npm - @open-mercato/core - Versions diffs - 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4 - Mend

@open-mercato/core 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1795) hide show

package/dist/modules/auth/lib/grantChecks.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/lib/grantChecks.ts"],
-  "sourcesContent": ["import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'\nimport { hasFeature } from '@open-mercato/shared/security/features'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { Role, RoleAcl, UserAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\n\ntype ActorAcl = {\n  isSuperAdmin: boolean\n  features: string[]\n  organizations: string[] | null\n}\n\ntype GrantCheckContext = {\n  em: EntityManager\n  rbacService: RbacService\n  actorUserId: string | null | undefined\n  tenantId: string | null | undefined\n  organizationId?: string | null | undefined\n}\n\ntype RoleGrantCheckInput = GrantCheckContext & {\n  roles: Role[]\n}\n\ntype RoleTokenGrantCheckInput = GrantCheckContext & {\n  roleTokens: unknown\n}\n\ntype FeatureGrantCheckInput = GrantCheckContext & {\n  features: unknown\n  isSuperAdmin?: boolean\n  organizations?: string[] | null\n}\n\ntype SuperAdminUserTargetInput = GrantCheckContext & {\n  targetUserId: string\n  actorIsSuperAdmin?: boolean\n}\n\ntype SuperAdminRoleTargetInput = GrantCheckContext & {\n  targetRoleId: string\n  actorIsSuperAdmin?: boolean\n}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function assertActorCanGrantRoleTokens(input: RoleTokenGrantCheckInput): Promise<Role[]> {\n  const tokens = normalizeStringList(input.roleTokens)\n  if (!tokens.length) return []\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  const roles = await resolveRolesForGrant(input.em, tokens, tenantId)\n  await assertActorCanGrantRoles({ ...input, tenantId, roles })\n  return roles\n}\n\nexport async function assertActorCanGrantRoles(input: RoleGrantCheckInput): Promise<void> {\n  if (!input.roles.length) return\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  const actorAcl = await loadActorAcl({ ...input, tenantId })\n  if (actorAcl.isSuperAdmin) return\n\n  if (!tenantId) {\n    throw forbidden('Tenant context is required to grant roles.')\n  }\n\n  for (const role of input.roles) {\n    const roleTenantId = normalizeNullableString(role.tenantId)\n    if (roleTenantId !== tenantId) {\n      throw forbidden('Cannot grant a role outside the target tenant.')\n    }\n\n    const acl = await findOneWithDecryption(\n      input.em,\n      RoleAcl,\n      { role, tenantId } as FilterQuery<RoleAcl>,\n      {},\n      { tenantId, organizationId: null },\n    )\n    if (!acl) continue\n\n    assertActorCanGrantAclSnapshot(actorAcl, {\n      isSuperAdmin: !!acl.isSuperAdmin,\n      features: normalizeStringList(acl.featuresJson),\n      organizations: normalizeOrganizationList(acl.organizationsJson),\n    })\n  }\n}\n\nexport async function assertActorCanGrantAcl(input: FeatureGrantCheckInput): Promise<void> {\n  const actorAcl = await loadActorAcl(input)\n  if (actorAcl.isSuperAdmin) return\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  if (!tenantId) {\n    throw forbidden('Tenant context is required to grant ACL features.')\n  }\n\n  assertActorCanGrantAclSnapshot(actorAcl, {\n    isSuperAdmin: !!input.isSuperAdmin,\n    features: normalizeStringList(input.features),\n    organizations: input.organizations === undefined ? undefined : normalizeOrganizationList(input.organizations),\n  })\n}\n\nexport function normalizeGrantFeatureList(features: unknown): string[] {\n  return normalizeStringList(features)\n}\n\nexport async function assertActorCanModifySuperAdminUserTarget(input: SuperAdminUserTargetInput): Promise<void> {\n  const actorIsSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (actorIsSuperAdmin) return\n  const targetIsSuperAdmin = await isUserEffectivelySuperAdmin(input.em, input.targetUserId)\n  if (targetIsSuperAdmin) {\n    throw forbidden('Only super administrators can modify super administrator accounts.')\n  }\n}\n\nexport async function assertActorCanModifySuperAdminRoleTarget(input: SuperAdminRoleTargetInput): Promise<void> {\n  const actorIsSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (actorIsSuperAdmin) return\n  const targetIsSuperAdmin = await isRoleEffectivelySuperAdmin(input.em, input.targetRoleId)\n  if (targetIsSuperAdmin) {\n    throw forbidden('Only super administrators can modify super administrator roles.')\n  }\n}\n\nasync function resolveActorIsSuperAdmin(input: GrantCheckContext & { actorIsSuperAdmin?: boolean }): Promise<boolean> {\n  if (typeof input.actorIsSuperAdmin === 'boolean') return input.actorIsSuperAdmin\n  const acl = await loadActorAcl(input)\n  return acl.isSuperAdmin\n}\n\nexport async function isUserEffectivelySuperAdmin(em: EntityManager, userId: string): Promise<boolean> {\n  const directGrant = await em.findOne(\n    UserAcl,\n    { user: userId as unknown, isSuperAdmin: true } as FilterQuery<UserAcl>,\n  )\n  if (directGrant && (directGrant as { isSuperAdmin?: boolean }).isSuperAdmin === true) return true\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown } as FilterQuery<UserRole>,\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const roleIds = (Array.isArray(links) ? links : [])\n    .map((link) => {\n      const role = (link as { role?: { id?: unknown } | string | null }).role\n      if (!role) return null\n      if (typeof role === 'string') return role\n      return role.id ? String(role.id) : null\n    })\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n  if (!roleIds.length) return false\n  const roleGrant = await em.findOne(\n    RoleAcl,\n    { role: { $in: roleIds } as unknown, isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  return !!roleGrant && (roleGrant as { isSuperAdmin?: boolean }).isSuperAdmin === true\n}\n\nexport async function isRoleEffectivelySuperAdmin(em: EntityManager, roleId: string): Promise<boolean> {\n  const grant = await em.findOne(\n    RoleAcl,\n    { role: roleId as unknown, isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  return !!grant && (grant as { isSuperAdmin?: boolean }).isSuperAdmin === true\n}\n\nexport async function listSuperAdminUserIds(em: EntityManager, tenantId: string | null): Promise<Set<string>> {\n  const ids = new Set<string>()\n  const userAclFilter: Record<string, unknown> = { isSuperAdmin: true }\n  if (tenantId) userAclFilter.tenantId = tenantId\n  const userAcls = await em.find(UserAcl, userAclFilter as FilterQuery<UserAcl>)\n  for (const acl of userAcls) {\n    const userRef = (acl as { user?: { id?: unknown } | string | null }).user\n    const userId = userRef && typeof userRef === 'object'\n      ? userRef.id\n      : userRef\n    if (userId) ids.add(String(userId))\n  }\n  const roleAcls = await em.find(\n    RoleAcl,\n    { isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  const roleIds = roleAcls\n    .map((acl) => {\n      const roleRef = (acl as { role?: { id?: unknown } | string | null }).role\n      if (!roleRef) return null\n      if (typeof roleRef === 'string') return roleRef\n      return roleRef.id ? String(roleRef.id) : null\n    })\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n  if (roleIds.length) {\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { role: { $in: roleIds } as unknown } as FilterQuery<UserRole>,\n      {},\n      { tenantId: null, organizationId: null },\n    )\n    for (const link of Array.isArray(links) ? links : []) {\n      const userRef = (link as { user?: { id?: unknown } | string | null }).user\n      const userId = userRef && typeof userRef === 'object'\n        ? userRef.id\n        : userRef\n      if (userId) ids.add(String(userId))\n    }\n  }\n  return ids\n}\n\nasync function loadActorAcl(input: GrantCheckContext): Promise<ActorAcl> {\n  const actorUserId = normalizeNullableString(input.actorUserId)\n  if (!actorUserId) throw forbidden('Not authorized to grant ACL privileges.')\n\n  const acl = await input.rbacService.loadAcl(actorUserId, {\n    tenantId: normalizeNullableString(input.tenantId),\n    organizationId: normalizeNullableString(input.organizationId),\n  })\n\n  return {\n    isSuperAdmin: !!acl?.isSuperAdmin,\n    features: normalizeStringList(acl?.features),\n    organizations: normalizeOrganizationList(acl?.organizations),\n  }\n}\n\nasync function resolveRolesForGrant(\n  em: EntityManager,\n  roleTokens: string[],\n  tenantId: string | null,\n): Promise<Role[]> {\n  const roles: Role[] = []\n  const missingRoles: string[] = []\n\n  for (const token of roleTokens) {\n    const role = await resolveRoleForGrant(em, token, tenantId)\n    if (!role) {\n      missingRoles.push(token)\n    } else {\n      roles.push(role)\n    }\n  }\n\n  if (missingRoles.length) {\n    const labels = missingRoles.map((role) => `\"${role}\"`).join(', ')\n    throw new CrudHttpError(400, { error: `Role(s) not found: ${labels}` })\n  }\n\n  return roles\n}\n\nasync function resolveRoleForGrant(\n  em: EntityManager,\n  token: string,\n  tenantId: string | null,\n): Promise<Role | null> {\n  const where: Record<string, unknown> = UUID_RE.test(token)\n    ? { id: token, deletedAt: null }\n    : { name: token, deletedAt: null }\n  if (tenantId) where.tenantId = tenantId\n  return findOneWithDecryption(\n    em,\n    Role,\n    where as FilterQuery<Role>,\n    {},\n    { tenantId, organizationId: null },\n  )\n}\n\nfunction assertActorCanGrantAclSnapshot(\n  actorAcl: ActorAcl,\n  requested: {\n    isSuperAdmin: boolean\n    features: string[]\n    organizations?: string[] | null\n  },\n): void {\n  if (requested.isSuperAdmin) {\n    throw forbidden('Only super administrators can grant super admin access.')\n  }\n\n  const actorGrantableFeatures = actorAcl.features.filter((grant) => grant !== '*')\n  for (const feature of requested.features) {\n    if (feature === '*') {\n      throw forbidden('Only super administrators can grant global wildcard access.')\n    }\n    if (isWildcardFeature(feature)) {\n      if (!hasFeature(actorGrantableFeatures, feature)) {\n        throw forbidden(`Cannot grant feature wildcard ${feature}.`)\n      }\n      continue\n    }\n    if (!hasFeature(actorGrantableFeatures, feature)) {\n      throw forbidden(`Cannot grant feature ${feature}.`)\n    }\n  }\n\n  if (requested.organizations !== undefined) {\n    assertActorCanGrantOrganizations(actorAcl.organizations, requested.organizations)\n  }\n}\n\nfunction assertActorCanGrantOrganizations(\n  actorOrganizations: string[] | null,\n  requestedOrganizations: string[] | null,\n): void {\n  if (actorOrganizations === null || actorOrganizations.includes('__all__')) return\n\n  if (requestedOrganizations === null || requestedOrganizations.includes('__all__')) {\n    throw forbidden('Cannot grant unrestricted organization access.')\n  }\n\n  for (const organizationId of requestedOrganizations) {\n    if (!actorOrganizations.includes(organizationId)) {\n      throw forbidden('Cannot grant organization access outside actor scope.')\n    }\n  }\n}\n\nfunction normalizeStringList(values: unknown): string[] {\n  if (!Array.isArray(values)) return []\n  const dedup = new Set<string>()\n  for (const value of values) {\n    if (typeof value !== 'string') continue\n    const trimmed = value.trim()\n    if (!trimmed) continue\n    dedup.add(trimmed)\n  }\n  return Array.from(dedup)\n}\n\nfunction normalizeOrganizationList(values: unknown): string[] | null {\n  if (values === null || values === undefined) return null\n  return normalizeStringList(values)\n}\n\nfunction normalizeNullableString(value: unknown): string | null {\n  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null\n}\n\nfunction isWildcardFeature(feature: string): boolean {\n  return feature.endsWith('.*')\n}\n"],
-  "mappings": "AACA,SAAS,eAAe,iBAAiB;AACzC,SAAS,kBAAkB;AAC3B,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,MAAM,SAAS,SAAS,gBAAgB;AAyCjD,MAAM,UAAU;AAEhB,eAAsB,8BAA8B,OAAkD;AACpG,QAAM,SAAS,oBAAoB,MAAM,UAAU;AACnD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,QAAM,QAAQ,MAAM,qBAAqB,MAAM,IAAI,QAAQ,QAAQ;AACnE,QAAM,yBAAyB,EAAE,GAAG,OAAO,UAAU,MAAM,CAAC;AAC5D,SAAO;AACT;AAEA,eAAsB,yBAAyB,OAA2C;AACxF,MAAI,CAAC,MAAM,MAAM,OAAQ;AAEzB,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,QAAM,WAAW,MAAM,aAAa,EAAE,GAAG,OAAO,SAAS,CAAC;AAC1D,MAAI,SAAS,aAAc;AAE3B,MAAI,CAAC,UAAU;AACb,UAAM,UAAU,4CAA4C;AAAA,EAC9D;AAEA,aAAW,QAAQ,MAAM,OAAO;AAC9B,UAAM,eAAe,wBAAwB,KAAK,QAAQ;AAC1D,QAAI,iBAAiB,UAAU;AAC7B,YAAM,UAAU,gDAAgD;AAAA,IAClE;AAEA,UAAM,MAAM,MAAM;AAAA,MAChB,MAAM;AAAA,MACN;AAAA,MACA,EAAE,MAAM,SAAS;AAAA,MACjB,CAAC;AAAA,MACD,EAAE,UAAU,gBAAgB,KAAK;AAAA,IACnC;AACA,QAAI,CAAC,IAAK;AAEV,mCAA+B,UAAU;AAAA,MACvC,cAAc,CAAC,CAAC,IAAI;AAAA,MACpB,UAAU,oBAAoB,IAAI,YAAY;AAAA,MAC9C,eAAe,0BAA0B,IAAI,iBAAiB;AAAA,IAChE,CAAC;AAAA,EACH;AACF;AAEA,eAAsB,uBAAuB,OAA8C;AACzF,QAAM,WAAW,MAAM,aAAa,KAAK;AACzC,MAAI,SAAS,aAAc;AAE3B,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,MAAI,CAAC,UAAU;AACb,UAAM,UAAU,mDAAmD;AAAA,EACrE;AAEA,iCAA+B,UAAU;AAAA,IACvC,cAAc,CAAC,CAAC,MAAM;AAAA,IACtB,UAAU,oBAAoB,MAAM,QAAQ;AAAA,IAC5C,eAAe,MAAM,kBAAkB,SAAY,SAAY,0BAA0B,MAAM,aAAa;AAAA,EAC9G,CAAC;AACH;AAEO,SAAS,0BAA0B,UAA6B;AACrE,SAAO,oBAAoB,QAAQ;AACrC;AAEA,eAAsB,yCAAyC,OAAiD;AAC9G,QAAM,oBAAoB,MAAM,yBAAyB,KAAK;AAC9D,MAAI,kBAAmB;AACvB,QAAM,qBAAqB,MAAM,4BAA4B,MAAM,IAAI,MAAM,YAAY;AACzF,MAAI,oBAAoB;AACtB,UAAM,UAAU,oEAAoE;AAAA,EACtF;AACF;AAEA,eAAsB,yCAAyC,OAAiD;AAC9G,QAAM,oBAAoB,MAAM,yBAAyB,KAAK;AAC9D,MAAI,kBAAmB;AACvB,QAAM,qBAAqB,MAAM,4BAA4B,MAAM,IAAI,MAAM,YAAY;AACzF,MAAI,oBAAoB;AACtB,UAAM,UAAU,iEAAiE;AAAA,EACnF;AACF;AAEA,eAAe,yBAAyB,OAA8E;AACpH,MAAI,OAAO,MAAM,sBAAsB,UAAW,QAAO,MAAM;AAC/D,QAAM,MAAM,MAAM,aAAa,KAAK;AACpC,SAAO,IAAI;AACb;AAEA,eAAsB,4BAA4B,IAAmB,QAAkC;AACrG,QAAM,cAAc,MAAM,GAAG;AAAA,IAC3B;AAAA,IACA,EAAE,MAAM,QAAmB,cAAc,KAAK;AAAA,EAChD;AACA,MAAI,eAAgB,YAA2C,iBAAiB,KAAM,QAAO;AAC7F,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAAkB;AAAA,IAC1B,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,GAC9C,IAAI,CAAC,SAAS;AACb,UAAM,OAAQ,KAAqD;AACnE,QAAI,CAAC,KAAM,QAAO;AAClB,QAAI,OAAO,SAAS,SAAU,QAAO;AACrC,WAAO,KAAK,KAAK,OAAO,KAAK,EAAE,IAAI;AAAA,EACrC,CAAC,EACA,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACvE,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,QAAM,YAAY,MAAM,GAAG;AAAA,IACzB;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,GAAc,cAAc,KAAK;AAAA,EAC1D;AACA,SAAO,CAAC,CAAC,aAAc,UAAyC,iBAAiB;AACnF;AAEA,eAAsB,4BAA4B,IAAmB,QAAkC;AACrG,QAAM,QAAQ,MAAM,GAAG;AAAA,IACrB;AAAA,IACA,EAAE,MAAM,QAAmB,cAAc,KAAK;AAAA,EAChD;AACA,SAAO,CAAC,CAAC,SAAU,MAAqC,iBAAiB;AAC3E;AAEA,eAAsB,sBAAsB,IAAmB,UAA+C;AAC5G,QAAM,MAAM,oBAAI,IAAY;AAC5B,QAAM,gBAAyC,EAAE,cAAc,KAAK;AACpE,MAAI,SAAU,eAAc,WAAW;AACvC,QAAM,WAAW,MAAM,GAAG,KAAK,SAAS,aAAqC;AAC7E,aAAW,OAAO,UAAU;AAC1B,UAAM,UAAW,IAAoD;AACrE,UAAM,SAAS,WAAW,OAAO,YAAY,WACzC,QAAQ,KACR;AACJ,QAAI,OAAQ,KAAI,IAAI,OAAO,MAAM,CAAC;AAAA,EACpC;AACA,QAAM,WAAW,MAAM,GAAG;AAAA,IACxB;AAAA,IACA,EAAE,cAAc,KAAK;AAAA,EACvB;AACA,QAAM,UAAU,SACb,IAAI,CAAC,QAAQ;AACZ,UAAM,UAAW,IAAoD;AACrE,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,OAAO,YAAY,SAAU,QAAO;AACxC,WAAO,QAAQ,KAAK,OAAO,QAAQ,EAAE,IAAI;AAAA,EAC3C,CAAC,EACA,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACvE,MAAI,QAAQ,QAAQ;AAClB,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,EAAE,KAAK,QAAQ,EAAa;AAAA,MACpC,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,eAAW,QAAQ,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,GAAG;AACpD,YAAM,UAAW,KAAqD;AACtE,YAAM,SAAS,WAAW,OAAO,YAAY,WACzC,QAAQ,KACR;AACJ,UAAI,OAAQ,KAAI,IAAI,OAAO,MAAM,CAAC;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aAAa,OAA6C;AACvE,QAAM,cAAc,wBAAwB,MAAM,WAAW;AAC7D,MAAI,CAAC,YAAa,OAAM,UAAU,yCAAyC;AAE3E,QAAM,MAAM,MAAM,MAAM,YAAY,QAAQ,aAAa;AAAA,IACvD,UAAU,wBAAwB,MAAM,QAAQ;AAAA,IAChD,gBAAgB,wBAAwB,MAAM,cAAc;AAAA,EAC9D,CAAC;AAED,SAAO;AAAA,IACL,cAAc,CAAC,CAAC,KAAK;AAAA,IACrB,UAAU,oBAAoB,KAAK,QAAQ;AAAA,IAC3C,eAAe,0BAA0B,KAAK,aAAa;AAAA,EAC7D;AACF;AAEA,eAAe,qBACb,IACA,YACA,UACiB;AACjB,QAAM,QAAgB,CAAC;AACvB,QAAM,eAAyB,CAAC;AAEhC,aAAW,SAAS,YAAY;AAC9B,UAAM,OAAO,MAAM,oBAAoB,IAAI,OAAO,QAAQ;AAC1D,QAAI,CAAC,MAAM;AACT,mBAAa,KAAK,KAAK;AAAA,IACzB,OAAO;AACL,YAAM,KAAK,IAAI;AAAA,IACjB;AAAA,EACF;AAEA,MAAI,aAAa,QAAQ;AACvB,UAAM,SAAS,aAAa,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,EAAE,KAAK,IAAI;AAChE,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,sBAAsB,MAAM,GAAG,CAAC;AAAA,EACxE;AAEA,SAAO;AACT;AAEA,eAAe,oBACb,IACA,OACA,UACsB;AACtB,QAAM,QAAiC,QAAQ,KAAK,KAAK,IACrD,EAAE,IAAI,OAAO,WAAW,KAAK,IAC7B,EAAE,MAAM,OAAO,WAAW,KAAK;AACnC,MAAI,SAAU,OAAM,WAAW;AAC/B,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,IACD,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACF;AAEA,SAAS,+BACP,UACA,WAKM;AACN,MAAI,UAAU,cAAc;AAC1B,UAAM,UAAU,yDAAyD;AAAA,EAC3E;AAEA,QAAM,yBAAyB,SAAS,SAAS,OAAO,CAAC,UAAU,UAAU,GAAG;AAChF,aAAW,WAAW,UAAU,UAAU;AACxC,QAAI,YAAY,KAAK;AACnB,YAAM,UAAU,6DAA6D;AAAA,IAC/E;AACA,QAAI,kBAAkB,OAAO,GAAG;AAC9B,UAAI,CAAC,WAAW,wBAAwB,OAAO,GAAG;AAChD,cAAM,UAAU,iCAAiC,OAAO,GAAG;AAAA,MAC7D;AACA;AAAA,IACF;AACA,QAAI,CAAC,WAAW,wBAAwB,OAAO,GAAG;AAChD,YAAM,UAAU,wBAAwB,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,UAAU,kBAAkB,QAAW;AACzC,qCAAiC,SAAS,eAAe,UAAU,aAAa;AAAA,EAClF;AACF;AAEA,SAAS,iCACP,oBACA,wBACM;AACN,MAAI,uBAAuB,QAAQ,mBAAmB,SAAS,SAAS,EAAG;AAE3E,MAAI,2BAA2B,QAAQ,uBAAuB,SAAS,SAAS,GAAG;AACjF,UAAM,UAAU,gDAAgD;AAAA,EAClE;AAEA,aAAW,kBAAkB,wBAAwB;AACnD,QAAI,CAAC,mBAAmB,SAAS,cAAc,GAAG;AAChD,YAAM,UAAU,uDAAuD;AAAA,IACzE;AAAA,EACF;AACF;AAEA,SAAS,oBAAoB,QAA2B;AACtD,MAAI,CAAC,MAAM,QAAQ,MAAM,EAAG,QAAO,CAAC;AACpC,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,SAAS,QAAQ;AAC1B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,UAAM,IAAI,OAAO;AAAA,EACnB;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,0BAA0B,QAAkC;AACnE,MAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,SAAO,oBAAoB,MAAM;AACnC;AAEA,SAAS,wBAAwB,OAA+B;AAC9D,SAAO,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,IAAI,MAAM,KAAK,IAAI;AAC/E;AAEA,SAAS,kBAAkB,SAA0B;AACnD,SAAO,QAAQ,SAAS,IAAI;AAC9B;",
+  "sourcesContent": ["import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'\nimport { hasFeature } from '@open-mercato/shared/security/features'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { Role, RoleAcl, User, UserAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\n\ntype ActorAcl = {\n  isSuperAdmin: boolean\n  features: string[]\n  organizations: string[] | null\n}\n\ntype GrantCheckContext = {\n  em: EntityManager\n  rbacService: RbacService\n  actorUserId: string | null | undefined\n  tenantId: string | null | undefined\n  organizationId?: string | null | undefined\n}\n\ntype RoleGrantCheckInput = GrantCheckContext & {\n  roles: Role[]\n}\n\ntype RoleTokenGrantCheckInput = GrantCheckContext & {\n  roleTokens: unknown\n}\n\ntype FeatureGrantCheckInput = GrantCheckContext & {\n  features: unknown\n  isSuperAdmin?: boolean\n  organizations?: string[] | null\n}\n\ntype SuperAdminUserTargetInput = GrantCheckContext & {\n  targetUserId: string\n  actorIsSuperAdmin?: boolean\n}\n\ntype SuperAdminRoleTargetInput = GrantCheckContext & {\n  targetRoleId: string\n  actorIsSuperAdmin?: boolean\n}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function assertActorCanGrantRoleTokens(input: RoleTokenGrantCheckInput): Promise<Role[]> {\n  const tokens = normalizeStringList(input.roleTokens)\n  if (!tokens.length) return []\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  const roles = await resolveRolesForGrant(input.em, tokens, tenantId)\n  await assertActorCanGrantRoles({ ...input, tenantId, roles })\n  return roles\n}\n\nexport async function assertActorCanGrantRoles(input: RoleGrantCheckInput): Promise<void> {\n  if (!input.roles.length) return\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  const actorAcl = await loadActorAcl({ ...input, tenantId })\n  if (actorAcl.isSuperAdmin) return\n\n  if (!tenantId) {\n    throw forbidden('Tenant context is required to grant roles.')\n  }\n\n  for (const role of input.roles) {\n    const roleTenantId = normalizeNullableString(role.tenantId)\n    if (roleTenantId !== tenantId) {\n      throw forbidden('Cannot grant a role outside the target tenant.')\n    }\n\n    const acl = await findOneWithDecryption(\n      input.em,\n      RoleAcl,\n      { role, tenantId } as FilterQuery<RoleAcl>,\n      {},\n      { tenantId, organizationId: null },\n    )\n    if (!acl) continue\n\n    assertActorCanGrantAclSnapshot(actorAcl, {\n      isSuperAdmin: !!acl.isSuperAdmin,\n      features: normalizeStringList(acl.featuresJson),\n      organizations: normalizeOrganizationList(acl.organizationsJson),\n    })\n  }\n}\n\nexport async function assertActorCanGrantAcl(input: FeatureGrantCheckInput): Promise<void> {\n  const actorAcl = await loadActorAcl(input)\n  if (actorAcl.isSuperAdmin) return\n\n  const tenantId = normalizeNullableString(input.tenantId)\n  if (!tenantId) {\n    throw forbidden('Tenant context is required to grant ACL features.')\n  }\n\n  assertActorCanGrantAclSnapshot(actorAcl, {\n    isSuperAdmin: !!input.isSuperAdmin,\n    features: normalizeStringList(input.features),\n    organizations: input.organizations === undefined ? undefined : normalizeOrganizationList(input.organizations),\n  })\n}\n\nexport function normalizeGrantFeatureList(features: unknown): string[] {\n  return normalizeStringList(features)\n}\n\nexport async function assertActorCanModifySuperAdminUserTarget(input: SuperAdminUserTargetInput): Promise<void> {\n  const actorIsSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (actorIsSuperAdmin) return\n  const targetIsSuperAdmin = await isUserEffectivelySuperAdmin(input.em, input.targetUserId)\n  if (targetIsSuperAdmin) {\n    throw forbidden('Only super administrators can modify super administrator accounts.')\n  }\n}\n\nexport async function assertActorCanModifySuperAdminRoleTarget(input: SuperAdminRoleTargetInput): Promise<void> {\n  const actorIsSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (actorIsSuperAdmin) return\n  const targetIsSuperAdmin = await isRoleEffectivelySuperAdmin(input.em, input.targetRoleId)\n  if (targetIsSuperAdmin) {\n    throw forbidden('Only super administrators can modify super administrator roles.')\n  }\n}\n\nexport async function assertActorCanAccessUserTarget(input: SuperAdminUserTargetInput): Promise<void> {\n  const isSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (isSuperAdmin) return\n\n  const target = await findOneWithDecryption(\n    input.em,\n    User,\n    { id: input.targetUserId } as FilterQuery<User>,\n    {},\n    { tenantId: null, organizationId: null },\n  )\n  // Not found (incl. soft-deleted, which MikroORM's soft-delete filter hides):\n  // delegate to the caller. Every wired call site is itself tenant-scoped \u2014 the\n  // ACL/consents reads filter by auth.tenantId and the user commands re-load by\n  // id within tenant \u2014 so a missing target yields a safe empty/404 there. The\n  // guard's job is to block a foreign *existing* target, below.\n  if (!target) return\n\n  const actorTenantId = normalizeNullableString(input.tenantId)\n  const targetTenantId = normalizeNullableString((target as { tenantId?: string | null }).tenantId)\n  if (!targetTenantId || targetTenantId !== actorTenantId) {\n    throw new CrudHttpError(404, { error: 'User not found' })\n  }\n\n  const actorAcl = await loadActorAcl(input)\n  if (actorAcl.organizations !== null && !actorAcl.organizations.includes('__all__')) {\n    const targetOrganizationId = normalizeNullableString((target as { organizationId?: string | null }).organizationId)\n    if (!targetOrganizationId || !actorAcl.organizations.includes(targetOrganizationId)) {\n      throw forbidden('Not authorized to access this user.')\n    }\n  }\n}\n\nexport async function assertActorCanAccessRoleTarget(input: SuperAdminRoleTargetInput): Promise<void> {\n  const isSuperAdmin = await resolveActorIsSuperAdmin(input)\n  if (isSuperAdmin) return\n\n  const target = await findOneWithDecryption(\n    input.em,\n    Role,\n    { id: input.targetRoleId } as FilterQuery<Role>,\n    {},\n    { tenantId: null, organizationId: null },\n  )\n  // Not found (incl. soft-deleted): delegate (see assertActorCanAccessUserTarget).\n  if (!target) return\n\n  const actorTenantId = normalizeNullableString(input.tenantId)\n  const targetTenantId = normalizeNullableString((target as { tenantId?: string | null }).tenantId)\n  if (!targetTenantId || targetTenantId !== actorTenantId) {\n    throw new CrudHttpError(404, { error: 'Role not found' })\n  }\n}\n\nasync function resolveActorIsSuperAdmin(input: GrantCheckContext & { actorIsSuperAdmin?: boolean }): Promise<boolean> {\n  if (typeof input.actorIsSuperAdmin === 'boolean') return input.actorIsSuperAdmin\n  const acl = await loadActorAcl(input)\n  return acl.isSuperAdmin\n}\n\nexport async function isUserEffectivelySuperAdmin(em: EntityManager, userId: string): Promise<boolean> {\n  const directGrant = await em.findOne(\n    UserAcl,\n    { user: userId as unknown, isSuperAdmin: true } as FilterQuery<UserAcl>,\n  )\n  if (directGrant && (directGrant as { isSuperAdmin?: boolean }).isSuperAdmin === true) return true\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as unknown } as FilterQuery<UserRole>,\n    { populate: ['role'] },\n    { tenantId: null, organizationId: null },\n  )\n  const roleIds = (Array.isArray(links) ? links : [])\n    .map((link) => {\n      const role = (link as { role?: { id?: unknown } | string | null }).role\n      if (!role) return null\n      if (typeof role === 'string') return role\n      return role.id ? String(role.id) : null\n    })\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n  if (!roleIds.length) return false\n  const roleGrant = await em.findOne(\n    RoleAcl,\n    { role: { $in: roleIds } as unknown, isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  return !!roleGrant && (roleGrant as { isSuperAdmin?: boolean }).isSuperAdmin === true\n}\n\nexport async function isRoleEffectivelySuperAdmin(em: EntityManager, roleId: string): Promise<boolean> {\n  const grant = await em.findOne(\n    RoleAcl,\n    { role: roleId as unknown, isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  return !!grant && (grant as { isSuperAdmin?: boolean }).isSuperAdmin === true\n}\n\nexport async function listSuperAdminUserIds(em: EntityManager, tenantId: string | null): Promise<Set<string>> {\n  const ids = new Set<string>()\n  const userAclFilter: Record<string, unknown> = { isSuperAdmin: true }\n  if (tenantId) userAclFilter.tenantId = tenantId\n  const userAcls = await em.find(UserAcl, userAclFilter as FilterQuery<UserAcl>)\n  for (const acl of userAcls) {\n    const userRef = (acl as { user?: { id?: unknown } | string | null }).user\n    const userId = userRef && typeof userRef === 'object'\n      ? userRef.id\n      : userRef\n    if (userId) ids.add(String(userId))\n  }\n  const roleAcls = await em.find(\n    RoleAcl,\n    { isSuperAdmin: true } as FilterQuery<RoleAcl>,\n  )\n  const roleIds = roleAcls\n    .map((acl) => {\n      const roleRef = (acl as { role?: { id?: unknown } | string | null }).role\n      if (!roleRef) return null\n      if (typeof roleRef === 'string') return roleRef\n      return roleRef.id ? String(roleRef.id) : null\n    })\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n  if (roleIds.length) {\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { role: { $in: roleIds } as unknown } as FilterQuery<UserRole>,\n      {},\n      { tenantId: null, organizationId: null },\n    )\n    for (const link of Array.isArray(links) ? links : []) {\n      const userRef = (link as { user?: { id?: unknown } | string | null }).user\n      const userId = userRef && typeof userRef === 'object'\n        ? userRef.id\n        : userRef\n      if (userId) ids.add(String(userId))\n    }\n  }\n  return ids\n}\n\nasync function loadActorAcl(input: GrantCheckContext): Promise<ActorAcl> {\n  const actorUserId = normalizeNullableString(input.actorUserId)\n  if (!actorUserId) throw forbidden('Not authorized to grant ACL privileges.')\n\n  const acl = await input.rbacService.loadAcl(actorUserId, {\n    tenantId: normalizeNullableString(input.tenantId),\n    organizationId: normalizeNullableString(input.organizationId),\n  })\n\n  return {\n    isSuperAdmin: !!acl?.isSuperAdmin,\n    features: normalizeStringList(acl?.features),\n    organizations: normalizeOrganizationList(acl?.organizations),\n  }\n}\n\nasync function resolveRolesForGrant(\n  em: EntityManager,\n  roleTokens: string[],\n  tenantId: string | null,\n): Promise<Role[]> {\n  const roles: Role[] = []\n  const missingRoles: string[] = []\n\n  for (const token of roleTokens) {\n    const role = await resolveRoleForGrant(em, token, tenantId)\n    if (!role) {\n      missingRoles.push(token)\n    } else {\n      roles.push(role)\n    }\n  }\n\n  if (missingRoles.length) {\n    const labels = missingRoles.map((role) => `\"${role}\"`).join(', ')\n    throw new CrudHttpError(400, { error: `Role(s) not found: ${labels}` })\n  }\n\n  return roles\n}\n\nasync function resolveRoleForGrant(\n  em: EntityManager,\n  token: string,\n  tenantId: string | null,\n): Promise<Role | null> {\n  const where: Record<string, unknown> = UUID_RE.test(token)\n    ? { id: token, deletedAt: null }\n    : { name: token, deletedAt: null }\n  if (tenantId) where.tenantId = tenantId\n  return findOneWithDecryption(\n    em,\n    Role,\n    where as FilterQuery<Role>,\n    {},\n    { tenantId, organizationId: null },\n  )\n}\n\nfunction assertActorCanGrantAclSnapshot(\n  actorAcl: ActorAcl,\n  requested: {\n    isSuperAdmin: boolean\n    features: string[]\n    organizations?: string[] | null\n  },\n): void {\n  if (requested.isSuperAdmin) {\n    throw forbidden('Only super administrators can grant super admin access.')\n  }\n\n  const actorGrantableFeatures = actorAcl.features.filter((grant) => grant !== '*')\n  for (const feature of requested.features) {\n    if (feature === '*') {\n      throw forbidden('Only super administrators can grant global wildcard access.')\n    }\n    if (isWildcardFeature(feature)) {\n      if (!hasFeature(actorGrantableFeatures, feature)) {\n        throw forbidden(`Cannot grant feature wildcard ${feature}.`)\n      }\n      continue\n    }\n    if (!hasFeature(actorGrantableFeatures, feature)) {\n      throw forbidden(`Cannot grant feature ${feature}.`)\n    }\n  }\n\n  if (requested.organizations !== undefined) {\n    assertActorCanGrantOrganizations(actorAcl.organizations, requested.organizations)\n  }\n}\n\nfunction assertActorCanGrantOrganizations(\n  actorOrganizations: string[] | null,\n  requestedOrganizations: string[] | null,\n): void {\n  if (actorOrganizations === null || actorOrganizations.includes('__all__')) return\n\n  if (requestedOrganizations === null || requestedOrganizations.includes('__all__')) {\n    throw forbidden('Cannot grant unrestricted organization access.')\n  }\n\n  for (const organizationId of requestedOrganizations) {\n    if (!actorOrganizations.includes(organizationId)) {\n      throw forbidden('Cannot grant organization access outside actor scope.')\n    }\n  }\n}\n\nfunction normalizeStringList(values: unknown): string[] {\n  if (!Array.isArray(values)) return []\n  const dedup = new Set<string>()\n  for (const value of values) {\n    if (typeof value !== 'string') continue\n    const trimmed = value.trim()\n    if (!trimmed) continue\n    dedup.add(trimmed)\n  }\n  return Array.from(dedup)\n}\n\nfunction normalizeOrganizationList(values: unknown): string[] | null {\n  if (values === null || values === undefined) return null\n  return normalizeStringList(values)\n}\n\nfunction normalizeNullableString(value: unknown): string | null {\n  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null\n}\n\nfunction isWildcardFeature(feature: string): boolean {\n  return feature.endsWith('.*')\n}\n"],
+  "mappings": "AACA,SAAS,eAAe,iBAAiB;AACzC,SAAS,kBAAkB;AAC3B,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,MAAM,SAAS,MAAM,SAAS,gBAAgB;AAyCvD,MAAM,UAAU;AAEhB,eAAsB,8BAA8B,OAAkD;AACpG,QAAM,SAAS,oBAAoB,MAAM,UAAU;AACnD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,QAAM,QAAQ,MAAM,qBAAqB,MAAM,IAAI,QAAQ,QAAQ;AACnE,QAAM,yBAAyB,EAAE,GAAG,OAAO,UAAU,MAAM,CAAC;AAC5D,SAAO;AACT;AAEA,eAAsB,yBAAyB,OAA2C;AACxF,MAAI,CAAC,MAAM,MAAM,OAAQ;AAEzB,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,QAAM,WAAW,MAAM,aAAa,EAAE,GAAG,OAAO,SAAS,CAAC;AAC1D,MAAI,SAAS,aAAc;AAE3B,MAAI,CAAC,UAAU;AACb,UAAM,UAAU,4CAA4C;AAAA,EAC9D;AAEA,aAAW,QAAQ,MAAM,OAAO;AAC9B,UAAM,eAAe,wBAAwB,KAAK,QAAQ;AAC1D,QAAI,iBAAiB,UAAU;AAC7B,YAAM,UAAU,gDAAgD;AAAA,IAClE;AAEA,UAAM,MAAM,MAAM;AAAA,MAChB,MAAM;AAAA,MACN;AAAA,MACA,EAAE,MAAM,SAAS;AAAA,MACjB,CAAC;AAAA,MACD,EAAE,UAAU,gBAAgB,KAAK;AAAA,IACnC;AACA,QAAI,CAAC,IAAK;AAEV,mCAA+B,UAAU;AAAA,MACvC,cAAc,CAAC,CAAC,IAAI;AAAA,MACpB,UAAU,oBAAoB,IAAI,YAAY;AAAA,MAC9C,eAAe,0BAA0B,IAAI,iBAAiB;AAAA,IAChE,CAAC;AAAA,EACH;AACF;AAEA,eAAsB,uBAAuB,OAA8C;AACzF,QAAM,WAAW,MAAM,aAAa,KAAK;AACzC,MAAI,SAAS,aAAc;AAE3B,QAAM,WAAW,wBAAwB,MAAM,QAAQ;AACvD,MAAI,CAAC,UAAU;AACb,UAAM,UAAU,mDAAmD;AAAA,EACrE;AAEA,iCAA+B,UAAU;AAAA,IACvC,cAAc,CAAC,CAAC,MAAM;AAAA,IACtB,UAAU,oBAAoB,MAAM,QAAQ;AAAA,IAC5C,eAAe,MAAM,kBAAkB,SAAY,SAAY,0BAA0B,MAAM,aAAa;AAAA,EAC9G,CAAC;AACH;AAEO,SAAS,0BAA0B,UAA6B;AACrE,SAAO,oBAAoB,QAAQ;AACrC;AAEA,eAAsB,yCAAyC,OAAiD;AAC9G,QAAM,oBAAoB,MAAM,yBAAyB,KAAK;AAC9D,MAAI,kBAAmB;AACvB,QAAM,qBAAqB,MAAM,4BAA4B,MAAM,IAAI,MAAM,YAAY;AACzF,MAAI,oBAAoB;AACtB,UAAM,UAAU,oEAAoE;AAAA,EACtF;AACF;AAEA,eAAsB,yCAAyC,OAAiD;AAC9G,QAAM,oBAAoB,MAAM,yBAAyB,KAAK;AAC9D,MAAI,kBAAmB;AACvB,QAAM,qBAAqB,MAAM,4BAA4B,MAAM,IAAI,MAAM,YAAY;AACzF,MAAI,oBAAoB;AACtB,UAAM,UAAU,iEAAiE;AAAA,EACnF;AACF;AAEA,eAAsB,+BAA+B,OAAiD;AACpG,QAAM,eAAe,MAAM,yBAAyB,KAAK;AACzD,MAAI,aAAc;AAElB,QAAM,SAAS,MAAM;AAAA,IACnB,MAAM;AAAA,IACN;AAAA,IACA,EAAE,IAAI,MAAM,aAAa;AAAA,IACzB,CAAC;AAAA,IACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AAMA,MAAI,CAAC,OAAQ;AAEb,QAAM,gBAAgB,wBAAwB,MAAM,QAAQ;AAC5D,QAAM,iBAAiB,wBAAyB,OAAwC,QAAQ;AAChG,MAAI,CAAC,kBAAkB,mBAAmB,eAAe;AACvD,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,EAC1D;AAEA,QAAM,WAAW,MAAM,aAAa,KAAK;AACzC,MAAI,SAAS,kBAAkB,QAAQ,CAAC,SAAS,cAAc,SAAS,SAAS,GAAG;AAClF,UAAM,uBAAuB,wBAAyB,OAA8C,cAAc;AAClH,QAAI,CAAC,wBAAwB,CAAC,SAAS,cAAc,SAAS,oBAAoB,GAAG;AACnF,YAAM,UAAU,qCAAqC;AAAA,IACvD;AAAA,EACF;AACF;AAEA,eAAsB,+BAA+B,OAAiD;AACpG,QAAM,eAAe,MAAM,yBAAyB,KAAK;AACzD,MAAI,aAAc;AAElB,QAAM,SAAS,MAAM;AAAA,IACnB,MAAM;AAAA,IACN;AAAA,IACA,EAAE,IAAI,MAAM,aAAa;AAAA,IACzB,CAAC;AAAA,IACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AAEA,MAAI,CAAC,OAAQ;AAEb,QAAM,gBAAgB,wBAAwB,MAAM,QAAQ;AAC5D,QAAM,iBAAiB,wBAAyB,OAAwC,QAAQ;AAChG,MAAI,CAAC,kBAAkB,mBAAmB,eAAe;AACvD,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,EAC1D;AACF;AAEA,eAAe,yBAAyB,OAA8E;AACpH,MAAI,OAAO,MAAM,sBAAsB,UAAW,QAAO,MAAM;AAC/D,QAAM,MAAM,MAAM,aAAa,KAAK;AACpC,SAAO,IAAI;AACb;AAEA,eAAsB,4BAA4B,IAAmB,QAAkC;AACrG,QAAM,cAAc,MAAM,GAAG;AAAA,IAC3B;AAAA,IACA,EAAE,MAAM,QAAmB,cAAc,KAAK;AAAA,EAChD;AACA,MAAI,eAAgB,YAA2C,iBAAiB,KAAM,QAAO;AAC7F,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,OAAkB;AAAA,IAC1B,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,EACzC;AACA,QAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,GAC9C,IAAI,CAAC,SAAS;AACb,UAAM,OAAQ,KAAqD;AACnE,QAAI,CAAC,KAAM,QAAO;AAClB,QAAI,OAAO,SAAS,SAAU,QAAO;AACrC,WAAO,KAAK,KAAK,OAAO,KAAK,EAAE,IAAI;AAAA,EACrC,CAAC,EACA,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACvE,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAC5B,QAAM,YAAY,MAAM,GAAG;AAAA,IACzB;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,GAAc,cAAc,KAAK;AAAA,EAC1D;AACA,SAAO,CAAC,CAAC,aAAc,UAAyC,iBAAiB;AACnF;AAEA,eAAsB,4BAA4B,IAAmB,QAAkC;AACrG,QAAM,QAAQ,MAAM,GAAG;AAAA,IACrB;AAAA,IACA,EAAE,MAAM,QAAmB,cAAc,KAAK;AAAA,EAChD;AACA,SAAO,CAAC,CAAC,SAAU,MAAqC,iBAAiB;AAC3E;AAEA,eAAsB,sBAAsB,IAAmB,UAA+C;AAC5G,QAAM,MAAM,oBAAI,IAAY;AAC5B,QAAM,gBAAyC,EAAE,cAAc,KAAK;AACpE,MAAI,SAAU,eAAc,WAAW;AACvC,QAAM,WAAW,MAAM,GAAG,KAAK,SAAS,aAAqC;AAC7E,aAAW,OAAO,UAAU;AAC1B,UAAM,UAAW,IAAoD;AACrE,UAAM,SAAS,WAAW,OAAO,YAAY,WACzC,QAAQ,KACR;AACJ,QAAI,OAAQ,KAAI,IAAI,OAAO,MAAM,CAAC;AAAA,EACpC;AACA,QAAM,WAAW,MAAM,GAAG;AAAA,IACxB;AAAA,IACA,EAAE,cAAc,KAAK;AAAA,EACvB;AACA,QAAM,UAAU,SACb,IAAI,CAAC,QAAQ;AACZ,UAAM,UAAW,IAAoD;AACrE,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,OAAO,YAAY,SAAU,QAAO;AACxC,WAAO,QAAQ,KAAK,OAAO,QAAQ,EAAE,IAAI;AAAA,EAC3C,CAAC,EACA,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACvE,MAAI,QAAQ,QAAQ;AAClB,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,EAAE,KAAK,QAAQ,EAAa;AAAA,MACpC,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,eAAW,QAAQ,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,GAAG;AACpD,YAAM,UAAW,KAAqD;AACtE,YAAM,SAAS,WAAW,OAAO,YAAY,WACzC,QAAQ,KACR;AACJ,UAAI,OAAQ,KAAI,IAAI,OAAO,MAAM,CAAC;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aAAa,OAA6C;AACvE,QAAM,cAAc,wBAAwB,MAAM,WAAW;AAC7D,MAAI,CAAC,YAAa,OAAM,UAAU,yCAAyC;AAE3E,QAAM,MAAM,MAAM,MAAM,YAAY,QAAQ,aAAa;AAAA,IACvD,UAAU,wBAAwB,MAAM,QAAQ;AAAA,IAChD,gBAAgB,wBAAwB,MAAM,cAAc;AAAA,EAC9D,CAAC;AAED,SAAO;AAAA,IACL,cAAc,CAAC,CAAC,KAAK;AAAA,IACrB,UAAU,oBAAoB,KAAK,QAAQ;AAAA,IAC3C,eAAe,0BAA0B,KAAK,aAAa;AAAA,EAC7D;AACF;AAEA,eAAe,qBACb,IACA,YACA,UACiB;AACjB,QAAM,QAAgB,CAAC;AACvB,QAAM,eAAyB,CAAC;AAEhC,aAAW,SAAS,YAAY;AAC9B,UAAM,OAAO,MAAM,oBAAoB,IAAI,OAAO,QAAQ;AAC1D,QAAI,CAAC,MAAM;AACT,mBAAa,KAAK,KAAK;AAAA,IACzB,OAAO;AACL,YAAM,KAAK,IAAI;AAAA,IACjB;AAAA,EACF;AAEA,MAAI,aAAa,QAAQ;AACvB,UAAM,SAAS,aAAa,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,EAAE,KAAK,IAAI;AAChE,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,sBAAsB,MAAM,GAAG,CAAC;AAAA,EACxE;AAEA,SAAO;AACT;AAEA,eAAe,oBACb,IACA,OACA,UACsB;AACtB,QAAM,QAAiC,QAAQ,KAAK,KAAK,IACrD,EAAE,IAAI,OAAO,WAAW,KAAK,IAC7B,EAAE,MAAM,OAAO,WAAW,KAAK;AACnC,MAAI,SAAU,OAAM,WAAW;AAC/B,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC;AAAA,IACD,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACF;AAEA,SAAS,+BACP,UACA,WAKM;AACN,MAAI,UAAU,cAAc;AAC1B,UAAM,UAAU,yDAAyD;AAAA,EAC3E;AAEA,QAAM,yBAAyB,SAAS,SAAS,OAAO,CAAC,UAAU,UAAU,GAAG;AAChF,aAAW,WAAW,UAAU,UAAU;AACxC,QAAI,YAAY,KAAK;AACnB,YAAM,UAAU,6DAA6D;AAAA,IAC/E;AACA,QAAI,kBAAkB,OAAO,GAAG;AAC9B,UAAI,CAAC,WAAW,wBAAwB,OAAO,GAAG;AAChD,cAAM,UAAU,iCAAiC,OAAO,GAAG;AAAA,MAC7D;AACA;AAAA,IACF;AACA,QAAI,CAAC,WAAW,wBAAwB,OAAO,GAAG;AAChD,YAAM,UAAU,wBAAwB,OAAO,GAAG;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,UAAU,kBAAkB,QAAW;AACzC,qCAAiC,SAAS,eAAe,UAAU,aAAa;AAAA,EAClF;AACF;AAEA,SAAS,iCACP,oBACA,wBACM;AACN,MAAI,uBAAuB,QAAQ,mBAAmB,SAAS,SAAS,EAAG;AAE3E,MAAI,2BAA2B,QAAQ,uBAAuB,SAAS,SAAS,GAAG;AACjF,UAAM,UAAU,gDAAgD;AAAA,EAClE;AAEA,aAAW,kBAAkB,wBAAwB;AACnD,QAAI,CAAC,mBAAmB,SAAS,cAAc,GAAG;AAChD,YAAM,UAAU,uDAAuD;AAAA,IACzE;AAAA,EACF;AACF;AAEA,SAAS,oBAAoB,QAA2B;AACtD,MAAI,CAAC,MAAM,QAAQ,MAAM,EAAG,QAAO,CAAC;AACpC,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,SAAS,QAAQ;AAC1B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,UAAM,IAAI,OAAO;AAAA,EACnB;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,0BAA0B,QAAkC;AACnE,MAAI,WAAW,QAAQ,WAAW,OAAW,QAAO;AACpD,SAAO,oBAAoB,MAAM;AACnC;AAEA,SAAS,wBAAwB,OAA+B;AAC9D,SAAO,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,IAAI,MAAM,KAAK,IAAI;AAC/E;AAEA,SAAS,kBAAkB,SAA0B;AACnD,SAAO,QAAQ,SAAS,IAAI;AAC9B;",
   "names": []
 }

package/dist/modules/auth/lib/sessionIntegrity.js CHANGED Viewed

@@ -34,7 +34,7 @@ async function resolveCanonicalStaffAuthContext(em, auth) {
       return null;
     }
   }
-  const sessionPromise = sessionId !== null ? findOneWithDecryption(em, Session, { id: sessionId, deletedAt: null }) : Promise.resolve(null);
+  const sessionPromise = sessionId !== null ? findOneWithDecryption(em, Session, { id: sessionId, user: subjectId, deletedAt: null }) : Promise.resolve(null);
   const userPromise = findOneWithDecryption(
     em,
     User,
@@ -45,6 +45,7 @@ async function resolveCanonicalStaffAuthContext(em, auth) {
   const [session, user] = await Promise.all([sessionPromise, userPromise]);
   if (sessionId !== null) {
     if (!session) return null;
+    if (resolveSessionUserId(session) !== subjectId) return null;
     if (session.expiresAt.getTime() < Date.now()) return null;
   }
   if (!user) return null;
@@ -78,6 +79,15 @@ async function resolveCanonicalStaffAuthContext(em, auth) {
     isSuperAdmin
   };
 }
+function resolveSessionUserId(session) {
+  const owner = session.user;
+  if (typeof owner === "string") return owner;
+  if (owner && typeof owner === "object") {
+    const ownerId = owner.id;
+    if (typeof ownerId === "string") return ownerId;
+  }
+  return null;
+}
 async function userAclGrantsSuperAdmin(em, userId, tenantId, organizationId) {
   const userAcl = await findOneWithDecryption(
     em,

package/dist/modules/auth/lib/sessionIntegrity.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/lib/sessionIntegrity.ts"],
-  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { Role, RoleAcl, Session, User, UserAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i\nconst INVALID_SCOPE = Symbol('invalid-scope')\n\ntype NormalizedScopeId = string | null | typeof INVALID_SCOPE\n\nfunction normalizeScopeId(value: unknown): NormalizedScopeId {\n  if (value === null || value === undefined) return null\n  if (typeof value !== 'string') return INVALID_SCOPE\n  const trimmed = value.trim()\n  if (!trimmed) return null\n  return UUID_RE.test(trimmed) ? trimmed : INVALID_SCOPE\n}\n\nfunction resolveActorTenantId(auth: NonNullable<AuthContext>): NormalizedScopeId {\n  const actorTenantId = (auth as { actorTenantId?: unknown }).actorTenantId\n  return normalizeScopeId(actorTenantId ?? auth.tenantId ?? null)\n}\n\nfunction resolveActorOrganizationId(auth: NonNullable<AuthContext>): NormalizedScopeId {\n  const actorOrgId = (auth as { actorOrgId?: unknown }).actorOrgId\n  return normalizeScopeId(actorOrgId ?? auth.orgId ?? null)\n}\n\nexport async function resolveCanonicalStaffAuthContext(\n  em: EntityManager,\n  auth: AuthContext,\n): Promise<AuthContext> {\n  if (!auth) return null\n  if (auth.isApiKey) return auth\n\n  const subjectId = normalizeScopeId(auth.sub)\n  const actorTenantId = resolveActorTenantId(auth)\n  const actorOrganizationId = resolveActorOrganizationId(auth)\n  if (\n    subjectId === INVALID_SCOPE ||\n    actorTenantId === INVALID_SCOPE ||\n    actorOrganizationId === INVALID_SCOPE\n  ) {\n    return null\n  }\n\n  // Session binding: when the JWT carries an `sid` claim, require the referenced session to\n  // still exist (not soft-deleted, not expired). This is what makes logout / password-reset\n  // actually invalidate an already-issued JWT.\n  //\n  // Legacy tokens (pre-migration, without `sid`) are allowed through during the grace period\n  // (controlled by JWT_LEGACY_GRACE_MINUTES) so that rolling deployments don't force-logout\n  // every user. Once the grace period expires these tokens will fail signature verification\n  // in `verifyJwt` before reaching this point.\n  const sessionId = normalizeScopeId(typeof auth.sid === 'string' ? auth.sid : null)\n  if (sessionId === INVALID_SCOPE) return null\n  if (sessionId === null) {\n    // Legacy token without sid \u2014 allow only if it was verified via the legacy fallback path.\n    // The `_legacyToken` flag is set by `verifyJwt` when a token passes raw-secret verification\n    // but fails audience-derived verification. Without this flag, reject.\n    if ((auth as Record<string, unknown>)._legacyToken === true) {\n      // Allow through without session validation \u2014 the token will expire naturally\n    } else {\n      return null\n    }\n  }\n  // The session-revocation check and the user load are independent (neither reads\n  // the other's result), so they run concurrently to collapse two sequential DB\n  // round-trips into one. The `em` here is a fresh request-scoped EntityManager\n  // (resolved per request, never inside an explicit transaction), so concurrent\n  // reads on it are safe.\n  const sessionPromise = sessionId !== null\n    ? findOneWithDecryption(em, Session, { id: sessionId, deletedAt: null })\n    : Promise.resolve(null)\n  const userPromise = findOneWithDecryption(\n    em,\n    User,\n    { id: subjectId, deletedAt: null },\n    undefined,\n    { tenantId: actorTenantId, organizationId: actorOrganizationId },\n  )\n  const [session, user] = await Promise.all([sessionPromise, userPromise])\n\n  if (sessionId !== null) {\n    if (!session) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n  }\n\n  if (!user) return null\n\n  const currentTenantId = normalizeScopeId(user.tenantId ?? null)\n  const currentOrganizationId = normalizeScopeId(user.organizationId ?? null)\n  if (\n    currentTenantId === INVALID_SCOPE ||\n    currentOrganizationId === INVALID_SCOPE ||\n    currentTenantId !== actorTenantId ||\n    currentOrganizationId !== actorOrganizationId\n  ) {\n    return null\n  }\n\n  // Role links and the per-user super-admin flag are likewise independent, so they\n  // run concurrently. The role-level super-admin lookup depends on the resolved\n  // role ids, so it stays sequential after the links resolve (and is skipped\n  // entirely when the per-user flag already grants super-admin).\n  const linksPromise = currentTenantId\n    ? findWithDecryption(\n        em,\n        UserRole,\n        {\n          user: user.id,\n          deletedAt: null,\n          role: { tenantId: currentTenantId, deletedAt: null } as unknown as Role,\n        } as never,\n        { populate: ['role'] },\n        { tenantId: currentTenantId, organizationId: currentOrganizationId },\n      )\n    : Promise.resolve([] as UserRole[])\n  const userAclSuperAdminPromise = currentTenantId\n    ? userAclGrantsSuperAdmin(em, user.id, currentTenantId, currentOrganizationId)\n    : Promise.resolve(false)\n  const [links, userAclSuperAdmin] = await Promise.all([linksPromise, userAclSuperAdminPromise])\n\n  const linkedRoles = links\n    .map((link) => link.role)\n    .filter((role): role is Role => !!role)\n\n  const roles = linkedRoles\n    .map((role) => role.name)\n    .filter((name): name is string => typeof name === 'string' && name.trim().length > 0)\n\n  const isSuperAdmin = currentTenantId\n    ? userAclSuperAdmin || (await roleAclGrantsSuperAdmin(em, linkedRoles, currentTenantId, currentOrganizationId))\n    : false\n\n  return {\n    ...auth,\n    sub: user.id,\n    tenantId: currentTenantId,\n    orgId: currentOrganizationId,\n    roles,\n    isSuperAdmin,\n  }\n}\n\nasync function userAclGrantsSuperAdmin(\n  em: EntityManager,\n  userId: string,\n  tenantId: string,\n  organizationId: string | null,\n): Promise<boolean> {\n  const userAcl = await findOneWithDecryption(\n    em,\n    UserAcl,\n    {\n      user: userId,\n      tenantId,\n      isSuperAdmin: true,\n      deletedAt: null,\n    } as never,\n    undefined,\n    { tenantId, organizationId },\n  )\n  return !!(userAcl && (userAcl as { isSuperAdmin?: boolean }).isSuperAdmin === true)\n}\n\nasync function roleAclGrantsSuperAdmin(\n  em: EntityManager,\n  linkedRoles: Role[],\n  tenantId: string,\n  organizationId: string | null,\n): Promise<boolean> {\n  const roleIds = Array.from(\n    new Set(\n      linkedRoles\n        .map((role) => (role?.id ? String(role.id) : null))\n        .filter((id): id is string => typeof id === 'string' && id.length > 0),\n    ),\n  )\n  if (!roleIds.length) return false\n\n  const roleAcl = await findOneWithDecryption(\n    em,\n    RoleAcl,\n    {\n      tenantId,\n      isSuperAdmin: true,\n      deletedAt: null,\n      role: { $in: roleIds },\n    } as never,\n    undefined,\n    { tenantId, organizationId },\n  )\n  return !!(roleAcl && (roleAcl as { isSuperAdmin?: boolean }).isSuperAdmin === true)\n}\n\nexport async function isAuthContextValid(\n  em: EntityManager,\n  auth: AuthContext,\n): Promise<boolean> {\n  return (await resolveCanonicalStaffAuthContext(em, auth)) !== null\n}\n"],
-  "mappings": "AAEA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAe,SAAS,SAAS,MAAM,SAAS,gBAAgB;AAEhE,MAAM,UAAU;AAChB,MAAM,gBAAgB,uBAAO,eAAe;AAI5C,SAAS,iBAAiB,OAAmC;AAC3D,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,QAAQ,KAAK,OAAO,IAAI,UAAU;AAC3C;AAEA,SAAS,qBAAqB,MAAmD;AAC/E,QAAM,gBAAiB,KAAqC;AAC5D,SAAO,iBAAiB,iBAAiB,KAAK,YAAY,IAAI;AAChE;AAEA,SAAS,2BAA2B,MAAmD;AACrF,QAAM,aAAc,KAAkC;AACtD,SAAO,iBAAiB,cAAc,KAAK,SAAS,IAAI;AAC1D;AAEA,eAAsB,iCACpB,IACA,MACsB;AACtB,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,SAAU,QAAO;AAE1B,QAAM,YAAY,iBAAiB,KAAK,GAAG;AAC3C,QAAM,gBAAgB,qBAAqB,IAAI;AAC/C,QAAM,sBAAsB,2BAA2B,IAAI;AAC3D,MACE,cAAc,iBACd,kBAAkB,iBAClB,wBAAwB,eACxB;AACA,WAAO;AAAA,EACT;AAUA,QAAM,YAAY,iBAAiB,OAAO,KAAK,QAAQ,WAAW,KAAK,MAAM,IAAI;AACjF,MAAI,cAAc,cAAe,QAAO;AACxC,MAAI,cAAc,MAAM;AAItB,QAAK,KAAiC,iBAAiB,MAAM;AAAA,IAE7D,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF;AAMA,QAAM,iBAAiB,cAAc,OACjC,sBAAsB,IAAI,SAAS,EAAE,IAAI,WAAW,WAAW,KAAK,CAAC,IACrE,QAAQ,QAAQ,IAAI;AACxB,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,WAAW,KAAK;AAAA,IACjC;AAAA,IACA,EAAE,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,EACjE;AACA,QAAM,CAAC,SAAS,IAAI,IAAI,MAAM,QAAQ,IAAI,CAAC,gBAAgB,WAAW,CAAC;AAEvE,MAAI,cAAc,MAAM;AACtB,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AAAA,EACvD;AAEA,MAAI,CAAC,KAAM,QAAO;AAElB,QAAM,kBAAkB,iBAAiB,KAAK,YAAY,IAAI;AAC9D,QAAM,wBAAwB,iBAAiB,KAAK,kBAAkB,IAAI;AAC1E,MACE,oBAAoB,iBACpB,0BAA0B,iBAC1B,oBAAoB,iBACpB,0BAA0B,qBAC1B;AACA,WAAO;AAAA,EACT;AAMA,QAAM,eAAe,kBACjB;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,MACX,MAAM,EAAE,UAAU,iBAAiB,WAAW,KAAK;AAAA,IACrD;AAAA,IACA,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,iBAAiB,gBAAgB,sBAAsB;AAAA,EACrE,IACA,QAAQ,QAAQ,CAAC,CAAe;AACpC,QAAM,2BAA2B,kBAC7B,wBAAwB,IAAI,KAAK,IAAI,iBAAiB,qBAAqB,IAC3E,QAAQ,QAAQ,KAAK;AACzB,QAAM,CAAC,OAAO,iBAAiB,IAAI,MAAM,QAAQ,IAAI,CAAC,cAAc,wBAAwB,CAAC;AAE7F,QAAM,cAAc,MACjB,IAAI,CAAC,SAAS,KAAK,IAAI,EACvB,OAAO,CAAC,SAAuB,CAAC,CAAC,IAAI;AAExC,QAAM,QAAQ,YACX,IAAI,CAAC,SAAS,KAAK,IAAI,EACvB,OAAO,CAAC,SAAyB,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,SAAS,CAAC;AAEtF,QAAM,eAAe,kBACjB,qBAAsB,MAAM,wBAAwB,IAAI,aAAa,iBAAiB,qBAAqB,IAC3G;AAEJ,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK,KAAK;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,wBACb,IACA,QACA,UACA,gBACkB;AAClB,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,cAAc;AAAA,MACd,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,CAAC,EAAE,WAAY,QAAuC,iBAAiB;AAChF;AAEA,eAAe,wBACb,IACA,aACA,UACA,gBACkB;AAClB,QAAM,UAAU,MAAM;AAAA,IACpB,IAAI;AAAA,MACF,YACG,IAAI,CAAC,SAAU,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI,IAAK,EACjD,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAAA,IACzE;AAAA,EACF;AACA,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,cAAc;AAAA,MACd,WAAW;AAAA,MACX,MAAM,EAAE,KAAK,QAAQ;AAAA,IACvB;AAAA,IACA;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,CAAC,EAAE,WAAY,QAAuC,iBAAiB;AAChF;AAEA,eAAsB,mBACpB,IACA,MACkB;AAClB,SAAQ,MAAM,iCAAiC,IAAI,IAAI,MAAO;AAChE;",
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { Role, RoleAcl, Session, User, UserAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i\nconst INVALID_SCOPE = Symbol('invalid-scope')\n\ntype NormalizedScopeId = string | null | typeof INVALID_SCOPE\n\nfunction normalizeScopeId(value: unknown): NormalizedScopeId {\n  if (value === null || value === undefined) return null\n  if (typeof value !== 'string') return INVALID_SCOPE\n  const trimmed = value.trim()\n  if (!trimmed) return null\n  return UUID_RE.test(trimmed) ? trimmed : INVALID_SCOPE\n}\n\nfunction resolveActorTenantId(auth: NonNullable<AuthContext>): NormalizedScopeId {\n  const actorTenantId = (auth as { actorTenantId?: unknown }).actorTenantId\n  return normalizeScopeId(actorTenantId ?? auth.tenantId ?? null)\n}\n\nfunction resolveActorOrganizationId(auth: NonNullable<AuthContext>): NormalizedScopeId {\n  const actorOrgId = (auth as { actorOrgId?: unknown }).actorOrgId\n  return normalizeScopeId(actorOrgId ?? auth.orgId ?? null)\n}\n\nexport async function resolveCanonicalStaffAuthContext(\n  em: EntityManager,\n  auth: AuthContext,\n): Promise<AuthContext> {\n  if (!auth) return null\n  if (auth.isApiKey) return auth\n\n  const subjectId = normalizeScopeId(auth.sub)\n  const actorTenantId = resolveActorTenantId(auth)\n  const actorOrganizationId = resolveActorOrganizationId(auth)\n  if (\n    subjectId === INVALID_SCOPE ||\n    actorTenantId === INVALID_SCOPE ||\n    actorOrganizationId === INVALID_SCOPE\n  ) {\n    return null\n  }\n\n  // Session binding: when the JWT carries an `sid` claim, require the referenced session to\n  // still exist (not soft-deleted, not expired). This is what makes logout / password-reset\n  // actually invalidate an already-issued JWT.\n  //\n  // Legacy tokens (pre-migration, without `sid`) are allowed through during the grace period\n  // (controlled by JWT_LEGACY_GRACE_MINUTES) so that rolling deployments don't force-logout\n  // every user. Once the grace period expires these tokens will fail signature verification\n  // in `verifyJwt` before reaching this point.\n  const sessionId = normalizeScopeId(typeof auth.sid === 'string' ? auth.sid : null)\n  if (sessionId === INVALID_SCOPE) return null\n  if (sessionId === null) {\n    // Legacy token without sid \u2014 allow only if it was verified via the legacy fallback path.\n    // The `_legacyToken` flag is set by `verifyJwt` when a token passes raw-secret verification\n    // but fails audience-derived verification. Without this flag, reject.\n    if ((auth as Record<string, unknown>)._legacyToken === true) {\n      // Allow through without session validation \u2014 the token will expire naturally\n    } else {\n      return null\n    }\n  }\n  // The session-revocation check and the user load are independent (neither reads\n  // the other's result), so they run concurrently to collapse two sequential DB\n  // round-trips into one. The `em` here is a fresh request-scoped EntityManager\n  // (resolved per request, never inside an explicit transaction), so concurrent\n  // reads on it are safe.\n  //\n  // The session lookup is bound to the token subject (`user: subjectId`) so the\n  // referenced session must actually belong to the JWT's subject. Without this\n  // binding, a forged-but-otherwise-valid token could pair `sub` for one user with\n  // a still-live `sid` belonging to another, evading per-user session revocation\n  // (logout / deleteAllUserSessions / password reset).\n  const sessionPromise = sessionId !== null\n    ? findOneWithDecryption(em, Session, { id: sessionId, user: subjectId, deletedAt: null })\n    : Promise.resolve(null)\n  const userPromise = findOneWithDecryption(\n    em,\n    User,\n    { id: subjectId, deletedAt: null },\n    undefined,\n    { tenantId: actorTenantId, organizationId: actorOrganizationId },\n  )\n  const [session, user] = await Promise.all([sessionPromise, userPromise])\n\n  if (sessionId !== null) {\n    if (!session) return null\n    if (resolveSessionUserId(session) !== subjectId) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n  }\n\n  if (!user) return null\n\n  const currentTenantId = normalizeScopeId(user.tenantId ?? null)\n  const currentOrganizationId = normalizeScopeId(user.organizationId ?? null)\n  if (\n    currentTenantId === INVALID_SCOPE ||\n    currentOrganizationId === INVALID_SCOPE ||\n    currentTenantId !== actorTenantId ||\n    currentOrganizationId !== actorOrganizationId\n  ) {\n    return null\n  }\n\n  // Role links and the per-user super-admin flag are likewise independent, so they\n  // run concurrently. The role-level super-admin lookup depends on the resolved\n  // role ids, so it stays sequential after the links resolve (and is skipped\n  // entirely when the per-user flag already grants super-admin).\n  const linksPromise = currentTenantId\n    ? findWithDecryption(\n        em,\n        UserRole,\n        {\n          user: user.id,\n          deletedAt: null,\n          role: { tenantId: currentTenantId, deletedAt: null } as unknown as Role,\n        } as never,\n        { populate: ['role'] },\n        { tenantId: currentTenantId, organizationId: currentOrganizationId },\n      )\n    : Promise.resolve([] as UserRole[])\n  const userAclSuperAdminPromise = currentTenantId\n    ? userAclGrantsSuperAdmin(em, user.id, currentTenantId, currentOrganizationId)\n    : Promise.resolve(false)\n  const [links, userAclSuperAdmin] = await Promise.all([linksPromise, userAclSuperAdminPromise])\n\n  const linkedRoles = links\n    .map((link) => link.role)\n    .filter((role): role is Role => !!role)\n\n  const roles = linkedRoles\n    .map((role) => role.name)\n    .filter((name): name is string => typeof name === 'string' && name.trim().length > 0)\n\n  const isSuperAdmin = currentTenantId\n    ? userAclSuperAdmin || (await roleAclGrantsSuperAdmin(em, linkedRoles, currentTenantId, currentOrganizationId))\n    : false\n\n  return {\n    ...auth,\n    sub: user.id,\n    tenantId: currentTenantId,\n    orgId: currentOrganizationId,\n    roles,\n    isSuperAdmin,\n  }\n}\n\nfunction resolveSessionUserId(session: Session): string | null {\n  const owner = (session as { user?: unknown }).user\n  if (typeof owner === 'string') return owner\n  if (owner && typeof owner === 'object') {\n    const ownerId = (owner as { id?: unknown }).id\n    if (typeof ownerId === 'string') return ownerId\n  }\n  return null\n}\n\nasync function userAclGrantsSuperAdmin(\n  em: EntityManager,\n  userId: string,\n  tenantId: string,\n  organizationId: string | null,\n): Promise<boolean> {\n  const userAcl = await findOneWithDecryption(\n    em,\n    UserAcl,\n    {\n      user: userId,\n      tenantId,\n      isSuperAdmin: true,\n      deletedAt: null,\n    } as never,\n    undefined,\n    { tenantId, organizationId },\n  )\n  return !!(userAcl && (userAcl as { isSuperAdmin?: boolean }).isSuperAdmin === true)\n}\n\nasync function roleAclGrantsSuperAdmin(\n  em: EntityManager,\n  linkedRoles: Role[],\n  tenantId: string,\n  organizationId: string | null,\n): Promise<boolean> {\n  const roleIds = Array.from(\n    new Set(\n      linkedRoles\n        .map((role) => (role?.id ? String(role.id) : null))\n        .filter((id): id is string => typeof id === 'string' && id.length > 0),\n    ),\n  )\n  if (!roleIds.length) return false\n\n  const roleAcl = await findOneWithDecryption(\n    em,\n    RoleAcl,\n    {\n      tenantId,\n      isSuperAdmin: true,\n      deletedAt: null,\n      role: { $in: roleIds },\n    } as never,\n    undefined,\n    { tenantId, organizationId },\n  )\n  return !!(roleAcl && (roleAcl as { isSuperAdmin?: boolean }).isSuperAdmin === true)\n}\n\nexport async function isAuthContextValid(\n  em: EntityManager,\n  auth: AuthContext,\n): Promise<boolean> {\n  return (await resolveCanonicalStaffAuthContext(em, auth)) !== null\n}\n"],
+  "mappings": "AAEA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAe,SAAS,SAAS,MAAM,SAAS,gBAAgB;AAEhE,MAAM,UAAU;AAChB,MAAM,gBAAgB,uBAAO,eAAe;AAI5C,SAAS,iBAAiB,OAAmC;AAC3D,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,QAAQ,KAAK,OAAO,IAAI,UAAU;AAC3C;AAEA,SAAS,qBAAqB,MAAmD;AAC/E,QAAM,gBAAiB,KAAqC;AAC5D,SAAO,iBAAiB,iBAAiB,KAAK,YAAY,IAAI;AAChE;AAEA,SAAS,2BAA2B,MAAmD;AACrF,QAAM,aAAc,KAAkC;AACtD,SAAO,iBAAiB,cAAc,KAAK,SAAS,IAAI;AAC1D;AAEA,eAAsB,iCACpB,IACA,MACsB;AACtB,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,KAAK,SAAU,QAAO;AAE1B,QAAM,YAAY,iBAAiB,KAAK,GAAG;AAC3C,QAAM,gBAAgB,qBAAqB,IAAI;AAC/C,QAAM,sBAAsB,2BAA2B,IAAI;AAC3D,MACE,cAAc,iBACd,kBAAkB,iBAClB,wBAAwB,eACxB;AACA,WAAO;AAAA,EACT;AAUA,QAAM,YAAY,iBAAiB,OAAO,KAAK,QAAQ,WAAW,KAAK,MAAM,IAAI;AACjF,MAAI,cAAc,cAAe,QAAO;AACxC,MAAI,cAAc,MAAM;AAItB,QAAK,KAAiC,iBAAiB,MAAM;AAAA,IAE7D,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF;AAYA,QAAM,iBAAiB,cAAc,OACjC,sBAAsB,IAAI,SAAS,EAAE,IAAI,WAAW,MAAM,WAAW,WAAW,KAAK,CAAC,IACtF,QAAQ,QAAQ,IAAI;AACxB,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,WAAW,KAAK;AAAA,IACjC;AAAA,IACA,EAAE,UAAU,eAAe,gBAAgB,oBAAoB;AAAA,EACjE;AACA,QAAM,CAAC,SAAS,IAAI,IAAI,MAAM,QAAQ,IAAI,CAAC,gBAAgB,WAAW,CAAC;AAEvE,MAAI,cAAc,MAAM;AACtB,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,qBAAqB,OAAO,MAAM,UAAW,QAAO;AACxD,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AAAA,EACvD;AAEA,MAAI,CAAC,KAAM,QAAO;AAElB,QAAM,kBAAkB,iBAAiB,KAAK,YAAY,IAAI;AAC9D,QAAM,wBAAwB,iBAAiB,KAAK,kBAAkB,IAAI;AAC1E,MACE,oBAAoB,iBACpB,0BAA0B,iBAC1B,oBAAoB,iBACpB,0BAA0B,qBAC1B;AACA,WAAO;AAAA,EACT;AAMA,QAAM,eAAe,kBACjB;AAAA,IACE;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,MACX,MAAM,EAAE,UAAU,iBAAiB,WAAW,KAAK;AAAA,IACrD;AAAA,IACA,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,iBAAiB,gBAAgB,sBAAsB;AAAA,EACrE,IACA,QAAQ,QAAQ,CAAC,CAAe;AACpC,QAAM,2BAA2B,kBAC7B,wBAAwB,IAAI,KAAK,IAAI,iBAAiB,qBAAqB,IAC3E,QAAQ,QAAQ,KAAK;AACzB,QAAM,CAAC,OAAO,iBAAiB,IAAI,MAAM,QAAQ,IAAI,CAAC,cAAc,wBAAwB,CAAC;AAE7F,QAAM,cAAc,MACjB,IAAI,CAAC,SAAS,KAAK,IAAI,EACvB,OAAO,CAAC,SAAuB,CAAC,CAAC,IAAI;AAExC,QAAM,QAAQ,YACX,IAAI,CAAC,SAAS,KAAK,IAAI,EACvB,OAAO,CAAC,SAAyB,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,SAAS,CAAC;AAEtF,QAAM,eAAe,kBACjB,qBAAsB,MAAM,wBAAwB,IAAI,aAAa,iBAAiB,qBAAqB,IAC3G;AAEJ,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK,KAAK;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,IACP;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,qBAAqB,SAAiC;AAC7D,QAAM,QAAS,QAA+B;AAC9C,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,UAAW,MAA2B;AAC5C,QAAI,OAAO,YAAY,SAAU,QAAO;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,eAAe,wBACb,IACA,QACA,UACA,gBACkB;AAClB,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,cAAc;AAAA,MACd,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,CAAC,EAAE,WAAY,QAAuC,iBAAiB;AAChF;AAEA,eAAe,wBACb,IACA,aACA,UACA,gBACkB;AAClB,QAAM,UAAU,MAAM;AAAA,IACpB,IAAI;AAAA,MACF,YACG,IAAI,CAAC,SAAU,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI,IAAK,EACjD,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAAA,IACzE;AAAA,EACF;AACA,MAAI,CAAC,QAAQ,OAAQ,QAAO;AAE5B,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,cAAc;AAAA,MACd,WAAW;AAAA,MACX,MAAM,EAAE,KAAK,QAAQ;AAAA,IACvB;AAAA,IACA;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,CAAC,EAAE,WAAY,QAAuC,iBAAiB;AAChF;AAEA,eAAsB,mBACpB,IACA,MACkB;AAClB,SAAQ,MAAM,iCAAiC,IAAI,IAAI,MAAO;AAChE;",
   "names": []
 }

package/dist/modules/auth/services/authService.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { compare, hash } from "bcryptjs";
 import { User, UserRole, Session, PasswordReset } from "@open-mercato/core/modules/auth/data/entities";
-import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
+import { emailHashLookupValues } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { generateAuthToken, hashAuthToken } from "@open-mercato/core/modules/auth/lib/tokenHash";
 import { findWithDecryption, findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
 class AuthService {
@@ -8,27 +8,27 @@ class AuthService {
     this.em = em;
   }
   async findUserByEmail(email) {
-    const emailHash = computeEmailHash(email);
+    const emailHashes = emailHashLookupValues(email);
     return findOneWithDecryption(this.em, User, {
       deletedAt: null,
       $or: [
         { email },
-        { emailHash }
+        { emailHash: { $in: emailHashes } }
       ]
     });
   }
   async findUsersByEmail(email) {
-    const emailHash = computeEmailHash(email);
+    const emailHashes = emailHashLookupValues(email);
     return findWithDecryption(this.em, User, {
       deletedAt: null,
       $or: [
         { email },
-        { emailHash }
+        { emailHash: { $in: emailHashes } }
       ]
     });
   }
   async findUserByEmailAndTenant(email, tenantId) {
-    const emailHash = computeEmailHash(email);
+    const emailHashes = emailHashLookupValues(email);
     return findOneWithDecryption(
       this.em,
       User,
@@ -37,7 +37,7 @@ class AuthService {
         deletedAt: null,
         $or: [
           { email },
-          { emailHash }
+          { emailHash: { $in: emailHashes } }
         ]
       },
       void 0,
@@ -74,10 +74,7 @@ class AuthService {
   }
   async deleteSessionByToken(token) {
     const hashedToken = hashAuthToken(token);
-    const deleted = await this.em.nativeDelete(Session, { token: hashedToken });
-    if (!deleted) {
-      await this.em.nativeDelete(Session, { token });
-    }
+    await this.em.nativeDelete(Session, { token: hashedToken });
   }
   async deleteSessionById(sessionId) {
     await this.em.nativeDelete(Session, { id: sessionId });
@@ -94,10 +91,7 @@ class AuthService {
   async refreshFromSessionToken(token) {
     const now = /* @__PURE__ */ new Date();
     const hashedToken = hashAuthToken(token);
-    let sess = await this.em.findOne(Session, { token: hashedToken });
-    if (!sess) {
-      sess = await this.em.findOne(Session, { token });
-    }
+    const sess = await this.em.findOne(Session, { token: hashedToken });
     if (!sess || sess.expiresAt <= now) return null;
     const user = await findOneWithDecryption(this.em, User, { id: sess.user.id, deletedAt: null });
     if (!user) return null;
@@ -117,10 +111,7 @@ class AuthService {
   async confirmPasswordReset(token, newPassword) {
     const now = /* @__PURE__ */ new Date();
     const hashedToken = hashAuthToken(token);
-    let row = await this.em.findOne(PasswordReset, { token: hashedToken });
-    if (!row) {
-      row = await this.em.findOne(PasswordReset, { token });
-    }
+    const row = await this.em.findOne(PasswordReset, { token: hashedToken });
     if (!row || row.usedAt && row.usedAt <= now || row.expiresAt <= now) return null;
     const affected = await this.em.nativeUpdate(
       PasswordReset,

package/dist/modules/auth/services/authService.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/services/authService.ts"],
-  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHash = computeEmailHash(email)\n    return findOneWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash },\n      ],\n    } as any)\n  }\n\n  async findUsersByEmail(email: string) {\n    const emailHash = computeEmailHash(email)\n    return findWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash },\n      ],\n    } as any)\n  }\n\n  async findUserByEmailAndTenant(email: string, tenantId: string) {\n    const emailHash = computeEmailHash(email)\n    return findOneWithDecryption(\n      this.em,\n      User,\n      {\n        tenantId,\n        deletedAt: null,\n        $or: [\n          { email },\n          { emailHash },\n        ],\n      } as any,\n      undefined,\n      { tenantId },\n    )\n  }\n\n  async verifyPassword(user: User, password: string) {\n    if (!user.passwordHash) return false\n    return compare(password, user.passwordHash)\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, deletedAt: null, role: { tenantId: resolvedTenantId, deletedAt: null } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    return links.map((l) => l.role.name)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<{ session: Session; token: string }> {\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const sess = this.em.create(Session as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(sess).flush()\n    return { session: sess as Session, token: rawToken }\n  }\n\n  async deleteSessionByToken(token: string) {\n    const hashedToken = hashAuthToken(token)\n    const deleted = await this.em.nativeDelete(Session, { token: hashedToken })\n    if (!deleted) {\n      await this.em.nativeDelete(Session, { token })\n    }\n  }\n\n  async deleteSessionById(sessionId: string) {\n    await this.em.nativeDelete(Session, { id: sessionId })\n  }\n\n  async findActiveSessionById(sessionId: string): Promise<Session | null> {\n    const session = await this.em.findOne(Session, { id: sessionId, deletedAt: null })\n    if (!session) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n    return session\n  }\n\n  async deleteAllUserSessions(userId: string) {\n    await this.em.nativeDelete(Session, { user: userId })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    let sess = await this.em.findOne(Session, { token: hashedToken })\n    if (!sess) {\n      sess = await this.em.findOne(Session, { token })\n    }\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await findOneWithDecryption(this.em, User, { id: sess.user.id, deletedAt: null })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles, session: sess }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(row).flush()\n    return { user, token: rawToken }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    let row = await this.em.findOne(PasswordReset, { token: hashedToken })\n    if (!row) {\n      row = await this.em.findOne(PasswordReset, { token })\n    }\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null\n\n    // Atomic compare-and-set: only mark used if still unused \u2014 prevents token replay under concurrency\n    const affected = await this.em.nativeUpdate(\n      PasswordReset,\n      { id: row.id, usedAt: null },\n      { usedAt: now },\n    )\n    if (affected === 0) return null\n\n    const user = await findOneWithDecryption(this.em, User, { id: row.user.id, deletedAt: null })\n    if (!user) return null\n    user.passwordHash = await hash(newPassword, 10)\n    await this.em.flush()\n    await this.deleteAllUserSessions(String(user.id))\n    return user\n  }\n}\n"],
-  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,SAAS,wBAAwB;AACjC,SAAS,mBAAmB,qBAAqB;AACjD,SAAS,oBAAoB,6BAA6B;AAEnD,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,YAAY,iBAAiB,KAAK;AACxC,WAAO,sBAAsB,KAAK,IAAI,MAAM;AAAA,MAC1C,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,UAAU;AAAA,MACd;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,iBAAiB,OAAe;AACpC,UAAM,YAAY,iBAAiB,KAAK;AACxC,WAAO,mBAAmB,KAAK,IAAI,MAAM;AAAA,MACvC,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,UAAU;AAAA,MACd;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,yBAAyB,OAAe,UAAkB;AAC9D,UAAM,YAAY,iBAAiB,KAAK;AACxC,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE;AAAA,QACA,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,MAAM;AAAA,UACR,EAAE,UAAU;AAAA,QACd;AAAA,MACF;AAAA,MACA;AAAA,MACA,EAAE,SAAS;AAAA,IACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAY,UAAkB;AACjD,QAAI,CAAC,KAAK,aAAc,QAAO;AAC/B,WAAO,QAAQ,UAAU,KAAK,YAAY;AAAA,EAC5C;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,WAAW,MAAM,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,EAAS;AAAA,MACtF,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AACA,WAAO,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI;AAAA,EACrC;AAAA,EAGA,MAAM,cAAc,MAAY,WAA+D;AAC7F,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AAC/G,UAAM,KAAK,GAAG,QAAQ,IAAI,EAAE,MAAM;AAClC,WAAO,EAAE,SAAS,MAAiB,OAAO,SAAS;AAAA,EACrD;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,UAAU,MAAM,KAAK,GAAG,aAAa,SAAS,EAAE,OAAO,YAAY,CAAC;AAC1E,QAAI,CAAC,SAAS;AACZ,YAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,CAAC;AAAA,IAC/C;AAAA,EACF;AAAA,EAEA,MAAM,kBAAkB,WAAmB;AACzC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,IAAI,UAAU,CAAC;AAAA,EACvD;AAAA,EAEA,MAAM,sBAAsB,WAA4C;AACtE,UAAM,UAAU,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,IAAI,WAAW,WAAW,KAAK,CAAC;AACjF,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,sBAAsB,QAAgB;AAC1C,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAAA,EACtD;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,QAAI,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,OAAO,YAAY,CAAC;AAChE,QAAI,CAAC,MAAM;AACT,aAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,MAAM,CAAC;AAAA,IACjD;AACA,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,KAAK,KAAK,IAAI,WAAW,KAAK,CAAC;AAC7F,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,OAAO,SAAS,KAAK;AAAA,EACtC;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpH,UAAM,KAAK,GAAG,QAAQ,GAAG,EAAE,MAAM;AACjC,WAAO,EAAE,MAAM,OAAO,SAAS;AAAA,EACjC;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAA2C;AACnF,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,QAAI,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,OAAO,YAAY,CAAC;AACrE,QAAI,CAAC,KAAK;AACR,YAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,MAAM,CAAC;AAAA,IACtD;AACA,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAG9E,UAAM,WAAW,MAAM,KAAK,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,IAAI,IAAI,QAAQ,KAAK;AAAA,MAC3B,EAAE,QAAQ,IAAI;AAAA,IAChB;AACA,QAAI,aAAa,EAAG,QAAO;AAE3B,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,IAAI,KAAK,IAAI,WAAW,KAAK,CAAC;AAC5F,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,UAAM,KAAK,GAAG,MAAM;AACpB,UAAM,KAAK,sBAAsB,OAAO,KAAK,EAAE,CAAC;AAChD,WAAO;AAAA,EACT;AACF;",
+  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { emailHashLookupValues } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUsersByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUserByEmailAndTenant(email: string, tenantId: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(\n      this.em,\n      User,\n      {\n        tenantId,\n        deletedAt: null,\n        $or: [\n          { email },\n          { emailHash: { $in: emailHashes } },\n        ],\n      } as any,\n      undefined,\n      { tenantId },\n    )\n  }\n\n  async verifyPassword(user: User, password: string) {\n    if (!user.passwordHash) return false\n    return compare(password, user.passwordHash)\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, deletedAt: null, role: { tenantId: resolvedTenantId, deletedAt: null } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    return links.map((l) => l.role.name)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<{ session: Session; token: string }> {\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const sess = this.em.create(Session as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(sess).flush()\n    return { session: sess as Session, token: rawToken }\n  }\n\n  async deleteSessionByToken(token: string) {\n    const hashedToken = hashAuthToken(token)\n    await this.em.nativeDelete(Session, { token: hashedToken })\n  }\n\n  async deleteSessionById(sessionId: string) {\n    await this.em.nativeDelete(Session, { id: sessionId })\n  }\n\n  async findActiveSessionById(sessionId: string): Promise<Session | null> {\n    const session = await this.em.findOne(Session, { id: sessionId, deletedAt: null })\n    if (!session) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n    return session\n  }\n\n  async deleteAllUserSessions(userId: string) {\n    await this.em.nativeDelete(Session, { user: userId })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const sess = await this.em.findOne(Session, { token: hashedToken })\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await findOneWithDecryption(this.em, User, { id: sess.user.id, deletedAt: null })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles, session: sess }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(row).flush()\n    return { user, token: rawToken }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const row = await this.em.findOne(PasswordReset, { token: hashedToken })\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null\n\n    // Atomic compare-and-set: only mark used if still unused \u2014 prevents token replay under concurrency\n    const affected = await this.em.nativeUpdate(\n      PasswordReset,\n      { id: row.id, usedAt: null },\n      { usedAt: now },\n    )\n    if (affected === 0) return null\n\n    const user = await findOneWithDecryption(this.em, User, { id: row.user.id, deletedAt: null })\n    if (!user) return null\n    user.passwordHash = await hash(newPassword, 10)\n    await this.em.flush()\n    await this.deleteAllUserSessions(String(user.id))\n    return user\n  }\n}\n"],
+  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,SAAS,6BAA6B;AACtC,SAAS,mBAAmB,qBAAqB;AACjD,SAAS,oBAAoB,6BAA6B;AAEnD,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,sBAAsB,KAAK,IAAI,MAAM;AAAA,MAC1C,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,iBAAiB,OAAe;AACpC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,mBAAmB,KAAK,IAAI,MAAM;AAAA,MACvC,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,yBAAyB,OAAe,UAAkB;AAC9D,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE;AAAA,QACA,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,MAAM;AAAA,UACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,QACpC;AAAA,MACF;AAAA,MACA;AAAA,MACA,EAAE,SAAS;AAAA,IACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAY,UAAkB;AACjD,QAAI,CAAC,KAAK,aAAc,QAAO;AAC/B,WAAO,QAAQ,UAAU,KAAK,YAAY;AAAA,EAC5C;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,WAAW,MAAM,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,EAAS;AAAA,MACtF,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AACA,WAAO,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI;AAAA,EACrC;AAAA,EAGA,MAAM,cAAc,MAAY,WAA+D;AAC7F,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AAC/G,UAAM,KAAK,GAAG,QAAQ,IAAI,EAAE,MAAM;AAClC,WAAO,EAAE,SAAS,MAAiB,OAAO,SAAS;AAAA,EACrD;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,OAAO,YAAY,CAAC;AAAA,EAC5D;AAAA,EAEA,MAAM,kBAAkB,WAAmB;AACzC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,IAAI,UAAU,CAAC;AAAA,EACvD;AAAA,EAEA,MAAM,sBAAsB,WAA4C;AACtE,UAAM,UAAU,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,IAAI,WAAW,WAAW,KAAK,CAAC;AACjF,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,sBAAsB,QAAgB;AAC1C,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAAA,EACtD;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,OAAO,YAAY,CAAC;AAClE,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,KAAK,KAAK,IAAI,WAAW,KAAK,CAAC;AAC7F,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,OAAO,SAAS,KAAK;AAAA,EACtC;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpH,UAAM,KAAK,GAAG,QAAQ,GAAG,EAAE,MAAM;AACjC,WAAO,EAAE,MAAM,OAAO,SAAS;AAAA,EACjC;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAA2C;AACnF,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,OAAO,YAAY,CAAC;AACvE,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAG9E,UAAM,WAAW,MAAM,KAAK,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,IAAI,IAAI,QAAQ,KAAK;AAAA,MAC3B,EAAE,QAAQ,IAAI;AAAA,IAChB;AACA,QAAI,aAAa,EAAG,QAAO;AAE3B,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,IAAI,KAAK,IAAI,WAAW,KAAK,CAAC;AAC5F,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,UAAM,KAAK,GAAG,MAAM;AACpB,UAAM,KAAK,sBAAsB,OAAO,KAAK,EAAE,CAAC;AAChD,WAAO;AAAA,EACT;AACF;",
   "names": []
 }

package/dist/modules/auth/services/sidebarPreferencesService.js CHANGED Viewed

@@ -16,6 +16,30 @@ async function loadSidebarPreference(em, scope) {
   );
   return normalizeSidebarSettings(existing?.settingsJson);
 }
+async function loadSidebarPreferenceUpdatedAt(em, scope) {
+  const { userId, tenantId, organizationId } = normalizeScope(scope);
+  const existing = await findOneWithDecryption(
+    em,
+    UserSidebarPreference,
+    { user: userId, tenantId, organizationId },
+    void 0,
+    { tenantId, organizationId }
+  );
+  if (!existing) return null;
+  return { id: existing.id, updatedAt: existing.updatedAt ?? null };
+}
+async function loadRoleSidebarPreferenceUpdatedAt(em, scope) {
+  const { roleId, tenantId } = normalizeRoleScope(scope);
+  const existing = await findOneWithDecryption(
+    em,
+    RoleSidebarPreference,
+    { role: roleId, tenantId },
+    void 0,
+    { tenantId, organizationId: null }
+  );
+  if (!existing) return null;
+  return { id: existing.id, updatedAt: existing.updatedAt ?? null };
+}
 async function saveSidebarPreference(em, scope, input) {
   const normalized = normalizeSidebarSettings({
     ...input,
@@ -271,7 +295,7 @@ async function updateSidebarVariant(em, scope, variantId, input) {
   if (!variant) return null;
   const target = variant;
   await withAtomicFlush(em, [
-    async () => {
+    () => {
       if (typeof input.name === "string" && input.name.trim().length > 0) {
         target.name = input.name.trim();
       }
@@ -282,11 +306,13 @@ async function updateSidebarVariant(em, scope, variantId, input) {
         });
       }
       if (typeof input.isActive === "boolean") {
-        if (input.isActive) {
-          await deactivateAllVariants(em, scope, variantId);
-        }
         target.isActive = input.isActive;
       }
+    },
+    async () => {
+      if (input.isActive === true) {
+        await deactivateAllVariants(em, scope, variantId);
+      }
     }
   ], { transaction: true });
   return toVariantRecord(target);
@@ -325,8 +351,10 @@ export {
   deleteSidebarVariant,
   listSidebarVariants,
   loadFirstRoleSidebarPreference,
+  loadRoleSidebarPreferenceUpdatedAt,
   loadRoleSidebarPreferences,
   loadSidebarPreference,
+  loadSidebarPreferenceUpdatedAt,
   loadSidebarVariant,
   nextVariantAutoName,
   saveRoleSidebarPreference,

package/dist/modules/auth/services/sidebarPreferencesService.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/services/sidebarPreferencesService.ts"],
-  "sourcesContent": ["import { EntityManager, type FilterQuery } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { Role, RoleSidebarPreference, SidebarVariant, User, UserSidebarPreference } from '../data/entities'\nimport {\n  SIDEBAR_PREFERENCES_VERSION,\n  SidebarPreferencesSettings,\n  normalizeSidebarSettings,\n} from '@open-mercato/shared/modules/navigation/sidebarPreferences'\n\nexport type SidebarPreferenceScope = {\n  userId: string\n  tenantId?: string | null\n  organizationId?: string | null\n  locale: string\n}\n\nexport type RoleSidebarPreferenceScope = {\n  roleId: string\n  tenantId?: string | null\n  locale: string\n}\n\nexport type SidebarItemLike<T = Record<string, unknown>> = {\n  id?: string\n  href: string\n  title: string\n  defaultTitle: string\n  children?: SidebarItemLike<T>[]\n} & T\n\nexport type SidebarGroupLike<T = Record<string, unknown>> = {\n  id: string\n  name: string\n  defaultName: string\n  items: SidebarItemLike<T>[]\n  weight?: number\n} & T\n\nexport async function loadSidebarPreference(\n  em: EntityManager,\n  scope: SidebarPreferenceScope,\n): Promise<SidebarPreferencesSettings> {\n  // Cross-locale: variants & preferences are scoped per (user, tenant, org) only.\n  // The `locale` field on the row is kept for audit / when the row was created.\n  const { userId, tenantId, organizationId } = normalizeScope(scope)\n  const existing = await findOneWithDecryption(\n    em,\n    UserSidebarPreference,\n    { user: userId, tenantId, organizationId },\n    undefined,\n    { tenantId, organizationId },\n  )\n  return normalizeSidebarSettings(existing?.settingsJson as SidebarPreferencesSettings | undefined)\n}\n\nexport async function saveSidebarPreference(\n  em: EntityManager,\n  scope: SidebarPreferenceScope,\n  input: SidebarPreferencesSettings,\n): Promise<SidebarPreferencesSettings> {\n  const normalized = normalizeSidebarSettings({\n    ...input,\n    version: input?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n  const { userId, tenantId, organizationId, locale } = normalizeScope(scope)\n  let pref = await findOneWithDecryption(\n    em,\n    UserSidebarPreference,\n    { user: userId, tenantId, organizationId },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!pref) {\n    pref = em.create(UserSidebarPreference, {\n      user: em.getReference(User, userId),\n      tenantId,\n      organizationId,\n      locale,\n      settingsJson: normalized,\n      createdAt: new Date(),\n    })\n  } else {\n    pref.settingsJson = normalized\n  }\n  await em.flush()\n  return normalized\n}\n\nexport async function loadRoleSidebarPreferences(\n  em: EntityManager,\n  options: { roleIds: string[]; tenantId?: string | null; locale?: string },\n): Promise<Map<string, SidebarPreferencesSettings>> {\n  if (!options.roleIds.length) return new Map()\n  const tenantId = options.tenantId ?? null\n  const tenantFilter = tenantId === null ? null : { $in: [tenantId, null] }\n  const prefs = await findWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: { $in: options.roleIds }, tenantId: tenantFilter } as FilterQuery<RoleSidebarPreference>,\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  const map = new Map<string, SidebarPreferencesSettings>()\n  for (const pref of prefs) {\n    const key = pref.role.id\n    if (tenantId !== null) {\n      const existing = map.get(key)\n      if (existing && pref.tenantId === null) continue\n      if (!existing || pref.tenantId === tenantId) {\n        map.set(key, normalizeSidebarSettings(pref.settingsJson as SidebarPreferencesSettings | undefined))\n      }\n      continue\n    }\n    map.set(key, normalizeSidebarSettings(pref.settingsJson as SidebarPreferencesSettings | undefined))\n  }\n  return map\n}\n\nexport async function loadFirstRoleSidebarPreference(\n  em: EntityManager,\n  options: { roleIds: string[]; tenantId?: string | null; locale?: string },\n): Promise<SidebarPreferencesSettings | null> {\n  if (!options.roleIds.length) return null\n  const tenantId = options.tenantId ?? null\n  const tenantFilter = tenantId === null ? null : { $in: [tenantId, null] }\n  const prefs = await findWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: { $in: options.roleIds }, tenantId: tenantFilter } as FilterQuery<RoleSidebarPreference>,\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  if (!prefs.length) return null\n  const ordered = options.roleIds\n    .map((id) => {\n      if (tenantId !== null) {\n        const specific = prefs.find((pref) => pref.role.id === id && pref.tenantId === tenantId)\n        if (specific) return specific\n      }\n      return prefs.find((pref) => pref.role.id === id && pref.tenantId === null)\n    })\n    .filter(Boolean) as RoleSidebarPreference[]\n  const first = ordered[0] ?? prefs[0]\n  return normalizeSidebarSettings(first?.settingsJson as SidebarPreferencesSettings | undefined)\n}\n\nexport async function saveRoleSidebarPreference(\n  em: EntityManager,\n  scope: RoleSidebarPreferenceScope,\n  input: SidebarPreferencesSettings,\n): Promise<SidebarPreferencesSettings> {\n  const normalized = normalizeSidebarSettings({\n    ...input,\n    version: input?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n  const { roleId, tenantId, locale } = normalizeRoleScope(scope)\n  let pref = await findOneWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: roleId, tenantId },\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  if (!pref) {\n    pref = em.create(RoleSidebarPreference, {\n      role: em.getReference(Role, roleId),\n      tenantId,\n      locale,\n      settingsJson: normalized,\n      createdAt: new Date(),\n    })\n  } else {\n    pref.settingsJson = normalized\n  }\n  await em.flush()\n  return normalized\n}\n\nexport function applySidebarPreference<T extends SidebarGroupLike>(\n  groups: T[],\n  settings?: SidebarPreferencesSettings | null,\n): T[] {\n  const normalized = normalizeSidebarSettings(settings)\n  const orderIndex = new Map<string, number>()\n  normalized.groupOrder?.forEach((id, idx) => {\n    if (!orderIndex.has(id)) orderIndex.set(id, idx)\n  })\n  const hiddenSet = new Set(normalized.hiddenItems ?? [])\n  const resolveItemKey = (item: SidebarItemLike): string => {\n    const candidate = item.id?.trim()\n    if (candidate && candidate.length > 0) return candidate\n    return item.href\n  }\n  const applyItems = <TI extends SidebarItemLike>(items: TI[]): TI[] => {\n    return items.map((item) => {\n      const itemKey = resolveItemKey(item)\n      const override = normalized.itemLabels?.[itemKey] ?? normalized.itemLabels?.[item.href]\n      const nextChildren = item.children ? applyItems(item.children) : undefined\n      const hidden = hiddenSet.has(itemKey) || hiddenSet.has(item.href)\n      const next = {\n        ...item,\n        title: override && override.trim().length > 0 ? override.trim() : item.defaultTitle,\n        children: nextChildren,\n      } as TI & { hidden?: boolean }\n      next.hidden = hidden\n      return next\n    })\n  }\n  const mapped = groups.map((group) => {\n    const override = normalized.groupLabels?.[group.id]\n    return {\n      ...group,\n      name: override && override.trim().length > 0 ? override.trim() : group.defaultName,\n      items: applyItems(group.items),\n    }\n  })\n  mapped.sort((a, b) => {\n    const ao = orderIndex.has(a.id) ? orderIndex.get(a.id)! : Number.POSITIVE_INFINITY\n    const bo = orderIndex.has(b.id) ? orderIndex.get(b.id)! : Number.POSITIVE_INFINITY\n    if (ao !== bo) return ao - bo\n    const aw = typeof a.weight === 'number' ? a.weight : 10_000\n    const bw = typeof b.weight === 'number' ? b.weight : 10_000\n    if (aw !== bw) return aw - bw\n    return a.defaultName.localeCompare(b.defaultName)\n  })\n  return mapped\n}\n\nfunction normalizeScope(scope: SidebarPreferenceScope) {\n  return {\n    userId: scope.userId,\n    tenantId: scope.tenantId ?? null,\n    organizationId: scope.organizationId ?? null,\n    locale: scope.locale,\n  }\n}\n\nfunction normalizeRoleScope(scope: RoleSidebarPreferenceScope) {\n  return {\n    roleId: scope.roleId,\n    tenantId: scope.tenantId ?? null,\n    locale: scope.locale,\n  }\n}\n\n// --- Named variants (per-user library of saved sidebar layouts) ----------------\n\nexport type VariantScope = {\n  userId: string\n  tenantId?: string | null\n  organizationId?: string | null\n  locale: string\n}\n\nexport type SidebarVariantRecord = {\n  id: string\n  name: string\n  isActive: boolean\n  settings: SidebarPreferencesSettings\n  createdAt: Date\n  updatedAt?: Date | null\n}\n\nfunction toVariantRecord(variant: SidebarVariant): SidebarVariantRecord {\n  return {\n    id: variant.id,\n    name: variant.name,\n    isActive: variant.isActive === true,\n    settings: normalizeSidebarSettings(variant.settingsJson as SidebarPreferencesSettings | undefined),\n    createdAt: variant.createdAt,\n    updatedAt: variant.updatedAt ?? null,\n  }\n}\n\nexport async function listSidebarVariants(\n  em: EntityManager,\n  scope: VariantScope,\n): Promise<SidebarVariantRecord[]> {\n  // Cross-locale: variants are scoped per (user, tenant) only.\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variants = await findWithDecryption(\n    em,\n    SidebarVariant,\n    { user: userId, tenantId, deletedAt: null },\n    { orderBy: { createdAt: 'asc' } },\n    { tenantId, organizationId },\n  )\n  return variants.map(toVariantRecord)\n}\n\nexport async function loadSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n): Promise<SidebarVariantRecord | null> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  return variant ? toVariantRecord(variant) : null\n}\n\nexport async function nextVariantAutoName(\n  em: EntityManager,\n  scope: VariantScope,\n  prefix = 'My preferences',\n): Promise<string> {\n  const variants = await listSidebarVariants(em, scope)\n  // Match names like \"My preferences\", \"My preferences 2\", \"My preferences 17\"\n  const usedNumbers = new Set<number>()\n  for (const variant of variants) {\n    if (variant.name === prefix) {\n      usedNumbers.add(1)\n      continue\n    }\n    const escaped = prefix.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&')\n    const match = variant.name.match(new RegExp(`^${escaped}\\\\s+(\\\\d+)$`))\n    if (match) {\n      const n = Number.parseInt(match[1], 10)\n      if (!Number.isNaN(n)) usedNumbers.add(n)\n    }\n  }\n  if (!usedNumbers.has(1)) return prefix\n  let next = 2\n  while (usedNumbers.has(next)) next += 1\n  return `${prefix} ${next}`\n}\n\nexport async function createSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  input: {\n    name?: string | null\n    settings?: Partial<SidebarPreferencesSettings> | null\n    isActive?: boolean\n  },\n): Promise<SidebarVariantRecord> {\n  const { userId, tenantId, organizationId, locale } = normalizeVariantScope(scope)\n  const finalName = (input.name ?? '').trim() || (await nextVariantAutoName(em, scope))\n  const settings = normalizeSidebarSettings({\n    ...(input.settings ?? {}),\n    version: input.settings?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n\n  let variant!: SidebarVariant\n  await withAtomicFlush(em, [\n    async () => {\n      if (input.isActive === true) {\n        await deactivateAllVariants(em, scope)\n      }\n      variant = em.create(SidebarVariant, {\n        user: em.getReference(User, userId),\n        tenantId,\n        organizationId,\n        locale,\n        name: finalName,\n        settingsJson: settings,\n        isActive: input.isActive === true,\n        createdAt: new Date(),\n      })\n    },\n  ], { transaction: true })\n  return toVariantRecord(variant)\n}\n\nexport async function updateSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n  input: {\n    name?: string\n    settings?: Partial<SidebarPreferencesSettings> | null\n    isActive?: boolean\n  },\n): Promise<SidebarVariantRecord | null> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!variant) return null\n  const target = variant\n  await withAtomicFlush(em, [\n    async () => {\n      if (typeof input.name === 'string' && input.name.trim().length > 0) {\n        target.name = input.name.trim()\n      }\n      if (input.settings) {\n        target.settingsJson = normalizeSidebarSettings({\n          ...input.settings,\n          version: input.settings.version ?? SIDEBAR_PREFERENCES_VERSION,\n        })\n      }\n      if (typeof input.isActive === 'boolean') {\n        if (input.isActive) {\n          await deactivateAllVariants(em, scope, variantId)\n        }\n        target.isActive = input.isActive\n      }\n    },\n  ], { transaction: true })\n  return toVariantRecord(target)\n}\n\nexport async function deleteSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n): Promise<boolean> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!variant) return false\n  variant.deletedAt = new Date()\n  variant.isActive = false\n  await em.flush()\n  return true\n}\n\nasync function deactivateAllVariants(\n  em: EntityManager,\n  scope: VariantScope,\n  exceptId?: string,\n): Promise<void> {\n  const { userId, tenantId } = normalizeVariantScope(scope)\n  const where: FilterQuery<SidebarVariant> = exceptId\n    ? { user: userId, tenantId, isActive: true, deletedAt: null, id: { $ne: exceptId } }\n    : { user: userId, tenantId, isActive: true, deletedAt: null }\n  await em.nativeUpdate(SidebarVariant, where, { isActive: false })\n}\n\nfunction normalizeVariantScope(scope: VariantScope) {\n  return {\n    userId: scope.userId,\n    tenantId: scope.tenantId ?? null,\n    organizationId: scope.organizationId ?? null,\n    locale: scope.locale,\n  }\n}\n"],
-  "mappings": "AACA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,uBAAuB;AAChC,SAAS,MAAM,uBAAuB,gBAAgB,MAAM,6BAA6B;AACzF;AAAA,EACE;AAAA,EAEA;AAAA,OACK;AA+BP,eAAsB,sBACpB,IACA,OACqC;AAGrC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,eAAe,KAAK;AACjE,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,eAAe;AAAA,IACzC;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,yBAAyB,UAAU,YAAsD;AAClG;AAEA,eAAsB,sBACpB,IACA,OACA,OACqC;AACrC,QAAM,aAAa,yBAAyB;AAAA,IAC1C,GAAG;AAAA,IACH,SAAS,OAAO,WAAW;AAAA,EAC7B,CAAC;AACD,QAAM,EAAE,QAAQ,UAAU,gBAAgB,OAAO,IAAI,eAAe,KAAK;AACzE,MAAI,OAAO,MAAM;AAAA,IACf;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,eAAe;AAAA,IACzC;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,MAAM;AACT,WAAO,GAAG,OAAO,uBAAuB;AAAA,MACtC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH,OAAO;AACL,SAAK,eAAe;AAAA,EACtB;AACA,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEA,eAAsB,2BACpB,IACA,SACkD;AAClD,MAAI,CAAC,QAAQ,QAAQ,OAAQ,QAAO,oBAAI,IAAI;AAC5C,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,eAAe,aAAa,OAAO,OAAO,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;AACxE,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,QAAQ,GAAG,UAAU,aAAa;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,QAAM,MAAM,oBAAI,IAAwC;AACxD,aAAW,QAAQ,OAAO;AACxB,UAAM,MAAM,KAAK,KAAK;AACtB,QAAI,aAAa,MAAM;AACrB,YAAM,WAAW,IAAI,IAAI,GAAG;AAC5B,UAAI,YAAY,KAAK,aAAa,KAAM;AACxC,UAAI,CAAC,YAAY,KAAK,aAAa,UAAU;AAC3C,YAAI,IAAI,KAAK,yBAAyB,KAAK,YAAsD,CAAC;AAAA,MACpG;AACA;AAAA,IACF;AACA,QAAI,IAAI,KAAK,yBAAyB,KAAK,YAAsD,CAAC;AAAA,EACpG;AACA,SAAO;AACT;AAEA,eAAsB,+BACpB,IACA,SAC4C;AAC5C,MAAI,CAAC,QAAQ,QAAQ,OAAQ,QAAO;AACpC,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,eAAe,aAAa,OAAO,OAAO,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;AACxE,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,QAAQ,GAAG,UAAU,aAAa;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,MAAI,CAAC,MAAM,OAAQ,QAAO;AAC1B,QAAM,UAAU,QAAQ,QACrB,IAAI,CAAC,OAAO;AACX,QAAI,aAAa,MAAM;AACrB,YAAM,WAAW,MAAM,KAAK,CAAC,SAAS,KAAK,KAAK,OAAO,MAAM,KAAK,aAAa,QAAQ;AACvF,UAAI,SAAU,QAAO;AAAA,IACvB;AACA,WAAO,MAAM,KAAK,CAAC,SAAS,KAAK,KAAK,OAAO,MAAM,KAAK,aAAa,IAAI;AAAA,EAC3E,CAAC,EACA,OAAO,OAAO;AACjB,QAAM,QAAQ,QAAQ,CAAC,KAAK,MAAM,CAAC;AACnC,SAAO,yBAAyB,OAAO,YAAsD;AAC/F;AAEA,eAAsB,0BACpB,IACA,OACA,OACqC;AACrC,QAAM,aAAa,yBAAyB;AAAA,IAC1C,GAAG;AAAA,IACH,SAAS,OAAO,WAAW;AAAA,EAC7B,CAAC;AACD,QAAM,EAAE,QAAQ,UAAU,OAAO,IAAI,mBAAmB,KAAK;AAC7D,MAAI,OAAO,MAAM;AAAA,IACf;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,SAAS;AAAA,IACzB;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,MAAI,CAAC,MAAM;AACT,WAAO,GAAG,OAAO,uBAAuB;AAAA,MACtC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH,OAAO;AACL,SAAK,eAAe;AAAA,EACtB;AACA,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEO,SAAS,uBACd,QACA,UACK;AACL,QAAM,aAAa,yBAAyB,QAAQ;AACpD,QAAM,aAAa,oBAAI,IAAoB;AAC3C,aAAW,YAAY,QAAQ,CAAC,IAAI,QAAQ;AAC1C,QAAI,CAAC,WAAW,IAAI,EAAE,EAAG,YAAW,IAAI,IAAI,GAAG;AAAA,EACjD,CAAC;AACD,QAAM,YAAY,IAAI,IAAI,WAAW,eAAe,CAAC,CAAC;AACtD,QAAM,iBAAiB,CAAC,SAAkC;AACxD,UAAM,YAAY,KAAK,IAAI,KAAK;AAChC,QAAI,aAAa,UAAU,SAAS,EAAG,QAAO;AAC9C,WAAO,KAAK;AAAA,EACd;AACA,QAAM,aAAa,CAA6B,UAAsB;AACpE,WAAO,MAAM,IAAI,CAAC,SAAS;AACzB,YAAM,UAAU,eAAe,IAAI;AACnC,YAAM,WAAW,WAAW,aAAa,OAAO,KAAK,WAAW,aAAa,KAAK,IAAI;AACtF,YAAM,eAAe,KAAK,WAAW,WAAW,KAAK,QAAQ,IAAI;AACjE,YAAM,SAAS,UAAU,IAAI,OAAO,KAAK,UAAU,IAAI,KAAK,IAAI;AAChE,YAAM,OAAO;AAAA,QACX,GAAG;AAAA,QACH,OAAO,YAAY,SAAS,KAAK,EAAE,SAAS,IAAI,SAAS,KAAK,IAAI,KAAK;AAAA,QACvE,UAAU;AAAA,MACZ;AACA,WAAK,SAAS;AACd,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AACA,QAAM,SAAS,OAAO,IAAI,CAAC,UAAU;AACnC,UAAM,WAAW,WAAW,cAAc,MAAM,EAAE;AAClD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,MAAM,YAAY,SAAS,KAAK,EAAE,SAAS,IAAI,SAAS,KAAK,IAAI,MAAM;AAAA,MACvE,OAAO,WAAW,MAAM,KAAK;AAAA,IAC/B;AAAA,EACF,CAAC;AACD,SAAO,KAAK,CAAC,GAAG,MAAM;AACpB,UAAM,KAAK,WAAW,IAAI,EAAE,EAAE,IAAI,WAAW,IAAI,EAAE,EAAE,IAAK,OAAO;AACjE,UAAM,KAAK,WAAW,IAAI,EAAE,EAAE,IAAI,WAAW,IAAI,EAAE,EAAE,IAAK,OAAO;AACjE,QAAI,OAAO,GAAI,QAAO,KAAK;AAC3B,UAAM,KAAK,OAAO,EAAE,WAAW,WAAW,EAAE,SAAS;AACrD,UAAM,KAAK,OAAO,EAAE,WAAW,WAAW,EAAE,SAAS;AACrD,QAAI,OAAO,GAAI,QAAO,KAAK;AAC3B,WAAO,EAAE,YAAY,cAAc,EAAE,WAAW;AAAA,EAClD,CAAC;AACD,SAAO;AACT;AAEA,SAAS,eAAe,OAA+B;AACrD,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC,QAAQ,MAAM;AAAA,EAChB;AACF;AAEA,SAAS,mBAAmB,OAAmC;AAC7D,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,QAAQ,MAAM;AAAA,EAChB;AACF;AAoBA,SAAS,gBAAgB,SAA+C;AACtE,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,MAAM,QAAQ;AAAA,IACd,UAAU,QAAQ,aAAa;AAAA,IAC/B,UAAU,yBAAyB,QAAQ,YAAsD;AAAA,IACjG,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ,aAAa;AAAA,EAClC;AACF;AAEA,eAAsB,oBACpB,IACA,OACiC;AAEjC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IAC1C,EAAE,SAAS,EAAE,WAAW,MAAM,EAAE;AAAA,IAChC,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,SAAS,IAAI,eAAe;AACrC;AAEA,eAAsB,mBACpB,IACA,OACA,WACsC;AACtC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,UAAU,gBAAgB,OAAO,IAAI;AAC9C;AAEA,eAAsB,oBACpB,IACA,OACA,SAAS,kBACQ;AACjB,QAAM,WAAW,MAAM,oBAAoB,IAAI,KAAK;AAEpD,QAAM,cAAc,oBAAI,IAAY;AACpC,aAAW,WAAW,UAAU;AAC9B,QAAI,QAAQ,SAAS,QAAQ;AAC3B,kBAAY,IAAI,CAAC;AACjB;AAAA,IACF;AACA,UAAM,UAAU,OAAO,QAAQ,uBAAuB,MAAM;AAC5D,UAAM,QAAQ,QAAQ,KAAK,MAAM,IAAI,OAAO,IAAI,OAAO,aAAa,CAAC;AACrE,QAAI,OAAO;AACT,YAAM,IAAI,OAAO,SAAS,MAAM,CAAC,GAAG,EAAE;AACtC,UAAI,CAAC,OAAO,MAAM,CAAC,EAAG,aAAY,IAAI,CAAC;AAAA,IACzC;AAAA,EACF;AACA,MAAI,CAAC,YAAY,IAAI,CAAC,EAAG,QAAO;AAChC,MAAI,OAAO;AACX,SAAO,YAAY,IAAI,IAAI,EAAG,SAAQ;AACtC,SAAO,GAAG,MAAM,IAAI,IAAI;AAC1B;AAEA,eAAsB,qBACpB,IACA,OACA,OAK+B;AAC/B,QAAM,EAAE,QAAQ,UAAU,gBAAgB,OAAO,IAAI,sBAAsB,KAAK;AAChF,QAAM,aAAa,MAAM,QAAQ,IAAI,KAAK,KAAM,MAAM,oBAAoB,IAAI,KAAK;AACnF,QAAM,WAAW,yBAAyB;AAAA,IACxC,GAAI,MAAM,YAAY,CAAC;AAAA,IACvB,SAAS,MAAM,UAAU,WAAW;AAAA,EACtC,CAAC;AAED,MAAI;AACJ,QAAM,gBAAgB,IAAI;AAAA,IACxB,YAAY;AACV,UAAI,MAAM,aAAa,MAAM;AAC3B,cAAM,sBAAsB,IAAI,KAAK;AAAA,MACvC;AACA,gBAAU,GAAG,OAAO,gBAAgB;AAAA,QAClC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,QAClC;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN,cAAc;AAAA,QACd,UAAU,MAAM,aAAa;AAAA,QAC7B,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AAAA,IACH;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AACxB,SAAO,gBAAgB,OAAO;AAChC;AAEA,eAAsB,qBACpB,IACA,OACA,WACA,OAKsC;AACtC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,SAAS;AACf,QAAM,gBAAgB,IAAI;AAAA,IACxB,YAAY;AACV,UAAI,OAAO,MAAM,SAAS,YAAY,MAAM,KAAK,KAAK,EAAE,SAAS,GAAG;AAClE,eAAO,OAAO,MAAM,KAAK,KAAK;AAAA,MAChC;AACA,UAAI,MAAM,UAAU;AAClB,eAAO,eAAe,yBAAyB;AAAA,UAC7C,GAAG,MAAM;AAAA,UACT,SAAS,MAAM,SAAS,WAAW;AAAA,QACrC,CAAC;AAAA,MACH;AACA,UAAI,OAAO,MAAM,aAAa,WAAW;AACvC,YAAI,MAAM,UAAU;AAClB,gBAAM,sBAAsB,IAAI,OAAO,SAAS;AAAA,QAClD;AACA,eAAO,WAAW,MAAM;AAAA,MAC1B;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AACxB,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAsB,qBACpB,IACA,OACA,WACkB;AAClB,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,YAAY,oBAAI,KAAK;AAC7B,UAAQ,WAAW;AACnB,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEA,eAAe,sBACb,IACA,OACA,UACe;AACf,QAAM,EAAE,QAAQ,SAAS,IAAI,sBAAsB,KAAK;AACxD,QAAM,QAAqC,WACvC,EAAE,MAAM,QAAQ,UAAU,UAAU,MAAM,WAAW,MAAM,IAAI,EAAE,KAAK,SAAS,EAAE,IACjF,EAAE,MAAM,QAAQ,UAAU,UAAU,MAAM,WAAW,KAAK;AAC9D,QAAM,GAAG,aAAa,gBAAgB,OAAO,EAAE,UAAU,MAAM,CAAC;AAClE;AAEA,SAAS,sBAAsB,OAAqB;AAClD,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC,QAAQ,MAAM;AAAA,EAChB;AACF;",
+  "sourcesContent": ["import { EntityManager, type FilterQuery } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { Role, RoleSidebarPreference, SidebarVariant, User, UserSidebarPreference } from '../data/entities'\nimport {\n  SIDEBAR_PREFERENCES_VERSION,\n  SidebarPreferencesSettings,\n  normalizeSidebarSettings,\n} from '@open-mercato/shared/modules/navigation/sidebarPreferences'\n\nexport type SidebarPreferenceScope = {\n  userId: string\n  tenantId?: string | null\n  organizationId?: string | null\n  locale: string\n}\n\nexport type RoleSidebarPreferenceScope = {\n  roleId: string\n  tenantId?: string | null\n  locale: string\n}\n\nexport type SidebarItemLike<T = Record<string, unknown>> = {\n  id?: string\n  href: string\n  title: string\n  defaultTitle: string\n  children?: SidebarItemLike<T>[]\n} & T\n\nexport type SidebarGroupLike<T = Record<string, unknown>> = {\n  id: string\n  name: string\n  defaultName: string\n  items: SidebarItemLike<T>[]\n  weight?: number\n} & T\n\nexport async function loadSidebarPreference(\n  em: EntityManager,\n  scope: SidebarPreferenceScope,\n): Promise<SidebarPreferencesSettings> {\n  // Cross-locale: variants & preferences are scoped per (user, tenant, org) only.\n  // The `locale` field on the row is kept for audit / when the row was created.\n  const { userId, tenantId, organizationId } = normalizeScope(scope)\n  const existing = await findOneWithDecryption(\n    em,\n    UserSidebarPreference,\n    { user: userId, tenantId, organizationId },\n    undefined,\n    { tenantId, organizationId },\n  )\n  return normalizeSidebarSettings(existing?.settingsJson as SidebarPreferencesSettings | undefined)\n}\n\nexport async function loadSidebarPreferenceUpdatedAt(\n  em: EntityManager,\n  scope: SidebarPreferenceScope,\n): Promise<{ id: string; updatedAt: Date | null } | null> {\n  const { userId, tenantId, organizationId } = normalizeScope(scope)\n  const existing = await findOneWithDecryption(\n    em,\n    UserSidebarPreference,\n    { user: userId, tenantId, organizationId },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!existing) return null\n  return { id: existing.id, updatedAt: existing.updatedAt ?? null }\n}\n\nexport async function loadRoleSidebarPreferenceUpdatedAt(\n  em: EntityManager,\n  scope: RoleSidebarPreferenceScope,\n): Promise<{ id: string; updatedAt: Date | null } | null> {\n  const { roleId, tenantId } = normalizeRoleScope(scope)\n  const existing = await findOneWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: roleId, tenantId },\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  if (!existing) return null\n  return { id: existing.id, updatedAt: existing.updatedAt ?? null }\n}\n\nexport async function saveSidebarPreference(\n  em: EntityManager,\n  scope: SidebarPreferenceScope,\n  input: SidebarPreferencesSettings,\n): Promise<SidebarPreferencesSettings> {\n  const normalized = normalizeSidebarSettings({\n    ...input,\n    version: input?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n  const { userId, tenantId, organizationId, locale } = normalizeScope(scope)\n  let pref = await findOneWithDecryption(\n    em,\n    UserSidebarPreference,\n    { user: userId, tenantId, organizationId },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!pref) {\n    pref = em.create(UserSidebarPreference, {\n      user: em.getReference(User, userId),\n      tenantId,\n      organizationId,\n      locale,\n      settingsJson: normalized,\n      createdAt: new Date(),\n    })\n  } else {\n    pref.settingsJson = normalized\n  }\n  await em.flush()\n  return normalized\n}\n\nexport async function loadRoleSidebarPreferences(\n  em: EntityManager,\n  options: { roleIds: string[]; tenantId?: string | null; locale?: string },\n): Promise<Map<string, SidebarPreferencesSettings>> {\n  if (!options.roleIds.length) return new Map()\n  const tenantId = options.tenantId ?? null\n  const tenantFilter = tenantId === null ? null : { $in: [tenantId, null] }\n  const prefs = await findWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: { $in: options.roleIds }, tenantId: tenantFilter } as FilterQuery<RoleSidebarPreference>,\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  const map = new Map<string, SidebarPreferencesSettings>()\n  for (const pref of prefs) {\n    const key = pref.role.id\n    if (tenantId !== null) {\n      const existing = map.get(key)\n      if (existing && pref.tenantId === null) continue\n      if (!existing || pref.tenantId === tenantId) {\n        map.set(key, normalizeSidebarSettings(pref.settingsJson as SidebarPreferencesSettings | undefined))\n      }\n      continue\n    }\n    map.set(key, normalizeSidebarSettings(pref.settingsJson as SidebarPreferencesSettings | undefined))\n  }\n  return map\n}\n\nexport async function loadFirstRoleSidebarPreference(\n  em: EntityManager,\n  options: { roleIds: string[]; tenantId?: string | null; locale?: string },\n): Promise<SidebarPreferencesSettings | null> {\n  if (!options.roleIds.length) return null\n  const tenantId = options.tenantId ?? null\n  const tenantFilter = tenantId === null ? null : { $in: [tenantId, null] }\n  const prefs = await findWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: { $in: options.roleIds }, tenantId: tenantFilter } as FilterQuery<RoleSidebarPreference>,\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  if (!prefs.length) return null\n  const ordered = options.roleIds\n    .map((id) => {\n      if (tenantId !== null) {\n        const specific = prefs.find((pref) => pref.role.id === id && pref.tenantId === tenantId)\n        if (specific) return specific\n      }\n      return prefs.find((pref) => pref.role.id === id && pref.tenantId === null)\n    })\n    .filter(Boolean) as RoleSidebarPreference[]\n  const first = ordered[0] ?? prefs[0]\n  return normalizeSidebarSettings(first?.settingsJson as SidebarPreferencesSettings | undefined)\n}\n\nexport async function saveRoleSidebarPreference(\n  em: EntityManager,\n  scope: RoleSidebarPreferenceScope,\n  input: SidebarPreferencesSettings,\n): Promise<SidebarPreferencesSettings> {\n  const normalized = normalizeSidebarSettings({\n    ...input,\n    version: input?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n  const { roleId, tenantId, locale } = normalizeRoleScope(scope)\n  let pref = await findOneWithDecryption(\n    em,\n    RoleSidebarPreference,\n    { role: roleId, tenantId },\n    undefined,\n    { tenantId, organizationId: null },\n  )\n  if (!pref) {\n    pref = em.create(RoleSidebarPreference, {\n      role: em.getReference(Role, roleId),\n      tenantId,\n      locale,\n      settingsJson: normalized,\n      createdAt: new Date(),\n    })\n  } else {\n    pref.settingsJson = normalized\n  }\n  await em.flush()\n  return normalized\n}\n\nexport function applySidebarPreference<T extends SidebarGroupLike>(\n  groups: T[],\n  settings?: SidebarPreferencesSettings | null,\n): T[] {\n  const normalized = normalizeSidebarSettings(settings)\n  const orderIndex = new Map<string, number>()\n  normalized.groupOrder?.forEach((id, idx) => {\n    if (!orderIndex.has(id)) orderIndex.set(id, idx)\n  })\n  const hiddenSet = new Set(normalized.hiddenItems ?? [])\n  const resolveItemKey = (item: SidebarItemLike): string => {\n    const candidate = item.id?.trim()\n    if (candidate && candidate.length > 0) return candidate\n    return item.href\n  }\n  const applyItems = <TI extends SidebarItemLike>(items: TI[]): TI[] => {\n    return items.map((item) => {\n      const itemKey = resolveItemKey(item)\n      const override = normalized.itemLabels?.[itemKey] ?? normalized.itemLabels?.[item.href]\n      const nextChildren = item.children ? applyItems(item.children) : undefined\n      const hidden = hiddenSet.has(itemKey) || hiddenSet.has(item.href)\n      const next = {\n        ...item,\n        title: override && override.trim().length > 0 ? override.trim() : item.defaultTitle,\n        children: nextChildren,\n      } as TI & { hidden?: boolean }\n      next.hidden = hidden\n      return next\n    })\n  }\n  const mapped = groups.map((group) => {\n    const override = normalized.groupLabels?.[group.id]\n    return {\n      ...group,\n      name: override && override.trim().length > 0 ? override.trim() : group.defaultName,\n      items: applyItems(group.items),\n    }\n  })\n  mapped.sort((a, b) => {\n    const ao = orderIndex.has(a.id) ? orderIndex.get(a.id)! : Number.POSITIVE_INFINITY\n    const bo = orderIndex.has(b.id) ? orderIndex.get(b.id)! : Number.POSITIVE_INFINITY\n    if (ao !== bo) return ao - bo\n    const aw = typeof a.weight === 'number' ? a.weight : 10_000\n    const bw = typeof b.weight === 'number' ? b.weight : 10_000\n    if (aw !== bw) return aw - bw\n    return a.defaultName.localeCompare(b.defaultName)\n  })\n  return mapped\n}\n\nfunction normalizeScope(scope: SidebarPreferenceScope) {\n  return {\n    userId: scope.userId,\n    tenantId: scope.tenantId ?? null,\n    organizationId: scope.organizationId ?? null,\n    locale: scope.locale,\n  }\n}\n\nfunction normalizeRoleScope(scope: RoleSidebarPreferenceScope) {\n  return {\n    roleId: scope.roleId,\n    tenantId: scope.tenantId ?? null,\n    locale: scope.locale,\n  }\n}\n\n// --- Named variants (per-user library of saved sidebar layouts) ----------------\n\nexport type VariantScope = {\n  userId: string\n  tenantId?: string | null\n  organizationId?: string | null\n  locale: string\n}\n\nexport type SidebarVariantRecord = {\n  id: string\n  name: string\n  isActive: boolean\n  settings: SidebarPreferencesSettings\n  createdAt: Date\n  updatedAt?: Date | null\n}\n\nfunction toVariantRecord(variant: SidebarVariant): SidebarVariantRecord {\n  return {\n    id: variant.id,\n    name: variant.name,\n    isActive: variant.isActive === true,\n    settings: normalizeSidebarSettings(variant.settingsJson as SidebarPreferencesSettings | undefined),\n    createdAt: variant.createdAt,\n    updatedAt: variant.updatedAt ?? null,\n  }\n}\n\nexport async function listSidebarVariants(\n  em: EntityManager,\n  scope: VariantScope,\n): Promise<SidebarVariantRecord[]> {\n  // Cross-locale: variants are scoped per (user, tenant) only.\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variants = await findWithDecryption(\n    em,\n    SidebarVariant,\n    { user: userId, tenantId, deletedAt: null },\n    { orderBy: { createdAt: 'asc' } },\n    { tenantId, organizationId },\n  )\n  return variants.map(toVariantRecord)\n}\n\nexport async function loadSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n): Promise<SidebarVariantRecord | null> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  return variant ? toVariantRecord(variant) : null\n}\n\nexport async function nextVariantAutoName(\n  em: EntityManager,\n  scope: VariantScope,\n  prefix = 'My preferences',\n): Promise<string> {\n  const variants = await listSidebarVariants(em, scope)\n  // Match names like \"My preferences\", \"My preferences 2\", \"My preferences 17\"\n  const usedNumbers = new Set<number>()\n  for (const variant of variants) {\n    if (variant.name === prefix) {\n      usedNumbers.add(1)\n      continue\n    }\n    const escaped = prefix.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&')\n    const match = variant.name.match(new RegExp(`^${escaped}\\\\s+(\\\\d+)$`))\n    if (match) {\n      const n = Number.parseInt(match[1], 10)\n      if (!Number.isNaN(n)) usedNumbers.add(n)\n    }\n  }\n  if (!usedNumbers.has(1)) return prefix\n  let next = 2\n  while (usedNumbers.has(next)) next += 1\n  return `${prefix} ${next}`\n}\n\nexport async function createSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  input: {\n    name?: string | null\n    settings?: Partial<SidebarPreferencesSettings> | null\n    isActive?: boolean\n  },\n): Promise<SidebarVariantRecord> {\n  const { userId, tenantId, organizationId, locale } = normalizeVariantScope(scope)\n  const finalName = (input.name ?? '').trim() || (await nextVariantAutoName(em, scope))\n  const settings = normalizeSidebarSettings({\n    ...(input.settings ?? {}),\n    version: input.settings?.version ?? SIDEBAR_PREFERENCES_VERSION,\n  })\n\n  let variant!: SidebarVariant\n  await withAtomicFlush(em, [\n    async () => {\n      if (input.isActive === true) {\n        await deactivateAllVariants(em, scope)\n      }\n      variant = em.create(SidebarVariant, {\n        user: em.getReference(User, userId),\n        tenantId,\n        organizationId,\n        locale,\n        name: finalName,\n        settingsJson: settings,\n        isActive: input.isActive === true,\n        createdAt: new Date(),\n      })\n    },\n  ], { transaction: true })\n  return toVariantRecord(variant)\n}\n\nexport async function updateSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n  input: {\n    name?: string\n    settings?: Partial<SidebarPreferencesSettings> | null\n    isActive?: boolean\n  },\n): Promise<SidebarVariantRecord | null> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!variant) return null\n  const target = variant\n  await withAtomicFlush(em, [\n    () => {\n      if (typeof input.name === 'string' && input.name.trim().length > 0) {\n        target.name = input.name.trim()\n      }\n      if (input.settings) {\n        target.settingsJson = normalizeSidebarSettings({\n          ...input.settings,\n          version: input.settings.version ?? SIDEBAR_PREFERENCES_VERSION,\n        })\n      }\n      if (typeof input.isActive === 'boolean') {\n        target.isActive = input.isActive\n      }\n    },\n    async () => {\n      if (input.isActive === true) {\n        await deactivateAllVariants(em, scope, variantId)\n      }\n    },\n  ], { transaction: true })\n  return toVariantRecord(target)\n}\n\nexport async function deleteSidebarVariant(\n  em: EntityManager,\n  scope: VariantScope,\n  variantId: string,\n): Promise<boolean> {\n  const { userId, tenantId, organizationId } = normalizeVariantScope(scope)\n  const variant = await findOneWithDecryption(\n    em,\n    SidebarVariant,\n    { id: variantId, user: userId, tenantId, deletedAt: null },\n    undefined,\n    { tenantId, organizationId },\n  )\n  if (!variant) return false\n  variant.deletedAt = new Date()\n  variant.isActive = false\n  await em.flush()\n  return true\n}\n\nasync function deactivateAllVariants(\n  em: EntityManager,\n  scope: VariantScope,\n  exceptId?: string,\n): Promise<void> {\n  const { userId, tenantId } = normalizeVariantScope(scope)\n  const where: FilterQuery<SidebarVariant> = exceptId\n    ? { user: userId, tenantId, isActive: true, deletedAt: null, id: { $ne: exceptId } }\n    : { user: userId, tenantId, isActive: true, deletedAt: null }\n  await em.nativeUpdate(SidebarVariant, where, { isActive: false })\n}\n\nfunction normalizeVariantScope(scope: VariantScope) {\n  return {\n    userId: scope.userId,\n    tenantId: scope.tenantId ?? null,\n    organizationId: scope.organizationId ?? null,\n    locale: scope.locale,\n  }\n}\n"],
+  "mappings": "AACA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,uBAAuB;AAChC,SAAS,MAAM,uBAAuB,gBAAgB,MAAM,6BAA6B;AACzF;AAAA,EACE;AAAA,EAEA;AAAA,OACK;AA+BP,eAAsB,sBACpB,IACA,OACqC;AAGrC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,eAAe,KAAK;AACjE,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,eAAe;AAAA,IACzC;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,yBAAyB,UAAU,YAAsD;AAClG;AAEA,eAAsB,+BACpB,IACA,OACwD;AACxD,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,eAAe,KAAK;AACjE,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,eAAe;AAAA,IACzC;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,SAAU,QAAO;AACtB,SAAO,EAAE,IAAI,SAAS,IAAI,WAAW,SAAS,aAAa,KAAK;AAClE;AAEA,eAAsB,mCACpB,IACA,OACwD;AACxD,QAAM,EAAE,QAAQ,SAAS,IAAI,mBAAmB,KAAK;AACrD,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,SAAS;AAAA,IACzB;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,MAAI,CAAC,SAAU,QAAO;AACtB,SAAO,EAAE,IAAI,SAAS,IAAI,WAAW,SAAS,aAAa,KAAK;AAClE;AAEA,eAAsB,sBACpB,IACA,OACA,OACqC;AACrC,QAAM,aAAa,yBAAyB;AAAA,IAC1C,GAAG;AAAA,IACH,SAAS,OAAO,WAAW;AAAA,EAC7B,CAAC;AACD,QAAM,EAAE,QAAQ,UAAU,gBAAgB,OAAO,IAAI,eAAe,KAAK;AACzE,MAAI,OAAO,MAAM;AAAA,IACf;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,eAAe;AAAA,IACzC;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,MAAM;AACT,WAAO,GAAG,OAAO,uBAAuB;AAAA,MACtC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH,OAAO;AACL,SAAK,eAAe;AAAA,EACtB;AACA,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEA,eAAsB,2BACpB,IACA,SACkD;AAClD,MAAI,CAAC,QAAQ,QAAQ,OAAQ,QAAO,oBAAI,IAAI;AAC5C,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,eAAe,aAAa,OAAO,OAAO,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;AACxE,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,QAAQ,GAAG,UAAU,aAAa;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,QAAM,MAAM,oBAAI,IAAwC;AACxD,aAAW,QAAQ,OAAO;AACxB,UAAM,MAAM,KAAK,KAAK;AACtB,QAAI,aAAa,MAAM;AACrB,YAAM,WAAW,IAAI,IAAI,GAAG;AAC5B,UAAI,YAAY,KAAK,aAAa,KAAM;AACxC,UAAI,CAAC,YAAY,KAAK,aAAa,UAAU;AAC3C,YAAI,IAAI,KAAK,yBAAyB,KAAK,YAAsD,CAAC;AAAA,MACpG;AACA;AAAA,IACF;AACA,QAAI,IAAI,KAAK,yBAAyB,KAAK,YAAsD,CAAC;AAAA,EACpG;AACA,SAAO;AACT;AAEA,eAAsB,+BACpB,IACA,SAC4C;AAC5C,MAAI,CAAC,QAAQ,QAAQ,OAAQ,QAAO;AACpC,QAAM,WAAW,QAAQ,YAAY;AACrC,QAAM,eAAe,aAAa,OAAO,OAAO,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;AACxE,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAQ,QAAQ,GAAG,UAAU,aAAa;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,MAAI,CAAC,MAAM,OAAQ,QAAO;AAC1B,QAAM,UAAU,QAAQ,QACrB,IAAI,CAAC,OAAO;AACX,QAAI,aAAa,MAAM;AACrB,YAAM,WAAW,MAAM,KAAK,CAAC,SAAS,KAAK,KAAK,OAAO,MAAM,KAAK,aAAa,QAAQ;AACvF,UAAI,SAAU,QAAO;AAAA,IACvB;AACA,WAAO,MAAM,KAAK,CAAC,SAAS,KAAK,KAAK,OAAO,MAAM,KAAK,aAAa,IAAI;AAAA,EAC3E,CAAC,EACA,OAAO,OAAO;AACjB,QAAM,QAAQ,QAAQ,CAAC,KAAK,MAAM,CAAC;AACnC,SAAO,yBAAyB,OAAO,YAAsD;AAC/F;AAEA,eAAsB,0BACpB,IACA,OACA,OACqC;AACrC,QAAM,aAAa,yBAAyB;AAAA,IAC1C,GAAG;AAAA,IACH,SAAS,OAAO,WAAW;AAAA,EAC7B,CAAC;AACD,QAAM,EAAE,QAAQ,UAAU,OAAO,IAAI,mBAAmB,KAAK;AAC7D,MAAI,OAAO,MAAM;AAAA,IACf;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,SAAS;AAAA,IACzB;AAAA,IACA,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,MAAI,CAAC,MAAM;AACT,WAAO,GAAG,OAAO,uBAAuB;AAAA,MACtC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,MAClC;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,WAAW,oBAAI,KAAK;AAAA,IACtB,CAAC;AAAA,EACH,OAAO;AACL,SAAK,eAAe;AAAA,EACtB;AACA,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEO,SAAS,uBACd,QACA,UACK;AACL,QAAM,aAAa,yBAAyB,QAAQ;AACpD,QAAM,aAAa,oBAAI,IAAoB;AAC3C,aAAW,YAAY,QAAQ,CAAC,IAAI,QAAQ;AAC1C,QAAI,CAAC,WAAW,IAAI,EAAE,EAAG,YAAW,IAAI,IAAI,GAAG;AAAA,EACjD,CAAC;AACD,QAAM,YAAY,IAAI,IAAI,WAAW,eAAe,CAAC,CAAC;AACtD,QAAM,iBAAiB,CAAC,SAAkC;AACxD,UAAM,YAAY,KAAK,IAAI,KAAK;AAChC,QAAI,aAAa,UAAU,SAAS,EAAG,QAAO;AAC9C,WAAO,KAAK;AAAA,EACd;AACA,QAAM,aAAa,CAA6B,UAAsB;AACpE,WAAO,MAAM,IAAI,CAAC,SAAS;AACzB,YAAM,UAAU,eAAe,IAAI;AACnC,YAAM,WAAW,WAAW,aAAa,OAAO,KAAK,WAAW,aAAa,KAAK,IAAI;AACtF,YAAM,eAAe,KAAK,WAAW,WAAW,KAAK,QAAQ,IAAI;AACjE,YAAM,SAAS,UAAU,IAAI,OAAO,KAAK,UAAU,IAAI,KAAK,IAAI;AAChE,YAAM,OAAO;AAAA,QACX,GAAG;AAAA,QACH,OAAO,YAAY,SAAS,KAAK,EAAE,SAAS,IAAI,SAAS,KAAK,IAAI,KAAK;AAAA,QACvE,UAAU;AAAA,MACZ;AACA,WAAK,SAAS;AACd,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AACA,QAAM,SAAS,OAAO,IAAI,CAAC,UAAU;AACnC,UAAM,WAAW,WAAW,cAAc,MAAM,EAAE;AAClD,WAAO;AAAA,MACL,GAAG;AAAA,MACH,MAAM,YAAY,SAAS,KAAK,EAAE,SAAS,IAAI,SAAS,KAAK,IAAI,MAAM;AAAA,MACvE,OAAO,WAAW,MAAM,KAAK;AAAA,IAC/B;AAAA,EACF,CAAC;AACD,SAAO,KAAK,CAAC,GAAG,MAAM;AACpB,UAAM,KAAK,WAAW,IAAI,EAAE,EAAE,IAAI,WAAW,IAAI,EAAE,EAAE,IAAK,OAAO;AACjE,UAAM,KAAK,WAAW,IAAI,EAAE,EAAE,IAAI,WAAW,IAAI,EAAE,EAAE,IAAK,OAAO;AACjE,QAAI,OAAO,GAAI,QAAO,KAAK;AAC3B,UAAM,KAAK,OAAO,EAAE,WAAW,WAAW,EAAE,SAAS;AACrD,UAAM,KAAK,OAAO,EAAE,WAAW,WAAW,EAAE,SAAS;AACrD,QAAI,OAAO,GAAI,QAAO,KAAK;AAC3B,WAAO,EAAE,YAAY,cAAc,EAAE,WAAW;AAAA,EAClD,CAAC;AACD,SAAO;AACT;AAEA,SAAS,eAAe,OAA+B;AACrD,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC,QAAQ,MAAM;AAAA,EAChB;AACF;AAEA,SAAS,mBAAmB,OAAmC;AAC7D,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,QAAQ,MAAM;AAAA,EAChB;AACF;AAoBA,SAAS,gBAAgB,SAA+C;AACtE,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,MAAM,QAAQ;AAAA,IACd,UAAU,QAAQ,aAAa;AAAA,IAC/B,UAAU,yBAAyB,QAAQ,YAAsD;AAAA,IACjG,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ,aAAa;AAAA,EAClC;AACF;AAEA,eAAsB,oBACpB,IACA,OACiC;AAEjC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IAC1C,EAAE,SAAS,EAAE,WAAW,MAAM,EAAE;AAAA,IAChC,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,SAAS,IAAI,eAAe;AACrC;AAEA,eAAsB,mBACpB,IACA,OACA,WACsC;AACtC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,SAAO,UAAU,gBAAgB,OAAO,IAAI;AAC9C;AAEA,eAAsB,oBACpB,IACA,OACA,SAAS,kBACQ;AACjB,QAAM,WAAW,MAAM,oBAAoB,IAAI,KAAK;AAEpD,QAAM,cAAc,oBAAI,IAAY;AACpC,aAAW,WAAW,UAAU;AAC9B,QAAI,QAAQ,SAAS,QAAQ;AAC3B,kBAAY,IAAI,CAAC;AACjB;AAAA,IACF;AACA,UAAM,UAAU,OAAO,QAAQ,uBAAuB,MAAM;AAC5D,UAAM,QAAQ,QAAQ,KAAK,MAAM,IAAI,OAAO,IAAI,OAAO,aAAa,CAAC;AACrE,QAAI,OAAO;AACT,YAAM,IAAI,OAAO,SAAS,MAAM,CAAC,GAAG,EAAE;AACtC,UAAI,CAAC,OAAO,MAAM,CAAC,EAAG,aAAY,IAAI,CAAC;AAAA,IACzC;AAAA,EACF;AACA,MAAI,CAAC,YAAY,IAAI,CAAC,EAAG,QAAO;AAChC,MAAI,OAAO;AACX,SAAO,YAAY,IAAI,IAAI,EAAG,SAAQ;AACtC,SAAO,GAAG,MAAM,IAAI,IAAI;AAC1B;AAEA,eAAsB,qBACpB,IACA,OACA,OAK+B;AAC/B,QAAM,EAAE,QAAQ,UAAU,gBAAgB,OAAO,IAAI,sBAAsB,KAAK;AAChF,QAAM,aAAa,MAAM,QAAQ,IAAI,KAAK,KAAM,MAAM,oBAAoB,IAAI,KAAK;AACnF,QAAM,WAAW,yBAAyB;AAAA,IACxC,GAAI,MAAM,YAAY,CAAC;AAAA,IACvB,SAAS,MAAM,UAAU,WAAW;AAAA,EACtC,CAAC;AAED,MAAI;AACJ,QAAM,gBAAgB,IAAI;AAAA,IACxB,YAAY;AACV,UAAI,MAAM,aAAa,MAAM;AAC3B,cAAM,sBAAsB,IAAI,KAAK;AAAA,MACvC;AACA,gBAAU,GAAG,OAAO,gBAAgB;AAAA,QAClC,MAAM,GAAG,aAAa,MAAM,MAAM;AAAA,QAClC;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN,cAAc;AAAA,QACd,UAAU,MAAM,aAAa;AAAA,QAC7B,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AAAA,IACH;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AACxB,SAAO,gBAAgB,OAAO;AAChC;AAEA,eAAsB,qBACpB,IACA,OACA,WACA,OAKsC;AACtC,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,SAAS;AACf,QAAM,gBAAgB,IAAI;AAAA,IACxB,MAAM;AACJ,UAAI,OAAO,MAAM,SAAS,YAAY,MAAM,KAAK,KAAK,EAAE,SAAS,GAAG;AAClE,eAAO,OAAO,MAAM,KAAK,KAAK;AAAA,MAChC;AACA,UAAI,MAAM,UAAU;AAClB,eAAO,eAAe,yBAAyB;AAAA,UAC7C,GAAG,MAAM;AAAA,UACT,SAAS,MAAM,SAAS,WAAW;AAAA,QACrC,CAAC;AAAA,MACH;AACA,UAAI,OAAO,MAAM,aAAa,WAAW;AACvC,eAAO,WAAW,MAAM;AAAA,MAC1B;AAAA,IACF;AAAA,IACA,YAAY;AACV,UAAI,MAAM,aAAa,MAAM;AAC3B,cAAM,sBAAsB,IAAI,OAAO,SAAS;AAAA,MAClD;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AACxB,SAAO,gBAAgB,MAAM;AAC/B;AAEA,eAAsB,qBACpB,IACA,OACA,WACkB;AAClB,QAAM,EAAE,QAAQ,UAAU,eAAe,IAAI,sBAAsB,KAAK;AACxE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,WAAW,MAAM,QAAQ,UAAU,WAAW,KAAK;AAAA,IACzD;AAAA,IACA,EAAE,UAAU,eAAe;AAAA,EAC7B;AACA,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,YAAY,oBAAI,KAAK;AAC7B,UAAQ,WAAW;AACnB,QAAM,GAAG,MAAM;AACf,SAAO;AACT;AAEA,eAAe,sBACb,IACA,OACA,UACe;AACf,QAAM,EAAE,QAAQ,SAAS,IAAI,sBAAsB,KAAK;AACxD,QAAM,QAAqC,WACvC,EAAE,MAAM,QAAQ,UAAU,UAAU,MAAM,WAAW,MAAM,IAAI,EAAE,KAAK,SAAS,EAAE,IACjF,EAAE,MAAM,QAAQ,UAAU,UAAU,MAAM,WAAW,KAAK;AAC9D,QAAM,GAAG,aAAa,gBAAgB,OAAO,EAAE,UAAU,MAAM,CAAC;AAClE;AAEA,SAAS,sBAAsB,OAAqB;AAClD,SAAO;AAAA,IACL,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM,YAAY;AAAA,IAC5B,gBAAgB,MAAM,kBAAkB;AAAA,IACxC,QAAQ,MAAM;AAAA,EAChB;AACF;",
   "names": []
 }

package/dist/modules/business_rules/api/rules/route.js CHANGED Viewed

@@ -3,6 +3,8 @@ import { z } from "zod";
 import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { resolveTranslations } from "@open-mercato/shared/lib/i18n/server";
+import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
 import { BusinessRule } from "../../data/entities.js";
 import { escapeLikePattern } from "@open-mercato/shared/lib/db/escapeLikePattern";
 import {
@@ -235,6 +237,19 @@ async function PUT(req) {
   if (!rule) {
     return NextResponse.json({ error: "Rule not found" }, { status: 404 });
   }
+  try {
+    enforceCommandOptimisticLock({
+      resourceKind: "business_rules.rule",
+      resourceId: rule.id,
+      current: rule.updatedAt ?? null,
+      request: req
+    });
+  } catch (err) {
+    if (isCrudHttpError(err)) {
+      return NextResponse.json(err.body, { status: err.status });
+    }
+    throw err;
+  }
   em.assign(rule, parsed.data);
   try {
     await em.persist(rule).flush();
@@ -270,6 +285,19 @@ async function DELETE(req) {
   if (!rule) {
     return NextResponse.json({ error: "Rule not found" }, { status: 404 });
   }
+  try {
+    enforceCommandOptimisticLock({
+      resourceKind: "business_rules.rule",
+      resourceId: rule.id,
+      current: rule.updatedAt ?? null,
+      request: req
+    });
+  } catch (err) {
+    if (isCrudHttpError(err)) {
+      return NextResponse.json(err.body, { status: err.status });
+    }
+    throw err;
+  }
   rule.deletedAt = /* @__PURE__ */ new Date();
   await em.persist(rule).flush();
   await invalidateBusinessRuleDiscoveryCache(cache, rule.tenantId, rule.organizationId);