@open-mercato/core 0.6.4-develop.4038.1.91ce075c8a → 0.6.4-develop.4106.1.12c205a613

package/dist/modules/resources/acl.js

@@ -1,6 +1,11 @@
 const features = [
   { id: "resources.view", title: "View resources", module: "resources" },
-  { id: "resources.manage_resources", title: "Manage resources", module: "resources" }
+  {
+    id: "resources.manage_resources",
+    title: "Manage resources",
+    module: "resources",
+    dependsOn: ["resources.view"]
+  }
 ];
 var acl_default = features;
 export {

package/dist/modules/resources/acl.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/resources/acl.ts"],
-  "sourcesContent": ["export const features = [\n  { id: 'resources.view', title: 'View resources', module: 'resources' },\n  { id: 'resources.manage_resources', title: 'Manage resources', module: 'resources' },\n]\n\nexport default features\n"],
-  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,kBAAkB,OAAO,kBAAkB,QAAQ,YAAY;AAAA,EACrE,EAAE,IAAI,8BAA8B,OAAO,oBAAoB,QAAQ,YAAY;AACrF;AAEA,IAAO,cAAQ;",
+  "sourcesContent": ["export const features = [\n  { id: 'resources.view', title: 'View resources', module: 'resources' },\n  {\n    id: 'resources.manage_resources',\n    title: 'Manage resources',\n    module: 'resources',\n    dependsOn: ['resources.view'],\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,kBAAkB,OAAO,kBAAkB,QAAQ,YAAY;AAAA,EACrE;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,gBAAgB;AAAA,EAC9B;AACF;AAEA,IAAO,cAAQ;",
   "names": []
 }

package/dist/modules/sync_excel/acl.js

@@ -1,6 +1,11 @@
 const features = [
   { id: "sync_excel.view", title: "View sync_excel uploads and previews", module: "sync_excel" },
-  { id: "sync_excel.run", title: "Upload CSV files and prepare imports", module: "sync_excel" }
+  {
+    id: "sync_excel.run",
+    title: "Upload CSV files and prepare imports",
+    module: "sync_excel",
+    dependsOn: ["sync_excel.view"]
+  }
 ];
 var acl_default = features;
 export {

package/dist/modules/sync_excel/acl.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/sync_excel/acl.ts"],
-  "sourcesContent": ["export const features = [\n  { id: 'sync_excel.view', title: 'View sync_excel uploads and previews', module: 'sync_excel' },\n  { id: 'sync_excel.run', title: 'Upload CSV files and prepare imports', module: 'sync_excel' },\n]\n\nexport default features\n"],
-  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,mBAAmB,OAAO,wCAAwC,QAAQ,aAAa;AAAA,EAC7F,EAAE,IAAI,kBAAkB,OAAO,wCAAwC,QAAQ,aAAa;AAC9F;AAEA,IAAO,cAAQ;",
+  "sourcesContent": ["export const features = [\n  { id: 'sync_excel.view', title: 'View sync_excel uploads and previews', module: 'sync_excel' },\n  {\n    id: 'sync_excel.run',\n    title: 'Upload CSV files and prepare imports',\n    module: 'sync_excel',\n    dependsOn: ['sync_excel.view'],\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,mBAAmB,OAAO,wCAAwC,QAAQ,aAAa;AAAA,EAC7F;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,iBAAiB;AAAA,EAC/B;AACF;AAEA,IAAO,cAAQ;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.6.4-develop.4038.1.91ce075c8a",
+  "version": "0.6.4-develop.4106.1.12c205a613",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -243,16 +243,16 @@
     "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4038.1.91ce075c8a",
-    "@open-mercato/shared": "0.6.4-develop.4038.1.91ce075c8a",
-    "@open-mercato/ui": "0.6.4-develop.4038.1.91ce075c8a",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4106.1.12c205a613",
+    "@open-mercato/shared": "0.6.4-develop.4106.1.12c205a613",
+    "@open-mercato/ui": "0.6.4-develop.4106.1.12c205a613",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4038.1.91ce075c8a",
-    "@open-mercato/shared": "0.6.4-develop.4038.1.91ce075c8a",
-    "@open-mercato/ui": "0.6.4-develop.4038.1.91ce075c8a",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4106.1.12c205a613",
+    "@open-mercato/shared": "0.6.4-develop.4106.1.12c205a613",
+    "@open-mercato/ui": "0.6.4-develop.4106.1.12c205a613",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.1",

package/src/modules/currencies/acl.ts

@@ -8,26 +8,31 @@ export const features = [
     id: 'currencies.manage',
     title: 'Manage currencies',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.rates.view',
     title: 'View exchange rates',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.rates.manage',
     title: 'Manage exchange rates',
     module: 'currencies',
+    dependsOn: ['currencies.rates.view'],
   },
   {
     id: 'currencies.fetch.view',
     title: 'View currency fetch configuration',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.fetch.manage',
     title: 'Manage currency fetch configuration',
     module: 'currencies',
+    dependsOn: ['currencies.fetch.view'],
   },
 ]
 

package/src/modules/directory/acl.ts

@@ -1,8 +1,18 @@
 export const features = [
     { id: 'directory.tenants.view', title: 'View tenants', module: 'directory' },
-    { id: 'directory.tenants.manage', title: 'Manage tenants', module: 'directory' },
+    {
+        id: 'directory.tenants.manage',
+        title: 'Manage tenants',
+        module: 'directory',
+        dependsOn: ['directory.tenants.view'],
+    },
     { id: 'directory.organizations.view', title: 'View organizations', module: 'directory' },
-    { id: 'directory.organizations.manage', title: 'Manage organizations', module: 'directory' },
+    {
+        id: 'directory.organizations.manage',
+        title: 'Manage organizations',
+        module: 'directory',
+        dependsOn: ['directory.organizations.view'],
+    },
 ]
 
 export default features

package/src/modules/directory/api/tenants/route.ts

@@ -136,27 +136,6 @@ export async function GET(req: Request) {
     orderBy.name = 'ASC'
   }
 
-  const all = await em.find(Tenant, where, { orderBy })
-  const recordIds = all.map((tenant) => String(tenant.id))
-
-  const tenantIdByRecord: Record<string, string | null> = {}
-  const organizationIdByRecord: Record<string, string | null> = {}
-  for (const rid of recordIds) {
-    tenantIdByRecord[rid] = null
-    organizationIdByRecord[rid] = null
-  }
-
-  const cfValues = recordIds.length
-    ? await loadCustomFieldValues({
-        em,
-        entityId: E.directory.tenant,
-        recordIds,
-        tenantIdByRecord,
-        organizationIdByRecord,
-        tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],
-      })
-    : {}
-
   const rawQuery = Array.from(url.searchParams.keys()).reduce<Record<string, unknown>>((acc, key) => {
     const values = url.searchParams.getAll(key)
     if (!values.length) return acc
@@ -175,29 +154,64 @@ export async function GET(req: Request) {
     return [normalizedKey, condition] as const
   })
 
-  const filtered = cfFilterEntries.length
-    ? all.filter((tenant) => {
-        const rid = String(tenant.id)
-        const payload = cfValues[rid] ?? {}
-        return cfFilterEntries.every(([key, expected]) => {
-          const value = payload[`cf_${key}`]
-          if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
-            const maybeIn = (expected as { $in?: unknown[] }).$in
-            if (Array.isArray(maybeIn)) {
-              if (value === undefined || value === null) return false
-              if (Array.isArray(value)) return value.some((val) => maybeIn.includes(val))
-              return maybeIn.includes(value)
-            }
+  const loadCfValues = (tenants: Tenant[]): Promise<Record<string, Record<string, unknown>>> => {
+    const recordIds = tenants.map((tenant) => String(tenant.id))
+    if (!recordIds.length) return Promise.resolve({})
+    const tenantIdByRecord: Record<string, string | null> = {}
+    const organizationIdByRecord: Record<string, string | null> = {}
+    for (const rid of recordIds) {
+      tenantIdByRecord[rid] = null
+      organizationIdByRecord[rid] = null
+    }
+    return loadCustomFieldValues({
+      em,
+      entityId: E.directory.tenant,
+      recordIds,
+      tenantIdByRecord,
+      organizationIdByRecord,
+      tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],
+    })
+  }
+
+  const start = (page - 1) * pageSize
+
+  let pageTenants: Tenant[]
+  let total: number
+  let cfValues: Record<string, Record<string, unknown>>
+
+  if (cfFilterEntries.length) {
+    // Custom-field filters are matched in JS against separately-loaded values,
+    // so the full result set must be fetched before filtering and paging.
+    const all = await em.find(Tenant, where, { orderBy })
+    cfValues = await loadCfValues(all)
+    const filtered = all.filter((tenant) => {
+      const rid = String(tenant.id)
+      const payload = cfValues[rid] ?? {}
+      return cfFilterEntries.every(([key, expected]) => {
+        const value = payload[`cf_${key}`]
+        if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+          const maybeIn = (expected as { $in?: unknown[] }).$in
+          if (Array.isArray(maybeIn)) {
+            if (value === undefined || value === null) return false
+            if (Array.isArray(value)) return value.some((val) => maybeIn.includes(val))
+            return maybeIn.includes(value)
           }
-          return matchesValue(value, expected)
-        })
+        }
+        return matchesValue(value, expected)
       })
-    : all
+    })
+    total = filtered.length
+    pageTenants = filtered.slice(start, start + pageSize)
+  } else {
+    // No JS-side filtering applies, so pagination is pushed to the database
+    // instead of fetching the whole table and slicing in memory.
+    const [rows, count] = await em.findAndCount(Tenant, where, { orderBy, limit: pageSize, offset: start })
+    total = count
+    pageTenants = rows
+    cfValues = await loadCfValues(rows)
+  }
 
-  const total = filtered.length
-  const start = (page - 1) * pageSize
-  const paged = filtered.slice(start, start + pageSize)
-  const items = paged.map((tenant) => {
+  const items = pageTenants.map((tenant) => {
     const rid = String(tenant.id)
     const cf = cfValues[rid] ?? {}
     return toRow(tenant, cf)

package/src/modules/entities/acl.ts

@@ -1,8 +1,18 @@
 export const features = [
   { id: 'entities.definitions.view', title: 'View custom field definitions', module: 'entities' },
-  { id: 'entities.definitions.manage', title: 'Manage custom field definitions', module: 'entities' },
+  {
+    id: 'entities.definitions.manage',
+    title: 'Manage custom field definitions',
+    module: 'entities',
+    dependsOn: ['entities.definitions.view'],
+  },
   { id: 'entities.records.view', title: 'View records', module: 'entities' },
-  { id: 'entities.records.manage', title: 'Manage records', module: 'entities' },
+  {
+    id: 'entities.records.manage',
+    title: 'Manage records',
+    module: 'entities',
+    dependsOn: ['entities.records.view'],
+  },
 ]
 
 export default features

package/src/modules/integrations/api/[id]/credentials/route.ts

@@ -5,7 +5,10 @@ import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { getIntegration } from '@open-mercato/shared/modules/integrations/types'
 import { emitIntegrationsEvent } from '../../../events'
 import { saveCredentialsSchema } from '../../../data/validators'
-import type { CredentialsService } from '../../../lib/credentials-service'
+import {
+  isCredentialsEncryptionUnavailableError,
+  type CredentialsService,
+} from '../../../lib/credentials-service'
 import {
   resolveUserFeatures,
   runIntegrationMutationGuardAfterSuccess,
@@ -53,7 +56,15 @@ export async function GET(req: Request, ctx: { params?: Promise<{ id?: string }>
   const credentialsService = container.resolve('integrationCredentialsService') as CredentialsService
   const scope = { organizationId: auth.orgId as string, tenantId: auth.tenantId }
 
-  const values = await credentialsService.resolve(integration.id, scope)
+  let values: Record<string, unknown> | null
+  try {
+    values = await credentialsService.resolve(integration.id, scope)
+  } catch (error) {
+    if (isCredentialsEncryptionUnavailableError(error)) {
+      return NextResponse.json({ error: 'Integration credentials encryption is unavailable' }, { status: 503 })
+    }
+    throw error
+  }
 
   return NextResponse.json({
     integrationId: integration.id,
@@ -118,7 +129,14 @@ export async function PUT(req: Request, ctx: { params?: Promise<{ id?: string }>
   const credentialsService = container.resolve('integrationCredentialsService') as CredentialsService
   const scope = { organizationId: auth.orgId as string, tenantId: auth.tenantId }
 
-  await credentialsService.save(integration.id, payloadData.credentials, scope)
+  try {
+    await credentialsService.save(integration.id, payloadData.credentials, scope)
+  } catch (error) {
+    if (isCredentialsEncryptionUnavailableError(error)) {
+      return NextResponse.json({ error: 'Integration credentials encryption is unavailable' }, { status: 503 })
+    }
+    throw error
+  }
 
   await emitIntegrationsEvent('integrations.credentials.updated', {
     integrationId: integration.id,

package/src/modules/integrations/lib/credentials-service.ts

@@ -1,4 +1,3 @@
-import crypto from 'node:crypto'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { decryptWithAesGcm, encryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
@@ -14,7 +13,19 @@ import { EncryptionMap } from '../../entities/data/entities'
 import { IntegrationCredentials } from '../data/entities'
 
 const ENCRYPTED_CREDENTIALS_BLOB_KEY = '__om_encrypted_credentials_blob_v1'
-const DERIVED_KEY_CONTEXT = 'integrations.credentials'
+const CREDENTIALS_ENCRYPTION_UNAVAILABLE_MESSAGE =
+  'Integration credentials encryption key is unavailable. Configure Vault KMS or TENANT_DATA_ENCRYPTION_FALLBACK_KEY.'
+
+export class CredentialsEncryptionUnavailableError extends Error {
+  constructor() {
+    super(CREDENTIALS_ENCRYPTION_UNAVAILABLE_MESSAGE)
+    this.name = 'CredentialsEncryptionUnavailableError'
+  }
+}
+
+export function isCredentialsEncryptionUnavailableError(error: unknown): error is CredentialsEncryptionUnavailableError {
+  return error instanceof CredentialsEncryptionUnavailableError
+}
 
 function isRecordValue(value: unknown): value is Record<string, unknown> {
   return !!value && typeof value === 'object' && !Array.isArray(value)
@@ -28,35 +39,6 @@ function normalizeCredentialsRecord(value: unknown): Record<string, unknown> {
   return isRecordValue(parsed) ? parsed : {}
 }
 
-function resolveFallbackEncryptionSecret(): string {
-  const candidates = [
-    process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY,
-    process.env.TENANT_DATA_ENCRYPTION_KEY,
-    process.env.AUTH_SECRET,
-    process.env.NEXTAUTH_SECRET,
-  ]
-
-  for (const value of candidates) {
-    const normalized = value?.trim()
-    if (normalized) return normalized
-  }
-
-  if (process.env.NODE_ENV !== 'production') return 'om-dev-tenant-encryption'
-
-  console.warn(
-    '[integrations.credentials] No encryption secret configured; using emergency fallback secret. Configure TENANT_DATA_ENCRYPTION_FALLBACK_KEY immediately.',
-  )
-  return 'om-emergency-fallback-rotate-me'
-}
-
-function deriveDekFromSecret(secret: string, tenantId: string): string {
-  return crypto
-    .createHash('sha256')
-    .update(`${DERIVED_KEY_CONTEXT}:${tenantId}:${secret}`)
-    .digest()
-    .toString('base64')
-}
-
 export function createCredentialsService(em: EntityManager) {
   const credentialsEncryptionSpec = [{ field: 'credentials' }]
 
@@ -100,7 +82,7 @@ export function createCredentialsService(em: EntityManager) {
     const created = await kms.createTenantDek(scope.tenantId)
     if (created?.key) return created.key
 
-    return deriveDekFromSecret(resolveFallbackEncryptionSecret(), scope.tenantId)
+    throw new CredentialsEncryptionUnavailableError()
   }
 
   async function encryptCredentialsBlob(
@@ -162,8 +144,8 @@ export function createCredentialsService(em: EntityManager) {
     },
 
     async save(integrationId: string, credentials: Record<string, unknown>, scope: IntegrationScope): Promise<void> {
-      await ensureCredentialsEncryptionMap(scope)
       const encryptedCredentials = await encryptCredentialsBlob(credentials, scope)
+      await ensureCredentialsEncryptionMap(scope)
 
       const row = await findOneWithDecryption(
         em,

package/src/modules/query_index/acl.ts

@@ -1,7 +1,17 @@
 export const features = [
   { id: 'query_index.status.view', title: 'View index status', module: 'query_index' },
-  { id: 'query_index.reindex', title: 'Trigger reindex', module: 'query_index' },
-  { id: 'query_index.purge', title: 'Purge index', module: 'query_index' },
+  {
+    id: 'query_index.reindex',
+    title: 'Trigger reindex',
+    module: 'query_index',
+    dependsOn: ['query_index.status.view'],
+  },
+  {
+    id: 'query_index.purge',
+    title: 'Purge index',
+    module: 'query_index',
+    dependsOn: ['query_index.status.view'],
+  },
 ]
 
 export default features

package/src/modules/query_index/lib/engine.ts

@@ -1,4 +1,4 @@
-import type { QueryEngine, QueryOptions, QueryResult, FilterOp, Filter, QueryCustomFieldSource, PartialIndexWarning, QueryExtensionsConfig } from '@open-mercato/shared/lib/query/types'
+import type { QueryEngine, QueryOptions, QueryResult, FilterOp, Filter, QueryCustomFieldSource, PartialIndexWarning, QueryExtensionsConfig, Sort } from '@open-mercato/shared/lib/query/types'
 import { SortDir } from '@open-mercato/shared/lib/query/types'
 import type { EntityId } from '@open-mercato/shared/modules/entities'
 import type { EntityManager } from '@mikro-orm/postgresql'
@@ -21,6 +21,7 @@ import {
 import { resolveSearchConfig, type SearchConfig } from '@open-mercato/shared/lib/search/config'
 import { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'
 import { runBeforeQueryPipeline, runAfterQueryPipeline, type QueryExtensionContext } from '@open-mercato/shared/lib/query/query-extension-runner'
+import { resolveEncryptedSortFields, sortRowsInMemory } from '@open-mercato/shared/lib/query/encrypted-sort'
 
 function buildFilterableCustomFieldJoins(
   sources: QueryCustomFieldSource[] | undefined,
@@ -90,6 +91,7 @@ type SearchRuntime = {
 
 type EncryptionResolver = () => {
   decryptEntityPayload?: (entityId: EntityId, payload: Record<string, unknown>, tenantId?: string | null, organizationId?: string | null) => Promise<Record<string, unknown>>
+  getEncryptedFieldNames?: (entityId: EntityId, tenantId?: string | null, organizationId?: string | null) => Promise<readonly string[]>
   isEnabled?: () => boolean
 } | null
 
@@ -504,6 +506,28 @@ export class HybridQueryEngine implements QueryEngine {
         if (field === 'organization_id' && columns.has('id')) return 'id'
         return null
       }
+      const fallbackOrgId =
+        opts.organizationId
+        ?? (Array.isArray(opts.organizationIds) && opts.organizationIds.length === 1 ? opts.organizationIds[0] : null)
+      const encSvc = this.getEncryptionService()
+      const resolvedSorts: Sort[] = []
+      for (const sort of opts.sort || []) {
+        const field = String(sort.field)
+        if (field.startsWith('cf:')) {
+          resolvedSorts.push({ ...sort, field })
+        } else {
+          const baseField = resolveBaseColumn(field)
+          if (baseField) resolvedSorts.push({ ...sort, field: baseField })
+        }
+      }
+      const encryptedSortFields = await resolveEncryptedSortFields(
+        encSvc,
+        entity,
+        resolvedSorts.filter((sort) => !sort.field.startsWith('cf:')).map((sort) => sort.field),
+        opts.tenantId ?? null,
+        fallbackOrgId,
+      )
+      const requiresPlaintextSort = encryptedSortFields.size > 0
 
       // ────────────────────────────────────────────────────────────────
       // Build a reusable "applyQueryShape" function that applies every
@@ -735,6 +759,9 @@ export class HybridQueryEngine implements QueryEngine {
 
       // Selection (for data query)
       const selectFieldSet = new Set<string>((opts.fields && opts.fields.length) ? opts.fields.map(String) : Array.from(columns.keys()))
+      if (requiresPlaintextSort) {
+        for (const field of encryptedSortFields) selectFieldSet.add(field)
+      }
       if (opts.includeCustomFields === true) {
         const entityIds = Array.from(new Set(indexSources.map((src) => String(src.entityId))))
         try {
@@ -767,7 +794,8 @@ export class HybridQueryEngine implements QueryEngine {
 
       const applySort = (q: AnyBuilder): AnyBuilder => {
         let next = q
-        for (const s of opts.sort || []) {
+        if (requiresPlaintextSort) return next
+        for (const s of resolvedSorts) {
           const fieldName = String(s.field)
           if (fieldName.startsWith('cf:')) {
             const textExpr = this.buildCfTextExprSql(fieldName, indexSources)
@@ -845,7 +873,9 @@ export class HybridQueryEngine implements QueryEngine {
       let dataBuilder = await applyQueryShape(dataRoot)
       dataBuilder = applySelection(dataBuilder)
       dataBuilder = applySort(dataBuilder)
-      dataBuilder = dataBuilder.limit(pageSize).offset((page - 1) * pageSize)
+      if (!requiresPlaintextSort) {
+        dataBuilder = dataBuilder.limit(pageSize).offset((page - 1) * pageSize)
+      }
 
       if (debugEnabled && sqlDebugEnabled) {
         const compiled = dataBuilder.compile()
@@ -859,15 +889,11 @@ export class HybridQueryEngine implements QueryEngine {
       if (debugEnabled) this.debug('query:complete', { entity, total, items: Array.isArray(itemsRaw) ? itemsRaw.length : 0 })
 
       let items = itemsRaw as any[]
-      const encSvc = this.getEncryptionService()
       const dekKeyCache = new Map<string | null, string | null>()
       if (encSvc?.decryptEntityPayload) {
         const decrypt = encSvc.decryptEntityPayload.bind(encSvc) as (
           entityId: EntityId, payload: Record<string, unknown>, tenantId: string | null, organizationId: string | null,
         ) => Promise<Record<string, unknown>>
-        const fallbackOrgId =
-          opts.organizationId
-          ?? (Array.isArray(opts.organizationIds) && opts.organizationIds.length === 1 ? opts.organizationIds[0] : null)
         items = await Promise.all(
           items.map(async (item) => {
             try {
@@ -900,6 +926,10 @@ export class HybridQueryEngine implements QueryEngine {
           }),
         )
       }
+      if (requiresPlaintextSort) {
+        items = sortRowsInMemory(items as Record<string, unknown>[], resolvedSorts)
+          .slice((page - 1) * pageSize, page * pageSize)
+      }
 
       const typedItems = items as unknown as T[]
       let result: QueryResult<T> = { items: typedItems, page, pageSize, total }

package/src/modules/resources/acl.ts

@@ -1,6 +1,11 @@
 export const features = [
   { id: 'resources.view', title: 'View resources', module: 'resources' },
-  { id: 'resources.manage_resources', title: 'Manage resources', module: 'resources' },
+  {
+    id: 'resources.manage_resources',
+    title: 'Manage resources',
+    module: 'resources',
+    dependsOn: ['resources.view'],
+  },
 ]
 
 export default features

package/src/modules/sync_excel/acl.ts

@@ -1,6 +1,11 @@
 export const features = [
   { id: 'sync_excel.view', title: 'View sync_excel uploads and previews', module: 'sync_excel' },
-  { id: 'sync_excel.run', title: 'Upload CSV files and prepare imports', module: 'sync_excel' },
+  {
+    id: 'sync_excel.run',
+    title: 'Upload CSV files and prepare imports',
+    module: 'sync_excel',
+    dependsOn: ['sync_excel.view'],
+  },
 ]
 
 export default features