@open-mercato/core 0.5.1-develop.3045.b4b3320cc2 → 0.6.0

package/src/modules/audit_logs/services/accessLogService.ts

@@ -8,6 +8,7 @@ import {
   type AccessLogListQuery,
 } from '@open-mercato/core/modules/audit_logs/data/validators'
 import { resolveTenantEncryptionService } from '@open-mercato/shared/lib/encryption/customFieldValues'
+import { parseDecryptedFieldValue } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
 import { E } from '#generated/entities.ids.generated'
 
 const CORE_RESOURCE_KINDS = new Set<string>(['auth.user', 'auth.role'])
@@ -190,6 +191,25 @@ export class AccessLogService {
       },
     )
 
+    // Encrypted jsonb columns (`fields_json`, `context_json`) come back as raw
+    // JSON strings from the encryption subscriber after issue #1810 follow-up
+    // (entity-field decryption no longer auto-parses). Restore the structured
+    // shape on read so API consumers see typed objects/arrays.
+    for (const item of items) {
+      const rawFieldsJson = (item as { fieldsJson?: unknown }).fieldsJson
+      if (typeof rawFieldsJson === 'string') {
+        const parsed = parseDecryptedFieldValue(rawFieldsJson)
+        item.fieldsJson = Array.isArray(parsed) ? (parsed as string[]) : null
+      }
+      const rawContextJson = (item as { contextJson?: unknown }).contextJson
+      if (typeof rawContextJson === 'string') {
+        const parsed = parseDecryptedFieldValue(rawContextJson)
+        item.contextJson = parsed && typeof parsed === 'object' && !Array.isArray(parsed)
+          ? (parsed as Record<string, unknown>)
+          : null
+      }
+    }
+
     const totalPages = Math.max(1, Math.ceil((total || 0) / (pageSize || 1)))
     return { items, total, page, pageSize, totalPages }
   }

package/src/modules/audit_logs/services/actionLogService.ts

@@ -151,15 +151,23 @@ export class ActionLogService {
         ...decrypted,
       } as Record<string, unknown>
 
-      merged.changesJson = deepDecrypt(merged.changesJson ?? merged.changes_json ?? entry.changesJson ?? entry.changes_json)
+      // Audit log jsonb columns are encrypted as JSON-stringified payloads. After the
+      // service-level `decryptEntityPayload` call (which now returns raw strings —
+      // see issue #1810 follow-up), reattach the structured shape via
+      // `parseDecryptedFieldValue` before running the recursive `deepDecrypt` walk
+      // so nested encrypted strings inside payload objects/arrays are handled.
+      const restoreJson = (value: unknown): unknown =>
+        typeof value === 'string' ? parseDecryptedFieldValue(value) : value
+
+      merged.changesJson = deepDecrypt(restoreJson(merged.changesJson ?? merged.changes_json ?? entry.changesJson ?? entry.changes_json))
       merged.changes_json = merged.changesJson
-      merged.snapshotBefore = deepDecrypt(merged.snapshotBefore ?? merged.snapshot_before ?? entry.snapshotBefore ?? entry.snapshot_before)
+      merged.snapshotBefore = deepDecrypt(restoreJson(merged.snapshotBefore ?? merged.snapshot_before ?? entry.snapshotBefore ?? entry.snapshot_before))
       merged.snapshot_before = merged.snapshotBefore
-      merged.snapshotAfter = deepDecrypt(merged.snapshotAfter ?? merged.snapshot_after ?? entry.snapshotAfter ?? entry.snapshot_after)
+      merged.snapshotAfter = deepDecrypt(restoreJson(merged.snapshotAfter ?? merged.snapshot_after ?? entry.snapshotAfter ?? entry.snapshot_after))
       merged.snapshot_after = merged.snapshotAfter
-      merged.commandPayload = deepDecrypt(merged.commandPayload ?? merged.command_payload ?? entry.commandPayload ?? entry.command_payload)
+      merged.commandPayload = deepDecrypt(restoreJson(merged.commandPayload ?? merged.command_payload ?? entry.commandPayload ?? entry.command_payload))
       merged.command_payload = merged.commandPayload
-      merged.contextJson = deepDecrypt(merged.contextJson ?? merged.context_json ?? entry.contextJson ?? entry.context_json)
+      merged.contextJson = deepDecrypt(restoreJson(merged.contextJson ?? merged.context_json ?? entry.contextJson ?? entry.context_json))
       merged.context_json = merged.contextJson
 
       return merged as T

package/src/modules/auth/api/roles/acl/route.ts

@@ -4,11 +4,12 @@ import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'
-import { forbidden } from '@open-mercato/shared/lib/crud/errors'
+import { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { RoleAcl, Role } from '@open-mercato/core/modules/auth/data/entities'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { assertActorCanGrantAcl, normalizeGrantFeatureList } from '@open-mercato/core/modules/auth/lib/grantChecks'
 
 type TaggableCache = { deleteByTags?: (tags: string[]) => Promise<void> | void }
 
@@ -132,12 +133,6 @@ export async function PUT(req: Request) {
     return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
   }
 
-  const actorAcl = auth.sub
-    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })
-    : null
-  const actorIsSuperAdmin = !!actorAcl?.isSuperAdmin
-
-  const requestedFeatures = normalizeFeatureList(parsed.data.features)
   let acl = await em.findOne(RoleAcl, { role, tenantId: targetTenantId })
   if (!acl) {
     acl = em.create(RoleAcl, {
@@ -149,27 +144,35 @@ export async function PUT(req: Request) {
   }
 
   const existingIsSuperAdmin = !!acl.isSuperAdmin
+  const existingFeatures = normalizeGrantFeatureList(acl.featuresJson)
+  const existingOrganizations = normalizeOrganizations(acl.organizationsJson)
   const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? existingIsSuperAdmin
-  let effectiveIsSuperAdmin = requestedIsSuperAdmin
-
-  if (!actorIsSuperAdmin) {
-    if (requestedIsSuperAdmin && !existingIsSuperAdmin) {
-      throw forbidden('Only super administrators can mark a role as super admin.')
-    }
-    if (existingIsSuperAdmin && requestedIsSuperAdmin === false) {
-      effectiveIsSuperAdmin = false
-    } else {
-      effectiveIsSuperAdmin = existingIsSuperAdmin
-    }
+  const requestedFeatures = parsed.data.features === undefined
+    ? existingFeatures
+    : normalizeGrantFeatureList(parsed.data.features)
+  const requestedOrganizations = parsed.data.organizations === undefined
+    ? existingOrganizations
+    : normalizeOrganizations(parsed.data.organizations)
+
+  try {
+    await assertActorCanGrantAcl({
+      em,
+      rbacService,
+      actorUserId: auth.sub,
+      tenantId: targetTenantId,
+      organizationId: auth.orgId ?? null,
+      isSuperAdmin: requestedIsSuperAdmin,
+      features: requestedFeatures,
+      organizations: requestedOrganizations,
+    })
+  } catch (err) {
+    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })
+    throw err
   }
 
-  const effectiveFeatures = actorIsSuperAdmin
-    ? requestedFeatures
-    : sanitizeTenantFeatures(requestedFeatures)
-
-  if (parsed.data.organizations !== undefined) acl.organizationsJson = parsed.data.organizations
-  acl.isSuperAdmin = effectiveIsSuperAdmin
-  acl.featuresJson = effectiveFeatures
+  acl.organizationsJson = requestedOrganizations
+  acl.isSuperAdmin = requestedIsSuperAdmin
+  acl.featuresJson = requestedFeatures
   await em.persist(acl).flush()
   
   // Invalidate cache for all users in this tenant since role ACL changed
@@ -184,30 +187,13 @@ export async function PUT(req: Request) {
   
   return NextResponse.json({
     ok: true,
-    sanitized: !actorIsSuperAdmin && (effectiveFeatures.length !== requestedFeatures.length || effectiveIsSuperAdmin !== requestedIsSuperAdmin),
+    sanitized: false,
   })
 }
 
-function normalizeFeatureList(features: unknown): string[] {
-  if (!Array.isArray(features)) return []
-  const dedup = new Set<string>()
-  for (const value of features) {
-    if (typeof value !== 'string') continue
-    const trimmed = value.trim()
-    if (!trimmed) continue
-    dedup.add(trimmed)
-  }
-  return Array.from(dedup)
-}
-
-function sanitizeTenantFeatures(features: string[]): string[] {
-  return features.filter((feature) => !isTenantRestrictedFeature(feature))
-}
-
-function isTenantRestrictedFeature(feature: string): boolean {
-  if (feature === '*' || feature === 'directory.*') return true
-  if (feature.startsWith('directory.tenants')) return true
-  return false
+function normalizeOrganizations(organizations: unknown): string[] | null {
+  if (!Array.isArray(organizations)) return null
+  return normalizeGrantFeatureList(organizations)
 }
 
 export const openApi: OpenApiRouteDoc = {

package/src/modules/auth/api/users/route.ts

@@ -3,17 +3,18 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'
-import { forbidden } from '@open-mercato/shared/lib/crud/errors'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'
-import { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'
 import { E } from '#generated/entities.ids.generated'
 import { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'
-import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { assertActorCanGrantRoleTokens } from '@open-mercato/core/modules/auth/lib/grantChecks'
+import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'
 import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
 import { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'
@@ -102,7 +103,7 @@ const crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({
       schema: rawBodySchema,
       mapInput: async ({ parsed, ctx }) => {
         if (ctx.request) {
-          await assertCanAssignRoles(ctx.request, parsed.roles)
+          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)
         }
         return parsed
       },
@@ -117,7 +118,7 @@ const crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({
       schema: rawBodySchema,
       mapInput: async ({ parsed, ctx }) => {
         if (ctx.request) {
-          await assertCanAssignRoles(ctx.request, parsed.roles)
+          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)
         }
         return parsed
       },
@@ -371,14 +372,10 @@ export async function GET(req: Request) {
 }
 
 export const POST = async (req: Request) => {
-  const body = await req.clone().json().catch(() => ({}))
-  await assertCanAssignRoles(req, body?.roles)
   return crud.POST(req)
 }
 
 export const PUT = async (req: Request) => {
-  const body = await req.clone().json().catch(() => ({}))
-  await assertCanAssignRoles(req, body?.roles)
   return crud.PUT(req)
 }
 
@@ -414,35 +411,53 @@ async function findUserIdsBySearchTokens(
     .filter((id): id is string => typeof id === 'string' && id.length > 0)
 }
 
-const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
-
-async function assertCanAssignRoles(req: Request, roles: unknown) {
+async function assertCanAssignRoles(req: Request, roles: unknown, payload: Record<string, unknown>) {
   if (!Array.isArray(roles)) return
-  const values = roles
-    .map((role) => (typeof role === 'string' ? role.trim() : null))
-    .filter((role): role is string => !!role)
-  if (!values.length) return
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as EntityManager
+  const tenantId = await resolveTargetTenantIdForRoleGrant(em, payload, auth.tenantId ?? null)
+  await assertActorCanGrantRoleTokens({
+    em,
+    rbacService: container.resolve('rbacService') as RbacService,
+    actorUserId: auth.sub,
+    tenantId,
+    organizationId: auth.orgId ?? null,
+    roleTokens: roles,
+  })
+}
 
-  let hasSuperAdmin = values.some((v) => v.toLowerCase() === 'superadmin')
-  if (!hasSuperAdmin) {
-    const uuids = values.filter((v) => UUID_RE.test(v))
-    if (uuids.length) {
-      const container = await createRequestContainer()
-      const em = container.resolve('em') as EntityManager
-      const matched = await em.find(Role, { id: { $in: uuids as any } })
-      hasSuperAdmin = matched.some((r) => String(r.name).toLowerCase() === 'superadmin')
-    }
+async function resolveTargetTenantIdForRoleGrant(
+  em: EntityManager,
+  payload: Record<string, unknown>,
+  fallbackTenantId: string | null,
+): Promise<string | null> {
+  const organizationId = typeof payload.organizationId === 'string' ? payload.organizationId : null
+  if (organizationId) {
+    const organization = await findOneWithDecryption(
+      em,
+      Organization,
+      { id: organizationId },
+      { populate: ['tenant'] },
+      { tenantId: null, organizationId },
+    )
+    return organization?.tenant?.id ? String(organization.tenant.id) : fallbackTenantId
   }
-  if (!hasSuperAdmin) return
 
-  const auth = await getAuthFromRequest(req)
-  if (!auth) throw new Error('Unauthorized')
-  const container = await createRequestContainer()
-  const rbac = container.resolve('rbacService') as RbacService
-  const acl = await rbac.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })
-  if (!acl?.isSuperAdmin) {
-    throw forbidden('Only super administrators can assign the superadmin role.')
+  const userId = typeof payload.id === 'string' ? payload.id : null
+  if (userId) {
+    const user = await findOneWithDecryption(
+      em,
+      User,
+      { id: userId, deletedAt: null },
+      {},
+      { tenantId: null, organizationId: null },
+    )
+    return user?.tenantId ? String(user.tenantId) : fallbackTenantId
   }
+
+  return fallbackTenantId
 }
 
 export const openApi: OpenApiRouteDoc = {

package/src/modules/auth/lib/grantChecks.ts

@@ -0,0 +1,234 @@
+import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
+import { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'
+import { hasFeature } from '@open-mercato/shared/security/features'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { Role, RoleAcl } from '@open-mercato/core/modules/auth/data/entities'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+
+type ActorAcl = {
+  isSuperAdmin: boolean
+  features: string[]
+  organizations: string[] | null
+}
+
+type GrantCheckContext = {
+  em: EntityManager
+  rbacService: RbacService
+  actorUserId: string | null | undefined
+  tenantId: string | null | undefined
+  organizationId?: string | null | undefined
+}
+
+type RoleGrantCheckInput = GrantCheckContext & {
+  roles: Role[]
+}
+
+type RoleTokenGrantCheckInput = GrantCheckContext & {
+  roleTokens: unknown
+}
+
+type FeatureGrantCheckInput = GrantCheckContext & {
+  features: unknown
+  isSuperAdmin?: boolean
+  organizations?: string[] | null
+}
+
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+
+export async function assertActorCanGrantRoleTokens(input: RoleTokenGrantCheckInput): Promise<Role[]> {
+  const tokens = normalizeStringList(input.roleTokens)
+  if (!tokens.length) return []
+
+  const tenantId = normalizeNullableString(input.tenantId)
+  const roles = await resolveRolesForGrant(input.em, tokens, tenantId)
+  await assertActorCanGrantRoles({ ...input, tenantId, roles })
+  return roles
+}
+
+export async function assertActorCanGrantRoles(input: RoleGrantCheckInput): Promise<void> {
+  if (!input.roles.length) return
+
+  const tenantId = normalizeNullableString(input.tenantId)
+  const actorAcl = await loadActorAcl({ ...input, tenantId })
+  if (actorAcl.isSuperAdmin) return
+
+  if (!tenantId) {
+    throw forbidden('Tenant context is required to grant roles.')
+  }
+
+  for (const role of input.roles) {
+    const roleTenantId = normalizeNullableString(role.tenantId)
+    if (roleTenantId !== tenantId) {
+      throw forbidden('Cannot grant a role outside the target tenant.')
+    }
+
+    const acl = await findOneWithDecryption(
+      input.em,
+      RoleAcl,
+      { role, tenantId } as FilterQuery<RoleAcl>,
+      {},
+      { tenantId, organizationId: null },
+    )
+    if (!acl) continue
+
+    assertActorCanGrantAclSnapshot(actorAcl, {
+      isSuperAdmin: !!acl.isSuperAdmin,
+      features: normalizeStringList(acl.featuresJson),
+      organizations: normalizeOrganizationList(acl.organizationsJson),
+    })
+  }
+}
+
+export async function assertActorCanGrantAcl(input: FeatureGrantCheckInput): Promise<void> {
+  const actorAcl = await loadActorAcl(input)
+  if (actorAcl.isSuperAdmin) return
+
+  const tenantId = normalizeNullableString(input.tenantId)
+  if (!tenantId) {
+    throw forbidden('Tenant context is required to grant ACL features.')
+  }
+
+  assertActorCanGrantAclSnapshot(actorAcl, {
+    isSuperAdmin: !!input.isSuperAdmin,
+    features: normalizeStringList(input.features),
+    organizations: input.organizations === undefined ? undefined : normalizeOrganizationList(input.organizations),
+  })
+}
+
+export function normalizeGrantFeatureList(features: unknown): string[] {
+  return normalizeStringList(features)
+}
+
+async function loadActorAcl(input: GrantCheckContext): Promise<ActorAcl> {
+  const actorUserId = normalizeNullableString(input.actorUserId)
+  if (!actorUserId) throw forbidden('Not authorized to grant ACL privileges.')
+
+  const acl = await input.rbacService.loadAcl(actorUserId, {
+    tenantId: normalizeNullableString(input.tenantId),
+    organizationId: normalizeNullableString(input.organizationId),
+  })
+
+  return {
+    isSuperAdmin: !!acl?.isSuperAdmin,
+    features: normalizeStringList(acl?.features),
+    organizations: normalizeOrganizationList(acl?.organizations),
+  }
+}
+
+async function resolveRolesForGrant(
+  em: EntityManager,
+  roleTokens: string[],
+  tenantId: string | null,
+): Promise<Role[]> {
+  const roles: Role[] = []
+  const missingRoles: string[] = []
+
+  for (const token of roleTokens) {
+    const role = await resolveRoleForGrant(em, token, tenantId)
+    if (!role) {
+      missingRoles.push(token)
+    } else {
+      roles.push(role)
+    }
+  }
+
+  if (missingRoles.length) {
+    const labels = missingRoles.map((role) => `"${role}"`).join(', ')
+    throw new CrudHttpError(400, { error: `Role(s) not found: ${labels}` })
+  }
+
+  return roles
+}
+
+async function resolveRoleForGrant(
+  em: EntityManager,
+  token: string,
+  tenantId: string | null,
+): Promise<Role | null> {
+  const where: Record<string, unknown> = UUID_RE.test(token)
+    ? { id: token, deletedAt: null }
+    : { name: token, deletedAt: null }
+  if (tenantId) where.tenantId = tenantId
+  return findOneWithDecryption(
+    em,
+    Role,
+    where as FilterQuery<Role>,
+    {},
+    { tenantId, organizationId: null },
+  )
+}
+
+function assertActorCanGrantAclSnapshot(
+  actorAcl: ActorAcl,
+  requested: {
+    isSuperAdmin: boolean
+    features: string[]
+    organizations?: string[] | null
+  },
+): void {
+  if (requested.isSuperAdmin) {
+    throw forbidden('Only super administrators can grant super admin access.')
+  }
+
+  const actorGrantableFeatures = actorAcl.features.filter((grant) => grant !== '*')
+  for (const feature of requested.features) {
+    if (feature === '*') {
+      throw forbidden('Only super administrators can grant global wildcard access.')
+    }
+    if (isWildcardFeature(feature)) {
+      if (!hasFeature(actorGrantableFeatures, feature)) {
+        throw forbidden(`Cannot grant feature wildcard ${feature}.`)
+      }
+      continue
+    }
+    if (!hasFeature(actorGrantableFeatures, feature)) {
+      throw forbidden(`Cannot grant feature ${feature}.`)
+    }
+  }
+
+  if (requested.organizations !== undefined) {
+    assertActorCanGrantOrganizations(actorAcl.organizations, requested.organizations)
+  }
+}
+
+function assertActorCanGrantOrganizations(
+  actorOrganizations: string[] | null,
+  requestedOrganizations: string[] | null,
+): void {
+  if (actorOrganizations === null || actorOrganizations.includes('__all__')) return
+
+  if (requestedOrganizations === null || requestedOrganizations.includes('__all__')) {
+    throw forbidden('Cannot grant unrestricted organization access.')
+  }
+
+  for (const organizationId of requestedOrganizations) {
+    if (!actorOrganizations.includes(organizationId)) {
+      throw forbidden('Cannot grant organization access outside actor scope.')
+    }
+  }
+}
+
+function normalizeStringList(values: unknown): string[] {
+  if (!Array.isArray(values)) return []
+  const dedup = new Set<string>()
+  for (const value of values) {
+    if (typeof value !== 'string') continue
+    const trimmed = value.trim()
+    if (!trimmed) continue
+    dedup.add(trimmed)
+  }
+  return Array.from(dedup)
+}
+
+function normalizeOrganizationList(values: unknown): string[] | null {
+  if (values === null || values === undefined) return null
+  return normalizeStringList(values)
+}
+
+function normalizeNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null
+}
+
+function isWildcardFeature(feature: string): boolean {
+  return feature.endsWith('.*')
+}

package/src/modules/configs/cli.ts

@@ -12,6 +12,7 @@ import {
   previewCachePurge,
   type CachePurgeRequest,
 } from './lib/cache-cli'
+import { touchGeneratedBarrels } from './lib/touchGeneratedBarrels'
 
 type ParsedArgs = Record<string, string | boolean>
 
@@ -256,6 +257,16 @@ async function runStructuralCachePurge(args: ParsedArgs) {
     pattern: 'nav:*',
   }
   await runCachePurge(nextArgs)
+  const quiet = flagEnabled(args, 'quiet')
+  try {
+    touchGeneratedBarrels({ quiet })
+  } catch (err) {
+    if (!quiet) {
+      console.warn(
+        `[structural] failed to touch generated barrels: ${(err as Error).message ?? err}`,
+      )
+    }
+  }
 }
 
 function envDisablesAutoIndexing(): boolean {

package/src/modules/configs/lib/touchGeneratedBarrels.ts

@@ -0,0 +1,61 @@
+import fs from 'node:fs'
+import path from 'node:path'
+
+const GENERATED_DIR_RELATIVE = path.join('.mercato', 'generated')
+const TOUCHABLE_PATTERN = /\.generated(?:\.[a-z0-9]+)?(?:\.ts|\.checksum)$/i
+const MAX_PARENT_WALK = 5
+
+export type TouchGeneratedBarrelsOptions = {
+  cwd?: string
+  quiet?: boolean
+  log?: (message: string) => void
+}
+
+export type TouchGeneratedBarrelsResult = {
+  generatedDir: string | null
+  files: string[]
+}
+
+export function findGeneratedDir(startDir: string): string | null {
+  let current = path.resolve(startDir)
+  for (let depth = 0; depth <= MAX_PARENT_WALK; depth += 1) {
+    const candidate = path.join(current, GENERATED_DIR_RELATIVE)
+    if (fs.existsSync(candidate) && fs.statSync(candidate).isDirectory()) {
+      return candidate
+    }
+    const parent = path.dirname(current)
+    if (parent === current) break
+    current = parent
+  }
+  return null
+}
+
+export function touchGeneratedBarrels(
+  options: TouchGeneratedBarrelsOptions = {},
+): TouchGeneratedBarrelsResult {
+  const cwd = options.cwd ?? process.cwd()
+  const log = options.log ?? ((message: string) => console.log(message))
+  const quiet = options.quiet === true
+
+  const generatedDir = findGeneratedDir(cwd)
+  if (!generatedDir) {
+    return { generatedDir: null, files: [] }
+  }
+
+  const touched: string[] = []
+  const entries = fs.readdirSync(generatedDir, { withFileTypes: true })
+  for (const entry of entries) {
+    if (!entry.isFile()) continue
+    if (!TOUCHABLE_PATTERN.test(entry.name)) continue
+    const filePath = path.join(generatedDir, entry.name)
+    const contents = fs.readFileSync(filePath)
+    fs.writeFileSync(filePath, contents)
+    touched.push(filePath)
+  }
+
+  if (!quiet && touched.length > 0) {
+    log(`🔁 [structural] touched ${touched.length} generated barrel(s) → ${generatedDir}`)
+  }
+
+  return { generatedDir, files: touched }
+}