npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd - Mend

@open-mercato/core 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4393.1.de282b5dfd

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (533) hide show

package/src/modules/customers/api/interactions/[id]/visibility/route.ts ADDED Viewed

@@ -0,0 +1,179 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'
+import type { CommandBus } from '@open-mercato/shared/lib/commands'
+import {
+  validateCrudMutationGuard,
+  runCrudMutationGuardAfterSuccess,
+} from '@open-mercato/shared/lib/crud/mutation-guard'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { CustomerInteraction } from '../../../../data/entities'
+import type { InteractionUpdateInput } from '../../../../data/validators'
+import { resolveAuthActorId } from '../../../../lib/interactionRequestContext'
+import { emitCustomersEvent } from '../../../../events'
+export const metadata = {
+  path: '/customers/interactions/[id]/visibility',
+  PATCH: {
+    requireAuth: true,
+    requireFeatures: ['customers.email.compose'],
+  },
+}
+const bodySchema = z.object({ visibility: z.enum(['private', 'shared']) }).strict()
+type RouteContext = { params: Promise<{ id: string }> | { id: string } }
+export async function PATCH(req: Request, context: RouteContext): Promise<Response> {
+  const { id } = await context.params
+  if (!z.string().uuid().safeParse(id).success) {
+    return NextResponse.json({ error: 'Invalid interaction id' }, { status: 400 })
+  }
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  let body: z.infer<typeof bodySchema>
+  try {
+    body = bodySchema.parse(await readJsonSafe(req, null))
+  } catch (err) {
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : 'Invalid request body' },
+      { status: 422 },
+    )
+  }
+  const container = await createRequestContainer()
+  const em = (container.resolve('em') as EntityManager).fork()
+  const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+  const organizationId = scope?.selectedId ?? (auth as { orgId?: string | null }).orgId ?? null
+  const dscope = { tenantId: auth.tenantId as string, organizationId }
+  const userId = resolveAuthActorId(auth)
+  const guardResult = await validateCrudMutationGuard(container, {
+    tenantId: auth.tenantId,
+    organizationId,
+    userId,
+    resourceKind: 'customers.interaction',
+    resourceId: id,
+    operation: 'custom',
+    requestMethod: req.method,
+    requestHeaders: req.headers,
+  })
+  if (guardResult && !guardResult.ok) {
+    return NextResponse.json(guardResult.body, { status: guardResult.status })
+  }
+  const interaction = (await findOneWithDecryption(
+    em,
+    CustomerInteraction,
+    {
+      id,
+      tenantId: auth.tenantId,
+      organizationId,
+      deletedAt: null,
+      interactionType: 'email',
+    } as any,
+    undefined,
+    dscope,
+  )) as { id: string; authorUserId?: string | null; visibility?: string | null } | null
+  if (!interaction) {
+    return NextResponse.json({ error: 'Email not found' }, { status: 404 })
+  }
+  // Personal mailbox privacy (v1: strict owner-only): ONLY the author may flip
+  // their own email's visibility — no admin bypass. Return 404 (not 403) for
+  // everyone else so we don't leak the row's existence — this also covers
+  // non-authors who cannot see a private email in the first place.
+  const isAuthor = !!interaction.authorUserId && interaction.authorUserId === auth.sub
+  if (!isAuthor) {
+    return NextResponse.json({ error: 'Email not found' }, { status: 404 })
+  }
+  // No-op: visibility is already at the requested value.
+  if (interaction.visibility === body.visibility) {
+    return NextResponse.json({ ok: true, changed: false })
+  }
+  const previousVisibility = (interaction.visibility ?? 'private') as 'private' | 'shared'
+  // Route the write through the interactions update command so the change runs
+  // the full mutation pipeline — query-index refresh, audit log and undo —
+  // instead of a raw em.flush() that would leave the indexed `entity_indexes`
+  // doc stale. Authorization (author-only, v1) was already enforced above; the
+  // command only owns persistence and side effects.
+  const commandBus = container.resolve('commandBus') as CommandBus
+  await commandBus.execute<InteractionUpdateInput, { interactionId: string }>(
+    'customers.interactions.update',
+    {
+      input: { id, visibility: body.visibility },
+      ctx: {
+        container,
+        auth: auth as never,
+        organizationScope: null,
+        selectedOrganizationId: organizationId,
+        organizationIds: organizationId ? [organizationId] : null,
+      },
+    },
+  )
+  if (guardResult?.ok && guardResult.shouldRunAfterSuccess) {
+    await runCrudMutationGuardAfterSuccess(container, {
+      tenantId: auth.tenantId,
+      organizationId,
+      userId,
+      resourceKind: 'customers.interaction',
+      resourceId: id,
+      operation: 'custom',
+      requestMethod: req.method,
+      requestHeaders: req.headers,
+      metadata: guardResult.metadata ?? null,
+    })
+  }
+  // Emit audit event best-effort — failure must NOT roll back the DB flush.
+  try {
+    await emitCustomersEvent('customers.email.visibility_changed', {
+      interactionId: interaction.id,
+      previousVisibility,
+      nextVisibility: body.visibility,
+      authorUserId: interaction.authorUserId ?? null,
+      actorUserId: auth.sub,
+      // v1: strict owner-only — only the author reaches this point, so a
+      // visibility change is never an admin bypass.
+      adminBypass: false,
+      tenantId: auth.tenantId,
+      organizationId,
+    })
+  } catch {
+    /* swallow — audit emission must not block the response */
+  }
+  return NextResponse.json({ ok: true, changed: true })
+}
+export const openApi = {
+  tags: ['Customers', 'Email'],
+  methods: {
+    PATCH: {
+      summary: 'Flip an email interaction visibility (private ↔ shared)',
+      tags: ['Customers', 'Email'],
+      responses: [
+        { status: 200, description: 'Updated' },
+        { status: 400, description: 'Invalid id' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 404, description: 'Email not found or not visible to caller' },
+        { status: 422, description: 'Invalid body' },
+      ],
+    },
+  },
+}
+export default PATCH

package/src/modules/customers/api/interactions/counts/route.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
+import { applyEmailVisibilityFilter } from '../../../lib/visibilityFilter'
 const querySchema = z.object({
   entityId: z.string().uuid(),
@@ -87,6 +88,15 @@ export async function GET(req: Request) {
       baseQuery = baseQuery.where('status', '=', query.status)
     }
+    // Per-user email privacy: exclude other users' private emails from the
+    // per-type counts so the `email` total matches the visibility-filtered list.
+    // v1 strict owner-only — no admin bypass (the filter ignores caller features).
+    const viewerUserId = auth.isApiKey ? null : auth.sub ?? null
+    baseQuery = applyEmailVisibilityFilter(baseQuery, {
+      currentUserId: viewerUserId,
+      userFeatures: undefined,
+    })
     // Raw SELECT: reads only unencrypted columns (id, interaction_type); title/notes are excluded to avoid ciphertext leakage.
     const rows = await baseQuery
       .select(['interaction_type', sql<string>`count(*)`.as('count')])

package/src/modules/customers/api/interactions/route.ts CHANGED Viewed

@@ -22,6 +22,7 @@ import {
   defaultOkResponseSchema,
 } from '../openapi'
 import { CUSTOMER_INTERACTION_ENTITY_ID } from '../../lib/interactionCompatibility'
+import { applyEmailVisibilityFilter } from '../../lib/visibilityFilter'
 import { resolveCanonicalActivityTargetId } from '../../lib/legacyActivityBridge'
 import type { CommandBus, CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
@@ -301,6 +302,7 @@ async function buildEnricherContext(
   container: { resolve: (name: string) => unknown },
   auth: NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>,
   organizationId: string | null,
+  precomputedUserFeatures?: { userId: string; features: string[] | undefined },
 ): Promise<EnricherContext> {
   const userId =
     (typeof auth.sub === 'string' && auth.sub.trim().length > 0
@@ -311,13 +313,20 @@ async function buildEnricherContext(
           ? auth.keyId
           : 'system')
+  // Reuse features already resolved for this same user (the GET handler resolves
+  // them once for the visibility filter) to avoid a second RBAC lookup per request.
+  const userFeatures =
+    precomputedUserFeatures && precomputedUserFeatures.userId === userId
+      ? precomputedUserFeatures.features
+      : await resolveUserFeatures(container, userId, auth.tenantId ?? null, organizationId)
   return {
     organizationId: organizationId ?? '',
     tenantId: auth.tenantId ?? '',
     userId,
     em: container.resolve('em'),
     container,
-    userFeatures: await resolveUserFeatures(container, userId, auth.tenantId ?? null, organizationId),
+    userFeatures,
   }
 }
@@ -415,6 +424,12 @@ export async function GET(req: Request) {
     }
     if (query.excludeInteractionType) rowsQuery = rowsQuery.where('interaction_type', '!=', query.excludeInteractionType)
     if (query.search) {
+      // NOTE: for tenants with data encryption enabled, `title`/`body` are
+      // ciphertext at rest (see encryption.ts), so this ILIKE matches encrypted
+      // bytes and returns no rows — substring search over encrypted free-text
+      // columns is unsupported, the same documented limitation as
+      // customer_activity / customer_comment. The returned page's title/body are
+      // still decrypted for display further below.
       const searchTerm = `%${query.search}%`
       rowsQuery = rowsQuery.where(sql<boolean>`coalesce(title, '') ilike ${searchTerm} or coalesce(body, '') ilike ${searchTerm}`)
     }
@@ -438,6 +453,21 @@ export async function GET(req: Request) {
       ]))
     }
+    // ── Email visibility filter (2026-05-27) ──────────────────────────────
+    // Non-email interactions pass through; email rows with visibility='private'
+    // are filtered out unless the caller is the author or has admin bypass.
+    // API-key callers have no user identity (`auth.sub` undefined): resolve the
+    // viewer to null so they never gain the author bypass and only see shared
+    // emails (fail-closed). Mirrors counts/people/activities routes.
+    const viewerUserId = auth.isApiKey ? null : (auth.sub ?? null)
+    const callerUserFeatures = viewerUserId
+      ? await resolveUserFeatures(container, viewerUserId, auth.tenantId ?? null, selectedOrganizationId)
+      : undefined
+    rowsQuery = applyEmailVisibilityFilter(rowsQuery as any, {
+      currentUserId: viewerUserId,
+      userFeatures: callerUserFeatures,
+    })
     rowsQuery = rowsQuery.orderBy(sql`${sql.raw(sortSql)} ${sql.raw(sortDir)}`).orderBy('id', sortDir)
     const rows = await rowsQuery.execute() as InteractionListRow[]
@@ -460,7 +490,7 @@ export async function GET(req: Request) {
     )
     const interactionIds = pageRows.map((row) => row.id)
-    const [users, deals, customFieldValues] = await Promise.all([
+    const [users, deals, customFieldValues, interactionRecords] = await Promise.all([
       authorIds.length > 0 ? findWithDecryption(em, User, { id: { $in: authorIds } }, undefined, { tenantId: auth.tenantId, organizationId: selectedOrganizationId }) : Promise.resolve([]),
       dealIds.length > 0 ? findWithDecryption(em, CustomerDeal, { id: { $in: dealIds } }, undefined, { tenantId: auth.tenantId, organizationId: selectedOrganizationId }) : Promise.resolve([]),
       interactionIds.length > 0
@@ -473,6 +503,9 @@ export async function GET(req: Request) {
             tenantFallbacks: [auth.tenantId].filter((value): value is string => !!value),
           })
         : Promise.resolve<Record<string, Record<string, unknown>>>({}),
+      interactionIds.length > 0
+        ? findWithDecryption(em, CustomerInteraction, { id: { $in: interactionIds } } as never, undefined, { tenantId: auth.tenantId, organizationId: selectedOrganizationId })
+        : Promise.resolve([]),
     ])
     const userMap = new Map(
@@ -487,14 +520,22 @@ export async function GET(req: Request) {
     const dealMap = new Map(
       deals.map((deal) => [deal.id, deal.title]),
     )
+    // title/body are encrypted at rest (see encryption.ts). The kysely rows above
+    // carry ciphertext when tenant encryption is enabled, so override them with the
+    // decrypted values from findWithDecryption for the returned page.
+    const interactionContentMap = new Map(
+      (interactionRecords as Array<{ id: string; title?: string | null; body?: string | null }>).map(
+        (record) => [record.id, { title: record.title ?? null, body: record.body ?? null }],
+      ),
+    )
     const baseItems = pageRows.map((row) => ({
       id: row.id,
       entityId: row.entity_id,
       dealId: row.deal_id ?? null,
       interactionType: row.interaction_type,
-      title: row.title ?? null,
-      body: row.body ?? null,
+      title: (interactionContentMap.has(row.id) ? interactionContentMap.get(row.id)!.title : row.title) ?? null,
+      body: (interactionContentMap.has(row.id) ? interactionContentMap.get(row.id)!.body : row.body) ?? null,
       status: row.status,
       scheduledAt: toIsoString(row.scheduled_at),
       occurredAt: toIsoString(row.occurred_at),
@@ -526,7 +567,12 @@ export async function GET(req: Request) {
       customValues: normalizeCustomFieldResponse(customFieldValues[row.id]) ?? null,
     }))
-    const enricherContext = await buildEnricherContext(container, auth, selectedOrganizationId)
+    const enricherContext = await buildEnricherContext(
+      container,
+      auth,
+      selectedOrganizationId,
+      viewerUserId ? { userId: viewerUserId, features: callerUserFeatures } : undefined,
+    )
     const enriched = await applyResponseEnrichers(baseItems, 'customers.interaction', enricherContext)
     let nextCursor: string | undefined

package/src/modules/customers/api/people/[id]/email-threads/route.ts ADDED Viewed

@@ -0,0 +1,92 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { CustomerEntity } from '../../../../data/entities'
+import { buildPersonEmailThreads } from '../../../../lib/personEmailThreads'
+export const metadata = {
+  path: '/customers/people/[id]/email-threads',
+  GET: {
+    requireAuth: true,
+    requireFeatures: ['customers.people.view'],
+  },
+}
+type RouteContext = {
+  params: Promise<{ id: string }> | { id: string }
+}
+export async function GET(req: Request, context: RouteContext): Promise<Response> {
+  const { id: personId } = await context.params
+  if (!z.string().uuid().safeParse(personId).success) {
+    return NextResponse.json({ error: 'Invalid person id' }, { status: 400 })
+  }
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+  const organizationId = scope?.selectedId ?? (auth as { orgId?: string | null }).orgId ?? null
+  const em = (container.resolve('em') as EntityManager).fork()
+  const dscope = { tenantId: auth.tenantId as string, organizationId }
+  // Verify the Person exists in the caller's tenant/org (ownership check,
+  // same pattern as the [id]/emails compose route).
+  const person = await findOneWithDecryption(
+    em,
+    CustomerEntity,
+    {
+      id: personId,
+      kind: 'person',
+      tenantId: auth.tenantId,
+      organizationId,
+      deletedAt: null,
+    } as never,
+    undefined,
+    dscope,
+  )
+  if (!person) {
+    return NextResponse.json({ error: 'Person not found' }, { status: 404 })
+  }
+  const viewerUserId = auth.isApiKey ? null : auth.sub ?? null
+  const threads = await buildPersonEmailThreads(em, {
+    personId,
+    tenantId: auth.tenantId as string,
+    organizationId,
+    viewerUserId,
+    // The v1 visibility filter is owner-only and ignores `userFeatures`; match
+    // the sibling read routes (people/[id], interactions) by passing `undefined`
+    // rather than paying an RBAC round-trip the filter discards.
+    userFeatures: undefined,
+  })
+  return NextResponse.json({ threads })
+}
+export const openApi = {
+  tags: ['Customers', 'Email'],
+  methods: {
+    GET: {
+      summary: 'List a Person\'s email threads (Gmail-style conversation grouping)',
+      tags: ['Customers', 'Email'],
+      responses: [
+        { status: 200, description: 'Email threads for the person, grouped by conversation' },
+        { status: 400, description: 'Invalid person id' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 403, description: 'Missing customers.people.view feature' },
+        { status: 404, description: 'Person not found' },
+      ],
+    },
+  },
+}
+export default GET

package/src/modules/customers/api/people/[id]/emails/route.ts ADDED Viewed

@@ -0,0 +1,184 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { EntityManager } from '@mikro-orm/postgresql'
+import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { readJsonSafe } from '@open-mercato/shared/lib/http/readJsonSafe'
+import {
+  validateCrudMutationGuard,
+  runCrudMutationGuardAfterSuccess,
+} from '@open-mercato/shared/lib/crud/mutation-guard'
+import { resolveOrganizationScopeForRequest } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { resolveAuthActorId } from '../../../../lib/interactionRequestContext'
+import { CustomerEntity } from '../../../../data/entities'
+import type { SendAsUserService } from '@open-mercato/core/modules/communication_channels/lib/send-as-user'
+export const metadata = {
+  path: '/customers/people/[id]/emails',
+  POST: {
+    requireAuth: true,
+    requireFeatures: ['customers.email.compose'],
+  },
+}
+const composeSchema = z
+  .object({
+    userChannelId: z.string().uuid(),
+    to: z.array(z.string().email()).min(1).max(50),
+    cc: z.array(z.string().email()).max(50).optional(),
+    bcc: z.array(z.string().email()).max(50).optional(),
+    subject: z.string().min(1).max(500),
+    body: z.string().min(1).max(200_000),
+    bodyFormat: z.enum(['text', 'html']).default('html'),
+    visibility: z.enum(['private', 'shared']).default('private'),
+    inReplyTo: z.string().max(500).optional(),
+    references: z.array(z.string().max(500)).max(50).optional(),
+    parentMessageId: z.string().uuid().optional(),
+  })
+  .strict()
+type RouteContext = {
+  params: Promise<{ id: string }> | { id: string }
+}
+export async function POST(req: Request, context: RouteContext): Promise<Response> {
+  const { id: personId } = await context.params
+  if (!z.string().uuid().safeParse(personId).success) {
+    return NextResponse.json({ error: 'Invalid person id' }, { status: 400 })
+  }
+  const auth = await getAuthFromRequest(req)
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  let body: z.infer<typeof composeSchema>
+  try {
+    body = composeSchema.parse(await readJsonSafe(req, null))
+  } catch (err) {
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : 'Invalid request body' },
+      { status: 422 },
+    )
+  }
+  const container = await createRequestContainer()
+  const userId = resolveAuthActorId(auth)
+  const scope = await resolveOrganizationScopeForRequest({ container, auth, request: req })
+  const organizationId = scope?.selectedId ?? (auth as { orgId?: string | null }).orgId ?? null
+  const guardResult = await validateCrudMutationGuard(container, {
+    tenantId: auth.tenantId,
+    organizationId,
+    userId,
+    resourceKind: 'customers.person',
+    resourceId: personId,
+    operation: 'custom',
+    requestMethod: req.method,
+    requestHeaders: req.headers,
+  })
+  if (guardResult && !guardResult.ok) {
+    return NextResponse.json(guardResult.body, { status: guardResult.status })
+  }
+  const em = (container.resolve('em') as EntityManager).fork()
+  const dscope = { tenantId: auth.tenantId as string, organizationId }
+  // 1. Verify the Person exists in the caller's tenant.
+  //    Uses CustomerEntity (kind='person') as the canonical ownership check —
+  //    the same pattern as the existing [id]/route.ts GET handler.
+  const person = await findOneWithDecryption(
+    em,
+    CustomerEntity,
+    {
+      id: personId,
+      kind: 'person',
+      tenantId: auth.tenantId,
+      organizationId,
+      deletedAt: null,
+    } as never,
+    undefined,
+    dscope,
+  )
+  if (!person) {
+    return NextResponse.json({ error: 'Person not found' }, { status: 404 })
+  }
+  // 2. Call the hub's send-as-user facade in-process (resolved via DI) so the
+  //    customers module makes no HTTP self-call. `crmVisibility` and `crmPersonId`
+  //    are injected as channelMetadata so the link-channel-message subscriber can
+  //    anchor the sent message back to this Person on the
+  //    `communication_channels.message.sent` event.
+  const sendAsUserService = container.resolve(
+    'communicationChannelsSendAsUser',
+  ) as SendAsUserService
+  const sendResult = await sendAsUserService(
+    container,
+    { userId: auth.sub as string, tenantId: auth.tenantId as string, organizationId, auth },
+    {
+      userChannelId: body.userChannelId,
+      to: body.to,
+      cc: body.cc,
+      bcc: body.bcc,
+      subject: body.subject,
+      body: body.bodyFormat === 'html' ? { html: body.body } : { plain: body.body },
+      inReplyTo: body.inReplyTo,
+      references: body.references,
+      parentMessageId: body.parentMessageId,
+      channelMetadata: {
+        crmVisibility: body.visibility,
+        crmPersonId: personId,
+      },
+    },
+  )
+  if (!sendResult.ok) {
+    return NextResponse.json({ error: sendResult.error }, { status: sendResult.status })
+  }
+  if (guardResult?.ok && guardResult.shouldRunAfterSuccess) {
+    await runCrudMutationGuardAfterSuccess(container, {
+      tenantId: auth.tenantId,
+      organizationId,
+      userId,
+      resourceKind: 'customers.person',
+      resourceId: personId,
+      operation: 'custom',
+      requestMethod: req.method,
+      requestHeaders: req.headers,
+      metadata: guardResult.metadata ?? null,
+    })
+  }
+  // Delivery is async (handled by the outbound queue worker), so this is the
+  // enqueue time — not the provider send time — and the provider's external
+  // message id is not known yet (the worker assigns it on successful delivery).
+  return NextResponse.json({
+    messageId: sendResult.messageId,
+    threadId: sendResult.threadId,
+    queuedAt: new Date().toISOString(),
+  })
+}
+export const openApi = {
+  tags: ['Customers', 'Email'],
+  methods: {
+    POST: {
+      summary: 'Compose + send an email anchored to a Person',
+      tags: ['Customers', 'Email'],
+      responses: [
+        { status: 200, description: 'Email queued for send' },
+        { status: 400, description: 'Invalid person id' },
+        { status: 401, description: 'Unauthorized' },
+        { status: 403, description: 'Missing customers.email.compose feature or mutation guard rejection' },
+        { status: 404, description: 'Person or channel not found' },
+        { status: 409, description: 'Channel not connected' },
+        { status: 422, description: 'Invalid request body' },
+        { status: 500, description: 'Send failed' },
+      ],
+    },
+  },
+}
+export default POST

package/src/modules/customers/api/people/[id]/route.ts CHANGED Viewed

@@ -40,6 +40,7 @@ import { parseBooleanFromUnknown, parseBooleanToken } from '@open-mercato/shared
 import { isOrganizationReadAccessAllowed } from '@open-mercato/core/modules/directory/utils/organizationScopeGuard'
 import { loadPersonCompanyLinks, summarizePersonCompanies } from '../../../lib/personCompanies'
 import { normalizeCustomerDetailCustomFields } from '../../detailCustomFields'
+import { buildEmailVisibilityMikroFilter } from '../../../lib/visibilityFilter'
 export const metadata = {
   GET: { requireAuth: true, requireFeatures: ['customers.people.view'] },
@@ -513,14 +514,25 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
       profiler.mark('comments_loaded', { count: comments.length })
     }
+    // Per-user email privacy (CRM email integration spec, "Layer 1 — DB filter"):
+    // exclude private email interactions owned by other users from every read
+    // path that returns customer_interactions. Non-email rows, shared emails, and
+    // legacy null-visibility rows pass through. v1 is strict owner-only: there is
+    // NO admin bypass — the filter ignores caller features, and
+    // `customers.email.view_private` is reserved (inert) for v2 oversight.
+    const emailVisibilityFilter = buildEmailVisibilityMikroFilter({
+      currentUserId: viewerUserId,
+      userFeatures: undefined,
+    })
     const shouldLoadCanonicalInteractions = includeInteractions || includeActivities || includeTodos
     const canonicalInteractionRows = shouldLoadCanonicalInteractions
       ? await findWithDecryption(
           em,
           CustomerInteraction,
           interactionFlags.unified
-            ? { entity: person.id, deletedAt: null }
-            : { entity: person.id },
+            ? { entity: person.id, deletedAt: null, ...emailVisibilityFilter }
+            : { entity: person.id, ...emailVisibilityFilter },
           { orderBy: { scheduledAt: 'asc', createdAt: 'desc' }, limit: 100 },
           { tenantId: person.tenantId ?? auth.tenantId ?? null, organizationId: person.organizationId ?? auth.orgId ?? null },
         )
@@ -566,6 +578,7 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
               deletedAt: null,
               status: 'planned',
               interactionType: { $ne: 'task' },
+              ...emailVisibilityFilter,
             },
             { orderBy: { scheduledAt: 'ASC', createdAt: 'ASC' }, limit: plannedPreviewLimit },
             { tenantId: person.tenantId ?? auth.tenantId ?? null, organizationId: person.organizationId ?? auth.orgId ?? null },
@@ -715,12 +728,14 @@ export async function GET(_req: Request, ctx: { params?: { id?: string } }) {
         tenantId: person.tenantId,
         deletedAt: null,
         interactionType: { $ne: 'task' },
+        ...emailVisibilityFilter,
       }),
       interactions: await em.count(CustomerInteraction, {
         entity: person.id,
         organizationId: person.organizationId,
         tenantId: person.tenantId,
         deletedAt: null,
+        ...emailVisibilityFilter,
       }),
       todos: interactionFlags.unified
         ? await em.count(CustomerInteraction, {