@open-mercato/core 0.6.4-develop.4236.1.9fa6806b34 → 0.6.4-develop.4254.1.7a123d970c

package/src/modules/customer_accounts/backend/customer_accounts/users/[id]/page.tsx

@@ -16,6 +16,7 @@ import { flash } from '@open-mercato/ui/backend/FlashMessages'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import { useConfirmDialog } from '@open-mercato/ui/backend/confirm-dialog'
 import { useGuardedMutation } from '@open-mercato/ui/backend/injection/useGuardedMutation'
+import { RecordNotFoundState, ErrorMessage } from '@open-mercato/ui/backend/detail'
 
 type UserDetail = {
   id: string
@@ -147,6 +148,7 @@ export default function CustomerUserDetailPage({ params }: { params?: { id?: str
   const [data, setData] = React.useState<UserDetail | null>(null)
   const [isLoading, setIsLoading] = React.useState(true)
   const [error, setError] = React.useState<string | null>(null)
+  const [isNotFound, setIsNotFound] = React.useState(false)
   const [isSaving, setIsSaving] = React.useState(false)
   const [editActive, setEditActive] = React.useState<boolean | null>(null)
   const [editDisplayName, setEditDisplayName] = React.useState('')
@@ -186,7 +188,7 @@ export default function CustomerUserDetailPage({ params }: { params?: { id?: str
 
   React.useEffect(() => {
     if (!id) {
-      setError(t('customer_accounts.admin.detail.error.notFound', 'User not found'))
+      setIsNotFound(true)
       setIsLoading(false)
       return
     }
@@ -194,6 +196,7 @@ export default function CustomerUserDetailPage({ params }: { params?: { id?: str
     async function load() {
       setIsLoading(true)
       setError(null)
+      setIsNotFound(false)
       try {
         const payload = await readApiResultOrThrow<UserDetail>(
           `/api/customer_accounts/admin/users/${encodeURIComponent(id!)}`,
@@ -209,8 +212,12 @@ export default function CustomerUserDetailPage({ params }: { params?: { id?: str
         setEditCustomerEntityId(payload.customerEntityId)
       } catch (err) {
         if (cancelled) return
-        const message = err instanceof Error ? err.message : t('customer_accounts.admin.detail.error.load', 'Failed to load user')
-        setError(message)
+        if ((err as { status?: number }).status === 404) {
+          setIsNotFound(true)
+        } else {
+          const message = err instanceof Error ? err.message : t('customer_accounts.admin.detail.error.load', 'Failed to load user')
+          setError(message)
+        }
       } finally {
         if (!cancelled) setIsLoading(false)
       }
@@ -463,18 +470,34 @@ export default function CustomerUserDetailPage({ params }: { params?: { id?: str
     )
   }
 
+  if (isNotFound) {
+    return (
+      <Page>
+        <PageBody>
+          <RecordNotFoundState
+            label={t('customer_accounts.admin.detail.error.notFound', 'User not found')}
+            backHref="/backend/customer_accounts/users"
+            backLabel={t('customer_accounts.admin.detail.actions.backToList', 'Back to list')}
+          />
+        </PageBody>
+      </Page>
+    )
+  }
+
   if (error || !data) {
     return (
       <Page>
         <PageBody>
-          <div className="flex h-[50vh] flex-col items-center justify-center gap-2 text-muted-foreground">
-            <p>{error || t('customer_accounts.admin.detail.error.notFound', 'User not found')}</p>
-            <Button asChild variant="outline">
-              <Link href="/backend/customer_accounts/users">
-                {t('customer_accounts.admin.detail.actions.backToList', 'Back to list')}
-              </Link>
-            </Button>
-          </div>
+          <ErrorMessage
+            label={error ?? t('customer_accounts.admin.detail.error.notFound', 'User not found')}
+            action={
+              <Button asChild variant="outline" size="sm">
+                <Link href="/backend/customer_accounts/users">
+                  {t('customer_accounts.admin.detail.actions.backToList', 'Back to list')}
+                </Link>
+              </Button>
+            }
+          />
         </PageBody>
       </Page>
     )

package/src/modules/customers/api/activities/route.ts

@@ -185,7 +185,7 @@ function paginateActivityItems(
   }
 }
 
-async function decorateActivityItems(
+export async function decorateActivityItems(
   em: EntityManager,
   items: ActivityItem[],
   decryptionScope?: { tenantId: string; organizationId: string },
@@ -207,12 +207,23 @@ async function decorateActivityItems(
     ),
   )
 
+  if (dealIds.length > 0 && (!decryptionScope?.tenantId || !decryptionScope?.organizationId)) {
+    const { translate } = await resolveTranslations()
+    throw new CrudHttpError(400, {
+      error: translate('customers.errors.tenant_required', 'Tenant context is required'),
+    })
+  }
+
   const [users, deals] = await Promise.all([
     authorIds.length > 0 ? em.find(User, { id: { $in: authorIds } }) : Promise.resolve([]),
-    dealIds.length > 0
-      ? decryptionScope
-        ? findWithDecryption(em, CustomerDeal, { id: { $in: dealIds } }, undefined, decryptionScope)
-        : em.find(CustomerDeal, { id: { $in: dealIds } })
+    dealIds.length > 0 && decryptionScope
+      ? findWithDecryption(
+          em,
+          CustomerDeal,
+          { id: { $in: dealIds }, tenantId: decryptionScope.tenantId, organizationId: decryptionScope.organizationId },
+          undefined,
+          decryptionScope,
+        )
       : Promise.resolve([]),
   ])
 

package/src/modules/customers/api/comments/route.ts

@@ -139,13 +139,23 @@ const crud = makeCrudRoute({
         ),
       )
       if (!dealIds.length) return
+      const tenantId = ctx.auth?.tenantId ?? null
+      const organizationId = ctx.selectedOrganizationId ?? ctx.auth?.orgId ?? null
+      if (!tenantId || !organizationId) {
+        const { translate } = await resolveTranslations()
+        throw new CrudHttpError(400, {
+          error: translate('customers.errors.tenant_required', 'Tenant context is required'),
+        })
+      }
       try {
         const em = (ctx.container.resolve('em') as EntityManager)
-        const tenantId = ctx.auth?.tenantId ?? null
-        const organizationId = ctx.selectedOrganizationId ?? ctx.auth?.orgId ?? null
-        const deals = tenantId && organizationId
-          ? await findWithDecryption(em, CustomerDeal, { id: { $in: dealIds } }, undefined, { tenantId, organizationId })
-          : await em.find(CustomerDeal, { id: { $in: dealIds } })
+        const deals = await findWithDecryption(
+          em,
+          CustomerDeal,
+          { id: { $in: dealIds }, tenantId, organizationId },
+          undefined,
+          { tenantId, organizationId },
+        )
         const map = new Map<string, string>()
         deals.forEach((deal: CustomerDeal) => {
           if (deal.id) map.set(deal.id, deal.title ?? '')

package/src/modules/customers/api/companies/[id]/people/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import {
   CustomerEntity,
   CustomerPersonCompanyLink,
@@ -115,10 +116,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.company_not_found', 'Company not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && company.organizationId && !allowedOrgIds.has(company.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: company.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/companies/[id]/route.ts

@@ -47,6 +47,7 @@ import {
   withActiveCustomerPersonCompanyLinkFilter,
 } from '../../../lib/personCompanyLinkTable'
 import { normalizeCustomerDetailCustomFields } from '../../detailCustomFields'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 
 export const metadata = {
   GET: { requireAuth: true, requireFeatures: ['customers.companies.view'] },
@@ -386,11 +387,7 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
   if (!company) return notFound('Company not found')
 
   if (auth.tenantId && company.tenantId !== auth.tenantId) return notFound('Company not found')
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-  else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-  if (allowedOrgIds.size && company.organizationId && !allowedOrgIds.has(company.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: company.organizationId })) {
     return forbidden('Access denied')
   }
 

package/src/modules/customers/api/deals/[id]/companies/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { CustomerCompanyProfile, CustomerDeal, CustomerDealCompanyLink, CustomerEntity } from '../../../../data/entities'
 
 const paramsSchema = z.object({
@@ -97,10 +98,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.deal_not_found', 'Deal not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/deals/[id]/people/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { CustomerDeal, CustomerDealPersonLink, CustomerEntity } from '../../../../data/entities'
 
 const paramsSchema = z.object({
@@ -97,10 +98,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.deal_not_found', 'Deal not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/deals/[id]/route.ts

@@ -22,6 +22,7 @@ import { E } from '#generated/entities.ids.generated'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { decryptEntitiesWithFallbackScope } from '@open-mercato/shared/lib/encryption/subscriber'
 import { isMissingDealStageTransitionTable, warnMissingDealStageTransitionTable } from '../../../lib/dealStageTransitionTable'
 
@@ -377,15 +378,7 @@ export async function GET(request: Request, context: { params?: Record<string, u
     return notFound('Deal not found')
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (Array.isArray(scope?.filterIds)) {
-    scope.filterIds.forEach((id) => {
-      if (typeof id === 'string' && id.trim().length) allowedOrgIds.add(id)
-    })
-  } else if (auth.orgId) {
-    allowedOrgIds.add(auth.orgId)
-  }
-  if (allowedOrgIds.size && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
     return forbidden('Access denied')
   }
 

package/src/modules/customers/api/deals/[id]/stats/route.ts

@@ -10,6 +10,7 @@ import { DictionaryEntry } from '@open-mercato/core/modules/dictionaries/data/en
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 
 export const metadata = {
   GET: { requireAuth: true, requireFeatures: ['customers.deals.view'] },
@@ -97,15 +98,7 @@ export async function GET(request: Request, context: { params?: Record<string, u
     return notFound(translate('customers.errors.deal_not_found', 'Deal not found'))
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (Array.isArray(scope?.filterIds)) {
-    scope.filterIds.forEach((id) => {
-      if (typeof id === 'string' && id.trim().length) allowedOrgIds.add(id)
-    })
-  } else if (auth.orgId) {
-    allowedOrgIds.add(auth.orgId)
-  }
-  if (allowedOrgIds.size && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
     return forbidden(translate('customers.errors.access_denied', 'Access denied'))
   }
 

package/src/modules/customers/api/entity-roles-factory.ts

@@ -7,6 +7,7 @@ import { validateCrudMutationGuard, runCrudMutationGuardAfterSuccess } from '@op
 import { CrudHttpError, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { User } from '@open-mercato/core/modules/auth/data/entities'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { CustomerEntity, CustomerEntityRole } from '../data/entities'
@@ -69,24 +70,13 @@ async function buildContext(request: Request) {
   }
 }
 
-function collectAllowedOrganizationIds(
-  scope: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['scope'],
-  auth: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['auth'],
-) {
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-  else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-  return allowedOrgIds
-}
-
 function ensureRouteOrganizationAccess(
   organizationId: string,
   scope: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['scope'],
   auth: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['auth'],
   translate: Translator,
 ) {
-  const allowedOrgIds = collectAllowedOrganizationIds(scope, auth)
-  if (allowedOrgIds.size > 0 && !allowedOrgIds.has(organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId })) {
     throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
   }
 }

package/src/modules/customers/api/people/[id]/companies/context.ts

@@ -7,6 +7,7 @@ import {
   CustomerPersonProfile,
 } from '@open-mercato/core/modules/customers/data/entities'
 import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 
@@ -37,11 +38,7 @@ export async function loadPersonContext(req: Request, personId: string) {
     throw new CrudHttpError(404, { error: translate('customers.errors.person_not_found', 'Person not found') })
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-  else if (authenticatedAuth.orgId) allowedOrgIds.add(authenticatedAuth.orgId)
-
-  if (allowedOrgIds.size > 0 && !allowedOrgIds.has(person.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth: authenticatedAuth, organizationId: person.organizationId })) {
     throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
   }
 

package/src/modules/customers/api/people/[id]/companies/enriched/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import {
   CustomerEntity,
   CustomerCompanyProfile,
@@ -173,11 +174,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.person_not_found', 'Person not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-    if (allowedOrgIds.size > 0 && !allowedOrgIds.has(person.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: person.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/people/[id]/route.ts

@@ -37,6 +37,7 @@ import type { EntityId } from '@open-mercato/shared/modules/entities'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { parseBooleanFromUnknown, parseBooleanToken } from '@open-mercato/shared/lib/boolean'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { loadPersonCompanyLinks, summarizePersonCompanies } from '../../../lib/personCompanies'
 import { normalizeCustomerDetailCustomFields } from '../../detailCustomFields'
 
@@ -474,11 +475,7 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
       profileMeta = { reason: 'person_tenant_mismatch' }
       return notFound('Person not found')
     }
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-    if (allowedOrgIds.size && person.organizationId && !allowedOrgIds.has(person.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: person.organizationId })) {
       statusCode = 403
       profileMeta = { reason: 'organization_forbidden' }
       return forbidden('Access denied')

package/src/modules/customers/backend/customers/people/[id]/page.tsx

@@ -20,6 +20,8 @@ import {
   NotesSection,
   type CommentSummary,
   type SectionAction,
+  RecordNotFoundState,
+  ErrorMessage,
 } from '@open-mercato/ui/backend/detail'
 import {
   TagsSection,
@@ -116,6 +118,7 @@ export default function CustomerPersonDetailPage({ params }: { params?: { id?: s
   const [data, setData] = React.useState<PersonOverview | null>(null)
   const [isLoading, setIsLoading] = React.useState(true)
   const [error, setError] = React.useState<string | null>(null)
+  const [isNotFound, setIsNotFound] = React.useState(false)
   const [activeTab, setActiveTab] = React.useState<SectionKey>(initialTab)
   const [sectionAction, setSectionAction] = React.useState<SectionAction | null>(null)
   const [isDeleting, setIsDeleting] = React.useState(false)
@@ -276,7 +279,7 @@ export default function CustomerPersonDetailPage({ params }: { params?: { id?: s
   const initialLoadDoneRef = React.useRef(false)
   const loadData = React.useCallback(async () => {
     if (!id) {
-      setError(t('customers.people.detail.error.notFound'))
+      setIsNotFound(true)
       setIsLoading(false)
       return
     }
@@ -284,6 +287,7 @@ export default function CustomerPersonDetailPage({ params }: { params?: { id?: s
       setIsLoading(true)
     }
     setError(null)
+    setIsNotFound(false)
     try {
       const payload = await readApiResultOrThrow<PersonOverview>(
         `/api/customers/people/${encodeURIComponent(id)}?include=todos`,
@@ -292,8 +296,12 @@ export default function CustomerPersonDetailPage({ params }: { params?: { id?: s
       )
       setData(payload as PersonOverview)
     } catch (err) {
-      const message = err instanceof Error ? err.message : t('customers.people.detail.error.load')
-      setError(message)
+      if ((err as { status?: number }).status === 404) {
+        setIsNotFound(true)
+      } else {
+        const message = err instanceof Error ? err.message : t('customers.people.detail.error.load')
+        setError(message)
+      }
       if (!initialLoadDoneRef.current) setData(null)
     } finally {
       setIsLoading(false)
@@ -469,18 +477,34 @@ export default function CustomerPersonDetailPage({ params }: { params?: { id?: s
       )
     }
   
+    if (isNotFound) {
+      return (
+        <Page>
+          <PageBody>
+            <RecordNotFoundState
+              label={t('customers.people.detail.error.notFound', 'Person not found.')}
+              backHref="/backend/customers/people"
+              backLabel={t('customers.people.detail.actions.backToList', 'Back to people')}
+            />
+          </PageBody>
+        </Page>
+      )
+    }
+
     if (error || !data || !personId) {
       return (
         <Page>
           <PageBody>
-            <div className="flex h-[50vh] flex-col items-center justify-center gap-2 text-muted-foreground">
-              <p>{error || t('customers.people.detail.error.notFound')}</p>
-              <Button asChild variant="outline">
-                <Link href="/backend/customers/people">
-                  {t('customers.people.detail.actions.backToList')}
-                </Link>
-              </Button>
-            </div>
+            <ErrorMessage
+              label={error ?? t('customers.people.detail.error.notFound', 'Person not found.')}
+              action={
+                <Button asChild variant="outline" size="sm">
+                  <Link href="/backend/customers/people">
+                    {t('customers.people.detail.actions.backToList', 'Back to people')}
+                  </Link>
+                </Button>
+              }
+            />
           </PageBody>
         </Page>
       )

package/src/modules/directory/utils/organizationScopeGuard.ts

@@ -0,0 +1,39 @@
+import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
+import { isOrganizationAccessAllowed } from '@open-mercato/shared/lib/auth/organizationAccess'
+import type { OrganizationScope } from './organizationScope'
+
+export type OrganizationReadAccessInput = {
+  scope: OrganizationScope | null | undefined
+  auth: AuthContext
+  organizationId: string | null
+}
+
+/**
+ * Fail-closed read guard for single-record detail routes. Centralizes the
+ * decision so callers keep their own deny mechanism (throw / return response)
+ * and their own i18n key.
+ *
+ * Unrestricted access (super admin or `scope.allowedIds === null`) is the only
+ * bypass. For a restricted principal the allowed set is derived the same way
+ * the detail routes always have (`filterIds` narrows the active view, else the
+ * principal's home org); an empty derived set denies instead of skipping.
+ */
+export function isOrganizationReadAccessAllowed(input: OrganizationReadAccessInput): boolean {
+  const isSuperAdmin = input.auth?.isSuperAdmin === true
+  if (isSuperAdmin || input.scope?.allowedIds === null) return true
+
+  const allowedOrganizationIds = new Set<string>()
+  if (input.scope?.filterIds?.length) {
+    for (const id of input.scope.filterIds) {
+      if (typeof id === 'string' && id.trim().length) allowedOrganizationIds.add(id)
+    }
+  } else if (input.auth?.orgId) {
+    allowedOrganizationIds.add(input.auth.orgId)
+  }
+
+  return isOrganizationAccessAllowed({
+    isSuperAdmin,
+    allowedOrganizationIds: Array.from(allowedOrganizationIds),
+    targetOrganizationId: input.organizationId,
+  })
+}

package/src/modules/progress/acl.ts

@@ -8,21 +8,25 @@ export const features = [
     id: 'progress.create',
     title: 'Create progress jobs',
     module: 'progress',
+    dependsOn: ['progress.view'],
   },
   {
     id: 'progress.update',
     title: 'Update progress jobs',
     module: 'progress',
+    dependsOn: ['progress.view'],
   },
   {
     id: 'progress.cancel',
     title: 'Cancel progress jobs',
     module: 'progress',
+    dependsOn: ['progress.view'],
   },
   {
     id: 'progress.manage',
     title: 'Manage all progress jobs',
     module: 'progress',
+    dependsOn: ['progress.view'],
   },
 ]
 

package/src/modules/workflows/backend/events/[id]/page.tsx

@@ -11,6 +11,7 @@ import { Button } from '@open-mercato/ui/primitives/button'
 import { FormHeader } from '@open-mercato/ui/backend/forms'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { JsonDisplay } from '@open-mercato/ui/backend/JsonDisplay'
+import { RecordNotFoundState, ErrorMessage } from '@open-mercato/ui/backend/detail'
 
 type WorkflowEvent = {
   id: string
@@ -55,8 +56,13 @@ export default function WorkflowEventDetailPage() {
       const response = await apiFetch(`/api/workflows/events/${eventId}`)
 
       if (!response.ok) {
-        const errorData = await response.json().catch(() => ({}))
-        throw new Error(t('workflows.events.messages.loadFailed'))
+        const httpErr = new Error(
+          response.status === 404
+            ? t('workflows.events.notFound', 'Event not found.')
+            : t('workflows.events.messages.loadFailed')
+        ) as Error & { status: number }
+        httpErr.status = response.status
+        throw httpErr
       }
       const result = await response.json()
       return result as WorkflowEvent
@@ -77,18 +83,34 @@ export default function WorkflowEventDetailPage() {
     )
   }
 
+  const isNotFound = !isLoading && (error as (Error & { status?: number }) | null)?.status === 404
+
+  if (isNotFound) {
+    return (
+      <Page>
+        <PageBody>
+          <RecordNotFoundState
+            label={t('workflows.events.notFound', 'Event not found.')}
+            backHref="/backend/events"
+            backLabel={t('workflows.events.backToList', 'Back to Events')}
+          />
+        </PageBody>
+      </Page>
+    )
+  }
+
   if (error || !event) {
     return (
       <Page>
         <PageBody>
-          <div className="flex h-[50vh] flex-col items-center justify-center gap-2 text-muted-foreground">
-            <p>{error ? t('workflows.events.messages.loadFailed') : t('workflows.events.notFound')}</p>
-            <Button asChild variant="outline">
-              <Link href="/backend/events">
-                {t('workflows.events.backToList')}
-              </Link>
-            </Button>
-          </div>
+          <ErrorMessage
+            label={(error as Error | null)?.message ?? t('workflows.events.messages.loadFailed')}
+            action={
+              <Button asChild variant="outline" size="sm">
+                <Link href="/backend/events">{t('workflows.events.backToList', 'Back to Events')}</Link>
+              </Button>
+            }
+          />
         </PageBody>
       </Page>
     )