npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4544.1.71c003c861 - Mend

@open-mercato/core 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4544.1.71c003c861

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (633) hide show

package/dist/modules/auth/api/roles/acl/route.js CHANGED Viewed

@@ -4,9 +4,10 @@ import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { logCrudAccess } from "@open-mercato/shared/lib/crud/factory";
 import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
+import { withAtomicFlush } from "@open-mercato/shared/lib/commands/flush";
 import { RoleAcl, Role } from "@open-mercato/core/modules/auth/data/entities";
 import { resolveIsSuperAdmin } from "@open-mercato/core/modules/auth/lib/tenantAccess";
-import { withAtomicFlush } from "@open-mercato/shared/lib/commands/flush";
 import {
   assertActorCanGrantAcl,
   assertActorCanModifySuperAdminRoleTarget,
@@ -30,7 +31,8 @@ const metadata = {
 const roleAclResponseSchema = z.object({
   isSuperAdmin: z.boolean(),
   features: z.array(z.string()),
-  organizations: z.array(z.string()).nullable()
+  organizations: z.array(z.string()).nullable(),
+  updatedAt: z.string().nullable()
 });
 const roleAclUpdateResponseSchema = z.object({
   ok: z.literal(true),
@@ -83,8 +85,9 @@ async function GET(req) {
   const response = acl ? {
     isSuperAdmin: !!acl.isSuperAdmin,
     features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],
-    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null
-  } : { isSuperAdmin: false, features: [], organizations: null };
+    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,
+    updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null
+  } : { isSuperAdmin: false, features: [], organizations: null, updatedAt: null };
   await logCrudAccess({
     container,
     auth,
@@ -147,7 +150,19 @@ async function PUT(req) {
     }
   }
   let acl = await em.findOne(RoleAcl, { role, tenantId: targetTenantId });
-  if (!acl) {
+  if (acl) {
+    try {
+      enforceCommandOptimisticLock({
+        resourceKind: "auth.role_acl",
+        resourceId: acl.id,
+        current: acl.updatedAt ?? null,
+        request: req
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  } else {
     acl = em.create(RoleAcl, {
       role,
       tenantId: targetTenantId,
@@ -177,14 +192,18 @@ async function PUT(req) {
     throw err;
   }
   const aclToPersist = acl;
-  await withAtomicFlush(em, [
-    () => {
-      aclToPersist.organizationsJson = requestedOrganizations;
-      aclToPersist.isSuperAdmin = requestedIsSuperAdmin;
-      aclToPersist.featuresJson = requestedFeatures;
-      em.persist(aclToPersist);
-    }
-  ], { transaction: true });
+  await withAtomicFlush(
+    em,
+    [
+      () => {
+        aclToPersist.organizationsJson = requestedOrganizations;
+        aclToPersist.isSuperAdmin = requestedIsSuperAdmin;
+        aclToPersist.featuresJson = requestedFeatures;
+        em.persist(aclToPersist);
+      }
+    ],
+    { transaction: true }
+  );
   if (targetTenantId) {
     await rbacService.invalidateTenantCache(targetTenantId);
     try {

package/dist/modules/auth/api/roles/acl/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/roles/acl/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { RoleAcl, Role } from '@open-mercato/core/modules/auth/data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport {\n  assertActorCanGrantAcl,\n  assertActorCanModifySuperAdminRoleTarget,\n  normalizeGrantFeatureList,\n} from '@open-mercato/core/modules/auth/lib/grantChecks'\n\ntype TaggableCache = { deleteByTags?: (tags: string[]) => Promise<void> | void }\n\nconst getSchema = z.object({\n  roleId: z.string().uuid(),\n  tenantId: z.string().uuid().optional(),\n})\nconst putSchema = z.object({\n  roleId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst roleAclResponseSchema = z.object({\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n})\n\nconst roleAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst roleAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({\n    roleId: url.searchParams.get('roleId'),\n    tenantId: url.searchParams.get('tenantId') || undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const isSuperAdmin = await resolveIsSuperAdmin({ auth, container })\n  const em = container.resolve('em') as EntityManager\n  const authTenantId = auth.tenantId ?? null\n  const roleFilter: Record<string, unknown> = { id: parsed.data.roleId }\n  if (!isSuperAdmin && authTenantId) {\n    roleFilter.$or = [{ tenantId: authTenantId }, { tenantId: null }]\n  }\n  const role = await em.findOne(Role, roleFilter)\n  if (!role) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n  const roleTenantId = role?.tenantId ? String(role.tenantId) : null\n\n  let tenantScope = parsed.data.tenantId ?? roleTenantId ?? authTenantId ?? null\n  if (parsed.data.tenantId && parsed.data.tenantId !== tenantScope) {\n    if (isSuperAdmin || parsed.data.tenantId === authTenantId) tenantScope = parsed.data.tenantId\n    else return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n  }\n  if (!tenantScope && !isSuperAdmin) tenantScope = authTenantId ?? null\n\n  if (!isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminRoleTarget({\n        em,\n        rbacService: container.resolve('rbacService') as RbacService,\n        actorUserId: auth.sub,\n        tenantId: tenantScope,\n        organizationId: auth.orgId ?? null,\n        targetRoleId: parsed.data.roleId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const acl = tenantScope\n    ? await em.findOne(RoleAcl, { role, tenantId: tenantScope })\n    : null\n  const response = acl\n    ? {\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n      }\n    : { isSuperAdmin: false, features: [], organizations: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.roleId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.role_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: tenantScope,\n    query: { roleId: parsed.data.roleId, tenantId: tenantScope },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const isSuperAdmin = await resolveIsSuperAdmin({ auth, container })\n  const rbacService = container.resolve('rbacService') as RbacService\n  const authTenantId = auth.tenantId ?? null\n  const putRoleFilter: Record<string, unknown> = { id: parsed.data.roleId }\n  if (!isSuperAdmin && authTenantId) {\n    putRoleFilter.$or = [{ tenantId: authTenantId }, { tenantId: null }]\n  }\n  const role = await em.findOne(Role, putRoleFilter)\n  if (!role) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n\n  const roleTenantId = role?.tenantId ? String(role.tenantId) : null\n\n  let targetTenantId = parsed.data.tenantId ?? roleTenantId ?? authTenantId ?? null\n  if (parsed.data.tenantId && parsed.data.tenantId !== targetTenantId) {\n    if (isSuperAdmin || parsed.data.tenantId === authTenantId) {\n      targetTenantId = parsed.data.tenantId\n    } else {\n      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n    }\n  }\n  if (!targetTenantId && !isSuperAdmin) targetTenantId = authTenantId ?? null\n  if (!targetTenantId) return NextResponse.json({ error: 'Tenant required' }, { status: 400 })\n\n  if (!isSuperAdmin && targetTenantId !== authTenantId) {\n    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n  }\n\n  if (!isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminRoleTarget({\n        em,\n        rbacService,\n        actorUserId: auth.sub,\n        tenantId: targetTenantId,\n        organizationId: auth.orgId ?? null,\n        targetRoleId: parsed.data.roleId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  let acl = await em.findOne(RoleAcl, { role, tenantId: targetTenantId })\n  if (!acl) {\n    acl = em.create(RoleAcl, {\n      role,\n      tenantId: targetTenantId,\n      createdAt: new Date(),\n      isSuperAdmin: false,\n    })\n  }\n\n  const existingIsSuperAdmin = !!acl.isSuperAdmin\n  const existingFeatures = normalizeGrantFeatureList(acl.featuresJson)\n  const existingOrganizations = normalizeOrganizations(acl.organizationsJson)\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? existingIsSuperAdmin\n  const requestedFeatures = parsed.data.features === undefined\n    ? existingFeatures\n    : normalizeGrantFeatureList(parsed.data.features)\n  const requestedOrganizations = parsed.data.organizations === undefined\n    ? existingOrganizations\n    : normalizeOrganizations(parsed.data.organizations)\n\n  try {\n    await assertActorCanGrantAcl({\n      em,\n      rbacService,\n      actorUserId: auth.sub,\n      tenantId: targetTenantId,\n      organizationId: auth.orgId ?? null,\n      isSuperAdmin: requestedIsSuperAdmin,\n      features: requestedFeatures,\n      organizations: requestedOrganizations,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  const aclToPersist = acl\n  await withAtomicFlush(em, [\n    () => {\n      aclToPersist.organizationsJson = requestedOrganizations\n      aclToPersist.isSuperAdmin = requestedIsSuperAdmin\n      aclToPersist.featuresJson = requestedFeatures\n      em.persist(aclToPersist)\n    },\n  ], { transaction: true })\n\n  // Invalidate cache for all users in this tenant since role ACL changed\n  if (targetTenantId) {\n    await rbacService.invalidateTenantCache(targetTenantId)\n    // Sidebar nav caches depend on RBAC; invalidate tenant scope nav caches\n    try {\n      const cache = container.resolve('cache') as TaggableCache | undefined\n      if (cache?.deleteByTags) await cache.deleteByTags([`rbac:tenant:${targetTenantId}`])\n    } catch {}\n  }\n  \n  return NextResponse.json({\n    ok: true,\n    sanitized: false,\n  })\n}\n\nfunction normalizeOrganizations(organizations: unknown): string[] | null {\n  if (!Array.isArray(organizations)) return null\n  return normalizeGrantFeatureList(organizations)\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Role ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch role ACL',\n      description: 'Returns the feature and organization assignments associated with a role within the current tenant.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'Role ACL entry', schema: roleAclResponseSchema },\n        { status: 400, description: 'Invalid role id', schema: roleAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: roleAclErrorSchema },\n        { status: 404, description: 'Role not found', schema: roleAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update role ACL',\n      description: 'Replaces the feature list, super admin flag, and optional organization assignments for a role.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'Role ACL updated', schema: roleAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: roleAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: roleAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: roleAclErrorSchema },\n        { status: 404, description: 'Role not found', schema: roleAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,uBAAuB;AAChC,SAAS,SAAS,YAAY;AAE9B,SAAS,2BAA2B;AAEpC,SAAS,uBAAuB;AAChC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIP,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AACD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACvD,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC9C,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU;AAAA,IACjC,QAAQ,IAAI,aAAa,IAAI,QAAQ;AAAA,IACrC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,EAChD,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,eAAe,MAAM,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAClE,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,eAAe,KAAK,YAAY;AACtC,QAAM,aAAsC,EAAE,IAAI,OAAO,KAAK,OAAO;AACrE,MAAI,CAAC,gBAAgB,cAAc;AACjC,eAAW,MAAM,CAAC,EAAE,UAAU,aAAa,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,EAClE;AACA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,UAAU;AAC9C,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC3E,QAAM,eAAe,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAE9D,MAAI,cAAc,OAAO,KAAK,YAAY,gBAAgB,gBAAgB;AAC1E,MAAI,OAAO,KAAK,YAAY,OAAO,KAAK,aAAa,aAAa;AAChE,QAAI,gBAAgB,OAAO,KAAK,aAAa,aAAc,eAAc,OAAO,KAAK;AAAA,QAChF,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvE;AACA,MAAI,CAAC,eAAe,CAAC,aAAc,eAAc,gBAAgB;AAEjE,MAAI,CAAC,gBAAgB,KAAK,KAAK;AAC7B,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA,aAAa,UAAU,QAAQ,aAAa;AAAA,QAC5C,aAAa,KAAK;AAAA,QAClB,UAAU;AAAA,QACV,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,MAAM,cACR,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,UAAU,YAAY,CAAC,IACzD;AACJ,QAAM,WAAW,MACb;AAAA,IACE,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,EAChF,IACA,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AAE7D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU;AAAA,IACV,OAAO,EAAE,QAAQ,OAAO,KAAK,QAAQ,UAAU,YAAY;AAAA,IAC3D,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,eAAe,MAAM,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAClE,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,eAAe,KAAK,YAAY;AACtC,QAAM,gBAAyC,EAAE,IAAI,OAAO,KAAK,OAAO;AACxE,MAAI,CAAC,gBAAgB,cAAc;AACjC,kBAAc,MAAM,CAAC,EAAE,UAAU,aAAa,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,EACrE;AACA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,aAAa;AACjD,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE3E,QAAM,eAAe,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAE9D,MAAI,iBAAiB,OAAO,KAAK,YAAY,gBAAgB,gBAAgB;AAC7E,MAAI,OAAO,KAAK,YAAY,OAAO,KAAK,aAAa,gBAAgB;AACnE,QAAI,gBAAgB,OAAO,KAAK,aAAa,cAAc;AACzD,uBAAiB,OAAO,KAAK;AAAA,IAC/B,OAAO;AACL,aAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAClE;AAAA,EACF;AACA,MAAI,CAAC,kBAAkB,CAAC,aAAc,kBAAiB,gBAAgB;AACvE,MAAI,CAAC,eAAgB,QAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE3F,MAAI,CAAC,gBAAgB,mBAAmB,cAAc;AACpD,WAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClE;AAEA,MAAI,CAAC,gBAAgB,KAAK,KAAK;AAC7B,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU;AAAA,QACV,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,UAAU,eAAe,CAAC;AACtE,MAAI,CAAC,KAAK;AACR,UAAM,GAAG,OAAO,SAAS;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,MACV,WAAW,oBAAI,KAAK;AAAA,MACpB,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,QAAM,uBAAuB,CAAC,CAAC,IAAI;AACnC,QAAM,mBAAmB,0BAA0B,IAAI,YAAY;AACnE,QAAM,wBAAwB,uBAAuB,IAAI,iBAAiB;AAC1E,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAC1D,QAAM,oBAAoB,OAAO,KAAK,aAAa,SAC/C,mBACA,0BAA0B,OAAO,KAAK,QAAQ;AAClD,QAAM,yBAAyB,OAAO,KAAK,kBAAkB,SACzD,wBACA,uBAAuB,OAAO,KAAK,aAAa;AAEpD,MAAI;AACF,UAAM,uBAAuB;AAAA,MAC3B;AAAA,MACA;AAAA,MACA,aAAa,KAAK;AAAA,MAClB,UAAU;AAAA,MACV,gBAAgB,KAAK,SAAS;AAAA,MAC9B,cAAc;AAAA,MACd,UAAU;AAAA,MACV,eAAe;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAEA,QAAM,eAAe;AACrB,QAAM,gBAAgB,IAAI;AAAA,IACxB,MAAM;AACJ,mBAAa,oBAAoB;AACjC,mBAAa,eAAe;AAC5B,mBAAa,eAAe;AAC5B,SAAG,QAAQ,YAAY;AAAA,IACzB;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AAGxB,MAAI,gBAAgB;AAClB,UAAM,YAAY,sBAAsB,cAAc;AAEtD,QAAI;AACF,YAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,UAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,eAAe,cAAc,EAAE,CAAC;AAAA,IACrF,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW;AAAA,EACb,CAAC;AACH;AAEA,SAAS,uBAAuB,eAAyC;AACvE,MAAI,CAAC,MAAM,QAAQ,aAAa,EAAG,QAAO;AAC1C,SAAO,0BAA0B,aAAa;AAChD;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,mBAAmB;AAAA,MAC3E;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,mBAAmB;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { RoleAcl, Role } from '@open-mercato/core/modules/auth/data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'\nimport { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport {\n  assertActorCanGrantAcl,\n  assertActorCanModifySuperAdminRoleTarget,\n  normalizeGrantFeatureList,\n} from '@open-mercato/core/modules/auth/lib/grantChecks'\n\ntype TaggableCache = { deleteByTags?: (tags: string[]) => Promise<void> | void }\n\nconst getSchema = z.object({\n  roleId: z.string().uuid(),\n  tenantId: z.string().uuid().optional(),\n})\nconst putSchema = z.object({\n  roleId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst roleAclResponseSchema = z.object({\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n  updatedAt: z.string().nullable(),\n})\n\nconst roleAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst roleAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({\n    roleId: url.searchParams.get('roleId'),\n    tenantId: url.searchParams.get('tenantId') || undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const isSuperAdmin = await resolveIsSuperAdmin({ auth, container })\n  const em = container.resolve('em') as EntityManager\n  const authTenantId = auth.tenantId ?? null\n  const roleFilter: Record<string, unknown> = { id: parsed.data.roleId }\n  if (!isSuperAdmin && authTenantId) {\n    roleFilter.$or = [{ tenantId: authTenantId }, { tenantId: null }]\n  }\n  const role = await em.findOne(Role, roleFilter)\n  if (!role) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n  const roleTenantId = role?.tenantId ? String(role.tenantId) : null\n\n  let tenantScope = parsed.data.tenantId ?? roleTenantId ?? authTenantId ?? null\n  if (parsed.data.tenantId && parsed.data.tenantId !== tenantScope) {\n    if (isSuperAdmin || parsed.data.tenantId === authTenantId) tenantScope = parsed.data.tenantId\n    else return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n  }\n  if (!tenantScope && !isSuperAdmin) tenantScope = authTenantId ?? null\n\n  if (!isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminRoleTarget({\n        em,\n        rbacService: container.resolve('rbacService') as RbacService,\n        actorUserId: auth.sub,\n        tenantId: tenantScope,\n        organizationId: auth.orgId ?? null,\n        targetRoleId: parsed.data.roleId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const acl = tenantScope\n    ? await em.findOne(RoleAcl, { role, tenantId: tenantScope })\n    : null\n  const response = acl\n    ? {\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n        updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null,\n      }\n    : { isSuperAdmin: false, features: [], organizations: null, updatedAt: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.roleId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.role_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: tenantScope,\n    query: { roleId: parsed.data.roleId, tenantId: tenantScope },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const isSuperAdmin = await resolveIsSuperAdmin({ auth, container })\n  const rbacService = container.resolve('rbacService') as RbacService\n  const authTenantId = auth.tenantId ?? null\n  const putRoleFilter: Record<string, unknown> = { id: parsed.data.roleId }\n  if (!isSuperAdmin && authTenantId) {\n    putRoleFilter.$or = [{ tenantId: authTenantId }, { tenantId: null }]\n  }\n  const role = await em.findOne(Role, putRoleFilter)\n  if (!role) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n\n  const roleTenantId = role?.tenantId ? String(role.tenantId) : null\n\n  let targetTenantId = parsed.data.tenantId ?? roleTenantId ?? authTenantId ?? null\n  if (parsed.data.tenantId && parsed.data.tenantId !== targetTenantId) {\n    if (isSuperAdmin || parsed.data.tenantId === authTenantId) {\n      targetTenantId = parsed.data.tenantId\n    } else {\n      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n    }\n  }\n  if (!targetTenantId && !isSuperAdmin) targetTenantId = authTenantId ?? null\n  if (!targetTenantId) return NextResponse.json({ error: 'Tenant required' }, { status: 400 })\n\n  if (!isSuperAdmin && targetTenantId !== authTenantId) {\n    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })\n  }\n\n  if (!isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminRoleTarget({\n        em,\n        rbacService,\n        actorUserId: auth.sub,\n        tenantId: targetTenantId,\n        organizationId: auth.orgId ?? null,\n        targetRoleId: parsed.data.roleId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  let acl = await em.findOne(RoleAcl, { role, tenantId: targetTenantId })\n  // Optimistic lock: refuse a stale ACL overwrite so two admins editing the same\n  // role's features in parallel cannot silently clobber each other (#2055). The\n  // check is strictly additive \u2014 when the client sends no expected-version header\n  // it is a no-op. Skipped when the ACL row does not exist yet (first grant has\n  // no prior version to conflict with).\n  if (acl) {\n    try {\n      enforceCommandOptimisticLock({\n        resourceKind: 'auth.role_acl',\n        resourceId: acl.id,\n        current: acl.updatedAt ?? null,\n        request: req,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  } else {\n    acl = em.create(RoleAcl, {\n      role,\n      tenantId: targetTenantId,\n      createdAt: new Date(),\n      isSuperAdmin: false,\n    })\n  }\n\n  const existingIsSuperAdmin = !!acl.isSuperAdmin\n  const existingFeatures = normalizeGrantFeatureList(acl.featuresJson)\n  const existingOrganizations = normalizeOrganizations(acl.organizationsJson)\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? existingIsSuperAdmin\n  const requestedFeatures = parsed.data.features === undefined\n    ? existingFeatures\n    : normalizeGrantFeatureList(parsed.data.features)\n  const requestedOrganizations = parsed.data.organizations === undefined\n    ? existingOrganizations\n    : normalizeOrganizations(parsed.data.organizations)\n\n  try {\n    await assertActorCanGrantAcl({\n      em,\n      rbacService,\n      actorUserId: auth.sub,\n      tenantId: targetTenantId,\n      organizationId: auth.orgId ?? null,\n      isSuperAdmin: requestedIsSuperAdmin,\n      features: requestedFeatures,\n      organizations: requestedOrganizations,\n    })\n  } catch (err) {\n    if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n    throw err\n  }\n\n  // Persist the ACL mutation inside a transaction so the role-permission write\n  // commits atomically (proper ACL-edit transaction handling).\n  const aclToPersist = acl\n  await withAtomicFlush(\n    em,\n    [\n      () => {\n        aclToPersist.organizationsJson = requestedOrganizations\n        aclToPersist.isSuperAdmin = requestedIsSuperAdmin\n        aclToPersist.featuresJson = requestedFeatures\n        em.persist(aclToPersist)\n      },\n    ],\n    { transaction: true },\n  )\n\n  // Invalidate cache for all users in this tenant since role ACL changed\n  if (targetTenantId) {\n    await rbacService.invalidateTenantCache(targetTenantId)\n    // Sidebar nav caches depend on RBAC; invalidate tenant scope nav caches\n    try {\n      const cache = container.resolve('cache') as TaggableCache | undefined\n      if (cache?.deleteByTags) await cache.deleteByTags([`rbac:tenant:${targetTenantId}`])\n    } catch {}\n  }\n  \n  return NextResponse.json({\n    ok: true,\n    sanitized: false,\n  })\n}\n\nfunction normalizeOrganizations(organizations: unknown): string[] | null {\n  if (!Array.isArray(organizations)) return null\n  return normalizeGrantFeatureList(organizations)\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Role ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch role ACL',\n      description: 'Returns the feature and organization assignments associated with a role within the current tenant.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'Role ACL entry', schema: roleAclResponseSchema },\n        { status: 400, description: 'Invalid role id', schema: roleAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: roleAclErrorSchema },\n        { status: 404, description: 'Role not found', schema: roleAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update role ACL',\n      description: 'Replaces the feature list, super admin flag, and optional organization assignments for a role.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'Role ACL updated', schema: roleAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: roleAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: roleAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: roleAclErrorSchema },\n        { status: 404, description: 'Role not found', schema: roleAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,uBAAuB;AAChC,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,SAAS,YAAY;AAE9B,SAAS,2BAA2B;AAEpC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAIP,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AACD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACvD,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC5C,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU;AAAA,IACjC,QAAQ,IAAI,aAAa,IAAI,QAAQ;AAAA,IACrC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,EAChD,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,eAAe,MAAM,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAClE,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,eAAe,KAAK,YAAY;AACtC,QAAM,aAAsC,EAAE,IAAI,OAAO,KAAK,OAAO;AACrE,MAAI,CAAC,gBAAgB,cAAc;AACjC,eAAW,MAAM,CAAC,EAAE,UAAU,aAAa,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,EAClE;AACA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,UAAU;AAC9C,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC3E,QAAM,eAAe,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAE9D,MAAI,cAAc,OAAO,KAAK,YAAY,gBAAgB,gBAAgB;AAC1E,MAAI,OAAO,KAAK,YAAY,OAAO,KAAK,aAAa,aAAa;AAChE,QAAI,gBAAgB,OAAO,KAAK,aAAa,aAAc,eAAc,OAAO,KAAK;AAAA,QAChF,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvE;AACA,MAAI,CAAC,eAAe,CAAC,aAAc,eAAc,gBAAgB;AAEjE,MAAI,CAAC,gBAAgB,KAAK,KAAK;AAC7B,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA,aAAa,UAAU,QAAQ,aAAa;AAAA,QAC5C,aAAa,KAAK;AAAA,QAClB,UAAU;AAAA,QACV,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,MAAM,cACR,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,UAAU,YAAY,CAAC,IACzD;AACJ,QAAM,WAAW,MACb;AAAA,IACE,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,IAC9E,WAAW,IAAI,qBAAqB,OAAO,IAAI,UAAU,YAAY,IAAI;AAAA,EAC3E,IACA,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,MAAM,WAAW,KAAK;AAE9E,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU;AAAA,IACV,OAAO,EAAE,QAAQ,OAAO,KAAK,QAAQ,UAAU,YAAY;AAAA,IAC3D,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,eAAe,MAAM,oBAAoB,EAAE,MAAM,UAAU,CAAC;AAClE,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,eAAe,KAAK,YAAY;AACtC,QAAM,gBAAyC,EAAE,IAAI,OAAO,KAAK,OAAO;AACxE,MAAI,CAAC,gBAAgB,cAAc;AACjC,kBAAc,MAAM,CAAC,EAAE,UAAU,aAAa,GAAG,EAAE,UAAU,KAAK,CAAC;AAAA,EACrE;AACA,QAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,aAAa;AACjD,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE3E,QAAM,eAAe,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAE9D,MAAI,iBAAiB,OAAO,KAAK,YAAY,gBAAgB,gBAAgB;AAC7E,MAAI,OAAO,KAAK,YAAY,OAAO,KAAK,aAAa,gBAAgB;AACnE,QAAI,gBAAgB,OAAO,KAAK,aAAa,cAAc;AACzD,uBAAiB,OAAO,KAAK;AAAA,IAC/B,OAAO;AACL,aAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAClE;AAAA,EACF;AACA,MAAI,CAAC,kBAAkB,CAAC,aAAc,kBAAiB,gBAAgB;AACvE,MAAI,CAAC,eAAgB,QAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE3F,MAAI,CAAC,gBAAgB,mBAAmB,cAAc;AACpD,WAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClE;AAEA,MAAI,CAAC,gBAAgB,KAAK,KAAK;AAC7B,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU;AAAA,QACV,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,UAAU,eAAe,CAAC;AAMtE,MAAI,KAAK;AACP,QAAI;AACF,mCAA6B;AAAA,QAC3B,cAAc;AAAA,QACd,YAAY,IAAI;AAAA,QAChB,SAAS,IAAI,aAAa;AAAA,QAC1B,SAAS;AAAA,MACX,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,UAAM,GAAG,OAAO,SAAS;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,MACV,WAAW,oBAAI,KAAK;AAAA,MACpB,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,QAAM,uBAAuB,CAAC,CAAC,IAAI;AACnC,QAAM,mBAAmB,0BAA0B,IAAI,YAAY;AACnE,QAAM,wBAAwB,uBAAuB,IAAI,iBAAiB;AAC1E,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAC1D,QAAM,oBAAoB,OAAO,KAAK,aAAa,SAC/C,mBACA,0BAA0B,OAAO,KAAK,QAAQ;AAClD,QAAM,yBAAyB,OAAO,KAAK,kBAAkB,SACzD,wBACA,uBAAuB,OAAO,KAAK,aAAa;AAEpD,MAAI;AACF,UAAM,uBAAuB;AAAA,MAC3B;AAAA,MACA;AAAA,MACA,aAAa,KAAK;AAAA,MAClB,UAAU;AAAA,MACV,gBAAgB,KAAK,SAAS;AAAA,MAC9B,cAAc;AAAA,MACd,UAAU;AAAA,MACV,eAAe;AAAA,IACjB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,QAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,UAAM;AAAA,EACR;AAIA,QAAM,eAAe;AACrB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,MACE,MAAM;AACJ,qBAAa,oBAAoB;AACjC,qBAAa,eAAe;AAC5B,qBAAa,eAAe;AAC5B,WAAG,QAAQ,YAAY;AAAA,MACzB;AAAA,IACF;AAAA,IACA,EAAE,aAAa,KAAK;AAAA,EACtB;AAGA,MAAI,gBAAgB;AAClB,UAAM,YAAY,sBAAsB,cAAc;AAEtD,QAAI;AACF,YAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,UAAI,OAAO,aAAc,OAAM,MAAM,aAAa,CAAC,eAAe,cAAc,EAAE,CAAC;AAAA,IACrF,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW;AAAA,EACb,CAAC;AACH;AAEA,SAAS,uBAAuB,eAAyC;AACvE,MAAI,CAAC,MAAM,QAAQ,aAAa,EAAG,QAAO;AAC1C,SAAO,0BAA0B,aAAa;AAChD;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,mBAAmB;AAAA,MAC3E;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,mBAAmB;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/roles/route.js CHANGED Viewed

@@ -34,7 +34,8 @@ const roleListItemSchema = z.object({
   usersCount: z.number().int().nonnegative(),
   tenantId: z.string().uuid().nullable(),
   tenantIds: z.array(z.string().uuid()).optional(),
-  tenantName: z.string().nullable()
+  tenantName: z.string().nullable(),
+  updatedAt: z.string().nullable().optional()
 });
 const roleListResponseSchema = z.object({
   items: z.array(roleListItemSchema),
@@ -200,6 +201,7 @@ async function GET(req) {
       tenantId: tenantId ?? null,
       tenantIds: exposeTenant && tenantId ? [tenantId] : [],
       tenantName: exposeTenant ? tenantName : null,
+      updatedAt: r.updatedAt instanceof Date ? r.updatedAt.toISOString() : null,
       ...cfByRole[idStr] || {}
     };
   });

package/dist/modules/auth/api/roles/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/auth/api/roles/route.ts"],
-  "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { Role, RoleAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { roleCrudEvents, roleCrudIndexer } from '@open-mercato/core/modules/auth/commands/roles'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { assertActorCanModifySuperAdminRoleTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\n\nconst querySchema = z.object({\n  id: z.string().uuid().optional(),\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(50),\n  search: z.string().optional(),\n  tenantId: z.string().uuid().optional(),\n}).passthrough()\n\nconst roleCreateSchema = z.object({\n  name: z.string().min(2).max(100),\n  tenantId: z.string().uuid().optional(),\n})\n\nconst roleUpdateSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string().min(2).max(100).optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nconst roleListItemSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  usersCount: z.number().int().nonnegative(),\n  tenantId: z.string().uuid().nullable(),\n  tenantIds: z.array(z.string().uuid()).optional(),\n  tenantName: z.string().nullable(),\n})\n\nconst roleListResponseSchema = z.object({\n  items: z.array(roleListItemSchema),\n  total: z.number().int().nonnegative(),\n  totalPages: z.number().int().positive(),\n  isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\nconst routeMetadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.roles.list'] },\n  POST: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n}\n\nexport const metadata = routeMetadata\n\nconst rawBodySchema = z.object({}).passthrough()\ntype CrudInput = Record<string, unknown>\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n  metadata: routeMetadata,\n  orm: {\n    entity: Role,\n    idField: 'id',\n    orgField: null,\n    tenantField: null,\n    softDeleteField: 'deletedAt',\n  },\n  events: roleCrudEvents,\n  indexer: roleCrudIndexer,\n  actions: {\n    create: {\n      commandId: 'auth.roles.create',\n      schema: rawBodySchema,\n      mapInput: ({ parsed }) => parsed,\n      response: ({ result }) => ({ id: String(result.id) }),\n      status: 201,\n    },\n    update: {\n      commandId: 'auth.roles.update',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request && typeof parsed.id === 'string' && parsed.id.length) {\n          await assertCanModifySuperAdminRole(ctx.request, parsed.id)\n        }\n        return parsed\n      },\n      response: () => ({ ok: true }),\n    },\n    delete: {\n      commandId: 'auth.roles.delete',\n      response: () => ({ ok: true }),\n    },\n  },\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const url = new URL(req.url)\n  const parsed = querySchema.safeParse({\n    id: url.searchParams.get('id') || undefined,\n    page: url.searchParams.get('page') || undefined,\n    pageSize: url.searchParams.get('pageSize') || undefined,\n    search: url.searchParams.get('search') || undefined,\n    tenantId: url.searchParams.get('tenantId') || undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager)\n  let isSuperAdmin = false\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as any\n      const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n      isSuperAdmin = !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('roles: failed to resolve rbac', err)\n  }\n  const actorTenantId = auth.tenantId ? String(auth.tenantId) : null\n  if (!isSuperAdmin && !actorTenantId) {\n    return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n  }\n  let superAdminRoleIds: Set<string> | null = null\n  if (!isSuperAdmin && actorTenantId) {\n    const superAdminAcls = await findWithDecryption(em, RoleAcl, { tenantId: actorTenantId, isSuperAdmin: true }, {}, { tenantId: actorTenantId, organizationId: null })\n    if (superAdminAcls.length) {\n      superAdminRoleIds = new Set(\n        superAdminAcls\n          .map((acl) => {\n            const roleRef = acl.role\n            const idValue = roleRef?.id\n            return idValue ? String(idValue) : null\n          })\n          .filter((id): id is string => !!id),\n      )\n    } else {\n      superAdminRoleIds = new Set()\n    }\n  }\n  const { id, page, pageSize, search, tenantId: requestedTenantId } = parsed.data\n  const tenantFilter = isSuperAdmin && requestedTenantId ? String(requestedTenantId) : null\n  const filters: any[] = [{ deletedAt: null }]\n  if (id) filters.push({ id })\n  if (search) filters.push({ name: { $ilike: `%${escapeLikePattern(search)}%` } })\n  if (!isSuperAdmin && actorTenantId) {\n    filters.push({ tenantId: actorTenantId })\n    filters.push({ name: { $ne: 'superadmin' } })\n    if (superAdminRoleIds && superAdminRoleIds.size) {\n      filters.push({ id: { $nin: Array.from(superAdminRoleIds) } })\n    }\n  } else if (tenantFilter) {\n    filters.push({ tenantId: tenantFilter })\n  }\n  const where = filters.length > 1 ? { $and: filters } : filters[0]\n  const [rows, count] = await em.findAndCount(Role, where, { limit: pageSize, offset: (page - 1) * pageSize })\n  const roleIds = rows.map((r: any) => String(r.id))\n  const counts: Record<string, number> = {}\n  if (roleIds.length) {\n    const userRoleFilter: FilterQuery<UserRole> = { role: { $in: roleIds }, deletedAt: null }\n    const links = await findWithDecryption(em, UserRole, userRoleFilter, {}, { tenantId: null, organizationId: null })\n    for (const l of links) {\n      const rid = String((l as any).role?.id || (l as any).role)\n      counts[rid] = (counts[rid] || 0) + 1\n    }\n  }\n  const roleTenantIds = rows\n    .map((role: any) => (role.tenantId ? String(role.tenantId) : null))\n    .filter((tenantId): tenantId is string => typeof tenantId === 'string' && tenantId.length > 0)\n  const uniqueTenantIds = Array.from(new Set(roleTenantIds))\n  let tenantMap: Record<string, string> = {}\n  if (uniqueTenantIds.length) {\n    const tenants = await findWithDecryption(em, Tenant, { id: { $in: uniqueTenantIds as any }, deletedAt: null }, {}, { tenantId: null, organizationId: null })\n    tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n      const tid = tenant?.id ? String(tenant.id) : null\n      if (!tid) return acc\n      const rawName = (tenant as any)?.name\n      const name = typeof rawName === 'string' && rawName.length > 0 ? rawName : tid\n      acc[tid] = name\n      return acc\n    }, {})\n  }\n  const tenantByRole: Record<string, string | null> = {}\n  for (const role of rows) {\n    const rid = String(role.id)\n    tenantByRole[rid] = role.tenantId ? String(role.tenantId) : null\n  }\n  const tenantFallbacks = Array.from(new Set<string | null>([\n    auth.tenantId ?? null,\n    tenantFilter ?? null,\n    ...Object.values(tenantByRole),\n  ]))\n  const cfByRole = roleIds.length\n    ? await loadCustomFieldValues({\n        em,\n        entityId: E.auth.role,\n        recordIds: roleIds,\n        tenantIdByRecord: tenantByRole,\n        tenantFallbacks,\n      })\n    : {}\n  const items = rows.map((r: any) => {\n    const idStr = String(r.id)\n    const tenantId = tenantByRole[idStr]\n    const tenantName = tenantId ? tenantMap[tenantId] ?? tenantId : null\n    const exposeTenant = isSuperAdmin || (tenantId && auth.tenantId && tenantId === auth.tenantId)\n    return {\n      id: idStr,\n      name: String(r.name),\n      usersCount: counts[idStr] || 0,\n      tenantId: tenantId ?? null,\n      tenantIds: exposeTenant && tenantId ? [tenantId] : [],\n      tenantName: exposeTenant ? tenantName : null,\n      ...(cfByRole[idStr] || {}),\n    }\n  })\n  const totalPages = Math.max(1, Math.ceil(count / pageSize))\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items,\n    idField: 'id',\n    resourceKind: 'auth.role',\n    organizationId: null,\n    tenantId: auth.tenantId ?? null,\n    query: parsed.data,\n    accessType: id ? 'read:item' : undefined,\n  })\n  return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = crud.POST\nexport const PUT = crud.PUT\nexport const DELETE = async (req: Request) => {\n  const targetId = new URL(req.url).searchParams.get('id')\n  if (targetId) {\n    try {\n      await assertCanModifySuperAdminRole(req, targetId)\n    } catch (err) {\n      if (err instanceof CrudHttpError) {\n        return NextResponse.json(err.body, { status: err.status })\n      }\n      throw err\n    }\n  }\n  return crud.DELETE(req)\n}\n\nasync function assertCanModifySuperAdminRole(req: Request, targetRoleId: string) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  await assertActorCanModifySuperAdminRoleTarget({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    targetRoleId,\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Role management',\n  methods: {\n    GET: {\n      summary: 'List roles',\n      description:\n        'Returns available roles within the current tenant. Super administrators receive visibility across tenants.',\n      query: querySchema,\n      responses: [\n        { status: 200, description: 'Role collection', schema: roleListResponseSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create role',\n      description: 'Creates a new role for the current tenant or globally when `tenantId` is omitted.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: roleCreateSchema,\n      },\n      responses: [\n        {\n          status: 201,\n          description: 'Role created',\n          schema: z.object({ id: z.string().uuid() }),\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update role',\n      description: 'Updates mutable fields on an existing role.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: roleUpdateSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Role updated',\n          schema: okResponseSchema,\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'Role not found', schema: errorResponseSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete role',\n      description: 'Deletes a role by identifier. Fails when users remain assigned.',\n      query: z.object({ id: z.string().uuid().describe('Role identifier') }),\n      responses: [\n        { status: 200, description: 'Role deleted', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Role cannot be deleted', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'Role not found', schema: errorResponseSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,qBAAqB;AAC9B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,SAAS,gBAAgB;AACxC,SAAS,cAAc;AACvB,SAAS,SAAS;AAClB,SAAS,6BAA6B;AACtC,SAAS,0BAA0B;AAEnC,SAAS,gBAAgB,uBAAuB;AAChD,SAAS,yBAAyB;AAClC,SAAS,gDAAgD;AAGzD,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC,EAAE,YAAY;AAEf,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAAA,EAC/B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1C,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACzC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAC/C,YAAY,EAAE,OAAO,EAAE,SAAS;AAClC,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAE1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EACjE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAG/C,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,CAAC,EAAE,OAAO,MAAM;AAAA,MAC1B,UAAU,CAAC,EAAE,OAAO,OAAO,EAAE,IAAI,OAAO,OAAO,EAAE,EAAE;AAAA,MACnD,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,WAAW,OAAO,OAAO,OAAO,YAAY,OAAO,GAAG,QAAQ;AACpE,gBAAM,8BAA8B,IAAI,SAAS,OAAO,EAAE;AAAA,QAC5D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,EAChD,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,gBAAgB,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAC9D,MAAI,CAAC,gBAAgB,CAAC,eAAe;AACnC,WAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,EAC/E;AACA,MAAI,oBAAwC;AAC5C,MAAI,CAAC,gBAAgB,eAAe;AAClC,UAAM,iBAAiB,MAAM,mBAAmB,IAAI,SAAS,EAAE,UAAU,eAAe,cAAc,KAAK,GAAG,CAAC,GAAG,EAAE,UAAU,eAAe,gBAAgB,KAAK,CAAC;AACnK,QAAI,eAAe,QAAQ;AACzB,0BAAoB,IAAI;AAAA,QACtB,eACG,IAAI,CAAC,QAAQ;AACZ,gBAAM,UAAU,IAAI;AACpB,gBAAM,UAAU,SAAS;AACzB,iBAAO,UAAU,OAAO,OAAO,IAAI;AAAA,QACrC,CAAC,EACA,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AAAA,MACtC;AAAA,IACF,OAAO;AACL,0BAAoB,oBAAI,IAAI;AAAA,IAC9B;AAAA,EACF;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,UAAU,kBAAkB,IAAI,OAAO;AAC3E,QAAM,eAAe,gBAAgB,oBAAoB,OAAO,iBAAiB,IAAI;AACrF,QAAM,UAAiB,CAAC,EAAE,WAAW,KAAK,CAAC;AAC3C,MAAI,GAAI,SAAQ,KAAK,EAAE,GAAG,CAAC;AAC3B,MAAI,OAAQ,SAAQ,KAAK,EAAE,MAAM,EAAE,QAAQ,IAAI,kBAAkB,MAAM,CAAC,IAAI,EAAE,CAAC;AAC/E,MAAI,CAAC,gBAAgB,eAAe;AAClC,YAAQ,KAAK,EAAE,UAAU,cAAc,CAAC;AACxC,YAAQ,KAAK,EAAE,MAAM,EAAE,KAAK,aAAa,EAAE,CAAC;AAC5C,QAAI,qBAAqB,kBAAkB,MAAM;AAC/C,cAAQ,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,KAAK,iBAAiB,EAAE,EAAE,CAAC;AAAA,IAC9D;AAAA,EACF,WAAW,cAAc;AACvB,YAAQ,KAAK,EAAE,UAAU,aAAa,CAAC;AAAA,EACzC;AACA,QAAM,QAAQ,QAAQ,SAAS,IAAI,EAAE,MAAM,QAAQ,IAAI,QAAQ,CAAC;AAChE,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,OAAO,EAAE,EAAE,CAAC;AACjD,QAAM,SAAiC,CAAC;AACxC,MAAI,QAAQ,QAAQ;AAClB,UAAM,iBAAwC,EAAE,MAAM,EAAE,KAAK,QAAQ,GAAG,WAAW,KAAK;AACxF,UAAM,QAAQ,MAAM,mBAAmB,IAAI,UAAU,gBAAgB,CAAC,GAAG,EAAE,UAAU,MAAM,gBAAgB,KAAK,CAAC;AACjH,eAAW,KAAK,OAAO;AACrB,YAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,aAAO,GAAG,KAAK,OAAO,GAAG,KAAK,KAAK;AAAA,IACrC;AAAA,EACF;AACA,QAAM,gBAAgB,KACnB,IAAI,CAAC,SAAe,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,IAAK,EACjE,OAAO,CAAC,aAAiC,OAAO,aAAa,YAAY,SAAS,SAAS,CAAC;AAC/F,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC;AACzD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,mBAAmB,IAAI,QAAQ,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK,GAAG,CAAC,GAAG,EAAE,UAAU,MAAM,gBAAgB,KAAK,CAAC;AAC3J,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,MAAM,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAC7C,UAAI,CAAC,IAAK,QAAO;AACjB,YAAM,UAAW,QAAgB;AACjC,YAAM,OAAO,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC3E,UAAI,GAAG,IAAI;AACX,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,OAAO,KAAK,EAAE;AAC1B,iBAAa,GAAG,IAAI,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,EAC9D;AACA,QAAM,kBAAkB,MAAM,KAAK,oBAAI,IAAmB;AAAA,IACxD,KAAK,YAAY;AAAA,IACjB,gBAAgB;AAAA,IAChB,GAAG,OAAO,OAAO,YAAY;AAAA,EAC/B,CAAC,CAAC;AACF,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB;AAAA,EACF,CAAC,IACD,CAAC;AACL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,QAAQ,OAAO,EAAE,EAAE;AACzB,UAAM,WAAW,aAAa,KAAK;AACnC,UAAM,aAAa,WAAW,UAAU,QAAQ,KAAK,WAAW;AAChE,UAAM,eAAe,gBAAiB,YAAY,KAAK,YAAY,aAAa,KAAK;AACrF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,MAAM,OAAO,EAAE,IAAI;AAAA,MACnB,YAAY,OAAO,KAAK,KAAK;AAAA,MAC7B,UAAU,YAAY;AAAA,MACtB,WAAW,gBAAgB,WAAW,CAAC,QAAQ,IAAI,CAAC;AAAA,MACpD,YAAY,eAAe,aAAa;AAAA,MACxC,GAAI,SAAS,KAAK,KAAK,CAAC;AAAA,IAC1B;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,KAAK;AAClB,MAAM,MAAM,KAAK;AACjB,MAAM,SAAS,OAAO,QAAiB;AAC5C,QAAM,WAAW,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,IAAI,IAAI;AACvD,MAAI,UAAU;AACZ,QAAI;AACF,YAAM,8BAA8B,KAAK,QAAQ;AAAA,IACnD,SAAS,KAAK;AACZ,UAAI,eAAe,eAAe;AAChC,eAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,MAC3D;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACA,SAAO,KAAK,OAAO,GAAG;AACxB;AAEA,eAAe,8BAA8B,KAAc,cAAsB;AAC/E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,yCAAyC;AAAA,IAC7C;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,MAC1E;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { Role, RoleAcl, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { roleCrudEvents, roleCrudIndexer } from '@open-mercato/core/modules/auth/commands/roles'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { assertActorCanModifySuperAdminRoleTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\n\nconst querySchema = z.object({\n  id: z.string().uuid().optional(),\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(50),\n  search: z.string().optional(),\n  tenantId: z.string().uuid().optional(),\n}).passthrough()\n\nconst roleCreateSchema = z.object({\n  name: z.string().min(2).max(100),\n  tenantId: z.string().uuid().optional(),\n})\n\nconst roleUpdateSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string().min(2).max(100).optional(),\n  tenantId: z.string().uuid().optional(),\n})\n\nconst roleListItemSchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  usersCount: z.number().int().nonnegative(),\n  tenantId: z.string().uuid().nullable(),\n  tenantIds: z.array(z.string().uuid()).optional(),\n  tenantName: z.string().nullable(),\n  updatedAt: z.string().nullable().optional(),\n})\n\nconst roleListResponseSchema = z.object({\n  items: z.array(roleListItemSchema),\n  total: z.number().int().nonnegative(),\n  totalPages: z.number().int().positive(),\n  isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\nconst routeMetadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.roles.list'] },\n  POST: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.roles.manage'] },\n}\n\nexport const metadata = routeMetadata\n\nconst rawBodySchema = z.object({}).passthrough()\ntype CrudInput = Record<string, unknown>\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n  metadata: routeMetadata,\n  orm: {\n    entity: Role,\n    idField: 'id',\n    orgField: null,\n    tenantField: null,\n    softDeleteField: 'deletedAt',\n  },\n  events: roleCrudEvents,\n  indexer: roleCrudIndexer,\n  actions: {\n    create: {\n      commandId: 'auth.roles.create',\n      schema: rawBodySchema,\n      mapInput: ({ parsed }) => parsed,\n      response: ({ result }) => ({ id: String(result.id) }),\n      status: 201,\n    },\n    update: {\n      commandId: 'auth.roles.update',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request && typeof parsed.id === 'string' && parsed.id.length) {\n          await assertCanModifySuperAdminRole(ctx.request, parsed.id)\n        }\n        return parsed\n      },\n      response: () => ({ ok: true }),\n    },\n    delete: {\n      commandId: 'auth.roles.delete',\n      response: () => ({ ok: true }),\n    },\n  },\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const url = new URL(req.url)\n  const parsed = querySchema.safeParse({\n    id: url.searchParams.get('id') || undefined,\n    page: url.searchParams.get('page') || undefined,\n    pageSize: url.searchParams.get('pageSize') || undefined,\n    search: url.searchParams.get('search') || undefined,\n    tenantId: url.searchParams.get('tenantId') || undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager)\n  let isSuperAdmin = false\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as any\n      const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n      isSuperAdmin = !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('roles: failed to resolve rbac', err)\n  }\n  const actorTenantId = auth.tenantId ? String(auth.tenantId) : null\n  if (!isSuperAdmin && !actorTenantId) {\n    return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n  }\n  let superAdminRoleIds: Set<string> | null = null\n  if (!isSuperAdmin && actorTenantId) {\n    const superAdminAcls = await findWithDecryption(em, RoleAcl, { tenantId: actorTenantId, isSuperAdmin: true }, {}, { tenantId: actorTenantId, organizationId: null })\n    if (superAdminAcls.length) {\n      superAdminRoleIds = new Set(\n        superAdminAcls\n          .map((acl) => {\n            const roleRef = acl.role\n            const idValue = roleRef?.id\n            return idValue ? String(idValue) : null\n          })\n          .filter((id): id is string => !!id),\n      )\n    } else {\n      superAdminRoleIds = new Set()\n    }\n  }\n  const { id, page, pageSize, search, tenantId: requestedTenantId } = parsed.data\n  const tenantFilter = isSuperAdmin && requestedTenantId ? String(requestedTenantId) : null\n  const filters: any[] = [{ deletedAt: null }]\n  if (id) filters.push({ id })\n  if (search) filters.push({ name: { $ilike: `%${escapeLikePattern(search)}%` } })\n  if (!isSuperAdmin && actorTenantId) {\n    filters.push({ tenantId: actorTenantId })\n    filters.push({ name: { $ne: 'superadmin' } })\n    if (superAdminRoleIds && superAdminRoleIds.size) {\n      filters.push({ id: { $nin: Array.from(superAdminRoleIds) } })\n    }\n  } else if (tenantFilter) {\n    filters.push({ tenantId: tenantFilter })\n  }\n  const where = filters.length > 1 ? { $and: filters } : filters[0]\n  const [rows, count] = await em.findAndCount(Role, where, { limit: pageSize, offset: (page - 1) * pageSize })\n  const roleIds = rows.map((r: any) => String(r.id))\n  const counts: Record<string, number> = {}\n  if (roleIds.length) {\n    const userRoleFilter: FilterQuery<UserRole> = { role: { $in: roleIds }, deletedAt: null }\n    const links = await findWithDecryption(em, UserRole, userRoleFilter, {}, { tenantId: null, organizationId: null })\n    for (const l of links) {\n      const rid = String((l as any).role?.id || (l as any).role)\n      counts[rid] = (counts[rid] || 0) + 1\n    }\n  }\n  const roleTenantIds = rows\n    .map((role: any) => (role.tenantId ? String(role.tenantId) : null))\n    .filter((tenantId): tenantId is string => typeof tenantId === 'string' && tenantId.length > 0)\n  const uniqueTenantIds = Array.from(new Set(roleTenantIds))\n  let tenantMap: Record<string, string> = {}\n  if (uniqueTenantIds.length) {\n    const tenants = await findWithDecryption(em, Tenant, { id: { $in: uniqueTenantIds as any }, deletedAt: null }, {}, { tenantId: null, organizationId: null })\n    tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n      const tid = tenant?.id ? String(tenant.id) : null\n      if (!tid) return acc\n      const rawName = (tenant as any)?.name\n      const name = typeof rawName === 'string' && rawName.length > 0 ? rawName : tid\n      acc[tid] = name\n      return acc\n    }, {})\n  }\n  const tenantByRole: Record<string, string | null> = {}\n  for (const role of rows) {\n    const rid = String(role.id)\n    tenantByRole[rid] = role.tenantId ? String(role.tenantId) : null\n  }\n  const tenantFallbacks = Array.from(new Set<string | null>([\n    auth.tenantId ?? null,\n    tenantFilter ?? null,\n    ...Object.values(tenantByRole),\n  ]))\n  const cfByRole = roleIds.length\n    ? await loadCustomFieldValues({\n        em,\n        entityId: E.auth.role,\n        recordIds: roleIds,\n        tenantIdByRecord: tenantByRole,\n        tenantFallbacks,\n      })\n    : {}\n  const items = rows.map((r: any) => {\n    const idStr = String(r.id)\n    const tenantId = tenantByRole[idStr]\n    const tenantName = tenantId ? tenantMap[tenantId] ?? tenantId : null\n    const exposeTenant = isSuperAdmin || (tenantId && auth.tenantId && tenantId === auth.tenantId)\n    return {\n      id: idStr,\n      name: String(r.name),\n      usersCount: counts[idStr] || 0,\n      tenantId: tenantId ?? null,\n      tenantIds: exposeTenant && tenantId ? [tenantId] : [],\n      tenantName: exposeTenant ? tenantName : null,\n      updatedAt: r.updatedAt instanceof Date ? r.updatedAt.toISOString() : null,\n      ...(cfByRole[idStr] || {}),\n    }\n  })\n  const totalPages = Math.max(1, Math.ceil(count / pageSize))\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items,\n    idField: 'id',\n    resourceKind: 'auth.role',\n    organizationId: null,\n    tenantId: auth.tenantId ?? null,\n    query: parsed.data,\n    accessType: id ? 'read:item' : undefined,\n  })\n  return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = crud.POST\nexport const PUT = crud.PUT\nexport const DELETE = async (req: Request) => {\n  const targetId = new URL(req.url).searchParams.get('id')\n  if (targetId) {\n    try {\n      await assertCanModifySuperAdminRole(req, targetId)\n    } catch (err) {\n      if (err instanceof CrudHttpError) {\n        return NextResponse.json(err.body, { status: err.status })\n      }\n      throw err\n    }\n  }\n  return crud.DELETE(req)\n}\n\nasync function assertCanModifySuperAdminRole(req: Request, targetRoleId: string) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  await assertActorCanModifySuperAdminRoleTarget({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    targetRoleId,\n  })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Role management',\n  methods: {\n    GET: {\n      summary: 'List roles',\n      description:\n        'Returns available roles within the current tenant. Super administrators receive visibility across tenants.',\n      query: querySchema,\n      responses: [\n        { status: 200, description: 'Role collection', schema: roleListResponseSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create role',\n      description: 'Creates a new role for the current tenant or globally when `tenantId` is omitted.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: roleCreateSchema,\n      },\n      responses: [\n        {\n          status: 201,\n          description: 'Role created',\n          schema: z.object({ id: z.string().uuid() }),\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update role',\n      description: 'Updates mutable fields on an existing role.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: roleUpdateSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Role updated',\n          schema: okResponseSchema,\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'Role not found', schema: errorResponseSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete role',\n      description: 'Deletes a role by identifier. Fails when users remain assigned.',\n      query: z.object({ id: z.string().uuid().describe('Role identifier') }),\n      responses: [\n        { status: 200, description: 'Role deleted', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Role cannot be deleted', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'Role not found', schema: errorResponseSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,qBAAqB;AAC9B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,SAAS,gBAAgB;AACxC,SAAS,cAAc;AACvB,SAAS,SAAS;AAClB,SAAS,6BAA6B;AACtC,SAAS,0BAA0B;AAEnC,SAAS,gBAAgB,uBAAuB;AAChD,SAAS,yBAAyB;AAClC,SAAS,gDAAgD;AAGzD,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC,EAAE,YAAY;AAEf,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAAA,EAC/B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC1C,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AACvC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACzC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAC/C,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC5C,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAE1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EACjE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAG/C,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,CAAC,EAAE,OAAO,MAAM;AAAA,MAC1B,UAAU,CAAC,EAAE,OAAO,OAAO,EAAE,IAAI,OAAO,OAAO,EAAE,EAAE;AAAA,MACnD,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,WAAW,OAAO,OAAO,OAAO,YAAY,OAAO,GAAG,QAAQ;AACpE,gBAAM,8BAA8B,IAAI,SAAS,OAAO,EAAE;AAAA,QAC5D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,EAChD,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe;AACnB,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,CAAC,CAAC,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,gBAAgB,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAC9D,MAAI,CAAC,gBAAgB,CAAC,eAAe;AACnC,WAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,EAC/E;AACA,MAAI,oBAAwC;AAC5C,MAAI,CAAC,gBAAgB,eAAe;AAClC,UAAM,iBAAiB,MAAM,mBAAmB,IAAI,SAAS,EAAE,UAAU,eAAe,cAAc,KAAK,GAAG,CAAC,GAAG,EAAE,UAAU,eAAe,gBAAgB,KAAK,CAAC;AACnK,QAAI,eAAe,QAAQ;AACzB,0BAAoB,IAAI;AAAA,QACtB,eACG,IAAI,CAAC,QAAQ;AACZ,gBAAM,UAAU,IAAI;AACpB,gBAAM,UAAU,SAAS;AACzB,iBAAO,UAAU,OAAO,OAAO,IAAI;AAAA,QACrC,CAAC,EACA,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AAAA,MACtC;AAAA,IACF,OAAO;AACL,0BAAoB,oBAAI,IAAI;AAAA,IAC9B;AAAA,EACF;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,UAAU,kBAAkB,IAAI,OAAO;AAC3E,QAAM,eAAe,gBAAgB,oBAAoB,OAAO,iBAAiB,IAAI;AACrF,QAAM,UAAiB,CAAC,EAAE,WAAW,KAAK,CAAC;AAC3C,MAAI,GAAI,SAAQ,KAAK,EAAE,GAAG,CAAC;AAC3B,MAAI,OAAQ,SAAQ,KAAK,EAAE,MAAM,EAAE,QAAQ,IAAI,kBAAkB,MAAM,CAAC,IAAI,EAAE,CAAC;AAC/E,MAAI,CAAC,gBAAgB,eAAe;AAClC,YAAQ,KAAK,EAAE,UAAU,cAAc,CAAC;AACxC,YAAQ,KAAK,EAAE,MAAM,EAAE,KAAK,aAAa,EAAE,CAAC;AAC5C,QAAI,qBAAqB,kBAAkB,MAAM;AAC/C,cAAQ,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,KAAK,iBAAiB,EAAE,EAAE,CAAC;AAAA,IAC9D;AAAA,EACF,WAAW,cAAc;AACvB,YAAQ,KAAK,EAAE,UAAU,aAAa,CAAC;AAAA,EACzC;AACA,QAAM,QAAQ,QAAQ,SAAS,IAAI,EAAE,MAAM,QAAQ,IAAI,QAAQ,CAAC;AAChE,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,OAAO,EAAE,EAAE,CAAC;AACjD,QAAM,SAAiC,CAAC;AACxC,MAAI,QAAQ,QAAQ;AAClB,UAAM,iBAAwC,EAAE,MAAM,EAAE,KAAK,QAAQ,GAAG,WAAW,KAAK;AACxF,UAAM,QAAQ,MAAM,mBAAmB,IAAI,UAAU,gBAAgB,CAAC,GAAG,EAAE,UAAU,MAAM,gBAAgB,KAAK,CAAC;AACjH,eAAW,KAAK,OAAO;AACrB,YAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,aAAO,GAAG,KAAK,OAAO,GAAG,KAAK,KAAK;AAAA,IACrC;AAAA,EACF;AACA,QAAM,gBAAgB,KACnB,IAAI,CAAC,SAAe,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI,IAAK,EACjE,OAAO,CAAC,aAAiC,OAAO,aAAa,YAAY,SAAS,SAAS,CAAC;AAC/F,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,aAAa,CAAC;AACzD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,mBAAmB,IAAI,QAAQ,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK,GAAG,CAAC,GAAG,EAAE,UAAU,MAAM,gBAAgB,KAAK,CAAC;AAC3J,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,MAAM,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAC7C,UAAI,CAAC,IAAK,QAAO;AACjB,YAAM,UAAW,QAAgB;AACjC,YAAM,OAAO,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC3E,UAAI,GAAG,IAAI;AACX,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,aAAW,QAAQ,MAAM;AACvB,UAAM,MAAM,OAAO,KAAK,EAAE;AAC1B,iBAAa,GAAG,IAAI,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,EAC9D;AACA,QAAM,kBAAkB,MAAM,KAAK,oBAAI,IAAmB;AAAA,IACxD,KAAK,YAAY;AAAA,IACjB,gBAAgB;AAAA,IAChB,GAAG,OAAO,OAAO,YAAY;AAAA,EAC/B,CAAC,CAAC;AACF,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW;AAAA,IACX,kBAAkB;AAAA,IAClB;AAAA,EACF,CAAC,IACD,CAAC;AACL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,QAAQ,OAAO,EAAE,EAAE;AACzB,UAAM,WAAW,aAAa,KAAK;AACnC,UAAM,aAAa,WAAW,UAAU,QAAQ,KAAK,WAAW;AAChE,UAAM,eAAe,gBAAiB,YAAY,KAAK,YAAY,aAAa,KAAK;AACrF,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,MAAM,OAAO,EAAE,IAAI;AAAA,MACnB,YAAY,OAAO,KAAK,KAAK;AAAA,MAC7B,UAAU,YAAY;AAAA,MACtB,WAAW,gBAAgB,WAAW,CAAC,QAAQ,IAAI,CAAC;AAAA,MACpD,YAAY,eAAe,aAAa;AAAA,MACxC,WAAW,EAAE,qBAAqB,OAAO,EAAE,UAAU,YAAY,IAAI;AAAA,MACrE,GAAI,SAAS,KAAK,KAAK,CAAC;AAAA,IAC1B;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,KAAK;AAClB,MAAM,MAAM,KAAK;AACjB,MAAM,SAAS,OAAO,QAAiB;AAC5C,QAAM,WAAW,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,IAAI,IAAI;AACvD,MAAI,UAAU;AACZ,QAAI;AACF,YAAM,8BAA8B,KAAK,QAAQ;AAAA,IACnD,SAAS,KAAK;AACZ,UAAI,eAAe,eAAe;AAChC,eAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,MAC3D;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACA,SAAO,KAAK,OAAO,GAAG;AACxB;AAEA,eAAe,8BAA8B,KAAc,cAAsB;AAC/E,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,yCAAyC;AAAA,IAC7C;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,MAC1E;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
   "names": ["id"]
 }

package/dist/modules/auth/api/sidebar/preferences/route.js CHANGED Viewed

@@ -8,13 +8,17 @@ import {
   sidebarPreferencesScopeSchema
 } from "../../../data/validators.js";
 import {
+  loadRoleSidebarPreferenceUpdatedAt,
   loadRoleSidebarPreferences,
   loadSidebarPreference,
+  loadSidebarPreferenceUpdatedAt,
   saveRoleSidebarPreference,
   saveSidebarPreference
 } from "../../../services/sidebarPreferencesService.js";
 import { SIDEBAR_PREFERENCES_VERSION } from "@open-mercato/shared/modules/navigation/sidebarPreferences";
 import { withAtomicFlush } from "@open-mercato/shared/lib/commands/flush";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
+import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
 import { Role, RoleSidebarPreference } from "../../../data/entities.js";
 import { z } from "zod";
 const metadata = {
@@ -40,7 +44,8 @@ const sidebarPreferencesResponseSchema = z.object({
   settings: sidebarSettingsSchema,
   canApplyToRoles: z.boolean(),
   roles: z.array(sidebarRoleEntrySchema),
-  scope: sidebarPreferencesScopeSchema
+  scope: sidebarPreferencesScopeSchema,
+  updatedAt: z.string().datetime().nullable()
 });
 const sidebarPreferencesUpdateResponseSchema = sidebarPreferencesResponseSchema.extend({
   appliedRoles: z.array(z.string().uuid()),
@@ -127,6 +132,11 @@ async function GET(req) {
     });
     const pref = rolePrefs.get(role.id) ?? null;
     const rolesPayload2 = await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale });
+    const roleVersion = await loadRoleSidebarPreferenceUpdatedAt(em, {
+      roleId: role.id,
+      tenantId: auth.tenantId ?? null,
+      locale
+    });
     return NextResponse.json({
       locale,
       settings: pref ? {
@@ -139,7 +149,8 @@ async function GET(req) {
       } : emptySettings(),
       canApplyToRoles,
       roles: rolesPayload2,
-      scope: { type: "role", roleId: role.id }
+      scope: { type: "role", roleId: role.id },
+      updatedAt: roleVersion?.updatedAt ? roleVersion.updatedAt.toISOString() : null
     });
   }
   const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub;
@@ -150,6 +161,12 @@ async function GET(req) {
     locale
   }) : null;
   const rolesPayload = canApplyToRoles ? await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale }) : [];
+  const userVersion = effectiveUserId ? await loadSidebarPreferenceUpdatedAt(em, {
+    userId: effectiveUserId,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale
+  }) : null;
   return NextResponse.json({
     locale,
     settings: {
@@ -162,7 +179,8 @@ async function GET(req) {
     },
     canApplyToRoles,
     roles: rolesPayload,
-    scope: { type: "user" }
+    scope: { type: "user" },
+    updatedAt: userVersion?.updatedAt ? userVersion.updatedAt.toISOString() : null
   });
 }
 async function PUT(req) {
@@ -257,11 +275,34 @@ async function PUT(req) {
     if (!role) {
       return NextResponse.json({ error: "Role not found" }, { status: 404 });
     }
+    const existingRolePref = await loadRoleSidebarPreferenceUpdatedAt(em, {
+      roleId: role.id,
+      tenantId: auth.tenantId ?? null,
+      locale
+    });
+    if (existingRolePref) {
+      try {
+        enforceCommandOptimisticLock({
+          resourceKind: "auth.role_sidebar_preference",
+          resourceId: existingRolePref.id,
+          current: existingRolePref.updatedAt ?? null,
+          request: req
+        });
+      } catch (err) {
+        if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+        throw err;
+      }
+    }
     const saved = await saveRoleSidebarPreference(em, {
       roleId: role.id,
       tenantId: auth.tenantId ?? null,
       locale
     }, payload);
+    const savedRoleVersion = await loadRoleSidebarPreferenceUpdatedAt(em, {
+      roleId: role.id,
+      tenantId: auth.tenantId ?? null,
+      locale
+    });
     if (cache?.deleteByTags) {
       try {
         await cache.deleteByTags([`nav:sidebar:role:${role.id}`]);
@@ -282,6 +323,7 @@ async function PUT(req) {
       canApplyToRoles,
       roles: rolesPayload2,
       scope: { type: "role", roleId: role.id },
+      updatedAt: savedRoleVersion?.updatedAt ? savedRoleVersion.updatedAt.toISOString() : null,
       appliedRoles: [],
       clearedRoles: []
     });
@@ -293,6 +335,25 @@ async function PUT(req) {
   if ((applyToRoles.length > 0 || clearRoleIds.length > 0) && !canApplyToRoles) {
     return NextResponse.json({ error: "Forbidden", requiredFeatures: [FEATURE_MANAGE] }, { status: 403 });
   }
+  const existingUserPref = await loadSidebarPreferenceUpdatedAt(em, {
+    userId: effectiveUserId,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale
+  });
+  if (existingUserPref) {
+    try {
+      enforceCommandOptimisticLock({
+        resourceKind: "auth.sidebar_preference",
+        resourceId: existingUserPref.id,
+        current: existingUserPref.updatedAt ?? null,
+        request: req
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  }
   const settings = await saveSidebarPreference(em, {
     userId: effectiveUserId,
     tenantId: auth.tenantId ?? null,
@@ -367,12 +428,19 @@ async function PUT(req) {
       hasPreference: rolePrefs.has(role.id)
     }));
   }
+  const savedUserVersion = await loadSidebarPreferenceUpdatedAt(em, {
+    userId: effectiveUserId,
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    locale
+  });
   return NextResponse.json({
     locale,
     settings,
     canApplyToRoles,
     roles: rolesPayload,
     scope: { type: "user" },
+    updatedAt: savedUserVersion?.updatedAt ? savedUserVersion.updatedAt.toISOString() : null,
     appliedRoles: updatedRoleIds,
     clearedRoles: filteredClearRoleIds
   });