npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4397.1.9a65481757 - Mend

@open-mercato/core 0.6.5-develop.4384.1.ce2ec6eaaa → 0.6.5-develop.4397.1.9a65481757

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (533) hide show

package/dist/modules/communication_channels/api/get/channels/[id]/health/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/communication_channels/api/get/channels/%5Bid%5D/health/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { CommunicationChannel, ExternalConversation, MessageChannelLink } from '../../../../../data/entities'\nimport { ChannelAccessDeniedError, assertCanAccessChannel } from '../../../../../lib/access-control'\n\ntype RbacServiceLike = {\n  loadAcl: (\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ) => Promise<{ isSuperAdmin: boolean; features: string[]; organizations: string[] | null }>\n}\n\nexport const metadata = {\n  path: '/communication_channels/channels/[id]/health',\n  GET: { requireAuth: true, requireFeatures: ['communication_channels.view'] },\n}\n\ntype RouteContext = {\n  params: Promise<{ id: string }> | { id: string }\n}\n\nconst WINDOW_HOURS = 24\nconst RECENT_FAILURES_LIMIT = 10\n\n/**\n * Channel health snapshot \u2014 live aggregates from `message_channel_links` rather\n * than a dedicated `HealthLog` table.\n *\n * Returns counts of `sent` / `failed` / `pending` deliveries in the trailing\n * 24-hour window, plus the most recent failed links with last-error context.\n *\n * Per-user isolation: aggregates are scoped to **this channel only** via the\n * `external_conversations.channelId` join (a MessageChannelLink does not have a\n * direct channelId column \u2014 the link goes through ExternalConversation). Before\n * any DB read for aggregates, the channel must pass `assertCanAccessChannel`\n * so a non-admin caller cannot inspect another user's channel telemetry.\n */\nexport async function GET(req: Request, context: RouteContext): Promise<Response> {\n  const { id } = await context.params\n  if (!z.string().uuid().safeParse(id).success) {\n    return NextResponse.json({ error: 'Invalid channel id' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n\n  const dscope = {\n    tenantId: auth.tenantId as string,\n    organizationId: (auth as { orgId?: string | null }).orgId ?? null,\n  }\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    { id, tenantId: auth.tenantId, organizationId: dscope.organizationId, deletedAt: null },\n    undefined,\n    dscope,\n  )\n  if (!channel) {\n    return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n  }\n\n  let userFeatures: string[] = []\n  try {\n    const rbac = container.resolve('rbacService') as RbacServiceLike\n    const acl = await rbac.loadAcl(auth.sub as string, {\n      tenantId: auth.tenantId as string,\n      organizationId: dscope.organizationId,\n    })\n    userFeatures = acl?.isSuperAdmin ? ['*'] : Array.isArray(acl?.features) ? acl.features : []\n  } catch {\n    userFeatures = []\n  }\n  try {\n    assertCanAccessChannel(channel, auth.sub as string, userFeatures)\n  } catch (err) {\n    if (err instanceof ChannelAccessDeniedError) {\n      return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n    }\n    throw err\n  }\n\n  // ExternalConversation is append-only on the hub side \u2014 no soft-delete column.\n  // Scope by channel + tenant so aggregates stay isolated even when the same\n  // provider is connected by multiple users in the same tenant.\n  const conversations = await findWithDecryption(\n    em,\n    ExternalConversation,\n    { channelId: channel.id, tenantId: auth.tenantId },\n    undefined,\n    dscope,\n  )\n  const conversationIds = conversations.map((c) => c.id).filter(Boolean) as string[]\n\n  let links: MessageChannelLink[] = []\n  let recentFailures: MessageChannelLink[] = []\n  if (conversationIds.length > 0) {\n    const since = new Date(Date.now() - WINDOW_HOURS * 60 * 60 * 1000)\n    links = await findWithDecryption(\n      em,\n      MessageChannelLink,\n      {\n        externalConversationId: { $in: conversationIds },\n        tenantId: auth.tenantId,\n        createdAt: { $gte: since },\n      },\n      undefined,\n      dscope,\n    )\n    recentFailures = await findWithDecryption(\n      em,\n      MessageChannelLink,\n      {\n        externalConversationId: { $in: conversationIds },\n        tenantId: auth.tenantId,\n        deliveryStatus: 'failed',\n      },\n      { limit: RECENT_FAILURES_LIMIT, orderBy: { createdAt: 'desc' } },\n      dscope,\n    )\n  }\n\n  const counts = { sent: 0, delivered: 0, read: 0, failed: 0, pending: 0, queued: 0, other: 0 }\n  for (const link of links) {\n    const key = link.deliveryStatus as keyof typeof counts\n    if (key in counts) counts[key] += 1\n    else counts.other += 1\n  }\n\n  return NextResponse.json({\n    channelId: channel.id,\n    providerKey: channel.providerKey,\n    channelType: channel.channelType,\n    windowHours: WINDOW_HOURS,\n    counts,\n    totalsLast24h: links.length,\n    recentFailures: recentFailures.map((link) => ({\n      id: link.id,\n      messageId: link.messageId,\n      direction: link.direction,\n      createdAt: link.createdAt?.toISOString?.() ?? null,\n      lastError:\n        (link.channelMetadata as Record<string, unknown> | null)?.lastError ?? null,\n      transient:\n        (link.channelMetadata as Record<string, unknown> | null)?.transient ?? null,\n    })),\n  })\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    GET: {\n      summary: 'Snapshot of channel delivery health (last 24h)',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 200, description: 'Health snapshot' },\n        { status: 400, description: 'Invalid channel id' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Channel not found' },\n      ],\n    },\n  },\n}\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,sBAAsB,sBAAsB,0BAA0B;AAC/E,SAAS,0BAA0B,8BAA8B;AAS1D,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAC7E;AAMA,MAAM,eAAe;AACrB,MAAM,wBAAwB;AAe9B,eAAsB,IAAI,KAAc,SAA0C;AAChF,QAAM,EAAE,GAAG,IAAI,MAAM,QAAQ;AAC7B,MAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,SAAS;AAC5C,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3E;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,UAAU;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAE3D,QAAM,SAAS;AAAA,IACb,UAAU,KAAK;AAAA,IACf,gBAAiB,KAAmC,SAAS;AAAA,EAC/D;AACA,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,UAAU,KAAK,UAAU,gBAAgB,OAAO,gBAAgB,WAAW,KAAK;AAAA,IACtF;AAAA,IACA;AAAA,EACF;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AAEA,MAAI,eAAyB,CAAC;AAC9B,MAAI;AACF,UAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,UAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAe;AAAA,MACjD,UAAU,KAAK;AAAA,MACf,gBAAgB,OAAO;AAAA,IACzB,CAAC;AACD,mBAAe,KAAK,eAAe,CAAC,GAAG,IAAI,MAAM,QAAQ,KAAK,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EAC5F,QAAQ;AACN,mBAAe,CAAC;AAAA,EAClB;AACA,MAAI;AACF,2BAAuB,SAAS,KAAK,KAAe,YAAY;AAAA,EAClE,SAAS,KAAK;AACZ,QAAI,eAAe,0BAA0B;AAC3C,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AACA,UAAM;AAAA,EACR;AAKA,QAAM,gBAAgB,MAAM;AAAA,IAC1B;AAAA,IACA;AAAA,IACA,EAAE,WAAW,QAAQ,IAAI,UAAU,KAAK,SAAS;AAAA,IACjD;AAAA,IACA;AAAA,EACF;AACA,QAAM,kBAAkB,cAAc,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,OAAO;AAErE,MAAI,QAA8B,CAAC;AACnC,MAAI,iBAAuC,CAAC;AAC5C,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,KAAK,KAAK,GAAI;AACjE,YAAQ,MAAM;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,QACE,wBAAwB,EAAE,KAAK,gBAAgB;AAAA,QAC/C,UAAU,KAAK;AAAA,QACf,WAAW,EAAE,MAAM,MAAM;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,qBAAiB,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,MACA;AAAA,QACE,wBAAwB,EAAE,KAAK,gBAAgB;AAAA,QAC/C,UAAU,KAAK;AAAA,QACf,gBAAgB;AAAA,MAClB;AAAA,MACA,EAAE,OAAO,uBAAuB,SAAS,EAAE,WAAW,OAAO,EAAE;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,GAAG,OAAO,EAAE;AAC5F,aAAW,QAAQ,OAAO;AACxB,UAAM,MAAM,KAAK;AACjB,QAAI,OAAO,OAAQ,QAAO,GAAG,KAAK;AAAA,QAC7B,QAAO,SAAS;AAAA,EACvB;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,aAAa;AAAA,IACb;AAAA,IACA,eAAe,MAAM;AAAA,IACrB,gBAAgB,eAAe,IAAI,CAAC,UAAU;AAAA,MAC5C,IAAI,KAAK;AAAA,MACT,WAAW,KAAK;AAAA,MAChB,WAAW,KAAK;AAAA,MAChB,WAAW,KAAK,WAAW,cAAc,KAAK;AAAA,MAC9C,WACG,KAAK,iBAAoD,aAAa;AAAA,MACzE,WACG,KAAK,iBAAoD,aAAa;AAAA,IAC3E,EAAE;AAAA,EACJ,CAAC;AACH;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB;AAAA,QAC9C,EAAE,QAAQ,KAAK,aAAa,qBAAqB;AAAA,QACjD,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/get/channels/[id]/route.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../../data/entities.js";
+import { ChannelAccessDeniedError, assertCanAccessChannel } from "../../../../lib/access-control.js";
+const metadata = {
+  path: "/communication_channels/channels/[id]",
+  GET: { requireAuth: true, requireFeatures: ["communication_channels.view"] }
+};
+async function GET(req, context) {
+  const { id } = await context.params;
+  if (!z.string().uuid().safeParse(id).success) {
+    return NextResponse.json({ error: "Invalid channel id" }, { status: 400 });
+  }
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const channel = await findOneWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      id,
+      tenantId: auth.tenantId,
+      organizationId: auth.orgId ?? null,
+      deletedAt: null
+    },
+    void 0,
+    { tenantId: auth.tenantId, organizationId: auth.orgId ?? null }
+  );
+  if (!channel) {
+    return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+  }
+  let userFeatures = [];
+  try {
+    const rbac = container.resolve("rbacService");
+    const acl = await rbac.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId: auth.orgId ?? null
+    });
+    userFeatures = acl?.isSuperAdmin ? ["*"] : Array.isArray(acl?.features) ? acl.features : [];
+  } catch {
+    userFeatures = [];
+  }
+  try {
+    assertCanAccessChannel(channel, auth.sub, userFeatures);
+  } catch (err) {
+    if (err instanceof ChannelAccessDeniedError) {
+      return NextResponse.json({ error: "Channel not found" }, { status: 404 });
+    }
+    throw err;
+  }
+  return NextResponse.json({
+    id: channel.id,
+    providerKey: channel.providerKey,
+    channelType: channel.channelType,
+    displayName: channel.displayName,
+    externalIdentifier: channel.externalIdentifier ?? null,
+    credentialsRef: channel.credentialsRef ?? null,
+    capabilities: channel.capabilities ?? null,
+    isActive: channel.isActive,
+    organizationId: channel.organizationId ?? null,
+    createdAt: channel.createdAt?.toISOString?.() ?? null,
+    updatedAt: channel.updatedAt?.toISOString?.() ?? null
+  });
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    GET: {
+      summary: "Get a single communication channel by id",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 200, description: "Channel detail" },
+        { status: 400, description: "Invalid channel id" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Channel not found" }
+      ]
+    }
+  }
+};
+var route_default = GET;
+export {
+  GET,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/get/channels/[id]/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/communication_channels/api/get/channels/%5Bid%5D/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { CommunicationChannel } from '../../../../data/entities'\nimport { ChannelAccessDeniedError, assertCanAccessChannel } from '../../../../lib/access-control'\n\ntype RbacServiceLike = {\n  loadAcl: (\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ) => Promise<{ isSuperAdmin: boolean; features: string[]; organizations: string[] | null }>\n}\n\nexport const metadata = {\n  path: '/communication_channels/channels/[id]',\n  GET: { requireAuth: true, requireFeatures: ['communication_channels.view'] },\n}\n\ntype RouteContext = {\n  params: Promise<{ id: string }> | { id: string }\n}\n\nexport async function GET(req: Request, context: RouteContext): Promise<Response> {\n  const { id } = await context.params\n  if (!z.string().uuid().safeParse(id).success) {\n    return NextResponse.json({ error: 'Invalid channel id' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n\n  const channel = await findOneWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      id,\n      tenantId: auth.tenantId,\n      organizationId: (auth as { orgId?: string | null }).orgId ?? null,\n      deletedAt: null,\n    },\n    undefined,\n    { tenantId: auth.tenantId as string, organizationId: (auth as { orgId?: string | null }).orgId ?? null },\n  )\n  if (!channel) {\n    return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n  }\n\n  // Per-user access guard: callers without `communication_channels.admin` can\n  // only see tenant-wide channels (userId IS NULL) or channels they own.\n  let userFeatures: string[] = []\n  try {\n    const rbac = container.resolve('rbacService') as RbacServiceLike\n    const acl = await rbac.loadAcl(auth.sub as string, {\n      tenantId: auth.tenantId as string,\n      organizationId: (auth as { orgId?: string | null }).orgId ?? null,\n    })\n    userFeatures = acl?.isSuperAdmin\n      ? ['*']\n      : (Array.isArray(acl?.features) ? acl.features : [])\n  } catch {\n    userFeatures = []\n  }\n  try {\n    assertCanAccessChannel(channel, auth.sub as string, userFeatures)\n  } catch (err) {\n    if (err instanceof ChannelAccessDeniedError) {\n      // 404 (not 403) \u2014 don't leak existence of other users' channels.\n      return NextResponse.json({ error: 'Channel not found' }, { status: 404 })\n    }\n    throw err\n  }\n\n  return NextResponse.json({\n    id: channel.id,\n    providerKey: channel.providerKey,\n    channelType: channel.channelType,\n    displayName: channel.displayName,\n    externalIdentifier: channel.externalIdentifier ?? null,\n    credentialsRef: channel.credentialsRef ?? null,\n    capabilities: channel.capabilities ?? null,\n    isActive: channel.isActive,\n    organizationId: channel.organizationId ?? null,\n    createdAt: channel.createdAt?.toISOString?.() ?? null,\n    updatedAt: channel.updatedAt?.toISOString?.() ?? null,\n  })\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    GET: {\n      summary: 'Get a single communication channel by id',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 200, description: 'Channel detail' },\n        { status: 400, description: 'Invalid channel id' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Channel not found' },\n      ],\n    },\n  },\n}\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,6BAA6B;AACtC,SAAS,4BAA4B;AACrC,SAAS,0BAA0B,8BAA8B;AAS1D,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAC7E;AAMA,eAAsB,IAAI,KAAc,SAA0C;AAChF,QAAM,EAAE,GAAG,IAAI,MAAM,QAAQ;AAC7B,MAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,SAAS;AAC5C,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3E;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,UAAU;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAE3D,QAAM,UAAU,MAAM;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,UAAU,KAAK;AAAA,MACf,gBAAiB,KAAmC,SAAS;AAAA,MAC7D,WAAW;AAAA,IACb;AAAA,IACA;AAAA,IACA,EAAE,UAAU,KAAK,UAAoB,gBAAiB,KAAmC,SAAS,KAAK;AAAA,EACzG;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1E;AAIA,MAAI,eAAyB,CAAC;AAC9B,MAAI;AACF,UAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,UAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAe;AAAA,MACjD,UAAU,KAAK;AAAA,MACf,gBAAiB,KAAmC,SAAS;AAAA,IAC/D,CAAC;AACD,mBAAe,KAAK,eAChB,CAAC,GAAG,IACH,MAAM,QAAQ,KAAK,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EACtD,QAAQ;AACN,mBAAe,CAAC;AAAA,EAClB;AACA,MAAI;AACF,2BAAuB,SAAS,KAAK,KAAe,YAAY;AAAA,EAClE,SAAS,KAAK;AACZ,QAAI,eAAe,0BAA0B;AAE3C,aAAO,aAAa,KAAK,EAAE,OAAO,oBAAoB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC1E;AACA,UAAM;AAAA,EACR;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI,QAAQ;AAAA,IACZ,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,oBAAoB,QAAQ,sBAAsB;AAAA,IAClD,gBAAgB,QAAQ,kBAAkB;AAAA,IAC1C,cAAc,QAAQ,gBAAgB;AAAA,IACtC,UAAU,QAAQ;AAAA,IAClB,gBAAgB,QAAQ,kBAAkB;AAAA,IAC1C,WAAW,QAAQ,WAAW,cAAc,KAAK;AAAA,IACjD,WAAW,QAAQ,WAAW,cAAc,KAAK;AAAA,EACnD,CAAC;AACH;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iBAAiB;AAAA,QAC7C,EAAE,QAAQ,KAAK,aAAa,qBAAqB;AAAA,QACjD,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/get/channels/route.js ADDED Viewed

@@ -0,0 +1,96 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findAndCountWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../data/entities.js";
+const metadata = {
+  path: "/communication_channels/channels",
+  GET: { requireAuth: true, requireFeatures: ["communication_channels.view"] }
+};
+const listQuerySchema = z.object({
+  page: z.coerce.number().int().min(1).default(1),
+  pageSize: z.coerce.number().int().min(1).max(100).default(50),
+  providerKey: z.string().optional(),
+  channelType: z.string().optional(),
+  isActive: z.union([z.literal("true"), z.literal("false")]).optional().transform((value) => value === void 0 ? void 0 : value === "true")
+});
+async function GET(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const url = new URL(req.url);
+  const parsed = listQuerySchema.safeParse(Object.fromEntries(url.searchParams.entries()));
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: "Invalid query", details: parsed.error.flatten() },
+      { status: 400 }
+    );
+  }
+  const { page, pageSize, providerKey, channelType, isActive } = parsed.data;
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const where = {
+    tenantId: auth.tenantId,
+    organizationId: auth.orgId ?? null,
+    deletedAt: null,
+    userId: null
+  };
+  if (providerKey) where.providerKey = providerKey;
+  if (channelType) where.channelType = channelType;
+  if (isActive !== void 0) where.isActive = isActive;
+  const [items, total] = await findAndCountWithDecryption(
+    em,
+    CommunicationChannel,
+    where,
+    {
+      limit: pageSize,
+      offset: (page - 1) * pageSize,
+      orderBy: { createdAt: "desc" }
+    },
+    { tenantId: auth.tenantId, organizationId: auth.orgId ?? null }
+  );
+  return NextResponse.json({
+    items: items.map(serializeChannel),
+    total,
+    page,
+    pageSize,
+    totalPages: Math.max(1, Math.ceil(total / pageSize))
+  });
+}
+function serializeChannel(channel) {
+  return {
+    id: channel.id,
+    providerKey: channel.providerKey,
+    channelType: channel.channelType,
+    displayName: channel.displayName,
+    externalIdentifier: channel.externalIdentifier ?? null,
+    isActive: channel.isActive,
+    capabilities: channel.capabilities ?? null,
+    createdAt: channel.createdAt?.toISOString?.() ?? null,
+    updatedAt: channel.updatedAt?.toISOString?.() ?? null
+  };
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    GET: {
+      summary: "List communication channels for the current tenant",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 200, description: "Channel list (paginated)" },
+        { status: 400, description: "Invalid query parameters" },
+        { status: 401, description: "Unauthorized" }
+      ]
+    }
+  }
+};
+var route_default = GET;
+export {
+  GET,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/get/channels/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/communication_channels/api/get/channels/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findAndCountWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { CommunicationChannel } from '../../../data/entities'\n\nexport const metadata = {\n  path: '/communication_channels/channels',\n  GET: { requireAuth: true, requireFeatures: ['communication_channels.view'] },\n}\n\nconst listQuerySchema = z.object({\n  page: z.coerce.number().int().min(1).default(1),\n  pageSize: z.coerce.number().int().min(1).max(100).default(50),\n  providerKey: z.string().optional(),\n  channelType: z.string().optional(),\n  isActive: z\n    .union([z.literal('true'), z.literal('false')])\n    .optional()\n    .transform((value) => (value === undefined ? undefined : value === 'true')),\n})\n\nexport async function GET(req: Request): Promise<Response> {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const url = new URL(req.url)\n  const parsed = listQuerySchema.safeParse(Object.fromEntries(url.searchParams.entries()))\n  if (!parsed.success) {\n    return NextResponse.json(\n      { error: 'Invalid query', details: parsed.error.flatten() },\n      { status: 400 },\n    )\n  }\n  const { page, pageSize, providerKey, channelType, isActive } = parsed.data\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n\n  // Personal mailbox privacy (v1: strict owner-only). The admin Channels page\n  // lists ONLY shared / tenant-wide channels (WhatsApp Business, shared inboxes,\n  // Slack workspaces) \u2014 rows where `user_id IS NULL`. Per-user email mailboxes\n  // (`user_id` set) are private to their owner and surface exclusively on the\n  // profile page (`/api/communication_channels/me/channels`), never here, so no\n  // one \u2014 admins included \u2014 can see another user's connected personal account.\n  const where: Record<string, unknown> = {\n    tenantId: auth.tenantId,\n    organizationId: (auth as { orgId?: string | null }).orgId ?? null,\n    deletedAt: null,\n    userId: null,\n  }\n  if (providerKey) where.providerKey = providerKey\n  if (channelType) where.channelType = channelType\n  if (isActive !== undefined) where.isActive = isActive\n\n  const [items, total] = await findAndCountWithDecryption(\n    em,\n    CommunicationChannel,\n    where,\n    {\n      limit: pageSize,\n      offset: (page - 1) * pageSize,\n      orderBy: { createdAt: 'desc' },\n    },\n    { tenantId: auth.tenantId as string, organizationId: (auth as { orgId?: string | null }).orgId ?? null },\n  )\n\n  return NextResponse.json({\n    items: items.map(serializeChannel),\n    total,\n    page,\n    pageSize,\n    totalPages: Math.max(1, Math.ceil(total / pageSize)),\n  })\n}\n\nfunction serializeChannel(channel: CommunicationChannel) {\n  return {\n    id: channel.id,\n    providerKey: channel.providerKey,\n    channelType: channel.channelType,\n    displayName: channel.displayName,\n    externalIdentifier: channel.externalIdentifier ?? null,\n    isActive: channel.isActive,\n    capabilities: channel.capabilities ?? null,\n    createdAt: channel.createdAt?.toISOString?.() ?? null,\n    updatedAt: channel.updatedAt?.toISOString?.() ?? null,\n  }\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    GET: {\n      summary: 'List communication channels for the current tenant',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 200, description: 'Channel list (paginated)' },\n        { status: 400, description: 'Invalid query parameters' },\n        { status: 401, description: 'Unauthorized' },\n      ],\n    },\n  },\n}\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,kCAAkC;AAC3C,SAAS,4BAA4B;AAE9B,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAC7E;AAEA,MAAM,kBAAkB,EAAE,OAAO;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EAC9C,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EAC5D,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,EACP,MAAM,CAAC,EAAE,QAAQ,MAAM,GAAG,EAAE,QAAQ,OAAO,CAAC,CAAC,EAC7C,SAAS,EACT,UAAU,CAAC,UAAW,UAAU,SAAY,SAAY,UAAU,MAAO;AAC9E,CAAC;AAED,eAAsB,IAAI,KAAiC;AACzD,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,UAAU;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,gBAAgB,UAAU,OAAO,YAAY,IAAI,aAAa,QAAQ,CAAC,CAAC;AACvF,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,SAAS,OAAO,MAAM,QAAQ,EAAE;AAAA,MAC1D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACA,QAAM,EAAE,MAAM,UAAU,aAAa,aAAa,SAAS,IAAI,OAAO;AAEtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAQ3D,QAAM,QAAiC;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAiB,KAAmC,SAAS;AAAA,IAC7D,WAAW;AAAA,IACX,QAAQ;AAAA,EACV;AACA,MAAI,YAAa,OAAM,cAAc;AACrC,MAAI,YAAa,OAAM,cAAc;AACrC,MAAI,aAAa,OAAW,OAAM,WAAW;AAE7C,QAAM,CAAC,OAAO,KAAK,IAAI,MAAM;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,SAAS,OAAO,KAAK;AAAA,MACrB,SAAS,EAAE,WAAW,OAAO;AAAA,IAC/B;AAAA,IACA,EAAE,UAAU,KAAK,UAAoB,gBAAiB,KAAmC,SAAS,KAAK;AAAA,EACzG;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,OAAO,MAAM,IAAI,gBAAgB;AAAA,IACjC;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAAA,EACrD,CAAC;AACH;AAEA,SAAS,iBAAiB,SAA+B;AACvD,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,oBAAoB,QAAQ,sBAAsB;AAAA,IAClD,UAAU,QAAQ;AAAA,IAClB,cAAc,QAAQ,gBAAgB;AAAA,IACtC,WAAW,QAAQ,WAAW,cAAc,KAAK;AAAA,IACjD,WAAW,QAAQ,WAAW,cAAc,KAAK;AAAA,EACnD;AACF;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,2BAA2B;AAAA,QACvD,EAAE,QAAQ,KAAK,aAAa,2BAA2B;AAAA,QACvD,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/get/me/channels/route.js ADDED Viewed

@@ -0,0 +1,82 @@
+import { NextResponse } from "next/server";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { CommunicationChannel } from "../../../../data/entities.js";
+const metadata = {
+  path: "/communication_channels/me/channels",
+  GET: {
+    requireAuth: true,
+    requireFeatures: ["communication_channels.connect_user_channel"]
+  }
+};
+async function GET(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub || !auth?.tenantId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const container = await createRequestContainer();
+  const em = container.resolve("em").fork();
+  const channels = await findWithDecryption(
+    em,
+    CommunicationChannel,
+    {
+      tenantId: auth.tenantId,
+      organizationId: auth.orgId ?? null,
+      userId: auth.sub,
+      deletedAt: null
+    },
+    { orderBy: { createdAt: "desc" } },
+    { tenantId: auth.tenantId, organizationId: auth.orgId ?? null }
+  );
+  return NextResponse.json({
+    items: channels.map(serialize),
+    total: channels.length
+  });
+}
+function serialize(channel) {
+  const channelState = channel.channelState ?? null;
+  const pushStatus = typeof channelState?.pushStatus === "string" ? channelState.pushStatus : null;
+  const lastPushError = channelState?.lastPushError && typeof channelState.lastPushError === "object" ? {
+    code: channelState.lastPushError.code ?? null,
+    message: channelState.lastPushError.message ?? null,
+    at: channelState.lastPushError.at ?? null
+  } : null;
+  return {
+    id: channel.id,
+    providerKey: channel.providerKey,
+    channelType: channel.channelType,
+    displayName: channel.displayName,
+    externalIdentifier: channel.externalIdentifier ?? null,
+    isPrimary: channel.isPrimary,
+    isActive: channel.isActive,
+    status: channel.status,
+    lastError: channel.lastError ?? null,
+    pollIntervalSeconds: channel.pollIntervalSeconds ?? null,
+    lastPolledAt: channel.lastPolledAt?.toISOString?.() ?? null,
+    pushStatus,
+    lastPushError,
+    createdAt: channel.createdAt?.toISOString?.() ?? null
+  };
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    GET: {
+      summary: "List the current user's connected channels",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 200, description: "List of user-owned channels" },
+        { status: 401, description: "Unauthorized" }
+      ]
+    }
+  }
+};
+var route_default = GET;
+export {
+  GET,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/communication_channels/api/get/me/channels/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/communication_channels/api/get/me/channels/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { CommunicationChannel } from '../../../../data/entities'\n\nexport const metadata = {\n  path: '/communication_channels/me/channels',\n  GET: {\n    requireAuth: true,\n    requireFeatures: ['communication_channels.connect_user_channel'],\n  },\n}\n\n/**\n * List the current user's owned channels. Used by the profile page.\n *\n * Returns the user-scoped subset only (NOT tenant-wide channels). Admin views\n * of all channels live under `/api/communication_channels/channels` (slice 2e).\n */\nexport async function GET(req: Request): Promise<Response> {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub || !auth?.tenantId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager).fork()\n\n  const channels = await findWithDecryption(\n    em,\n    CommunicationChannel,\n    {\n      tenantId: auth.tenantId as string,\n      organizationId: (auth as { orgId?: string | null }).orgId ?? null,\n      userId: auth.sub as string,\n      deletedAt: null,\n    },\n    { orderBy: { createdAt: 'desc' } },\n    { tenantId: auth.tenantId as string, organizationId: (auth as { orgId?: string | null }).orgId ?? null },\n  )\n\n  return NextResponse.json({\n    items: (channels as CommunicationChannel[]).map(serialize),\n    total: channels.length,\n  })\n}\n\nfunction serialize(channel: CommunicationChannel) {\n  // Spec C \u2014 expose push status + last push error to the operator UI so\n  // the `PushStatusSection` can render the \"Re-register push\" affordance.\n  const channelState =\n    (channel.channelState as\n      | { pushStatus?: string; lastPushError?: { code?: string; message?: string; at?: string } | null }\n      | null) ?? null\n  const pushStatus =\n    typeof channelState?.pushStatus === 'string'\n      ? (channelState.pushStatus as 'active' | 'inactive' | 'failed')\n      : null\n  const lastPushError =\n    channelState?.lastPushError && typeof channelState.lastPushError === 'object'\n      ? {\n          code: channelState.lastPushError.code ?? null,\n          message: channelState.lastPushError.message ?? null,\n          at: channelState.lastPushError.at ?? null,\n        }\n      : null\n  return {\n    id: channel.id,\n    providerKey: channel.providerKey,\n    channelType: channel.channelType,\n    displayName: channel.displayName,\n    externalIdentifier: channel.externalIdentifier ?? null,\n    isPrimary: channel.isPrimary,\n    isActive: channel.isActive,\n    status: channel.status,\n    lastError: channel.lastError ?? null,\n    pollIntervalSeconds: channel.pollIntervalSeconds ?? null,\n    lastPolledAt: channel.lastPolledAt?.toISOString?.() ?? null,\n    pushStatus,\n    lastPushError,\n    createdAt: channel.createdAt?.toISOString?.() ?? null,\n  }\n}\n\nexport const openApi = {\n  tags: ['CommunicationChannels'],\n  methods: {\n    GET: {\n      summary: 'List the current user\\'s connected channels',\n      tags: ['CommunicationChannels'],\n      responses: [\n        { status: 200, description: 'List of user-owned channels' },\n        { status: 401, description: 'Unauthorized' },\n      ],\n    },\n  },\n}\nexport default GET\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,0BAA0B;AACnC,SAAS,4BAA4B;AAE9B,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK;AAAA,IACH,aAAa;AAAA,IACb,iBAAiB,CAAC,6CAA6C;AAAA,EACjE;AACF;AAQA,eAAsB,IAAI,KAAiC;AACzD,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,OAAO,CAAC,MAAM,UAAU;AACjC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI,EAAoB,KAAK;AAE3D,QAAM,WAAW,MAAM;AAAA,IACrB;AAAA,IACA;AAAA,IACA;AAAA,MACE,UAAU,KAAK;AAAA,MACf,gBAAiB,KAAmC,SAAS;AAAA,MAC7D,QAAQ,KAAK;AAAA,MACb,WAAW;AAAA,IACb;AAAA,IACA,EAAE,SAAS,EAAE,WAAW,OAAO,EAAE;AAAA,IACjC,EAAE,UAAU,KAAK,UAAoB,gBAAiB,KAAmC,SAAS,KAAK;AAAA,EACzG;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,OAAQ,SAAoC,IAAI,SAAS;AAAA,IACzD,OAAO,SAAS;AAAA,EAClB,CAAC;AACH;AAEA,SAAS,UAAU,SAA+B;AAGhD,QAAM,eACH,QAAQ,gBAEI;AACf,QAAM,aACJ,OAAO,cAAc,eAAe,WAC/B,aAAa,aACd;AACN,QAAM,gBACJ,cAAc,iBAAiB,OAAO,aAAa,kBAAkB,WACjE;AAAA,IACE,MAAM,aAAa,cAAc,QAAQ;AAAA,IACzC,SAAS,aAAa,cAAc,WAAW;AAAA,IAC/C,IAAI,aAAa,cAAc,MAAM;AAAA,EACvC,IACA;AACN,SAAO;AAAA,IACL,IAAI,QAAQ;AAAA,IACZ,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,oBAAoB,QAAQ,sBAAsB;AAAA,IAClD,WAAW,QAAQ;AAAA,IACnB,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,IAChB,WAAW,QAAQ,aAAa;AAAA,IAChC,qBAAqB,QAAQ,uBAAuB;AAAA,IACpD,cAAc,QAAQ,cAAc,cAAc,KAAK;AAAA,IACvD;AAAA,IACA;AAAA,IACA,WAAW,QAAQ,WAAW,cAAc,KAAK;AAAA,EACnD;AACF;AAEO,MAAM,UAAU;AAAA,EACrB,MAAM,CAAC,uBAAuB;AAAA,EAC9B,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,uBAAuB;AAAA,MAC9B,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,8BAA8B;AAAA,QAC1D,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AACF;AACA,IAAO,gBAAQ;",
+  "names": []
+}

package/dist/modules/communication_channels/api/get/oauth/[provider]/callback/route.js ADDED Viewed

@@ -0,0 +1,274 @@
+import { NextResponse } from "next/server";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { toAbsoluteUrl } from "@open-mercato/shared/lib/url";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { createConnectedChannelRow, MailboxAlreadyConnectedError } from "../../../../../lib/connect-channel.js";
+import { getChannelAdapter } from "../../../../../lib/adapter-registry-singleton.js";
+import { resolveOAuthClientCredentials } from "../../../../../lib/oauth-client-config.js";
+import {
+  COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME,
+  DEFAULT_OAUTH_RETURN_URL,
+  normalizeOAuthReturnUrl,
+  OAuthStateError,
+  verifyOAuthState
+} from "../../../../../lib/oauth-state.js";
+const metadata = {
+  path: "/communication_channels/oauth/[provider]/callback",
+  // No auth feature gate — the state cookie carries identity. The route still
+  // verifies the session below to bind the callback to its initiator.
+  GET: { requireAuth: true }
+};
+function redirectWithFlash(req, returnUrl, flash) {
+  const base = new URL(
+    normalizeOAuthReturnUrl(returnUrl, DEFAULT_OAUTH_RETURN_URL),
+    new URL(req.url).origin
+  );
+  base.searchParams.set("flash", flash.type);
+  if (flash.code) base.searchParams.set("code", flash.code);
+  if (flash.provider) base.searchParams.set("provider", flash.provider);
+  if (flash.channelId) base.searchParams.set("channelId", flash.channelId);
+  const response = NextResponse.redirect(base.toString(), 302);
+  response.cookies.set({
+    name: COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME,
+    value: "",
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0
+  });
+  return response;
+}
+async function GET(req, context) {
+  const { provider } = await context.params;
+  const url = new URL(req.url);
+  const code = url.searchParams.get("code") ?? "";
+  const stateParam = url.searchParams.get("state") ?? "";
+  const error = url.searchParams.get("error");
+  if (error) {
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, { type: "error", code: error, provider });
+  }
+  if (!code || !stateParam) {
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {
+      type: "error",
+      code: "missing_code_or_state",
+      provider
+    });
+  }
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub || !auth?.tenantId) {
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {
+      type: "error",
+      code: "unauthorized",
+      provider
+    });
+  }
+  const adapter = getChannelAdapter(provider);
+  if (!adapter || typeof adapter.exchangeOAuthCode !== "function") {
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {
+      type: "error",
+      code: "unknown_provider",
+      provider
+    });
+  }
+  const cookieValue = req.headers.get("cookie") ?? "";
+  const stateCookie = parseCookie(cookieValue, COMMUNICATION_CHANNELS_OAUTH_STATE_COOKIE_NAME);
+  let statePayload;
+  try {
+    statePayload = verifyOAuthState({
+      cookie: stateCookie,
+      expectedUserId: auth.sub,
+      expectedProviderKey: provider,
+      expectedState: stateParam
+    });
+  } catch (err) {
+    const errCode = err instanceof OAuthStateError ? err.code : "invalid_state";
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {
+      type: "error",
+      code: errCode,
+      provider
+    });
+  }
+  if (statePayload.tenantId !== auth.tenantId) {
+    return redirectWithFlash(req, DEFAULT_OAUTH_RETURN_URL, {
+      type: "error",
+      code: "tenant_mismatch",
+      provider
+    });
+  }
+  const returnUrl = normalizeOAuthReturnUrl(statePayload.returnUrl, DEFAULT_OAUTH_RETURN_URL);
+  const container = await createRequestContainer();
+  const credentialsService = (() => {
+    try {
+      return container.resolve("integrationCredentialsService");
+    } catch {
+      return null;
+    }
+  })();
+  const oauthClientCredentials = await resolveOAuthClientCredentials(credentialsService, provider, {
+    tenantId: statePayload.tenantId,
+    organizationId: statePayload.organizationId ?? null
+  });
+  if (!oauthClientCredentials) {
+    return redirectWithFlash(req, returnUrl, {
+      type: "error",
+      code: "oauth_client_not_configured",
+      provider
+    });
+  }
+  const redirectUri = toAbsoluteUrl(req, `/api/communication_channels/oauth/${provider}/callback`);
+  let exchange;
+  try {
+    exchange = await adapter.exchangeOAuthCode({
+      code,
+      redirectUri,
+      credentials: oauthClientCredentials,
+      scope: {
+        tenantId: statePayload.tenantId,
+        organizationId: statePayload.organizationId ?? statePayload.tenantId
+      },
+      stateExtra: statePayload.extra
+    });
+  } catch (err) {
+    console.warn(
+      `[communication_channels:oauth] code exchange failed for provider ${provider}:`,
+      err instanceof Error ? err.message : err
+    );
+    return redirectWithFlash(req, returnUrl, {
+      type: "error",
+      code: "exchange_failed",
+      provider
+    });
+  }
+  const em = container.resolve("em").fork();
+  const credentialsScope = {
+    tenantId: statePayload.tenantId,
+    organizationId: statePayload.organizationId ?? statePayload.tenantId,
+    userId: auth.sub
+  };
+  let credentialsRefId = null;
+  let credentialsPersisted = false;
+  if (credentialsService?.save) {
+    try {
+      await credentialsService.save(
+        `channel_${provider}`,
+        {
+          ...exchange.credentials,
+          userId: auth.sub,
+          expiresAt: exchange.expiresAt ? exchange.expiresAt.toISOString() : void 0
+        },
+        credentialsScope
+      );
+      credentialsPersisted = true;
+    } catch (err) {
+      console.warn(
+        `[communication_channels:oauth] persisting credentials failed for provider ${provider}:`,
+        err instanceof Error ? err.message : err
+      );
+    }
+  }
+  if (credentialsPersisted) {
+    try {
+      const { IntegrationCredentials } = await import("@open-mercato/core/modules/integrations/data/entities");
+      const { findOneWithDecryption } = await import("@open-mercato/shared/lib/encryption/find");
+      const row = await findOneWithDecryption(
+        em,
+        IntegrationCredentials,
+        {
+          integrationId: `channel_${provider}`,
+          tenantId: credentialsScope.tenantId,
+          organizationId: credentialsScope.organizationId,
+          userId: credentialsScope.userId,
+          deletedAt: null
+        },
+        void 0,
+        credentialsScope
+      );
+      credentialsRefId = row?.id ?? null;
+    } catch {
+      credentialsRefId = null;
+    }
+  }
+  const displayName = exchange.displayName ?? exchange.externalIdentifier ?? `${provider} channel`;
+  const credentialsAvailable = credentialsRefId !== null;
+  let channel;
+  try {
+    channel = await createConnectedChannelRow({
+      em,
+      adapter,
+      providerKey: provider,
+      displayName,
+      externalIdentifier: exchange.externalIdentifier ?? null,
+      credentialsRefId,
+      userId: auth.sub,
+      scope: { tenantId: statePayload.tenantId, organizationId: statePayload.organizationId ?? null }
+    });
+  } catch (err) {
+    if (err instanceof MailboxAlreadyConnectedError) {
+      console.warn(
+        `[communication_channels:oauth] mailbox ${err.externalIdentifier} already connected via ${err.existingProviderKey}`
+      );
+      return redirectWithFlash(req, returnUrl, {
+        type: "error",
+        code: "mailbox_already_connected",
+        provider
+      });
+    }
+    throw err;
+  }
+  const adapterSupportsPush = typeof adapter.registerPush === "function" && typeof adapter.unregisterPush === "function";
+  if (credentialsAvailable && adapterSupportsPush && statePayload.organizationId && provider === "gmail") {
+    try {
+      const { pushRegister } = await import("../../../../../commands/push-register.js");
+      await pushRegister({
+        container,
+        scope: {
+          tenantId: statePayload.tenantId,
+          organizationId: statePayload.organizationId,
+          userId: auth.sub
+        },
+        input: { channelId: channel.id }
+      });
+    } catch (err) {
+      console.warn(
+        `[oauth-callback] best-effort pushRegister failed for ${channel.id}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  return redirectWithFlash(req, returnUrl, {
+    type: "connected",
+    provider,
+    channelId: channel.id
+  });
+}
+function parseCookie(header, name) {
+  if (!header) return null;
+  const segments = header.split(";");
+  for (const segment of segments) {
+    const trimmed = segment.trim();
+    if (trimmed.startsWith(`${name}=`)) {
+      return decodeURIComponent(trimmed.slice(name.length + 1));
+    }
+  }
+  return null;
+}
+const openApi = {
+  tags: ["CommunicationChannels"],
+  methods: {
+    GET: {
+      summary: "OAuth callback \u2014 exchange code, persist credentials, create per-user channel",
+      tags: ["CommunicationChannels"],
+      responses: [
+        { status: 302, description: "Redirect back to returnUrl with flash query params" }
+      ]
+    }
+  }
+};
+var route_default = GET;
+export {
+  GET,
+  route_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map