npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd - Mend

@open-mercato/core 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (533) hide show

package/dist/modules/communication_channels/api/get/oauth/[provider]/callback/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/communication_channels/api/get/oauth/%5Bprovider%5D/callback/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { toAbsoluteUrl } from '@open-mercato/shared/lib/url'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { createConnectedChannelRow, MailboxAlreadyConnectedError } from '../../../../../lib/connect-channel'\nimport { getChannelAdapter } from '../../../../../lib/adapter-registry-singleton'\nimport { resolveOAuthClientCredentials } from '../../../../../lib/oauth-client-config'\nimport {\n  COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME,\n  DEFAULT_OAUTH_RETURN_URL,\n  normalizeOAuthReturnUrl,\n  OAuthStateError,\n  verifyOAuthState,\n} from '../../../../../lib/oauth-state'\n\nexport const metadata = {\n  path: '/communication_channels/oauth/[provider]/callback',\n  // No auth feature gate \u2014 the state cookie carries identity. The route still\n  // verifies the session below to bind the callback to its initiator.\n  GET: { requireAuth: true },\n}\n\ntype RouteContext = {\n  params: Promise<{ provider: string }> | { provider: string }\n}\n\ntype CredentialsServiceLike = {\n  resolve: (\n    integrationId: string,\n    scope: { organizationId: string; tenantId: string; userId?: string | null },\n  ) => Promise<Record<string, unknown> | null>\n  save?: (\n    integrationId: string,\n    credentials: Record<string, unknown>,\n    scope: { organizationId: string; tenantId: string; userId?: string | null },\n  ) => Promise<void>\n}\n\nfunction redirectWithFlash(\n  req: Request,\n  returnUrl: string,\n  flash: { type: 'connected' | 'error'; code?: string; provider?: string; channelId?: string },\n): Response {\n  const base = new URL(\n    normalizeOAuthReturnUrl(returnUrl, DEFAULT_OAUTH_RETURN_URL),\n    new URL(req.url).origin,\n  )\n  base.searchParams.set('flash', flash.type)\n  if (flash.code) base.searchParams.set('code', flash.code)\n  if (flash.provider) base.searchParams.set('provider', flash.provider)\n  if (flash.channelId) base.searchParams.set('channelId', flash.channelId)\n  const response = NextResponse.redirect(base.toString(), 302)\n  response.cookies.set({\n    name: COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME,\n    value: '',\n    httpOnly: true,\n    secure: process.env.NODE_ENV === 'production',\n    sameSite: 'lax',\n    path: '/',\n    maxAge: 0,\n  })\n  return response\n}\n\nexport async function GET(req: Request, context: RouteContext): Promise<Response> {\n  const { provider } = await context.params\n  const url = new URL(req.url)\n  const code = url.searchParams.get('code') ?? ''\n  const stateParam = url.searchParams.get('state') ?? ''\n  const error = url.searchParams.get('error')\n\n  if (error) {\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, { type: 'error', code: error, provider })\n  }\n  if (!code || !stateParam) {\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {\n      type: 'error',\n      code: 'missing_code_or_state',\n      provider,\n    })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub || !auth?.tenantId) {\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {\n      type: 'error',\n      code: 'unauthorized',\n      provider,\n    })\n  }\n\n  const adapter = getChannelAdapter(provider)\n  if (!adapter || typeof adapter.exchangeOAuthCode !== 'function') {\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {\n      type: 'error',\n      code: 'unknown_provider',\n      provider,\n    })\n  }\n\n  const cookieValue = req.headers.get('cookie') ?? ''\n  const stateCookie = parseCookie(cookieValue, COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME)\n\n  let statePayload\n  try {\n    statePayload = verifyOAuthState({\n      cookie: stateCookie,\n      expectedUserId: auth.sub as string,\n      expectedProviderKey: provider,\n      expectedState: stateParam,\n    })\n  } catch (err) {\n    const errCode = err instanceof OAuthStateError ? err.code : 'invalid_state'\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {\n      type: 'error',\n      code: errCode,\n      provider,\n    })\n  }\n\n  // Defense-in-depth: the signed state is minted for a specific tenant at\n  // initiate time and `verifyOAuthState` already binds it to `auth.sub`. Assert\n  // the session tenant matches too, so a token/session anomaly can never create\n  // a channel under a different tenant than the one that started the flow.\n  if (statePayload.tenantId !== auth.tenantId) {\n    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {\n      type: 'error',\n      code: 'tenant_mismatch',\n      provider,\n    })\n  }\n\n  const returnUrl = normalizeOAuthReturnUrl(statePayload.returnUrl, DEFAULT_OAUTH_RETURN_URL)\n\n  // Exchange the code via the adapter.\n  const container = await createRequestContainer()\n  const credentialsService = (() => {\n    try {\n      return container.resolve('integrationCredentialsService') as CredentialsServiceLike\n    } catch {\n      return null\n    }\n  })()\n  // Resolve the tenant's OAuth client app config from the `channel_<provider>`\n  // integration (userId = null). Same source the `initiate` route uses; a\n  // missing row means the provider was never configured, so bounce back with an\n  // actionable code rather than attempting an exchange with empty credentials.\n  const oauthClientCredentials = await resolveOAuthClientCredentials(credentialsService, provider, {\n    tenantId: statePayload.tenantId,\n    organizationId: statePayload.organizationId ?? null,\n  })\n  if (!oauthClientCredentials) {\n    return redirectWithFlash(req, returnUrl, {\n      type: 'error',\n      code: 'oauth_client_not_configured',\n      provider,\n    })\n  }\n\n  // Must byte-for-byte match the redirect_uri sent at authorize time (the\n  // `initiate` route), including behind a reverse proxy \u2014 derive it from the\n  // configured app origin rather than the raw request URL.\n  const redirectUri = toAbsoluteUrl(req, `/api/communication_channels/oauth/${provider}/callback`)\n\n  let exchange\n  try {\n    exchange = await adapter.exchangeOAuthCode({\n      code,\n      redirectUri,\n      credentials: oauthClientCredentials,\n      scope: {\n        tenantId: statePayload.tenantId,\n        organizationId: statePayload.organizationId ?? statePayload.tenantId,\n      },\n      stateExtra: statePayload.extra,\n    })\n  } catch (err) {\n    console.warn(\n      `[communication_channels:oauth] code exchange failed for provider ${provider}:`,\n      err instanceof Error ? err.message : err,\n    )\n    return redirectWithFlash(req, returnUrl, {\n      type: 'error',\n      code: 'exchange_failed',\n      provider,\n    })\n  }\n\n  // Persist the encrypted credentials under a per-user `integration_credentials`\n  // row, then create / update the per-user `CommunicationChannel`.\n  const em = (container.resolve('em') as EntityManager).fork()\n  // Per-user scope: pass `userId` so the credentials service writes to a\n  // user-scoped row instead of overwriting the tenant-wide row. Without this,\n  // two users on the same tenant share one credentials row (see review R2-C1\n  // / N1, 2026-05-26).\n  const credentialsScope = {\n    tenantId: statePayload.tenantId,\n    organizationId: statePayload.organizationId ?? statePayload.tenantId,\n    userId: auth.sub as string,\n  }\n  let credentialsRefId: string | null = null\n  let credentialsPersisted = false\n  if (credentialsService?.save) {\n    try {\n      // Save under a per-provider integration id namespace; per-user scoping is\n      // recorded on `IntegrationCredentials.user_id` via the `scope.userId`.\n      // Arg order MUST be (integrationId, credentials, scope) \u2014 matches the real\n      // CredentialsService signature; the legacy reversed order corrupted the\n      // saved row by writing the scope object into the credentials field.\n      await credentialsService.save(\n        `channel_${provider}`,\n        {\n          ...exchange.credentials,\n          userId: auth.sub,\n          expiresAt: exchange.expiresAt ? exchange.expiresAt.toISOString() : undefined,\n        },\n        credentialsScope,\n      )\n      credentialsPersisted = true\n    } catch (err) {\n      console.warn(\n        `[communication_channels:oauth] persisting credentials failed for provider ${provider}:`,\n        err instanceof Error ? err.message : err,\n      )\n    }\n  }\n  // Resolve the saved row's id so we can link `channel.credentialsRef` to it.\n  // `credentialsService.save` is `void`-returning by contract, so we re-find the\n  // row immediately afterwards. Best-effort \u2014 null is acceptable; the channel\n  // creation below will downgrade to `requires_reauth` so workers don't poll\n  // a credential-less channel.\n  if (credentialsPersisted) {\n    try {\n      const { IntegrationCredentials } = await import('@open-mercato/core/modules/integrations/data/entities')\n      const { findOneWithDecryption } = await import('@open-mercato/shared/lib/encryption/find')\n      const row = await findOneWithDecryption(\n        em,\n        IntegrationCredentials,\n        {\n          integrationId: `channel_${provider}`,\n          tenantId: credentialsScope.tenantId,\n          organizationId: credentialsScope.organizationId,\n          userId: credentialsScope.userId,\n          deletedAt: null,\n        },\n        undefined,\n        credentialsScope,\n      )\n      credentialsRefId = (row as { id?: string } | null)?.id ?? null\n    } catch {\n      credentialsRefId = null\n    }\n  }\n\n  const displayName =\n    exchange.displayName ?? exchange.externalIdentifier ?? `${provider} channel`\n  // Fail-safe: if credentials persistence failed (no `credentialsRef` available),\n  // create the channel in `requires_reauth` so workers don't poll a channel that\n  // has no usable credentials. The user can re-run the OAuth flow to recover\n  // (see review R2-H4 / F6, 2026-05-26).\n  const credentialsAvailable = credentialsRefId !== null\n  let channel\n  try {\n    channel = await createConnectedChannelRow({\n      em,\n      adapter,\n      providerKey: provider,\n      displayName,\n      externalIdentifier: exchange.externalIdentifier ?? null,\n      credentialsRefId,\n      userId: auth.sub as string,\n      scope: { tenantId: statePayload.tenantId, organizationId: statePayload.organizationId ?? null },\n    })\n  } catch (err) {\n    // Same mailbox already connected via another provider \u2014 don't create a second\n    // channel that double-ingests every message; send the user back with a flash.\n    if (err instanceof MailboxAlreadyConnectedError) {\n      console.warn(\n        `[communication_channels:oauth] mailbox ${err.externalIdentifier} already connected via ${err.existingProviderKey}`,\n      )\n      return redirectWithFlash(req, returnUrl, {\n        type: 'error',\n        code: 'mailbox_already_connected',\n        provider,\n      })\n    }\n    throw err\n  }\n\n  // Spec C \u00A7 Phase C5 \u2014 best-effort push registration for OAuth providers\n  // that support it (Gmail). Same shape as the credential-connect\n  // path: failures persist as `pushStatus='failed'` on channelState and DO\n  // NOT fail the connect \u2014 polling fallback covers until the operator clicks\n  // \"Re-register push\" on the channels page.\n  const adapterSupportsPush =\n    typeof adapter.registerPush === 'function' && typeof adapter.unregisterPush === 'function'\n  if (\n    credentialsAvailable &&\n    adapterSupportsPush &&\n    statePayload.organizationId &&\n    provider === 'gmail'\n  ) {\n    try {\n      const { pushRegister } = await import('../../../../../commands/push-register')\n      await pushRegister({\n        container,\n        scope: {\n          tenantId: statePayload.tenantId,\n          organizationId: statePayload.organizationId,\n          userId: auth.sub as string,\n        },\n        input: { channelId: channel.id },\n      })\n    } catch (err) {\n      console.warn(\n        `[oauth-callback] best-effort pushRegister failed for ${channel.id}: ${\n          err instanceof Error ? err.message : String(err)\n        }`,\n      )\n    }\n  }\n\n  return redirectWithFlash(req, returnUrl, {\n    type: 'connected',\n    provider,\n    channelId: channel.id,\n  })\n}\n\nfunction parseCookie(header: string, name: string): string | null {\n  if (!header) return null\n  const segments = header.split(';')\n  for (const segment of segments) {\n    const trimmed = segment.trim()\n    if (trimmed.startsWith(`${name}=`)) {\n      return decodeURIComponent(trimmed.slice(name.length + 1))\n    }\n  }\n  return null\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    GET: {\n      summary: 'OAuth callback \u2014 exchange code, persist credentials, create per-user channel',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 302, description: 'Redirect back to returnUrl with flash query params' },\n      ],\n    },\n  },\n}\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,0BAA0B;AACnC,SAAS,qBAAqB;AAC9B,SAAS,8BAA8B;AAEvC,SAAS,2BAA2B,oCAAoC;AACxE,SAAS,yBAAyB;AAClC,SAAS,qCAAqC;AAC9C;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEA,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA;AAAA;AAAA,EAGN,KAAK,EAAE,aAAa,KAAK;AAC3B;AAkBA,SAAS,kBACP,KACA,WACA,OACU;AACV,QAAM,OAAO,IAAI;AAAA,IACf,wBAAwB,WAAW,wBAAwB;AAAA,IAC3D,IAAI,IAAI,IAAI,GAAG,EAAE;AAAA,EACnB;AACA,OAAK,aAAa,IAAI,SAAS,MAAM,IAAI;AACzC,MAAI,MAAM,KAAM,MAAK,aAAa,IAAI,QAAQ,MAAM,IAAI;AACxD,MAAI,MAAM,SAAU,MAAK,aAAa,IAAI,YAAY,MAAM,QAAQ;AACpE,MAAI,MAAM,UAAW,MAAK,aAAa,IAAI,aAAa,MAAM,SAAS;AACvE,QAAM,WAAW,aAAa,SAAS,KAAK,SAAS,GAAG,GAAG;AAC3D,WAAS,QAAQ,IAAI;AAAA,IACnB,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV,CAAC;AACD,SAAO;AACT;AAEA,eAAsB,IAAI,KAAc,SAA0C;AAChF,QAAM,EAAE,SAAS,IAAI,MAAM,QAAQ;AACnC,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,IAAI,aAAa,IAAI,MAAM,KAAK;AAC7C,QAAM,aAAa,IAAI,aAAa,IAAI,OAAO,KAAK;AACpD,QAAM,QAAQ,IAAI,aAAa,IAAI,OAAO;AAE1C,MAAI,OAAO;AACT,WAAO,kBAAkB,KAAK,0BAA0B,EAAE,MAAM,SAAS,MAAM,OAAO,SAAS,CAAC;AAAA,EAClG;AACA,MAAI,CAAC,QAAQ,CAAC,YAAY;AACxB,WAAO,kBAAkB,KAAK,0BAA0B;AAAA,MACtD,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,OAAO,CAAC,MAAM,UAAU;AACjC,WAAO,kBAAkB,KAAK,0BAA0B;AAAA,MACtD,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,UAAU,kBAAkB,QAAQ;AAC1C,MAAI,CAAC,WAAW,OAAO,QAAQ,sBAAsB,YAAY;AAC/D,WAAO,kBAAkB,KAAK,0BAA0B;AAAA,MACtD,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,IAAI,QAAQ,IAAI,QAAQ,KAAK;AACjD,QAAM,cAAc,YAAY,aAAa,8CAA8C;AAE3F,MAAI;AACJ,MAAI;AACF,mBAAe,iBAAiB;AAAA,MAC9B,QAAQ;AAAA,MACR,gBAAgB,KAAK;AAAA,MACrB,qBAAqB;AAAA,MACrB,eAAe;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,kBAAkB,IAAI,OAAO;AAC5D,WAAO,kBAAkB,KAAK,0BAA0B;AAAA,MACtD,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAMA,MAAI,aAAa,aAAa,KAAK,UAAU;AAC3C,WAAO,kBAAkB,KAAK,0BAA0B;AAAA,MACtD,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,YAAY,wBAAwB,aAAa,WAAW,wBAAwB;AAG1F,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,sBAAsB,MAAM;AAChC,QAAI;AACF,aAAO,UAAU,QAAQ,+BAA+B;AAAA,IAC1D,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG;AAKH,QAAM,yBAAyB,MAAM,8BAA8B,oBAAoB,UAAU;AAAA,IAC/F,UAAU,aAAa;AAAA,IACvB,gBAAgB,aAAa,kBAAkB;AAAA,EACjD,CAAC;AACD,MAAI,CAAC,wBAAwB;AAC3B,WAAO,kBAAkB,KAAK,WAAW;AAAA,MACvC,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAKA,QAAM,cAAc,cAAc,KAAK,qCAAqC,QAAQ,WAAW;AAE/F,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,QAAQ,kBAAkB;AAAA,MACzC;AAAA,MACA;AAAA,MACA,aAAa;AAAA,MACb,OAAO;AAAA,QACL,UAAU,aAAa;AAAA,QACvB,gBAAgB,aAAa,kBAAkB,aAAa;AAAA,MAC9D;AAAA,MACA,YAAY,aAAa;AAAA,IAC3B,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ;AAAA,MACN,oEAAoE,QAAQ;AAAA,MAC5E,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AACA,WAAO,kBAAkB,KAAK,WAAW;AAAA,MACvC,MAAM;AAAA,MACN,MAAM;AAAA,MACN;AAAA,IACF,CAAC;AAAA,EACH;AAIA,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAK3D,QAAM,mBAAmB;AAAA,IACvB,UAAU,aAAa;AAAA,IACvB,gBAAgB,aAAa,kBAAkB,aAAa;AAAA,IAC5D,QAAQ,KAAK;AAAA,EACf;AACA,MAAI,mBAAkC;AACtC,MAAI,uBAAuB;AAC3B,MAAI,oBAAoB,MAAM;AAC5B,QAAI;AAMF,YAAM,mBAAmB;AAAA,QACvB,WAAW,QAAQ;AAAA,QACnB;AAAA,UACE,GAAG,SAAS;AAAA,UACZ,QAAQ,KAAK;AAAA,UACb,WAAW,SAAS,YAAY,SAAS,UAAU,YAAY,IAAI;AAAA,QACrE;AAAA,QACA;AAAA,MACF;AACA,6BAAuB;AAAA,IACzB,SAAS,KAAK;AACZ,cAAQ;AAAA,QACN,6EAA6E,QAAQ;AAAA,QACrF,eAAe,QAAQ,IAAI,UAAU;AAAA,MACvC;AAAA,IACF;AAAA,EACF;AAMA,MAAI,sBAAsB;AACxB,QAAI;AACF,YAAM,EAAE,uBAAuB,IAAI,MAAM,OAAO,uDAAuD;AACvG,YAAM,EAAE,sBAAsB,IAAI,MAAM,OAAO,0CAA0C;AACzF,YAAM,MAAM,MAAM;AAAA,QAChB;AAAA,QACA;AAAA,QACA;AAAA,UACE,eAAe,WAAW,QAAQ;AAAA,UAClC,UAAU,iBAAiB;AAAA,UAC3B,gBAAgB,iBAAiB;AAAA,UACjC,QAAQ,iBAAiB;AAAA,UACzB,WAAW;AAAA,QACb;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,yBAAoB,KAAgC,MAAM;AAAA,IAC5D,QAAQ;AACN,yBAAmB;AAAA,IACrB;AAAA,EACF;AAEA,QAAM,cACJ,SAAS,eAAe,SAAS,sBAAsB,GAAG,QAAQ;AAKpE,QAAM,uBAAuB,qBAAqB;AAClD,MAAI;AACJ,MAAI;AACF,cAAU,MAAM,0BAA0B;AAAA,MACxC;AAAA,MACA;AAAA,MACA,aAAa;AAAA,MACb;AAAA,MACA,oBAAoB,SAAS,sBAAsB;AAAA,MACnD;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,OAAO,EAAE,UAAU,aAAa,UAAU,gBAAgB,aAAa,kBAAkB,KAAK;AAAA,IAChG,CAAC;AAAA,EACH,SAAS,KAAK;AAGZ,QAAI,eAAe,8BAA8B;AAC/C,cAAQ;AAAA,QACN,0CAA0C,IAAI,kBAAkB,0BAA0B,IAAI,mBAAmB;AAAA,MACnH;AACA,aAAO,kBAAkB,KAAK,WAAW;AAAA,QACvC,MAAM;AAAA,QACN,MAAM;AAAA,QACN;AAAA,MACF,CAAC;AAAA,IACH;AACA,UAAM;AAAA,EACR;AAOA,QAAM,sBACJ,OAAO,QAAQ,iBAAiB,cAAc,OAAO,QAAQ,mBAAmB;AAClF,MACE,wBACA,uBACA,aAAa,kBACb,aAAa,SACb;AACA,QAAI;AACF,YAAM,EAAE,aAAa,IAAI,MAAM,OAAO,uCAAuC;AAC7E,YAAM,aAAa;AAAA,QACjB;AAAA,QACA,OAAO;AAAA,UACL,UAAU,aAAa;AAAA,UACvB,gBAAgB,aAAa;AAAA,UAC7B,QAAQ,KAAK;AAAA,QACf;AAAA,QACA,OAAO,EAAE,WAAW,QAAQ,GAAG;AAAA,MACjC,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,cAAQ;AAAA,QACN,wDAAwD,QAAQ,EAAE,KAChE,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CACjD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO,kBAAkB,KAAK,WAAW;AAAA,IACvC,MAAM;AAAA,IACN;AAAA,IACA,WAAW,QAAQ;AAAA,EACrB,CAAC;AACH;AAEA,SAAS,YAAY,QAAgB,MAA6B;AAChE,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,WAAW,OAAO,MAAM,GAAG;AACjC,aAAW,WAAW,UAAU;AAC9B,UAAM,UAAU,QAAQ,KAAK;AAC7B,QAAI,QAAQ,WAAW,GAAG,IAAI,GAAG,GAAG;AAClC,aAAO,mBAAmB,QAAQ,MAAM,KAAK,SAAS,CAAC,CAAC;AAAA,IAC1D;AAAA,EACF;AACA,SAAO;AACT;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qDAAqD;AAAA,MACnF;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/post/channels/[id]/import-history/route.js ADDED Viewed

@@ -0,0 +1,168 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../../../data/entities.js";
+import { ChannelAccessDeniedError, assertCanManageChannel } from "../../../../../lib/access-control.js";
+import {
+  queueImportHistory,
+  queueImportHistorySchema
+} from "../../../../../commands/queue-import-history.js";
+import { validateRouteMutationGuard } from "../../../../../lib/route-mutation-guard.js";
+const metadata = {
+  path: "/communication_channels/channels/[id]/import-history",
+  POST: {
+    requireAuth: true,
+    requireFeatures: ["communication_channels.connect_user_channel"]
+  }
+};
+const bodySchema = queueImportHistorySchema.omit({ channelId: true });
+async function POST(req, context) {
+  const { id } = await context.params;
+  if (!z.string().uuid().safeParse(id).success) {
+    return NextResponse.json({ error: "Invalid channel id" }, { status: 400 });
+  }
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  let rawBody;
+  try {
+    const text = await req.text();
+    rawBody = text ? JSON.parse(text) : {};
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
+  }
+  const parsed = bodySchema.safeParse(rawBody);
+  if (!parsed.success) {
+    const first = parsed.error.issues[0];
+    return NextResponse.json(
+      {
+        error: first?.message ?? "Invalid request",
+        fieldErrors: first ? { [first.path.join(".")]: first.message } : void 0
+      },
+      { status: 400 }
+    );
+  }
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const organizationId = auth.orgId ?? null;
+  if (!organizationId) {
+    return NextResponse.json({ error: "No organization scope" }, { status: 400 });
+  }
+  const dscope = { tenantId: auth.tenantId, organizationId };
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      id,
+      tenantId: auth.tenantId,
+      organizationId,
+      deletedAt: null
+    },
+    void 0,
+    dscope
+  );
+  if (!channel) {
+    return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+  }
+  let userFeatures = [];
+  try {
+    const rbac = container.resolve("rbacService");
+    const acl = await rbac.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId
+    });
+    userFeatures = acl?.isSuperAdmin ? ["*"] : Array.isArray(acl?.features) ? acl.features : [];
+  } catch {
+    userFeatures = [];
+  }
+  try {
+    assertCanManageChannel(
+      { userId: channel.userId },
+      auth.sub,
+      userFeatures,
+      "communication_channels.channel.import_history"
+    );
+  } catch (err) {
+    if (err instanceof ChannelAccessDeniedError) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    throw err;
+  }
+  const guard = await validateRouteMutationGuard({
+    container,
+    req,
+    auth,
+    input: {
+      resourceKind: "communication_channels.channel",
+      resourceId: id,
+      operation: "custom",
+      mutationPayload: parsed.data
+    }
+  });
+  if ("response" in guard) return guard.response;
+  try {
+    const result = await queueImportHistory({
+      container,
+      scope: {
+        tenantId: auth.tenantId,
+        organizationId,
+        userId: auth.sub
+      },
+      input: { channelId: id, ...parsed.data }
+    });
+    await guard.afterSuccess();
+    return NextResponse.json({ ok: true, ...result }, { status: 202 });
+  } catch (err) {
+    const candidate = err;
+    if (candidate && typeof candidate.status === "number") {
+      return NextResponse.json(
+        {
+          error: candidate.message,
+          fieldErrors: candidate.fieldErrors
+        },
+        { status: candidate.status }
+      );
+    }
+    console.error(`[import-history] failed to enqueue for channel ${id}:`, err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Failed to queue import-history" },
+      { status: 500 }
+    );
+  }
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    POST: {
+      summary: "Queue a backlog import for a channel (Spec B \xA7 Phase B6)",
+      tags: ["CommunicationChannels"],
+      requestBody: {
+        required: true,
+        contentType: "application/json",
+        schema: bodySchema
+      },
+      responses: [
+        { status: 202, description: "Import job queued; returns { progressJobId }" },
+        { status: 400, description: "Invalid channel id or unsupported provider" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Channel not found / not accessible" },
+        { status: 409, description: "Channel is not connected (requires reauth / error)" },
+        {
+          status: 429,
+          description: "Another import is already running for this channel"
+        }
+      ]
+    }
+  }
+};
+var route_default = POST;
+export {
+  POST,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/post/channels/[id]/import-history/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/communication_channels/api/post/channels/%5Bid%5D/import-history/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { CrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'\nimport { CommunicationChannel } from '../../../../../data/entities'\nimport { ChannelAccessDeniedError, assertCanManageChannel } from '../../../../../lib/access-control'\nimport {\n  queueImportHistory,\n  queueImportHistorySchema,\n} from '../../../../../commands/queue-import-history'\nimport { validateRouteMutationGuard } from '../../../../../lib/route-mutation-guard'\n\ntype RbacServiceLike = {\n  loadAcl: (\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ) => Promise<{ isSuperAdmin: boolean; features: string[]; organizations: string[] | null }>\n}\n\n/**\n * Spec B \u00A7 Phase B6 \u2014 operator-triggered backlog import.\n *\n * Enqueues a `channel-import-history` job that calls\n * `adapter.importHistory(...)` paginated up to `maxMessages`, routes each\n * message through `ingest-inbound-message`, and reports progress on a\n * `ProgressJob` consumed by the existing ProgressTopBar.\n *\n * Owner self-service: a user may import history for their OWN mailbox (gated by\n * `connect_user_channel`). Importing into a shared/tenant-wide channel still\n * requires `communication_channels.channel.import_history` \u2014 enforced per\n * channel type by `assertCanManageChannel` in the handler.\n */\nexport const metadata = {\n  path: '/communication_channels/channels/[id]/import-history',\n  POST: {\n    requireAuth: true,\n    requireFeatures: ['communication_channels.connect_user_channel'],\n  },\n}\n\ntype RouteContext = {\n  params: Promise<{ id: string }> | { id: string }\n}\n\nconst bodySchema = queueImportHistorySchema.omit({ channelId: true })\n\nexport async function POST(req: Request, context: RouteContext): Promise<Response> {\n  const { id } = await context.params\n  if (!z.string().uuid().safeParse(id).success) {\n    return NextResponse.json({ error: 'Invalid channel id' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub || !auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  // Parse body defensively \u2014 the route is called from a CrudForm dialog, but\n  // also from automated tests / scripts.\n  let rawBody: unknown\n  try {\n    const text = await req.text()\n    rawBody = text ? JSON.parse(text) : {}\n  } catch {\n    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })\n  }\n  const parsed = bodySchema.safeParse(rawBody)\n  if (!parsed.success) {\n    const first = parsed.error.issues[0]\n    return NextResponse.json(\n      {\n        error: first?.message ?? 'Invalid request',\n        fieldErrors: first ? { [first.path.join('.')]: first.message } : undefined,\n      },\n      { status: 400 },\n    )\n  }\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n  const organizationId = (auth as { orgId?: string | null }).orgId ?? null\n  if (!organizationId) {\n    return NextResponse.json({ error: 'No organization scope' }, { status: 400 })\n  }\n  const dscope = { tenantId: auth.tenantId as string, organizationId }\n\n  // Per-user access guard \u2014 load the channel just to check ownership; the\n  // command repeats the lookup but at the cost of one extra read we get a\n  // clean 404 for non-owners (instead of a generic 500 from inside the cmd).\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      id,\n      tenantId: auth.tenantId as string,\n      organizationId,\n      deletedAt: null,\n    },\n    undefined,\n    dscope,\n  )\n  if (!channel) {\n    return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n  }\n\n  let userFeatures: string[] = []\n  try {\n    const rbac = container.resolve('rbacService') as RbacServiceLike\n    const acl = await rbac.loadAcl(auth.sub as string, {\n      tenantId: auth.tenantId as string,\n      organizationId,\n    })\n    userFeatures = acl?.isSuperAdmin ? ['*'] : Array.isArray(acl?.features) ? acl.features : []\n  } catch {\n    userFeatures = []\n  }\n  try {\n    assertCanManageChannel(\n      { userId: (channel as { userId?: string | null }).userId },\n      auth.sub as string,\n      userFeatures,\n      'communication_channels.channel.import_history',\n    )\n  } catch (err) {\n    if (err instanceof ChannelAccessDeniedError) {\n      return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n    }\n    throw err\n  }\n\n  const guard = await validateRouteMutationGuard({\n    container,\n    req,\n    auth,\n    input: {\n      resourceKind: 'communication_channels.channel',\n      resourceId: id,\n      operation: 'custom',\n      mutationPayload: parsed.data as unknown as Record<string, unknown>,\n    },\n  })\n  if ('response' in guard) return guard.response\n\n  try {\n    const result = await queueImportHistory({\n      container,\n      scope: {\n        tenantId: auth.tenantId as string,\n        organizationId,\n        userId: auth.sub as string,\n      },\n      input: { channelId: id, ...parsed.data },\n    })\n    await guard.afterSuccess()\n    // 202 Accepted: durable work runs in the channel-import-history worker; the\n    // response carries progressJobId for the ProgressTopBar (progress module contract).\n    return NextResponse.json({ ok: true, ...result }, { status: 202 })\n  } catch (err) {\n    const candidate = err as CrudFormError\n    if (candidate && typeof candidate.status === 'number') {\n      return NextResponse.json(\n        {\n          error: candidate.message,\n          fieldErrors: candidate.fieldErrors,\n        },\n        { status: candidate.status },\n      )\n    }\n    console.error(`[import-history] failed to enqueue for channel ${id}:`, err)\n    return NextResponse.json(\n      { error: err instanceof Error ? err.message : 'Failed to queue import-history' },\n      { status: 500 },\n    )\n  }\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    POST: {\n      summary: 'Queue a backlog import for a channel (Spec B \u00A7 Phase B6)',\n      tags: ['CommunicationChannels'],\n      requestBody: {\n        required: true,\n        contentType: 'application/json',\n        schema: bodySchema,\n      },\n      responses: [\n        { status: 202, description: 'Import job queued; returns { progressJobId }' },\n        { status: 400, description: 'Invalid channel id or unsupported provider' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Channel not found / not accessible' },\n        { status: 409, description: 'Channel is not connected (requires reauth / error)' },\n        {\n          status: 429,\n          description: 'Another import is already running for this channel',\n        },\n      ],\n    },\n  },\n}\n\nexport default POST\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,6BAA6B;AAEtC,SAAS,4BAA4B;AACrC,SAAS,0BAA0B,8BAA8B;AACjE;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,kCAAkC;AAsBpC,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM;AAAA,IACJ,aAAa;AAAA,IACb,iBAAiB,CAAC,6CAA6C;AAAA,EACjE;AACF;AAMA,MAAM,aAAa,yBAAyB,KAAK,EAAE,WAAW,KAAK,CAAC;AAEpE,eAAsB,KAAK,KAAc,SAA0C;AACjF,QAAM,EAAE,GAAG,IAAI,MAAM,QAAQ;AAC7B,MAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,SAAS;AAC5C,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3E;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,OAAO,CAAC,MAAM,UAAU;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAIA,MAAI;AACJ,MAAI;AACF,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,cAAU,OAAO,KAAK,MAAM,IAAI,IAAI,CAAC;AAAA,EACvC,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AACA,QAAM,SAAS,WAAW,UAAU,OAAO;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,QAAQ,OAAO,MAAM,OAAO,CAAC;AACnC,WAAO,aAAa;AAAA,MAClB;AAAA,QACE,OAAO,OAAO,WAAW;AAAA,QACzB,aAAa,QAAQ,EAAE,CAAC,MAAM,KAAK,KAAK,GAAG,CAAC,GAAG,MAAM,QAAQ,IAAI;AAAA,MACnE;AAAA,MACA,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAC3D,QAAM,iBAAkB,KAAmC,SAAS;AACpE,MAAI,CAAC,gBAAgB;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9E;AACA,QAAM,SAAS,EAAE,UAAU,KAAK,UAAoB,eAAe;AAKnE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,UAAU,KAAK;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AAEA,MAAI,eAAyB,CAAC;AAC9B,MAAI;AACF,UAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,UAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAe;AAAA,MACjD,UAAU,KAAK;AAAA,MACf;AAAA,IACF,CAAC;AACD,mBAAe,KAAK,eAAe,CAAC,GAAG,IAAI,MAAM,QAAQ,KAAK,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EAC5F,QAAQ;AACN,mBAAe,CAAC;AAAA,EAClB;AACA,MAAI;AACF;AAAA,MACE,EAAE,QAAS,QAAuC,OAAO;AAAA,MACzD,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,eAAe,0BAA0B;AAC3C,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AACA,UAAM;AAAA,EACR;AAEA,QAAM,QAAQ,MAAM,2BAA2B;AAAA,IAC7C;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,MACL,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,iBAAiB,OAAO;AAAA,IAC1B;AAAA,EACF,CAAC;AACD,MAAI,cAAc,MAAO,QAAO,MAAM;AAEtC,MAAI;AACF,UAAM,SAAS,MAAM,mBAAmB;AAAA,MACtC;AAAA,MACA,OAAO;AAAA,QACL,UAAU,KAAK;AAAA,QACf;AAAA,QACA,QAAQ,KAAK;AAAA,MACf;AAAA,MACA,OAAO,EAAE,WAAW,IAAI,GAAG,OAAO,KAAK;AAAA,IACzC,CAAC;AACD,UAAM,MAAM,aAAa;AAGzB,WAAO,aAAa,KAAK,EAAE,IAAI,MAAM,GAAG,OAAO,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE,SAAS,KAAK;AACZ,UAAM,YAAY;AAClB,QAAI,aAAa,OAAO,UAAU,WAAW,UAAU;AACrD,aAAO,aAAa;AAAA,QAClB;AAAA,UACE,OAAO,UAAU;AAAA,UACjB,aAAa,UAAU;AAAA,QACzB;AAAA,QACA,EAAE,QAAQ,UAAU,OAAO;AAAA,MAC7B;AAAA,IACF;AACA,YAAQ,MAAM,kDAAkD,EAAE,KAAK,GAAG;AAC1E,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,eAAe,QAAQ,IAAI,UAAU,iCAAiC;AAAA,MAC/E,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACF;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,aAAa;AAAA,QACX,UAAU;AAAA,QACV,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,+CAA+C;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,6CAA6C;AAAA,QACzE,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,qCAAqC;AAAA,QACjE,EAAE,QAAQ,KAAK,aAAa,qDAAqD;AAAA,QACjF;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,QACf;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/post/channels/[id]/poll-now/route.js ADDED Viewed

@@ -0,0 +1,143 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../../../data/entities.js";
+import { ChannelAccessDeniedError, assertCanManageChannel } from "../../../../../lib/access-control.js";
+import { COMMUNICATION_CHANNELS_QUEUES, getCommunicationChannelsQueue } from "../../../../../lib/queue.js";
+import { validateRouteMutationGuard } from "../../../../../lib/route-mutation-guard.js";
+const metadata = {
+  path: "/communication_channels/channels/[id]/poll-now",
+  POST: {
+    // Owner self-service: a user may sync their OWN mailbox (gated by
+    // `connect_user_channel`). Polling a shared/tenant-wide channel still
+    // requires `manage` — enforced per channel type by `assertCanManageChannel`.
+    requireAuth: true,
+    requireFeatures: ["communication_channels.connect_user_channel"]
+  }
+};
+async function POST(req, context) {
+  const { id } = await context.params;
+  if (!z.string().uuid().safeParse(id).success) {
+    return NextResponse.json({ error: "Invalid channel id" }, { status: 400 });
+  }
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const organizationId = auth.orgId ?? null;
+  const dscope = { tenantId: auth.tenantId, organizationId };
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      id,
+      tenantId: auth.tenantId,
+      organizationId,
+      deletedAt: null
+    },
+    void 0,
+    dscope
+  );
+  if (!channel) {
+    return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+  }
+  let userFeatures = [];
+  try {
+    const rbac = container.resolve("rbacService");
+    const acl = await rbac.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId
+    });
+    userFeatures = acl?.isSuperAdmin ? ["*"] : Array.isArray(acl?.features) ? acl.features : [];
+  } catch {
+    userFeatures = [];
+  }
+  try {
+    assertCanManageChannel(
+      { userId: channel.userId },
+      auth.sub,
+      userFeatures,
+      "communication_channels.manage"
+    );
+  } catch (err) {
+    if (err instanceof ChannelAccessDeniedError) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    throw err;
+  }
+  if (!channel.isActive) {
+    return NextResponse.json({ error: "Channel is disabled" }, { status: 409 });
+  }
+  if (channel.status === "requires_reauth") {
+    return NextResponse.json(
+      { error: "Channel needs reauthentication \u2014 reconnect from /backend/profile/communication-channels" },
+      { status: 409 }
+    );
+  }
+  if (channel.status === "disconnected") {
+    return NextResponse.json(
+      { error: "Channel is disconnected \u2014 reconnect to resume polling" },
+      { status: 409 }
+    );
+  }
+  const guard = await validateRouteMutationGuard({
+    container,
+    req,
+    auth,
+    input: {
+      resourceKind: "communication_channels.channel",
+      resourceId: channel.id,
+      operation: "custom",
+      mutationPayload: { action: "poll-now" }
+    }
+  });
+  if ("response" in guard) return guard.response;
+  const queue = getCommunicationChannelsQueue(COMMUNICATION_CHANNELS_QUEUES.poll);
+  const payload = {
+    channelId: channel.id,
+    scope: {
+      tenantId: auth.tenantId,
+      organizationId: organizationId ?? null
+    },
+    attempt: 1
+  };
+  await queue.enqueue(payload);
+  await guard.afterSuccess();
+  return NextResponse.json(
+    {
+      ok: true,
+      channelId: channel.id,
+      queued: true,
+      message: "Poll queued \u2014 new messages will appear after the worker runs."
+    },
+    { status: 202 }
+  );
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    POST: {
+      summary: "Manually trigger a poll cycle for a channel (demo / operator override)",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 202, description: "Poll job enqueued" },
+        { status: 400, description: "Invalid channel id" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Channel not found" },
+        { status: 409, description: "Channel disabled or not connected" }
+      ]
+    }
+  }
+};
+var route_default = POST;
+export {
+  POST,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/post/channels/[id]/poll-now/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/communication_channels/api/post/channels/%5Bid%5D/poll-now/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { CommunicationChannel } from '../../../../../data/entities'\nimport { ChannelAccessDeniedError, assertCanManageChannel } from '../../../../../lib/access-control'\nimport { COMMUNICATION_CHANNELS_QUEUES, getCommunicationChannelsQueue } from '../../../../../lib/queue'\nimport type { PollChannelJobPayload } from '../../../../../workers/poll-channel'\nimport { validateRouteMutationGuard } from '../../../../../lib/route-mutation-guard'\n\ntype RbacServiceLike = {\n  loadAcl: (\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ) => Promise<{ isSuperAdmin: boolean; features: string[]; organizations: string[] | null }>\n}\n\nexport const metadata = {\n  path: '/communication_channels/channels/[id]/poll-now',\n  POST: {\n    // Owner self-service: a user may sync their OWN mailbox (gated by\n    // `connect_user_channel`). Polling a shared/tenant-wide channel still\n    // requires `manage` \u2014 enforced per channel type by `assertCanManageChannel`.\n    requireAuth: true,\n    requireFeatures: ['communication_channels.connect_user_channel'],\n  },\n}\n\ntype RouteContext = {\n  params: Promise<{ id: string }> | { id: string }\n}\n\n/**\n * Manual poll trigger \u2014 enqueues a single `poll-channel` job immediately so\n * the operator (or a demo) doesn't have to wait for the 60-second scheduler\n * tick + per-channel `poll_interval_seconds` window.\n *\n * Per-user access guard mirrors the rest of the channels API: only the channel\n * owner (or an admin with `communication_channels.admin`) can trigger a poll.\n */\nexport async function POST(req: Request, context: RouteContext): Promise<Response> {\n  const { id } = await context.params\n  if (!z.string().uuid().safeParse(id).success) {\n    return NextResponse.json({ error: 'Invalid channel id' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub || !auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n  const organizationId = (auth as { orgId?: string | null }).orgId ?? null\n  const dscope = { tenantId: auth.tenantId as string, organizationId }\n\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      id,\n      tenantId: auth.tenantId as string,\n      organizationId,\n      deletedAt: null,\n    },\n    undefined,\n    dscope,\n  )\n  if (!channel) {\n    return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n  }\n\n  // Load features via RBAC so admin bypass is honoured.\n  let userFeatures: string[] = []\n  try {\n    const rbac = container.resolve('rbacService') as RbacServiceLike\n    const acl = await rbac.loadAcl(auth.sub as string, {\n      tenantId: auth.tenantId as string,\n      organizationId,\n    })\n    userFeatures = acl?.isSuperAdmin ? ['*'] : Array.isArray(acl?.features) ? acl.features : []\n  } catch {\n    userFeatures = []\n  }\n  try {\n    assertCanManageChannel(\n      { userId: (channel as { userId?: string | null }).userId },\n      auth.sub as string,\n      userFeatures,\n      'communication_channels.manage',\n    )\n  } catch (err) {\n    if (err instanceof ChannelAccessDeniedError) {\n      return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n    }\n    throw err\n  }\n\n  if (!channel.isActive) {\n    return NextResponse.json({ error: 'Channel is disabled' }, { status: 409 })\n  }\n  // Allow manual poll-now from 'connected' AND 'error' states. The operator's\n  // intent in clicking \"Poll now\" while the channel is in error is exactly\n  // \"retry the connection right now\"; a successful poll auto-resets status\n  // back to 'connected' (see poll-channel.ts).\n  // Block only the explicitly-broken lifecycle states.\n  if (channel.status === 'requires_reauth') {\n    return NextResponse.json(\n      { error: 'Channel needs reauthentication \u2014 reconnect from /backend/profile/communication-channels' },\n      { status: 409 },\n    )\n  }\n  if (channel.status === 'disconnected') {\n    return NextResponse.json(\n      { error: 'Channel is disconnected \u2014 reconnect to resume polling' },\n      { status: 409 },\n    )\n  }\n\n  const guard = await validateRouteMutationGuard({\n    container,\n    req,\n    auth,\n    input: {\n      resourceKind: 'communication_channels.channel',\n      resourceId: channel.id,\n      operation: 'custom',\n      mutationPayload: { action: 'poll-now' },\n    },\n  })\n  if ('response' in guard) return guard.response\n\n  const queue = getCommunicationChannelsQueue(COMMUNICATION_CHANNELS_QUEUES.poll)\n  const payload: PollChannelJobPayload = {\n    channelId: channel.id,\n    scope: {\n      tenantId: auth.tenantId as string,\n      organizationId: organizationId ?? null,\n    },\n    attempt: 1,\n  }\n  await queue.enqueue(payload as unknown as Record<string, unknown>)\n  await guard.afterSuccess()\n\n  return NextResponse.json(\n    {\n      ok: true,\n      channelId: channel.id,\n      queued: true,\n      message: 'Poll queued \u2014 new messages will appear after the worker runs.',\n    },\n    { status: 202 },\n  )\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    POST: {\n      summary: 'Manually trigger a poll cycle for a channel (demo / operator override)',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 202, description: 'Poll job enqueued' },\n        { status: 400, description: 'Invalid channel id' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Channel not found' },\n        { status: 409, description: 'Channel disabled or not connected' },\n      ],\n    },\n  },\n}\nexport default POST\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,6BAA6B;AACtC,SAAS,4BAA4B;AACrC,SAAS,0BAA0B,8BAA8B;AACjE,SAAS,+BAA+B,qCAAqC;AAE7E,SAAS,kCAAkC;AASpC,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM;AAAA;AAAA;AAAA;AAAA,IAIJ,aAAa;AAAA,IACb,iBAAiB,CAAC,6CAA6C;AAAA,EACjE;AACF;AAcA,eAAsB,KAAK,KAAc,SAA0C;AACjF,QAAM,EAAE,GAAG,IAAI,MAAM,QAAQ;AAC7B,MAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,SAAS;AAC5C,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3E;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,OAAO,CAAC,MAAM,UAAU;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAC3D,QAAM,iBAAkB,KAAmC,SAAS;AACpE,QAAM,SAAS,EAAE,UAAU,KAAK,UAAoB,eAAe;AAEnE,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,UAAU,KAAK;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AAGA,MAAI,eAAyB,CAAC;AAC9B,MAAI;AACF,UAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,UAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAe;AAAA,MACjD,UAAU,KAAK;AAAA,MACf;AAAA,IACF,CAAC;AACD,mBAAe,KAAK,eAAe,CAAC,GAAG,IAAI,MAAM,QAAQ,KAAK,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EAC5F,QAAQ;AACN,mBAAe,CAAC;AAAA,EAClB;AACA,MAAI;AACF;AAAA,MACE,EAAE,QAAS,QAAuC,OAAO;AAAA,MACzD,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,eAAe,0BAA0B;AAC3C,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AACA,UAAM;AAAA,EACR;AAEA,MAAI,CAAC,QAAQ,UAAU;AACrB,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AAMA,MAAI,QAAQ,WAAW,mBAAmB;AACxC,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,+FAA0F;AAAA,MACnG,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,MAAI,QAAQ,WAAW,gBAAgB;AACrC,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,6DAAwD;AAAA,MACjE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,QAAQ,MAAM,2BAA2B;AAAA,IAC7C;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,MACL,cAAc;AAAA,MACd,YAAY,QAAQ;AAAA,MACpB,WAAW;AAAA,MACX,iBAAiB,EAAE,QAAQ,WAAW;AAAA,IACxC;AAAA,EACF,CAAC;AACD,MAAI,cAAc,MAAO,QAAO,MAAM;AAEtC,QAAM,QAAQ,8BAA8B,8BAA8B,IAAI;AAC9E,QAAM,UAAiC;AAAA,IACrC,WAAW,QAAQ;AAAA,IACnB,OAAO;AAAA,MACL,UAAU,KAAK;AAAA,MACf,gBAAgB,kBAAkB;AAAA,IACpC;AAAA,IACA,SAAS;AAAA,EACX;AACA,QAAM,MAAM,QAAQ,OAA6C;AACjE,QAAM,MAAM,aAAa;AAEzB,SAAO,aAAa;AAAA,IAClB;AAAA,MACE,IAAI;AAAA,MACJ,WAAW,QAAQ;AAAA,MACnB,QAAQ;AAAA,MACR,SAAS;AAAA,IACX;AAAA,IACA,EAAE,QAAQ,IAAI;AAAA,EAChB;AACF;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,qBAAqB;AAAA,QACjD,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,oCAAoC;AAAA,MAClE;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/post/channels/[id]/push/register/route.js ADDED Viewed

@@ -0,0 +1,127 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../../../../data/entities.js";
+import { ChannelAccessDeniedError, assertCanManageChannel } from "../../../../../../lib/access-control.js";
+import { pushRegister } from "../../../../../../commands/push-register.js";
+import { validateRouteMutationGuard } from "../../../../../../lib/route-mutation-guard.js";
+const metadata = {
+  path: "/communication_channels/channels/[id]/push/register",
+  POST: {
+    requireAuth: true,
+    requireFeatures: ["communication_channels.connect_user_channel"]
+  }
+};
+async function POST(req, context) {
+  const { id } = await context.params;
+  if (!z.string().uuid().safeParse(id).success) {
+    return NextResponse.json({ error: "Invalid channel id" }, { status: 400 });
+  }
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const organizationId = auth.orgId ?? null;
+  if (!organizationId) {
+    return NextResponse.json({ error: "No organization scope" }, { status: 400 });
+  }
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    { id, tenantId: auth.tenantId, organizationId, deletedAt: null },
+    void 0,
+    { tenantId: auth.tenantId, organizationId }
+  );
+  if (!channel) {
+    return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+  }
+  let userFeatures = [];
+  try {
+    const rbac = container.resolve("rbacService");
+    const acl = await rbac.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId
+    });
+    userFeatures = acl?.isSuperAdmin ? ["*"] : Array.isArray(acl?.features) ? acl.features : [];
+  } catch {
+    userFeatures = [];
+  }
+  try {
+    assertCanManageChannel(
+      { userId: channel.userId },
+      auth.sub,
+      userFeatures,
+      "communication_channels.channel.push.manage"
+    );
+  } catch (err) {
+    if (err instanceof ChannelAccessDeniedError) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    throw err;
+  }
+  const guard = await validateRouteMutationGuard({
+    container,
+    req,
+    auth,
+    input: {
+      resourceKind: "communication_channels.channel",
+      resourceId: id,
+      operation: "custom",
+      mutationPayload: { pushStatus: "register" }
+    }
+  });
+  if ("response" in guard) return guard.response;
+  try {
+    const result = await pushRegister({
+      container,
+      scope: { tenantId: auth.tenantId, organizationId, userId: auth.sub },
+      input: { channelId: id }
+    });
+    await guard.afterSuccess();
+    return NextResponse.json({ ok: true, ...result }, { status: 202 });
+  } catch (err) {
+    const candidate = err;
+    if (candidate && typeof candidate.status === "number") {
+      return NextResponse.json(
+        { error: candidate.message, fieldErrors: candidate.fieldErrors },
+        { status: candidate.status }
+      );
+    }
+    console.error(`[push-register] failed for channel ${id}:`, err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Failed to register push" },
+      { status: 500 }
+    );
+  }
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    POST: {
+      summary: "Force-register push delivery for a channel (Spec C \xA7 Phase C5)",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 202, description: "Push registration attempted; check result.pushStatus" },
+        { status: 400, description: "Invalid id or unsupported provider" },
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Missing push.manage feature" },
+        { status: 404, description: "Channel not found" },
+        { status: 409, description: "Provider does not support push (IMAP)" },
+        { status: 502, description: "Provider returned an error during registration" },
+        { status: 503, description: "Webhook base URL or Pub/Sub topic not configured" }
+      ]
+    }
+  }
+};
+var route_default = POST;
+export {
+  POST,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/post/channels/[id]/push/register/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../../src/modules/communication_channels/api/post/channels/%5Bid%5D/push/register/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { CrudFormError } from '@open-mercato/ui/backend/utils/serverErrors'\nimport { CommunicationChannel } from '../../../../../../data/entities'\nimport { ChannelAccessDeniedError, assertCanManageChannel } from '../../../../../../lib/access-control'\nimport { pushRegister } from '../../../../../../commands/push-register'\nimport { validateRouteMutationGuard } from '../../../../../../lib/route-mutation-guard'\n\ntype RbacServiceLike = {\n  loadAcl: (\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ) => Promise<{ isSuperAdmin: boolean; features: string[]; organizations: string[] | null }>\n}\n\n/**\n * Spec C \u00A7 Phase C5 \u2014 Operator-facing \"Re-register push\" endpoint.\n *\n * Owner self-service: a user may (re-)register push on their OWN mailbox (gated\n * by `connect_user_channel`). Registering push on a shared/tenant-wide channel\n * still requires `communication_channels.channel.push.manage` \u2014 enforced per\n * channel type by `assertCanManageChannel` in the handler. Used by the profile\n * page and the channel detail page's `PushStatusSection` to recover from a\n * `pushStatus='failed'` state.\n */\nexport const metadata = {\n  path: '/communication_channels/channels/[id]/push/register',\n  POST: {\n    requireAuth: true,\n    requireFeatures: ['communication_channels.connect_user_channel'],\n  },\n}\n\ntype RouteContext = {\n  params: Promise<{ id: string }> | { id: string }\n}\n\nexport async function POST(req: Request, context: RouteContext): Promise<Response> {\n  const { id } = await context.params\n  if (!z.string().uuid().safeParse(id).success) {\n    return NextResponse.json({ error: 'Invalid channel id' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub || !auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n  const organizationId = (auth as { orgId?: string | null }).orgId ?? null\n  if (!organizationId) {\n    return NextResponse.json({ error: 'No organization scope' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n\n  // Defense-in-depth: `push.manage` is admin-default, but enforce per-user\n  // ownership anyway so a non-admin operator who is granted `push.manage`\n  // cannot re-register push on another user's channel. Admins (and tenant-wide\n  // channels) pass via `assertCanAccessChannel`. Automatic callers (OAuth\n  // callback, connect, renew worker) invoke `pushRegister` directly and are\n  // intentionally not subject to this user-facing guard.\n  const em = (container.resolve('em') as EntityManager).fork()\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    { id, tenantId: auth.tenantId as string, organizationId, deletedAt: null },\n    undefined,\n    { tenantId: auth.tenantId as string, organizationId },\n  )\n  if (!channel) {\n    return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n  }\n  let userFeatures: string[] = []\n  try {\n    const rbac = container.resolve('rbacService') as RbacServiceLike\n    const acl = await rbac.loadAcl(auth.sub as string, {\n      tenantId: auth.tenantId as string,\n      organizationId,\n    })\n    userFeatures = acl?.isSuperAdmin ? ['*'] : Array.isArray(acl?.features) ? acl.features : []\n  } catch {\n    userFeatures = []\n  }\n  try {\n    assertCanManageChannel(\n      { userId: (channel as { userId?: string | null }).userId },\n      auth.sub as string,\n      userFeatures,\n      'communication_channels.channel.push.manage',\n    )\n  } catch (err) {\n    if (err instanceof ChannelAccessDeniedError) {\n      return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n    }\n    throw err\n  }\n\n  const guard = await validateRouteMutationGuard({\n    container,\n    req,\n    auth,\n    input: {\n      resourceKind: 'communication_channels.channel',\n      resourceId: id,\n      operation: 'custom',\n      mutationPayload: { pushStatus: 'register' },\n    },\n  })\n  if ('response' in guard) return guard.response\n\n  try {\n    const result = await pushRegister({\n      container,\n      scope: { tenantId: auth.tenantId as string, organizationId, userId: auth.sub as string },\n      input: { channelId: id },\n    })\n    await guard.afterSuccess()\n    return NextResponse.json({ ok: true, ...result }, { status: 202 })\n  } catch (err) {\n    const candidate = err as CrudFormError\n    if (candidate && typeof candidate.status === 'number') {\n      return NextResponse.json(\n        { error: candidate.message, fieldErrors: candidate.fieldErrors },\n        { status: candidate.status },\n      )\n    }\n    console.error(`[push-register] failed for channel ${id}:`, err)\n    return NextResponse.json(\n      { error: err instanceof Error ? err.message : 'Failed to register push' },\n      { status: 500 },\n    )\n  }\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    POST: {\n      summary: 'Force-register push delivery for a channel (Spec C \u00A7 Phase C5)',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 202, description: 'Push registration attempted; check result.pushStatus' },\n        { status: 400, description: 'Invalid id or unsupported provider' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Missing push.manage feature' },\n        { status: 404, description: 'Channel not found' },\n        { status: 409, description: 'Provider does not support push (IMAP)' },\n        { status: 502, description: 'Provider returned an error during registration' },\n        { status: 503, description: 'Webhook base URL or Pub/Sub topic not configured' },\n      ],\n    },\n  },\n}\n\nexport default POST\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,6BAA6B;AAEtC,SAAS,4BAA4B;AACrC,SAAS,0BAA0B,8BAA8B;AACjE,SAAS,oBAAoB;AAC7B,SAAS,kCAAkC;AAmBpC,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM;AAAA,IACJ,aAAa;AAAA,IACb,iBAAiB,CAAC,6CAA6C;AAAA,EACjE;AACF;AAMA,eAAsB,KAAK,KAAc,SAA0C;AACjF,QAAM,EAAE,GAAG,IAAI,MAAM,QAAQ;AAC7B,MAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,SAAS;AAC5C,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3E;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,OAAO,CAAC,MAAM,UAAU;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AACA,QAAM,iBAAkB,KAAmC,SAAS;AACpE,MAAI,CAAC,gBAAgB;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9E;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAQ/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAC3D,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,UAAU,KAAK,UAAoB,gBAAgB,WAAW,KAAK;AAAA,IACzE;AAAA,IACA,EAAE,UAAU,KAAK,UAAoB,eAAe;AAAA,EACtD;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AACA,MAAI,eAAyB,CAAC;AAC9B,MAAI;AACF,UAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,UAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAe;AAAA,MACjD,UAAU,KAAK;AAAA,MACf;AAAA,IACF,CAAC;AACD,mBAAe,KAAK,eAAe,CAAC,GAAG,IAAI,MAAM,QAAQ,KAAK,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EAC5F,QAAQ;AACN,mBAAe,CAAC;AAAA,EAClB;AACA,MAAI;AACF;AAAA,MACE,EAAE,QAAS,QAAuC,OAAO;AAAA,MACzD,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,eAAe,0BAA0B;AAC3C,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AACA,UAAM;AAAA,EACR;AAEA,QAAM,QAAQ,MAAM,2BAA2B;AAAA,IAC7C;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,MACL,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,iBAAiB,EAAE,YAAY,WAAW;AAAA,IAC5C;AAAA,EACF,CAAC;AACD,MAAI,cAAc,MAAO,QAAO,MAAM;AAEtC,MAAI;AACF,UAAM,SAAS,MAAM,aAAa;AAAA,MAChC;AAAA,MACA,OAAO,EAAE,UAAU,KAAK,UAAoB,gBAAgB,QAAQ,KAAK,IAAc;AAAA,MACvF,OAAO,EAAE,WAAW,GAAG;AAAA,IACzB,CAAC;AACD,UAAM,MAAM,aAAa;AACzB,WAAO,aAAa,KAAK,EAAE,IAAI,MAAM,GAAG,OAAO,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE,SAAS,KAAK;AACZ,UAAM,YAAY;AAClB,QAAI,aAAa,OAAO,UAAU,WAAW,UAAU;AACrD,aAAO,aAAa;AAAA,QAClB,EAAE,OAAO,UAAU,SAAS,aAAa,UAAU,YAAY;AAAA,QAC/D,EAAE,QAAQ,UAAU,OAAO;AAAA,MAC7B;AAAA,IACF;AACA,YAAQ,MAAM,sCAAsC,EAAE,KAAK,GAAG;AAC9D,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,eAAe,QAAQ,IAAI,UAAU,0BAA0B;AAAA,MACxE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACF;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,uDAAuD;AAAA,QACnF,EAAE,QAAQ,KAAK,aAAa,qCAAqC;AAAA,QACjE,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,8BAA8B;AAAA,QAC1D,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,wCAAwC;AAAA,QACpE,EAAE,QAAQ,KAAK,aAAa,iDAAiD;AAAA,QAC7E,EAAE,QAAQ,KAAK,aAAa,mDAAmD;AAAA,MACjF;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;",
+  "names": []
+}