@open-mercato/core 0.6.4-develop.4121.1.0d7f20d229 → 0.6.4-develop.4152.1.1c429e5200

package/dist/modules/planner/components/availabilityRulesEditorState.js

@@ -2,7 +2,16 @@ function resolveRuleSetSelectValue(ruleSets, selectedRulesetId) {
   if (!selectedRulesetId) return void 0;
   return ruleSets.some((ruleSet) => ruleSet.id === selectedRulesetId) ? selectedRulesetId : void 0;
 }
+function selectCustomRuleIdsToDelete(transition, rules) {
+  if (transition === "switch") return [];
+  return Array.from(new Set(rules.map((rule) => rule.id)));
+}
+function requiresResetConfirmation(rules) {
+  return rules.length > 0;
+}
 export {
-  resolveRuleSetSelectValue
+  requiresResetConfirmation,
+  resolveRuleSetSelectValue,
+  selectCustomRuleIdsToDelete
 };
 //# sourceMappingURL=availabilityRulesEditorState.js.map

package/dist/modules/planner/components/availabilityRulesEditorState.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/planner/components/availabilityRulesEditorState.ts"],
-  "sourcesContent": ["export type AvailabilityRuleSetOption = {\n  id: string\n}\n\nexport function resolveRuleSetSelectValue(\n  ruleSets: AvailabilityRuleSetOption[],\n  selectedRulesetId: string | null | undefined,\n): string | undefined {\n  if (!selectedRulesetId) return undefined\n  return ruleSets.some((ruleSet) => ruleSet.id === selectedRulesetId) ? selectedRulesetId : undefined\n}\n"],
-  "mappings": "AAIO,SAAS,0BACd,UACA,mBACoB;AACpB,MAAI,CAAC,kBAAmB,QAAO;AAC/B,SAAO,SAAS,KAAK,CAAC,YAAY,QAAQ,OAAO,iBAAiB,IAAI,oBAAoB;AAC5F;",
+  "sourcesContent": ["export type AvailabilityRuleSetOption = {\n  id: string\n}\n\nexport type AvailabilityRuleRef = {\n  id: string\n}\n\nexport type RuleSetTransition = 'switch' | 'reset'\n\nexport function resolveRuleSetSelectValue(\n  ruleSets: AvailabilityRuleSetOption[],\n  selectedRulesetId: string | null | undefined,\n): string | undefined {\n  if (!selectedRulesetId) return undefined\n  return ruleSets.some((ruleSet) => ruleSet.id === selectedRulesetId) ? selectedRulesetId : undefined\n}\n\n// Selects which member-level custom rules to delete for a ruleset transition.\n// Switching schedules preserves the member's saved custom hours (#2325): only\n// an explicit \"Reset to schedule\" discards them so the shared schedule applies.\nexport function selectCustomRuleIdsToDelete(\n  transition: RuleSetTransition,\n  rules: AvailabilityRuleRef[],\n): string[] {\n  if (transition === 'switch') return []\n  return Array.from(new Set(rules.map((rule) => rule.id)))\n}\n\nexport function requiresResetConfirmation(rules: AvailabilityRuleRef[]): boolean {\n  return rules.length > 0\n}\n"],
+  "mappings": "AAUO,SAAS,0BACd,UACA,mBACoB;AACpB,MAAI,CAAC,kBAAmB,QAAO;AAC/B,SAAO,SAAS,KAAK,CAAC,YAAY,QAAQ,OAAO,iBAAiB,IAAI,oBAAoB;AAC5F;AAKO,SAAS,4BACd,YACA,OACU;AACV,MAAI,eAAe,SAAU,QAAO,CAAC;AACrC,SAAO,MAAM,KAAK,IAAI,IAAI,MAAM,IAAI,CAAC,SAAS,KAAK,EAAE,CAAC,CAAC;AACzD;AAEO,SAAS,0BAA0B,OAAuC;AAC/E,SAAO,MAAM,SAAS;AACxB;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/core",
-  "version": "0.6.4-develop.4121.1.0d7f20d229",
+  "version": "0.6.4-develop.4152.1.1c429e5200",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -243,16 +243,16 @@
     "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4121.1.0d7f20d229",
-    "@open-mercato/shared": "0.6.4-develop.4121.1.0d7f20d229",
-    "@open-mercato/ui": "0.6.4-develop.4121.1.0d7f20d229",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4152.1.1c429e5200",
+    "@open-mercato/shared": "0.6.4-develop.4152.1.1c429e5200",
+    "@open-mercato/ui": "0.6.4-develop.4152.1.1c429e5200",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/ai-assistant": "0.6.4-develop.4121.1.0d7f20d229",
-    "@open-mercato/shared": "0.6.4-develop.4121.1.0d7f20d229",
-    "@open-mercato/ui": "0.6.4-develop.4121.1.0d7f20d229",
+    "@open-mercato/ai-assistant": "0.6.4-develop.4152.1.1c429e5200",
+    "@open-mercato/shared": "0.6.4-develop.4152.1.1c429e5200",
+    "@open-mercato/ui": "0.6.4-develop.4152.1.1c429e5200",
     "@testing-library/dom": "^10.4.1",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.1",

package/src/modules/customer_accounts/api/admin/users/[id]/reset-password.ts

@@ -52,6 +52,7 @@ export async function POST(req: Request, { params }: { params: { id: string } })
 
   void emitCustomerAccountsEvent('customer_accounts.password.reset', {
     id: user.id,
+    recipientUserId: user.id,
     email: user.email,
     tenantId: auth.tenantId,
     organizationId: auth.orgId,

package/src/modules/customer_accounts/api/admin/users/[id]/send-reset-link.ts

@@ -36,6 +36,7 @@ export async function POST(req: Request, { params }: { params: { id: string } })
 
   void emitCustomerAccountsEvent('customer_accounts.password.reset', {
     id: user.id,
+    recipientUserId: user.id,
     email: user.email,
     tenantId: auth.tenantId,
     organizationId: auth.orgId,

package/src/modules/customer_accounts/api/admin/users/[id]/verify-email.ts

@@ -41,6 +41,7 @@ export async function POST(req: Request, { params }: { params: { id: string } })
 
   void emitCustomerAccountsEvent('customer_accounts.email.verified', {
     id: user.id,
+    recipientUserId: user.id,
     email: user.email,
     tenantId: auth.tenantId,
     organizationId: auth.orgId,

package/src/modules/customer_accounts/api/admin/users/[id].ts

@@ -190,6 +190,7 @@ export async function PUT(req: Request, { params }: { params: { id: string } })
 
   void emitCustomerAccountsEvent('customer_accounts.user.updated', {
     id: user.id,
+    recipientUserId: user.id,
     email: user.email,
     tenantId: auth.tenantId,
     organizationId: auth.orgId,

package/src/modules/customer_accounts/api/email/verify.ts

@@ -35,6 +35,7 @@ export async function POST(req: Request) {
 
   void emitCustomerAccountsEvent('customer_accounts.email.verified', {
     userId: result.userId,
+    recipientUserId: result.userId,
     tenantId: result.tenantId,
   }).catch(() => undefined)
 

package/src/modules/customer_accounts/api/portal/events/stream.ts

@@ -31,6 +31,7 @@ type PortalSseConnection = {
 function normalizeAudience(data: Record<string, unknown>): {
   tenantId: string | null
   organizationScopes: string[]
+  recipientUserScopes: string[]
 } {
   const tenantId = typeof data.tenantId === 'string' ? data.tenantId : null
   const organizationScopes = new Set<string>()
@@ -44,7 +45,24 @@ function normalizeAudience(data: Record<string, unknown>): {
       }
     }
   }
-  return { tenantId, organizationScopes: Array.from(organizationScopes) }
+
+  const recipientUserScopes = new Set<string>()
+  if (typeof data.recipientUserId === 'string' && data.recipientUserId.trim().length > 0) {
+    recipientUserScopes.add(data.recipientUserId.trim())
+  }
+  if (Array.isArray(data.recipientUserIds)) {
+    for (const userId of data.recipientUserIds) {
+      if (typeof userId === 'string' && userId.trim().length > 0) {
+        recipientUserScopes.add(userId.trim())
+      }
+    }
+  }
+
+  return {
+    tenantId,
+    organizationScopes: Array.from(organizationScopes),
+    recipientUserScopes: Array.from(recipientUserScopes),
+  }
 }
 
 function matchesAudience(conn: PortalSseConnection, audience: ReturnType<typeof normalizeAudience>): boolean {
@@ -53,6 +71,9 @@ function matchesAudience(conn: PortalSseConnection, audience: ReturnType<typeof
   if (audience.organizationScopes.length > 0) {
     if (!audience.organizationScopes.includes(conn.organizationId)) return false
   }
+  if (audience.recipientUserScopes.length > 0 && !audience.recipientUserScopes.includes(conn.customerUserId)) {
+    return false
+  }
   return true
 }
 
@@ -194,7 +215,7 @@ export async function GET(req: Request): Promise<Response> {
 
 const methodDoc: OpenApiMethodDoc = {
   summary: 'Subscribe to portal events via SSE (Portal Event Bridge)',
-  description: 'Long-lived SSE connection that receives server-side events marked with portalBroadcast: true. Events are filtered by the customer\'s tenant and organization.',
+  description: 'Long-lived SSE connection that receives server-side events marked with portalBroadcast: true. Events are filtered by the customer\'s tenant, organization, and recipient user audience.',
   tags: ['Customer Portal'],
   responses: [
     {

package/src/modules/dashboards/api/widgets/data/batch/route.ts

@@ -0,0 +1,168 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import type { CacheStrategy } from '@open-mercato/cache'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import {
+  createWidgetDataService,
+  type WidgetDataRequest,
+  WidgetDataValidationError,
+} from '../../../../services/widgetDataService'
+import { runWidgetDataBatch } from '../../../../lib/widgetDataBatch'
+import type { AnalyticsRegistry } from '../../../../services/analyticsRegistry'
+import type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { dashboardsTag, dashboardsErrorSchema } from '../../../openapi'
+import { widgetDataRequestSchema, widgetDataResponseSchema } from '../schema'
+
+export const metadata = {
+  POST: { requireAuth: true, requireFeatures: ['analytics.view'] },
+}
+
+const MAX_BATCH_SIZE = 50
+
+const widgetDataBatchRequestSchema = z.object({
+  requests: z
+    .array(
+      z.object({
+        id: z.string().min(1),
+        request: widgetDataRequestSchema,
+      }),
+    )
+    .min(1)
+    .max(MAX_BATCH_SIZE),
+})
+
+const widgetDataBatchResponseSchema = z.object({
+  results: z.array(
+    z.discriminatedUnion('ok', [
+      z.object({
+        id: z.string(),
+        ok: z.literal(true),
+        data: widgetDataResponseSchema,
+      }),
+      z.object({
+        id: z.string(),
+        ok: z.literal(false),
+        error: z.string(),
+      }),
+    ]),
+  ),
+})
+
+export async function POST(req: Request) {
+  const auth = await getAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  let body: unknown
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
+  }
+
+  const parsed = widgetDataBatchRequestSchema.safeParse(body)
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: 'Invalid request payload', issues: parsed.error.issues },
+      { status: 400 },
+    )
+  }
+
+  const tenantId = auth.tenantId ?? null
+  if (!tenantId) {
+    return NextResponse.json({ error: 'Tenant context is required' }, { status: 400 })
+  }
+
+  // Build the per-request DI/RBAC/org-scope stack exactly once for the whole
+  // batch instead of once per widget (see issue #2273).
+  const container = await createRequestContainer()
+  const analyticsRegistry = container.resolve<AnalyticsRegistry>('analyticsRegistry')
+
+  const em = (container.resolve('em') as EntityManager).fork({
+    clear: true,
+    freshEventManager: true,
+    useContext: true,
+  })
+
+  const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+
+  const organizationIds = (() => {
+    if (scope?.selectedId) return [scope.selectedId]
+    if (Array.isArray(scope?.filterIds) && scope.filterIds.length > 0) return scope.filterIds
+    if (scope?.allowedIds === null) return undefined
+    if (auth.orgId) return [auth.orgId]
+    return undefined
+  })()
+
+  const cache = container.resolve<CacheStrategy>('cache')
+  const service = createWidgetDataService(em, { tenantId, organizationIds }, analyticsRegistry, cache)
+
+  const rbacService = container.resolve<{
+    userHasAllFeatures: (
+      userId: string,
+      features: string[],
+      scope: { tenantId: string; organizationId?: string | null },
+    ) => Promise<boolean>
+  }>('rbacService')
+
+  try {
+    const results = await runWidgetDataBatch(parsed.data.requests as Array<{ id: string; request: WidgetDataRequest }>, {
+      getRequiredFeatures: (entityType) => analyticsRegistry.getRequiredFeatures(entityType),
+      checkFeatures: (features) => {
+        if (features.length === 0) return Promise.resolve(true)
+        return rbacService.userHasAllFeatures(auth.sub, features, {
+          tenantId,
+          organizationId: auth.orgId,
+        })
+      },
+      fetchOne: (request) => service.fetchWidgetData(request),
+      describeError: (error) =>
+        error instanceof WidgetDataValidationError
+          ? error.message
+          : 'An error occurred while processing your request',
+    })
+    return NextResponse.json({ results })
+  } catch (err) {
+    console.error('[widgets/data/batch] Error:', err)
+    return NextResponse.json(
+      { error: 'An error occurred while processing your request' },
+      { status: 500 },
+    )
+  }
+}
+
+const widgetDataBatchPostDoc: OpenApiMethodDoc = {
+  summary: 'Fetch aggregated data for multiple dashboard widgets in one request',
+  description:
+    'Resolves a batch of widget data requests with a single authentication, RBAC, organization-scope, and database-context setup. Each request is keyed by an opaque widget id and resolved independently, so a failure in one widget does not fail the batch.',
+  tags: [dashboardsTag],
+  requestBody: {
+    contentType: 'application/json',
+    schema: widgetDataBatchRequestSchema,
+    description: 'A list of id-keyed widget data requests to resolve together.',
+  },
+  responses: [
+    {
+      status: 200,
+      description: 'Per-widget aggregation results keyed by request id.',
+      schema: widgetDataBatchResponseSchema,
+    },
+  ],
+  errors: [
+    { status: 400, description: 'Invalid request payload', schema: dashboardsErrorSchema },
+    { status: 401, description: 'Authentication required', schema: dashboardsErrorSchema },
+    { status: 500, description: 'Internal server error', schema: dashboardsErrorSchema },
+  ],
+}
+
+export const openApi: OpenApiRouteDoc = {
+  tag: dashboardsTag,
+  summary: 'Batch widget data aggregation endpoint',
+  methods: {
+    POST: widgetDataBatchPostDoc,
+  },
+}

package/src/modules/dashboards/api/widgets/data/route.ts

@@ -1,5 +1,4 @@
 import { NextResponse } from 'next/server'
-import { z } from 'zod'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import type { CacheStrategy } from '@open-mercato/cache'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
@@ -13,100 +12,12 @@ import {
 import type { AnalyticsRegistry } from '../../../services/analyticsRegistry'
 import type { OpenApiMethodDoc, OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { dashboardsTag, dashboardsErrorSchema } from '../../openapi'
+import { widgetDataRequestSchema, widgetDataResponseSchema } from './schema'
 
 export const metadata = {
   POST: { requireAuth: true, requireFeatures: ['analytics.view'] },
 }
 
-const aggregateFunctionSchema = z.enum(['count', 'sum', 'avg', 'min', 'max'])
-const dateGranularitySchema = z.enum(['day', 'week', 'month', 'quarter', 'year'])
-const dateRangePresetSchema = z.enum([
-  'today',
-  'yesterday',
-  'this_week',
-  'last_week',
-  'this_month',
-  'last_month',
-  'this_quarter',
-  'last_quarter',
-  'this_year',
-  'last_year',
-  'last_7_days',
-  'last_30_days',
-  'last_90_days',
-])
-
-const filterOperatorSchema = z.enum([
-  'eq',
-  'neq',
-  'gt',
-  'gte',
-  'lt',
-  'lte',
-  'in',
-  'not_in',
-  'is_null',
-  'is_not_null',
-])
-
-const widgetDataRequestSchema = z.object({
-  entityType: z.string().min(1),
-  metric: z.object({
-    field: z.string().min(1),
-    aggregate: aggregateFunctionSchema,
-  }),
-  groupBy: z
-    .object({
-      field: z.string().min(1),
-      granularity: dateGranularitySchema.optional(),
-      limit: z.number().int().min(1).max(100).optional(),
-      resolveLabels: z.boolean().optional(),
-    })
-    .optional(),
-  filters: z
-    .array(
-      z.object({
-        field: z.string().min(1),
-        operator: filterOperatorSchema,
-        value: z.unknown().optional(),
-      }),
-    )
-    .optional(),
-  dateRange: z
-    .object({
-      field: z.string().min(1),
-      preset: dateRangePresetSchema,
-    })
-    .optional(),
-  comparison: z
-    .object({
-      type: z.enum(['previous_period', 'previous_year']),
-    })
-    .optional(),
-})
-
-const widgetDataItemSchema = z.object({
-  groupKey: z.unknown(),
-  groupLabel: z.string().optional(),
-  value: z.number().nullable(),
-})
-
-const widgetDataResponseSchema = z.object({
-  value: z.number().nullable(),
-  data: z.array(widgetDataItemSchema),
-  comparison: z
-    .object({
-      value: z.number().nullable(),
-      change: z.number(),
-      direction: z.enum(['up', 'down', 'unchanged']),
-    })
-    .optional(),
-  metadata: z.object({
-    fetchedAt: z.string(),
-    recordCount: z.number(),
-  }),
-})
-
 export async function POST(req: Request) {
   const auth = await getAuthFromRequest(req)
   if (!auth) {

package/src/modules/dashboards/api/widgets/data/schema.ts

@@ -0,0 +1,90 @@
+import { z } from 'zod'
+
+export const aggregateFunctionSchema = z.enum(['count', 'sum', 'avg', 'min', 'max'])
+export const dateGranularitySchema = z.enum(['day', 'week', 'month', 'quarter', 'year'])
+export const dateRangePresetSchema = z.enum([
+  'today',
+  'yesterday',
+  'this_week',
+  'last_week',
+  'this_month',
+  'last_month',
+  'this_quarter',
+  'last_quarter',
+  'this_year',
+  'last_year',
+  'last_7_days',
+  'last_30_days',
+  'last_90_days',
+])
+
+export const filterOperatorSchema = z.enum([
+  'eq',
+  'neq',
+  'gt',
+  'gte',
+  'lt',
+  'lte',
+  'in',
+  'not_in',
+  'is_null',
+  'is_not_null',
+])
+
+export const widgetDataRequestSchema = z.object({
+  entityType: z.string().min(1),
+  metric: z.object({
+    field: z.string().min(1),
+    aggregate: aggregateFunctionSchema,
+  }),
+  groupBy: z
+    .object({
+      field: z.string().min(1),
+      granularity: dateGranularitySchema.optional(),
+      limit: z.number().int().min(1).max(100).optional(),
+      resolveLabels: z.boolean().optional(),
+    })
+    .optional(),
+  filters: z
+    .array(
+      z.object({
+        field: z.string().min(1),
+        operator: filterOperatorSchema,
+        value: z.unknown().optional(),
+      }),
+    )
+    .optional(),
+  dateRange: z
+    .object({
+      field: z.string().min(1),
+      preset: dateRangePresetSchema,
+    })
+    .optional(),
+  comparison: z
+    .object({
+      type: z.enum(['previous_period', 'previous_year']),
+    })
+    .optional(),
+})
+
+export const widgetDataItemSchema = z.object({
+  groupKey: z.unknown(),
+  groupLabel: z.string().optional(),
+  value: z.number().nullable(),
+})
+
+export const widgetDataResponseSchema = z.object({
+  value: z.number().nullable(),
+  data: z.array(widgetDataItemSchema),
+  comparison: z
+    .object({
+      value: z.number().nullable(),
+      change: z.number(),
+      direction: z.enum(['up', 'down', 'unchanged']),
+    })
+    .optional(),
+  metadata: z.object({
+    fetchedAt: z.string(),
+    recordCount: z.number(),
+  }),
+})

package/src/modules/dashboards/lib/widgetDataBatch.ts

@@ -0,0 +1,89 @@
+import type { WidgetDataRequest, WidgetDataResponse } from '../services/widgetDataService'
+
+export type WidgetDataBatchEntry = {
+  id: string
+  request: WidgetDataRequest
+}
+
+export type WidgetDataBatchResult =
+  | { id: string; ok: true; data: WidgetDataResponse }
+  | { id: string; ok: false; error: string }
+
+export type WidgetDataBatchDeps = {
+  getRequiredFeatures: (entityType: string) => string[] | null
+  checkFeatures: (features: string[]) => Promise<boolean>
+  fetchOne: (request: WidgetDataRequest) => Promise<WidgetDataResponse>
+  describeError: (error: unknown) => string
+}
+
+/**
+ * Resolves per-entity-type feature access for a batch of widget requests while
+ * collapsing the common case to a single RBAC resolution. The happy path checks
+ * the union of all required features once; only when the union check fails do we
+ * fall back to per-entity-type checks so a single privileged entity type does
+ * not reject widgets the caller is allowed to see.
+ */
+export async function resolveEntityFeatureAccess(
+  entityTypes: string[],
+  getRequiredFeatures: (entityType: string) => string[] | null,
+  checkFeatures: (features: string[]) => Promise<boolean>,
+): Promise<Map<string, boolean>> {
+  const access = new Map<string, boolean>()
+  const featuresByEntity = new Map<string, string[]>()
+  const unionFeatures = new Set<string>()
+
+  for (const entityType of new Set(entityTypes)) {
+    const features = getRequiredFeatures(entityType) ?? []
+    featuresByEntity.set(entityType, features)
+    if (features.length === 0) {
+      access.set(entityType, true)
+    } else {
+      for (const feature of features) unionFeatures.add(feature)
+    }
+  }
+
+  const gated = [...featuresByEntity.entries()].filter(([, features]) => features.length > 0)
+  if (gated.length === 0) return access
+
+  if (await checkFeatures([...unionFeatures])) {
+    for (const [entityType] of gated) access.set(entityType, true)
+    return access
+  }
+
+  for (const [entityType, features] of gated) {
+    access.set(entityType, await checkFeatures(features))
+  }
+  return access
+}
+
+/**
+ * Runs a batch of widget-data requests against shared request-scoped
+ * dependencies (a single container, RBAC resolution, org-scope, and EM fork).
+ * Feature access is resolved once up front; each request is then executed
+ * concurrently with per-widget error isolation so one bad request never fails
+ * the whole batch.
+ */
+export async function runWidgetDataBatch(
+  entries: WidgetDataBatchEntry[],
+  deps: WidgetDataBatchDeps,
+): Promise<WidgetDataBatchResult[]> {
+  const access = await resolveEntityFeatureAccess(
+    entries.map((entry) => entry.request.entityType),
+    deps.getRequiredFeatures,
+    deps.checkFeatures,
+  )
+
+  return Promise.all(
+    entries.map(async (entry): Promise<WidgetDataBatchResult> => {
+      if (access.get(entry.request.entityType) === false) {
+        return { id: entry.id, ok: false, error: 'Forbidden' }
+      }
+      try {
+        const data = await deps.fetchOne(entry.request)
+        return { id: entry.id, ok: true, data }
+      } catch (error) {
+        return { id: entry.id, ok: false, error: deps.describeError(error) }
+      }
+    }),
+  )
+}

package/src/modules/dashboards/widgets/dashboard/aov-kpi/widget.client.tsx

@@ -2,7 +2,7 @@
 
 import * as React from 'react'
 import type { DashboardWidgetComponentProps } from '@open-mercato/shared/modules/dashboard/widgets'
-import { apiCall } from '@open-mercato/ui/backend/utils/apiCall'
+import { useWidgetData, type WidgetDataFetcher } from '@open-mercato/ui/backend/dashboard/widgetData'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { KpiCard, type KpiTrend } from '@open-mercato/ui/backend/charts'
 import {
@@ -15,7 +15,7 @@ import { DEFAULT_SETTINGS, hydrateSettings, type AovKpiSettings } from './config
 import type { WidgetDataResponse } from '../../../services/widgetDataService'
 import { formatCurrencyWithDecimals } from '../../../lib/formatters'
 
-async function fetchAovData(settings: AovKpiSettings): Promise<WidgetDataResponse> {
+async function fetchAovData(settings: AovKpiSettings, fetchWidgetData: WidgetDataFetcher): Promise<WidgetDataResponse> {
   const body = {
     entityType: 'sales:orders',
     metric: {
@@ -29,18 +29,7 @@ async function fetchAovData(settings: AovKpiSettings): Promise<WidgetDataRespons
     comparison: settings.showComparison ? { type: 'previous_period' } : undefined,
   }
 
-  const call = await apiCall<WidgetDataResponse>('/api/dashboards/widgets/data', {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify(body),
-  })
-
-  if (!call.ok) {
-    const errorMsg = (call.result as Record<string, unknown>)?.error
-    throw new Error(typeof errorMsg === 'string' ? errorMsg : 'Failed to fetch AOV data')
-  }
-
-  return call.result as WidgetDataResponse
+  return fetchWidgetData<WidgetDataResponse>(body)
 }
 
 const AovKpiWidget: React.FC<DashboardWidgetComponentProps<AovKpiSettings>> = ({
@@ -57,12 +46,13 @@ const AovKpiWidget: React.FC<DashboardWidgetComponentProps<AovKpiSettings>> = ({
   const [loading, setLoading] = React.useState(true)
   const [error, setError] = React.useState<string | null>(null)
 
+  const fetchWidgetData = useWidgetData()
   const refresh = React.useCallback(async () => {
     onRefreshStateChange?.(true)
     setLoading(true)
     setError(null)
     try {
-      const data = await fetchAovData(hydrated)
+      const data = await fetchAovData(hydrated, fetchWidgetData)
       setValue(data.value)
       if (data.comparison) {
         setTrend({
@@ -79,7 +69,7 @@ const AovKpiWidget: React.FC<DashboardWidgetComponentProps<AovKpiSettings>> = ({
       setLoading(false)
       onRefreshStateChange?.(false)
     }
-  }, [hydrated, onRefreshStateChange, t])
+  }, [hydrated, fetchWidgetData, onRefreshStateChange, t])
 
   React.useEffect(() => {
     refresh().catch(() => {})