@open-mercato/core 0.6.4-develop.4239.1.4a264a5828 → 0.6.4-develop.4264.1.53368d85fe

package/src/modules/customers/api/people/[id]/route.ts

@@ -37,6 +37,7 @@ import type { EntityId } from '@open-mercato/shared/modules/entities'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { parseBooleanFromUnknown, parseBooleanToken } from '@open-mercato/shared/lib/boolean'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { loadPersonCompanyLinks, summarizePersonCompanies } from '../../../lib/personCompanies'
 import { normalizeCustomerDetailCustomFields } from '../../detailCustomFields'
 
@@ -474,11 +475,7 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
       profileMeta = { reason: 'person_tenant_mismatch' }
       return notFound('Person not found')
     }
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-    if (allowedOrgIds.size && person.organizationId && !allowedOrgIds.has(person.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: person.organizationId })) {
       statusCode = 403
       profileMeta = { reason: 'organization_forbidden' }
       return forbidden('Access denied')

package/src/modules/directory/utils/organizationScopeGuard.ts

@@ -0,0 +1,39 @@
+import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
+import { isOrganizationAccessAllowed } from '@open-mercato/shared/lib/auth/organizationAccess'
+import type { OrganizationScope } from './organizationScope'
+
+export type OrganizationReadAccessInput = {
+  scope: OrganizationScope | null | undefined
+  auth: AuthContext
+  organizationId: string | null
+}
+
+/**
+ * Fail-closed read guard for single-record detail routes. Centralizes the
+ * decision so callers keep their own deny mechanism (throw / return response)
+ * and their own i18n key.
+ *
+ * Unrestricted access (super admin or `scope.allowedIds === null`) is the only
+ * bypass. For a restricted principal the allowed set is derived the same way
+ * the detail routes always have (`filterIds` narrows the active view, else the
+ * principal's home org); an empty derived set denies instead of skipping.
+ */
+export function isOrganizationReadAccessAllowed(input: OrganizationReadAccessInput): boolean {
+  const isSuperAdmin = input.auth?.isSuperAdmin === true
+  if (isSuperAdmin || input.scope?.allowedIds === null) return true
+
+  const allowedOrganizationIds = new Set<string>()
+  if (input.scope?.filterIds?.length) {
+    for (const id of input.scope.filterIds) {
+      if (typeof id === 'string' && id.trim().length) allowedOrganizationIds.add(id)
+    }
+  } else if (input.auth?.orgId) {
+    allowedOrganizationIds.add(input.auth.orgId)
+  }
+
+  return isOrganizationAccessAllowed({
+    isSuperAdmin,
+    allowedOrganizationIds: Array.from(allowedOrganizationIds),
+    targetOrganizationId: input.organizationId,
+  })
+}

package/src/modules/staff/i18n/de.json

@@ -118,6 +118,14 @@
   "staff.audit.teams.create": "Team erstellen",
   "staff.audit.teams.delete": "Team löschen",
   "staff.audit.teams.update": "Team aktualisieren",
+  "staff.audit.timesheets.time_entries.create": "Zeiteintrag erstellen",
+  "staff.audit.timesheets.time_entries.delete": "Zeiteintrag löschen",
+  "staff.audit.timesheets.time_entries.update": "Zeiteintrag aktualisieren",
+  "staff.audit.timesheets.time_project_members.assign": "Zeitprojektmitglied zuweisen",
+  "staff.audit.timesheets.time_project_members.unassign": "Zeitprojektmitglied entfernen",
+  "staff.audit.timesheets.time_projects.create": "Zeitprojekt erstellen",
+  "staff.audit.timesheets.time_projects.delete": "Zeitprojekt löschen",
+  "staff.audit.timesheets.time_projects.update": "Zeitprojekt aktualisieren",
   "staff.availability.errors.organizationRequired": "Organisationskontext ist erforderlich.",
   "staff.availability.errors.unauthorized": "Nicht autorisiert",
   "staff.availability.errors.updateDateSpecific": "Datumsspezifische Verfügbarkeit konnte nicht gespeichert werden.",
@@ -202,6 +210,7 @@
   "staff.availabilityRuleSets.tabs.availability": "Verfügbarkeit",
   "staff.availabilityRuleSets.tabs.details": "Details",
   "staff.availabilityRuleSets.tabs.label": "Zeitplanbereiche",
+  "staff.errors.missingScope": "Mandanten- oder Organisationskontext fehlt.",
   "staff.errors.unauthorized": "Nicht autorisiert",
   "staff.leaveRequests.actions.accept": "Genehmigen",
   "staff.leaveRequests.actions.add": "Neuer Antrag",
@@ -413,6 +422,7 @@
   "staff.search.badge.team": "Team",
   "staff.search.badge.teamMember": "Teammitglied",
   "staff.search.badge.teamRole": "Teamrolle",
+  "staff.search.badge.timeProject": "Projekt",
   "staff.search.service.maxAttendees": "Max. {{count}}",
   "staff.search.status.active": "Aktiv",
   "staff.search.status.inactive": "Inaktiv",
@@ -918,13 +928,26 @@
   "staff.teams.tabs.details": "Details",
   "staff.teams.tabs.label": "Teamabschnitte",
   "staff.teams.tabs.members": "Teammitglieder",
+  "staff.timesheets.errors.bulkSave": "Zeiteinträge konnten nicht im Stapel gespeichert werden.",
   "staff.timesheets.errors.entryNotFound": "Zeiteintrag nicht gefunden, gelöscht oder Ihnen nicht zugeordnet.",
+  "staff.timesheets.errors.invalidBody": "Ungültiger Anfragetext.",
+  "staff.timesheets.errors.invalidProjectId": "Ungültige Projekt-ID.",
+  "staff.timesheets.errors.memberRequired": "Die ID des Zeitprojektmitglieds ist erforderlich.",
+  "staff.timesheets.errors.missingEntryId": "Eintrags-ID fehlt.",
+  "staff.timesheets.errors.myProjects": "Ihre Projekte konnten nicht geladen werden.",
+  "staff.timesheets.errors.noActiveSegment": "Für diesen Eintrag wurde kein aktives Timer-Segment gefunden.",
   "staff.timesheets.errors.noStaffMember": "Ihrem Konto ist kein Mitarbeiter zugeordnet.",
+  "staff.timesheets.errors.notAssigned": "Sie sind diesem Projekt nicht zugewiesen.",
   "staff.timesheets.errors.notOwner": "Sie können nur Ihre eigenen Zeiteinträge verwalten.",
   "staff.timesheets.errors.projectCodeDuplicate": "Ein Projekt mit diesem Code existiert bereits.",
   "staff.timesheets.errors.projectNotFound": "Zeitprojekt nicht gefunden oder nicht zugänglich.",
   "staff.timesheets.errors.projectsKpis": "Failed to load project KPIs.",
+  "staff.timesheets.errors.segmentCreate": "Zeiteintragssegment konnte nicht erstellt werden.",
   "staff.timesheets.errors.staffMemberNotFound": "Mitarbeiter nicht gefunden oder nicht zugänglich.",
+  "staff.timesheets.errors.timerAlreadyStarted": "Der Timer ist für diesen Eintrag bereits gestartet.",
+  "staff.timesheets.errors.timerStart": "Timer konnte nicht gestartet werden.",
+  "staff.timesheets.errors.timerStop": "Timer konnte nicht gestoppt werden.",
+  "staff.timesheets.errors.updateMyProject": "Projektsichtbarkeit konnte nicht aktualisiert werden.",
   "staff.timesheets.my.addRow.createProject": "Create a new project",
   "staff.timesheets.my.addRow.error": "Das Projekt konnte nicht hinzugefügt werden. Bitte erneut versuchen.",
   "staff.timesheets.my.addRow.noProjects": "No projects assigned",

package/src/modules/staff/i18n/en.json

@@ -118,6 +118,14 @@
   "staff.audit.teams.create": "Create team",
   "staff.audit.teams.delete": "Delete team",
   "staff.audit.teams.update": "Update team",
+  "staff.audit.timesheets.time_entries.create": "Create time entry",
+  "staff.audit.timesheets.time_entries.delete": "Delete time entry",
+  "staff.audit.timesheets.time_entries.update": "Update time entry",
+  "staff.audit.timesheets.time_project_members.assign": "Assign time project member",
+  "staff.audit.timesheets.time_project_members.unassign": "Unassign time project member",
+  "staff.audit.timesheets.time_projects.create": "Create time project",
+  "staff.audit.timesheets.time_projects.delete": "Delete time project",
+  "staff.audit.timesheets.time_projects.update": "Update time project",
   "staff.availability.errors.organizationRequired": "Organization context is required.",
   "staff.availability.errors.unauthorized": "Unauthorized",
   "staff.availability.errors.updateDateSpecific": "Failed to save date-specific availability.",
@@ -202,6 +210,7 @@
   "staff.availabilityRuleSets.tabs.availability": "Availability",
   "staff.availabilityRuleSets.tabs.details": "Details",
   "staff.availabilityRuleSets.tabs.label": "Schedule sections",
+  "staff.errors.missingScope": "Missing tenant or organization scope.",
   "staff.errors.unauthorized": "Unauthorized",
   "staff.leaveRequests.actions.accept": "Approve",
   "staff.leaveRequests.actions.add": "New request",
@@ -413,6 +422,7 @@
   "staff.search.badge.team": "Team",
   "staff.search.badge.teamMember": "Team member",
   "staff.search.badge.teamRole": "Team role",
+  "staff.search.badge.timeProject": "Project",
   "staff.search.service.maxAttendees": "Max {{count}}",
   "staff.search.status.active": "Active",
   "staff.search.status.inactive": "Inactive",
@@ -918,13 +928,26 @@
   "staff.teams.tabs.details": "Details",
   "staff.teams.tabs.label": "Team sections",
   "staff.teams.tabs.members": "Team members",
+  "staff.timesheets.errors.bulkSave": "Failed to bulk save time entries.",
   "staff.timesheets.errors.entryNotFound": "Time entry not found, deleted, or not owned by you.",
+  "staff.timesheets.errors.invalidBody": "Invalid request body.",
+  "staff.timesheets.errors.invalidProjectId": "Invalid project id.",
+  "staff.timesheets.errors.memberRequired": "Time project member id is required.",
+  "staff.timesheets.errors.missingEntryId": "Missing entry ID.",
+  "staff.timesheets.errors.myProjects": "Failed to load your projects.",
+  "staff.timesheets.errors.noActiveSegment": "No active timer segment found for this entry.",
   "staff.timesheets.errors.noStaffMember": "No staff member linked to your account.",
+  "staff.timesheets.errors.notAssigned": "You are not assigned to this project.",
   "staff.timesheets.errors.notOwner": "You can only manage your own time entries.",
   "staff.timesheets.errors.projectCodeDuplicate": "A project with this code already exists.",
   "staff.timesheets.errors.projectNotFound": "Time project not found or not accessible.",
   "staff.timesheets.errors.projectsKpis": "Failed to load project KPIs.",
+  "staff.timesheets.errors.segmentCreate": "Failed to create time entry segment.",
   "staff.timesheets.errors.staffMemberNotFound": "Staff member not found or not accessible.",
+  "staff.timesheets.errors.timerAlreadyStarted": "Timer is already started for this entry.",
+  "staff.timesheets.errors.timerStart": "Failed to start timer.",
+  "staff.timesheets.errors.timerStop": "Failed to stop timer.",
+  "staff.timesheets.errors.updateMyProject": "Failed to update project visibility.",
   "staff.timesheets.my.addRow.createProject": "Create a new project",
   "staff.timesheets.my.addRow.error": "Could not add the project. Please try again.",
   "staff.timesheets.my.addRow.noProjects": "No projects assigned",

package/src/modules/staff/i18n/es.json

@@ -118,6 +118,14 @@
   "staff.audit.teams.create": "Crear equipo",
   "staff.audit.teams.delete": "Eliminar equipo",
   "staff.audit.teams.update": "Actualizar equipo",
+  "staff.audit.timesheets.time_entries.create": "Crear registro de tiempo",
+  "staff.audit.timesheets.time_entries.delete": "Eliminar registro de tiempo",
+  "staff.audit.timesheets.time_entries.update": "Actualizar registro de tiempo",
+  "staff.audit.timesheets.time_project_members.assign": "Asignar miembro del proyecto de tiempo",
+  "staff.audit.timesheets.time_project_members.unassign": "Desasignar miembro del proyecto de tiempo",
+  "staff.audit.timesheets.time_projects.create": "Crear proyecto de tiempo",
+  "staff.audit.timesheets.time_projects.delete": "Eliminar proyecto de tiempo",
+  "staff.audit.timesheets.time_projects.update": "Actualizar proyecto de tiempo",
   "staff.availability.errors.organizationRequired": "Se requiere el contexto de la organización.",
   "staff.availability.errors.unauthorized": "No autorizado",
   "staff.availability.errors.updateDateSpecific": "No se pudo guardar la disponibilidad por fecha.",
@@ -202,6 +210,7 @@
   "staff.availabilityRuleSets.tabs.availability": "Disponibilidad",
   "staff.availabilityRuleSets.tabs.details": "Detalles",
   "staff.availabilityRuleSets.tabs.label": "Secciones del horario",
+  "staff.errors.missingScope": "Falta el contexto de inquilino u organización.",
   "staff.errors.unauthorized": "No autorizado",
   "staff.leaveRequests.actions.accept": "Aprobar",
   "staff.leaveRequests.actions.add": "Nueva solicitud",
@@ -413,6 +422,7 @@
   "staff.search.badge.team": "Equipo",
   "staff.search.badge.teamMember": "Miembro del equipo",
   "staff.search.badge.teamRole": "Rol del equipo",
+  "staff.search.badge.timeProject": "Proyecto",
   "staff.search.service.maxAttendees": "Máx. {{count}}",
   "staff.search.status.active": "Activo",
   "staff.search.status.inactive": "Inactivo",
@@ -918,13 +928,26 @@
   "staff.teams.tabs.details": "Detalles",
   "staff.teams.tabs.label": "Secciones del equipo",
   "staff.teams.tabs.members": "Miembros del equipo",
+  "staff.timesheets.errors.bulkSave": "No se pudieron guardar en lote los registros de tiempo.",
   "staff.timesheets.errors.entryNotFound": "Registro de tiempo no encontrado, eliminado o no asignado a ti.",
+  "staff.timesheets.errors.invalidBody": "Cuerpo de la solicitud no válido.",
+  "staff.timesheets.errors.invalidProjectId": "Identificador de proyecto no válido.",
+  "staff.timesheets.errors.memberRequired": "El identificador del miembro del proyecto de tiempo es obligatorio.",
+  "staff.timesheets.errors.missingEntryId": "Falta el identificador del registro.",
+  "staff.timesheets.errors.myProjects": "No se pudieron cargar tus proyectos.",
+  "staff.timesheets.errors.noActiveSegment": "No se encontró ningún segmento de temporizador activo para este registro.",
   "staff.timesheets.errors.noStaffMember": "Ningún miembro del personal vinculado a tu cuenta.",
+  "staff.timesheets.errors.notAssigned": "No estás asignado a este proyecto.",
   "staff.timesheets.errors.notOwner": "Solo puedes gestionar tus propios registros de tiempo.",
   "staff.timesheets.errors.projectCodeDuplicate": "Ya existe un proyecto con este código.",
   "staff.timesheets.errors.projectNotFound": "Proyecto de tiempo no encontrado o no accesible.",
   "staff.timesheets.errors.projectsKpis": "Failed to load project KPIs.",
+  "staff.timesheets.errors.segmentCreate": "No se pudo crear el segmento del registro de tiempo.",
   "staff.timesheets.errors.staffMemberNotFound": "Miembro del personal no encontrado o no accesible.",
+  "staff.timesheets.errors.timerAlreadyStarted": "El temporizador ya está iniciado para este registro.",
+  "staff.timesheets.errors.timerStart": "No se pudo iniciar el temporizador.",
+  "staff.timesheets.errors.timerStop": "No se pudo detener el temporizador.",
+  "staff.timesheets.errors.updateMyProject": "No se pudo actualizar la visibilidad del proyecto.",
   "staff.timesheets.my.addRow.createProject": "Create a new project",
   "staff.timesheets.my.addRow.error": "No se pudo añadir el proyecto. Inténtalo de nuevo.",
   "staff.timesheets.my.addRow.noProjects": "No projects assigned",

package/src/modules/staff/i18n/pl.json

@@ -118,6 +118,14 @@
   "staff.audit.teams.create": "Utwórz zespół",
   "staff.audit.teams.delete": "Usuń zespół",
   "staff.audit.teams.update": "Zaktualizuj zespół",
+  "staff.audit.timesheets.time_entries.create": "Utwórz wpis czasu",
+  "staff.audit.timesheets.time_entries.delete": "Usuń wpis czasu",
+  "staff.audit.timesheets.time_entries.update": "Zaktualizuj wpis czasu",
+  "staff.audit.timesheets.time_project_members.assign": "Przypisz członka projektu czasu",
+  "staff.audit.timesheets.time_project_members.unassign": "Usuń przypisanie członka projektu czasu",
+  "staff.audit.timesheets.time_projects.create": "Utwórz projekt czasu",
+  "staff.audit.timesheets.time_projects.delete": "Usuń projekt czasu",
+  "staff.audit.timesheets.time_projects.update": "Zaktualizuj projekt czasu",
   "staff.availability.errors.organizationRequired": "Wymagany jest kontekst organizacji.",
   "staff.availability.errors.unauthorized": "Brak autoryzacji",
   "staff.availability.errors.updateDateSpecific": "Nie udało się zapisać dostępności dla dat.",
@@ -202,6 +210,7 @@
   "staff.availabilityRuleSets.tabs.availability": "Dostępność",
   "staff.availabilityRuleSets.tabs.details": "Szczegóły",
   "staff.availabilityRuleSets.tabs.label": "Sekcje harmonogramu",
+  "staff.errors.missingScope": "Brak kontekstu najemcy lub organizacji.",
   "staff.errors.unauthorized": "Brak autoryzacji",
   "staff.leaveRequests.actions.accept": "Zatwierdź",
   "staff.leaveRequests.actions.add": "Nowy wniosek",
@@ -413,6 +422,7 @@
   "staff.search.badge.team": "Zespół",
   "staff.search.badge.teamMember": "Członek zespołu",
   "staff.search.badge.teamRole": "Rola zespołu",
+  "staff.search.badge.timeProject": "Projekt",
   "staff.search.service.maxAttendees": "Maks. {{count}}",
   "staff.search.status.active": "Aktywny",
   "staff.search.status.inactive": "Nieaktywny",
@@ -918,13 +928,26 @@
   "staff.teams.tabs.details": "Szczegóły",
   "staff.teams.tabs.label": "Sekcje zespołu",
   "staff.teams.tabs.members": "Członkowie zespołu",
+  "staff.timesheets.errors.bulkSave": "Nie udało się zbiorczo zapisać wpisów czasu.",
   "staff.timesheets.errors.entryNotFound": "Wpis czasu nie istnieje, został usunięty lub nie należy do Ciebie.",
+  "staff.timesheets.errors.invalidBody": "Nieprawidłowe ciało żądania.",
+  "staff.timesheets.errors.invalidProjectId": "Nieprawidłowy identyfikator projektu.",
+  "staff.timesheets.errors.memberRequired": "Identyfikator członka projektu czasu jest wymagany.",
+  "staff.timesheets.errors.missingEntryId": "Brak identyfikatora wpisu.",
+  "staff.timesheets.errors.myProjects": "Nie udało się załadować Twoich projektów.",
+  "staff.timesheets.errors.noActiveSegment": "Nie znaleziono aktywnego segmentu czasomierza dla tego wpisu.",
   "staff.timesheets.errors.noStaffMember": "Brak pracownika powiązanego z Twoim kontem.",
+  "staff.timesheets.errors.notAssigned": "Nie jesteś przypisany do tego projektu.",
   "staff.timesheets.errors.notOwner": "Możesz zarządzać tylko własnymi wpisami czasu.",
   "staff.timesheets.errors.projectCodeDuplicate": "Projekt o tym kodzie już istnieje.",
   "staff.timesheets.errors.projectNotFound": "Projekt czasowy nie został znaleziony lub jest niedostępny.",
   "staff.timesheets.errors.projectsKpis": "Failed to load project KPIs.",
+  "staff.timesheets.errors.segmentCreate": "Nie udało się utworzyć segmentu wpisu czasu.",
   "staff.timesheets.errors.staffMemberNotFound": "Pracownik nie został znaleziony lub jest niedostępny.",
+  "staff.timesheets.errors.timerAlreadyStarted": "Czasomierz jest już uruchomiony dla tego wpisu.",
+  "staff.timesheets.errors.timerStart": "Nie udało się uruchomić czasomierza.",
+  "staff.timesheets.errors.timerStop": "Nie udało się zatrzymać czasomierza.",
+  "staff.timesheets.errors.updateMyProject": "Nie udało się zaktualizować widoczności projektu.",
   "staff.timesheets.my.addRow.createProject": "Create a new project",
   "staff.timesheets.my.addRow.error": "Nie udało się dodać projektu. Spróbuj ponownie.",
   "staff.timesheets.my.addRow.noProjects": "No projects assigned",

package/src/modules/workflows/cli.ts

@@ -4,6 +4,10 @@ import { getRedisUrl, getRedisUrlOrThrow } from '@open-mercato/shared/lib/redis/
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { WorkflowDefinition } from './data/entities'
 import { BusinessRule, type RuleType } from '@open-mercato/core/modules/business_rules/data/entities'
+import {
+  invalidateBusinessRuleDiscoveryCache,
+  resolveBusinessRuleDiscoveryCache,
+} from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 import * as fs from 'fs'
 import * as path from 'path'
 import { fileURLToPath } from 'url'
@@ -69,6 +73,7 @@ const seedDemoWithRules: ModuleCli = {
     try {
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
+      const cache = resolveBusinessRuleDiscoveryCache(resolve)
 
       // Import BusinessRule entity
       const { BusinessRule } = await import('../business_rules/data/entities')
@@ -100,6 +105,7 @@ const seedDemoWithRules: ModuleCli = {
         })
 
         await em.persist(rule).flush()
+        await invalidateBusinessRuleDiscoveryCache(cache, tenantId, organizationId)
         console.log(`  ✓ Seeded guard rule: ${rule.ruleName}`)
         seededCount++
       }
@@ -211,6 +217,7 @@ const seedOrderApproval: ModuleCli = {
     try {
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
+      const cache = resolveBusinessRuleDiscoveryCache(resolve)
 
       // 1. Seed order approval guard rules first
       const guardRulesPath = path.join(__dirname, 'examples', 'order-approval-guard-rules.json')
@@ -252,6 +259,7 @@ const seedOrderApproval: ModuleCli = {
 
       if (rulesSeeded > 0) {
         await em.flush()
+        await invalidateBusinessRuleDiscoveryCache(cache, tenantId, organizationId)
       }
 
       console.log(`✅ Seeded order approval guard rules`)

package/src/modules/workflows/lib/seeds.ts

@@ -4,6 +4,10 @@ import * as path from 'path'
 import { fileURLToPath } from 'node:url'
 import { WorkflowDefinition, type WorkflowDefinitionData } from '../data/entities'
 import { BusinessRule, type RuleType } from '@open-mercato/core/modules/business_rules/data/entities'
+import {
+  invalidateBusinessRuleDiscoveryCache,
+  type RuleDiscoveryCache,
+} from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 
 const __esmDirname = path.dirname(fileURLToPath(import.meta.url))
 
@@ -130,6 +134,7 @@ async function seedGuardRules(
   em: EntityManager,
   scope: WorkflowSeedScope,
   fileName: string,
+  cache?: RuleDiscoveryCache | null,
 ): Promise<{ seeded: number; skipped: number; updated: number }> {
   const seeds = readExampleJson<GuardRuleSeed[]>(fileName)
   if (!Array.isArray(seeds)) {
@@ -185,16 +190,21 @@ async function seedGuardRules(
   }
   if (seeded > 0 || updated > 0) {
     await em.flush()
+    await invalidateBusinessRuleDiscoveryCache(cache, scope.tenantId, scope.organizationId)
   }
   return { seeded, skipped, updated }
 }
 
-export async function seedExampleWorkflows(em: EntityManager, scope: WorkflowSeedScope): Promise<void> {
+export async function seedExampleWorkflows(
+  em: EntityManager,
+  scope: WorkflowSeedScope,
+  options: { cache?: RuleDiscoveryCache | null } = {},
+): Promise<void> {
   // workflows.checkout-demo and workflows.simple-approval are now code-defined
   // (see packages/core/src/modules/workflows/workflows.ts). Seeding DB rows for
   // them would shadow the code definitions in the merge layer, so they are no
   // longer seeded here. Existing tenants are migrated via Migration20260428102318.
-  await seedGuardRules(em, scope, 'guard-rules-example.json')
+  await seedGuardRules(em, scope, 'guard-rules-example.json', options.cache)
   await seedWorkflowDefinition(em, scope, 'sales-pipeline-definition.json')
-  await seedGuardRules(em, scope, 'order-approval-guard-rules.json')
+  await seedGuardRules(em, scope, 'order-approval-guard-rules.json', options.cache)
 }

package/src/modules/workflows/setup.ts

@@ -1,10 +1,12 @@
 import type { ModuleSetupConfig } from '@open-mercato/shared/modules/setup'
+import { resolveBusinessRuleDiscoveryCache } from '@open-mercato/core/modules/business_rules/lib/rule-engine'
 import { seedExampleWorkflows } from './lib/seeds'
 
 export const setup: ModuleSetupConfig = {
   seedDefaults: async (ctx) => {
     const scope = { tenantId: ctx.tenantId, organizationId: ctx.organizationId }
-    await seedExampleWorkflows(ctx.em, scope)
+    const cache = resolveBusinessRuleDiscoveryCache(ctx.container.resolve.bind(ctx.container))
+    await seedExampleWorkflows(ctx.em, scope, { cache })
   },
 
   defaultRoleFeatures: {