npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4516.1.88e6ab71a9 → 0.6.5-develop.4544.1.71c003c861 - Mend

@open-mercato/core 0.6.5-develop.4516.1.88e6ab71a9 → 0.6.5-develop.4544.1.71c003c861

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (726) hide show

package/dist/modules/customer_accounts/api/admin/roles/[id].js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/customer_accounts/api/admin/roles/%5Bid%5D.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerRole, CustomerRoleAcl, CustomerUserRole } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { updateRoleSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\n\nexport const metadata = {}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function GET(req: Request, { params }: { params: { id: string } }) {\n  if (!UUID_RE.test(params.id)) {\n    return NextResponse.json({ ok: false, error: 'Invalid role ID' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  const acl = await em.findOne(CustomerRoleAcl, {\n    role: role.id as any,\n    tenantId: auth.tenantId,\n  })\n\n  const features = acl && Array.isArray(acl.featuresJson) ? acl.featuresJson : []\n\n  return NextResponse.json({\n    ok: true,\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    description: role.description || null,\n    isDefault: role.isDefault,\n    isSystem: role.isSystem,\n    customerAssignable: role.customerAssignable,\n    createdAt: role.createdAt,\n    updatedAt: role.updatedAt || null,\n    features,\n  })\n}\n\nexport async function PUT(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = updateRoleSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  if (role.isSystem && parsed.data.name !== undefined && parsed.data.name !== role.name) {\n    return NextResponse.json({ ok: false, error: 'Cannot change name of a system role' }, { status: 400 })\n  }\n\n  const updates: Record<string, unknown> = {}\n  if (parsed.data.name !== undefined) updates.name = parsed.data.name\n  if (parsed.data.description !== undefined) updates.description = parsed.data.description\n  if (parsed.data.isDefault !== undefined) updates.isDefault = parsed.data.isDefault\n  if (parsed.data.customerAssignable !== undefined) updates.customerAssignable = parsed.data.customerAssignable\n\n  if (Object.keys(updates).length > 0) {\n    await em.nativeUpdate(CustomerRole, { id: role.id }, updates)\n  }\n\n  void emitCustomerAccountsEvent('customer_accounts.role.updated', {\n    id: role.id,\n    name: updates.name as string || role.name,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nexport async function DELETE(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  if (role.isSystem) {\n    return NextResponse.json({ ok: false, error: 'Cannot delete a system role' }, { status: 400 })\n  }\n\n  const assignedUsersCount = await em.count(CustomerUserRole, {\n    role: role.id as any,\n    deletedAt: null,\n  })\n  if (assignedUsersCount > 0) {\n    return NextResponse.json({ ok: false, error: `Cannot delete role with ${assignedUsersCount} assigned user(s). Reassign users first.` }, { status: 400 })\n  }\n\n  await em.nativeUpdate(CustomerRole, { id: role.id }, { deletedAt: new Date() })\n  await em.nativeUpdate(CustomerRoleAcl, { role: role.id as any }, { deletedAt: new Date() })\n\n  void emitCustomerAccountsEvent('customer_accounts.role.deleted', {\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nconst aclSchema = z.object({\n  features: z.array(z.string()),\n  isPortalAdmin: z.boolean(),\n})\nconst roleDetailSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n  acl: aclSchema,\n})\n\nconst successSchema = z.object({ ok: z.literal(true) })\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'Get customer role detail (admin)',\n  description: 'Returns full customer role details including ACL features.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'Role detail with ACL',\n    schema: z.object({ ok: z.literal(true), role: roleDetailSchema }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nconst putMethodDoc: OpenApiMethodDoc = {\n  summary: 'Update customer role (admin)',\n  description: 'Updates a customer role. System roles are protected from name changes.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: updateRoleSchema },\n  responses: [{ status: 200, description: 'Role updated', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed or system role restriction', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nconst deleteMethodDoc: OpenApiMethodDoc = {\n  summary: 'Delete customer role (admin)',\n  description: 'Soft deletes a customer role and its ACL. System roles and roles with assigned users cannot be deleted.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{ status: 200, description: 'Role deleted', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'System role or has assigned users', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer role detail management (admin)',\n  pathParams: z.object({ id: z.string().uuid() }),\n  methods: {\n    GET: getMethodDoc,\n    PUT: putMethodDoc,\n    DELETE: deleteMethodDoc,\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,iBAAiB,wBAAwB;AAChE,SAAS,wBAAwB;AACjC,SAAS,iCAAiC;AAEnC,MAAM,WAAW,CAAC;AAEzB,MAAM,UAAU;AAEhB,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,MAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,GAAG;AAC5B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnF;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,MAAM,MAAM,GAAG,QAAQ,iBAAiB;AAAA,IAC5C,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,EACjB,CAAC;AAED,QAAM,WAAW,OAAO,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAE9E,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,aAAa,KAAK,eAAe;AAAA,IACjC,WAAW,KAAK;AAAA,IAChB,UAAU,KAAK;AAAA,IACf,oBAAoB,KAAK;AAAA,IACzB,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,IAC7B;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,iBAAiB,UAAU,IAAI;AAC9C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,MAAI,KAAK,YAAY,OAAO,KAAK,SAAS,UAAa,OAAO,KAAK,SAAS,KAAK,MAAM;AACrF,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,sCAAsC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvG;AAEA,QAAM,UAAmC,CAAC;AAC1C,MAAI,OAAO,KAAK,SAAS,OAAW,SAAQ,OAAO,OAAO,KAAK;AAC/D,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK;AAC7E,MAAI,OAAO,KAAK,cAAc,OAAW,SAAQ,YAAY,OAAO,KAAK;AACzE,MAAI,OAAO,KAAK,uBAAuB,OAAW,SAAQ,qBAAqB,OAAO,KAAK;AAE3F,MAAI,OAAO,KAAK,OAAO,EAAE,SAAS,GAAG;AACnC,UAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,OAAO;AAAA,EAC9D;AAEA,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,QAAQ,QAAkB,KAAK;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,eAAsB,OAAO,KAAc,EAAE,OAAO,GAA+B;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,MAAI,KAAK,UAAU;AACjB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/F;AAEA,QAAM,qBAAqB,MAAM,GAAG,MAAM,kBAAkB;AAAA,IAC1D,MAAM,KAAK;AAAA,IACX,WAAW;AAAA,EACb,CAAC;AACD,MAAI,qBAAqB,GAAG;AAC1B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,kBAAkB,2CAA2C,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzJ;AAEA,QAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC9E,QAAM,GAAG,aAAa,iBAAiB,EAAE,MAAM,KAAK,GAAU,GAAG,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAC;AAE1F,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,QAAQ;AAC3B,CAAC;AACD,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,KAAK;AACP,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AACtD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,iBAAiB,CAAC;AAAA,EAClE,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,iBAAiB;AAAA,EACxC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,gDAAgD,QAAQ,YAAY;AAAA,IAChG,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,kBAAoC;AAAA,EACxC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qCAAqC,QAAQ,YAAY;AAAA,IACrF,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,EAC9C,SAAS;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,EACV;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerRole, CustomerRoleAcl, CustomerUserRole } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { updateRoleSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\n\nexport const metadata = {}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function GET(req: Request, { params }: { params: { id: string } }) {\n  if (!UUID_RE.test(params.id)) {\n    return NextResponse.json({ ok: false, error: 'Invalid role ID' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  const acl = await em.findOne(CustomerRoleAcl, {\n    role: role.id as any,\n    tenantId: auth.tenantId,\n  })\n\n  const features = acl && Array.isArray(acl.featuresJson) ? acl.featuresJson : []\n\n  return NextResponse.json({\n    ok: true,\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    description: role.description || null,\n    isDefault: role.isDefault,\n    isSystem: role.isSystem,\n    customerAssignable: role.customerAssignable,\n    createdAt: role.createdAt,\n    updatedAt: role.updatedAt || null,\n    features,\n  })\n}\n\nexport async function PUT(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = updateRoleSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  if (role.isSystem && parsed.data.name !== undefined && parsed.data.name !== role.name) {\n    return NextResponse.json({ ok: false, error: 'Cannot change name of a system role' }, { status: 400 })\n  }\n\n  // Optimistic lock: refuse a stale overwrite so two admins editing the same role\n  // in parallel cannot silently clobber each other (#2055). Strictly additive.\n  try {\n    enforceCommandOptimisticLock({\n      resourceKind: 'customer_accounts.role',\n      resourceId: role.id,\n      current: role.updatedAt ?? null,\n      request: req,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  // Always bump updated_at so the lock version advances on every save \u2014 `nativeUpdate`\n  // bypasses MikroORM's `onUpdate` hook, so set it explicitly.\n  const nextUpdatedAt = new Date()\n  const updates: Record<string, unknown> = { updatedAt: nextUpdatedAt }\n  if (parsed.data.name !== undefined) updates.name = parsed.data.name\n  if (parsed.data.description !== undefined) updates.description = parsed.data.description\n  if (parsed.data.isDefault !== undefined) updates.isDefault = parsed.data.isDefault\n  if (parsed.data.customerAssignable !== undefined) updates.customerAssignable = parsed.data.customerAssignable\n\n  await em.nativeUpdate(CustomerRole, { id: role.id }, updates)\n\n  void emitCustomerAccountsEvent('customer_accounts.role.updated', {\n    id: role.id,\n    name: updates.name as string || role.name,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true, updatedAt: nextUpdatedAt.toISOString() })\n}\n\nexport async function DELETE(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const role = await em.findOne(CustomerRole, {\n    id: params.id,\n    tenantId: auth.tenantId,\n    deletedAt: null,\n  })\n  if (!role) {\n    return NextResponse.json({ ok: false, error: 'Role not found' }, { status: 404 })\n  }\n\n  if (role.isSystem) {\n    return NextResponse.json({ ok: false, error: 'Cannot delete a system role' }, { status: 400 })\n  }\n\n  // Optimistic lock: refuse a stale delete. Strictly additive.\n  try {\n    enforceCommandOptimisticLock({\n      resourceKind: 'customer_accounts.role',\n      resourceId: role.id,\n      current: role.updatedAt ?? null,\n      request: req,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  const assignedUsersCount = await em.count(CustomerUserRole, {\n    role: role.id as any,\n    deletedAt: null,\n  })\n  if (assignedUsersCount > 0) {\n    return NextResponse.json({ ok: false, error: `Cannot delete role with ${assignedUsersCount} assigned user(s). Reassign users first.` }, { status: 400 })\n  }\n\n  await em.nativeUpdate(CustomerRole, { id: role.id }, { deletedAt: new Date() })\n  await em.nativeUpdate(CustomerRoleAcl, { role: role.id as any }, { deletedAt: new Date() })\n\n  void emitCustomerAccountsEvent('customer_accounts.role.deleted', {\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nconst aclSchema = z.object({\n  features: z.array(z.string()),\n  isPortalAdmin: z.boolean(),\n})\nconst roleDetailSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n  acl: aclSchema,\n})\n\nconst successSchema = z.object({ ok: z.literal(true) })\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'Get customer role detail (admin)',\n  description: 'Returns full customer role details including ACL features.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'Role detail with ACL',\n    schema: z.object({ ok: z.literal(true), role: roleDetailSchema }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nconst putMethodDoc: OpenApiMethodDoc = {\n  summary: 'Update customer role (admin)',\n  description: 'Updates a customer role. System roles are protected from name changes.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: updateRoleSchema },\n  responses: [{ status: 200, description: 'Role updated', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed or system role restriction', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nconst deleteMethodDoc: OpenApiMethodDoc = {\n  summary: 'Delete customer role (admin)',\n  description: 'Soft deletes a customer role and its ACL. System roles and roles with assigned users cannot be deleted.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{ status: 200, description: 'Role deleted', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'System role or has assigned users', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'Role not found', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer role detail management (admin)',\n  pathParams: z.object({ id: z.string().uuid() }),\n  methods: {\n    GET: getMethodDoc,\n    PUT: putMethodDoc,\n    DELETE: deleteMethodDoc,\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,iBAAiB,wBAAwB;AAChE,SAAS,wBAAwB;AACjC,SAAS,iCAAiC;AAC1C,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAEzB,MAAM,WAAW,CAAC;AAEzB,MAAM,UAAU;AAEhB,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,MAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,GAAG;AAC5B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnF;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,MAAM,MAAM,GAAG,QAAQ,iBAAiB;AAAA,IAC5C,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,EACjB,CAAC;AAED,QAAM,WAAW,OAAO,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAE9E,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,aAAa,KAAK,eAAe;AAAA,IACjC,WAAW,KAAK;AAAA,IAChB,UAAU,KAAK;AAAA,IACf,oBAAoB,KAAK;AAAA,IACzB,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,IAC7B;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,iBAAiB,UAAU,IAAI;AAC9C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,MAAI,KAAK,YAAY,OAAO,KAAK,SAAS,UAAa,OAAO,KAAK,SAAS,KAAK,MAAM;AACrF,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,sCAAsC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvG;AAIA,MAAI;AACF,iCAA6B;AAAA,MAC3B,cAAc;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK,aAAa;AAAA,MAC3B,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAIA,QAAM,gBAAgB,oBAAI,KAAK;AAC/B,QAAM,UAAmC,EAAE,WAAW,cAAc;AACpE,MAAI,OAAO,KAAK,SAAS,OAAW,SAAQ,OAAO,OAAO,KAAK;AAC/D,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK;AAC7E,MAAI,OAAO,KAAK,cAAc,OAAW,SAAQ,YAAY,OAAO,KAAK;AACzE,MAAI,OAAO,KAAK,uBAAuB,OAAW,SAAQ,qBAAqB,OAAO,KAAK;AAE3F,QAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,OAAO;AAE5D,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,QAAQ,QAAkB,KAAK;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,WAAW,cAAc,YAAY,EAAE,CAAC;AAC/E;AAEA,eAAsB,OAAO,KAAc,EAAE,OAAO,GAA+B;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC1C,IAAI,OAAO;AAAA,IACX,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb,CAAC;AACD,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,MAAI,KAAK,UAAU;AACjB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/F;AAGA,MAAI;AACF,iCAA6B;AAAA,MAC3B,cAAc;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK,aAAa;AAAA,MAC3B,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAEA,QAAM,qBAAqB,MAAM,GAAG,MAAM,kBAAkB;AAAA,IAC1D,MAAM,KAAK;AAAA,IACX,WAAW;AAAA,EACb,CAAC;AACD,MAAI,qBAAqB,GAAG;AAC1B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,kBAAkB,2CAA2C,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzJ;AAEA,QAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC9E,QAAM,GAAG,aAAa,iBAAiB,EAAE,MAAM,KAAK,GAAU,GAAG,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAC;AAE1F,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,QAAQ;AAC3B,CAAC;AACD,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,KAAK;AACP,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AACtD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,iBAAiB,CAAC;AAAA,EAClE,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,iBAAiB;AAAA,EACxC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,gDAAgD,QAAQ,YAAY;AAAA,IAChG,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,kBAAoC;AAAA,EACxC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qCAAqC,QAAQ,YAAY;AAAA,IACrF,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,EAC9C,SAAS;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,EACV;AACF;",
   "names": []
 }

package/dist/modules/customer_accounts/api/admin/roles.js CHANGED Viewed

@@ -49,7 +49,8 @@ async function GET(req) {
     isDefault: role.isDefault,
     isSystem: role.isSystem,
     customerAssignable: role.customerAssignable,
-    createdAt: role.createdAt
+    createdAt: role.createdAt,
+    updatedAt: role.updatedAt || null
   }));
   return NextResponse.json({ ok: true, items, total, totalPages, page });
 }
@@ -133,7 +134,8 @@ const roleSchema = z.object({
   isDefault: z.boolean(),
   isSystem: z.boolean(),
   customerAssignable: z.boolean(),
-  createdAt: z.string().datetime()
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime().nullable()
 });
 const roleResponseSchema = z.object({
   id: z.string().uuid(),

package/dist/modules/customer_accounts/api/admin/roles.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/customer_accounts/api/admin/roles.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerRole, CustomerRoleAcl } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { createRoleSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\n\nexport const metadata = {}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const url = new URL(req.url)\n  const page = Math.max(1, parseInt(url.searchParams.get('page') || '1', 10) || 1)\n  const pageSize = Math.min(100, Math.max(1, parseInt(url.searchParams.get('pageSize') || '50', 10) || 50))\n  const search = (url.searchParams.get('search') || '').trim()\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const where: Record<string, unknown> = {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedAt: null,\n  }\n\n  if (search) {\n    const escapedSearch = search.replace(/[%_\\\\]/g, '\\\\$&')\n    where.$or = [\n      { name: { $ilike: `%${escapedSearch}%` } },\n      { slug: { $ilike: `%${escapedSearch}%` } },\n    ]\n  }\n\n  const offset = (page - 1) * pageSize\n  const [paged, total] = await em.findAndCount(CustomerRole, where as any, {\n    orderBy: { createdAt: 'ASC' },\n    limit: pageSize,\n    offset,\n  })\n\n  const totalPages = Math.max(1, Math.ceil(total / pageSize))\n\n  const items = paged.map((role) => ({\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    description: role.description || null,\n    isDefault: role.isDefault,\n    isSystem: role.isSystem,\n    customerAssignable: role.customerAssignable,\n    createdAt: role.createdAt,\n  }))\n\n  return NextResponse.json({ ok: true, items, total, totalPages, page })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = createRoleSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const existing = await em.findOne(CustomerRole, {\n    tenantId: auth.tenantId,\n    slug: parsed.data.slug,\n    deletedAt: null,\n  })\n  if (existing) {\n    return NextResponse.json({ ok: false, error: 'A role with this slug already exists' }, { status: 409 })\n  }\n\n  const role = em.create(CustomerRole, {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    name: parsed.data.name,\n    slug: parsed.data.slug,\n    description: parsed.data.description || null,\n    isDefault: parsed.data.isDefault ?? false,\n    customerAssignable: parsed.data.customerAssignable ?? false,\n    isSystem: false,\n    createdAt: new Date(),\n  } as any) as CustomerRole\n  em.persist(role)\n\n  const acl = em.create(CustomerRoleAcl, {\n    role,\n    tenantId: auth.tenantId,\n    featuresJson: [],\n    isPortalAdmin: false,\n    createdAt: new Date(),\n  } as any)\n  em.persist(acl)\n\n  await em.flush()\n\n  void emitCustomerAccountsEvent('customer_accounts.role.created', {\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({\n    ok: true,\n    role: {\n      id: role.id,\n      name: role.name,\n      slug: role.slug,\n      description: role.description || null,\n      isDefault: role.isDefault,\n      isSystem: role.isSystem,\n      customerAssignable: role.customerAssignable,\n      createdAt: role.createdAt,\n    },\n  }, { status: 201 })\n}\n\nconst roleSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n})\n\nconst roleResponseSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n})\n\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'List customer roles (admin)',\n  description: 'Returns all customer roles for the tenant.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'Role list',\n    schema: z.object({ ok: z.literal(true), items: z.array(roleSchema), total: z.number(), totalPages: z.number(), page: z.number() }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n  ],\n}\n\nconst postMethodDoc: OpenApiMethodDoc = {\n  summary: 'Create customer role (admin)',\n  description: 'Creates a new customer role with an empty ACL.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: createRoleSchema },\n  responses: [{ status: 201, description: 'Role created', schema: z.object({ ok: z.literal(true), role: roleResponseSchema }) }],\n  errors: [\n    { status: 400, description: 'Validation failed', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 409, description: 'Slug already exists', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer role management (admin)',\n  methods: {\n    GET: getMethodDoc,\n    POST: postMethodDoc,\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,uBAAuB;AAC9C,SAAS,wBAAwB;AACjC,SAAS,iCAAiC;AAEnC,MAAM,WAAW,CAAC;AAEzB,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,MAAM,KAAK,KAAK,EAAE,KAAK,CAAC;AAC/E,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,UAAU,KAAK,MAAM,EAAE,KAAK,EAAE,CAAC;AACxG,QAAM,UAAU,IAAI,aAAa,IAAI,QAAQ,KAAK,IAAI,KAAK;AAE3D,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,QAAiC;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW;AAAA,EACb;AAEA,MAAI,QAAQ;AACV,UAAM,gBAAgB,OAAO,QAAQ,WAAW,MAAM;AACtD,UAAM,MAAM;AAAA,MACV,EAAE,MAAM,EAAE,QAAQ,IAAI,aAAa,IAAI,EAAE;AAAA,MACzC,EAAE,MAAM,EAAE,QAAQ,IAAI,aAAa,IAAI,EAAE;AAAA,IAC3C;AAAA,EACF;AAEA,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,CAAC,OAAO,KAAK,IAAI,MAAM,GAAG,aAAa,cAAc,OAAc;AAAA,IACvE,SAAS,EAAE,WAAW,MAAM;AAAA,IAC5B,OAAO;AAAA,IACP;AAAA,EACF,CAAC;AAED,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAE1D,QAAM,QAAQ,MAAM,IAAI,CAAC,UAAU;AAAA,IACjC,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,aAAa,KAAK,eAAe;AAAA,IACjC,WAAW,KAAK;AAAA,IAChB,UAAU,KAAK;AAAA,IACf,oBAAoB,KAAK;AAAA,IACzB,WAAW,KAAK;AAAA,EAClB,EAAE;AAEF,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,OAAO,OAAO,YAAY,KAAK,CAAC;AACvE;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,iBAAiB,UAAU,IAAI;AAC9C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,WAAW,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC9C,UAAU,KAAK;AAAA,IACf,MAAM,OAAO,KAAK;AAAA,IAClB,WAAW;AAAA,EACb,CAAC;AACD,MAAI,UAAU;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uCAAuC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxG;AAEA,QAAM,OAAO,GAAG,OAAO,cAAc;AAAA,IACnC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,MAAM,OAAO,KAAK;AAAA,IAClB,MAAM,OAAO,KAAK;AAAA,IAClB,aAAa,OAAO,KAAK,eAAe;AAAA,IACxC,WAAW,OAAO,KAAK,aAAa;AAAA,IACpC,oBAAoB,OAAO,KAAK,sBAAsB;AAAA,IACtD,UAAU;AAAA,IACV,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAQ;AACR,KAAG,QAAQ,IAAI;AAEf,QAAM,MAAM,GAAG,OAAO,iBAAiB;AAAA,IACrC;AAAA,IACA,UAAU,KAAK;AAAA,IACf,cAAc,CAAC;AAAA,IACf,eAAe;AAAA,IACf,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAQ;AACR,KAAG,QAAQ,GAAG;AAEd,QAAM,GAAG,MAAM;AAEf,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM;AAAA,MACJ,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,aAAa,KAAK,eAAe;AAAA,MACjC,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,oBAAoB,KAAK;AAAA,MACzB,WAAW,KAAK;AAAA,IAClB;AAAA,EACF,GAAG,EAAE,QAAQ,IAAI,CAAC;AACpB;AAEA,MAAM,aAAa,EAAE,OAAO;AAAA,EAC1B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,OAAO,EAAE,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,GAAG,YAAY,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AAAA,EACnI,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,EAC9E;AACF;AAEA,MAAM,gBAAkC;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,iBAAiB;AAAA,EACxC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,mBAAmB,CAAC,EAAE,CAAC;AAAA,EAC7H,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,YAAY;AAAA,EACzE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerRole, CustomerRoleAcl } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { createRoleSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\n\nexport const metadata = {}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const url = new URL(req.url)\n  const page = Math.max(1, parseInt(url.searchParams.get('page') || '1', 10) || 1)\n  const pageSize = Math.min(100, Math.max(1, parseInt(url.searchParams.get('pageSize') || '50', 10) || 50))\n  const search = (url.searchParams.get('search') || '').trim()\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const where: Record<string, unknown> = {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedAt: null,\n  }\n\n  if (search) {\n    const escapedSearch = search.replace(/[%_\\\\]/g, '\\\\$&')\n    where.$or = [\n      { name: { $ilike: `%${escapedSearch}%` } },\n      { slug: { $ilike: `%${escapedSearch}%` } },\n    ]\n  }\n\n  const offset = (page - 1) * pageSize\n  const [paged, total] = await em.findAndCount(CustomerRole, where as any, {\n    orderBy: { createdAt: 'ASC' },\n    limit: pageSize,\n    offset,\n  })\n\n  const totalPages = Math.max(1, Math.ceil(total / pageSize))\n\n  const items = paged.map((role) => ({\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    description: role.description || null,\n    isDefault: role.isDefault,\n    isSystem: role.isSystem,\n    customerAssignable: role.customerAssignable,\n    createdAt: role.createdAt,\n    updatedAt: role.updatedAt || null,\n  }))\n\n  return NextResponse.json({ ok: true, items, total, totalPages, page })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.roles.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = createRoleSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const existing = await em.findOne(CustomerRole, {\n    tenantId: auth.tenantId,\n    slug: parsed.data.slug,\n    deletedAt: null,\n  })\n  if (existing) {\n    return NextResponse.json({ ok: false, error: 'A role with this slug already exists' }, { status: 409 })\n  }\n\n  const role = em.create(CustomerRole, {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    name: parsed.data.name,\n    slug: parsed.data.slug,\n    description: parsed.data.description || null,\n    isDefault: parsed.data.isDefault ?? false,\n    customerAssignable: parsed.data.customerAssignable ?? false,\n    isSystem: false,\n    createdAt: new Date(),\n  } as any) as CustomerRole\n  em.persist(role)\n\n  const acl = em.create(CustomerRoleAcl, {\n    role,\n    tenantId: auth.tenantId,\n    featuresJson: [],\n    isPortalAdmin: false,\n    createdAt: new Date(),\n  } as any)\n  em.persist(acl)\n\n  await em.flush()\n\n  void emitCustomerAccountsEvent('customer_accounts.role.created', {\n    id: role.id,\n    name: role.name,\n    slug: role.slug,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  }).catch(() => undefined)\n\n  return NextResponse.json({\n    ok: true,\n    role: {\n      id: role.id,\n      name: role.name,\n      slug: role.slug,\n      description: role.description || null,\n      isDefault: role.isDefault,\n      isSystem: role.isSystem,\n      customerAssignable: role.customerAssignable,\n      createdAt: role.createdAt,\n    },\n  }, { status: 201 })\n}\n\nconst roleSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n})\n\nconst roleResponseSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  slug: z.string(),\n  description: z.string().nullable(),\n  isDefault: z.boolean(),\n  isSystem: z.boolean(),\n  customerAssignable: z.boolean(),\n  createdAt: z.string().datetime(),\n})\n\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'List customer roles (admin)',\n  description: 'Returns all customer roles for the tenant.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'Role list',\n    schema: z.object({ ok: z.literal(true), items: z.array(roleSchema), total: z.number(), totalPages: z.number(), page: z.number() }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n  ],\n}\n\nconst postMethodDoc: OpenApiMethodDoc = {\n  summary: 'Create customer role (admin)',\n  description: 'Creates a new customer role with an empty ACL.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: createRoleSchema },\n  responses: [{ status: 201, description: 'Role created', schema: z.object({ ok: z.literal(true), role: roleResponseSchema }) }],\n  errors: [\n    { status: 400, description: 'Validation failed', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 409, description: 'Slug already exists', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer role management (admin)',\n  methods: {\n    GET: getMethodDoc,\n    POST: postMethodDoc,\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,uBAAuB;AAC9C,SAAS,wBAAwB;AACjC,SAAS,iCAAiC;AAEnC,MAAM,WAAW,CAAC;AAEzB,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,MAAM,KAAK,KAAK,EAAE,KAAK,CAAC;AAC/E,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,UAAU,KAAK,MAAM,EAAE,KAAK,EAAE,CAAC;AACxG,QAAM,UAAU,IAAI,aAAa,IAAI,QAAQ,KAAK,IAAI,KAAK;AAE3D,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,QAAiC;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW;AAAA,EACb;AAEA,MAAI,QAAQ;AACV,UAAM,gBAAgB,OAAO,QAAQ,WAAW,MAAM;AACtD,UAAM,MAAM;AAAA,MACV,EAAE,MAAM,EAAE,QAAQ,IAAI,aAAa,IAAI,EAAE;AAAA,MACzC,EAAE,MAAM,EAAE,QAAQ,IAAI,aAAa,IAAI,EAAE;AAAA,IAC3C;AAAA,EACF;AAEA,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,CAAC,OAAO,KAAK,IAAI,MAAM,GAAG,aAAa,cAAc,OAAc;AAAA,IACvE,SAAS,EAAE,WAAW,MAAM;AAAA,IAC5B,OAAO;AAAA,IACP;AAAA,EACF,CAAC;AAED,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAE1D,QAAM,QAAQ,MAAM,IAAI,CAAC,UAAU;AAAA,IACjC,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,aAAa,KAAK,eAAe;AAAA,IACjC,WAAW,KAAK;AAAA,IAChB,UAAU,KAAK;AAAA,IACf,oBAAoB,KAAK;AAAA,IACzB,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,EAC/B,EAAE;AAEF,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,OAAO,OAAO,YAAY,KAAK,CAAC;AACvE;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,gCAAgC,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AAC5J,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,iBAAiB,UAAU,IAAI;AAC9C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,WAAW,MAAM,GAAG,QAAQ,cAAc;AAAA,IAC9C,UAAU,KAAK;AAAA,IACf,MAAM,OAAO,KAAK;AAAA,IAClB,WAAW;AAAA,EACb,CAAC;AACD,MAAI,UAAU;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uCAAuC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxG;AAEA,QAAM,OAAO,GAAG,OAAO,cAAc;AAAA,IACnC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,MAAM,OAAO,KAAK;AAAA,IAClB,MAAM,OAAO,KAAK;AAAA,IAClB,aAAa,OAAO,KAAK,eAAe;AAAA,IACxC,WAAW,OAAO,KAAK,aAAa;AAAA,IACpC,oBAAoB,OAAO,KAAK,sBAAsB;AAAA,IACtD,UAAU;AAAA,IACV,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAQ;AACR,KAAG,QAAQ,IAAI;AAEf,QAAM,MAAM,GAAG,OAAO,iBAAiB;AAAA,IACrC;AAAA,IACA,UAAU,KAAK;AAAA,IACf,cAAc,CAAC;AAAA,IACf,eAAe;AAAA,IACf,WAAW,oBAAI,KAAK;AAAA,EACtB,CAAQ;AACR,KAAG,QAAQ,GAAG;AAEd,QAAM,GAAG,MAAM;AAEf,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,MAAM,KAAK;AAAA,IACX,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM;AAAA,MACJ,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,aAAa,KAAK,eAAe;AAAA,MACjC,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,oBAAoB,KAAK;AAAA,MACzB,WAAW,KAAK;AAAA,IAClB;AAAA,EACF,GAAG,EAAE,QAAQ,IAAI,CAAC;AACpB;AAEA,MAAM,aAAa,EAAE,OAAO;AAAA,EAC1B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC5C,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,MAAM,EAAE,OAAO;AAAA,EACf,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,WAAW,EAAE,QAAQ;AAAA,EACrB,UAAU,EAAE,QAAQ;AAAA,EACpB,oBAAoB,EAAE,QAAQ;AAAA,EAC9B,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,OAAO,EAAE,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,GAAG,YAAY,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AAAA,EACnI,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,EAC9E;AACF;AAEA,MAAM,gBAAkC;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,iBAAiB;AAAA,EACxC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,mBAAmB,CAAC,EAAE,CAAC;AAAA,EAC7H,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,YAAY;AAAA,EACzE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;",
   "names": []
 }

package/dist/modules/customer_accounts/api/admin/users/[id].js CHANGED Viewed

@@ -6,6 +6,8 @@ import { CustomerUser, CustomerUserRole, CustomerRole, CustomerUserSession } fro
 import { adminUpdateUserSchema } from "@open-mercato/core/modules/customer_accounts/data/validators";
 import { emitCustomerAccountsEvent } from "@open-mercato/core/modules/customer_accounts/events";
 import { findOneWithDecryption, findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
+import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
 const metadata = {};
 const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function GET(req, { params }) {
@@ -113,15 +115,25 @@ async function PUT(req, { params }) {
   if (!user) {
     return NextResponse.json({ ok: false, error: "User not found" }, { status: 404 });
   }
-  const updates = {};
+  try {
+    enforceCommandOptimisticLock({
+      resourceKind: "customer_accounts.user",
+      resourceId: user.id,
+      current: user.updatedAt ?? null,
+      request: req
+    });
+  } catch (err) {
+    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+    throw err;
+  }
+  const nextUpdatedAt = /* @__PURE__ */ new Date();
+  const updates = { updatedAt: nextUpdatedAt };
   if (parsed.data.displayName !== void 0) updates.displayName = parsed.data.displayName;
   if (parsed.data.isActive !== void 0) updates.isActive = parsed.data.isActive;
   if (parsed.data.lockedUntil !== void 0) updates.lockedUntil = parsed.data.lockedUntil ? new Date(parsed.data.lockedUntil) : null;
   if (parsed.data.personEntityId !== void 0) updates.personEntityId = parsed.data.personEntityId;
   if (parsed.data.customerEntityId !== void 0) updates.customerEntityId = parsed.data.customerEntityId;
-  if (Object.keys(updates).length > 0) {
-    await em.nativeUpdate(CustomerUser, { id: user.id }, updates);
-  }
+  await em.nativeUpdate(CustomerUser, { id: user.id }, updates);
   let rolesChanged = false;
   if (parsed.data.roleIds !== void 0) {
     const requestedRoleIds = parsed.data.roleIds;
@@ -165,7 +177,7 @@ async function PUT(req, { params }) {
     organizationId: auth.orgId,
     updatedBy: auth.sub
   }).catch(() => void 0);
-  return NextResponse.json({ ok: true });
+  return NextResponse.json({ ok: true, updatedAt: nextUpdatedAt.toISOString() });
 }
 async function DELETE(req, { params }) {
   const auth = await getAuthFromRequest(req);
@@ -189,6 +201,17 @@ async function DELETE(req, { params }) {
   if (!user) {
     return NextResponse.json({ ok: false, error: "User not found" }, { status: 404 });
   }
+  try {
+    enforceCommandOptimisticLock({
+      resourceKind: "customer_accounts.user",
+      resourceId: user.id,
+      current: user.updatedAt ?? null,
+      request: req
+    });
+  } catch (err) {
+    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+    throw err;
+  }
   const customerUserService = container.resolve("customerUserService");
   const customerSessionService = container.resolve("customerSessionService");
   await customerUserService.softDelete(user.id);

package/dist/modules/customer_accounts/api/admin/users/[id].js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/customer_accounts/api/admin/users/%5Bid%5D.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerUser, CustomerUserRole, CustomerRole, CustomerUserSession } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'\nimport { CustomerRbacService } from '@open-mercato/core/modules/customer_accounts/services/customerRbacService'\nimport { adminUpdateUserSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport const metadata = {}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function GET(req: Request, { params }: { params: { id: string } }) {\n  if (!UUID_RE.test(params.id)) {\n    return NextResponse.json({ ok: false, error: 'Invalid user ID' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  const userRoles = await findWithDecryption(\n    em,\n    CustomerUserRole,\n    { user: user.id as any, deletedAt: null } as any,\n    { populate: ['role'] },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  const roles = userRoles.map((ur) => ({\n    id: (ur.role as any).id,\n    name: (ur.role as any).name,\n    slug: (ur.role as any).slug,\n  }))\n\n  const activeSessions = await findWithDecryption(\n    em,\n    CustomerUserSession,\n    {\n      user: user.id as any,\n      deletedAt: null,\n      expiresAt: { $gt: new Date() },\n    } as any,\n    { orderBy: { lastUsedAt: 'DESC' } },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n\n  const sessions = activeSessions.map((session) => ({\n    id: session.id,\n    ipAddress: (session as any).ipAddress || null,\n    userAgent: (session as any).userAgent || null,\n    lastUsedAt: (session as any).lastUsedAt || null,\n    createdAt: session.createdAt,\n    expiresAt: session.expiresAt,\n  }))\n\n  return NextResponse.json({\n    ok: true,\n    id: user.id,\n    email: user.email,\n    displayName: user.displayName,\n    emailVerifiedAt: user.emailVerifiedAt || null,\n    isActive: user.isActive,\n    lockedUntil: user.lockedUntil || null,\n    lastLoginAt: user.lastLoginAt || null,\n    customerEntityId: user.customerEntityId || null,\n    personEntityId: user.personEntityId || null,\n    createdAt: user.createdAt,\n    updatedAt: user.updatedAt || null,\n    roles,\n    sessions,\n  })\n}\n\nexport async function PUT(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = adminUpdateUserSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  const updates: Record<string, unknown> = {}\n  if (parsed.data.displayName !== undefined) updates.displayName = parsed.data.displayName\n  if (parsed.data.isActive !== undefined) updates.isActive = parsed.data.isActive\n  if (parsed.data.lockedUntil !== undefined) updates.lockedUntil = parsed.data.lockedUntil ? new Date(parsed.data.lockedUntil) : null\n  if (parsed.data.personEntityId !== undefined) updates.personEntityId = parsed.data.personEntityId\n  if (parsed.data.customerEntityId !== undefined) updates.customerEntityId = parsed.data.customerEntityId\n\n  if (Object.keys(updates).length > 0) {\n    await em.nativeUpdate(CustomerUser, { id: user.id }, updates)\n  }\n\n  let rolesChanged = false\n  if (parsed.data.roleIds !== undefined) {\n    const requestedRoleIds = parsed.data.roleIds\n    const validRoles = requestedRoleIds.length > 0\n      ? await findWithDecryption(\n          em,\n          CustomerRole,\n          {\n            id: { $in: requestedRoleIds } as any,\n            tenantId: auth.tenantId,\n            deletedAt: null,\n          } as any,\n          undefined,\n          { tenantId: auth.tenantId, organizationId: auth.orgId },\n        )\n      : []\n    if (validRoles.length !== requestedRoleIds.length) {\n      const foundIds = new Set(validRoles.map((role) => role.id))\n      const missingId = requestedRoleIds.find((roleId) => !foundIds.has(roleId))\n      return NextResponse.json({ ok: false, error: `Role ${missingId} not found` }, { status: 400 })\n    }\n\n    await em.nativeDelete(CustomerUserRole, { user: user.id } as Record<string, unknown>)\n\n    for (const role of validRoles) {\n      const userRole = em.create(CustomerUserRole, {\n        user,\n        role,\n        createdAt: new Date(),\n      } as any)\n      em.persist(userRole)\n    }\n    await em.flush()\n    rolesChanged = true\n  }\n\n  if (rolesChanged) {\n    const customerRbacService = container.resolve('customerRbacService') as CustomerRbacService\n    await customerRbacService.invalidateUserCache(user.id)\n  }\n\n  void emitCustomerAccountsEvent('customer_accounts.user.updated', {\n    id: user.id,\n    recipientUserId: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    updatedBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nexport async function DELETE(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n  const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService\n\n  await customerUserService.softDelete(user.id)\n  await customerSessionService.revokeAllUserSessions(user.id)\n\n  void emitCustomerAccountsEvent('customer_accounts.user.deleted', {\n    id: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nconst roleSchema = z.object({ id: z.string().uuid(), name: z.string(), slug: z.string() })\nconst userDetailSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string(),\n  displayName: z.string(),\n  emailVerified: z.boolean(),\n  isActive: z.boolean(),\n  lockedUntil: z.string().datetime().nullable(),\n  lastLoginAt: z.string().datetime().nullable(),\n  failedLoginAttempts: z.number(),\n  customerEntityId: z.string().uuid().nullable(),\n  personEntityId: z.string().uuid().nullable(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n  roles: z.array(roleSchema),\n  activeSessionCount: z.number(),\n})\n\nconst successSchema = z.object({ ok: z.literal(true) })\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'Get customer user detail (admin)',\n  description: 'Returns full customer user details including CRM links, roles, and active session count.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'User detail',\n    schema: z.object({ ok: z.literal(true), user: userDetailSchema }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nconst putMethodDoc: OpenApiMethodDoc = {\n  summary: 'Update customer user (admin)',\n  description: 'Updates a customer user. Staff can update status, lock, CRM links, and roles. Role assignment bypasses customer_assignable check.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: adminUpdateUserSchema },\n  responses: [{ status: 200, description: 'User updated', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed or role not found', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nconst deleteMethodDoc: OpenApiMethodDoc = {\n  summary: 'Delete customer user (admin)',\n  description: 'Soft deletes a customer user and revokes all their active sessions.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{ status: 200, description: 'User deleted', schema: successSchema }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer user detail management (admin)',\n  pathParams: z.object({ id: z.string().uuid() }),\n  methods: {\n    GET: getMethodDoc,\n    PUT: putMethodDoc,\n    DELETE: deleteMethodDoc,\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,kBAAkB,cAAc,2BAA2B;AAIlF,SAAS,6BAA6B;AACtC,SAAS,iCAAiC;AAC1C,SAAS,uBAAuB,0BAA0B;AAEnD,MAAM,WAAW,CAAC;AAEzB,MAAM,UAAU;AAEhB,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,MAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,GAAG;AAC5B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnF;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,KAAK,IAAW,WAAW,KAAK;AAAA,IACxC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,QAAM,QAAQ,UAAU,IAAI,CAAC,QAAQ;AAAA,IACnC,IAAK,GAAG,KAAa;AAAA,IACrB,MAAO,GAAG,KAAa;AAAA,IACvB,MAAO,GAAG,KAAa;AAAA,EACzB,EAAE;AAEF,QAAM,iBAAiB,MAAM;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,MACX,WAAW,EAAE,KAAK,oBAAI,KAAK,EAAE;AAAA,IAC/B;AAAA,IACA,EAAE,SAAS,EAAE,YAAY,OAAO,EAAE;AAAA,IAClC,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AAEA,QAAM,WAAW,eAAe,IAAI,CAAC,aAAa;AAAA,IAChD,IAAI,QAAQ;AAAA,IACZ,WAAY,QAAgB,aAAa;AAAA,IACzC,WAAY,QAAgB,aAAa;AAAA,IACzC,YAAa,QAAgB,cAAc;AAAA,IAC3C,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ;AAAA,EACrB,EAAE;AAEF,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,aAAa,KAAK;AAAA,IAClB,iBAAiB,KAAK,mBAAmB;AAAA,IACzC,UAAU,KAAK;AAAA,IACf,aAAa,KAAK,eAAe;AAAA,IACjC,aAAa,KAAK,eAAe;AAAA,IACjC,kBAAkB,KAAK,oBAAoB;AAAA,IAC3C,gBAAgB,KAAK,kBAAkB;AAAA,IACvC,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,IAC7B;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,UAAmC,CAAC;AAC1C,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK;AAC7E,MAAI,OAAO,KAAK,aAAa,OAAW,SAAQ,WAAW,OAAO,KAAK;AACvE,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK,cAAc,IAAI,KAAK,OAAO,KAAK,WAAW,IAAI;AAC/H,MAAI,OAAO,KAAK,mBAAmB,OAAW,SAAQ,iBAAiB,OAAO,KAAK;AACnF,MAAI,OAAO,KAAK,qBAAqB,OAAW,SAAQ,mBAAmB,OAAO,KAAK;AAEvF,MAAI,OAAO,KAAK,OAAO,EAAE,SAAS,GAAG;AACnC,UAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,OAAO;AAAA,EAC9D;AAEA,MAAI,eAAe;AACnB,MAAI,OAAO,KAAK,YAAY,QAAW;AACrC,UAAM,mBAAmB,OAAO,KAAK;AACrC,UAAM,aAAa,iBAAiB,SAAS,IACzC,MAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,QACE,IAAI,EAAE,KAAK,iBAAiB;AAAA,QAC5B,UAAU,KAAK;AAAA,QACf,WAAW;AAAA,MACb;AAAA,MACA;AAAA,MACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,IACxD,IACA,CAAC;AACL,QAAI,WAAW,WAAW,iBAAiB,QAAQ;AACjD,YAAM,WAAW,IAAI,IAAI,WAAW,IAAI,CAAC,SAAS,KAAK,EAAE,CAAC;AAC1D,YAAM,YAAY,iBAAiB,KAAK,CAAC,WAAW,CAAC,SAAS,IAAI,MAAM,CAAC;AACzE,aAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,QAAQ,SAAS,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/F;AAEA,UAAM,GAAG,aAAa,kBAAkB,EAAE,MAAM,KAAK,GAAG,CAA4B;AAEpF,eAAW,QAAQ,YAAY;AAC7B,YAAM,WAAW,GAAG,OAAO,kBAAkB;AAAA,QAC3C;AAAA,QACA;AAAA,QACA,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAQ;AACR,SAAG,QAAQ,QAAQ;AAAA,IACrB;AACA,UAAM,GAAG,MAAM;AACf,mBAAe;AAAA,EACjB;AAEA,MAAI,cAAc;AAChB,UAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,UAAM,oBAAoB,oBAAoB,KAAK,EAAE;AAAA,EACvD;AAEA,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,iBAAiB,KAAK;AAAA,IACtB,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,eAAsB,OAAO,KAAc,EAAE,OAAO,GAA+B;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,yBAAyB,UAAU,QAAQ,wBAAwB;AAEzE,QAAM,oBAAoB,WAAW,KAAK,EAAE;AAC5C,QAAM,uBAAuB,sBAAsB,KAAK,EAAE;AAE1D,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AACzF,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO;AAAA,EACtB,eAAe,EAAE,QAAQ;AAAA,EACzB,UAAU,EAAE,QAAQ;AAAA,EACpB,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,qBAAqB,EAAE,OAAO;AAAA,EAC9B,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC7C,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,OAAO,EAAE,MAAM,UAAU;AAAA,EACzB,oBAAoB,EAAE,OAAO;AAC/B,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AACtD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,iBAAiB,CAAC;AAAA,EAClE,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,sBAAsB;AAAA,EAC7C,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,uCAAuC,QAAQ,YAAY;AAAA,IACvF,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,kBAAoC;AAAA,EACxC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,EAC9C,SAAS;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,EACV;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerUser, CustomerUserRole, CustomerRole, CustomerUserSession } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'\nimport { CustomerRbacService } from '@open-mercato/core/modules/customer_accounts/services/customerRbacService'\nimport { adminUpdateUserSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\n\nexport const metadata = {}\n\nconst UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i\n\nexport async function GET(req: Request, { params }: { params: { id: string } }) {\n  if (!UUID_RE.test(params.id)) {\n    return NextResponse.json({ ok: false, error: 'Invalid user ID' }, { status: 400 })\n  }\n\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  const userRoles = await findWithDecryption(\n    em,\n    CustomerUserRole,\n    { user: user.id as any, deletedAt: null } as any,\n    { populate: ['role'] },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  const roles = userRoles.map((ur) => ({\n    id: (ur.role as any).id,\n    name: (ur.role as any).name,\n    slug: (ur.role as any).slug,\n  }))\n\n  const activeSessions = await findWithDecryption(\n    em,\n    CustomerUserSession,\n    {\n      user: user.id as any,\n      deletedAt: null,\n      expiresAt: { $gt: new Date() },\n    } as any,\n    { orderBy: { lastUsedAt: 'DESC' } },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n\n  const sessions = activeSessions.map((session) => ({\n    id: session.id,\n    ipAddress: (session as any).ipAddress || null,\n    userAgent: (session as any).userAgent || null,\n    lastUsedAt: (session as any).lastUsedAt || null,\n    createdAt: session.createdAt,\n    expiresAt: session.expiresAt,\n  }))\n\n  return NextResponse.json({\n    ok: true,\n    id: user.id,\n    email: user.email,\n    displayName: user.displayName,\n    emailVerifiedAt: user.emailVerifiedAt || null,\n    isActive: user.isActive,\n    lockedUntil: user.lockedUntil || null,\n    lastLoginAt: user.lastLoginAt || null,\n    customerEntityId: user.customerEntityId || null,\n    personEntityId: user.personEntityId || null,\n    createdAt: user.createdAt,\n    updatedAt: user.updatedAt || null,\n    roles,\n    sessions,\n  })\n}\n\nexport async function PUT(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = adminUpdateUserSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  // Optimistic lock: refuse a stale overwrite so two admins editing the same\n  // customer user in parallel cannot silently clobber each other (#2055). The\n  // check is strictly additive \u2014 a no-op when the client sends no expected-version header.\n  try {\n    enforceCommandOptimisticLock({\n      resourceKind: 'customer_accounts.user',\n      resourceId: user.id,\n      current: user.updatedAt ?? null,\n      request: req,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  // Always bump updated_at so the optimistic-lock version advances on every save.\n  // `nativeUpdate` bypasses MikroORM's `onUpdate` hook, so set it explicitly \u2014 without\n  // this the version never changes and concurrent edits cannot be detected (#2055).\n  const nextUpdatedAt = new Date()\n  const updates: Record<string, unknown> = { updatedAt: nextUpdatedAt }\n  if (parsed.data.displayName !== undefined) updates.displayName = parsed.data.displayName\n  if (parsed.data.isActive !== undefined) updates.isActive = parsed.data.isActive\n  if (parsed.data.lockedUntil !== undefined) updates.lockedUntil = parsed.data.lockedUntil ? new Date(parsed.data.lockedUntil) : null\n  if (parsed.data.personEntityId !== undefined) updates.personEntityId = parsed.data.personEntityId\n  if (parsed.data.customerEntityId !== undefined) updates.customerEntityId = parsed.data.customerEntityId\n\n  await em.nativeUpdate(CustomerUser, { id: user.id }, updates)\n\n  let rolesChanged = false\n  if (parsed.data.roleIds !== undefined) {\n    const requestedRoleIds = parsed.data.roleIds\n    const validRoles = requestedRoleIds.length > 0\n      ? await findWithDecryption(\n          em,\n          CustomerRole,\n          {\n            id: { $in: requestedRoleIds } as any,\n            tenantId: auth.tenantId,\n            deletedAt: null,\n          } as any,\n          undefined,\n          { tenantId: auth.tenantId, organizationId: auth.orgId },\n        )\n      : []\n    if (validRoles.length !== requestedRoleIds.length) {\n      const foundIds = new Set(validRoles.map((role) => role.id))\n      const missingId = requestedRoleIds.find((roleId) => !foundIds.has(roleId))\n      return NextResponse.json({ ok: false, error: `Role ${missingId} not found` }, { status: 400 })\n    }\n\n    await em.nativeDelete(CustomerUserRole, { user: user.id } as Record<string, unknown>)\n\n    for (const role of validRoles) {\n      const userRole = em.create(CustomerUserRole, {\n        user,\n        role,\n        createdAt: new Date(),\n      } as any)\n      em.persist(userRole)\n    }\n    await em.flush()\n    rolesChanged = true\n  }\n\n  if (rolesChanged) {\n    const customerRbacService = container.resolve('customerRbacService') as CustomerRbacService\n    await customerRbacService.invalidateUserCache(user.id)\n  }\n\n  void emitCustomerAccountsEvent('customer_accounts.user.updated', {\n    id: user.id,\n    recipientUserId: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    updatedBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true, updatedAt: nextUpdatedAt.toISOString() })\n}\n\nexport async function DELETE(req: Request, { params }: { params: { id: string } }) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager\n\n  const user = await findOneWithDecryption(\n    em,\n    CustomerUser,\n    { id: params.id, tenantId: auth.tenantId, deletedAt: null } as any,\n    undefined,\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n  if (!user) {\n    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })\n  }\n\n  // Optimistic lock: refuse a stale delete (e.g. deleting a record another admin\n  // already modified). Strictly additive \u2014 a no-op without the expected-version header.\n  try {\n    enforceCommandOptimisticLock({\n      resourceKind: 'customer_accounts.user',\n      resourceId: user.id,\n      current: user.updatedAt ?? null,\n      request: req,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n  const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService\n\n  await customerUserService.softDelete(user.id)\n  await customerSessionService.revokeAllUserSessions(user.id)\n\n  void emitCustomerAccountsEvent('customer_accounts.user.deleted', {\n    id: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({ ok: true })\n}\n\nconst roleSchema = z.object({ id: z.string().uuid(), name: z.string(), slug: z.string() })\nconst userDetailSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string(),\n  displayName: z.string(),\n  emailVerified: z.boolean(),\n  isActive: z.boolean(),\n  lockedUntil: z.string().datetime().nullable(),\n  lastLoginAt: z.string().datetime().nullable(),\n  failedLoginAttempts: z.number(),\n  customerEntityId: z.string().uuid().nullable(),\n  personEntityId: z.string().uuid().nullable(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n  roles: z.array(roleSchema),\n  activeSessionCount: z.number(),\n})\n\nconst successSchema = z.object({ ok: z.literal(true) })\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'Get customer user detail (admin)',\n  description: 'Returns full customer user details including CRM links, roles, and active session count.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{\n    status: 200,\n    description: 'User detail',\n    schema: z.object({ ok: z.literal(true), user: userDetailSchema }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nconst putMethodDoc: OpenApiMethodDoc = {\n  summary: 'Update customer user (admin)',\n  description: 'Updates a customer user. Staff can update status, lock, CRM links, and roles. Role assignment bypasses customer_assignable check.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: adminUpdateUserSchema },\n  responses: [{ status: 200, description: 'User updated', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed or role not found', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nconst deleteMethodDoc: OpenApiMethodDoc = {\n  summary: 'Delete customer user (admin)',\n  description: 'Soft deletes a customer user and revokes all their active sessions.',\n  tags: ['Customer Accounts Admin'],\n  responses: [{ status: 200, description: 'User deleted', schema: successSchema }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 404, description: 'User not found', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer user detail management (admin)',\n  pathParams: z.object({ id: z.string().uuid() }),\n  methods: {\n    GET: getMethodDoc,\n    PUT: putMethodDoc,\n    DELETE: deleteMethodDoc,\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,cAAc,kBAAkB,cAAc,2BAA2B;AAIlF,SAAS,6BAA6B;AACtC,SAAS,iCAAiC;AAC1C,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAEzB,MAAM,WAAW,CAAC;AAEzB,MAAM,UAAU;AAEhB,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,MAAI,CAAC,QAAQ,KAAK,OAAO,EAAE,GAAG;AAC5B,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnF;AAEA,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAEA,QAAM,YAAY,MAAM;AAAA,IACtB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,KAAK,IAAW,WAAW,KAAK;AAAA,IACxC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,QAAM,QAAQ,UAAU,IAAI,CAAC,QAAQ;AAAA,IACnC,IAAK,GAAG,KAAa;AAAA,IACrB,MAAO,GAAG,KAAa;AAAA,IACvB,MAAO,GAAG,KAAa;AAAA,EACzB,EAAE;AAEF,QAAM,iBAAiB,MAAM;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,MACE,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,MACX,WAAW,EAAE,KAAK,oBAAI,KAAK,EAAE;AAAA,IAC/B;AAAA,IACA,EAAE,SAAS,EAAE,YAAY,OAAO,EAAE;AAAA,IAClC,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AAEA,QAAM,WAAW,eAAe,IAAI,CAAC,aAAa;AAAA,IAChD,IAAI,QAAQ;AAAA,IACZ,WAAY,QAAgB,aAAa;AAAA,IACzC,WAAY,QAAgB,aAAa;AAAA,IACzC,YAAa,QAAgB,cAAc;AAAA,IAC3C,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ;AAAA,EACrB,EAAE;AAEF,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,aAAa,KAAK;AAAA,IAClB,iBAAiB,KAAK,mBAAmB;AAAA,IACzC,UAAU,KAAK;AAAA,IACf,aAAa,KAAK,eAAe;AAAA,IACjC,aAAa,KAAK,eAAe;AAAA,IACjC,kBAAkB,KAAK,oBAAoB;AAAA,IAC3C,gBAAgB,KAAK,kBAAkB;AAAA,IACvC,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,IAC7B;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc,EAAE,OAAO,GAA+B;AAC9E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAKA,MAAI;AACF,iCAA6B;AAAA,MAC3B,cAAc;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK,aAAa;AAAA,MAC3B,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAKA,QAAM,gBAAgB,oBAAI,KAAK;AAC/B,QAAM,UAAmC,EAAE,WAAW,cAAc;AACpE,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK;AAC7E,MAAI,OAAO,KAAK,aAAa,OAAW,SAAQ,WAAW,OAAO,KAAK;AACvE,MAAI,OAAO,KAAK,gBAAgB,OAAW,SAAQ,cAAc,OAAO,KAAK,cAAc,IAAI,KAAK,OAAO,KAAK,WAAW,IAAI;AAC/H,MAAI,OAAO,KAAK,mBAAmB,OAAW,SAAQ,iBAAiB,OAAO,KAAK;AACnF,MAAI,OAAO,KAAK,qBAAqB,OAAW,SAAQ,mBAAmB,OAAO,KAAK;AAEvF,QAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,OAAO;AAE5D,MAAI,eAAe;AACnB,MAAI,OAAO,KAAK,YAAY,QAAW;AACrC,UAAM,mBAAmB,OAAO,KAAK;AACrC,UAAM,aAAa,iBAAiB,SAAS,IACzC,MAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,QACE,IAAI,EAAE,KAAK,iBAAiB;AAAA,QAC5B,UAAU,KAAK;AAAA,QACf,WAAW;AAAA,MACb;AAAA,MACA;AAAA,MACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,IACxD,IACA,CAAC;AACL,QAAI,WAAW,WAAW,iBAAiB,QAAQ;AACjD,YAAM,WAAW,IAAI,IAAI,WAAW,IAAI,CAAC,SAAS,KAAK,EAAE,CAAC;AAC1D,YAAM,YAAY,iBAAiB,KAAK,CAAC,WAAW,CAAC,SAAS,IAAI,MAAM,CAAC;AACzE,aAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,QAAQ,SAAS,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/F;AAEA,UAAM,GAAG,aAAa,kBAAkB,EAAE,MAAM,KAAK,GAAG,CAA4B;AAEpF,eAAW,QAAQ,YAAY;AAC7B,YAAM,WAAW,GAAG,OAAO,kBAAkB;AAAA,QAC3C;AAAA,QACA;AAAA,QACA,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAQ;AACR,SAAG,QAAQ,QAAQ;AAAA,IACrB;AACA,UAAM,GAAG,MAAM;AACf,mBAAe;AAAA,EACjB;AAEA,MAAI,cAAc;AAChB,UAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,UAAM,oBAAoB,oBAAoB,KAAK,EAAE;AAAA,EACvD;AAEA,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,iBAAiB,KAAK;AAAA,IACtB,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,WAAW,cAAc,YAAY,EAAE,CAAC;AAC/E;AAEA,eAAsB,OAAO,KAAc,EAAE,OAAO,GAA+B;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,OAAO,IAAI,UAAU,KAAK,UAAU,WAAW,KAAK;AAAA,IAC1D;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AACA,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClF;AAIA,MAAI;AACF,iCAA6B;AAAA,MAC3B,cAAc;AAAA,MACd,YAAY,KAAK;AAAA,MACjB,SAAS,KAAK,aAAa;AAAA,MAC3B,SAAS;AAAA,IACX,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAEA,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AACnE,QAAM,yBAAyB,UAAU,QAAQ,wBAAwB;AAEzE,QAAM,oBAAoB,WAAW,KAAK,EAAE;AAC5C,QAAM,uBAAuB,sBAAsB,KAAK,EAAE;AAE1D,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AACzF,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO;AAAA,EACtB,eAAe,EAAE,QAAQ;AAAA,EACzB,UAAU,EAAE,QAAQ;AAAA,EACpB,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,qBAAqB,EAAE,OAAO;AAAA,EAC9B,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC7C,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,OAAO,EAAE,MAAM,UAAU;AAAA,EACzB,oBAAoB,EAAE,OAAO;AAC/B,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AACtD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,MAAM,iBAAiB,CAAC;AAAA,EAClE,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,sBAAsB;AAAA,EAC7C,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,uCAAuC,QAAQ,YAAY;AAAA,IACvF,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEA,MAAM,kBAAoC;AAAA,EACxC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,YAAY;AAAA,EACpE;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,EAC9C,SAAS;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,EACV;AACF;",
   "names": []
 }

package/dist/modules/customer_accounts/api/admin/users.js CHANGED Viewed

@@ -140,6 +140,7 @@ async function GET(req) {
     customerEntityId: user.customerEntityId || null,
     personEntityId: user.personEntityId || null,
     createdAt: user.createdAt,
+    updatedAt: user.updatedAt || null,
     roles: rolesByUserId.get(user.id) ?? []
   }));
   const totalPages = Math.max(1, Math.ceil(total / pageSize));
@@ -237,6 +238,7 @@ const userSchema = z.object({
   customerEntityId: z.string().uuid().nullable(),
   personEntityId: z.string().uuid().nullable(),
   createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime().nullable(),
   roles: z.array(roleSchema)
 });
 const successSchema = z.object({

package/dist/modules/customer_accounts/api/admin/users.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/customer_accounts/api/admin/users.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerUser, CustomerUserRole, CustomerRole } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { adminCreateUserSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { findAndCountWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { hashForLookup } from '@open-mercato/shared/lib/encryption/aes'\nimport { E } from '#generated/entities.ids.generated'\nimport { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'\nimport { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'\nimport { sql } from 'kysely'\n\nconst EMAIL_LIKE_PATTERN = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/\n\nexport const metadata = {}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as EntityManager\n\n  const url = new URL(req.url)\n  const page = Math.max(1, parseInt(url.searchParams.get('page') || '1'))\n  const pageSize = Math.min(100, Math.max(1, parseInt(url.searchParams.get('pageSize') || '25')))\n  const status = url.searchParams.get('status') as 'active' | 'inactive' | 'locked' | null\n  const customerEntityId = url.searchParams.get('customerEntityId')\n  const personEntityId = url.searchParams.get('personEntityId')\n  const roleId = url.searchParams.get('roleId')\n  const search = url.searchParams.get('search')\n\n  const where: Record<string, unknown> = {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedAt: null,\n  }\n\n  if (status === 'active') {\n    where.isActive = true\n    where.$or = [{ lockedUntil: null }, { lockedUntil: { $lt: new Date() } }]\n  } else if (status === 'inactive') {\n    where.isActive = false\n  } else if (status === 'locked') {\n    where.lockedUntil = { $gt: new Date() }\n  }\n\n  if (customerEntityId) {\n    where.customerEntityId = customerEntityId\n  }\n\n  if (personEntityId) {\n    where.personEntityId = personEntityId\n  }\n\n  if (search) {\n    const trimmedSearch = search.trim()\n    // email/displayName are stored encrypted, so SQL ILIKE on the ciphertext\n    // never matches a plaintext search term. Use search_tokens table for partial\n    // matches and emailHash for exact email lookups.\n    const searchFilter: Record<string, unknown>[] = []\n\n    // Search encrypted fields via search_tokens\n    const matchedIds = await findCustomerUserIdsBySearchTokens(em, E.customer_accounts.customer_user, trimmedSearch, auth.tenantId)\n    if (matchedIds && matchedIds.length > 0) {\n      searchFilter.push({ id: { $in: matchedIds } })\n    }\n\n    // Also support exact email lookup via emailHash\n    if (EMAIL_LIKE_PATTERN.test(search)) {\n      searchFilter.push({ emailHash: hashForLookup(search) })\n    }\n\n    if (searchFilter.length > 0) {\n      if (where.$or) {\n        where.$and = [{ $or: where.$or }, { $or: searchFilter }]\n        delete where.$or\n      } else {\n        where.$or = searchFilter\n      }\n    } else {\n      // No search results found, return empty\n      return NextResponse.json({\n        ok: true,\n        items: [],\n        total: 0,\n        totalPages: 1,\n        page,\n      })\n    }\n  }\n\n  let userIds: string[] | null = null\n  if (roleId) {\n    const roleLinks = await findWithDecryption(\n      em,\n      CustomerUserRole,\n      { role: roleId as any, deletedAt: null } as any,\n      undefined,\n      { tenantId: auth.tenantId, organizationId: auth.orgId },\n    )\n    userIds = roleLinks.map((link) => (link.user as any)?.id || (link.user as unknown as string))\n    if (userIds.length === 0) {\n      return NextResponse.json({\n        ok: true,\n        items: [],\n        total: 0,\n        totalPages: 1,\n        page,\n      })\n    }\n    where.id = { $in: userIds }\n  }\n\n  const offset = (page - 1) * pageSize\n  const [users, total] = await findAndCountWithDecryption(\n    em,\n    CustomerUser,\n    where as any,\n    {\n      orderBy: { createdAt: 'DESC' },\n      limit: pageSize,\n      offset,\n    },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n\n  const pageUserIds = users.map((user) => user.id)\n  const userRoleLinks = pageUserIds.length > 0\n    ? await findWithDecryption(\n        em,\n        CustomerUserRole,\n        { user: { $in: pageUserIds } as any, deletedAt: null } as any,\n        { populate: ['role'] },\n        { tenantId: auth.tenantId, organizationId: auth.orgId },\n      )\n    : []\n\n  const rolesByUserId = new Map<string, Array<{ id: string; name: string; slug: string }>>()\n  for (const link of userRoleLinks) {\n    const linkUserId = (link.user as any)?.id ?? (link.user as unknown as string)\n    const role = link.role as any\n    const bucket = rolesByUserId.get(linkUserId)\n    const entry = { id: role.id, name: role.name, slug: role.slug }\n    if (bucket) bucket.push(entry)\n    else rolesByUserId.set(linkUserId, [entry])\n  }\n\n  const items = users.map((user) => ({\n    id: user.id,\n    email: user.email,\n    displayName: user.displayName,\n    emailVerified: !!user.emailVerifiedAt,\n    isActive: user.isActive,\n    lockedUntil: user.lockedUntil || null,\n    lastLoginAt: user.lastLoginAt || null,\n    customerEntityId: user.customerEntityId || null,\n    personEntityId: user.personEntityId || null,\n    createdAt: user.createdAt,\n    roles: rolesByUserId.get(user.id) ?? [],\n  }))\n\n  const totalPages = Math.max(1, Math.ceil(total / pageSize))\n\n  return NextResponse.json({\n    ok: true,\n    items,\n    total,\n    totalPages,\n    page,\n  })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = adminCreateUserSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as EntityManager\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n\n  const existing = await customerUserService.findByEmail(parsed.data.email, auth.tenantId!)\n  if (existing) {\n    return NextResponse.json({ ok: false, error: 'A user with this email already exists' }, { status: 409 })\n  }\n\n  const user = await customerUserService.createUser(\n    parsed.data.email,\n    parsed.data.password,\n    parsed.data.displayName,\n    { tenantId: auth.tenantId!, organizationId: auth.orgId! },\n  )\n  user.emailVerifiedAt = new Date()\n\n  // Persist the user, its company association, and its role links in one\n  // transaction so a flush failure on the role loop cannot leave a roleless\n  // user committed (privilege gap).\n  await em.transactional(async (tx) => {\n    tx.persist(user)\n    await tx.flush()\n\n    if (parsed.data.customerEntityId) {\n      await tx.nativeUpdate(CustomerUser, { id: user.id }, { customerEntityId: parsed.data.customerEntityId })\n    }\n\n    if (parsed.data.roleIds && parsed.data.roleIds.length > 0) {\n      const validRoles = await findWithDecryption(\n        tx,\n        CustomerRole,\n        {\n          id: { $in: parsed.data.roleIds } as any,\n          tenantId: auth.tenantId,\n          deletedAt: null,\n        } as any,\n        undefined,\n        { tenantId: auth.tenantId, organizationId: auth.orgId },\n      )\n      for (const role of validRoles) {\n        const userRole = tx.create(CustomerUserRole, {\n          user,\n          role,\n          createdAt: new Date(),\n        } as any)\n        tx.persist(userRole)\n      }\n    }\n  })\n\n  void emitCustomerAccountsEvent('customer_accounts.user.created', {\n    id: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    createdBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({\n    ok: true,\n    user: { id: user.id, email: user.email, displayName: user.displayName },\n  }, { status: 201 })\n}\n\nconst roleSchema = z.object({ id: z.string().uuid(), name: z.string(), slug: z.string() })\nconst userSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string(),\n  displayName: z.string(),\n  emailVerified: z.boolean(),\n  isActive: z.boolean(),\n  lockedUntil: z.string().datetime().nullable(),\n  lastLoginAt: z.string().datetime().nullable(),\n  customerEntityId: z.string().uuid().nullable(),\n  personEntityId: z.string().uuid().nullable(),\n  createdAt: z.string().datetime(),\n  roles: z.array(roleSchema),\n})\n\nconst successSchema = z.object({\n  ok: z.literal(true),\n  user: z.object({ id: z.string().uuid(), email: z.string(), displayName: z.string() }),\n})\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nasync function findCustomerUserIdsBySearchTokens(\n  em: EntityManager,\n  entityType: string,\n  search: string,\n  tenantScope: string | null | undefined,\n  field?: string,\n): Promise<string[] | null> {\n  const trimmed = search.trim()\n  if (!trimmed) return null\n  const searchConfig = resolveSearchConfig()\n  if (!searchConfig.enabled) return []\n  const { hashes } = tokenizeText(trimmed, searchConfig)\n  if (!hashes.length) return []\n\n  const db = (em as any).getKysely() as any\n  let query = db\n    .selectFrom('search_tokens')\n    .select('entity_id')\n    .where('entity_type', '=', entityType)\n    .where('token_hash', 'in', hashes)\n    .groupBy('entity_id')\n    .having(sql<boolean>`count(distinct token_hash) >= ${hashes.length}`)\n  if (field) {\n    query = query.where('field', '=', field)\n  }\n  if (tenantScope !== undefined) {\n    query = query.where(sql<boolean>`tenant_id is not distinct from ${tenantScope}`)\n  }\n  const rows = (await query.execute()) as Array<{ entity_id?: unknown }>\n  return rows\n    .map((row) => (typeof row.entity_id === 'string' ? row.entity_id : null))\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'List customer users (admin)',\n  description: 'Returns a paginated list of customer users with roles. Supports filtering by status, company, role, and search.',\n  tags: ['Customer Accounts Admin'],\n  query: z.object({\n    page: z.number().int().positive().optional(),\n    pageSize: z.number().int().positive().max(100).optional(),\n    status: z.enum(['active', 'inactive', 'locked']).optional(),\n    customerEntityId: z.string().uuid().optional(),\n    roleId: z.string().uuid().optional(),\n    search: z.string().optional(),\n  }),\n  responses: [{\n    status: 200,\n    description: 'Paginated user list',\n    schema: z.object({ ok: z.literal(true), items: z.array(userSchema), total: z.number(), totalPages: z.number(), page: z.number() }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n  ],\n}\n\nconst postMethodDoc: OpenApiMethodDoc = {\n  summary: 'Create customer user (admin)',\n  description: 'Creates a new customer user directly. Staff-initiated, bypasses signup flow.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: adminCreateUserSchema },\n  responses: [{ status: 201, description: 'User created', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 409, description: 'Email already exists', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer user management (admin)',\n  methods: {\n    GET: getMethodDoc,\n    POST: postMethodDoc,\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,cAAc,kBAAkB,oBAAoB;AAE7D,SAAS,6BAA6B;AACtC,SAAS,iCAAiC;AAC1C,SAAS,4BAA4B,0BAA0B;AAC/D,SAAS,qBAAqB;AAC9B,SAAS,SAAS;AAClB,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,WAAW;AAEpB,MAAM,qBAAqB;AAEpB,MAAM,WAAW,CAAC;AAEzB,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,MAAM,KAAK,GAAG,CAAC;AACtE,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,UAAU,KAAK,IAAI,CAAC,CAAC;AAC9F,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAC5C,QAAM,mBAAmB,IAAI,aAAa,IAAI,kBAAkB;AAChE,QAAM,iBAAiB,IAAI,aAAa,IAAI,gBAAgB;AAC5D,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAC5C,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAE5C,QAAM,QAAiC;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW;AAAA,EACb;AAEA,MAAI,WAAW,UAAU;AACvB,UAAM,WAAW;AACjB,UAAM,MAAM,CAAC,EAAE,aAAa,KAAK,GAAG,EAAE,aAAa,EAAE,KAAK,oBAAI,KAAK,EAAE,EAAE,CAAC;AAAA,EAC1E,WAAW,WAAW,YAAY;AAChC,UAAM,WAAW;AAAA,EACnB,WAAW,WAAW,UAAU;AAC9B,UAAM,cAAc,EAAE,KAAK,oBAAI,KAAK,EAAE;AAAA,EACxC;AAEA,MAAI,kBAAkB;AACpB,UAAM,mBAAmB;AAAA,EAC3B;AAEA,MAAI,gBAAgB;AAClB,UAAM,iBAAiB;AAAA,EACzB;AAEA,MAAI,QAAQ;AACV,UAAM,gBAAgB,OAAO,KAAK;AAIlC,UAAM,eAA0C,CAAC;AAGjD,UAAM,aAAa,MAAM,kCAAkC,IAAI,EAAE,kBAAkB,eAAe,eAAe,KAAK,QAAQ;AAC9H,QAAI,cAAc,WAAW,SAAS,GAAG;AACvC,mBAAa,KAAK,EAAE,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;AAAA,IAC/C;AAGA,QAAI,mBAAmB,KAAK,MAAM,GAAG;AACnC,mBAAa,KAAK,EAAE,WAAW,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD;AAEA,QAAI,aAAa,SAAS,GAAG;AAC3B,UAAI,MAAM,KAAK;AACb,cAAM,OAAO,CAAC,EAAE,KAAK,MAAM,IAAI,GAAG,EAAE,KAAK,aAAa,CAAC;AACvD,eAAO,MAAM;AAAA,MACf,OAAO;AACL,cAAM,MAAM;AAAA,MACd;AAAA,IACF,OAAO;AAEL,aAAO,aAAa,KAAK;AAAA,QACvB,IAAI;AAAA,QACJ,OAAO,CAAC;AAAA,QACR,OAAO;AAAA,QACP,YAAY;AAAA,QACZ;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,UAA2B;AAC/B,MAAI,QAAQ;AACV,UAAM,YAAY,MAAM;AAAA,MACtB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAe,WAAW,KAAK;AAAA,MACvC;AAAA,MACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,IACxD;AACA,cAAU,UAAU,IAAI,CAAC,SAAU,KAAK,MAAc,MAAO,KAAK,IAA0B;AAC5F,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,IAAI;AAAA,QACJ,OAAO,CAAC;AAAA,QACR,OAAO;AAAA,QACP,YAAY;AAAA,QACZ;AAAA,MACF,CAAC;AAAA,IACH;AACA,UAAM,KAAK,EAAE,KAAK,QAAQ;AAAA,EAC5B;AAEA,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,CAAC,OAAO,KAAK,IAAI,MAAM;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,SAAS,EAAE,WAAW,OAAO;AAAA,MAC7B,OAAO;AAAA,MACP;AAAA,IACF;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AAEA,QAAM,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,EAAE;AAC/C,QAAM,gBAAgB,YAAY,SAAS,IACvC,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,YAAY,GAAU,WAAW,KAAK;AAAA,IACrD,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD,IACA,CAAC;AAEL,QAAM,gBAAgB,oBAAI,IAA+D;AACzF,aAAW,QAAQ,eAAe;AAChC,UAAM,aAAc,KAAK,MAAc,MAAO,KAAK;AACnD,UAAM,OAAO,KAAK;AAClB,UAAM,SAAS,cAAc,IAAI,UAAU;AAC3C,UAAM,QAAQ,EAAE,IAAI,KAAK,IAAI,MAAM,KAAK,MAAM,MAAM,KAAK,KAAK;AAC9D,QAAI,OAAQ,QAAO,KAAK,KAAK;AAAA,QACxB,eAAc,IAAI,YAAY,CAAC,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,QAAQ,MAAM,IAAI,CAAC,UAAU;AAAA,IACjC,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,aAAa,KAAK;AAAA,IAClB,eAAe,CAAC,CAAC,KAAK;AAAA,IACtB,UAAU,KAAK;AAAA,IACf,aAAa,KAAK,eAAe;AAAA,IACjC,aAAa,KAAK,eAAe;AAAA,IACjC,kBAAkB,KAAK,oBAAoB;AAAA,IAC3C,gBAAgB,KAAK,kBAAkB;AAAA,IACvC,WAAW,KAAK;AAAA,IAChB,OAAO,cAAc,IAAI,KAAK,EAAE,KAAK,CAAC;AAAA,EACxC,EAAE;AAEF,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAE1D,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AAEnE,QAAM,WAAW,MAAM,oBAAoB,YAAY,OAAO,KAAK,OAAO,KAAK,QAAS;AACxF,MAAI,UAAU;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,OAAO,MAAM,oBAAoB;AAAA,IACrC,OAAO,KAAK;AAAA,IACZ,OAAO,KAAK;AAAA,IACZ,OAAO,KAAK;AAAA,IACZ,EAAE,UAAU,KAAK,UAAW,gBAAgB,KAAK,MAAO;AAAA,EAC1D;AACA,OAAK,kBAAkB,oBAAI,KAAK;AAKhC,QAAM,GAAG,cAAc,OAAO,OAAO;AACnC,OAAG,QAAQ,IAAI;AACf,UAAM,GAAG,MAAM;AAEf,QAAI,OAAO,KAAK,kBAAkB;AAChC,YAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,kBAAkB,OAAO,KAAK,iBAAiB,CAAC;AAAA,IACzG;AAEA,QAAI,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,SAAS,GAAG;AACzD,YAAM,aAAa,MAAM;AAAA,QACvB;AAAA,QACA;AAAA,QACA;AAAA,UACE,IAAI,EAAE,KAAK,OAAO,KAAK,QAAQ;AAAA,UAC/B,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,QACb;AAAA,QACA;AAAA,QACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,MACxD;AACA,iBAAW,QAAQ,YAAY;AAC7B,cAAM,WAAW,GAAG,OAAO,kBAAkB;AAAA,UAC3C;AAAA,UACA;AAAA,UACA,WAAW,oBAAI,KAAK;AAAA,QACtB,CAAQ;AACR,WAAG,QAAQ,QAAQ;AAAA,MACrB;AAAA,IACF;AAAA,EACF,CAAC;AAED,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM,EAAE,IAAI,KAAK,IAAI,OAAO,KAAK,OAAO,aAAa,KAAK,YAAY;AAAA,EACxE,GAAG,EAAE,QAAQ,IAAI,CAAC;AACpB;AAEA,MAAM,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AACzF,MAAM,aAAa,EAAE,OAAO;AAAA,EAC1B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO;AAAA,EACtB,eAAe,EAAE,QAAQ;AAAA,EACzB,UAAU,EAAE,QAAQ;AAAA,EACpB,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC7C,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,OAAO,EAAE,MAAM,UAAU;AAC3B,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EAAE,OAAO,GAAG,aAAa,EAAE,OAAO,EAAE,CAAC;AACtF,CAAC;AACD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,eAAe,kCACb,IACA,YACA,QACA,aACA,OAC0B;AAC1B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,eAAe,oBAAoB;AACzC,MAAI,CAAC,aAAa,QAAS,QAAO,CAAC;AACnC,QAAM,EAAE,OAAO,IAAI,aAAa,SAAS,YAAY;AACrD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,KAAM,GAAW,UAAU;AACjC,MAAI,QAAQ,GACT,WAAW,eAAe,EAC1B,OAAO,WAAW,EAClB,MAAM,eAAe,KAAK,UAAU,EACpC,MAAM,cAAc,MAAM,MAAM,EAChC,QAAQ,WAAW,EACnB,OAAO,oCAA6C,OAAO,MAAM,EAAE;AACtE,MAAI,OAAO;AACT,YAAQ,MAAM,MAAM,SAAS,KAAK,KAAK;AAAA,EACzC;AACA,MAAI,gBAAgB,QAAW;AAC7B,YAAQ,MAAM,MAAM,qCAA8C,WAAW,EAAE;AAAA,EACjF;AACA,QAAM,OAAQ,MAAM,MAAM,QAAQ;AAClC,SAAO,KACJ,IAAI,CAAC,QAAS,OAAO,IAAI,cAAc,WAAW,IAAI,YAAY,IAAK,EACvE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,OAAO,EAAE,OAAO;AAAA,IACd,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,IAC3C,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IACxD,QAAQ,EAAE,KAAK,CAAC,UAAU,YAAY,QAAQ,CAAC,EAAE,SAAS;AAAA,IAC1D,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,IAC7C,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,IACnC,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,CAAC;AAAA,EACD,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,OAAO,EAAE,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,GAAG,YAAY,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AAAA,EACnI,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,EAC9E;AACF;AAEA,MAAM,gBAAkC;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,sBAAsB;AAAA,EAC7C,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,YAAY;AAAA,EAC1E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'\nimport { CustomerUser, CustomerUserRole, CustomerRole } from '@open-mercato/core/modules/customer_accounts/data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { adminCreateUserSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'\nimport { emitCustomerAccountsEvent } from '@open-mercato/core/modules/customer_accounts/events'\nimport { findAndCountWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { hashForLookup } from '@open-mercato/shared/lib/encryption/aes'\nimport { E } from '#generated/entities.ids.generated'\nimport { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'\nimport { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'\nimport { sql } from 'kysely'\n\nconst EMAIL_LIKE_PATTERN = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/\n\nexport const metadata = {}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.view'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  const em = container.resolve('em') as EntityManager\n\n  const url = new URL(req.url)\n  const page = Math.max(1, parseInt(url.searchParams.get('page') || '1'))\n  const pageSize = Math.min(100, Math.max(1, parseInt(url.searchParams.get('pageSize') || '25')))\n  const status = url.searchParams.get('status') as 'active' | 'inactive' | 'locked' | null\n  const customerEntityId = url.searchParams.get('customerEntityId')\n  const personEntityId = url.searchParams.get('personEntityId')\n  const roleId = url.searchParams.get('roleId')\n  const search = url.searchParams.get('search')\n\n  const where: Record<string, unknown> = {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    deletedAt: null,\n  }\n\n  if (status === 'active') {\n    where.isActive = true\n    where.$or = [{ lockedUntil: null }, { lockedUntil: { $lt: new Date() } }]\n  } else if (status === 'inactive') {\n    where.isActive = false\n  } else if (status === 'locked') {\n    where.lockedUntil = { $gt: new Date() }\n  }\n\n  if (customerEntityId) {\n    where.customerEntityId = customerEntityId\n  }\n\n  if (personEntityId) {\n    where.personEntityId = personEntityId\n  }\n\n  if (search) {\n    const trimmedSearch = search.trim()\n    // email/displayName are stored encrypted, so SQL ILIKE on the ciphertext\n    // never matches a plaintext search term. Use search_tokens table for partial\n    // matches and emailHash for exact email lookups.\n    const searchFilter: Record<string, unknown>[] = []\n\n    // Search encrypted fields via search_tokens\n    const matchedIds = await findCustomerUserIdsBySearchTokens(em, E.customer_accounts.customer_user, trimmedSearch, auth.tenantId)\n    if (matchedIds && matchedIds.length > 0) {\n      searchFilter.push({ id: { $in: matchedIds } })\n    }\n\n    // Also support exact email lookup via emailHash\n    if (EMAIL_LIKE_PATTERN.test(search)) {\n      searchFilter.push({ emailHash: hashForLookup(search) })\n    }\n\n    if (searchFilter.length > 0) {\n      if (where.$or) {\n        where.$and = [{ $or: where.$or }, { $or: searchFilter }]\n        delete where.$or\n      } else {\n        where.$or = searchFilter\n      }\n    } else {\n      // No search results found, return empty\n      return NextResponse.json({\n        ok: true,\n        items: [],\n        total: 0,\n        totalPages: 1,\n        page,\n      })\n    }\n  }\n\n  let userIds: string[] | null = null\n  if (roleId) {\n    const roleLinks = await findWithDecryption(\n      em,\n      CustomerUserRole,\n      { role: roleId as any, deletedAt: null } as any,\n      undefined,\n      { tenantId: auth.tenantId, organizationId: auth.orgId },\n    )\n    userIds = roleLinks.map((link) => (link.user as any)?.id || (link.user as unknown as string))\n    if (userIds.length === 0) {\n      return NextResponse.json({\n        ok: true,\n        items: [],\n        total: 0,\n        totalPages: 1,\n        page,\n      })\n    }\n    where.id = { $in: userIds }\n  }\n\n  const offset = (page - 1) * pageSize\n  const [users, total] = await findAndCountWithDecryption(\n    em,\n    CustomerUser,\n    where as any,\n    {\n      orderBy: { createdAt: 'DESC' },\n      limit: pageSize,\n      offset,\n    },\n    { tenantId: auth.tenantId, organizationId: auth.orgId },\n  )\n\n  const pageUserIds = users.map((user) => user.id)\n  const userRoleLinks = pageUserIds.length > 0\n    ? await findWithDecryption(\n        em,\n        CustomerUserRole,\n        { user: { $in: pageUserIds } as any, deletedAt: null } as any,\n        { populate: ['role'] },\n        { tenantId: auth.tenantId, organizationId: auth.orgId },\n      )\n    : []\n\n  const rolesByUserId = new Map<string, Array<{ id: string; name: string; slug: string }>>()\n  for (const link of userRoleLinks) {\n    const linkUserId = (link.user as any)?.id ?? (link.user as unknown as string)\n    const role = link.role as any\n    const bucket = rolesByUserId.get(linkUserId)\n    const entry = { id: role.id, name: role.name, slug: role.slug }\n    if (bucket) bucket.push(entry)\n    else rolesByUserId.set(linkUserId, [entry])\n  }\n\n  const items = users.map((user) => ({\n    id: user.id,\n    email: user.email,\n    displayName: user.displayName,\n    emailVerified: !!user.emailVerifiedAt,\n    isActive: user.isActive,\n    lockedUntil: user.lockedUntil || null,\n    lastLoginAt: user.lastLoginAt || null,\n    customerEntityId: user.customerEntityId || null,\n    personEntityId: user.personEntityId || null,\n    createdAt: user.createdAt,\n    updatedAt: user.updatedAt || null,\n    roles: rolesByUserId.get(user.id) ?? [],\n  }))\n\n  const totalPages = Math.max(1, Math.ceil(total / pageSize))\n\n  return NextResponse.json({\n    ok: true,\n    items,\n    total,\n    totalPages,\n    page,\n  })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })\n  }\n\n  const container = await createRequestContainer()\n  const rbacService = container.resolve('rbacService') as RbacService\n  const hasAccess = await rbacService.userHasAllFeatures(auth.sub, ['customer_accounts.manage'], { tenantId: auth.tenantId, organizationId: auth.orgId })\n  if (!hasAccess) {\n    return NextResponse.json({ ok: false, error: 'Insufficient permissions' }, { status: 403 })\n  }\n\n  let body: unknown\n  try {\n    body = await req.json()\n  } catch {\n    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })\n  }\n\n  const parsed = adminCreateUserSchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ ok: false, error: 'Validation failed', details: parsed.error.flatten().fieldErrors }, { status: 400 })\n  }\n\n  const em = container.resolve('em') as EntityManager\n  const customerUserService = container.resolve('customerUserService') as CustomerUserService\n\n  const existing = await customerUserService.findByEmail(parsed.data.email, auth.tenantId!)\n  if (existing) {\n    return NextResponse.json({ ok: false, error: 'A user with this email already exists' }, { status: 409 })\n  }\n\n  const user = await customerUserService.createUser(\n    parsed.data.email,\n    parsed.data.password,\n    parsed.data.displayName,\n    { tenantId: auth.tenantId!, organizationId: auth.orgId! },\n  )\n  user.emailVerifiedAt = new Date()\n\n  // Persist the user, its company association, and its role links in one\n  // transaction so a flush failure on the role loop cannot leave a roleless\n  // user committed (privilege gap).\n  await em.transactional(async (tx) => {\n    tx.persist(user)\n    await tx.flush()\n\n    if (parsed.data.customerEntityId) {\n      await tx.nativeUpdate(CustomerUser, { id: user.id }, { customerEntityId: parsed.data.customerEntityId })\n    }\n\n    if (parsed.data.roleIds && parsed.data.roleIds.length > 0) {\n      const validRoles = await findWithDecryption(\n        tx,\n        CustomerRole,\n        {\n          id: { $in: parsed.data.roleIds } as any,\n          tenantId: auth.tenantId,\n          deletedAt: null,\n        } as any,\n        undefined,\n        { tenantId: auth.tenantId, organizationId: auth.orgId },\n      )\n      for (const role of validRoles) {\n        const userRole = tx.create(CustomerUserRole, {\n          user,\n          role,\n          createdAt: new Date(),\n        } as any)\n        tx.persist(userRole)\n      }\n    }\n  })\n\n  void emitCustomerAccountsEvent('customer_accounts.user.created', {\n    id: user.id,\n    email: user.email,\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n    createdBy: auth.sub,\n  }).catch(() => undefined)\n\n  return NextResponse.json({\n    ok: true,\n    user: { id: user.id, email: user.email, displayName: user.displayName },\n  }, { status: 201 })\n}\n\nconst roleSchema = z.object({ id: z.string().uuid(), name: z.string(), slug: z.string() })\nconst userSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string(),\n  displayName: z.string(),\n  emailVerified: z.boolean(),\n  isActive: z.boolean(),\n  lockedUntil: z.string().datetime().nullable(),\n  lastLoginAt: z.string().datetime().nullable(),\n  customerEntityId: z.string().uuid().nullable(),\n  personEntityId: z.string().uuid().nullable(),\n  createdAt: z.string().datetime(),\n  updatedAt: z.string().datetime().nullable(),\n  roles: z.array(roleSchema),\n})\n\nconst successSchema = z.object({\n  ok: z.literal(true),\n  user: z.object({ id: z.string().uuid(), email: z.string(), displayName: z.string() }),\n})\nconst errorSchema = z.object({ ok: z.literal(false), error: z.string() })\n\nasync function findCustomerUserIdsBySearchTokens(\n  em: EntityManager,\n  entityType: string,\n  search: string,\n  tenantScope: string | null | undefined,\n  field?: string,\n): Promise<string[] | null> {\n  const trimmed = search.trim()\n  if (!trimmed) return null\n  const searchConfig = resolveSearchConfig()\n  if (!searchConfig.enabled) return []\n  const { hashes } = tokenizeText(trimmed, searchConfig)\n  if (!hashes.length) return []\n\n  const db = (em as any).getKysely() as any\n  let query = db\n    .selectFrom('search_tokens')\n    .select('entity_id')\n    .where('entity_type', '=', entityType)\n    .where('token_hash', 'in', hashes)\n    .groupBy('entity_id')\n    .having(sql<boolean>`count(distinct token_hash) >= ${hashes.length}`)\n  if (field) {\n    query = query.where('field', '=', field)\n  }\n  if (tenantScope !== undefined) {\n    query = query.where(sql<boolean>`tenant_id is not distinct from ${tenantScope}`)\n  }\n  const rows = (await query.execute()) as Array<{ entity_id?: unknown }>\n  return rows\n    .map((row) => (typeof row.entity_id === 'string' ? row.entity_id : null))\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\nconst getMethodDoc: OpenApiMethodDoc = {\n  summary: 'List customer users (admin)',\n  description: 'Returns a paginated list of customer users with roles. Supports filtering by status, company, role, and search.',\n  tags: ['Customer Accounts Admin'],\n  query: z.object({\n    page: z.number().int().positive().optional(),\n    pageSize: z.number().int().positive().max(100).optional(),\n    status: z.enum(['active', 'inactive', 'locked']).optional(),\n    customerEntityId: z.string().uuid().optional(),\n    roleId: z.string().uuid().optional(),\n    search: z.string().optional(),\n  }),\n  responses: [{\n    status: 200,\n    description: 'Paginated user list',\n    schema: z.object({ ok: z.literal(true), items: z.array(userSchema), total: z.number(), totalPages: z.number(), page: z.number() }),\n  }],\n  errors: [\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n  ],\n}\n\nconst postMethodDoc: OpenApiMethodDoc = {\n  summary: 'Create customer user (admin)',\n  description: 'Creates a new customer user directly. Staff-initiated, bypasses signup flow.',\n  tags: ['Customer Accounts Admin'],\n  requestBody: { schema: adminCreateUserSchema },\n  responses: [{ status: 201, description: 'User created', schema: successSchema }],\n  errors: [\n    { status: 400, description: 'Validation failed', schema: errorSchema },\n    { status: 401, description: 'Not authenticated', schema: errorSchema },\n    { status: 403, description: 'Insufficient permissions', schema: errorSchema },\n    { status: 409, description: 'Email already exists', schema: errorSchema },\n  ],\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  summary: 'Customer user management (admin)',\n  methods: {\n    GET: getMethodDoc,\n    POST: postMethodDoc,\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,cAAc,kBAAkB,oBAAoB;AAE7D,SAAS,6BAA6B;AACtC,SAAS,iCAAiC;AAC1C,SAAS,4BAA4B,0BAA0B;AAC/D,SAAS,qBAAqB;AAC9B,SAAS,SAAS;AAClB,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,WAAW;AAEpB,MAAM,qBAAqB;AAEpB,MAAM,WAAW,CAAC;AAEzB,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,wBAAwB,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACpJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AAEjC,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,MAAM,KAAK,GAAG,CAAC;AACtE,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,IAAI,aAAa,IAAI,UAAU,KAAK,IAAI,CAAC,CAAC;AAC9F,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAC5C,QAAM,mBAAmB,IAAI,aAAa,IAAI,kBAAkB;AAChE,QAAM,iBAAiB,IAAI,aAAa,IAAI,gBAAgB;AAC5D,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAC5C,QAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAE5C,QAAM,QAAiC;AAAA,IACrC,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW;AAAA,EACb;AAEA,MAAI,WAAW,UAAU;AACvB,UAAM,WAAW;AACjB,UAAM,MAAM,CAAC,EAAE,aAAa,KAAK,GAAG,EAAE,aAAa,EAAE,KAAK,oBAAI,KAAK,EAAE,EAAE,CAAC;AAAA,EAC1E,WAAW,WAAW,YAAY;AAChC,UAAM,WAAW;AAAA,EACnB,WAAW,WAAW,UAAU;AAC9B,UAAM,cAAc,EAAE,KAAK,oBAAI,KAAK,EAAE;AAAA,EACxC;AAEA,MAAI,kBAAkB;AACpB,UAAM,mBAAmB;AAAA,EAC3B;AAEA,MAAI,gBAAgB;AAClB,UAAM,iBAAiB;AAAA,EACzB;AAEA,MAAI,QAAQ;AACV,UAAM,gBAAgB,OAAO,KAAK;AAIlC,UAAM,eAA0C,CAAC;AAGjD,UAAM,aAAa,MAAM,kCAAkC,IAAI,EAAE,kBAAkB,eAAe,eAAe,KAAK,QAAQ;AAC9H,QAAI,cAAc,WAAW,SAAS,GAAG;AACvC,mBAAa,KAAK,EAAE,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;AAAA,IAC/C;AAGA,QAAI,mBAAmB,KAAK,MAAM,GAAG;AACnC,mBAAa,KAAK,EAAE,WAAW,cAAc,MAAM,EAAE,CAAC;AAAA,IACxD;AAEA,QAAI,aAAa,SAAS,GAAG;AAC3B,UAAI,MAAM,KAAK;AACb,cAAM,OAAO,CAAC,EAAE,KAAK,MAAM,IAAI,GAAG,EAAE,KAAK,aAAa,CAAC;AACvD,eAAO,MAAM;AAAA,MACf,OAAO;AACL,cAAM,MAAM;AAAA,MACd;AAAA,IACF,OAAO;AAEL,aAAO,aAAa,KAAK;AAAA,QACvB,IAAI;AAAA,QACJ,OAAO,CAAC;AAAA,QACR,OAAO;AAAA,QACP,YAAY;AAAA,QACZ;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,UAA2B;AAC/B,MAAI,QAAQ;AACV,UAAM,YAAY,MAAM;AAAA,MACtB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAe,WAAW,KAAK;AAAA,MACvC;AAAA,MACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,IACxD;AACA,cAAU,UAAU,IAAI,CAAC,SAAU,KAAK,MAAc,MAAO,KAAK,IAA0B;AAC5F,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,IAAI;AAAA,QACJ,OAAO,CAAC;AAAA,QACR,OAAO;AAAA,QACP,YAAY;AAAA,QACZ;AAAA,MACF,CAAC;AAAA,IACH;AACA,UAAM,KAAK,EAAE,KAAK,QAAQ;AAAA,EAC5B;AAEA,QAAM,UAAU,OAAO,KAAK;AAC5B,QAAM,CAAC,OAAO,KAAK,IAAI,MAAM;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE,SAAS,EAAE,WAAW,OAAO;AAAA,MAC7B,OAAO;AAAA,MACP;AAAA,IACF;AAAA,IACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD;AAEA,QAAM,cAAc,MAAM,IAAI,CAAC,SAAS,KAAK,EAAE;AAC/C,QAAM,gBAAgB,YAAY,SAAS,IACvC,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,YAAY,GAAU,WAAW,KAAK;AAAA,IACrD,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,EACxD,IACA,CAAC;AAEL,QAAM,gBAAgB,oBAAI,IAA+D;AACzF,aAAW,QAAQ,eAAe;AAChC,UAAM,aAAc,KAAK,MAAc,MAAO,KAAK;AACnD,UAAM,OAAO,KAAK;AAClB,UAAM,SAAS,cAAc,IAAI,UAAU;AAC3C,UAAM,QAAQ,EAAE,IAAI,KAAK,IAAI,MAAM,KAAK,MAAM,MAAM,KAAK,KAAK;AAC9D,QAAI,OAAQ,QAAO,KAAK,KAAK;AAAA,QACxB,eAAc,IAAI,YAAY,CAAC,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,QAAQ,MAAM,IAAI,CAAC,UAAU;AAAA,IACjC,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,aAAa,KAAK;AAAA,IAClB,eAAe,CAAC,CAAC,KAAK;AAAA,IACtB,UAAU,KAAK;AAAA,IACf,aAAa,KAAK,eAAe;AAAA,IACjC,aAAa,KAAK,eAAe;AAAA,IACjC,kBAAkB,KAAK,oBAAoB;AAAA,IAC3C,gBAAgB,KAAK,kBAAkB;AAAA,IACvC,WAAW,KAAK;AAAA,IAChB,WAAW,KAAK,aAAa;AAAA,IAC7B,OAAO,cAAc,IAAI,KAAK,EAAE,KAAK,CAAC;AAAA,EACxC,EAAE;AAEF,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAE1D,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,YAAY,MAAM,YAAY,mBAAmB,KAAK,KAAK,CAAC,0BAA0B,GAAG,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM,CAAC;AACtJ,MAAI,CAAC,WAAW;AACd,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5F;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxF;AAEA,QAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClI;AAEA,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,sBAAsB,UAAU,QAAQ,qBAAqB;AAEnE,QAAM,WAAW,MAAM,oBAAoB,YAAY,OAAO,KAAK,OAAO,KAAK,QAAS;AACxF,MAAI,UAAU;AACZ,WAAO,aAAa,KAAK,EAAE,IAAI,OAAO,OAAO,wCAAwC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,OAAO,MAAM,oBAAoB;AAAA,IACrC,OAAO,KAAK;AAAA,IACZ,OAAO,KAAK;AAAA,IACZ,OAAO,KAAK;AAAA,IACZ,EAAE,UAAU,KAAK,UAAW,gBAAgB,KAAK,MAAO;AAAA,EAC1D;AACA,OAAK,kBAAkB,oBAAI,KAAK;AAKhC,QAAM,GAAG,cAAc,OAAO,OAAO;AACnC,OAAG,QAAQ,IAAI;AACf,UAAM,GAAG,MAAM;AAEf,QAAI,OAAO,KAAK,kBAAkB;AAChC,YAAM,GAAG,aAAa,cAAc,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,kBAAkB,OAAO,KAAK,iBAAiB,CAAC;AAAA,IACzG;AAEA,QAAI,OAAO,KAAK,WAAW,OAAO,KAAK,QAAQ,SAAS,GAAG;AACzD,YAAM,aAAa,MAAM;AAAA,QACvB;AAAA,QACA;AAAA,QACA;AAAA,UACE,IAAI,EAAE,KAAK,OAAO,KAAK,QAAQ;AAAA,UAC/B,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,QACb;AAAA,QACA;AAAA,QACA,EAAE,UAAU,KAAK,UAAU,gBAAgB,KAAK,MAAM;AAAA,MACxD;AACA,iBAAW,QAAQ,YAAY;AAC7B,cAAM,WAAW,GAAG,OAAO,kBAAkB;AAAA,UAC3C;AAAA,UACA;AAAA,UACA,WAAW,oBAAI,KAAK;AAAA,QACtB,CAAQ;AACR,WAAG,QAAQ,QAAQ;AAAA,MACrB;AAAA,IACF;AAAA,EACF,CAAC;AAED,OAAK,0BAA0B,kCAAkC;AAAA,IAC/D,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,IACrB,WAAW,KAAK;AAAA,EAClB,CAAC,EAAE,MAAM,MAAM,MAAS;AAExB,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,MAAM,EAAE,IAAI,KAAK,IAAI,OAAO,KAAK,OAAO,aAAa,KAAK,YAAY;AAAA,EACxE,GAAG,EAAE,QAAQ,IAAI,CAAC;AACpB;AAEA,MAAM,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AACzF,MAAM,aAAa,EAAE,OAAO;AAAA,EAC1B,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO;AAAA,EACtB,eAAe,EAAE,QAAQ;AAAA,EACzB,UAAU,EAAE,QAAQ;AAAA,EACpB,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC7C,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,OAAO,EAAE,MAAM,UAAU;AAC3B,CAAC;AAED,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,GAAG,OAAO,EAAE,OAAO,GAAG,aAAa,EAAE,OAAO,EAAE,CAAC;AACtF,CAAC;AACD,MAAM,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,KAAK,GAAG,OAAO,EAAE,OAAO,EAAE,CAAC;AAExE,eAAe,kCACb,IACA,YACA,QACA,aACA,OAC0B;AAC1B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,eAAe,oBAAoB;AACzC,MAAI,CAAC,aAAa,QAAS,QAAO,CAAC;AACnC,QAAM,EAAE,OAAO,IAAI,aAAa,SAAS,YAAY;AACrD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,KAAM,GAAW,UAAU;AACjC,MAAI,QAAQ,GACT,WAAW,eAAe,EAC1B,OAAO,WAAW,EAClB,MAAM,eAAe,KAAK,UAAU,EACpC,MAAM,cAAc,MAAM,MAAM,EAChC,QAAQ,WAAW,EACnB,OAAO,oCAA6C,OAAO,MAAM,EAAE;AACtE,MAAI,OAAO;AACT,YAAQ,MAAM,MAAM,SAAS,KAAK,KAAK;AAAA,EACzC;AACA,MAAI,gBAAgB,QAAW;AAC7B,YAAQ,MAAM,MAAM,qCAA8C,WAAW,EAAE;AAAA,EACjF;AACA,QAAM,OAAQ,MAAM,MAAM,QAAQ;AAClC,SAAO,KACJ,IAAI,CAAC,QAAS,OAAO,IAAI,cAAc,WAAW,IAAI,YAAY,IAAK,EACvE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAEA,MAAM,eAAiC;AAAA,EACrC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,OAAO,EAAE,OAAO;AAAA,IACd,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA,IAC3C,UAAU,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IACxD,QAAQ,EAAE,KAAK,CAAC,UAAU,YAAY,QAAQ,CAAC,EAAE,SAAS;AAAA,IAC1D,kBAAkB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,IAC7C,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,IACnC,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,CAAC;AAAA,EACD,WAAW,CAAC;AAAA,IACV,QAAQ;AAAA,IACR,aAAa;AAAA,IACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,GAAG,OAAO,EAAE,MAAM,UAAU,GAAG,OAAO,EAAE,OAAO,GAAG,YAAY,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,CAAC;AAAA,EACnI,CAAC;AAAA,EACD,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,EAC9E;AACF;AAEA,MAAM,gBAAkC;AAAA,EACtC,SAAS;AAAA,EACT,aAAa;AAAA,EACb,MAAM,CAAC,yBAAyB;AAAA,EAChC,aAAa,EAAE,QAAQ,sBAAsB;AAAA,EAC7C,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,cAAc,CAAC;AAAA,EAC/E,QAAQ;AAAA,IACN,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,YAAY;AAAA,IACrE,EAAE,QAAQ,KAAK,aAAa,4BAA4B,QAAQ,YAAY;AAAA,IAC5E,EAAE,QAAQ,KAAK,aAAa,wBAAwB,QAAQ,YAAY;AAAA,EAC1E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;",
   "names": []
 }

package/dist/modules/customer_accounts/backend/customer_accounts/roles/[id]/page.js CHANGED Viewed

@@ -7,7 +7,9 @@ import { Page, PageBody } from "@open-mercato/ui/backend/Page";
 import { CrudForm } from "@open-mercato/ui/backend/CrudForm";
 import { Button } from "@open-mercato/ui/primitives/button";
 import { Spinner } from "@open-mercato/ui/primitives/spinner";
-import { apiCall, readApiResultOrThrow } from "@open-mercato/ui/backend/utils/apiCall";
+import { apiCall, readApiResultOrThrow, withScopedApiRequestHeaders } from "@open-mercato/ui/backend/utils/apiCall";
+import { buildOptimisticLockHeader } from "@open-mercato/ui/backend/utils/optimisticLock";
+import { surfaceRecordConflict } from "@open-mercato/ui/backend/conflicts";
 import { flash } from "@open-mercato/ui/backend/FlashMessages";
 import { useT } from "@open-mercato/shared/lib/i18n/context";
 import { RecordNotFoundState, ErrorMessage } from "@open-mercato/ui/backend/detail";
@@ -213,12 +215,14 @@ function CustomerRoleDetailPage({ params }) {
       description: data.description || "",
       isDefault: data.isDefault,
       customerAssignable: data.customerAssignable,
-      features: data.features
+      features: data.features,
+      updatedAt: data.updatedAt ?? data.updated_at ?? null
     };
   }, [data]);
   const handleSubmit = React.useCallback(async (values) => {
     if (!id) return;
-    const roleCall = await apiCall(
+    const headers = buildOptimisticLockHeader(data?.updatedAt ?? data?.updated_at ?? null);
+    const roleCall = await withScopedApiRequestHeaders(headers, () => apiCall(
       `/api/customer_accounts/admin/roles/${encodeURIComponent(id)}`,
       {
         method: "PUT",
@@ -230,8 +234,9 @@ function CustomerRoleDetailPage({ params }) {
           customerAssignable: values.customerAssignable
         })
       }
-    );
+    ));
     if (!roleCall.ok) {
+      if (surfaceRecordConflict({ status: roleCall.status, body: roleCall.result }, t)) return;
       flash(t("customer_accounts.admin.roleDetail.error.save", "Failed to save role"), "error");
       return;
     }
@@ -250,20 +255,22 @@ function CustomerRoleDetailPage({ params }) {
     }
     flash(t("customer_accounts.admin.roleDetail.flash.saved", "Role updated"), "success");
     router.push("/backend/customer_accounts/roles");
-  }, [id, router, t]);
+  }, [data?.updatedAt, data?.updated_at, id, router, t]);
   const handleDelete = React.useCallback(async () => {
     if (!id) return;
-    const call = await apiCall(
+    const headers = buildOptimisticLockHeader(data?.updatedAt ?? data?.updated_at ?? null);
+    const call = await withScopedApiRequestHeaders(headers, () => apiCall(
       `/api/customer_accounts/admin/roles/${encodeURIComponent(id)}`,
       { method: "DELETE" }
-    );
+    ));
     if (!call.ok) {
+      if (surfaceRecordConflict({ status: call.status, body: call.result }, t)) return;
       flash(t("customer_accounts.admin.roles.error.delete", "Failed to delete role"), "error");
       return;
     }
     flash(t("customer_accounts.admin.roles.flash.deleted", "Role deleted"), "success");
     router.push("/backend/customer_accounts/roles");
-  }, [id, router, t]);
+  }, [data?.updatedAt, data?.updated_at, id, router, t]);
   if (isLoading) {
     return /* @__PURE__ */ jsx(Page, { children: /* @__PURE__ */ jsx(PageBody, { children: /* @__PURE__ */ jsxs("div", { className: "flex h-[50vh] flex-col items-center justify-center gap-2 text-muted-foreground", children: [
       /* @__PURE__ */ jsx(Spinner, { className: "h-6 w-6" }),
@@ -297,6 +304,7 @@ function CustomerRoleDetailPage({ params }) {
       fields,
       groups,
       initialValues,
+      optimisticLockUpdatedAt: data.updatedAt ?? data.updated_at ?? null,
       entityId: "customer_accounts:customer_role",
       onSubmit: handleSubmit,
       onDelete: !data.isSystem ? handleDelete : void 0,