npm - @open-mercato/core - Versions diffs - 0.6.4-develop.4239.1.4a264a5828 → 0.6.4-develop.4254.1.7a123d970c - Mend

@open-mercato/core 0.6.4-develop.4239.1.4a264a5828 → 0.6.4-develop.4254.1.7a123d970c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/src/modules/directory/utils/organizationScopeGuard.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
+import { isOrganizationAccessAllowed } from '@open-mercato/shared/lib/auth/organizationAccess'
+import type { OrganizationScope } from './organizationScope'
+export type OrganizationReadAccessInput = {
+  scope: OrganizationScope | null | undefined
+  auth: AuthContext
+  organizationId: string | null
+}
+/**
+ * Fail-closed read guard for single-record detail routes. Centralizes the
+ * decision so callers keep their own deny mechanism (throw / return response)
+ * and their own i18n key.
+ *
+ * Unrestricted access (super admin or `scope.allowedIds === null`) is the only
+ * bypass. For a restricted principal the allowed set is derived the same way
+ * the detail routes always have (`filterIds` narrows the active view, else the
+ * principal's home org); an empty derived set denies instead of skipping.
+ */
+export function isOrganizationReadAccessAllowed(input: OrganizationReadAccessInput): boolean {
+  const isSuperAdmin = input.auth?.isSuperAdmin === true
+  if (isSuperAdmin || input.scope?.allowedIds === null) return true
+  const allowedOrganizationIds = new Set<string>()
+  if (input.scope?.filterIds?.length) {
+    for (const id of input.scope.filterIds) {
+      if (typeof id === 'string' && id.trim().length) allowedOrganizationIds.add(id)
+    }
+  } else if (input.auth?.orgId) {
+    allowedOrganizationIds.add(input.auth.orgId)
+  }
+  return isOrganizationAccessAllowed({
+    isSuperAdmin,
+    allowedOrganizationIds: Array.from(allowedOrganizationIds),
+    targetOrganizationId: input.organizationId,
+  })
+}

package/src/modules/workflows/cli.ts CHANGED Viewed

@@ -4,6 +4,10 @@ import { getRedisUrl, getRedisUrlOrThrow } from '@open-mercato/shared/lib/redis/
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { WorkflowDefinition } from './data/entities'
 import { BusinessRule, type RuleType } from '@open-mercato/core/modules/business_rules/data/entities'
+import {
+  invalidateBusinessRuleDiscoveryCache,
+  resolveBusinessRuleDiscoveryCache,
+} from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 import * as fs from 'fs'
 import * as path from 'path'
 import { fileURLToPath } from 'url'
@@ -69,6 +73,7 @@ const seedDemoWithRules: ModuleCli = {
     try {
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
+      const cache = resolveBusinessRuleDiscoveryCache(resolve)
       // Import BusinessRule entity
       const { BusinessRule } = await import('../business_rules/data/entities')
@@ -100,6 +105,7 @@ const seedDemoWithRules: ModuleCli = {
         })
         await em.persist(rule).flush()
+        await invalidateBusinessRuleDiscoveryCache(cache, tenantId, organizationId)
         console.log(`  ✓ Seeded guard rule: ${rule.ruleName}`)
         seededCount++
       }
@@ -211,6 +217,7 @@ const seedOrderApproval: ModuleCli = {
     try {
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
+      const cache = resolveBusinessRuleDiscoveryCache(resolve)
       // 1. Seed order approval guard rules first
       const guardRulesPath = path.join(__dirname, 'examples', 'order-approval-guard-rules.json')
@@ -252,6 +259,7 @@ const seedOrderApproval: ModuleCli = {
       if (rulesSeeded > 0) {
         await em.flush()
+        await invalidateBusinessRuleDiscoveryCache(cache, tenantId, organizationId)
       }
       console.log(`✅ Seeded order approval guard rules`)

package/src/modules/workflows/lib/seeds.ts CHANGED Viewed

@@ -4,6 +4,10 @@ import * as path from 'path'
 import { fileURLToPath } from 'node:url'
 import { WorkflowDefinition, type WorkflowDefinitionData } from '../data/entities'
 import { BusinessRule, type RuleType } from '@open-mercato/core/modules/business_rules/data/entities'
+import {
+  invalidateBusinessRuleDiscoveryCache,
+  type RuleDiscoveryCache,
+} from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 const __esmDirname = path.dirname(fileURLToPath(import.meta.url))
@@ -130,6 +134,7 @@ async function seedGuardRules(
   em: EntityManager,
   scope: WorkflowSeedScope,
   fileName: string,
+  cache?: RuleDiscoveryCache | null,
 ): Promise<{ seeded: number; skipped: number; updated: number }> {
   const seeds = readExampleJson<GuardRuleSeed[]>(fileName)
   if (!Array.isArray(seeds)) {
@@ -185,16 +190,21 @@ async function seedGuardRules(
   }
   if (seeded > 0 || updated > 0) {
     await em.flush()
+    await invalidateBusinessRuleDiscoveryCache(cache, scope.tenantId, scope.organizationId)
   }
   return { seeded, skipped, updated }
 }
-export async function seedExampleWorkflows(em: EntityManager, scope: WorkflowSeedScope): Promise<void> {
+export async function seedExampleWorkflows(
+  em: EntityManager,
+  scope: WorkflowSeedScope,
+  options: { cache?: RuleDiscoveryCache | null } = {},
+): Promise<void> {
   // workflows.checkout-demo and workflows.simple-approval are now code-defined
   // (see packages/core/src/modules/workflows/workflows.ts). Seeding DB rows for
   // them would shadow the code definitions in the merge layer, so they are no
   // longer seeded here. Existing tenants are migrated via Migration20260428102318.
-  await seedGuardRules(em, scope, 'guard-rules-example.json')
+  await seedGuardRules(em, scope, 'guard-rules-example.json', options.cache)
   await seedWorkflowDefinition(em, scope, 'sales-pipeline-definition.json')
-  await seedGuardRules(em, scope, 'order-approval-guard-rules.json')
+  await seedGuardRules(em, scope, 'order-approval-guard-rules.json', options.cache)
 }

package/src/modules/workflows/setup.ts CHANGED Viewed

@@ -1,10 +1,12 @@
 import type { ModuleSetupConfig } from '@open-mercato/shared/modules/setup'
+import { resolveBusinessRuleDiscoveryCache } from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 import { seedExampleWorkflows } from './lib/seeds'
 export const setup: ModuleSetupConfig = {
   seedDefaults: async (ctx) => {
     const scope = { tenantId: ctx.tenantId, organizationId: ctx.organizationId }
-    await seedExampleWorkflows(ctx.em, scope)
+    const cache = resolveBusinessRuleDiscoveryCache(ctx.container.resolve.bind(ctx.container))
+    await seedExampleWorkflows(ctx.em, scope, { cache })
   },
   defaultRoleFeatures: {