nullable(),\n tenantName: z.string().nullable(),\n roles: z.array(z.string()),\n roleIds: z.array(z.string().uuid()).optional(),\n})\n\nconst userListResponseSchema = z.object({\n items: z.array(userListItemSchema),\n total: z.number().int().nonnegative(),\n totalPages: z.number().int().positive(),\n isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\ntype CrudInput = Record<string, unknown>\n\nconst routeMetadata = {\n GET: { requireAuth: true, requireFeatures: ['auth.users.list'] },\n POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n PUT: { requireAuth: true, requireFeatures: ['auth.users.edit'] },\n DELETE: { requireAuth: true, requireFeatures: ['auth.users.delete'] },\n}\n\nexport const metadata = routeMetadata\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n metadata: routeMetadata,\n orm: {\n entity: User,\n idField: 'id',\n orgField: null,\n tenantField: null,\n softDeleteField: 'deletedAt',\n },\n events: userCrudEvents,\n indexer: userCrudIndexer,\n actions: {\n create: {\n commandId: 'auth.users.create',\n schema: rawBodySchema,\n mapInput: async ({ parsed, ctx }) => {\n if (ctx.request) {\n await assertCanAssignRoles(ctx.request, parsed.roles)\n }\n return parsed\n },\n response: ({ result }) => ({\n id: String(result.user.id),\n ...(result.warning ? { _warning: result.warning } : {}),\n }),\n status: 201,\n },\n update: {\n commandId: 'auth.users.update',\n schema: rawBodySchema,\n mapInput: async ({ parsed, ctx }) => {\n if (ctx.request) {\n await assertCanAssignRoles(ctx.request, parsed.roles)\n }\n return parsed\n },\n response: () => ({ ok: true }),\n },\n delete: {\n commandId: 'auth.users.delete',\n response: () => ({ ok: true }),\n },\n },\n})\n\nexport async function GET(req: Request) {\n const auth = await getAuthFromRequest(req)\n if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n const url = new URL(req.url)\n const rawRoleIds = url.searchParams.getAll('roleId').filter((id): id is string => typeof id === 'string' && id.trim().length > 0)\n const parsed = querySchema.safeParse({\n id: url.searchParams.get('id') || undefined,\n page: url.searchParams.get('page') || undefined,\n pageSize: url.searchParams.get('pageSize') || undefined,\n search: url.searchParams.get('search') || undefined,\n organizationId: url.searchParams.get('organizationId') || undefined,\n roleIds: rawRoleIds.length ? rawRoleIds : undefined,\n })\n if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n const container = await createRequestContainer()\n const em = (container.resolve('em') as EntityManager)\n let isSuperAdmin = false\n try {\n if (auth.sub) {\n const rbacService = container.resolve('rbacService') as any\n const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n isSuperAdmin = !!acl?.isSuperAdmin\n }\n } catch (err) {\n console.error('users: failed to resolve rbac', err)\n }\n const { id, page, pageSize, search, organizationId, roleIds } = parsed.data\n const where: any = { deletedAt: null }\n if (!isSuperAdmin) {\n if (!auth.tenantId) {\n return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n }\n where.tenantId = auth.tenantId\n }\n if (organizationId) where.organizationId = organizationId\n if (search) where.email = { $ilike: `%${escapeLikePattern(search)}%` } as any\n let idFilter: Set<string> | null = id ? new Set([id]) : null\n if (Array.isArray(roleIds) && roleIds.length > 0) {\n const uniqueRoleIds = Array.from(new Set(roleIds))\n const linksForRoles = await em.find(UserRole, { role: { $in: uniqueRoleIds as any } } as any)\n const roleUserIds = new Set<string>()\n for (const link of linksForRoles) {\n const uid = String((link as any).user?.id || (link as any).user || '')\n if (uid) roleUserIds.add(uid)\n }\n if (roleUserIds.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n if (idFilter) {\n for (const uid of Array.from(idFilter)) {\n if (!roleUserIds.has(uid)) idFilter.delete(uid)\n }\n } else {\n idFilter = roleUserIds\n }\n if (!idFilter || idFilter.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n }\n if (idFilter && idFilter.size) {\n where.id = { $in: Array.from(idFilter) as any }\n } else if (id) {\n where.id = id\n }\n const [rows, count] = await em.findAndCount(User, where, { limit: pageSize, offset: (page - 1) * pageSize })\n const userIds = rows.map((u: any) => u.id)\n const links = userIds.length\n ? await findWithDecryption(\n em,\n UserRole,\n { user: { $in: userIds as any } } as any,\n { populate: ['role'] },\n { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n )\n : []\n const roleMap: Record<string, string[]> = {}\n const roleIdMap: Record<string, string[]> = {}\n for (const l of links) {\n const uid = String((l as any).user?.id || (l as any).user)\n const rname = String((l as any).role?.name || '')\n const rid = String((l as any).role?.id ?? '')\n if (!roleMap[uid]) roleMap[uid] = []\n if (!roleIdMap[uid]) roleIdMap[uid] = []\n if (rname) roleMap[uid].push(rname)\n if (rid) roleIdMap[uid].push(rid)\n }\n const orgIds = rows\n .map((u: any) => (u.organizationId ? String(u.organizationId) : null))\n .filter((id): id is string => !!id)\n const uniqueOrgIds = Array.from(new Set(orgIds))\n let orgMap: Record<string, string> = {}\n if (uniqueOrgIds.length) {\n const organizations = await em.find(\n Organization,\n { id: { $in: uniqueOrgIds as any }, deletedAt: null },\n )\n orgMap = organizations.reduce<Record<string, string>>((acc, org) => {\n const orgId = org?.id ? String(org.id) : null\n if (!orgId) return acc\n const rawName = (org as any)?.name\n const orgName = typeof rawName === 'string' && rawName.length > 0 ? rawName : orgId\n acc[orgId] = orgName\n return acc\n }, {})\n }\n const tenantIds = rows\n .map((u: any) => (u.tenantId ? String(u.tenantId) : null))\n .filter((id): id is string => !!id)\n const uniqueTenantIds = Array.from(new Set(tenantIds))\n let tenantMap: Record<string, string> = {}\n if (uniqueTenantIds.length) {\n const tenants = await em.find(\n Tenant,\n { id: { $in: uniqueTenantIds as any }, deletedAt: null },\n )\n tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n const tenantId = tenant?.id ? String(tenant.id) : null\n if (!tenantId) return acc\n const rawName = (tenant as any)?.name\n const tenantName = typeof rawName === 'string' && rawName.length > 0 ? rawName : tenantId\n acc[tenantId] = tenantName\n return acc\n }, {})\n }\n const tenantByUser: Record<string, string | null> = {}\n const organizationByUser: Record<string, string | null> = {}\n for (const u of rows) {\n const uid = String(u.id)\n tenantByUser[uid] = u.tenantId ? String(u.tenantId) : null\n organizationByUser[uid] = u.organizationId ? String(u.organizationId) : null\n }\n const cfByUser = userIds.length\n ? await loadCustomFieldValues({\n em,\n entityId: E.auth.user,\n recordIds: userIds.map(String),\n tenantIdByRecord: tenantByUser,\n organizationIdByRecord: organizationByUser,\n tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],\n })\n : {}\n\n const items = rows.map((u: any) => {\n const uid = String(u.id)\n const orgId = u.organizationId ? String(u.organizationId) : null\n return {\n id: uid,\n email: String(u.email),\n organizationId: orgId,\n organizationName: orgId ? orgMap[orgId] ?? orgId : null,\n tenantId: u.tenantId ? String(u.tenantId) : null,\n tenantName: u.tenantId ? tenantMap[String(u.tenantId)] ?? String(u.tenantId) : null,\n roles: roleMap[uid] || [],\n roleIds: roleIdMap[uid] || [],\n hasPassword: !!u.passwordHash,\n ...(cfByUser[uid] || {}),\n }\n })\n const totalPages = Math.max(1, Math.ceil(count / pageSize))\n await logCrudAccess({\n container,\n auth,\n request: req,\n items,\n idField: 'id',\n resourceKind: 'auth.user',\n organizationId: null,\n tenantId: auth.tenantId ?? null,\n query: parsed.data,\n accessType: id ? 'read:item' : undefined,\n })\n return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = async (req: Request) => {\n const body = await req.clone().json().catch(() => ({}))\n await assertCanAssignRoles(req, body?.roles)\n return crud.POST(req)\n}\n\nexport const PUT = async (req: Request) => {\n const body = await req.clone().json().catch(() => ({}))\n await assertCanAssignRoles(req, body?.roles)\n return crud.PUT(req)\n}\n\nexport const DELETE = crud.DELETE\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nasync function assertCanAssignRoles(req: Request, roles: unknown) {\n if (!Array.isArray(roles)) return\n const values = roles\n .map((role) => (typeof role === 'string' ? role.trim() : null))\n .filter((role): role is string => !!role)\n if (!values.length) return\n\n let hasSuperAdmin = values.some((v) => v.toLowerCase() === 'superadmin')\n if (!hasSuperAdmin) {\n const uuids = values.filter((v) => UUID_RE.test(v))\n if (uuids.length) {\n const container = await createRequestContainer()\n const em = container.resolve('em') as EntityManager\n const matched = await em.find(Role, { id: { $in: uuids as any } })\n hasSuperAdmin = matched.some((r) => String(r.name).toLowerCase() === 'superadmin')\n }\n }\n if (!hasSuperAdmin) return\n\n const auth = await getAuthFromRequest(req)\n if (!auth) throw new Error('Unauthorized')\n const container = await createRequestContainer()\n const rbac = container.resolve('rbacService') as RbacService\n const acl = await rbac.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n if (!acl?.isSuperAdmin) {\n throw forbidden('Only super administrators can assign the superadmin role.')\n }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n tag: 'Authentication & Accounts',\n summary: 'User management',\n methods: {\n GET: {\n summary: 'List users',\n description:\n 'Returns users for the current tenant. Super administrators may scope the response via organization or role filters.',\n query: querySchema,\n responses: [\n { status: 200, description: 'User collection', schema: userListResponseSchema },\n ],\n },\n POST: {\n summary: 'Create user',\n description: 'Creates a new confirmed user within the specified organization and optional roles.',\n requestBody: {\n contentType: 'application/json',\n schema: userCreateSchema,\n },\n responses: [\n {\n status: 201,\n description: 'User created',\n schema: z.object({ id: z.string().uuid() }),\n },\n ],\n errors: [\n { status: 400, description: 'Invalid payload or duplicate email', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n ],\n },\n PUT: {\n summary: 'Update user',\n description: 'Updates profile fields, organization assignment, credentials, or role memberships.',\n requestBody: {\n contentType: 'application/json',\n schema: userUpdateSchema,\n },\n responses: [\n { status: 200, description: 'User updated', schema: okResponseSchema },\n ],\n errors: [\n { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n { status: 404, description: 'User not found', schema: errorResponseSchema },\n ],\n },\n DELETE: {\n summary: 'Delete user',\n description: 'Deletes a user by identifier. Undo support is provided via the command bus.',\n query: z.object({ id: z.string().uuid().describe('User identifier') }),\n responses: [\n { status: 200, description: 'User deleted', schema: okResponseSchema },\n ],\n errors: [\n { status: 400, description: 'User cannot be deleted', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 404, description: 'User not found', schema: errorResponseSchema },\n ],\n },\n },\n}\n"],
5
- "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,iBAAiB;AAC1B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,MAAM,gBAAgB;AAErC,SAAS,cAAc,cAAc;AACrC,SAAS,SAAS;AAClB,SAAS,6BAA6B;AAEtC,SAAS,gBAAgB,uBAAuB;AAChD,SAAS,0BAA0B;AACnC,SAAS,yBAAyB;AAClC,SAAS,2BAA2B;AAEpC,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC,EAAE,YAAY;AAEf,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAE/C,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,eAAe,SAAS;AAAA,EAClC,iBAAiB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACtC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC,EAAE;AAAA,EACD,CAAC,SAAS,KAAK,YAAY,KAAK;AAAA,EAChC,EAAE,SAAS,kDAAkD,MAAM,CAAC,UAAU,EAAE;AAClF;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,kBAAkB,EAAE,OAAO,EAAE,SAAS;AAAA,EACtC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EACzB,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAI1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,KAAK;AAAA,QACtD;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,CAAC,EAAE,OAAO,OAAO;AAAA,QACzB,IAAI,OAAO,OAAO,KAAK,EAAE;AAAA,QACzB,GAAI,OAAO,UAAU,EAAE,UAAU,OAAO,QAAQ,IAAI,CAAC;AAAA,MACvD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,KAAK;AAAA,QACtD;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,aAAa,IAAI,aAAa,OAAO,QAAQ,EAAE,OAAO,CAACA,QAAqB,OAAOA,QAAO,YAAYA,IAAG,KAAK,EAAE,SAAS,CAAC;AAChI,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,gBAAgB,IAAI,aAAa,IAAI,gBAAgB,KAAK;AAAA,IAC1D,SAAS,WAAW,SAAS,aAAa;AAAA,EAC5C,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,gBAAgB,QAAQ,IAAI,OAAO;AACvE,QAAM,QAAa,EAAE,WAAW,KAAK;AACrC,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,KAAK,UAAU;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AACA,UAAM,WAAW,KAAK;AAAA,EACxB;AACA,MAAI,eAAgB,OAAM,iBAAiB;AAC3C,MAAI,OAAQ,OAAM,QAAQ,EAAE,QAAQ,IAAI,kBAAkB,MAAM,CAAC,IAAI;AACrE,MAAI,WAA+B,KAAK,oBAAI,IAAI,CAAC,EAAE,CAAC,IAAI;AACxD,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,gBAAgB,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC;AACjD,UAAM,gBAAgB,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,EAAE,KAAK,cAAqB,EAAE,CAAQ;AAC5F,UAAM,cAAc,oBAAI,IAAY;AACpC,eAAW,QAAQ,eAAe;AAChC,YAAM,MAAM,OAAQ,KAAa,MAAM,MAAO,KAAa,QAAQ,EAAE;AACrE,UAAI,IAAK,aAAY,IAAI,GAAG;AAAA,IAC9B;AACA,QAAI,YAAY,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC3F,QAAI,UAAU;AACZ,iBAAW,OAAO,MAAM,KAAK,QAAQ,GAAG;AACtC,YAAI,CAAC,YAAY,IAAI,GAAG,EAAG,UAAS,OAAO,GAAG;AAAA,MAChD;AAAA,IACF,OAAO;AACL,iBAAW;AAAA,IACb;AACA,QAAI,CAAC,YAAY,SAAS,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAAA,EACvG;AACA,MAAI,YAAY,SAAS,MAAM;AAC7B,UAAM,KAAK,EAAE,KAAK,MAAM,KAAK,QAAQ,EAAS;AAAA,EAChD,WAAW,IAAI;AACb,UAAM,KAAK;AAAA,EACb;AACA,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,EAAE,EAAE;AACzC,QAAM,QAAQ,QAAQ,SAClB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAe,EAAE;AAAA,IAChC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,IACA,CAAC;AACL,QAAM,UAAoC,CAAC;AAC3C,QAAM,YAAsC,CAAC;AAC7C,aAAW,KAAK,OAAO;AACrB,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,UAAM,QAAQ,OAAQ,EAAU,MAAM,QAAQ,EAAE;AAChD,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAM,EAAE;AAC5C,QAAI,CAAC,QAAQ,GAAG,EAAG,SAAQ,GAAG,IAAI,CAAC;AACnC,QAAI,CAAC,UAAU,GAAG,EAAG,WAAU,GAAG,IAAI,CAAC;AACvC,QAAI,MAAO,SAAQ,GAAG,EAAE,KAAK,KAAK;AAClC,QAAI,IAAK,WAAU,GAAG,EAAE,KAAK,GAAG;AAAA,EAClC;AACA,QAAM,SAAS,KACZ,IAAI,CAAC,MAAY,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI,IAAK,EACpE,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;AAC/C,MAAI,SAAiC,CAAC;AACtC,MAAI,aAAa,QAAQ;AACvB,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,aAAoB,GAAG,WAAW,KAAK;AAAA,IACtD;AACA,aAAS,cAAc,OAA+B,CAAC,KAAK,QAAQ;AAClE,YAAM,QAAQ,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI;AACzC,UAAI,CAAC,MAAO,QAAO;AACnB,YAAM,UAAW,KAAa;AAC9B,YAAM,UAAU,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC9E,UAAI,KAAK,IAAI;AACb,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,YAAY,KACf,IAAI,CAAC,MAAY,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI,IAAK,EACxD,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,SAAS,CAAC;AACrD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,GAAG;AAAA,MACvB;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK;AAAA,IACzD;AACA,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,WAAW,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAClD,UAAI,CAAC,SAAU,QAAO;AACtB,YAAM,UAAW,QAAgB;AACjC,YAAM,aAAa,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AACjF,UAAI,QAAQ,IAAI;AAChB,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,QAAM,qBAAoD,CAAC;AAC3D,aAAW,KAAK,MAAM;AACpB,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,iBAAa,GAAG,IAAI,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AACtD,uBAAmB,GAAG,IAAI,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAAA,EAC1E;AACA,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW,QAAQ,IAAI,MAAM;AAAA,IAC7B,kBAAkB;AAAA,IAClB,wBAAwB;AAAA,IACxB,iBAAiB,KAAK,WAAW,CAAC,KAAK,QAAQ,IAAI,CAAC;AAAA,EACtD,CAAC,IACD,CAAC;AAEL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,UAAM,QAAQ,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAC5D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO,OAAO,EAAE,KAAK;AAAA,MACrB,gBAAgB;AAAA,MAChB,kBAAkB,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAAA,MACnD,UAAU,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC5C,YAAY,EAAE,WAAW,UAAU,OAAO,EAAE,QAAQ,CAAC,KAAK,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC/E,OAAO,QAAQ,GAAG,KAAK,CAAC;AAAA,MACxB,SAAS,UAAU,GAAG,KAAK,CAAC;AAAA,MAC5B,aAAa,CAAC,CAAC,EAAE;AAAA,MACjB,GAAI,SAAS,GAAG,KAAK,CAAC;AAAA,IACxB;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,OAAO,QAAiB;AAC1C,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,QAAM,qBAAqB,KAAK,MAAM,KAAK;AAC3C,SAAO,KAAK,KAAK,GAAG;AACtB;AAEO,MAAM,MAAM,OAAO,QAAiB;AACzC,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,QAAM,qBAAqB,KAAK,MAAM,KAAK;AAC3C,SAAO,KAAK,IAAI,GAAG;AACrB;AAEO,MAAM,SAAS,KAAK;AAE3B,MAAM,UAAU;AAEhB,eAAe,qBAAqB,KAAc,OAAgB;AAChE,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG;AAC3B,QAAM,SAAS,MACZ,IAAI,CAAC,SAAU,OAAO,SAAS,WAAW,KAAK,KAAK,IAAI,IAAK,EAC7D,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,MAAI,CAAC,OAAO,OAAQ;AAEpB,MAAI,gBAAgB,OAAO,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,YAAY;AACvE,MAAI,CAAC,eAAe;AAClB,UAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,QAAQ,KAAK,CAAC,CAAC;AAClD,QAAI,MAAM,QAAQ;AAChB,YAAMC,aAAY,MAAM,uBAAuB;AAC/C,YAAM,KAAKA,WAAU,QAAQ,IAAI;AACjC,YAAM,UAAU,MAAM,GAAG,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,MAAa,EAAE,CAAC;AACjE,sBAAgB,QAAQ,KAAK,CAAC,MAAM,OAAO,EAAE,IAAI,EAAE,YAAY,MAAM,YAAY;AAAA,IACnF;AAAA,EACF;AACA,MAAI,CAAC,cAAe;AAEpB,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,cAAc;AACzC,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AAChH,MAAI,CAAC,KAAK,cAAc;AACtB,UAAM,UAAU,2DAA2D;AAAA,EAC7E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,oBAAoB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,MAClG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
4
+ "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\nimport { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'\nimport { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'\nimport { sql } from 'kysely'\n\nconst querySchema = z.object({\n id: z.string().uuid().optional(),\n page: z.coerce.number().min(1).default(1),\n pageSize: z.coerce.number().min(1).max(100).default(50),\n search: z.string().optional(),\n organizationId: z.string().uuid().optional(),\n roleIds: z.array(z.string().uuid()).optional(),\n}).passthrough()\n\nconst rawBodySchema = z.object({}).passthrough()\n\nconst passwordSchema = buildPasswordSchema()\n\nconst userCreateSchema = z.object({\n email: z.string().email(),\n password: passwordSchema.optional(),\n sendInviteEmail: z.boolean().optional(),\n organizationId: z.string().uuid(),\n roles: z.array(z.string()).optional(),\n}).refine(\n (data) => data.password || data.sendInviteEmail,\n { message: 'Either password or sendInviteEmail is required', path: ['password'] },\n)\n\nconst userUpdateSchema = z.object({\n id: z.string().uuid(),\n email: z.string().email().optional(),\n password: passwordSchema.optional(),\n organizationId: z.string().uuid().optional(),\n roles: z.array(z.string()).optional(),\n})\n\nconst userListItemSchema = z.object({\n id: z.string().uuid(),\n email: z.string().email(),\n organizationId: z.string().uuid().nullable(),\n organizationName: z.string().nullable(),\n tenantId: z.string().uuid().nullable(),\n tenantName: z.string().nullable(),\n roles: z.array(z.string()),\n roleIds: z.array(z.string().uuid()).optional(),\n})\n\nconst userListResponseSchema = z.object({\n items: z.array(userListItemSchema),\n total: z.number().int().nonnegative(),\n totalPages: z.number().int().positive(),\n isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\ntype CrudInput = Record<string, unknown>\n\nconst routeMetadata = {\n GET: { requireAuth: true, requireFeatures: ['auth.users.list'] },\n POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n PUT: { requireAuth: true, requireFeatures: ['auth.users.edit'] },\n DELETE: { requireAuth: true, requireFeatures: ['auth.users.delete'] },\n}\n\nexport const metadata = routeMetadata\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n metadata: routeMetadata,\n orm: {\n entity: User,\n idField: 'id',\n orgField: null,\n tenantField: null,\n softDeleteField: 'deletedAt',\n },\n events: userCrudEvents,\n indexer: userCrudIndexer,\n actions: {\n create: {\n commandId: 'auth.users.create',\n schema: rawBodySchema,\n mapInput: async ({ parsed, ctx }) => {\n if (ctx.request) {\n await assertCanAssignRoles(ctx.request, parsed.roles)\n }\n return parsed\n },\n response: ({ result }) => ({\n id: String(result.user.id),\n ...(result.warning ? { _warning: result.warning } : {}),\n }),\n status: 201,\n },\n update: {\n commandId: 'auth.users.update',\n schema: rawBodySchema,\n mapInput: async ({ parsed, ctx }) => {\n if (ctx.request) {\n await assertCanAssignRoles(ctx.request, parsed.roles)\n }\n return parsed\n },\n response: () => ({ ok: true }),\n },\n delete: {\n commandId: 'auth.users.delete',\n response: () => ({ ok: true }),\n },\n },\n})\n\nexport async function GET(req: Request) {\n const auth = await getAuthFromRequest(req)\n if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n const url = new URL(req.url)\n const rawRoleIds = url.searchParams.getAll('roleId').filter((id): id is string => typeof id === 'string' && id.trim().length > 0)\n const parsed = querySchema.safeParse({\n id: url.searchParams.get('id') || undefined,\n page: url.searchParams.get('page') || undefined,\n pageSize: url.searchParams.get('pageSize') || undefined,\n search: url.searchParams.get('search') || undefined,\n organizationId: url.searchParams.get('organizationId') || undefined,\n roleIds: rawRoleIds.length ? rawRoleIds : undefined,\n })\n if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n const container = await createRequestContainer()\n const em = (container.resolve('em') as EntityManager)\n let isSuperAdmin = false\n try {\n if (auth.sub) {\n const rbacService = container.resolve('rbacService') as any\n const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n isSuperAdmin = !!acl?.isSuperAdmin\n }\n } catch (err) {\n console.error('users: failed to resolve rbac', err)\n }\n const { id, page, pageSize, search, organizationId, roleIds } = parsed.data\n const where: any = { deletedAt: null }\n if (!isSuperAdmin) {\n if (!auth.tenantId) {\n return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n }\n where.tenantId = auth.tenantId\n }\n if (organizationId) where.organizationId = organizationId\n let idFilter: Set<string> | null = id ? new Set([id]) : null\n if (Array.isArray(roleIds) && roleIds.length > 0) {\n const uniqueRoleIds = Array.from(new Set(roleIds))\n const linksForRoles = await em.find(UserRole, { role: { $in: uniqueRoleIds as any } } as any)\n const roleUserIds = new Set<string>()\n for (const link of linksForRoles) {\n const uid = String((link as any).user?.id || (link as any).user || '')\n if (uid) roleUserIds.add(uid)\n }\n if (roleUserIds.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n if (idFilter) {\n for (const uid of Array.from(idFilter)) {\n if (!roleUserIds.has(uid)) idFilter.delete(uid)\n }\n } else {\n idFilter = roleUserIds\n }\n if (!idFilter || idFilter.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n }\n if (search) {\n // Email is encrypted at rest, so $ilike on the column cannot match plaintext input.\n // Resolve candidate users via search_tokens (tokens are built from the decrypted index doc).\n const tenantScope: string | null | undefined = isSuperAdmin ? undefined : auth.tenantId ?? null\n const matchedIds = await findUserIdsBySearchTokens(em, E.auth.user, search, tenantScope)\n if (matchedIds !== null) {\n if (matchedIds.length === 0) {\n return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n }\n const matchedSet = new Set(matchedIds)\n if (idFilter) {\n for (const uid of Array.from(idFilter)) {\n if (!matchedSet.has(uid)) idFilter.delete(uid)\n }\n if (idFilter.size === 0) {\n return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n }\n } else {\n idFilter = matchedSet\n }\n }\n }\n if (idFilter && idFilter.size) {\n where.id = { $in: Array.from(idFilter) as any }\n } else if (id) {\n where.id = id\n }\n const [rows, count] = await em.findAndCount(User, where, { limit: pageSize, offset: (page - 1) * pageSize })\n const userIds = rows.map((u: any) => u.id)\n const links = userIds.length\n ? await findWithDecryption(\n em,\n UserRole,\n { user: { $in: userIds as any } } as any,\n { populate: ['role'] },\n { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n )\n : []\n const roleMap: Record<string, string[]> = {}\n const roleIdMap: Record<string, string[]> = {}\n for (const l of links) {\n const uid = String((l as any).user?.id || (l as any).user)\n const rname = String((l as any).role?.name || '')\n const rid = String((l as any).role?.id ?? '')\n if (!roleMap[uid]) roleMap[uid] = []\n if (!roleIdMap[uid]) roleIdMap[uid] = []\n if (rname) roleMap[uid].push(rname)\n if (rid) roleIdMap[uid].push(rid)\n }\n const orgIds = rows\n .map((u: any) => (u.organizationId ? String(u.organizationId) : null))\n .filter((id): id is string => !!id)\n const uniqueOrgIds = Array.from(new Set(orgIds))\n let orgMap: Record<string, string> = {}\n if (uniqueOrgIds.length) {\n const organizations = await em.find(\n Organization,\n { id: { $in: uniqueOrgIds as any }, deletedAt: null },\n )\n orgMap = organizations.reduce<Record<string, string>>((acc, org) => {\n const orgId = org?.id ? String(org.id) : null\n if (!orgId) return acc\n const rawName = (org as any)?.name\n const orgName = typeof rawName === 'string' && rawName.length > 0 ? rawName : orgId\n acc[orgId] = orgName\n return acc\n }, {})\n }\n const tenantIds = rows\n .map((u: any) => (u.tenantId ? String(u.tenantId) : null))\n .filter((id): id is string => !!id)\n const uniqueTenantIds = Array.from(new Set(tenantIds))\n let tenantMap: Record<string, string> = {}\n if (uniqueTenantIds.length) {\n const tenants = await em.find(\n Tenant,\n { id: { $in: uniqueTenantIds as any }, deletedAt: null },\n )\n tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n const tenantId = tenant?.id ? String(tenant.id) : null\n if (!tenantId) return acc\n const rawName = (tenant as any)?.name\n const tenantName = typeof rawName === 'string' && rawName.length > 0 ? rawName : tenantId\n acc[tenantId] = tenantName\n return acc\n }, {})\n }\n const tenantByUser: Record<string, string | null> = {}\n const organizationByUser: Record<string, string | null> = {}\n for (const u of rows) {\n const uid = String(u.id)\n tenantByUser[uid] = u.tenantId ? String(u.tenantId) : null\n organizationByUser[uid] = u.organizationId ? String(u.organizationId) : null\n }\n const cfByUser = userIds.length\n ? await loadCustomFieldValues({\n em,\n entityId: E.auth.user,\n recordIds: userIds.map(String),\n tenantIdByRecord: tenantByUser,\n organizationIdByRecord: organizationByUser,\n tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],\n })\n : {}\n\n const items = rows.map((u: any) => {\n const uid = String(u.id)\n const orgId = u.organizationId ? String(u.organizationId) : null\n return {\n id: uid,\n email: String(u.email),\n organizationId: orgId,\n organizationName: orgId ? orgMap[orgId] ?? orgId : null,\n tenantId: u.tenantId ? String(u.tenantId) : null,\n tenantName: u.tenantId ? tenantMap[String(u.tenantId)] ?? String(u.tenantId) : null,\n roles: roleMap[uid] || [],\n roleIds: roleIdMap[uid] || [],\n hasPassword: !!u.passwordHash,\n ...(cfByUser[uid] || {}),\n }\n })\n const totalPages = Math.max(1, Math.ceil(count / pageSize))\n await logCrudAccess({\n container,\n auth,\n request: req,\n items,\n idField: 'id',\n resourceKind: 'auth.user',\n organizationId: null,\n tenantId: auth.tenantId ?? null,\n query: parsed.data,\n accessType: id ? 'read:item' : undefined,\n })\n return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = async (req: Request) => {\n const body = await req.clone().json().catch(() => ({}))\n await assertCanAssignRoles(req, body?.roles)\n return crud.POST(req)\n}\n\nexport const PUT = async (req: Request) => {\n const body = await req.clone().json().catch(() => ({}))\n await assertCanAssignRoles(req, body?.roles)\n return crud.PUT(req)\n}\n\nexport const DELETE = crud.DELETE\n\nasync function findUserIdsBySearchTokens(\n em: EntityManager,\n entityType: string,\n search: string,\n tenantScope: string | null | undefined,\n): Promise<string[] | null> {\n const trimmed = search.trim()\n if (!trimmed) return null\n const searchConfig = resolveSearchConfig()\n if (!searchConfig.enabled) return []\n const { hashes } = tokenizeText(trimmed, searchConfig)\n if (!hashes.length) return []\n\n const db = (em as any).getKysely() as any\n let query = db\n .selectFrom('search_tokens')\n .select('entity_id')\n .where('entity_type', '=', entityType)\n .where('token_hash', 'in', hashes)\n .groupBy('entity_id')\n .having(sql<boolean>`count(distinct token_hash) >= ${hashes.length}`)\n if (tenantScope !== undefined) {\n query = query.where(sql<boolean>`tenant_id is not distinct from ${tenantScope}`)\n }\n const rows = (await query.execute()) as Array<{ entity_id?: unknown }>\n return rows\n .map((row) => (typeof row.entity_id === 'string' ? row.entity_id : null))\n .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nasync function assertCanAssignRoles(req: Request, roles: unknown) {\n if (!Array.isArray(roles)) return\n const values = roles\n .map((role) => (typeof role === 'string' ? role.trim() : null))\n .filter((role): role is string => !!role)\n if (!values.length) return\n\n let hasSuperAdmin = values.some((v) => v.toLowerCase() === 'superadmin')\n if (!hasSuperAdmin) {\n const uuids = values.filter((v) => UUID_RE.test(v))\n if (uuids.length) {\n const container = await createRequestContainer()\n const em = container.resolve('em') as EntityManager\n const matched = await em.find(Role, { id: { $in: uuids as any } })\n hasSuperAdmin = matched.some((r) => String(r.name).toLowerCase() === 'superadmin')\n }\n }\n if (!hasSuperAdmin) return\n\n const auth = await getAuthFromRequest(req)\n if (!auth) throw new Error('Unauthorized')\n const container = await createRequestContainer()\n const rbac = container.resolve('rbacService') as RbacService\n const acl = await rbac.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n if (!acl?.isSuperAdmin) {\n throw forbidden('Only super administrators can assign the superadmin role.')\n }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n tag: 'Authentication & Accounts',\n summary: 'User management',\n methods: {\n GET: {\n summary: 'List users',\n description:\n 'Returns users for the current tenant. Super administrators may scope the response via organization or role filters.',\n query: querySchema,\n responses: [\n { status: 200, description: 'User collection', schema: userListResponseSchema },\n ],\n },\n POST: {\n summary: 'Create user',\n description: 'Creates a new confirmed user within the specified organization and optional roles.',\n requestBody: {\n contentType: 'application/json',\n schema: userCreateSchema,\n },\n responses: [\n {\n status: 201,\n description: 'User created',\n schema: z.object({ id: z.string().uuid() }),\n },\n ],\n errors: [\n { status: 400, description: 'Invalid payload or duplicate email', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n ],\n },\n PUT: {\n summary: 'Update user',\n description: 'Updates profile fields, organization assignment, credentials, or role memberships.',\n requestBody: {\n contentType: 'application/json',\n schema: userUpdateSchema,\n },\n responses: [\n { status: 200, description: 'User updated', schema: okResponseSchema },\n ],\n errors: [\n { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n { status: 404, description: 'User not found', schema: errorResponseSchema },\n ],\n },\n DELETE: {\n summary: 'Delete user',\n description: 'Deletes a user by identifier. Undo support is provided via the command bus.',\n query: z.object({ id: z.string().uuid().describe('User identifier') }),\n responses: [\n { status: 200, description: 'User deleted', schema: okResponseSchema },\n ],\n errors: [\n { status: 400, description: 'User cannot be deleted', schema: errorResponseSchema },\n { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n { status: 404, description: 'User not found', schema: errorResponseSchema },\n ],\n },\n },\n}\n"],
5
+ "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,iBAAiB;AAC1B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,MAAM,gBAAgB;AAErC,SAAS,cAAc,cAAc;AACrC,SAAS,SAAS;AAClB,SAAS,6BAA6B;AAEtC,SAAS,gBAAgB,uBAAuB;AAChD,SAAS,0BAA0B;AACnC,SAAS,2BAA2B;AACpC,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,WAAW;AAEpB,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC,EAAE,YAAY;AAEf,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAE/C,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,UAAU,eAAe,SAAS;AAAA,EAClC,iBAAiB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACtC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC,EAAE;AAAA,EACD,CAAC,SAAS,KAAK,YAAY,KAAK;AAAA,EAChC,EAAE,SAAS,kDAAkD,MAAM,CAAC,UAAU,EAAE;AAClF;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,kBAAkB,EAAE,OAAO,EAAE,SAAS;AAAA,EACtC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EACzB,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAI1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,KAAK;AAAA,QACtD;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,CAAC,EAAE,OAAO,OAAO;AAAA,QACzB,IAAI,OAAO,OAAO,KAAK,EAAE;AAAA,QACzB,GAAI,OAAO,UAAU,EAAE,UAAU,OAAO,QAAQ,IAAI,CAAC;AAAA,MACvD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,KAAK;AAAA,QACtD;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,aAAa,IAAI,aAAa,OAAO,QAAQ,EAAE,OAAO,CAACA,QAAqB,OAAOA,QAAO,YAAYA,IAAG,KAAK,EAAE,SAAS,CAAC;AAChI,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,gBAAgB,IAAI,aAAa,IAAI,gBAAgB,KAAK;AAAA,IAC1D,SAAS,WAAW,SAAS,aAAa;AAAA,EAC5C,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,gBAAgB,QAAQ,IAAI,OAAO;AACvE,QAAM,QAAa,EAAE,WAAW,KAAK;AACrC,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,KAAK,UAAU;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AACA,UAAM,WAAW,KAAK;AAAA,EACxB;AACA,MAAI,eAAgB,OAAM,iBAAiB;AAC3C,MAAI,WAA+B,KAAK,oBAAI,IAAI,CAAC,EAAE,CAAC,IAAI;AACxD,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,gBAAgB,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC;AACjD,UAAM,gBAAgB,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,EAAE,KAAK,cAAqB,EAAE,CAAQ;AAC5F,UAAM,cAAc,oBAAI,IAAY;AACpC,eAAW,QAAQ,eAAe;AAChC,YAAM,MAAM,OAAQ,KAAa,MAAM,MAAO,KAAa,QAAQ,EAAE;AACrE,UAAI,IAAK,aAAY,IAAI,GAAG;AAAA,IAC9B;AACA,QAAI,YAAY,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC3F,QAAI,UAAU;AACZ,iBAAW,OAAO,MAAM,KAAK,QAAQ,GAAG;AACtC,YAAI,CAAC,YAAY,IAAI,GAAG,EAAG,UAAS,OAAO,GAAG;AAAA,MAChD;AAAA,IACF,OAAO;AACL,iBAAW;AAAA,IACb;AACA,QAAI,CAAC,YAAY,SAAS,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAAA,EACvG;AACA,MAAI,QAAQ;AAGV,UAAM,cAAyC,eAAe,SAAY,KAAK,YAAY;AAC3F,UAAM,aAAa,MAAM,0BAA0B,IAAI,EAAE,KAAK,MAAM,QAAQ,WAAW;AACvF,QAAI,eAAe,MAAM;AACvB,UAAI,WAAW,WAAW,GAAG;AAC3B,eAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,MAC/E;AACA,YAAM,aAAa,IAAI,IAAI,UAAU;AACrC,UAAI,UAAU;AACZ,mBAAW,OAAO,MAAM,KAAK,QAAQ,GAAG;AACtC,cAAI,CAAC,WAAW,IAAI,GAAG,EAAG,UAAS,OAAO,GAAG;AAAA,QAC/C;AACA,YAAI,SAAS,SAAS,GAAG;AACvB,iBAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,QAC/E;AAAA,MACF,OAAO;AACL,mBAAW;AAAA,MACb;AAAA,IACF;AAAA,EACF;AACA,MAAI,YAAY,SAAS,MAAM;AAC7B,UAAM,KAAK,EAAE,KAAK,MAAM,KAAK,QAAQ,EAAS;AAAA,EAChD,WAAW,IAAI;AACb,UAAM,KAAK;AAAA,EACb;AACA,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,EAAE,EAAE;AACzC,QAAM,QAAQ,QAAQ,SAClB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAe,EAAE;AAAA,IAChC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,IACA,CAAC;AACL,QAAM,UAAoC,CAAC;AAC3C,QAAM,YAAsC,CAAC;AAC7C,aAAW,KAAK,OAAO;AACrB,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,UAAM,QAAQ,OAAQ,EAAU,MAAM,QAAQ,EAAE;AAChD,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAM,EAAE;AAC5C,QAAI,CAAC,QAAQ,GAAG,EAAG,SAAQ,GAAG,IAAI,CAAC;AACnC,QAAI,CAAC,UAAU,GAAG,EAAG,WAAU,GAAG,IAAI,CAAC;AACvC,QAAI,MAAO,SAAQ,GAAG,EAAE,KAAK,KAAK;AAClC,QAAI,IAAK,WAAU,GAAG,EAAE,KAAK,GAAG;AAAA,EAClC;AACA,QAAM,SAAS,KACZ,IAAI,CAAC,MAAY,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI,IAAK,EACpE,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;AAC/C,MAAI,SAAiC,CAAC;AACtC,MAAI,aAAa,QAAQ;AACvB,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,aAAoB,GAAG,WAAW,KAAK;AAAA,IACtD;AACA,aAAS,cAAc,OAA+B,CAAC,KAAK,QAAQ;AAClE,YAAM,QAAQ,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI;AACzC,UAAI,CAAC,MAAO,QAAO;AACnB,YAAM,UAAW,KAAa;AAC9B,YAAM,UAAU,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC9E,UAAI,KAAK,IAAI;AACb,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,YAAY,KACf,IAAI,CAAC,MAAY,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI,IAAK,EACxD,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,SAAS,CAAC;AACrD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,GAAG;AAAA,MACvB;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK;AAAA,IACzD;AACA,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,WAAW,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAClD,UAAI,CAAC,SAAU,QAAO;AACtB,YAAM,UAAW,QAAgB;AACjC,YAAM,aAAa,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AACjF,UAAI,QAAQ,IAAI;AAChB,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,QAAM,qBAAoD,CAAC;AAC3D,aAAW,KAAK,MAAM;AACpB,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,iBAAa,GAAG,IAAI,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AACtD,uBAAmB,GAAG,IAAI,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAAA,EAC1E;AACA,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW,QAAQ,IAAI,MAAM;AAAA,IAC7B,kBAAkB;AAAA,IAClB,wBAAwB;AAAA,IACxB,iBAAiB,KAAK,WAAW,CAAC,KAAK,QAAQ,IAAI,CAAC;AAAA,EACtD,CAAC,IACD,CAAC;AAEL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,UAAM,QAAQ,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAC5D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO,OAAO,EAAE,KAAK;AAAA,MACrB,gBAAgB;AAAA,MAChB,kBAAkB,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAAA,MACnD,UAAU,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC5C,YAAY,EAAE,WAAW,UAAU,OAAO,EAAE,QAAQ,CAAC,KAAK,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC/E,OAAO,QAAQ,GAAG,KAAK,CAAC;AAAA,MACxB,SAAS,UAAU,GAAG,KAAK,CAAC;AAAA,MAC5B,aAAa,CAAC,CAAC,EAAE;AAAA,MACjB,GAAI,SAAS,GAAG,KAAK,CAAC;AAAA,IACxB;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,OAAO,QAAiB;AAC1C,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,QAAM,qBAAqB,KAAK,MAAM,KAAK;AAC3C,SAAO,KAAK,KAAK,GAAG;AACtB;AAEO,MAAM,MAAM,OAAO,QAAiB;AACzC,QAAM,OAAO,MAAM,IAAI,MAAM,EAAE,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACtD,QAAM,qBAAqB,KAAK,MAAM,KAAK;AAC3C,SAAO,KAAK,IAAI,GAAG;AACrB;AAEO,MAAM,SAAS,KAAK;AAE3B,eAAe,0BACb,IACA,YACA,QACA,aAC0B;AAC1B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,eAAe,oBAAoB;AACzC,MAAI,CAAC,aAAa,QAAS,QAAO,CAAC;AACnC,QAAM,EAAE,OAAO,IAAI,aAAa,SAAS,YAAY;AACrD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,KAAM,GAAW,UAAU;AACjC,MAAI,QAAQ,GACT,WAAW,eAAe,EAC1B,OAAO,WAAW,EAClB,MAAM,eAAe,KAAK,UAAU,EACpC,MAAM,cAAc,MAAM,MAAM,EAChC,QAAQ,WAAW,EACnB,OAAO,oCAA6C,OAAO,MAAM,EAAE;AACtE,MAAI,gBAAgB,QAAW;AAC7B,YAAQ,MAAM,MAAM,qCAA8C,WAAW,EAAE;AAAA,EACjF;AACA,QAAM,OAAQ,MAAM,MAAM,QAAQ;AAClC,SAAO,KACJ,IAAI,CAAC,QAAS,OAAO,IAAI,cAAc,WAAW,IAAI,YAAY,IAAK,EACvE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAEA,MAAM,UAAU;AAEhB,eAAe,qBAAqB,KAAc,OAAgB;AAChE,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG;AAC3B,QAAM,SAAS,MACZ,IAAI,CAAC,SAAU,OAAO,SAAS,WAAW,KAAK,KAAK,IAAI,IAAK,EAC7D,OAAO,CAAC,SAAyB,CAAC,CAAC,IAAI;AAC1C,MAAI,CAAC,OAAO,OAAQ;AAEpB,MAAI,gBAAgB,OAAO,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,YAAY;AACvE,MAAI,CAAC,eAAe;AAClB,UAAM,QAAQ,OAAO,OAAO,CAAC,MAAM,QAAQ,KAAK,CAAC,CAAC;AAClD,QAAI,MAAM,QAAQ;AAChB,YAAMC,aAAY,MAAM,uBAAuB;AAC/C,YAAM,KAAKA,WAAU,QAAQ,IAAI;AACjC,YAAM,UAAU,MAAM,GAAG,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,MAAa,EAAE,CAAC;AACjE,sBAAgB,QAAQ,KAAK,CAAC,MAAM,OAAO,EAAE,IAAI,EAAE,YAAY,MAAM,YAAY;AAAA,IACnF;AAAA,EACF;AACA,MAAI,CAAC,cAAe;AAEpB,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM,cAAc;AACzC,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AAChH,MAAI,CAAC,KAAK,cAAc;AACtB,UAAM,UAAU,2DAA2D;AAAA,EAC7E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,oBAAoB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,MAClG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
6
6
  "names": ["id", "container"]
7
7
  }
package/dist/modules/catalog/lib/bulkDelete.js CHANGED
@@ -1,4 +1,5 @@
1
1
  import { invalidateCrudCache } from "@open-mercato/shared/lib/crud/cache";
2
+ import { runWithCacheTenant } from "@open-mercato/cache";
2
3
  import { createModuleQueue } from "@open-mercato/queue";
3
4
  const CATALOG_PRODUCT_BULK_DELETE_QUEUE = "catalog-product-bulk-delete";
4
5
  const queues = /* @__PURE__ */ new Map();
@@ -61,20 +62,22 @@ async function deleteCatalogProductsWithProgress(params) {
61
62
  );
62
63
  }
63
64
  const summary = { affectedCount };
64
- for (const id of deletedIds) {
65
- await invalidateCrudCache(
66
- container,
67
- "catalog.product",
68
- {
69
- id,
70
- organizationId: scope.organizationId,
71
- tenantId: scope.tenantId
72
- },
73
- scope.tenantId,
74
- "bulk-delete:catalog.products",
75
- BULK_DELETE_CACHE_ALIASES
76
- );
77
- }
65
+ await runWithCacheTenant(scope.tenantId, async () => {
66
+ for (const id of deletedIds) {
67
+ await invalidateCrudCache(
68
+ container,
69
+ "catalog.product",
70
+ {
71
+ id,
72
+ organizationId: scope.organizationId,
73
+ tenantId: scope.tenantId
74
+ },
75
+ scope.tenantId,
76
+ "bulk-delete:catalog.products",
77
+ BULK_DELETE_CACHE_ALIASES
78
+ );
79
+ }
80
+ });
78
81
  await progressService.completeJob(progressJobId, { resultSummary: summary }, progressContext);
79
82
  return summary;
80
83
  }