@open-mercato/core 0.6.4-develop.4095.1.9c790dc021 → 0.6.4-develop.4110.1.836aafde58

package/dist/modules/planner/components/availabilityRulesEditorState.js

@@ -0,0 +1,8 @@
+function resolveRuleSetSelectValue(ruleSets, selectedRulesetId) {
+  if (!selectedRulesetId) return void 0;
+  return ruleSets.some((ruleSet) => ruleSet.id === selectedRulesetId) ? selectedRulesetId : void 0;
+}
+export {
+  resolveRuleSetSelectValue
+};
+//# sourceMappingURL=availabilityRulesEditorState.js.map

package/dist/modules/planner/components/availabilityRulesEditorState.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/planner/components/availabilityRulesEditorState.ts"],
+  "sourcesContent": ["export type AvailabilityRuleSetOption = {\n  id: string\n}\n\nexport function resolveRuleSetSelectValue(\n  ruleSets: AvailabilityRuleSetOption[],\n  selectedRulesetId: string | null | undefined,\n): string | undefined {\n  if (!selectedRulesetId) return undefined\n  return ruleSets.some((ruleSet) => ruleSet.id === selectedRulesetId) ? selectedRulesetId : undefined\n}\n"],
+  "mappings": "AAIO,SAAS,0BACd,UACA,mBACoB;AACpB,MAAI,CAAC,kBAAmB,QAAO;AAC/B,SAAO,SAAS,KAAK,CAAC,YAAY,QAAQ,OAAO,iBAAiB,IAAI,oBAAoB;AAC5F;",
+  "names": []
+}

package/dist/modules/query_index/acl.js

@@ -1,7 +1,17 @@
 const features = [
   { id: "query_index.status.view", title: "View index status", module: "query_index" },
-  { id: "query_index.reindex", title: "Trigger reindex", module: "query_index" },
-  { id: "query_index.purge", title: "Purge index", module: "query_index" }
+  {
+    id: "query_index.reindex",
+    title: "Trigger reindex",
+    module: "query_index",
+    dependsOn: ["query_index.status.view"]
+  },
+  {
+    id: "query_index.purge",
+    title: "Purge index",
+    module: "query_index",
+    dependsOn: ["query_index.status.view"]
+  }
 ];
 var acl_default = features;
 export {

package/dist/modules/query_index/acl.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/query_index/acl.ts"],
-  "sourcesContent": ["export const features = [\n  { id: 'query_index.status.view', title: 'View index status', module: 'query_index' },\n  { id: 'query_index.reindex', title: 'Trigger reindex', module: 'query_index' },\n  { id: 'query_index.purge', title: 'Purge index', module: 'query_index' },\n]\n\nexport default features\n"],
-  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,2BAA2B,OAAO,qBAAqB,QAAQ,cAAc;AAAA,EACnF,EAAE,IAAI,uBAAuB,OAAO,mBAAmB,QAAQ,cAAc;AAAA,EAC7E,EAAE,IAAI,qBAAqB,OAAO,eAAe,QAAQ,cAAc;AACzE;AAEA,IAAO,cAAQ;",
+  "sourcesContent": ["export const features = [\n  { id: 'query_index.status.view', title: 'View index status', module: 'query_index' },\n  {\n    id: 'query_index.reindex',\n    title: 'Trigger reindex',\n    module: 'query_index',\n    dependsOn: ['query_index.status.view'],\n  },\n  {\n    id: 'query_index.purge',\n    title: 'Purge index',\n    module: 'query_index',\n    dependsOn: ['query_index.status.view'],\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,2BAA2B,OAAO,qBAAqB,QAAQ,cAAc;AAAA,EACnF;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,yBAAyB;AAAA,EACvC;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,yBAAyB;AAAA,EACvC;AACF;AAEA,IAAO,cAAQ;",
   "names": []
 }

package/dist/modules/resources/acl.js

@@ -1,6 +1,11 @@
 const features = [
   { id: "resources.view", title: "View resources", module: "resources" },
-  { id: "resources.manage_resources", title: "Manage resources", module: "resources" }
+  {
+    id: "resources.manage_resources",
+    title: "Manage resources",
+    module: "resources",
+    dependsOn: ["resources.view"]
+  }
 ];
 var acl_default = features;
 export {

package/dist/modules/resources/acl.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/resources/acl.ts"],
-  "sourcesContent": ["export const features = [\n  { id: 'resources.view', title: 'View resources', module: 'resources' },\n  { id: 'resources.manage_resources', title: 'Manage resources', module: 'resources' },\n]\n\nexport default features\n"],
-  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,kBAAkB,OAAO,kBAAkB,QAAQ,YAAY;AAAA,EACrE,EAAE,IAAI,8BAA8B,OAAO,oBAAoB,QAAQ,YAAY;AACrF;AAEA,IAAO,cAAQ;",
+  "sourcesContent": ["export const features = [\n  { id: 'resources.view', title: 'View resources', module: 'resources' },\n  {\n    id: 'resources.manage_resources',\n    title: 'Manage resources',\n    module: 'resources',\n    dependsOn: ['resources.view'],\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,kBAAkB,OAAO,kBAAkB,QAAQ,YAAY;AAAA,EACrE;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,gBAAgB;AAAA,EAC9B;AACF;AAEA,IAAO,cAAQ;",
   "names": []
 }

package/dist/modules/sync_excel/acl.js

@@ -1,6 +1,11 @@
 const features = [
   { id: "sync_excel.view", title: "View sync_excel uploads and previews", module: "sync_excel" },
-  { id: "sync_excel.run", title: "Upload CSV files and prepare imports", module: "sync_excel" }
+  {
+    id: "sync_excel.run",
+    title: "Upload CSV files and prepare imports",
+    module: "sync_excel",
+    dependsOn: ["sync_excel.view"]
+  }
 ];
 var acl_default = features;
 export {

package/dist/modules/sync_excel/acl.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/modules/sync_excel/acl.ts"],
-  "sourcesContent": ["export const features = [\n  { id: 'sync_excel.view', title: 'View sync_excel uploads and previews', module: 'sync_excel' },\n  { id: 'sync_excel.run', title: 'Upload CSV files and prepare imports', module: 'sync_excel' },\n]\n\nexport default features\n"],
-  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,mBAAmB,OAAO,wCAAwC,QAAQ,aAAa;AAAA,EAC7F,EAAE,IAAI,kBAAkB,OAAO,wCAAwC,QAAQ,aAAa;AAC9F;AAEA,IAAO,cAAQ;",
+  "sourcesContent": ["export const features = [\n  { id: 'sync_excel.view', title: 'View sync_excel uploads and previews', module: 'sync_excel' },\n  {\n    id: 'sync_excel.run',\n    title: 'Upload CSV files and prepare imports',\n    module: 'sync_excel',\n    dependsOn: ['sync_excel.view'],\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,mBAAmB,OAAO,wCAAwC,QAAQ,aAAa;AAAA,EAC7F;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,WAAW,CAAC,iBAAiB;AAAA,EAC/B;AACF;AAEA,IAAO,cAAQ;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.6.4-develop.4095.1.9c790dc021",
+  "version": "0.6.4-develop.4110.1.836aafde58",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -243,16 +243,16 @@
     "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4095.1.9c790dc021",
-    "@open-mercato/shared": "0.6.4-develop.4095.1.9c790dc021",
-    "@open-mercato/ui": "0.6.4-develop.4095.1.9c790dc021",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4110.1.836aafde58",
+    "@open-mercato/shared": "0.6.4-develop.4110.1.836aafde58",
+    "@open-mercato/ui": "0.6.4-develop.4110.1.836aafde58",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4095.1.9c790dc021",
-    "@open-mercato/shared": "0.6.4-develop.4095.1.9c790dc021",
-    "@open-mercato/ui": "0.6.4-develop.4095.1.9c790dc021",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4110.1.836aafde58",
+    "@open-mercato/shared": "0.6.4-develop.4110.1.836aafde58",
+    "@open-mercato/ui": "0.6.4-develop.4110.1.836aafde58",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.1",

package/src/modules/currencies/acl.ts

@@ -8,26 +8,31 @@ export const features = [
     id: 'currencies.manage',
     title: 'Manage currencies',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.rates.view',
     title: 'View exchange rates',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.rates.manage',
     title: 'Manage exchange rates',
     module: 'currencies',
+    dependsOn: ['currencies.rates.view'],
   },
   {
     id: 'currencies.fetch.view',
     title: 'View currency fetch configuration',
     module: 'currencies',
+    dependsOn: ['currencies.view'],
   },
   {
     id: 'currencies.fetch.manage',
     title: 'Manage currency fetch configuration',
     module: 'currencies',
+    dependsOn: ['currencies.fetch.view'],
   },
 ]
 

package/src/modules/directory/acl.ts

@@ -1,8 +1,18 @@
 export const features = [
     { id: 'directory.tenants.view', title: 'View tenants', module: 'directory' },
-    { id: 'directory.tenants.manage', title: 'Manage tenants', module: 'directory' },
+    {
+        id: 'directory.tenants.manage',
+        title: 'Manage tenants',
+        module: 'directory',
+        dependsOn: ['directory.tenants.view'],
+    },
     { id: 'directory.organizations.view', title: 'View organizations', module: 'directory' },
-    { id: 'directory.organizations.manage', title: 'Manage organizations', module: 'directory' },
+    {
+        id: 'directory.organizations.manage',
+        title: 'Manage organizations',
+        module: 'directory',
+        dependsOn: ['directory.organizations.view'],
+    },
 ]
 
 export default features

package/src/modules/directory/api/tenants/route.ts

@@ -136,27 +136,6 @@ export async function GET(req: Request) {
     orderBy.name = 'ASC'
   }
 
-  const all = await em.find(Tenant, where, { orderBy })
-  const recordIds = all.map((tenant) => String(tenant.id))
-
-  const tenantIdByRecord: Record<string, string | null> = {}
-  const organizationIdByRecord: Record<string, string | null> = {}
-  for (const rid of recordIds) {
-    tenantIdByRecord[rid] = null
-    organizationIdByRecord[rid] = null
-  }
-
-  const cfValues = recordIds.length
-    ? await loadCustomFieldValues({
-        em,
-        entityId: E.directory.tenant,
-        recordIds,
-        tenantIdByRecord,
-        organizationIdByRecord,
-        tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],
-      })
-    : {}
-
   const rawQuery = Array.from(url.searchParams.keys()).reduce<Record<string, unknown>>((acc, key) => {
     const values = url.searchParams.getAll(key)
     if (!values.length) return acc
@@ -175,29 +154,64 @@ export async function GET(req: Request) {
     return [normalizedKey, condition] as const
   })
 
-  const filtered = cfFilterEntries.length
-    ? all.filter((tenant) => {
-        const rid = String(tenant.id)
-        const payload = cfValues[rid] ?? {}
-        return cfFilterEntries.every(([key, expected]) => {
-          const value = payload[`cf_${key}`]
-          if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
-            const maybeIn = (expected as { $in?: unknown[] }).$in
-            if (Array.isArray(maybeIn)) {
-              if (value === undefined || value === null) return false
-              if (Array.isArray(value)) return value.some((val) => maybeIn.includes(val))
-              return maybeIn.includes(value)
-            }
+  const loadCfValues = (tenants: Tenant[]): Promise<Record<string, Record<string, unknown>>> => {
+    const recordIds = tenants.map((tenant) => String(tenant.id))
+    if (!recordIds.length) return Promise.resolve({})
+    const tenantIdByRecord: Record<string, string | null> = {}
+    const organizationIdByRecord: Record<string, string | null> = {}
+    for (const rid of recordIds) {
+      tenantIdByRecord[rid] = null
+      organizationIdByRecord[rid] = null
+    }
+    return loadCustomFieldValues({
+      em,
+      entityId: E.directory.tenant,
+      recordIds,
+      tenantIdByRecord,
+      organizationIdByRecord,
+      tenantFallbacks: auth.tenantId ? [auth.tenantId] : [],
+    })
+  }
+
+  const start = (page - 1) * pageSize
+
+  let pageTenants: Tenant[]
+  let total: number
+  let cfValues: Record<string, Record<string, unknown>>
+
+  if (cfFilterEntries.length) {
+    // Custom-field filters are matched in JS against separately-loaded values,
+    // so the full result set must be fetched before filtering and paging.
+    const all = await em.find(Tenant, where, { orderBy })
+    cfValues = await loadCfValues(all)
+    const filtered = all.filter((tenant) => {
+      const rid = String(tenant.id)
+      const payload = cfValues[rid] ?? {}
+      return cfFilterEntries.every(([key, expected]) => {
+        const value = payload[`cf_${key}`]
+        if (expected && typeof expected === 'object' && !Array.isArray(expected)) {
+          const maybeIn = (expected as { $in?: unknown[] }).$in
+          if (Array.isArray(maybeIn)) {
+            if (value === undefined || value === null) return false
+            if (Array.isArray(value)) return value.some((val) => maybeIn.includes(val))
+            return maybeIn.includes(value)
           }
-          return matchesValue(value, expected)
-        })
+        }
+        return matchesValue(value, expected)
       })
-    : all
+    })
+    total = filtered.length
+    pageTenants = filtered.slice(start, start + pageSize)
+  } else {
+    // No JS-side filtering applies, so pagination is pushed to the database
+    // instead of fetching the whole table and slicing in memory.
+    const [rows, count] = await em.findAndCount(Tenant, where, { orderBy, limit: pageSize, offset: start })
+    total = count
+    pageTenants = rows
+    cfValues = await loadCfValues(rows)
+  }
 
-  const total = filtered.length
-  const start = (page - 1) * pageSize
-  const paged = filtered.slice(start, start + pageSize)
-  const items = paged.map((tenant) => {
+  const items = pageTenants.map((tenant) => {
     const rid = String(tenant.id)
     const cf = cfValues[rid] ?? {}
     return toRow(tenant, cf)

package/src/modules/entities/acl.ts

@@ -1,8 +1,18 @@
 export const features = [
   { id: 'entities.definitions.view', title: 'View custom field definitions', module: 'entities' },
-  { id: 'entities.definitions.manage', title: 'Manage custom field definitions', module: 'entities' },
+  {
+    id: 'entities.definitions.manage',
+    title: 'Manage custom field definitions',
+    module: 'entities',
+    dependsOn: ['entities.definitions.view'],
+  },
   { id: 'entities.records.view', title: 'View records', module: 'entities' },
-  { id: 'entities.records.manage', title: 'Manage records', module: 'entities' },
+  {
+    id: 'entities.records.manage',
+    title: 'Manage records',
+    module: 'entities',
+    dependsOn: ['entities.records.view'],
+  },
 ]
 
 export default features

package/src/modules/integrations/api/[id]/credentials/route.ts

@@ -5,7 +5,10 @@ import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { getIntegration } from '@open-mercato/shared/modules/integrations/types'
 import { emitIntegrationsEvent } from '../../../events'
 import { saveCredentialsSchema } from '../../../data/validators'
-import type { CredentialsService } from '../../../lib/credentials-service'
+import {
+  isCredentialsEncryptionUnavailableError,
+  type CredentialsService,
+} from '../../../lib/credentials-service'
 import {
   resolveUserFeatures,
   runIntegrationMutationGuardAfterSuccess,
@@ -53,7 +56,15 @@ export async function GET(req: Request, ctx: { params?: Promise<{ id?: string }>
   const credentialsService = container.resolve('integrationCredentialsService') as CredentialsService
   const scope = { organizationId: auth.orgId as string, tenantId: auth.tenantId }
 
-  const values = await credentialsService.resolve(integration.id, scope)
+  let values: Record<string, unknown> | null
+  try {
+    values = await credentialsService.resolve(integration.id, scope)
+  } catch (error) {
+    if (isCredentialsEncryptionUnavailableError(error)) {
+      return NextResponse.json({ error: 'Integration credentials encryption is unavailable' }, { status: 503 })
+    }
+    throw error
+  }
 
   return NextResponse.json({
     integrationId: integration.id,
@@ -118,7 +129,14 @@ export async function PUT(req: Request, ctx: { params?: Promise<{ id?: string }>
   const credentialsService = container.resolve('integrationCredentialsService') as CredentialsService
   const scope = { organizationId: auth.orgId as string, tenantId: auth.tenantId }
 
-  await credentialsService.save(integration.id, payloadData.credentials, scope)
+  try {
+    await credentialsService.save(integration.id, payloadData.credentials, scope)
+  } catch (error) {
+    if (isCredentialsEncryptionUnavailableError(error)) {
+      return NextResponse.json({ error: 'Integration credentials encryption is unavailable' }, { status: 503 })
+    }
+    throw error
+  }
 
   await emitIntegrationsEvent('integrations.credentials.updated', {
     integrationId: integration.id,

package/src/modules/integrations/lib/credentials-service.ts

@@ -1,4 +1,3 @@
-import crypto from 'node:crypto'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { decryptWithAesGcm, encryptWithAesGcm } from '@open-mercato/shared/lib/encryption/aes'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
@@ -14,7 +13,19 @@ import { EncryptionMap } from '../../entities/data/entities'
 import { IntegrationCredentials } from '../data/entities'
 
 const ENCRYPTED_CREDENTIALS_BLOB_KEY = '__om_encrypted_credentials_blob_v1'
-const DERIVED_KEY_CONTEXT = 'integrations.credentials'
+const CREDENTIALS_ENCRYPTION_UNAVAILABLE_MESSAGE =
+  'Integration credentials encryption key is unavailable. Configure Vault KMS or TENANT_DATA_ENCRYPTION_FALLBACK_KEY.'
+
+export class CredentialsEncryptionUnavailableError extends Error {
+  constructor() {
+    super(CREDENTIALS_ENCRYPTION_UNAVAILABLE_MESSAGE)
+    this.name = 'CredentialsEncryptionUnavailableError'
+  }
+}
+
+export function isCredentialsEncryptionUnavailableError(error: unknown): error is CredentialsEncryptionUnavailableError {
+  return error instanceof CredentialsEncryptionUnavailableError
+}
 
 function isRecordValue(value: unknown): value is Record<string, unknown> {
   return !!value && typeof value === 'object' && !Array.isArray(value)
@@ -28,35 +39,6 @@ function normalizeCredentialsRecord(value: unknown): Record<string, unknown> {
   return isRecordValue(parsed) ? parsed : {}
 }
 
-function resolveFallbackEncryptionSecret(): string {
-  const candidates = [
-    process.env.TENANT_DATA_ENCRYPTION_FALLBACK_KEY,
-    process.env.TENANT_DATA_ENCRYPTION_KEY,
-    process.env.AUTH_SECRET,
-    process.env.NEXTAUTH_SECRET,
-  ]
-
-  for (const value of candidates) {
-    const normalized = value?.trim()
-    if (normalized) return normalized
-  }
-
-  if (process.env.NODE_ENV !== 'production') return 'om-dev-tenant-encryption'
-
-  console.warn(
-    '[integrations.credentials] No encryption secret configured; using emergency fallback secret. Configure TENANT_DATA_ENCRYPTION_FALLBACK_KEY immediately.',
-  )
-  return 'om-emergency-fallback-rotate-me'
-}
-
-function deriveDekFromSecret(secret: string, tenantId: string): string {
-  return crypto
-    .createHash('sha256')
-    .update(`${DERIVED_KEY_CONTEXT}:${tenantId}:${secret}`)
-    .digest()
-    .toString('base64')
-}
-
 export function createCredentialsService(em: EntityManager) {
   const credentialsEncryptionSpec = [{ field: 'credentials' }]
 
@@ -100,7 +82,7 @@ export function createCredentialsService(em: EntityManager) {
     const created = await kms.createTenantDek(scope.tenantId)
     if (created?.key) return created.key
 
-    return deriveDekFromSecret(resolveFallbackEncryptionSecret(), scope.tenantId)
+    throw new CredentialsEncryptionUnavailableError()
   }
 
   async function encryptCredentialsBlob(
@@ -162,8 +144,8 @@ export function createCredentialsService(em: EntityManager) {
     },
 
     async save(integrationId: string, credentials: Record<string, unknown>, scope: IntegrationScope): Promise<void> {
-      await ensureCredentialsEncryptionMap(scope)
       const encryptedCredentials = await encryptCredentialsBlob(credentials, scope)
+      await ensureCredentialsEncryptionMap(scope)
 
       const row = await findOneWithDecryption(
         em,