npm - @open-mercato/core - Versions diffs - 0.6.4-develop.4217.1.c9aa050183 → 0.6.4-develop.4236.1.9fa6806b34 - Mend

@open-mercato/core 0.6.4-develop.4217.1.c9aa050183 → 0.6.4-develop.4236.1.9fa6806b34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (370) hide show

package/src/modules/staff/api/interceptors.ts ADDED Viewed

@@ -0,0 +1,122 @@
+import type { ApiInterceptor, InterceptorContext } from '@open-mercato/shared/lib/crud/api-interceptor'
+import { hasFeature } from '@open-mercato/shared/security/features'
+import { getStaffMemberByUserId } from '../lib/staffMemberResolver'
+type RbacServiceLike = {
+  userHasAllFeatures: (
+    userId: string,
+    required: string[],
+    scope: { tenantId: string | null; organizationId: string | null },
+  ) => Promise<boolean>
+}
+/**
+ * Checks whether the caller has manage_all rights, honoring wildcard ACL grants
+ * (`staff.*`, `*`) and the super-admin flag.
+ *
+ * `context.userFeatures` is populated only on CRUD-factory routes (factory.ts
+ * calls `rbacService.getGrantedFeatures`). Custom routes that wire interceptors
+ * manually (like `dashboards/widgets/data`) pass `auth.features` directly, and
+ * the JWT does NOT include features — so we must fall back to loading the ACL
+ * from `rbacService.userHasAllFeatures`, which is cached and wildcard-aware.
+ */
+async function hasManageAllFeature(context: InterceptorContext): Promise<boolean> {
+  if (hasFeature(context.userFeatures, 'staff.timesheets.manage_all')) return true
+  try {
+    const rbac = context.container.resolve('rbacService') as RbacServiceLike | undefined
+    if (rbac?.userHasAllFeatures) {
+      return await rbac.userHasAllFeatures(
+        context.userId,
+        ['staff.timesheets.manage_all'],
+        { tenantId: context.tenantId ?? null, organizationId: context.organizationId ?? null },
+      )
+    }
+  } catch {
+    // rbacService not available — fall through to deny
+  }
+  return false
+}
+export const interceptors: ApiInterceptor[] = [
+  {
+    id: 'staff.timesheets.self-scope-widget-data',
+    targetRoute: 'dashboards/widgets/data',
+    methods: ['POST'],
+    priority: 70,
+    async before(request, context) {
+      const entityType = request.body?.entityType
+      if (entityType !== 'staff:staff_time_entries') {
+        return { ok: true }
+      }
+      if (await hasManageAllFeature(context)) {
+        return { ok: true }
+      }
+      const staffMember = await getStaffMemberByUserId(
+        context.em,
+        context.userId,
+        context.tenantId ?? null,
+        context.organizationId ?? null,
+      )
+      if (!staffMember) {
+        return {
+          ok: false,
+          statusCode: 403,
+          message: 'User is not a staff member.',
+        }
+      }
+      const existingFilters = Array.isArray(request.body?.filters) ? request.body.filters : []
+      const otherFilters = existingFilters.filter(
+        (f: Record<string, unknown>) => f.field !== 'staffMemberId',
+      )
+      return {
+        ok: true,
+        body: {
+          ...request.body,
+          filters: [
+            ...otherFilters,
+            { field: 'staffMemberId', operator: 'eq', value: staffMember.id },
+          ],
+        },
+      }
+    },
+  },
+  {
+    id: 'staff.timesheets.self-scope-time-entries',
+    targetRoute: 'staff/timesheets/time-entries',
+    methods: ['GET'],
+    priority: 70,
+    async before(request, context) {
+      if (await hasManageAllFeature(context)) {
+        return { ok: true }
+      }
+      const staffMember = await getStaffMemberByUserId(
+        context.em,
+        context.userId,
+        context.tenantId ?? null,
+        context.organizationId ?? null,
+      )
+      if (!staffMember) {
+        return {
+          ok: false,
+          statusCode: 403,
+          message: 'User is not a staff member.',
+        }
+      }
+      return {
+        ok: true,
+        query: {
+          ...(request.query ?? {}),
+          staffMemberId: staffMember.id,
+        },
+      }
+    },
+  },
+]

package/src/modules/staff/api/timesheets/my-projects/[projectId]/route.ts ADDED Viewed

@@ -0,0 +1,191 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { StaffTimeProjectMember, StaffTeamMember } from '../../../../data/entities'
+import { staffMyProjectVisibilityUpdateSchema } from '../../../../data/validators'
+import {
+  resolveUserFeatures,
+  runStaffMutationGuardAfterSuccess,
+  runStaffMutationGuards,
+} from '../../../guards'
+export const metadata = {
+  PATCH: { requireAuth: true, requireFeatures: ['staff.timesheets.manage_own'] },
+}
+function extractProjectIdFromUrl(req: Request): string | null {
+  try {
+    const url = new URL(req.url)
+    const match = url.pathname.match(/\/my-projects\/([^/]+)(?:\/|$)/)
+    return match?.[1] ?? null
+  } catch {
+    return null
+  }
+}
+/**
+ * PATCH /api/staff/timesheets/my-projects/{projectId}
+ *
+ * Self-service endpoint for the authenticated user to toggle visibility of a
+ * time project on their own My Timesheets grid. Does not require the admin-only
+ * `staff.timesheets.projects.manage` feature — only `staff.timesheets.manage_own`.
+ *
+ * Added 2026-04-13 to close a gap in the original UX enhancements spec:
+ * "+ Add row" and the new X remove button need to persist per-user grid membership.
+ */
+export async function PATCH(req: Request) {
+  try {
+    const container = await createRequestContainer()
+    const auth = await getAuthFromRequest(req)
+    const { translate } = await resolveTranslations()
+    if (!auth) {
+      throw new CrudHttpError(401, { error: translate('staff.errors.unauthorized', 'Unauthorized') })
+    }
+    const projectId = extractProjectIdFromUrl(req)
+    if (!projectId || !z.string().uuid().safeParse(projectId).success) {
+      throw new CrudHttpError(400, {
+        error: translate('staff.timesheets.errors.invalidProjectId', 'Invalid project id.'),
+      })
+    }
+    const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+    const tenantId = scope?.tenantId ?? auth.tenantId ?? null
+    const organizationId = scope?.selectedId ?? auth.orgId ?? null
+    if (!tenantId || !organizationId) {
+      throw new CrudHttpError(400, {
+        error: translate('staff.errors.missingScope', 'Missing tenant or organization scope.'),
+      })
+    }
+    const rawBody = await readJsonSafe(req, {})
+    const parsed = staffMyProjectVisibilityUpdateSchema.safeParse(rawBody)
+    if (!parsed.success) {
+      throw new CrudHttpError(400, {
+        error: translate('staff.timesheets.errors.invalidBody', 'Invalid request body.'),
+        details: parsed.error.flatten(),
+      })
+    }
+    const em = (container.resolve('em') as EntityManager).fork()
+    const scopeCtx = { tenantId, organizationId }
+    const staffMember = await findOneWithDecryption(
+      em,
+      StaffTeamMember,
+      { userId: auth.sub, tenantId, organizationId, deletedAt: null },
+      {},
+      scopeCtx,
+    )
+    if (!staffMember) {
+      throw new CrudHttpError(403, {
+        error: translate('staff.timesheets.errors.noStaffMember', 'No staff member linked to your account.'),
+      })
+    }
+    const membership = await findOneWithDecryption(
+      em,
+      StaffTimeProjectMember,
+      {
+        timeProjectId: projectId,
+        staffMemberId: staffMember.id,
+        tenantId,
+        organizationId,
+        deletedAt: null,
+        status: 'active',
+      },
+      {},
+      scopeCtx,
+    )
+    if (!membership) {
+      throw new CrudHttpError(404, {
+        error: translate('staff.timesheets.errors.notAssigned', 'You are not assigned to this project.'),
+      })
+    }
+    const guardResult = await runStaffMutationGuards(
+      container,
+      {
+        tenantId,
+        organizationId,
+        userId: auth.sub ?? '',
+        resourceKind: 'staff.timesheets.time_project_member',
+        resourceId: membership.id,
+        operation: 'update',
+        requestMethod: req.method,
+        requestHeaders: req.headers,
+        mutationPayload: parsed.data as unknown as Record<string, unknown>,
+      },
+      resolveUserFeatures(auth),
+    )
+    if (!guardResult.ok) {
+      return NextResponse.json(
+        guardResult.errorBody ?? { error: 'Operation blocked by guard' },
+        { status: guardResult.errorStatus ?? 422 },
+      )
+    }
+    membership.showInGrid = parsed.data.showInGrid
+    await em.flush()
+    if (guardResult.afterSuccessCallbacks.length) {
+      await runStaffMutationGuardAfterSuccess(guardResult.afterSuccessCallbacks, {
+        tenantId,
+        organizationId,
+        userId: auth.sub ?? '',
+        resourceKind: 'staff.timesheets.time_project_member',
+        resourceId: membership.id,
+        operation: 'update',
+        requestMethod: req.method,
+        requestHeaders: req.headers,
+      })
+    }
+    return NextResponse.json({ ok: true, showInGrid: membership.showInGrid }, { status: 200 })
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('staff.timesheets.my-projects.patch failed', err)
+    const { translate } = await resolveTranslations()
+    return NextResponse.json(
+      { error: translate('staff.timesheets.errors.updateMyProject', 'Failed to update project visibility.') },
+      { status: 400 },
+    )
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Staff',
+  summary: 'My project grid visibility',
+  methods: {
+    PATCH: {
+      summary: 'Toggle grid visibility for one of the caller\'s assigned time projects',
+      description:
+        'Self-service endpoint. Only the authenticated user can toggle `show_in_grid` on their own active membership for the given project. Does not require the admin-only `staff.timesheets.projects.manage` feature.',
+      requestBody: {
+        contentType: 'application/json',
+        schema: staffMyProjectVisibilityUpdateSchema,
+      },
+      responses: [
+        {
+          status: 200,
+          description: 'Visibility updated',
+          schema: z.object({ ok: z.boolean(), showInGrid: z.boolean() }),
+        },
+        { status: 400, description: 'Invalid input', schema: z.object({ error: z.string() }) },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 403, description: 'No staff member linked', schema: z.object({ error: z.string() }) },
+        { status: 404, description: 'Project membership not found', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/staff/api/timesheets/my-projects/route.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { StaffTimeProjectMember, StaffTeamMember } from '../../../data/entities'
+export const metadata = {
+  GET: { requireAuth: true, requireFeatures: ['staff.timesheets.view'] },
+}
+/**
+ * GET /api/staff/timesheets/my-projects
+ *
+ * Spec N+1 Mitigation — Query 1:
+ * Returns staff_time_project_members for the authenticated staff member.
+ * Used by "My Timesheets" grid to resolve assigned project IDs.
+ */
+export async function GET(req: Request) {
+  try {
+    const container = await createRequestContainer()
+    const auth = await getAuthFromRequest(req)
+    const { translate } = await resolveTranslations()
+    if (!auth) throw new CrudHttpError(401, { error: translate('staff.errors.unauthorized', 'Unauthorized') })
+    const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+    const tenantId = scope?.tenantId ?? auth.tenantId ?? null
+    const organizationId = scope?.selectedId ?? auth.orgId ?? null
+    if (!tenantId || !organizationId) {
+      throw new CrudHttpError(400, { error: translate('staff.errors.missingScope', 'Missing tenant or organization scope.') })
+    }
+    const em = (container.resolve('em') as EntityManager).fork()
+    const scopeCtx = { tenantId, organizationId }
+    const staffMember = await findOneWithDecryption(
+      em,
+      StaffTeamMember,
+      { userId: auth.sub, tenantId, organizationId, deletedAt: null },
+      {},
+      scopeCtx,
+    )
+    if (!staffMember) {
+      throw new CrudHttpError(403, { error: translate('staff.timesheets.errors.noStaffMember', 'No staff member linked to your account.') })
+    }
+    const assignments = await findWithDecryption(
+      em,
+      StaffTimeProjectMember,
+      { staffMemberId: staffMember.id, tenantId, organizationId, deletedAt: null, status: 'active' },
+      {},
+      scopeCtx,
+    )
+    const items = assignments.map((assignment) => ({
+      id: assignment.id,
+      time_project_id: assignment.timeProjectId,
+      staff_member_id: assignment.staffMemberId,
+      role: assignment.role ?? null,
+      status: assignment.status ?? null,
+      assigned_start_date: assignment.assignedStartDate ?? null,
+      assigned_end_date: assignment.assignedEndDate ?? null,
+      show_in_grid: assignment.showInGrid ?? false,
+    }))
+    return NextResponse.json({ items, total: items.length }, { status: 200 })
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('staff.timesheets.my-projects failed', err)
+    const { translate } = await resolveTranslations()
+    return NextResponse.json(
+      { error: translate('staff.timesheets.errors.myProjects', 'Failed to load your projects.') },
+      { status: 400 },
+    )
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Staff',
+  summary: 'My assigned time projects',
+  methods: {
+    GET: {
+      summary: 'List assigned time project memberships for the current user',
+      description: 'Returns staff_time_project_members where the authenticated user is an active member. Used by the My Timesheets grid to resolve assigned project IDs (spec N+1 mitigation query 1).',
+      responses: [
+        {
+          status: 200,
+          description: 'Assigned project memberships',
+          schema: z.object({
+            items: z.array(z.object({
+              id: z.string().uuid(),
+              time_project_id: z.string().uuid(),
+              staff_member_id: z.string().uuid(),
+              role: z.string().nullable(),
+              status: z.string().nullable(),
+              assigned_start_date: z.string().nullable(),
+              assigned_end_date: z.string().nullable(),
+              show_in_grid: z.boolean(),
+            })),
+            total: z.number(),
+          }),
+        },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        { status: 403, description: 'No staff member linked', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}

package/src/modules/staff/api/timesheets/projects/kpis/route.ts ADDED Viewed

@@ -0,0 +1,159 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { StaffTeamMember } from '../../../../data/entities'
+import {
+  computeCollabProjectsKpis,
+  computePmProjectsKpis,
+} from '../../../../lib/timesheets-projects/computeProjectsKpis'
+const VIEW_FEATURE = 'staff.timesheets.projects.view'
+const MANAGE_FEATURE = 'staff.timesheets.projects.manage'
+export const metadata = {
+  GET: { requireAuth: true, requireFeatures: [VIEW_FEATURE] },
+}
+const deltaSchema = z.object({
+  current: z.number(),
+  previous: z.number(),
+  deltaPct: z.number().nullable(),
+})
+const pmResponseSchema = z.object({
+  role: z.literal('pm'),
+  totals: z.object({
+    total: z.number().int(),
+    active: z.number().int(),
+    onHold: z.number().int(),
+    completed: z.number().int(),
+  }),
+  hoursWeek: deltaSchema,
+  hoursMonth: deltaSchema,
+  teamActive: z.object({ count: z.number().int() }),
+  assignedToMe: z.object({ total: z.number().int(), active: z.number().int() }),
+})
+const collabResponseSchema = z.object({
+  role: z.literal('collab'),
+  myProjects: z.object({
+    total: z.number().int(),
+    active: z.number().int(),
+  }),
+  myHoursWeek: deltaSchema,
+  myHoursMonth: deltaSchema,
+})
+export async function GET(req: Request) {
+  try {
+    const container = await createRequestContainer()
+    const auth = await getAuthFromRequest(req)
+    const { translate } = await resolveTranslations()
+    if (!auth) {
+      throw new CrudHttpError(401, {
+        error: translate('staff.errors.unauthorized', 'Unauthorized'),
+      })
+    }
+    const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+    const tenantId = scope?.tenantId ?? auth.tenantId ?? null
+    const organizationId = scope?.selectedId ?? auth.orgId ?? null
+    if (!tenantId || !organizationId) {
+      throw new CrudHttpError(400, {
+        error: translate('staff.errors.missingScope', 'Missing tenant or organization scope.'),
+      })
+    }
+    const em = container.resolve('em') as EntityManager
+    const rbac = container.resolve('rbacService') as RbacService
+    const isPm = await rbac.userHasAllFeatures(auth.sub, [MANAGE_FEATURE], {
+      tenantId,
+      organizationId,
+    })
+    const staffMember = await findOneWithDecryption(
+      em.fork(),
+      StaffTeamMember,
+      { userId: auth.sub, tenantId, organizationId, deletedAt: null },
+      {},
+      { tenantId, organizationId },
+    )
+    if (isPm) {
+      const result = await computePmProjectsKpis({
+        em,
+        tenantId,
+        organizationId,
+        callerStaffMemberId: staffMember?.id ?? null,
+      })
+      return NextResponse.json(result, { status: 200 })
+    }
+    if (!staffMember) {
+      throw new CrudHttpError(403, {
+        error: translate(
+          'staff.timesheets.errors.noStaffMember',
+          'No staff member linked to your account.',
+        ),
+      })
+    }
+    const result = await computeCollabProjectsKpis({
+      em,
+      tenantId,
+      organizationId,
+      staffMemberId: staffMember.id,
+    })
+    return NextResponse.json(result, { status: 200 })
+  } catch (err) {
+    if (err instanceof CrudHttpError) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    console.error('staff.timesheets.projects.kpis failed', err)
+    const { translate } = await resolveTranslations()
+    return NextResponse.json(
+      {
+        error: translate(
+          'staff.timesheets.errors.projectsKpis',
+          'Failed to load project KPIs.',
+        ),
+      },
+      { status: 500 },
+    )
+  }
+}
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Staff',
+  summary: 'Timesheet projects KPIs',
+  methods: {
+    GET: {
+      summary: 'Aggregate KPIs for the timesheets Projects page',
+      description:
+        'Returns a role-aware KPI payload. Users with `staff.timesheets.projects.manage` get the PM shape (portfolio totals, monthly team hours, active team member count). Other viewers get the Collaborator shape scoped to their own memberships and hours.',
+      responses: [
+        {
+          status: 200,
+          description: 'PM or Collaborator KPIs',
+          schema: z.union([pmResponseSchema, collabResponseSchema]),
+        },
+        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },
+        {
+          status: 403,
+          description: 'Missing viewing feature or no staff member linked',
+          schema: z.object({ error: z.string() }),
+        },
+        { status: 500, description: 'Aggregation failure', schema: z.object({ error: z.string() }) },
+      ],
+    },
+  },
+}