@open-mercato/core 0.6.4-develop.4239.1.4a264a5828 → 0.6.4-develop.4264.1.53368d85fe

package/src/modules/business_rules/cli.ts

@@ -2,6 +2,10 @@ import type { ModuleCli } from '@open-mercato/shared/modules/registry'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import { BusinessRule } from './data/entities'
+import {
+  invalidateBusinessRuleDiscoveryCache,
+  resolveBusinessRuleDiscoveryCache,
+} from './lib/rule-engine'
 import * as fs from 'fs'
 import * as path from 'path'
 
@@ -39,6 +43,7 @@ const seedGuardRules: ModuleCli = {
     try {
       const { resolve } = await createRequestContainer()
       const em = resolve<EntityManager>('em')
+      const cache = resolveBusinessRuleDiscoveryCache(resolve)
 
       // Read guard rules from workflows examples
       const rulesPath = path.join(__dirname, '../workflows/examples', 'guard-rules-example.json')
@@ -70,6 +75,7 @@ const seedGuardRules: ModuleCli = {
         })
 
         await em.persist(rule).flush()
+        await invalidateBusinessRuleDiscoveryCache(cache, tenantId, organizationId)
         console.log(`  ✓ Seeded guard rule: ${rule.ruleName}`)
         seededCount++
       }

package/src/modules/business_rules/lib/rule-engine.ts

@@ -1,4 +1,5 @@
 import type { EntityManager } from '@mikro-orm/core'
+import { runWithCacheTenant, type CacheStrategy } from '@open-mercato/cache'
 import type { EventBus } from '@open-mercato/events'
 import { BusinessRule, RuleExecutionLog, type RuleType } from '../data/entities'
 import * as ruleEvaluator from './rule-evaluator'
@@ -22,6 +23,7 @@ const EXECUTION_RESULT_FAILURE = 'FAILURE'
 const MAX_RULES_PER_EXECUTION = 100
 const MAX_SINGLE_RULE_TIMEOUT_MS = 30000  // 30 seconds
 const MAX_TOTAL_EXECUTION_TIMEOUT_MS = 60000  // 60 seconds
+const RULE_DISCOVERY_CACHE_TTL = 5 * 60 * 1000
 
 /**
  * Rule execution context
@@ -86,8 +88,138 @@ export interface RuleDiscoveryOptions {
   ruleType?: RuleType
 }
 
+type CachedRuleDiscovery = {
+  ruleIds: string[]
+}
+
+export type RuleDiscoveryCache = Pick<CacheStrategy, 'get' | 'set' | 'deleteByTags'>
+
+export type RuleDiscoveryCacheOptions = {
+  cache?: RuleDiscoveryCache | null
+}
+
+function normalizeCachePart(value: string | null | undefined): string {
+  return encodeURIComponent(value?.trim() || '*')
+}
+
+function getRuleDiscoveryCacheKey(options: RuleDiscoveryOptions): string {
+  return [
+    normalizeCachePart(options.tenantId),
+    normalizeCachePart(options.organizationId),
+    normalizeCachePart(options.entityType),
+    normalizeCachePart(options.eventType),
+    normalizeCachePart(options.ruleType),
+  ].join(':')
+}
+
+function isCachedRuleDiscovery(value: unknown): value is CachedRuleDiscovery {
+  if (!value || typeof value !== 'object') return false
+  const ruleIds = (value as CachedRuleDiscovery).ruleIds
+  return Array.isArray(ruleIds) && ruleIds.every((entry) => typeof entry === 'string')
+}
+
+export function isRuleDiscoveryCache(value: unknown): value is RuleDiscoveryCache {
+  if (!value || typeof value !== 'object') return false
+  const candidate = value as Partial<RuleDiscoveryCache>
+  return (
+    typeof candidate.get === 'function'
+    && typeof candidate.set === 'function'
+    && typeof candidate.deleteByTags === 'function'
+  )
+}
+
+export function resolveBusinessRuleDiscoveryCache(resolve: (token: string) => unknown): RuleDiscoveryCache | null {
+  try {
+    const cache = resolve('cache')
+    return isRuleDiscoveryCache(cache) ? cache : null
+  } catch {
+    return null
+  }
+}
+
+function getRuleDiscoveryCacheTags(options: Pick<RuleDiscoveryOptions, 'organizationId'>): string[] {
+  return [
+    'business_rules:discovery',
+    `business_rules:discovery:organization:${options.organizationId}`,
+  ]
+}
+
+async function getCachedRuleDiscovery(
+  cache: RuleDiscoveryCache | null | undefined,
+  options: RuleDiscoveryOptions,
+): Promise<CachedRuleDiscovery | null> {
+  if (!cache) return null
+
+  let value: unknown
+  try {
+    value = await runWithCacheTenant(options.tenantId, () =>
+      cache.get(getRuleDiscoveryCacheKey(options))
+    )
+  } catch (error) {
+    console.warn('[business_rules] Failed to read rule discovery cache:', error)
+    return null
+  }
+
+  return isCachedRuleDiscovery(value) ? value : null
+}
+
+async function cacheRuleDiscovery(
+  cache: RuleDiscoveryCache | null | undefined,
+  options: RuleDiscoveryOptions,
+  rules: BusinessRule[],
+): Promise<void> {
+  if (!cache) return
+
+  const ruleIds = rules
+    .map((rule) => rule.id)
+    .filter((id): id is string => typeof id === 'string' && id.length > 0)
+
+  if (ruleIds.length !== rules.length) return
+
+  try {
+    await runWithCacheTenant(options.tenantId, () =>
+      cache.set(
+        getRuleDiscoveryCacheKey(options),
+        { ruleIds },
+        {
+          ttl: RULE_DISCOVERY_CACHE_TTL,
+          tags: getRuleDiscoveryCacheTags(options),
+        },
+      )
+    )
+  } catch (error) {
+    console.warn('[business_rules] Failed to write rule discovery cache:', error)
+  }
+}
+
+export async function invalidateBusinessRuleDiscoveryCache(
+  cache: RuleDiscoveryCache | null | undefined,
+  tenantId?: string | null,
+  organizationId?: string | null,
+): Promise<void> {
+  if (!cache) return
+
+  const normalizedTenantId = tenantId?.trim()
+  const normalizedOrganizationId = organizationId?.trim()
+
+  if (!normalizedTenantId) {
+    return
+  }
+
+  const tags = normalizedOrganizationId
+    ? [`business_rules:discovery:organization:${normalizedOrganizationId}`]
+    : ['business_rules:discovery']
+
+  try {
+    await runWithCacheTenant(normalizedTenantId, () => cache.deleteByTags(tags))
+  } catch (error) {
+    console.warn('[business_rules] Failed to invalidate rule discovery cache:', error)
+  }
+}
+
 export type RuleEngineExecutionOptions = {
   eventBus?: Pick<EventBus, 'emitEvent'> | null
+  cache?: RuleDiscoveryCache | null
 }
 
 type RuleExecutionFailedPayload = {
@@ -213,7 +345,7 @@ export async function executeRules(
       eventType: context.eventType,
       tenantId: context.tenantId,
       organizationId: context.organizationId,
-    })
+    }, { cache: options.cache })
 
     // Check rule count limit
     if (rules.length > MAX_RULES_PER_EXECUTION) {
@@ -468,14 +600,14 @@ export async function executeSingleRule(
  */
 export async function findApplicableRules(
   em: EntityManager,
-  options: RuleDiscoveryOptions
+  options: RuleDiscoveryOptions,
+  cacheOptions: RuleDiscoveryCacheOptions = {},
 ): Promise<BusinessRule[]> {
   // Validate input
   ruleDiscoveryOptionsSchema.parse(options)
 
   const { entityType, eventType, tenantId, organizationId, ruleType } = options
-
-  const where: Partial<BusinessRule> = {
+  const baseWhere: Record<string, unknown> = {
     entityType,
     tenantId,
     organizationId,
@@ -484,16 +616,38 @@ export async function findApplicableRules(
   }
 
   if (eventType) {
-    where.eventType = eventType
+    baseWhere.eventType = eventType
   }
 
   if (ruleType) {
-    where.ruleType = ruleType
+    baseWhere.ruleType = ruleType
   }
 
-  const rules = await em.find(BusinessRule, where, {
-    orderBy: { priority: 'DESC', ruleId: 'ASC' },
-  })
+  const cached = await getCachedRuleDiscovery(cacheOptions.cache, options)
+  let rules: BusinessRule[]
+
+  if (cached) {
+    if (cached.ruleIds.length === 0) {
+      rules = []
+    } else {
+      const cachedRules = await em.find(BusinessRule, {
+        ...baseWhere,
+        id: { $in: cached.ruleIds },
+      }, {
+        orderBy: { priority: 'DESC', ruleId: 'ASC' },
+      } as any)
+      const byId = new Map(cachedRules.map((rule) => [rule.id, rule]))
+      rules = cached.ruleIds
+        .map((id) => byId.get(id))
+        .filter((rule): rule is BusinessRule => Boolean(rule))
+    }
+  } else {
+    rules = await em.find(BusinessRule, baseWhere as Partial<BusinessRule>, {
+      orderBy: { priority: 'DESC', ruleId: 'ASC' },
+    })
+
+    await cacheRuleDiscovery(cacheOptions.cache, options, rules)
+  }
 
   // Filter by effective date range
   const now = new Date()

package/src/modules/business_rules/subscribers/crud-rule-trigger.ts

@@ -11,7 +11,7 @@
  */
 
 import type { EntityManager } from '@mikro-orm/core'
-import { executeRules } from '../lib/rule-engine'
+import { executeRules, resolveBusinessRuleDiscoveryCache } from '../lib/rule-engine'
 
 export const metadata = {
   event: '*',
@@ -64,6 +64,7 @@ export default async function handle(
   if (!tenantId || !organizationId) return
 
   const em = ctx.resolve<EntityManager>('em')
+  const cache = resolveBusinessRuleDiscoveryCache(ctx.resolve)
 
   try {
     await executeRules(em, {
@@ -72,7 +73,7 @@ export default async function handle(
       data,
       tenantId,
       organizationId,
-    })
+    }, { cache })
   } catch (error) {
     console.error(`[business_rules] Rule execution failed for event ${eventName}:`, error)
   }

package/src/modules/catalog/api/products/route.ts

@@ -628,9 +628,13 @@ async function decorateProductsAfterList(
       "catalogPricingService",
     );
 
+    const pricingEntries: Array<{ rows: PriceRow[]; context: PricingContext } | null> = [];
     for (const item of items) {
       const id = typeof item.id === "string" ? item.id : null;
-      if (!id) continue;
+      if (!id) {
+        pricingEntries.push(null);
+        continue;
+      }
       const offerEntries = offersByProduct.get(id) ?? [];
       item.offers = offerEntries;
       const channelIds = Array.from(
@@ -668,10 +672,25 @@ async function decorateProductsAfterList(
         pricingContext.channelId || channelIds.length !== 1
           ? pricingContext
           : { ...pricingContext, channelId: channelIds[0] };
-      const best = await pricingService.resolvePrice(priceCandidates, {
-        ...channelScopedContext,
-        quantity: normalizedQuantityForPricing,
+      pricingEntries.push({
+        rows: priceCandidates,
+        context: { ...channelScopedContext, quantity: normalizedQuantityForPricing },
       });
+    }
+
+    const resolveInputs: Array<{ rows: PriceRow[]; context: PricingContext }> = [];
+    const resolveIndices: number[] = [];
+    for (let i = 0; i < pricingEntries.length; i++) {
+      if (pricingEntries[i] !== null) {
+        resolveInputs.push(pricingEntries[i]!);
+        resolveIndices.push(i);
+      }
+    }
+    const priceResults = await pricingService.resolvePriceMany(resolveInputs);
+
+    for (let i = 0; i < resolveIndices.length; i++) {
+      const item = items[resolveIndices[i]];
+      const best = priceResults[i];
       if (best) {
         item.pricing = {
           kind: resolvePriceKindCode(best),

package/src/modules/catalog/lib/pricing.ts

@@ -180,3 +180,12 @@ export async function resolveCatalogPrice(
 
   return resolved ?? null
 }
+
+export async function resolveCatalogPriceBatch(
+  entries: Array<{ rows: PriceRow[]; context: PricingContext }>,
+  options?: { eventBus?: EventBus | null }
+): Promise<Array<PriceRow | null>> {
+  return Promise.all(
+    entries.map(({ rows, context }) => resolveCatalogPrice(rows, context, options))
+  )
+}

package/src/modules/catalog/services/catalogPricingService.ts

@@ -1,12 +1,14 @@
 import type { EventBus } from '@open-mercato/events'
 import {
   resolveCatalogPrice,
+  resolveCatalogPriceBatch,
   type PriceRow,
   type PricingContext,
 } from '../lib/pricing'
 
 export interface CatalogPricingService {
   resolvePrice(rows: PriceRow[], context: PricingContext): Promise<PriceRow | null>
+  resolvePriceMany(entries: Array<{ rows: PriceRow[]; context: PricingContext }>): Promise<Array<PriceRow | null>>
 }
 
 export class DefaultCatalogPricingService implements CatalogPricingService {
@@ -15,6 +17,10 @@ export class DefaultCatalogPricingService implements CatalogPricingService {
   async resolvePrice(rows: PriceRow[], context: PricingContext): Promise<PriceRow | null> {
     return resolveCatalogPrice(rows, context, { eventBus: this.eventBus })
   }
+
+  async resolvePriceMany(entries: Array<{ rows: PriceRow[]; context: PricingContext }>): Promise<Array<PriceRow | null>> {
+    return resolveCatalogPriceBatch(entries, { eventBus: this.eventBus })
+  }
 }
 
 export type { PriceRow, PricingContext }

package/src/modules/customer_accounts/api/portal/events/stream.ts

@@ -173,6 +173,12 @@ export async function GET(req: Request): Promise<Response> {
       }
       portalConnections.add(connection)
 
+      // Flush an initial comment so the runtime sends the response headers and
+      // first body byte immediately, firing the browser EventSource `open`
+      // event without waiting for the first heartbeat (30s) or matching event.
+      // Comment lines (`:` prefix) are ignored by EventSource message parsing.
+      controller.enqueue(encoder.encode(': connected\n\n'))
+
       heartbeatTimer = setInterval(() => {
         try {
           controller.enqueue(encoder.encode(':heartbeat\n\n'))

package/src/modules/customers/api/activities/route.ts

@@ -185,7 +185,7 @@ function paginateActivityItems(
   }
 }
 
-async function decorateActivityItems(
+export async function decorateActivityItems(
   em: EntityManager,
   items: ActivityItem[],
   decryptionScope?: { tenantId: string; organizationId: string },
@@ -207,12 +207,23 @@ async function decorateActivityItems(
     ),
   )
 
+  if (dealIds.length > 0 && (!decryptionScope?.tenantId || !decryptionScope?.organizationId)) {
+    const { translate } = await resolveTranslations()
+    throw new CrudHttpError(400, {
+      error: translate('customers.errors.tenant_required', 'Tenant context is required'),
+    })
+  }
+
   const [users, deals] = await Promise.all([
     authorIds.length > 0 ? em.find(User, { id: { $in: authorIds } }) : Promise.resolve([]),
-    dealIds.length > 0
-      ? decryptionScope
-        ? findWithDecryption(em, CustomerDeal, { id: { $in: dealIds } }, undefined, decryptionScope)
-        : em.find(CustomerDeal, { id: { $in: dealIds } })
+    dealIds.length > 0 && decryptionScope
+      ? findWithDecryption(
+          em,
+          CustomerDeal,
+          { id: { $in: dealIds }, tenantId: decryptionScope.tenantId, organizationId: decryptionScope.organizationId },
+          undefined,
+          decryptionScope,
+        )
       : Promise.resolve([]),
   ])
 

package/src/modules/customers/api/comments/route.ts

@@ -139,13 +139,23 @@ const crud = makeCrudRoute({
         ),
       )
       if (!dealIds.length) return
+      const tenantId = ctx.auth?.tenantId ?? null
+      const organizationId = ctx.selectedOrganizationId ?? ctx.auth?.orgId ?? null
+      if (!tenantId || !organizationId) {
+        const { translate } = await resolveTranslations()
+        throw new CrudHttpError(400, {
+          error: translate('customers.errors.tenant_required', 'Tenant context is required'),
+        })
+      }
       try {
         const em = (ctx.container.resolve('em') as EntityManager)
-        const tenantId = ctx.auth?.tenantId ?? null
-        const organizationId = ctx.selectedOrganizationId ?? ctx.auth?.orgId ?? null
-        const deals = tenantId && organizationId
-          ? await findWithDecryption(em, CustomerDeal, { id: { $in: dealIds } }, undefined, { tenantId, organizationId })
-          : await em.find(CustomerDeal, { id: { $in: dealIds } })
+        const deals = await findWithDecryption(
+          em,
+          CustomerDeal,
+          { id: { $in: dealIds }, tenantId, organizationId },
+          undefined,
+          { tenantId, organizationId },
+        )
         const map = new Map<string, string>()
         deals.forEach((deal: CustomerDeal) => {
           if (deal.id) map.set(deal.id, deal.title ?? '')

package/src/modules/customers/api/companies/[id]/people/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import {
   CustomerEntity,
   CustomerPersonCompanyLink,
@@ -115,10 +116,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.company_not_found', 'Company not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && company.organizationId && !allowedOrgIds.has(company.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: company.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/companies/[id]/route.ts

@@ -47,6 +47,7 @@ import {
   withActiveCustomerPersonCompanyLinkFilter,
 } from '../../../lib/personCompanyLinkTable'
 import { normalizeCustomerDetailCustomFields } from '../../detailCustomFields'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 
 export const metadata = {
   GET: { requireAuth: true, requireFeatures: ['customers.companies.view'] },
@@ -386,11 +387,7 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
   if (!company) return notFound('Company not found')
 
   if (auth.tenantId && company.tenantId !== auth.tenantId) return notFound('Company not found')
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-  else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-  if (allowedOrgIds.size && company.organizationId && !allowedOrgIds.has(company.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: company.organizationId })) {
     return forbidden('Access denied')
   }
 

package/src/modules/customers/api/deals/[id]/companies/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { CustomerCompanyProfile, CustomerDeal, CustomerDealCompanyLink, CustomerEntity } from '../../../../data/entities'
 
 const paramsSchema = z.object({
@@ -97,10 +98,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.deal_not_found', 'Deal not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/deals/[id]/people/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { CustomerDeal, CustomerDealPersonLink, CustomerEntity } from '../../../../data/entities'
 
 const paramsSchema = z.object({
@@ -97,10 +98,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.deal_not_found', 'Deal not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-    if (allowedOrgIds.size > 0 && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }
 

package/src/modules/customers/api/deals/[id]/route.ts

@@ -22,6 +22,7 @@ import { E } from '#generated/entities.ids.generated'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { decryptEntitiesWithFallbackScope } from '@open-mercato/shared/lib/encryption/subscriber'
 import { isMissingDealStageTransitionTable, warnMissingDealStageTransitionTable } from '../../../lib/dealStageTransitionTable'
 
@@ -377,15 +378,7 @@ export async function GET(request: Request, context: { params?: Record<string, u
     return notFound('Deal not found')
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (Array.isArray(scope?.filterIds)) {
-    scope.filterIds.forEach((id) => {
-      if (typeof id === 'string' && id.trim().length) allowedOrgIds.add(id)
-    })
-  } else if (auth.orgId) {
-    allowedOrgIds.add(auth.orgId)
-  }
-  if (allowedOrgIds.size && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
     return forbidden('Access denied')
   }
 

package/src/modules/customers/api/deals/[id]/stats/route.ts

@@ -10,6 +10,7 @@ import { DictionaryEntry } from '@open-mercato/core/modules/dictionaries/data/en
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 
 export const metadata = {
   GET: { requireAuth: true, requireFeatures: ['customers.deals.view'] },
@@ -97,15 +98,7 @@ export async function GET(request: Request, context: { params?: Record<string, u
     return notFound(translate('customers.errors.deal_not_found', 'Deal not found'))
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (Array.isArray(scope?.filterIds)) {
-    scope.filterIds.forEach((id) => {
-      if (typeof id === 'string' && id.trim().length) allowedOrgIds.add(id)
-    })
-  } else if (auth.orgId) {
-    allowedOrgIds.add(auth.orgId)
-  }
-  if (allowedOrgIds.size && deal.organizationId && !allowedOrgIds.has(deal.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: deal.organizationId })) {
     return forbidden(translate('customers.errors.access_denied', 'Access denied'))
   }
 

package/src/modules/customers/api/entity-roles-factory.ts

@@ -7,6 +7,7 @@ import { validateCrudMutationGuard, runCrudMutationGuardAfterSuccess } from '@op
 import { CrudHttpError, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { User } from '@open-mercato/core/modules/auth/data/entities'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { CustomerEntity, CustomerEntityRole } from '../data/entities'
@@ -69,24 +70,13 @@ async function buildContext(request: Request) {
   }
 }
 
-function collectAllowedOrganizationIds(
-  scope: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['scope'],
-  auth: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['auth'],
-) {
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((id) => allowedOrgIds.add(id))
-  else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-  return allowedOrgIds
-}
-
 function ensureRouteOrganizationAccess(
   organizationId: string,
   scope: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['scope'],
   auth: Awaited<ReturnType<typeof resolveCustomersRequestContext>>['auth'],
   translate: Translator,
 ) {
-  const allowedOrgIds = collectAllowedOrganizationIds(scope, auth)
-  if (allowedOrgIds.size > 0 && !allowedOrgIds.has(organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId })) {
     throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
   }
 }

package/src/modules/customers/api/people/[id]/companies/context.ts

@@ -7,6 +7,7 @@ import {
   CustomerPersonProfile,
 } from '@open-mercato/core/modules/customers/data/entities'
 import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 
@@ -37,11 +38,7 @@ export async function loadPersonContext(req: Request, personId: string) {
     throw new CrudHttpError(404, { error: translate('customers.errors.person_not_found', 'Person not found') })
   }
 
-  const allowedOrgIds = new Set<string>()
-  if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-  else if (authenticatedAuth.orgId) allowedOrgIds.add(authenticatedAuth.orgId)
-
-  if (allowedOrgIds.size > 0 && !allowedOrgIds.has(person.organizationId)) {
+  if (!isOrganizationReadAccessAllowed({ scope, auth: authenticatedAuth, organizationId: person.organizationId })) {
     throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
   }
 

package/src/modules/customers/api/people/[id]/companies/enriched/route.ts

@@ -8,6 +8,7 @@ import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/d
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import {
   CustomerEntity,
   CustomerCompanyProfile,
@@ -173,11 +174,7 @@ export async function GET(req: Request, ctx: { params?: { id?: string } }) {
       throw new CrudHttpError(404, { error: translate('customers.errors.person_not_found', 'Person not found') })
     }
 
-    const allowedOrgIds = new Set<string>()
-    if (scope?.filterIds?.length) scope.filterIds.forEach((entry) => allowedOrgIds.add(entry))
-    else if (auth.orgId) allowedOrgIds.add(auth.orgId)
-
-    if (allowedOrgIds.size > 0 && !allowedOrgIds.has(person.organizationId)) {
+    if (!isOrganizationReadAccessAllowed({ scope, auth, organizationId: person.organizationId })) {
       throw new CrudHttpError(403, { error: translate('customers.errors.access_denied', 'Access denied') })
     }