@open-mercato/core 0.6.4-develop.4331.1.64a8535120 → 0.6.4-develop.4358.1.233d5675c7

package/src/modules/customers/components/detail/ConfirmDealLostDialog.tsx

@@ -8,6 +8,7 @@ import { Alert, AlertDescription, AlertTitle } from '@open-mercato/ui/primitives
 import { Button } from '@open-mercato/ui/primitives/button'
 import { Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle } from '@open-mercato/ui/primitives/dialog'
 import { Textarea } from '@open-mercato/ui/primitives/textarea'
+import { useDialogKeyHandler } from '@open-mercato/ui/hooks/useDialogKeyHandler'
 
 type LossReasonOption = {
   id: string
@@ -39,6 +40,7 @@ export function ConfirmDealLostDialog({
   const [lossReasons, setLossReasons] = React.useState<LossReasonOption[]>([])
   const [reasonListOpen, setReasonListOpen] = React.useState(false)
   const [error, setError] = React.useState('')
+  const [isConfirming, setIsConfirming] = React.useState(false)
 
   React.useEffect(() => {
     if (!open) return
@@ -74,18 +76,21 @@ export function ConfirmDealLostDialog({
       setError(t('customers.deals.detail.lost.reasonRequired', 'Please select a loss reason'))
       return
     }
-    await onConfirm({
-      lossReasonId,
-      lossNotes: lossNotes.trim() || undefined,
-    })
+    setIsConfirming(true)
+    try {
+      await onConfirm({
+        lossReasonId,
+        lossNotes: lossNotes.trim() || undefined,
+      })
+    } finally {
+      setIsConfirming(false)
+    }
   }, [lossNotes, lossReasonId, onConfirm, t])
 
-  const handleKeyDown = React.useCallback((event: React.KeyboardEvent) => {
-    if ((event.metaKey || event.ctrlKey) && event.key === 'Enter') {
-      event.preventDefault()
-      void handleConfirm()
-    }
-  }, [handleConfirm])
+  const handleKeyDown = useDialogKeyHandler({
+    onConfirm: () => void handleConfirm(),
+    disabled: isConfirming,
+  })
 
   return (
     <Dialog open={open} onOpenChange={(nextOpen) => { if (!nextOpen) onClose() }}>

package/src/modules/customers/components/detail/ScheduleActivityDialog.tsx

@@ -13,6 +13,7 @@ import { Alert, AlertDescription, AlertTitle } from '@open-mercato/ui/primitives
 import { Button } from '@open-mercato/ui/primitives/button'
 import { IconButton } from '@open-mercato/ui/primitives/icon-button'
 import { Dialog, DialogContent, DialogTitle } from '@open-mercato/ui/primitives/dialog'
+import { useDialogKeyHandler } from '@open-mercato/ui/hooks/useDialogKeyHandler'
 import { VisuallyHidden } from '@radix-ui/react-visually-hidden'
 import { PhoneNumberField, SwitchableMarkdownInput } from '@open-mercato/ui/backend/inputs'
 import { useConfirmDialog } from '@open-mercato/ui/backend/confirm-dialog'
@@ -444,12 +445,7 @@ export function ScheduleActivityDialog({
     }
   }, [callDirection, callOutcome, callPhoneInvalidMessage, callPhoneNumber, isDateMissing, isTimeMissing, state.activityType, state.allDay, state.date, state.description, dealId, state.duration, editData, entityId, state.guestPermissions, state.linkedEntities, state.location, onActivityCreated, onClose, state.participants, state.recurrenceCount, state.recurrenceDays, state.recurrenceEnabled, state.recurrenceEndDate, state.recurrenceEndType, state.reminderMinutes, runGuardedMutation, state.startTime, t, taskPriority, state.title, translateErrorMessage, trimmedCallPhone, trimmedDate, trimmedStartTime, state.visibility, visibleFields]) // eslint-disable-line react-hooks/exhaustive-deps
 
-  const handleKeyDown = React.useCallback((e: React.KeyboardEvent) => {
-    if ((e.metaKey || e.ctrlKey) && e.key === 'Enter') {
-      e.preventDefault()
-      handleSave()
-    }
-  }, [handleSave])
+  const handleKeyDown = useDialogKeyHandler({ onConfirm: handleSave })
 
   return (
     <Dialog open={open} onOpenChange={(o) => { if (!o) void guardedClose() }}>

package/src/modules/entities/api/records.ts

@@ -261,7 +261,7 @@ export async function POST(req: Request) {
     // Validate against custom field definitions
     try {
       const { validateCustomFieldValuesServer } = await import('../lib/validation')
-      const check = await validateCustomFieldValuesServer(em, { entityId, organizationId: targetOrgId, tenantId: auth.tenantId!, values: norm })
+      const check = await validateCustomFieldValuesServer(em, { entityId, organizationId: targetOrgId, tenantId: auth.tenantId!, values: norm, rejectUndeclaredKeys: true })
       if (!check.ok) return NextResponse.json({ error: 'Validation failed', fields: check.fieldErrors }, { status: 400 })
     } catch { /* ignore if helper missing */ }
 
@@ -322,7 +322,7 @@ export async function PUT(req: Request) {
     // Validate against custom field definitions
     try {
       const { validateCustomFieldValuesServer } = await import('../lib/validation')
-      const check = await validateCustomFieldValuesServer(em, { entityId, organizationId: targetOrgId, tenantId: auth.tenantId!, values: norm })
+      const check = await validateCustomFieldValuesServer(em, { entityId, organizationId: targetOrgId, tenantId: auth.tenantId!, values: norm, rejectUndeclaredKeys: true })
       if (!check.ok) return NextResponse.json({ error: 'Validation failed', fields: check.fieldErrors }, { status: 400 })
     } catch { /* ignore if helper missing */ }
 

package/src/modules/entities/lib/helpers.ts

@@ -1,6 +1,10 @@
 import type { EntityManager } from '@mikro-orm/core'
 import type { TenantDataEncryptionService } from '@open-mercato/shared/lib/encryption/tenantDataEncryptionService'
 import { encryptCustomFieldValue, resolveTenantEncryptionService } from '@open-mercato/shared/lib/encryption/customFieldValues'
+import {
+  MAX_CUSTOM_FIELD_KEYS_PER_RECORD,
+  TOO_MANY_CUSTOM_FIELDS_ERROR,
+} from '@open-mercato/shared/modules/entities/validation'
 import { CustomFieldDef, CustomFieldValue } from '../data/entities'
 
 type Primitive = string | number | boolean | null | undefined
@@ -69,16 +73,32 @@ export async function setRecordCustomFields(
   if (preferDefs) {
     const defs = await em.find(CustomFieldDef, {
       entityId,
+      isActive: true,
+      deletedAt: null,
       organizationId: { $in: [organizationId, null] as any },
       tenantId: { $in: [tenantId, null] as any },
     })
-    // Prefer org+tenant-specific over global if duplicates
+    const scopeScore = (def: CustomFieldDef) => (def.tenantId ? 2 : 0) + (def.organizationId ? 1 : 0)
     defsByKey = {}
     for (const d of defs) {
       const existing = defsByKey[d.key]
-      if (!existing || 
-          (existing.organizationId == null && d.organizationId != null) ||
-          (existing.tenantId == null && d.tenantId != null)) {
+      if (!existing) {
+        defsByKey[d.key] = d
+        continue
+      }
+      const nextScore = scopeScore(d)
+      const existingScore = scopeScore(existing)
+      if (nextScore > existingScore) {
+        defsByKey[d.key] = d
+        continue
+      }
+      if (nextScore < existingScore) continue
+
+      const nextUpdatedAt = d.updatedAt instanceof Date ? d.updatedAt.getTime() : new Date(d.updatedAt).getTime()
+      const existingUpdatedAt = existing.updatedAt instanceof Date
+        ? existing.updatedAt.getTime()
+        : new Date(existing.updatedAt).getTime()
+      if (nextUpdatedAt >= existingUpdatedAt) {
         defsByKey[d.key] = d
       }
     }
@@ -93,6 +113,11 @@ export async function setRecordCustomFields(
     return encryptionService
   }
   const keys = Object.keys(values)
+  const presentKeyCount = keys.filter((key) => values[key] !== undefined).length
+  if (preferDefs && presentKeyCount > MAX_CUSTOM_FIELD_KEYS_PER_RECORD) {
+    throw new Error(TOO_MANY_CUSTOM_FIELDS_ERROR)
+  }
+
   for (const fieldKey of keys) {
     const raw = values[fieldKey]
     if (raw === undefined) continue

package/src/modules/entities/lib/validation.ts

@@ -4,7 +4,13 @@ import { validateValuesAgainstDefs } from '@open-mercato/shared/modules/entities
 
 export async function validateCustomFieldValuesServer(
   em: EntityManager,
-  opts: { entityId: string; organizationId?: string | null; tenantId?: string | null; values: Record<string, any> },
+  opts: {
+    entityId: string
+    organizationId?: string | null
+    tenantId?: string | null
+    values: Record<string, any>
+    rejectUndeclaredKeys?: boolean
+  },
 ): Promise<{ ok: boolean; fieldErrors: Record<string, string> }> {
   const organizationId = opts.organizationId ?? null
   const tenantId = opts.tenantId ?? null
@@ -51,5 +57,7 @@ export async function validateCustomFieldValuesServer(
       byKey.set(d.key, d)
     }
   }
-  return validateValuesAgainstDefs(opts.values, Array.from(byKey.values()) as any)
+  return validateValuesAgainstDefs(opts.values, Array.from(byKey.values()) as any, {
+    rejectUndeclaredKeys: opts.rejectUndeclaredKeys === true,
+  })
 }

package/src/modules/sales/components/documents/AdjustmentDialog.tsx

@@ -4,6 +4,7 @@
 
 import * as React from 'react'
 import { Dialog, DialogContent, DialogHeader, DialogTitle } from '@open-mercato/ui/primitives/dialog'
+import { useDialogKeyHandler } from '@open-mercato/ui/hooks/useDialogKeyHandler'
 import { Badge } from '@open-mercato/ui/primitives/badge'
 import { Button } from '@open-mercato/ui/primitives/button'
 import { Input } from '@open-mercato/ui/primitives/input'
@@ -716,22 +717,20 @@ export function AdjustmentDialog({
     ]
   )
 
+  const handleSubmitForm = React.useCallback(
+    () => dialogContentRef.current?.querySelector('form')?.requestSubmit(),
+    [],
+  )
+  const handleKeyDown = useDialogKeyHandler({
+    onConfirm: handleSubmitForm,
+    onCancel: () => onOpenChange(false),
+  })
+
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
       <DialogContent
         className="sm:max-w-5xl"
-        onKeyDown={(event) => {
-          if (event.key === 'Escape') {
-            event.preventDefault()
-            onOpenChange(false)
-            return
-          }
-          if ((event.metaKey || event.ctrlKey) && event.key === 'Enter') {
-            event.preventDefault()
-            const form = dialogContentRef.current?.querySelector('form')
-            form?.requestSubmit()
-          }
-        }}
+        onKeyDown={handleKeyDown}
         ref={dialogContentRef}
       >
         <DialogHeader>

package/src/modules/sales/components/documents/LineItemDialog.tsx

@@ -21,6 +21,7 @@ import {
   DialogHeader,
   DialogTitle,
 } from "@open-mercato/ui/primitives/dialog";
+import { useDialogKeyHandler } from "@open-mercato/ui/hooks/useDialogKeyHandler";
 import { Button } from "@open-mercato/ui/primitives/button";
 import { Input } from "@open-mercato/ui/primitives/input";
 import {
@@ -2795,6 +2796,15 @@ export function LineItemDialog({
     resetForm,
   ]);
 
+  const handleSubmitForm = React.useCallback(
+    () => dialogContentRef.current?.querySelector("form")?.requestSubmit(),
+    [],
+  )
+  const handleKeyDown = useDialogKeyHandler({
+    onConfirm: handleSubmitForm,
+    onCancel: closeDialog,
+  })
+
   return (
     <Dialog
       open={open}
@@ -2803,16 +2813,7 @@ export function LineItemDialog({
       <DialogContent
         className="sm:max-w-5xl"
         ref={dialogContentRef}
-        onKeyDown={(event) => {
-          if ((event.metaKey || event.ctrlKey) && event.key === "Enter") {
-            event.preventDefault();
-            dialogContentRef.current?.querySelector("form")?.requestSubmit();
-          }
-          if (event.key === "Escape") {
-            event.preventDefault();
-            closeDialog();
-          }
-        }}
+        onKeyDown={handleKeyDown}
       >
         <DialogHeader>
           <DialogTitle>

package/src/modules/sales/components/documents/PaymentDialog.tsx

@@ -9,6 +9,7 @@ import { collectCustomFieldValues } from '@open-mercato/ui/backend/utils/customF
 import { createCrud, updateCrud } from '@open-mercato/ui/backend/utils/crud'
 import { createCrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'
 import { Dialog, DialogContent, DialogHeader, DialogTitle } from '@open-mercato/ui/primitives/dialog'
+import { useDialogKeyHandler } from '@open-mercato/ui/hooks/useDialogKeyHandler'
 import { Input } from '@open-mercato/ui/primitives/input'
 import { Spinner } from '@open-mercato/ui/primitives/spinner'
 import { E } from '#generated/entities.ids.generated'
@@ -552,29 +553,21 @@ export function PaymentDialog({
     [currencyCode, mode, onOpenChange, onSaved, orderId, organizationId, payment?.id, t, tenantId]
   )
 
-  const handleShortcutSubmit = React.useCallback(
-    (event: React.KeyboardEvent<HTMLDivElement>) => {
-      if ((event.metaKey || event.ctrlKey) && event.key === 'Enter') {
-        event.preventDefault()
-        const form = dialogContentRef.current?.querySelector('form')
-        form?.requestSubmit()
-      }
-    },
-    []
+  const handleSubmitForm = React.useCallback(
+    () => dialogContentRef.current?.querySelector('form')?.requestSubmit(),
+    [],
   )
+  const handleKeyDown = useDialogKeyHandler({
+    onConfirm: handleSubmitForm,
+    onCancel: () => onOpenChange(false),
+  })
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
       <DialogContent
         ref={dialogContentRef}
         className="sm:max-w-5xl"
-        onKeyDown={(event) => {
-          if (event.key === 'Escape') {
-            event.preventDefault()
-            onOpenChange(false)
-          }
-          handleShortcutSubmit(event)
-        }}
+        onKeyDown={handleKeyDown}
       >
         <DialogHeader>
           <DialogTitle>

package/src/modules/sales/components/documents/ShipmentDialog.tsx

@@ -3,6 +3,7 @@
 import * as React from 'react'
 import { MapPin, Truck } from 'lucide-react'
 import { Dialog, DialogContent, DialogHeader, DialogTitle } from '@open-mercato/ui/primitives/dialog'
+import { useDialogKeyHandler } from '@open-mercato/ui/hooks/useDialogKeyHandler'
 import { Input } from '@open-mercato/ui/primitives/input'
 import { Textarea } from '@open-mercato/ui/primitives/textarea'
 import { Label } from '@open-mercato/ui/primitives/label'
@@ -1109,13 +1110,14 @@ export function ShipmentDialog({
     ],
   )
 
-  const handleShortcutSubmit = React.useCallback((event: React.KeyboardEvent<HTMLDivElement>) => {
-    if ((event.metaKey || event.ctrlKey) && event.key === 'Enter') {
-      event.preventDefault()
-      const form = dialogContentRef.current?.querySelector('form')
-      form?.requestSubmit()
-    }
-  }, [])
+  const handleSubmitForm = React.useCallback(
+    () => dialogContentRef.current?.querySelector('form')?.requestSubmit(),
+    [],
+  )
+  const handleKeyDown = useDialogKeyHandler({
+    onConfirm: handleSubmitForm,
+    onCancel: onClose,
+  })
 
   const fields = React.useMemo<CrudField[]>(() => {
     const shippingAdjustmentLabel = t(
@@ -1523,13 +1525,7 @@ export function ShipmentDialog({
       <DialogContent
         ref={dialogContentRef}
         className="sm:max-w-5xl"
-        onKeyDown={(event) => {
-          if (event.key === 'Escape') {
-            event.preventDefault()
-            onClose()
-          }
-          handleShortcutSubmit(event)
-        }}
+        onKeyDown={handleKeyDown}
       >
         <DialogHeader>
           <DialogTitle>

package/src/modules/staff/api/timesheets/time-entries/[id]/segments/[segmentId]/route.ts

@@ -6,7 +6,9 @@ import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'
+import { CrudHttpError, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import type { EntityManager } from '@mikro-orm/postgresql'
+import { LockMode } from '@mikro-orm/core'
 import { StaffTimeEntry, StaffTimeEntrySegment } from '../../../../../../data/entities'
 import { staffTimeEntrySegmentUpdateSchema } from '../../../../../../data/validators'
 import { getStaffMemberByUserId } from '../../../../../../lib/staffMemberResolver'
@@ -110,25 +112,62 @@ export async function PATCH(req: Request) {
     )
   }
 
-  if (parsed.data.startedAt !== undefined) {
-    segment.startedAt = parsed.data.startedAt
-  }
-  if (parsed.data.endedAt !== undefined) {
-    segment.endedAt = parsed.data.endedAt ?? null
-  }
-  if (parsed.data.segmentType !== undefined) {
-    segment.segmentType = parsed.data.segmentType
+  // Apply the segment edit inside a single transaction with a PESSIMISTIC_WRITE
+  // lock on the parent time entry row, re-loading the segment under the lock so
+  // concurrent segment edits / timer-stop recomputes on the same entry serialize
+  // instead of racing on a shared in-memory snapshot (issue #2416).
+  let updatedSegment: StaffTimeEntrySegment
+  try {
+    updatedSegment = await em.transactional(async (trx) => {
+      const lockedEntry = await findOneWithDecryption(
+        trx,
+        StaffTimeEntry,
+        { id: ids.entryId, tenantId, organizationId, deletedAt: null },
+        { lockMode: LockMode.PESSIMISTIC_WRITE },
+        scopeCtx,
+      )
+      if (!lockedEntry) {
+        throw new CrudHttpError(404, { error: 'Time entry not found' })
+      }
+
+      const lockedSegment = await findOneWithDecryption(
+        trx,
+        StaffTimeEntrySegment,
+        { id: ids.segmentId, timeEntryId: ids.entryId, tenantId, organizationId, deletedAt: null },
+        {},
+        scopeCtx,
+      )
+      if (!lockedSegment) {
+        throw new CrudHttpError(404, { error: 'Segment not found' })
+      }
+
+      if (parsed.data.startedAt !== undefined) {
+        lockedSegment.startedAt = parsed.data.startedAt
+      }
+      if (parsed.data.endedAt !== undefined) {
+        lockedSegment.endedAt = parsed.data.endedAt ?? null
+      }
+      if (parsed.data.segmentType !== undefined) {
+        lockedSegment.segmentType = parsed.data.segmentType
+      }
+
+      await trx.flush()
+      return lockedSegment
+    })
+  } catch (err) {
+    if (isCrudHttpError(err)) {
+      return NextResponse.json(err.body, { status: err.status })
+    }
+    throw err
   }
 
-  await em.flush()
-
   if (guardResult.afterSuccessCallbacks.length) {
     await runStaffMutationGuardAfterSuccess(guardResult.afterSuccessCallbacks, {
       tenantId,
       organizationId,
       userId: auth.sub ?? '',
       resourceKind: 'staff.timesheets.time_entry_segment',
-      resourceId: segment.id,
+      resourceId: updatedSegment.id,
       operation: 'update',
       requestMethod: req.method,
       requestHeaders: req.headers,
@@ -138,13 +177,13 @@ export async function PATCH(req: Request) {
   return NextResponse.json({
     ok: true,
     item: {
-      id: segment.id,
-      timeEntryId: segment.timeEntryId,
-      startedAt: segment.startedAt,
-      endedAt: segment.endedAt,
-      segmentType: segment.segmentType,
-      createdAt: segment.createdAt,
-      updatedAt: segment.updatedAt,
+      id: updatedSegment.id,
+      timeEntryId: updatedSegment.timeEntryId,
+      startedAt: updatedSegment.startedAt,
+      endedAt: updatedSegment.endedAt,
+      segmentType: updatedSegment.segmentType,
+      createdAt: updatedSegment.createdAt,
+      updatedAt: updatedSegment.updatedAt,
     },
   })
 }

package/src/modules/staff/api/timesheets/time-entries/[id]/segments/route.ts

@@ -9,6 +9,7 @@ import { parseScopedCommandInput } from '@open-mercato/shared/lib/api/scoped'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'
 import type { EntityManager } from '@mikro-orm/postgresql'
+import { LockMode } from '@mikro-orm/core'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { StaffTimeEntry, StaffTimeEntrySegment } from '../../../../../data/entities'
 import { staffTimeEntrySegmentCreateSchema } from '../../../../../data/validators'
@@ -109,17 +110,35 @@ export async function POST(req: Request) {
       )
     }
 
-    const segmentData = {
-      tenantId: input.tenantId,
-      organizationId: input.organizationId,
-      timeEntryId: input.timeEntryId,
-      startedAt: input.startedAt,
-      endedAt: input.endedAt ?? null,
-      segmentType: input.segmentType,
-    }
-    const segment = em.create(StaffTimeEntrySegment, segmentData as never)
+    // Create the segment inside a single transaction with a PESSIMISTIC_WRITE
+    // lock on the parent time entry row, so segment writes serialize against
+    // concurrent timer-stop / segment mutations that recompute the entry from a
+    // shared snapshot (issue #2416).
+    const segment = await em.transactional(async (trx) => {
+      const lockedEntry = await findOneWithDecryption(
+        trx,
+        StaffTimeEntry,
+        { id: entryId, tenantId, organizationId, deletedAt: null },
+        { lockMode: LockMode.PESSIMISTIC_WRITE },
+        scopeCtx,
+      )
+      if (!lockedEntry) {
+        throw new CrudHttpError(404, { error: translate('staff.timesheets.errors.entryNotFound', 'Time entry not found.') })
+      }
+
+      const segmentData = {
+        tenantId: input.tenantId,
+        organizationId: input.organizationId,
+        timeEntryId: input.timeEntryId,
+        startedAt: input.startedAt,
+        endedAt: input.endedAt ?? null,
+        segmentType: input.segmentType,
+      }
+      const created = trx.create(StaffTimeEntrySegment, segmentData as never)
 
-    await em.flush()
+      await trx.flush()
+      return created
+    })
 
     if (guardResult.afterSuccessCallbacks.length) {
       await runStaffMutationGuardAfterSuccess(guardResult.afterSuccessCallbacks, {

package/src/modules/staff/api/timesheets/time-entries/[id]/timer-start/route.ts

@@ -7,6 +7,7 @@ import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import type { EntityManager } from '@mikro-orm/postgresql'
+import { LockMode } from '@mikro-orm/core'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { StaffTimeEntry, StaffTimeEntrySegment } from '../../../../../data/entities'
 import { getStaffMemberByUserId } from '../../../../../lib/staffMemberResolver'
@@ -98,20 +99,43 @@ export async function POST(req: Request) {
       )
     }
 
-    const now = new Date()
-    entry.startedAt = now
-    entry.source = 'timer'
-
-    const segmentData = {
-      tenantId,
-      organizationId,
-      timeEntryId: entry.id,
-      startedAt: now,
-      segmentType: 'work' as const,
-    }
-    em.create(StaffTimeEntrySegment, segmentData as never)
-
-    await em.flush()
+    // Start the timer inside a single transaction with a PESSIMISTIC_WRITE lock
+    // on the time entry row, re-checking startedAt under the lock so two
+    // concurrent timer-start calls on the same entry cannot both create an
+    // initial work segment (issue #2416).
+    const now = await em.transactional(async (trx) => {
+      const lockedEntry = await findOneWithDecryption(
+        trx,
+        StaffTimeEntry,
+        { id: entryId, tenantId, organizationId, deletedAt: null },
+        { lockMode: LockMode.PESSIMISTIC_WRITE },
+        scopeCtx,
+      )
+      if (!lockedEntry) {
+        throw new CrudHttpError(404, { error: translate('staff.timesheets.errors.entryNotFound', 'Time entry not found.') })
+      }
+      if (lockedEntry.startedAt) {
+        throw new CrudHttpError(409, {
+          error: translate('staff.timesheets.errors.timerAlreadyStarted', 'Timer is already started for this entry.'),
+        })
+      }
+
+      const startedAt = new Date()
+      lockedEntry.startedAt = startedAt
+      lockedEntry.source = 'timer'
+
+      const segmentData = {
+        tenantId,
+        organizationId,
+        timeEntryId: lockedEntry.id,
+        startedAt,
+        segmentType: 'work' as const,
+      }
+      trx.create(StaffTimeEntrySegment, segmentData as never)
+
+      await trx.flush()
+      return startedAt
+    })
 
     void emitStaffEvent('staff.timesheets.time_entry.timer_started', {
       id: entry.id,