npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4544.1.71c003c861 - Mend

@open-mercato/core 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4544.1.71c003c861

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (633) hide show

package/dist/modules/auth/api/sidebar/preferences/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/sidebar/preferences/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport {\n  sidebarPreferencesInputSchema,\n  sidebarPreferencesScopeSchema,\n} from '../../../data/validators'\nimport {\n  loadRoleSidebarPreferences,\n  loadSidebarPreference,\n  saveRoleSidebarPreference,\n  saveSidebarPreference,\n} from '../../../services/sidebarPreferencesService'\nimport { SIDEBAR_PREFERENCES_VERSION } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { Role, RoleSidebarPreference } from '../../../data/entities'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { z } from 'zod'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  PUT: { requireAuth: true, requireFeatures: ['auth.sidebar.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.sidebar.manage'] },\n}\n\nconst sidebarSettingsSchema = z.object({\n  version: z.number().int().positive(),\n  groupOrder: z.array(z.string()),\n  groupLabels: z.record(z.string(), z.string()),\n  itemLabels: z.record(z.string(), z.string()),\n  hiddenItems: z.array(z.string()),\n  itemOrder: z.record(z.string(), z.array(z.string())),\n})\n\nconst sidebarRoleEntrySchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  hasPreference: z.boolean(),\n})\n\nconst sidebarPreferencesResponseSchema = z.object({\n  locale: z.string(),\n  settings: sidebarSettingsSchema,\n  canApplyToRoles: z.boolean(),\n  roles: z.array(sidebarRoleEntrySchema),\n  scope: sidebarPreferencesScopeSchema,\n})\n\nconst sidebarPreferencesUpdateResponseSchema = sidebarPreferencesResponseSchema.extend({\n  appliedRoles: z.array(z.string().uuid()),\n  clearedRoles: z.array(z.string().uuid()),\n})\n\nconst sidebarPreferencesDeleteResponseSchema = z.object({\n  ok: z.literal(true),\n  scope: sidebarPreferencesScopeSchema,\n})\n\nconst sidebarErrorSchema = z.object({\n  error: z.string(),\n})\n\nconst FEATURE_MANAGE = 'auth.sidebar.manage'\n\ntype EmptySettings = {\n  version: number\n  groupOrder: string[]\n  groupLabels: Record<string, string>\n  itemLabels: Record<string, string>\n  hiddenItems: string[]\n  itemOrder: Record<string, string[]>\n}\n\nfunction emptySettings(): EmptySettings {\n  return {\n    version: SIDEBAR_PREFERENCES_VERSION,\n    groupOrder: [],\n    groupLabels: {},\n    itemLabels: {},\n    hiddenItems: [],\n    itemOrder: {},\n  }\n}\n\nasync function loadRolesPayload(\n  em: EntityManager,\n  options: { tenantId: string | null; locale: string },\n): Promise<Array<{ id: string; name: string; hasPreference: boolean }>> {\n  const roleScope: FilterQuery<Role> = options.tenantId\n    ? { $or: [{ tenantId: options.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const roles = await findWithDecryption(\n    em,\n    Role,\n    roleScope,\n    { orderBy: { name: 'asc' } },\n    { tenantId: options.tenantId, organizationId: null },\n  )\n  if (roles.length === 0) return []\n  const rolePrefs = await loadRoleSidebarPreferences(em, {\n    roleIds: roles.map((r: Role) => r.id),\n    tenantId: options.tenantId,\n    locale: options.locale,\n  })\n  return roles.map((role: Role) => ({\n    id: role.id,\n    name: role.name,\n    hasPreference: rolePrefs.has(role.id),\n  }))\n}\n\nasync function findRoleInScope(\n  em: EntityManager,\n  options: { roleId: string; tenantId: string | null },\n): Promise<Role | null> {\n  const role = await findOneWithDecryption(\n    em,\n    Role,\n    { id: options.roleId },\n    undefined,\n    { tenantId: options.tenantId, organizationId: null },\n  )\n  if (!role) return null\n  // Cross-tenant guard: a role belongs to either the auth tenant or the global (null tenant) pool.\n  // Reject the lookup otherwise so a multi-tenant deployment can't leak across tenants.\n  if (role.tenantId && options.tenantId && role.tenantId !== options.tenantId) return null\n  if (role.tenantId && !options.tenantId) return null\n  return role\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const url = new URL(req.url)\n  const roleIdParam = url.searchParams.get('roleId')\n\n  const { locale } = await resolveTranslations()\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  const rbac = resolve('rbacService') as any\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  // Role-scoped read: requires `auth.sidebar.manage`.\n  if (roleIdParam) {\n    if (!canApplyToRoles) {\n      return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n    }\n    const role = await findRoleInScope(em, { roleId: roleIdParam, tenantId: auth.tenantId ?? null })\n    if (!role) {\n      return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n    }\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: [role.id],\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    const pref = rolePrefs.get(role.id) ?? null\n    const rolesPayload = await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    return NextResponse.json({\n      locale,\n      settings: pref\n        ? {\n            version: pref.version ?? SIDEBAR_PREFERENCES_VERSION,\n            groupOrder: pref.groupOrder ?? [],\n            groupLabels: pref.groupLabels ?? {},\n            itemLabels: pref.itemLabels ?? {},\n            hiddenItems: pref.hiddenItems ?? [],\n            itemOrder: pref.itemOrder ?? {},\n          }\n        : emptySettings(),\n      canApplyToRoles,\n      roles: rolesPayload,\n      scope: { type: 'role', roleId: role.id },\n    })\n  }\n\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  const settings = effectiveUserId\n    ? await loadSidebarPreference(em, {\n        userId: effectiveUserId,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        locale,\n      })\n    : null\n\n  const rolesPayload = canApplyToRoles\n    ? await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    : []\n\n  return NextResponse.json({\n    locale,\n    settings: {\n      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,\n      groupOrder: settings?.groupOrder ?? [],\n      groupLabels: settings?.groupLabels ?? {},\n      itemLabels: settings?.itemLabels ?? {},\n      hiddenItems: settings?.hiddenItems ?? [],\n      itemOrder: settings?.itemOrder ?? {},\n    },\n    canApplyToRoles,\n    roles: rolesPayload,\n    scope: { type: 'user' },\n  })\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  if (!effectiveUserId) {\n    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })\n  }\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n  }\n\n  const parsed = sidebarPreferencesInputSchema.safeParse(parsedBody)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload', details: parsed.error.flatten() }, { status: 400 })\n  }\n\n  const sanitizeRecord = (record?: Record<string, string>) => {\n    if (!record) return {}\n    const result: Record<string, string> = {}\n    for (const [key, value] of Object.entries(record)) {\n      const trimmedKey = key.trim()\n      const trimmedValue = value.trim()\n      if (!trimmedKey || !trimmedValue) continue\n      result[trimmedKey] = trimmedValue\n    }\n    return result\n  }\n\n  const groupOrderSource = parsed.data.groupOrder ?? []\n  const seen = new Set<string>()\n  const groupOrder: string[] = []\n  for (const id of groupOrderSource) {\n    const trimmed = id.trim()\n    if (!trimmed || seen.has(trimmed)) continue\n    seen.add(trimmed)\n    groupOrder.push(trimmed)\n  }\n\n  const payload = {\n    version: parsed.data.version ?? SIDEBAR_PREFERENCES_VERSION,\n    groupOrder,\n    groupLabels: sanitizeRecord(parsed.data.groupLabels),\n    itemLabels: sanitizeRecord(parsed.data.itemLabels),\n    hiddenItems: (() => {\n      const source = parsed.data.hiddenItems ?? []\n      const seenHidden = new Set<string>()\n      const values: string[] = []\n      for (const href of source) {\n        const trimmed = href.trim()\n        if (!trimmed || seenHidden.has(trimmed)) continue\n        seenHidden.add(trimmed)\n        values.push(trimmed)\n      }\n      return values\n    })(),\n    itemOrder: (() => {\n      const source = parsed.data.itemOrder ?? {}\n      const out: Record<string, string[]> = {}\n      for (const [groupKey, list] of Object.entries(source)) {\n        const trimmedGroup = groupKey.trim()\n        if (!trimmedGroup) continue\n        const seenItem = new Set<string>()\n        const values: string[] = []\n        for (const itemKey of list) {\n          const trimmedItem = itemKey.trim()\n          if (!trimmedItem || seenItem.has(trimmedItem)) continue\n          seenItem.add(trimmedItem)\n          values.push(trimmedItem)\n        }\n        if (values.length > 0) out[trimmedGroup] = values\n      }\n      return out\n    })(),\n  }\n\n  const { locale } = await resolveTranslations()\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  const scope = parsed.data.scope ?? { type: 'user' as const }\n\n  // Role-scoped write: requires `auth.sidebar.manage` and a role visible to this tenant.\n  // applyToRoles/clearRoleIds are forbidden in role scope (validator already rejects them).\n  if (scope.type === 'role') {\n    if (!canApplyToRoles) {\n      return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n    }\n    const role = await findRoleInScope(em, { roleId: scope.roleId, tenantId: auth.tenantId ?? null })\n    if (!role) {\n      return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n    }\n    const saved = await saveRoleSidebarPreference(em, {\n      roleId: role.id,\n      tenantId: auth.tenantId ?? null,\n      locale,\n    }, payload)\n    if (cache?.deleteByTags) {\n      try {\n        await cache.deleteByTags([`nav:sidebar:role:${role.id}`])\n      } catch {}\n    }\n    const rolesPayload = await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    return NextResponse.json({\n      locale,\n      settings: {\n        version: saved?.version ?? payload.version,\n        groupOrder: saved?.groupOrder ?? payload.groupOrder,\n        groupLabels: saved?.groupLabels ?? payload.groupLabels,\n        itemLabels: saved?.itemLabels ?? payload.itemLabels,\n        hiddenItems: saved?.hiddenItems ?? payload.hiddenItems,\n        itemOrder: saved?.itemOrder ?? payload.itemOrder,\n      },\n      canApplyToRoles,\n      roles: rolesPayload,\n      scope: { type: 'role', roleId: role.id },\n      appliedRoles: [],\n      clearedRoles: [],\n    })\n  }\n\n  const applyToRolesSource = parsed.data.applyToRoles ?? []\n  const applyToRoles = Array.from(new Set(applyToRolesSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n  const clearRoleIdsSource = parsed.data.clearRoleIds ?? []\n  const clearRoleIds = Array.from(new Set(clearRoleIdsSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n\n  if ((applyToRoles.length > 0 || clearRoleIds.length > 0) && !canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n  }\n\n  const settings = await saveSidebarPreference(em, {\n    userId: effectiveUserId,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  }, payload)\n\n  const roleScope: FilterQuery<Role> = auth.tenantId\n    ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const availableRoles = canApplyToRoles\n    ? await findWithDecryption(\n        em,\n        Role,\n        roleScope,\n        { orderBy: { name: 'asc' } },\n        { tenantId: auth.tenantId ?? null, organizationId: null },\n      )\n    : []\n  const roleMap = new Map<string, Role>(availableRoles.map((role: Role) => [String(role.id), role]))\n\n  if (applyToRoles.length > 0) {\n    const missing = applyToRoles.filter((id) => !roleMap.has(id))\n    if (missing.length) {\n      return NextResponse.json({ error: 'Invalid roles', missing }, { status: 400 })\n    }\n  }\n\n  const updatedRoleIds: string[] = []\n  const filteredClearRoleIds: string[] = []\n  await withAtomicFlush(em, [\n    async () => {\n      for (const roleId of applyToRoles) {\n        const role = roleMap.get(roleId)!\n        await saveRoleSidebarPreference(em, {\n          roleId: role.id,\n          tenantId: auth.tenantId ?? null,\n          locale,\n        }, payload)\n        updatedRoleIds.push(role.id)\n      }\n\n      const clearTargets = clearRoleIds.filter((id) => !updatedRoleIds.includes(id) && !applyToRoles.includes(id))\n      filteredClearRoleIds.push(...clearTargets)\n\n      if (filteredClearRoleIds.length > 0) {\n        // Cross-locale: role preferences are unique per (role, tenantId); keep the delete\n        // filter aligned with save/load helpers so a clear from one locale does not leave\n        // a row created under another locale orphaned.\n        await em.nativeDelete(RoleSidebarPreference, {\n          role: { $in: filteredClearRoleIds },\n          tenantId: auth.tenantId ?? null,\n        })\n      }\n    },\n  ], { transaction: true })\n\n  if (filteredClearRoleIds.length > 0 && cache?.deleteByTags) {\n    try {\n      await cache.deleteByTags(filteredClearRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`))\n    } catch {}\n  }\n\n  if (cache?.deleteByTags) {\n    const tags = [\n      `nav:sidebar:user:${auth.sub}`,\n      `nav:sidebar:scope:${auth.sub}:${auth.tenantId ?? 'null'}:${auth.orgId ?? 'null'}:${locale}`,\n      ...updatedRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`),\n    ]\n    try {\n      await cache.deleteByTags(tags)\n    } catch {}\n  }\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: availableRoles.map((role: Role) => role.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = availableRoles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  return NextResponse.json({\n    locale,\n    settings,\n    canApplyToRoles,\n    roles: rolesPayload,\n    scope: { type: 'user' },\n    appliedRoles: updatedRoleIds,\n    clearedRoles: filteredClearRoleIds,\n  })\n}\n\nexport async function DELETE(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const url = new URL(req.url)\n  const roleIdParam = url.searchParams.get('roleId')\n  if (!roleIdParam) {\n    return NextResponse.json({ error: 'roleId query parameter is required' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n  if (!canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n  }\n\n  const role = await findRoleInScope(em, { roleId: roleIdParam, tenantId: auth.tenantId ?? null })\n  if (!role) {\n    return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n  }\n\n  // Cross-locale: keep the delete filter aligned with save/load helpers (no locale).\n  await em.nativeDelete(RoleSidebarPreference, {\n    role: role.id,\n    tenantId: auth.tenantId ?? null,\n  })\n\n  if (cache?.deleteByTags) {\n    try {\n      await cache.deleteByTags([`nav:sidebar:role:${role.id}`])\n    } catch {}\n  }\n\n  return NextResponse.json({ ok: true, scope: { type: 'role', roleId: role.id } })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Sidebar preferences',\n  methods: {\n    GET: {\n      summary: 'Get sidebar preferences',\n      description: 'Returns sidebar customization for the current user (default) or the specified role (`?roleId=\u2026`, requires `auth.sidebar.manage`).',\n      responses: [\n        { status: 200, description: 'Current sidebar configuration', schema: sidebarPreferencesResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-scope read', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update sidebar preferences',\n      description: 'Updates sidebar configuration. With `scope.type === \"user\"` (default) writes the calling user\\'s personal preferences and may optionally apply the same settings to selected roles via `applyToRoles[]`. With `scope.type === \"role\"` writes the named role variant directly (requires `auth.sidebar.manage`); `applyToRoles[]` and `clearRoleIds[]` are rejected in this mode.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: sidebarPreferencesInputSchema,\n      },\n      responses: [\n        { status: 200, description: 'Preferences saved', schema: sidebarPreferencesUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-wide updates', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete a role sidebar variant',\n      description: 'Removes the role variant for the current tenant + locale. Idempotent. Requires `auth.sidebar.manage`.',\n      responses: [\n        { status: 200, description: 'Variant deleted (or never existed)', schema: sidebarPreferencesDeleteResponseSchema },\n        { status: 400, description: 'Missing roleId query parameter', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,0BAA0B;AACnC,SAAS,2BAA2B;AACpC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB,0BAA0B;AAC1D;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,mCAAmC;AAC5C,SAAS,uBAAuB;AAChC,SAAS,MAAM,6BAA6B;AAE5C,SAAS,SAAS;AAEX,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,qBAAqB,EAAE;AAAA,EACnE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,qBAAqB,EAAE;AACxE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC5C,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC3C,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,eAAe,EAAE,QAAQ;AAC3B,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,QAAQ,EAAE,OAAO;AAAA,EACjB,UAAU;AAAA,EACV,iBAAiB,EAAE,QAAQ;AAAA,EAC3B,OAAO,EAAE,MAAM,sBAAsB;AAAA,EACrC,OAAO;AACT,CAAC;AAED,MAAM,yCAAyC,iCAAiC,OAAO;AAAA,EACrF,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AAAA,EACvC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AACzC,CAAC;AAED,MAAM,yCAAyC,EAAE,OAAO;AAAA,EACtD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,OAAO;AACT,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,iBAAiB;AAWvB,SAAS,gBAA+B;AACtC,SAAO;AAAA,IACL,SAAS;AAAA,IACT,YAAY,CAAC;AAAA,IACb,aAAa,CAAC;AAAA,IACd,YAAY,CAAC;AAAA,IACb,aAAa,CAAC;AAAA,IACd,WAAW,CAAC;AAAA,EACd;AACF;AAEA,eAAe,iBACb,IACA,SACsE;AACtE,QAAM,YAA+B,QAAQ,WACzC,EAAE,KAAK,CAAC,EAAE,UAAU,QAAQ,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IAC5D,EAAE,UAAU,KAAK;AACrB,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE;AAAA,IAC3B,EAAE,UAAU,QAAQ,UAAU,gBAAgB,KAAK;AAAA,EACrD;AACA,MAAI,MAAM,WAAW,EAAG,QAAO,CAAC;AAChC,QAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,IACrD,SAAS,MAAM,IAAI,CAAC,MAAY,EAAE,EAAE;AAAA,IACpC,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,EAClB,CAAC;AACD,SAAO,MAAM,IAAI,CAAC,UAAgB;AAAA,IAChC,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,EACtC,EAAE;AACJ;AAEA,eAAe,gBACb,IACA,SACsB;AACtB,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,QAAQ,OAAO;AAAA,IACrB;AAAA,IACA,EAAE,UAAU,QAAQ,UAAU,gBAAgB,KAAK;AAAA,EACrD;AACA,MAAI,CAAC,KAAM,QAAO;AAGlB,MAAI,KAAK,YAAY,QAAQ,YAAY,KAAK,aAAa,QAAQ,SAAU,QAAO;AACpF,MAAI,KAAK,YAAY,CAAC,QAAQ,SAAU,QAAO;AAC/C,SAAO;AACT;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AAEjD,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,OAAO,QAAQ,aAAa;AAElC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAGL,MAAI,aAAa;AACf,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACtG;AACA,UAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,aAAa,UAAU,KAAK,YAAY,KAAK,CAAC;AAC/F,QAAI,CAAC,MAAM;AACT,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvE;AACA,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,CAAC,KAAK,EAAE;AAAA,MACjB,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,UAAM,OAAO,UAAU,IAAI,KAAK,EAAE,KAAK;AACvC,UAAMA,gBAAe,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC;AAC3F,WAAO,aAAa,KAAK;AAAA,MACvB;AAAA,MACA,UAAU,OACN;AAAA,QACE,SAAS,KAAK,WAAW;AAAA,QACzB,YAAY,KAAK,cAAc,CAAC;AAAA,QAChC,aAAa,KAAK,eAAe,CAAC;AAAA,QAClC,YAAY,KAAK,cAAc,CAAC;AAAA,QAChC,aAAa,KAAK,eAAe,CAAC;AAAA,QAClC,WAAW,KAAK,aAAa,CAAC;AAAA,MAChC,IACA,cAAc;AAAA,MAClB;AAAA,MACA,OAAOA;AAAA,MACP,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG;AAAA,IACzC,CAAC;AAAA,EACH;AAGA,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,QAAM,WAAW,kBACb,MAAM,sBAAsB,IAAI;AAAA,IAC9B,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC,IACD;AAEJ,QAAM,eAAe,kBACjB,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC,IACtE,CAAC;AAEL,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA,UAAU;AAAA,MACR,SAAS,UAAU,WAAW;AAAA,MAC9B,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,MACvC,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,MACvC,WAAW,UAAU,aAAa,CAAC;AAAA,IACrC;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO,EAAE,MAAM,OAAO;AAAA,EACxB,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,MAAI,CAAC,iBAAiB;AACpB,WAAO,aAAa,KAAK,EAAE,OAAO,gEAAgE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtH;AAEA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,SAAS,8BAA8B,UAAU,UAAU;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,iBAAiB,CAAC,WAAoC;AAC1D,QAAI,CAAC,OAAQ,QAAO,CAAC;AACrB,UAAM,SAAiC,CAAC;AACxC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAM,aAAa,IAAI,KAAK;AAC5B,YAAM,eAAe,MAAM,KAAK;AAChC,UAAI,CAAC,cAAc,CAAC,aAAc;AAClC,aAAO,UAAU,IAAI;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AAEA,QAAM,mBAAmB,OAAO,KAAK,cAAc,CAAC;AACpD,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,kBAAkB;AACjC,UAAM,UAAU,GAAG,KAAK;AACxB,QAAI,CAAC,WAAW,KAAK,IAAI,OAAO,EAAG;AACnC,SAAK,IAAI,OAAO;AAChB,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,QAAM,UAAU;AAAA,IACd,SAAS,OAAO,KAAK,WAAW;AAAA,IAChC;AAAA,IACA,aAAa,eAAe,OAAO,KAAK,WAAW;AAAA,IACnD,YAAY,eAAe,OAAO,KAAK,UAAU;AAAA,IACjD,cAAc,MAAM;AAClB,YAAM,SAAS,OAAO,KAAK,eAAe,CAAC;AAC3C,YAAM,aAAa,oBAAI,IAAY;AACnC,YAAM,SAAmB,CAAC;AAC1B,iBAAW,QAAQ,QAAQ;AACzB,cAAM,UAAU,KAAK,KAAK;AAC1B,YAAI,CAAC,WAAW,WAAW,IAAI,OAAO,EAAG;AACzC,mBAAW,IAAI,OAAO;AACtB,eAAO,KAAK,OAAO;AAAA,MACrB;AACA,aAAO;AAAA,IACT,GAAG;AAAA,IACH,YAAY,MAAM;AAChB,YAAM,SAAS,OAAO,KAAK,aAAa,CAAC;AACzC,YAAM,MAAgC,CAAC;AACvC,iBAAW,CAAC,UAAU,IAAI,KAAK,OAAO,QAAQ,MAAM,GAAG;AACrD,cAAM,eAAe,SAAS,KAAK;AACnC,YAAI,CAAC,aAAc;AACnB,cAAM,WAAW,oBAAI,IAAY;AACjC,cAAM,SAAmB,CAAC;AAC1B,mBAAW,WAAW,MAAM;AAC1B,gBAAM,cAAc,QAAQ,KAAK;AACjC,cAAI,CAAC,eAAe,SAAS,IAAI,WAAW,EAAG;AAC/C,mBAAS,IAAI,WAAW;AACxB,iBAAO,KAAK,WAAW;AAAA,QACzB;AACA,YAAI,OAAO,SAAS,EAAG,KAAI,YAAY,IAAI;AAAA,MAC7C;AACA,aAAO;AAAA,IACT,GAAG;AAAA,EACL;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAEL,QAAM,QAAQ,OAAO,KAAK,SAAS,EAAE,MAAM,OAAgB;AAI3D,MAAI,MAAM,SAAS,QAAQ;AACzB,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACtG;AACA,UAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,MAAM,QAAQ,UAAU,KAAK,YAAY,KAAK,CAAC;AAChG,QAAI,CAAC,MAAM;AACT,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvE;AACA,UAAM,QAAQ,MAAM,0BAA0B,IAAI;AAAA,MAChD,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,GAAG,OAAO;AACV,QAAI,OAAO,cAAc;AACvB,UAAI;AACF,cAAM,MAAM,aAAa,CAAC,oBAAoB,KAAK,EAAE,EAAE,CAAC;AAAA,MAC1D,QAAQ;AAAA,MAAC;AAAA,IACX;AACA,UAAMA,gBAAe,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC;AAC3F,WAAO,aAAa,KAAK;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,QACR,SAAS,OAAO,WAAW,QAAQ;AAAA,QACnC,YAAY,OAAO,cAAc,QAAQ;AAAA,QACzC,aAAa,OAAO,eAAe,QAAQ;AAAA,QAC3C,YAAY,OAAO,cAAc,QAAQ;AAAA,QACzC,aAAa,OAAO,eAAe,QAAQ;AAAA,QAC3C,WAAW,OAAO,aAAa,QAAQ;AAAA,MACzC;AAAA,MACA;AAAA,MACA,OAAOA;AAAA,MACP,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG;AAAA,MACvC,cAAc,CAAC;AAAA,MACf,cAAc,CAAC;AAAA,IACjB,CAAC;AAAA,EACH;AAEA,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAChH,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAEhH,OAAK,aAAa,SAAS,KAAK,aAAa,SAAS,MAAM,CAAC,iBAAiB;AAC5E,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtG;AAEA,QAAM,WAAW,MAAM,sBAAsB,IAAI;AAAA,IAC/C,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,GAAG,OAAO;AAEV,QAAM,YAA+B,KAAK,WACtC,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,QAAM,iBAAiB,kBACnB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE;AAAA,IAC3B,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK;AAAA,EAC1D,IACA,CAAC;AACL,QAAM,UAAU,IAAI,IAAkB,eAAe,IAAI,CAAC,SAAe,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjG,MAAI,aAAa,SAAS,GAAG;AAC3B,UAAM,UAAU,aAAa,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;AAC5D,QAAI,QAAQ,QAAQ;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,QAAQ,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,QAAM,iBAA2B,CAAC;AAClC,QAAM,uBAAiC,CAAC;AACxC,QAAM,gBAAgB,IAAI;AAAA,IACxB,YAAY;AACV,iBAAW,UAAU,cAAc;AACjC,cAAM,OAAO,QAAQ,IAAI,MAAM;AAC/B,cAAM,0BAA0B,IAAI;AAAA,UAClC,QAAQ,KAAK;AAAA,UACb,UAAU,KAAK,YAAY;AAAA,UAC3B;AAAA,QACF,GAAG,OAAO;AACV,uBAAe,KAAK,KAAK,EAAE;AAAA,MAC7B;AAEA,YAAM,eAAe,aAAa,OAAO,CAAC,OAAO,CAAC,eAAe,SAAS,EAAE,KAAK,CAAC,aAAa,SAAS,EAAE,CAAC;AAC3G,2BAAqB,KAAK,GAAG,YAAY;AAEzC,UAAI,qBAAqB,SAAS,GAAG;AAInC,cAAM,GAAG,aAAa,uBAAuB;AAAA,UAC3C,MAAM,EAAE,KAAK,qBAAqB;AAAA,UAClC,UAAU,KAAK,YAAY;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AAExB,MAAI,qBAAqB,SAAS,KAAK,OAAO,cAAc;AAC1D,QAAI;AACF,YAAM,MAAM,aAAa,qBAAqB,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE,CAAC;AAAA,IAC7F,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,OAAO,cAAc;AACvB,UAAM,OAAO;AAAA,MACX,oBAAoB,KAAK,GAAG;AAAA,MAC5B,qBAAqB,KAAK,GAAG,IAAI,KAAK,YAAY,MAAM,IAAI,KAAK,SAAS,MAAM,IAAI,MAAM;AAAA,MAC1F,GAAG,eAAe,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE;AAAA,IAChE;AACA,QAAI;AACF,YAAM,MAAM,aAAa,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,eAAe,IAAI,CAAC,SAAe,KAAK,EAAE;AAAA,MACnD,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,eAAe,IAAI,CAAC,UAAgB;AAAA,MACjD,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO,EAAE,MAAM,OAAO;AAAA,IACtB,cAAc;AAAA,IACd,cAAc;AAAA,EAChB,CAAC;AACH;AAEA,eAAsB,OAAO,KAAc;AACzC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AACjD,MAAI,CAAC,aAAa;AAChB,WAAO,aAAa,KAAK,EAAE,OAAO,qCAAqC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AACL,MAAI,CAAC,iBAAiB;AACpB,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtG;AAEA,QAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,aAAa,UAAU,KAAK,YAAY,KAAK,CAAC;AAC/F,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvE;AAGA,QAAM,GAAG,aAAa,uBAAuB;AAAA,IAC3C,MAAM,KAAK;AAAA,IACX,UAAU,KAAK,YAAY;AAAA,EAC7B,CAAC;AAED,MAAI,OAAO,cAAc;AACvB,QAAI;AACF,YAAM,MAAM,aAAa,CAAC,oBAAoB,KAAK,EAAE,EAAE,CAAC;AAAA,IAC1D,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG,EAAE,CAAC;AACjF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,iCAAiC;AAAA,QACtG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,mBAAmB;AAAA,QAC/F,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,uCAAuC;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,QACjG,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,uCAAuC;AAAA,QACjH,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,mBAAmB;AAAA,QACzF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,mBAAmB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport {\n  sidebarPreferencesInputSchema,\n  sidebarPreferencesScopeSchema,\n} from '../../../data/validators'\nimport {\n  loadRoleSidebarPreferenceUpdatedAt,\n  loadRoleSidebarPreferences,\n  loadSidebarPreference,\n  loadSidebarPreferenceUpdatedAt,\n  saveRoleSidebarPreference,\n  saveSidebarPreference,\n} from '../../../services/sidebarPreferencesService'\nimport { SIDEBAR_PREFERENCES_VERSION } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { Role, RoleSidebarPreference } from '../../../data/entities'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { z } from 'zod'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  PUT: { requireAuth: true, requireFeatures: ['auth.sidebar.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.sidebar.manage'] },\n}\n\nconst sidebarSettingsSchema = z.object({\n  version: z.number().int().positive(),\n  groupOrder: z.array(z.string()),\n  groupLabels: z.record(z.string(), z.string()),\n  itemLabels: z.record(z.string(), z.string()),\n  hiddenItems: z.array(z.string()),\n  itemOrder: z.record(z.string(), z.array(z.string())),\n})\n\nconst sidebarRoleEntrySchema = z.object({\n  id: z.string().uuid(),\n  name: z.string(),\n  hasPreference: z.boolean(),\n})\n\nconst sidebarPreferencesResponseSchema = z.object({\n  locale: z.string(),\n  settings: sidebarSettingsSchema,\n  canApplyToRoles: z.boolean(),\n  roles: z.array(sidebarRoleEntrySchema),\n  scope: sidebarPreferencesScopeSchema,\n  updatedAt: z.string().datetime().nullable(),\n})\n\nconst sidebarPreferencesUpdateResponseSchema = sidebarPreferencesResponseSchema.extend({\n  appliedRoles: z.array(z.string().uuid()),\n  clearedRoles: z.array(z.string().uuid()),\n})\n\nconst sidebarPreferencesDeleteResponseSchema = z.object({\n  ok: z.literal(true),\n  scope: sidebarPreferencesScopeSchema,\n})\n\nconst sidebarErrorSchema = z.object({\n  error: z.string(),\n})\n\nconst FEATURE_MANAGE = 'auth.sidebar.manage'\n\ntype EmptySettings = {\n  version: number\n  groupOrder: string[]\n  groupLabels: Record<string, string>\n  itemLabels: Record<string, string>\n  hiddenItems: string[]\n  itemOrder: Record<string, string[]>\n}\n\nfunction emptySettings(): EmptySettings {\n  return {\n    version: SIDEBAR_PREFERENCES_VERSION,\n    groupOrder: [],\n    groupLabels: {},\n    itemLabels: {},\n    hiddenItems: [],\n    itemOrder: {},\n  }\n}\n\nasync function loadRolesPayload(\n  em: EntityManager,\n  options: { tenantId: string | null; locale: string },\n): Promise<Array<{ id: string; name: string; hasPreference: boolean }>> {\n  const roleScope: FilterQuery<Role> = options.tenantId\n    ? { $or: [{ tenantId: options.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const roles = await findWithDecryption(\n    em,\n    Role,\n    roleScope,\n    { orderBy: { name: 'asc' } },\n    { tenantId: options.tenantId, organizationId: null },\n  )\n  if (roles.length === 0) return []\n  const rolePrefs = await loadRoleSidebarPreferences(em, {\n    roleIds: roles.map((r: Role) => r.id),\n    tenantId: options.tenantId,\n    locale: options.locale,\n  })\n  return roles.map((role: Role) => ({\n    id: role.id,\n    name: role.name,\n    hasPreference: rolePrefs.has(role.id),\n  }))\n}\n\nasync function findRoleInScope(\n  em: EntityManager,\n  options: { roleId: string; tenantId: string | null },\n): Promise<Role | null> {\n  const role = await findOneWithDecryption(\n    em,\n    Role,\n    { id: options.roleId },\n    undefined,\n    { tenantId: options.tenantId, organizationId: null },\n  )\n  if (!role) return null\n  // Cross-tenant guard: a role belongs to either the auth tenant or the global (null tenant) pool.\n  // Reject the lookup otherwise so a multi-tenant deployment can't leak across tenants.\n  if (role.tenantId && options.tenantId && role.tenantId !== options.tenantId) return null\n  if (role.tenantId && !options.tenantId) return null\n  return role\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const url = new URL(req.url)\n  const roleIdParam = url.searchParams.get('roleId')\n\n  const { locale } = await resolveTranslations()\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as EntityManager\n  const rbac = resolve('rbacService') as any\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  // Role-scoped read: requires `auth.sidebar.manage`.\n  if (roleIdParam) {\n    if (!canApplyToRoles) {\n      return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n    }\n    const role = await findRoleInScope(em, { roleId: roleIdParam, tenantId: auth.tenantId ?? null })\n    if (!role) {\n      return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n    }\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: [role.id],\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    const pref = rolePrefs.get(role.id) ?? null\n    const rolesPayload = await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    const roleVersion = await loadRoleSidebarPreferenceUpdatedAt(em, {\n      roleId: role.id,\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    return NextResponse.json({\n      locale,\n      settings: pref\n        ? {\n            version: pref.version ?? SIDEBAR_PREFERENCES_VERSION,\n            groupOrder: pref.groupOrder ?? [],\n            groupLabels: pref.groupLabels ?? {},\n            itemLabels: pref.itemLabels ?? {},\n            hiddenItems: pref.hiddenItems ?? [],\n            itemOrder: pref.itemOrder ?? {},\n          }\n        : emptySettings(),\n      canApplyToRoles,\n      roles: rolesPayload,\n      scope: { type: 'role', roleId: role.id },\n      updatedAt: roleVersion?.updatedAt ? roleVersion.updatedAt.toISOString() : null,\n    })\n  }\n\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  const settings = effectiveUserId\n    ? await loadSidebarPreference(em, {\n        userId: effectiveUserId,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        locale,\n      })\n    : null\n\n  const rolesPayload = canApplyToRoles\n    ? await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    : []\n\n  const userVersion = effectiveUserId\n    ? await loadSidebarPreferenceUpdatedAt(em, {\n        userId: effectiveUserId,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        locale,\n      })\n    : null\n\n  return NextResponse.json({\n    locale,\n    settings: {\n      version: settings?.version ?? SIDEBAR_PREFERENCES_VERSION,\n      groupOrder: settings?.groupOrder ?? [],\n      groupLabels: settings?.groupLabels ?? {},\n      itemLabels: settings?.itemLabels ?? {},\n      hiddenItems: settings?.hiddenItems ?? [],\n      itemOrder: settings?.itemOrder ?? {},\n    },\n    canApplyToRoles,\n    roles: rolesPayload,\n    scope: { type: 'user' },\n    updatedAt: userVersion?.updatedAt ? userVersion.updatedAt.toISOString() : null,\n  })\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  // For API key auth, use userId (the actual user) if available\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  if (!effectiveUserId) {\n    return NextResponse.json({ error: 'Cannot save preferences: no user associated with this API key' }, { status: 403 })\n  }\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 })\n  }\n\n  const parsed = sidebarPreferencesInputSchema.safeParse(parsedBody)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload', details: parsed.error.flatten() }, { status: 400 })\n  }\n\n  const sanitizeRecord = (record?: Record<string, string>) => {\n    if (!record) return {}\n    const result: Record<string, string> = {}\n    for (const [key, value] of Object.entries(record)) {\n      const trimmedKey = key.trim()\n      const trimmedValue = value.trim()\n      if (!trimmedKey || !trimmedValue) continue\n      result[trimmedKey] = trimmedValue\n    }\n    return result\n  }\n\n  const groupOrderSource = parsed.data.groupOrder ?? []\n  const seen = new Set<string>()\n  const groupOrder: string[] = []\n  for (const id of groupOrderSource) {\n    const trimmed = id.trim()\n    if (!trimmed || seen.has(trimmed)) continue\n    seen.add(trimmed)\n    groupOrder.push(trimmed)\n  }\n\n  const payload = {\n    version: parsed.data.version ?? SIDEBAR_PREFERENCES_VERSION,\n    groupOrder,\n    groupLabels: sanitizeRecord(parsed.data.groupLabels),\n    itemLabels: sanitizeRecord(parsed.data.itemLabels),\n    hiddenItems: (() => {\n      const source = parsed.data.hiddenItems ?? []\n      const seenHidden = new Set<string>()\n      const values: string[] = []\n      for (const href of source) {\n        const trimmed = href.trim()\n        if (!trimmed || seenHidden.has(trimmed)) continue\n        seenHidden.add(trimmed)\n        values.push(trimmed)\n      }\n      return values\n    })(),\n    itemOrder: (() => {\n      const source = parsed.data.itemOrder ?? {}\n      const out: Record<string, string[]> = {}\n      for (const [groupKey, list] of Object.entries(source)) {\n        const trimmedGroup = groupKey.trim()\n        if (!trimmedGroup) continue\n        const seenItem = new Set<string>()\n        const values: string[] = []\n        for (const itemKey of list) {\n          const trimmedItem = itemKey.trim()\n          if (!trimmedItem || seenItem.has(trimmedItem)) continue\n          seenItem.add(trimmedItem)\n          values.push(trimmedItem)\n        }\n        if (values.length > 0) out[trimmedGroup] = values\n      }\n      return out\n    })(),\n  }\n\n  const { locale } = await resolveTranslations()\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n\n  const scope = parsed.data.scope ?? { type: 'user' as const }\n\n  // Role-scoped write: requires `auth.sidebar.manage` and a role visible to this tenant.\n  // applyToRoles/clearRoleIds are forbidden in role scope (validator already rejects them).\n  if (scope.type === 'role') {\n    if (!canApplyToRoles) {\n      return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n    }\n    const role = await findRoleInScope(em, { roleId: scope.roleId, tenantId: auth.tenantId ?? null })\n    if (!role) {\n      return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n    }\n    const existingRolePref = await loadRoleSidebarPreferenceUpdatedAt(em, {\n      roleId: role.id,\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    if (existingRolePref) {\n      try {\n        enforceCommandOptimisticLock({\n          resourceKind: 'auth.role_sidebar_preference',\n          resourceId: existingRolePref.id,\n          current: existingRolePref.updatedAt ?? null,\n          request: req,\n        })\n      } catch (err) {\n        if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n        throw err\n      }\n    }\n    const saved = await saveRoleSidebarPreference(em, {\n      roleId: role.id,\n      tenantId: auth.tenantId ?? null,\n      locale,\n    }, payload)\n    const savedRoleVersion = await loadRoleSidebarPreferenceUpdatedAt(em, {\n      roleId: role.id,\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    if (cache?.deleteByTags) {\n      try {\n        await cache.deleteByTags([`nav:sidebar:role:${role.id}`])\n      } catch {}\n    }\n    const rolesPayload = await loadRolesPayload(em, { tenantId: auth.tenantId ?? null, locale })\n    return NextResponse.json({\n      locale,\n      settings: {\n        version: saved?.version ?? payload.version,\n        groupOrder: saved?.groupOrder ?? payload.groupOrder,\n        groupLabels: saved?.groupLabels ?? payload.groupLabels,\n        itemLabels: saved?.itemLabels ?? payload.itemLabels,\n        hiddenItems: saved?.hiddenItems ?? payload.hiddenItems,\n        itemOrder: saved?.itemOrder ?? payload.itemOrder,\n      },\n      canApplyToRoles,\n      roles: rolesPayload,\n      scope: { type: 'role', roleId: role.id },\n      updatedAt: savedRoleVersion?.updatedAt ? savedRoleVersion.updatedAt.toISOString() : null,\n      appliedRoles: [],\n      clearedRoles: [],\n    })\n  }\n\n  const applyToRolesSource = parsed.data.applyToRoles ?? []\n  const applyToRoles = Array.from(new Set(applyToRolesSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n  const clearRoleIdsSource = parsed.data.clearRoleIds ?? []\n  const clearRoleIds = Array.from(new Set(clearRoleIdsSource.map((id) => id.trim()).filter((id) => id.length > 0)))\n\n  if ((applyToRoles.length > 0 || clearRoleIds.length > 0) && !canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n  }\n\n  const existingUserPref = await loadSidebarPreferenceUpdatedAt(em, {\n    userId: effectiveUserId,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  })\n  if (existingUserPref) {\n    try {\n      enforceCommandOptimisticLock({\n        resourceKind: 'auth.sidebar_preference',\n        resourceId: existingUserPref.id,\n        current: existingUserPref.updatedAt ?? null,\n        request: req,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const settings = await saveSidebarPreference(em, {\n    userId: effectiveUserId,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  }, payload)\n\n  const roleScope: FilterQuery<Role> = auth.tenantId\n    ? { $or: [{ tenantId: auth.tenantId }, { tenantId: null }] }\n    : { tenantId: null }\n  const availableRoles = canApplyToRoles\n    ? await findWithDecryption(\n        em,\n        Role,\n        roleScope,\n        { orderBy: { name: 'asc' } },\n        { tenantId: auth.tenantId ?? null, organizationId: null },\n      )\n    : []\n  const roleMap = new Map<string, Role>(availableRoles.map((role: Role) => [String(role.id), role]))\n\n  if (applyToRoles.length > 0) {\n    const missing = applyToRoles.filter((id) => !roleMap.has(id))\n    if (missing.length) {\n      return NextResponse.json({ error: 'Invalid roles', missing }, { status: 400 })\n    }\n  }\n\n  const updatedRoleIds: string[] = []\n  const filteredClearRoleIds: string[] = []\n  await withAtomicFlush(em, [\n    async () => {\n      for (const roleId of applyToRoles) {\n        const role = roleMap.get(roleId)!\n        await saveRoleSidebarPreference(em, {\n          roleId: role.id,\n          tenantId: auth.tenantId ?? null,\n          locale,\n        }, payload)\n        updatedRoleIds.push(role.id)\n      }\n\n      const clearTargets = clearRoleIds.filter((id) => !updatedRoleIds.includes(id) && !applyToRoles.includes(id))\n      filteredClearRoleIds.push(...clearTargets)\n\n      if (filteredClearRoleIds.length > 0) {\n        // Cross-locale: role preferences are unique per (role, tenantId); keep the delete\n        // filter aligned with save/load helpers so a clear from one locale does not leave\n        // a row created under another locale orphaned.\n        await em.nativeDelete(RoleSidebarPreference, {\n          role: { $in: filteredClearRoleIds },\n          tenantId: auth.tenantId ?? null,\n        })\n      }\n    },\n  ], { transaction: true })\n\n  if (filteredClearRoleIds.length > 0 && cache?.deleteByTags) {\n    try {\n      await cache.deleteByTags(filteredClearRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`))\n    } catch {}\n  }\n\n  if (cache?.deleteByTags) {\n    const tags = [\n      `nav:sidebar:user:${auth.sub}`,\n      `nav:sidebar:scope:${auth.sub}:${auth.tenantId ?? 'null'}:${auth.orgId ?? 'null'}:${locale}`,\n      ...updatedRoleIds.map((roleId) => `nav:sidebar:role:${roleId}`),\n    ]\n    try {\n      await cache.deleteByTags(tags)\n    } catch {}\n  }\n\n  let rolesPayload: Array<{ id: string; name: string; hasPreference: boolean }> = []\n  if (canApplyToRoles) {\n    const rolePrefs = await loadRoleSidebarPreferences(em, {\n      roleIds: availableRoles.map((role: Role) => role.id),\n      tenantId: auth.tenantId ?? null,\n      locale,\n    })\n    rolesPayload = availableRoles.map((role: Role) => ({\n      id: role.id,\n      name: role.name,\n      hasPreference: rolePrefs.has(role.id),\n    }))\n  }\n\n  const savedUserVersion = await loadSidebarPreferenceUpdatedAt(em, {\n    userId: effectiveUserId,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    locale,\n  })\n\n  return NextResponse.json({\n    locale,\n    settings,\n    canApplyToRoles,\n    roles: rolesPayload,\n    scope: { type: 'user' },\n    updatedAt: savedUserVersion?.updatedAt ? savedUserVersion.updatedAt.toISOString() : null,\n    appliedRoles: updatedRoleIds,\n    clearedRoles: filteredClearRoleIds,\n  })\n}\n\nexport async function DELETE(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const url = new URL(req.url)\n  const roleIdParam = url.searchParams.get('roleId')\n  if (!roleIdParam) {\n    return NextResponse.json({ error: 'roleId query parameter is required' }, { status: 400 })\n  }\n\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as any\n  const cache = container.resolve('cache') as { deleteByTags?: (tags: string[]) => Promise<unknown> } | undefined\n\n  const canApplyToRoles = await rbac.userHasAllFeatures?.(\n    auth.sub,\n    [FEATURE_MANAGE],\n    { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null },\n  ) ?? false\n  if (!canApplyToRoles) {\n    return NextResponse.json({ error: 'Forbidden', requiredFeatures: [FEATURE_MANAGE] }, { status: 403 })\n  }\n\n  const role = await findRoleInScope(em, { roleId: roleIdParam, tenantId: auth.tenantId ?? null })\n  if (!role) {\n    return NextResponse.json({ error: 'Role not found' }, { status: 404 })\n  }\n\n  // Cross-locale: keep the delete filter aligned with save/load helpers (no locale).\n  await em.nativeDelete(RoleSidebarPreference, {\n    role: role.id,\n    tenantId: auth.tenantId ?? null,\n  })\n\n  if (cache?.deleteByTags) {\n    try {\n      await cache.deleteByTags([`nav:sidebar:role:${role.id}`])\n    } catch {}\n  }\n\n  return NextResponse.json({ ok: true, scope: { type: 'role', roleId: role.id } })\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'Sidebar preferences',\n  methods: {\n    GET: {\n      summary: 'Get sidebar preferences',\n      description: 'Returns sidebar customization for the current user (default) or the specified role (`?roleId=\u2026`, requires `auth.sidebar.manage`).',\n      responses: [\n        { status: 200, description: 'Current sidebar configuration', schema: sidebarPreferencesResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-scope read', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update sidebar preferences',\n      description: 'Updates sidebar configuration. With `scope.type === \"user\"` (default) writes the calling user\\'s personal preferences and may optionally apply the same settings to selected roles via `applyToRoles[]`. With `scope.type === \"role\"` writes the named role variant directly (requires `auth.sidebar.manage`); `applyToRoles[]` and `clearRoleIds[]` are rejected in this mode.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: sidebarPreferencesInputSchema,\n      },\n      responses: [\n        { status: 200, description: 'Preferences saved', schema: sidebarPreferencesUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features for role-wide updates', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete a role sidebar variant',\n      description: 'Removes the role variant for the current tenant + locale. Idempotent. Requires `auth.sidebar.manage`.',\n      responses: [\n        { status: 200, description: 'Variant deleted (or never existed)', schema: sidebarPreferencesDeleteResponseSchema },\n        { status: 400, description: 'Missing roleId query parameter', schema: sidebarErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: sidebarErrorSchema },\n        { status: 403, description: 'Missing features', schema: sidebarErrorSchema },\n        { status: 404, description: 'Role not found in current tenant scope', schema: sidebarErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,0BAA0B;AACnC,SAAS,2BAA2B;AACpC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB,0BAA0B;AAC1D;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,mCAAmC;AAC5C,SAAS,uBAAuB;AAChC,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,MAAM,6BAA6B;AAE5C,SAAS,SAAS;AAEX,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,qBAAqB,EAAE;AAAA,EACnE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,qBAAqB,EAAE;AACxE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC9B,aAAa,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC5C,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAAA,EAC3C,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC/B,WAAW,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,MAAM,EAAE,OAAO;AAAA,EACf,eAAe,EAAE,QAAQ;AAC3B,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,QAAQ,EAAE,OAAO;AAAA,EACjB,UAAU;AAAA,EACV,iBAAiB,EAAE,QAAQ;AAAA,EAC3B,OAAO,EAAE,MAAM,sBAAsB;AAAA,EACrC,OAAO;AAAA,EACP,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC5C,CAAC;AAED,MAAM,yCAAyC,iCAAiC,OAAO;AAAA,EACrF,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AAAA,EACvC,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;AACzC,CAAC;AAED,MAAM,yCAAyC,EAAE,OAAO;AAAA,EACtD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,OAAO;AACT,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,iBAAiB;AAWvB,SAAS,gBAA+B;AACtC,SAAO;AAAA,IACL,SAAS;AAAA,IACT,YAAY,CAAC;AAAA,IACb,aAAa,CAAC;AAAA,IACd,YAAY,CAAC;AAAA,IACb,aAAa,CAAC;AAAA,IACd,WAAW,CAAC;AAAA,EACd;AACF;AAEA,eAAe,iBACb,IACA,SACsE;AACtE,QAAM,YAA+B,QAAQ,WACzC,EAAE,KAAK,CAAC,EAAE,UAAU,QAAQ,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IAC5D,EAAE,UAAU,KAAK;AACrB,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE;AAAA,IAC3B,EAAE,UAAU,QAAQ,UAAU,gBAAgB,KAAK;AAAA,EACrD;AACA,MAAI,MAAM,WAAW,EAAG,QAAO,CAAC;AAChC,QAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,IACrD,SAAS,MAAM,IAAI,CAAC,MAAY,EAAE,EAAE;AAAA,IACpC,UAAU,QAAQ;AAAA,IAClB,QAAQ,QAAQ;AAAA,EAClB,CAAC;AACD,SAAO,MAAM,IAAI,CAAC,UAAgB;AAAA,IAChC,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,EACtC,EAAE;AACJ;AAEA,eAAe,gBACb,IACA,SACsB;AACtB,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,EAAE,IAAI,QAAQ,OAAO;AAAA,IACrB;AAAA,IACA,EAAE,UAAU,QAAQ,UAAU,gBAAgB,KAAK;AAAA,EACrD;AACA,MAAI,CAAC,KAAM,QAAO;AAGlB,MAAI,KAAK,YAAY,QAAQ,YAAY,KAAK,aAAa,QAAQ,SAAU,QAAO;AACpF,MAAI,KAAK,YAAY,CAAC,QAAQ,SAAU,QAAO;AAC/C,SAAO;AACT;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AAEjD,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AACvB,QAAM,OAAO,QAAQ,aAAa;AAElC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAGL,MAAI,aAAa;AACf,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACtG;AACA,UAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,aAAa,UAAU,KAAK,YAAY,KAAK,CAAC;AAC/F,QAAI,CAAC,MAAM;AACT,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvE;AACA,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,CAAC,KAAK,EAAE;AAAA,MACjB,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,UAAM,OAAO,UAAU,IAAI,KAAK,EAAE,KAAK;AACvC,UAAMA,gBAAe,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC;AAC3F,UAAM,cAAc,MAAM,mCAAmC,IAAI;AAAA,MAC/D,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,WAAO,aAAa,KAAK;AAAA,MACvB;AAAA,MACA,UAAU,OACN;AAAA,QACE,SAAS,KAAK,WAAW;AAAA,QACzB,YAAY,KAAK,cAAc,CAAC;AAAA,QAChC,aAAa,KAAK,eAAe,CAAC;AAAA,QAClC,YAAY,KAAK,cAAc,CAAC;AAAA,QAChC,aAAa,KAAK,eAAe,CAAC;AAAA,QAClC,WAAW,KAAK,aAAa,CAAC;AAAA,MAChC,IACA,cAAc;AAAA,MAClB;AAAA,MACA,OAAOA;AAAA,MACP,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG;AAAA,MACvC,WAAW,aAAa,YAAY,YAAY,UAAU,YAAY,IAAI;AAAA,IAC5E,CAAC;AAAA,EACH;AAGA,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,QAAM,WAAW,kBACb,MAAM,sBAAsB,IAAI;AAAA,IAC9B,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC,IACD;AAEJ,QAAM,eAAe,kBACjB,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC,IACtE,CAAC;AAEL,QAAM,cAAc,kBAChB,MAAM,+BAA+B,IAAI;AAAA,IACvC,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC,IACD;AAEJ,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA,UAAU;AAAA,MACR,SAAS,UAAU,WAAW;AAAA,MAC9B,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,MACvC,YAAY,UAAU,cAAc,CAAC;AAAA,MACrC,aAAa,UAAU,eAAe,CAAC;AAAA,MACvC,WAAW,UAAU,aAAa,CAAC;AAAA,IACrC;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO,EAAE,MAAM,OAAO;AAAA,IACtB,WAAW,aAAa,YAAY,YAAY,UAAU,YAAY,IAAI;AAAA,EAC5E,CAAC;AACH;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,MAAI,CAAC,iBAAiB;AACpB,WAAO,aAAa,KAAK,EAAE,OAAO,gEAAgE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtH;AAEA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,SAAS,8BAA8B,UAAU,UAAU;AACjE,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,iBAAiB,CAAC,WAAoC;AAC1D,QAAI,CAAC,OAAQ,QAAO,CAAC;AACrB,UAAM,SAAiC,CAAC;AACxC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAM,aAAa,IAAI,KAAK;AAC5B,YAAM,eAAe,MAAM,KAAK;AAChC,UAAI,CAAC,cAAc,CAAC,aAAc;AAClC,aAAO,UAAU,IAAI;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AAEA,QAAM,mBAAmB,OAAO,KAAK,cAAc,CAAC;AACpD,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,aAAuB,CAAC;AAC9B,aAAW,MAAM,kBAAkB;AACjC,UAAM,UAAU,GAAG,KAAK;AACxB,QAAI,CAAC,WAAW,KAAK,IAAI,OAAO,EAAG;AACnC,SAAK,IAAI,OAAO;AAChB,eAAW,KAAK,OAAO;AAAA,EACzB;AAEA,QAAM,UAAU;AAAA,IACd,SAAS,OAAO,KAAK,WAAW;AAAA,IAChC;AAAA,IACA,aAAa,eAAe,OAAO,KAAK,WAAW;AAAA,IACnD,YAAY,eAAe,OAAO,KAAK,UAAU;AAAA,IACjD,cAAc,MAAM;AAClB,YAAM,SAAS,OAAO,KAAK,eAAe,CAAC;AAC3C,YAAM,aAAa,oBAAI,IAAY;AACnC,YAAM,SAAmB,CAAC;AAC1B,iBAAW,QAAQ,QAAQ;AACzB,cAAM,UAAU,KAAK,KAAK;AAC1B,YAAI,CAAC,WAAW,WAAW,IAAI,OAAO,EAAG;AACzC,mBAAW,IAAI,OAAO;AACtB,eAAO,KAAK,OAAO;AAAA,MACrB;AACA,aAAO;AAAA,IACT,GAAG;AAAA,IACH,YAAY,MAAM;AAChB,YAAM,SAAS,OAAO,KAAK,aAAa,CAAC;AACzC,YAAM,MAAgC,CAAC;AACvC,iBAAW,CAAC,UAAU,IAAI,KAAK,OAAO,QAAQ,MAAM,GAAG;AACrD,cAAM,eAAe,SAAS,KAAK;AACnC,YAAI,CAAC,aAAc;AACnB,cAAM,WAAW,oBAAI,IAAY;AACjC,cAAM,SAAmB,CAAC;AAC1B,mBAAW,WAAW,MAAM;AAC1B,gBAAM,cAAc,QAAQ,KAAK;AACjC,cAAI,CAAC,eAAe,SAAS,IAAI,WAAW,EAAG;AAC/C,mBAAS,IAAI,WAAW;AACxB,iBAAO,KAAK,WAAW;AAAA,QACzB;AACA,YAAI,OAAO,SAAS,EAAG,KAAI,YAAY,IAAI;AAAA,MAC7C;AACA,aAAO;AAAA,IACT,GAAG;AAAA,EACL;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,oBAAoB;AAC7C,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AAEL,QAAM,QAAQ,OAAO,KAAK,SAAS,EAAE,MAAM,OAAgB;AAI3D,MAAI,MAAM,SAAS,QAAQ;AACzB,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACtG;AACA,UAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,MAAM,QAAQ,UAAU,KAAK,YAAY,KAAK,CAAC;AAChG,QAAI,CAAC,MAAM;AACT,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvE;AACA,UAAM,mBAAmB,MAAM,mCAAmC,IAAI;AAAA,MACpE,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,QAAI,kBAAkB;AACpB,UAAI;AACF,qCAA6B;AAAA,UAC3B,cAAc;AAAA,UACd,YAAY,iBAAiB;AAAA,UAC7B,SAAS,iBAAiB,aAAa;AAAA,UACvC,SAAS;AAAA,QACX,CAAC;AAAA,MACH,SAAS,KAAK;AACZ,YAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,cAAM;AAAA,MACR;AAAA,IACF;AACA,UAAM,QAAQ,MAAM,0BAA0B,IAAI;AAAA,MAChD,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,GAAG,OAAO;AACV,UAAM,mBAAmB,MAAM,mCAAmC,IAAI;AAAA,MACpE,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,QAAI,OAAO,cAAc;AACvB,UAAI;AACF,cAAM,MAAM,aAAa,CAAC,oBAAoB,KAAK,EAAE,EAAE,CAAC;AAAA,MAC1D,QAAQ;AAAA,MAAC;AAAA,IACX;AACA,UAAMA,gBAAe,MAAM,iBAAiB,IAAI,EAAE,UAAU,KAAK,YAAY,MAAM,OAAO,CAAC;AAC3F,WAAO,aAAa,KAAK;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,QACR,SAAS,OAAO,WAAW,QAAQ;AAAA,QACnC,YAAY,OAAO,cAAc,QAAQ;AAAA,QACzC,aAAa,OAAO,eAAe,QAAQ;AAAA,QAC3C,YAAY,OAAO,cAAc,QAAQ;AAAA,QACzC,aAAa,OAAO,eAAe,QAAQ;AAAA,QAC3C,WAAW,OAAO,aAAa,QAAQ;AAAA,MACzC;AAAA,MACA;AAAA,MACA,OAAOA;AAAA,MACP,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG;AAAA,MACvC,WAAW,kBAAkB,YAAY,iBAAiB,UAAU,YAAY,IAAI;AAAA,MACpF,cAAc,CAAC;AAAA,MACf,cAAc,CAAC;AAAA,IACjB,CAAC;AAAA,EACH;AAEA,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAChH,QAAM,qBAAqB,OAAO,KAAK,gBAAgB,CAAC;AACxD,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,mBAAmB,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC;AAEhH,OAAK,aAAa,SAAS,KAAK,aAAa,SAAS,MAAM,CAAC,iBAAiB;AAC5E,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtG;AAEA,QAAM,mBAAmB,MAAM,+BAA+B,IAAI;AAAA,IAChE,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACD,MAAI,kBAAkB;AACpB,QAAI;AACF,mCAA6B;AAAA,QAC3B,cAAc;AAAA,QACd,YAAY,iBAAiB;AAAA,QAC7B,SAAS,iBAAiB,aAAa;AAAA,QACvC,SAAS;AAAA,MACX,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,WAAW,MAAM,sBAAsB,IAAI;AAAA,IAC/C,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,GAAG,OAAO;AAEV,QAAM,YAA+B,KAAK,WACtC,EAAE,KAAK,CAAC,EAAE,UAAU,KAAK,SAAS,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,IACzD,EAAE,UAAU,KAAK;AACrB,QAAM,iBAAiB,kBACnB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,EAAE,SAAS,EAAE,MAAM,MAAM,EAAE;AAAA,IAC3B,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK;AAAA,EAC1D,IACA,CAAC;AACL,QAAM,UAAU,IAAI,IAAkB,eAAe,IAAI,CAAC,SAAe,CAAC,OAAO,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC;AAEjG,MAAI,aAAa,SAAS,GAAG;AAC3B,UAAM,UAAU,aAAa,OAAO,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;AAC5D,QAAI,QAAQ,QAAQ;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,QAAQ,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,QAAM,iBAA2B,CAAC;AAClC,QAAM,uBAAiC,CAAC;AACxC,QAAM,gBAAgB,IAAI;AAAA,IACxB,YAAY;AACV,iBAAW,UAAU,cAAc;AACjC,cAAM,OAAO,QAAQ,IAAI,MAAM;AAC/B,cAAM,0BAA0B,IAAI;AAAA,UAClC,QAAQ,KAAK;AAAA,UACb,UAAU,KAAK,YAAY;AAAA,UAC3B;AAAA,QACF,GAAG,OAAO;AACV,uBAAe,KAAK,KAAK,EAAE;AAAA,MAC7B;AAEA,YAAM,eAAe,aAAa,OAAO,CAAC,OAAO,CAAC,eAAe,SAAS,EAAE,KAAK,CAAC,aAAa,SAAS,EAAE,CAAC;AAC3G,2BAAqB,KAAK,GAAG,YAAY;AAEzC,UAAI,qBAAqB,SAAS,GAAG;AAInC,cAAM,GAAG,aAAa,uBAAuB;AAAA,UAC3C,MAAM,EAAE,KAAK,qBAAqB;AAAA,UAClC,UAAU,KAAK,YAAY;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AAExB,MAAI,qBAAqB,SAAS,KAAK,OAAO,cAAc;AAC1D,QAAI;AACF,YAAM,MAAM,aAAa,qBAAqB,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE,CAAC;AAAA,IAC7F,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,OAAO,cAAc;AACvB,UAAM,OAAO;AAAA,MACX,oBAAoB,KAAK,GAAG;AAAA,MAC5B,qBAAqB,KAAK,GAAG,IAAI,KAAK,YAAY,MAAM,IAAI,KAAK,SAAS,MAAM,IAAI,MAAM;AAAA,MAC1F,GAAG,eAAe,IAAI,CAAC,WAAW,oBAAoB,MAAM,EAAE;AAAA,IAChE;AACA,QAAI;AACF,YAAM,MAAM,aAAa,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,MAAI,eAA4E,CAAC;AACjF,MAAI,iBAAiB;AACnB,UAAM,YAAY,MAAM,2BAA2B,IAAI;AAAA,MACrD,SAAS,eAAe,IAAI,CAAC,SAAe,KAAK,EAAE;AAAA,MACnD,UAAU,KAAK,YAAY;AAAA,MAC3B;AAAA,IACF,CAAC;AACD,mBAAe,eAAe,IAAI,CAAC,UAAgB;AAAA,MACjD,IAAI,KAAK;AAAA,MACT,MAAM,KAAK;AAAA,MACX,eAAe,UAAU,IAAI,KAAK,EAAE;AAAA,IACtC,EAAE;AAAA,EACJ;AAEA,QAAM,mBAAmB,MAAM,+BAA+B,IAAI;AAAA,IAChE,QAAQ;AAAA,IACR,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO,EAAE,MAAM,OAAO;AAAA,IACtB,WAAW,kBAAkB,YAAY,iBAAiB,UAAU,YAAY,IAAI;AAAA,IACpF,cAAc;AAAA,IACd,cAAc;AAAA,EAChB,CAAC;AACH;AAEA,eAAsB,OAAO,KAAc;AACzC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,cAAc,IAAI,aAAa,IAAI,QAAQ;AACjD,MAAI,CAAC,aAAa;AAChB,WAAO,aAAa,KAAK,EAAE,OAAO,qCAAqC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3F;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAC5C,QAAM,QAAQ,UAAU,QAAQ,OAAO;AAEvC,QAAM,kBAAkB,MAAM,KAAK;AAAA,IACjC,KAAK;AAAA,IACL,CAAC,cAAc;AAAA,IACf,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK;AAAA,EACxE,KAAK;AACL,MAAI,CAAC,iBAAiB;AACpB,WAAO,aAAa,KAAK,EAAE,OAAO,aAAa,kBAAkB,CAAC,cAAc,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACtG;AAEA,QAAM,OAAO,MAAM,gBAAgB,IAAI,EAAE,QAAQ,aAAa,UAAU,KAAK,YAAY,KAAK,CAAC;AAC/F,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvE;AAGA,QAAM,GAAG,aAAa,uBAAuB;AAAA,IAC3C,MAAM,KAAK;AAAA,IACX,UAAU,KAAK,YAAY;AAAA,EAC7B,CAAC;AAED,MAAI,OAAO,cAAc;AACvB,QAAI;AACF,YAAM,MAAM,aAAa,CAAC,oBAAoB,KAAK,EAAE,EAAE,CAAC;AAAA,IAC1D,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,OAAO,EAAE,MAAM,QAAQ,QAAQ,KAAK,GAAG,EAAE,CAAC;AACjF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,iCAAiC;AAAA,QACtG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,mBAAmB;AAAA,QAC/F,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,qBAAqB,QAAQ,uCAAuC;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,QACjG,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,uCAAuC;AAAA,QACjH,EAAE,QAAQ,KAAK,aAAa,kCAAkC,QAAQ,mBAAmB;AAAA,QACzF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,mBAAmB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,mBAAmB;AAAA,MACnG;AAAA,IACF;AAAA,EACF;AACF;",
   "names": ["rolesPayload"]
 }

package/dist/modules/auth/api/users/acl/route.js CHANGED Viewed

@@ -4,8 +4,9 @@ import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { logCrudAccess } from "@open-mercato/shared/lib/crud/factory";
 import { forbidden, isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
-import { UserAcl } from "@open-mercato/core/modules/auth/data/entities";
+import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
 import { withAtomicFlush } from "@open-mercato/shared/lib/commands/flush";
+import { UserAcl } from "@open-mercato/core/modules/auth/data/entities";
 import { assertActorCanModifySuperAdminUserTarget } from "@open-mercato/core/modules/auth/lib/grantChecks";
 const getSchema = z.object({ userId: z.string().uuid() });
 const putSchema = z.object({
@@ -22,7 +23,8 @@ const userAclResponseSchema = z.object({
   hasCustomAcl: z.boolean(),
   isSuperAdmin: z.boolean(),
   features: z.array(z.string()),
-  organizations: z.array(z.string()).nullable()
+  organizations: z.array(z.string()).nullable(),
+  updatedAt: z.string().nullable()
 });
 const userAclUpdateResponseSchema = z.object({
   ok: z.literal(true),
@@ -60,8 +62,9 @@ async function GET(req) {
     hasCustomAcl: true,
     isSuperAdmin: !!acl.isSuperAdmin,
     features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],
-    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null
-  } : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null };
+    organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,
+    updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null
+  } : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null, updatedAt: null };
   await logCrudAccess({
     container,
     auth,
@@ -106,6 +109,19 @@ async function PUT(req) {
   const requestedFeatures = normalizeFeatureList(parsed.data.features);
   const organizations = Array.isArray(parsed.data.organizations) ? parsed.data.organizations : null;
   let acl = await em.findOne(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
+  if (acl) {
+    try {
+      enforceCommandOptimisticLock({
+        resourceKind: "auth.user_acl",
+        resourceId: acl.id,
+        current: acl.updatedAt ?? null,
+        request: req
+      });
+    } catch (err) {
+      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status });
+      throw err;
+    }
+  }
   const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false;
   const existingFeatures = acl && Array.isArray(acl.featuresJson) ? normalizeFeatureList(acl.featuresJson) : [];
   const effectiveFeatures = actorIsSuperAdmin ? requestedFeatures : sanitizeTenantFeatures(requestedFeatures);
@@ -122,22 +138,29 @@ async function PUT(req) {
     }
   }
   const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0;
-  await withAtomicFlush(em, [
-    () => {
-      if (!hasCustomAcl) {
-        if (acl) em.remove(acl);
-      } else {
-        if (!acl) {
-          acl = em.create(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
-        }
-        const aclRecord = acl;
-        aclRecord.isSuperAdmin = effectiveIsSuperAdmin;
-        aclRecord.featuresJson = effectiveFeatures;
-        aclRecord.organizationsJson = organizations;
-        em.persist(acl);
-      }
+  if (!hasCustomAcl) {
+    if (acl) {
+      const aclToRemove = acl;
+      await withAtomicFlush(em, [() => em.remove(aclToRemove)], { transaction: true });
     }
-  ], { transaction: true });
+  } else {
+    if (!acl) {
+      acl = em.create(UserAcl, { user: parsed.data.userId, tenantId: auth.tenantId });
+    }
+    const aclRecord = acl;
+    await withAtomicFlush(
+      em,
+      [
+        () => {
+          aclRecord.isSuperAdmin = effectiveIsSuperAdmin;
+          aclRecord.featuresJson = effectiveFeatures;
+          aclRecord.organizationsJson = organizations;
+          em.persist(aclRecord);
+        }
+      ],
+      { transaction: true }
+    );
+  }
   await rbacService.invalidateUserCache(parsed.data.userId);
   try {
     const cache = container.resolve("cache");

package/dist/modules/auth/api/users/acl/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../../src/modules/auth/api/users/acl/route.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { UserAcl } from '@open-mercato/core/modules/auth/data/entities'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { assertActorCanModifySuperAdminUserTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst getSchema = z.object({ userId: z.string().uuid() })\nconst putSchema = z.object({\n  userId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst userAclResponseSchema = z.object({\n  hasCustomAcl: z.boolean(),\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n})\n\nconst userAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst userAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  if (!actorAcl?.isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const response = acl\n    ? {\n        hasCustomAcl: true,\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n      }\n    : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.userId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.user_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: auth.tenantId ?? null,\n    query: { userId: parsed.data.userId },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  const actorIsSuperAdmin = !!actorAcl?.isSuperAdmin\n\n  if (!actorIsSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const requestedFeatures = normalizeFeatureList(parsed.data.features)\n  const organizations = Array.isArray(parsed.data.organizations) ? parsed.data.organizations : null\n\n  let acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false\n  const existingFeatures = acl && Array.isArray(acl.featuresJson) ? normalizeFeatureList(acl.featuresJson) : []\n\n  const effectiveFeatures = actorIsSuperAdmin\n    ? requestedFeatures\n    : sanitizeTenantFeatures(requestedFeatures)\n\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? false\n  let effectiveIsSuperAdmin = requestedIsSuperAdmin\n\n  if (!actorIsSuperAdmin) {\n    if (requestedIsSuperAdmin && !existingIsSuperAdmin) {\n      throw forbidden('Only super administrators can grant super admin access.')\n    }\n    if (existingIsSuperAdmin && requestedIsSuperAdmin === false) {\n      effectiveIsSuperAdmin = false\n    } else {\n      effectiveIsSuperAdmin = existingIsSuperAdmin\n    }\n  }\n\n  const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0\n\n  await withAtomicFlush(em, [\n    () => {\n      if (!hasCustomAcl) {\n        if (acl) em.remove(acl)\n      } else {\n        if (!acl) {\n          acl = em.create(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n        }\n        const aclRecord = acl as any\n        aclRecord.isSuperAdmin = effectiveIsSuperAdmin\n        aclRecord.featuresJson = effectiveFeatures\n        aclRecord.organizationsJson = organizations\n        em.persist(acl)\n      }\n    },\n  ], { transaction: true })\n\n  // Invalidate cache for this user\n  await rbacService.invalidateUserCache(parsed.data.userId)\n  try {\n    const cache = container.resolve('cache') as any\n    if (cache) await cache.deleteByTags([`rbac:user:${parsed.data.userId}`])\n  } catch {}\n\n  return NextResponse.json({\n    ok: true,\n    sanitized: !actorIsSuperAdmin && (hasRestrictedChanges(requestedFeatures, effectiveFeatures, existingFeatures) || requestedIsSuperAdmin !== effectiveIsSuperAdmin),\n  })\n}\n\nfunction normalizeFeatureList(features: unknown): string[] {\n  if (!Array.isArray(features)) return []\n  const dedup = new Set<string>()\n  for (const value of features) {\n    if (typeof value !== 'string') continue\n    const trimmed = value.trim()\n    if (!trimmed) continue\n    dedup.add(trimmed)\n  }\n  return Array.from(dedup)\n}\n\nfunction sanitizeTenantFeatures(features: string[]): string[] {\n  return features.filter((feature) => !isTenantRestrictedFeature(feature))\n}\n\nfunction isTenantRestrictedFeature(feature: string): boolean {\n  if (feature === '*' || feature === 'directory.*') return true\n  if (feature.startsWith('directory.tenants')) return true\n  return false\n}\n\nfunction hasRestrictedChanges(requested: string[], effective: string[], existing: string[]): boolean {\n  if (requested.length === effective.length) return false\n  const effectiveSet = new Set(effective)\n  const existingSet = new Set(existing)\n  // If the effective set matches existing, we only trimmed restricted duplicates and should not report\n  if (effectiveSet.size === existingSet.size) {\n    let identical = true\n    for (const value of effectiveSet) {\n      if (!existingSet.has(value)) {\n        identical = false\n        break\n      }\n    }\n    if (identical) return false\n  }\n  return true\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch user ACL',\n      description: 'Returns custom ACL overrides for a user within the current tenant, if any.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'User ACL entry', schema: userAclResponseSchema },\n        { status: 400, description: 'Invalid user id', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user ACL',\n      description: 'Configures per-user ACL overrides, including super admin access, feature list, and organization scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'User ACL updated', schema: userAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: userAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,WAAW,uBAAuB;AAC3C,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAChC,SAAS,gDAAgD;AAIzD,MAAM,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AACzD,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC9C,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC7E,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,MAAI,CAAC,UAAU,gBAAgB,KAAK,KAAK;AACvC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACzG,QAAM,WAAW,MACb;AAAA,IACE,cAAc;AAAA,IACd,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,EAChF,IACA,EAAE,cAAc,OAAO,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AAElF,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,EAAE,QAAQ,OAAO,KAAK,OAAO;AAAA,IACpC,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AAEnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,QAAM,oBAAoB,CAAC,CAAC,UAAU;AAEtC,MAAI,CAAC,qBAAqB,KAAK,KAAK;AAClC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,oBAAoB,qBAAqB,OAAO,KAAK,QAAQ;AACnE,QAAM,gBAAgB,MAAM,QAAQ,OAAO,KAAK,aAAa,IAAI,OAAO,KAAK,gBAAgB;AAE7F,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACvG,QAAM,uBAAuB,MAAM,CAAC,CAAC,IAAI,eAAe;AACxD,QAAM,mBAAmB,OAAO,MAAM,QAAQ,IAAI,YAAY,IAAI,qBAAqB,IAAI,YAAY,IAAI,CAAC;AAE5G,QAAM,oBAAoB,oBACtB,oBACA,uBAAuB,iBAAiB;AAE5C,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAC1D,MAAI,wBAAwB;AAE5B,MAAI,CAAC,mBAAmB;AACtB,QAAI,yBAAyB,CAAC,sBAAsB;AAClD,YAAM,UAAU,yDAAyD;AAAA,IAC3E;AACA,QAAI,wBAAwB,0BAA0B,OAAO;AAC3D,8BAAwB;AAAA,IAC1B,OAAO;AACL,8BAAwB;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,eAAe,yBAAyB,kBAAkB,SAAS;AAEzE,QAAM,gBAAgB,IAAI;AAAA,IACxB,MAAM;AACJ,UAAI,CAAC,cAAc;AACjB,YAAI,IAAK,IAAG,OAAO,GAAG;AAAA,MACxB,OAAO;AACL,YAAI,CAAC,KAAK;AACR,gBAAM,GAAG,OAAO,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAAA,QAC9F;AACA,cAAM,YAAY;AAClB,kBAAU,eAAe;AACzB,kBAAU,eAAe;AACzB,kBAAU,oBAAoB;AAC9B,WAAG,QAAQ,GAAG;AAAA,MAChB;AAAA,IACF;AAAA,EACF,GAAG,EAAE,aAAa,KAAK,CAAC;AAGxB,QAAM,YAAY,oBAAoB,OAAO,KAAK,MAAM;AACxD,MAAI;AACF,UAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,QAAI,MAAO,OAAM,MAAM,aAAa,CAAC,aAAa,OAAO,KAAK,MAAM,EAAE,CAAC;AAAA,EACzE,QAAQ;AAAA,EAAC;AAET,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW,CAAC,sBAAsB,qBAAqB,mBAAmB,mBAAmB,gBAAgB,KAAK,0BAA0B;AAAA,EAC9I,CAAC;AACH;AAEA,SAAS,qBAAqB,UAA6B;AACzD,MAAI,CAAC,MAAM,QAAQ,QAAQ,EAAG,QAAO,CAAC;AACtC,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,SAAS,UAAU;AAC5B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,UAAM,IAAI,OAAO;AAAA,EACnB;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,uBAAuB,UAA8B;AAC5D,SAAO,SAAS,OAAO,CAAC,YAAY,CAAC,0BAA0B,OAAO,CAAC;AACzE;AAEA,SAAS,0BAA0B,SAA0B;AAC3D,MAAI,YAAY,OAAO,YAAY,cAAe,QAAO;AACzD,MAAI,QAAQ,WAAW,mBAAmB,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,SAAS,qBAAqB,WAAqB,WAAqB,UAA6B;AACnG,MAAI,UAAU,WAAW,UAAU,OAAQ,QAAO;AAClD,QAAM,eAAe,IAAI,IAAI,SAAS;AACtC,QAAM,cAAc,IAAI,IAAI,QAAQ;AAEpC,MAAI,aAAa,SAAS,YAAY,MAAM;AAC1C,QAAI,YAAY;AAChB,eAAW,SAAS,cAAc;AAChC,UAAI,CAAC,YAAY,IAAI,KAAK,GAAG;AAC3B,oBAAY;AACZ;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAW,QAAO;AAAA,EACxB;AACA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,MAClG;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { logCrudAccess } from '@open-mercato/shared/lib/crud/factory'\nimport { forbidden, isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { enforceCommandOptimisticLock } from '@open-mercato/shared/lib/crud/optimistic-lock-command'\nimport { withAtomicFlush } from '@open-mercato/shared/lib/commands/flush'\nimport { UserAcl } from '@open-mercato/core/modules/auth/data/entities'\nimport { assertActorCanModifySuperAdminUserTarget } from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nconst getSchema = z.object({ userId: z.string().uuid() })\nconst putSchema = z.object({\n  userId: z.string().uuid(),\n  isSuperAdmin: z.boolean().optional(),\n  features: z.array(z.string()).optional(),\n  organizations: z.array(z.string()).nullable().optional(),\n})\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.acl.manage'] },\n}\n\nconst userAclResponseSchema = z.object({\n  hasCustomAcl: z.boolean(),\n  isSuperAdmin: z.boolean(),\n  features: z.array(z.string()),\n  organizations: z.array(z.string()).nullable(),\n  updatedAt: z.string().nullable(),\n})\n\nconst userAclUpdateResponseSchema = z.object({\n  ok: z.literal(true),\n  sanitized: z.boolean(),\n})\n\nconst userAclErrorSchema = z.object({ error: z.string() })\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const url = new URL(req.url)\n  const parsed = getSchema.safeParse({ userId: url.searchParams.get('userId') })\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  if (!actorAcl?.isSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  const response = acl\n    ? {\n        hasCustomAcl: true,\n        isSuperAdmin: !!acl.isSuperAdmin,\n        features: Array.isArray(acl.featuresJson) ? acl.featuresJson : [],\n        organizations: Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null,\n        updatedAt: acl.updatedAt instanceof Date ? acl.updatedAt.toISOString() : null,\n      }\n    : { hasCustomAcl: false, isSuperAdmin: false, features: [], organizations: null, updatedAt: null }\n\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items: [{ id: parsed.data.userId, ...response }],\n    idField: 'id',\n    resourceKind: 'auth.user_acl',\n    organizationId: auth.orgId ?? null,\n    tenantId: auth.tenantId ?? null,\n    query: { userId: parsed.data.userId },\n    accessType: 'read:item',\n  })\n\n  return NextResponse.json(response)\n}\n\nexport async function PUT(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  const body = await req.json().catch(() => ({}))\n  const parsed = putSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as any\n  const rbacService = container.resolve('rbacService') as any\n\n  const actorAcl = auth.sub\n    ? await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n    : null\n  const actorIsSuperAdmin = !!actorAcl?.isSuperAdmin\n\n  if (!actorIsSuperAdmin && auth.sub) {\n    try {\n      await assertActorCanModifySuperAdminUserTarget({\n        em: em as EntityManager,\n        rbacService: rbacService as RbacService,\n        actorUserId: auth.sub,\n        tenantId: auth.tenantId ?? null,\n        organizationId: auth.orgId ?? null,\n        targetUserId: parsed.data.userId,\n        actorIsSuperAdmin: false,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n\n  const requestedFeatures = normalizeFeatureList(parsed.data.features)\n  const organizations = Array.isArray(parsed.data.organizations) ? parsed.data.organizations : null\n\n  let acl = await em.findOne(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n  // Optimistic lock: refuse a stale per-user ACL overwrite so concurrent edits\n  // cannot silently clobber each other (#2055). Strictly additive \u2014 a no-op when\n  // the client sends no expected-version header; skipped when no ACL row exists.\n  if (acl) {\n    try {\n      enforceCommandOptimisticLock({\n        resourceKind: 'auth.user_acl',\n        resourceId: acl.id,\n        current: acl.updatedAt ?? null,\n        request: req,\n      })\n    } catch (err) {\n      if (isCrudHttpError(err)) return NextResponse.json(err.body, { status: err.status })\n      throw err\n    }\n  }\n  const existingIsSuperAdmin = acl ? !!acl.isSuperAdmin : false\n  const existingFeatures = acl && Array.isArray(acl.featuresJson) ? normalizeFeatureList(acl.featuresJson) : []\n\n  const effectiveFeatures = actorIsSuperAdmin\n    ? requestedFeatures\n    : sanitizeTenantFeatures(requestedFeatures)\n\n  const requestedIsSuperAdmin = parsed.data.isSuperAdmin ?? false\n  let effectiveIsSuperAdmin = requestedIsSuperAdmin\n\n  if (!actorIsSuperAdmin) {\n    if (requestedIsSuperAdmin && !existingIsSuperAdmin) {\n      throw forbidden('Only super administrators can grant super admin access.')\n    }\n    if (existingIsSuperAdmin && requestedIsSuperAdmin === false) {\n      effectiveIsSuperAdmin = false\n    } else {\n      effectiveIsSuperAdmin = existingIsSuperAdmin\n    }\n  }\n\n  const hasCustomAcl = effectiveIsSuperAdmin || effectiveFeatures.length > 0\n\n  // Persist the ACL mutation inside a transaction so the per-user permission\n  // write (or removal) commits atomically (proper ACL-edit transaction handling).\n  if (!hasCustomAcl) {\n    if (acl) {\n      const aclToRemove = acl\n      await withAtomicFlush(em, [() => em.remove(aclToRemove)], { transaction: true })\n    }\n  } else {\n    if (!acl) {\n      acl = em.create(UserAcl, { user: parsed.data.userId as any, tenantId: auth.tenantId as any })\n    }\n    const aclRecord = acl as any\n    await withAtomicFlush(\n      em,\n      [\n        () => {\n          aclRecord.isSuperAdmin = effectiveIsSuperAdmin\n          aclRecord.featuresJson = effectiveFeatures\n          aclRecord.organizationsJson = organizations\n          em.persist(aclRecord)\n        },\n      ],\n      { transaction: true },\n    )\n  }\n\n  // Invalidate cache for this user\n  await rbacService.invalidateUserCache(parsed.data.userId)\n  try {\n    const cache = container.resolve('cache') as any\n    if (cache) await cache.deleteByTags([`rbac:user:${parsed.data.userId}`])\n  } catch {}\n\n  return NextResponse.json({\n    ok: true,\n    sanitized: !actorIsSuperAdmin && (hasRestrictedChanges(requestedFeatures, effectiveFeatures, existingFeatures) || requestedIsSuperAdmin !== effectiveIsSuperAdmin),\n  })\n}\n\nfunction normalizeFeatureList(features: unknown): string[] {\n  if (!Array.isArray(features)) return []\n  const dedup = new Set<string>()\n  for (const value of features) {\n    if (typeof value !== 'string') continue\n    const trimmed = value.trim()\n    if (!trimmed) continue\n    dedup.add(trimmed)\n  }\n  return Array.from(dedup)\n}\n\nfunction sanitizeTenantFeatures(features: string[]): string[] {\n  return features.filter((feature) => !isTenantRestrictedFeature(feature))\n}\n\nfunction isTenantRestrictedFeature(feature: string): boolean {\n  if (feature === '*' || feature === 'directory.*') return true\n  if (feature.startsWith('directory.tenants')) return true\n  return false\n}\n\nfunction hasRestrictedChanges(requested: string[], effective: string[], existing: string[]): boolean {\n  if (requested.length === effective.length) return false\n  const effectiveSet = new Set(effective)\n  const existingSet = new Set(existing)\n  // If the effective set matches existing, we only trimmed restricted duplicates and should not report\n  if (effectiveSet.size === existingSet.size) {\n    let identical = true\n    for (const value of effectiveSet) {\n      if (!existingSet.has(value)) {\n        identical = false\n        break\n      }\n    }\n    if (identical) return false\n  }\n  return true\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User ACL management',\n  methods: {\n    GET: {\n      summary: 'Fetch user ACL',\n      description: 'Returns custom ACL overrides for a user within the current tenant, if any.',\n      query: getSchema,\n      responses: [\n        { status: 200, description: 'User ACL entry', schema: userAclResponseSchema },\n        { status: 400, description: 'Invalid user id', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user ACL',\n      description: 'Configures per-user ACL overrides, including super admin access, feature list, and organization scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: putSchema,\n      },\n      responses: [\n        { status: 200, description: 'User ACL updated', schema: userAclUpdateResponseSchema },\n        { status: 400, description: 'Invalid payload', schema: userAclErrorSchema },\n        { status: 401, description: 'Unauthorized', schema: userAclErrorSchema },\n        { status: 403, description: 'Insufficient privileges to modify ACL', schema: userAclErrorSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,qBAAqB;AAC9B,SAAS,WAAW,uBAAuB;AAC3C,SAAS,oCAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,eAAe;AACxB,SAAS,gDAAgD;AAIzD,MAAM,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACxD,MAAM,YAAY,EAAE,OAAO;AAAA,EACzB,QAAQ,EAAE,OAAO,EAAE,KAAK;AAAA,EACxB,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACvC,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AACzD,CAAC;AAEM,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,MAAM,wBAAwB,EAAE,OAAO;AAAA,EACrC,cAAc,EAAE,QAAQ;AAAA,EACxB,cAAc,EAAE,QAAQ;AAAA,EACxB,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EAC5B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC5C,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,WAAW,EAAE,QAAQ;AACvB,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAEzD,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,SAAS,UAAU,UAAU,EAAE,QAAQ,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;AAC7E,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,MAAI,CAAC,UAAU,gBAAgB,KAAK,KAAK;AACvC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AACzG,QAAM,WAAW,MACb;AAAA,IACE,cAAc;AAAA,IACd,cAAc,CAAC,CAAC,IAAI;AAAA,IACpB,UAAU,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AAAA,IAChE,eAAe,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AAAA,IAC9E,WAAW,IAAI,qBAAqB,OAAO,IAAI,UAAU,YAAY,IAAI;AAAA,EAC3E,IACA,EAAE,cAAc,OAAO,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,MAAM,WAAW,KAAK;AAEnG,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,OAAO,CAAC,EAAE,IAAI,OAAO,KAAK,QAAQ,GAAG,SAAS,CAAC;AAAA,IAC/C,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB,KAAK,SAAS;AAAA,IAC9B,UAAU,KAAK,YAAY;AAAA,IAC3B,OAAO,EAAE,QAAQ,OAAO,KAAK,OAAO;AAAA,IACpC,YAAY;AAAA,EACd,CAAC;AAED,SAAO,aAAa,KAAK,QAAQ;AACnC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAC9C,QAAM,SAAS,UAAU,UAAU,IAAI;AACvC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,QAAQ,IAAI,CAAC;AACzF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,cAAc,UAAU,QAAQ,aAAa;AAEnD,QAAM,WAAW,KAAK,MAClB,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC,IAC3G;AACJ,QAAM,oBAAoB,CAAC,CAAC,UAAU;AAEtC,MAAI,CAAC,qBAAqB,KAAK,KAAK;AAClC,QAAI;AACF,YAAM,yCAAyC;AAAA,QAC7C;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,QAClB,UAAU,KAAK,YAAY;AAAA,QAC3B,gBAAgB,KAAK,SAAS;AAAA,QAC9B,cAAc,OAAO,KAAK;AAAA,QAC1B,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AAEA,QAAM,oBAAoB,qBAAqB,OAAO,KAAK,QAAQ;AACnE,QAAM,gBAAgB,MAAM,QAAQ,OAAO,KAAK,aAAa,IAAI,OAAO,KAAK,gBAAgB;AAE7F,MAAI,MAAM,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAIvG,MAAI,KAAK;AACP,QAAI;AACF,mCAA6B;AAAA,QAC3B,cAAc;AAAA,QACd,YAAY,IAAI;AAAA,QAChB,SAAS,IAAI,aAAa;AAAA,QAC1B,SAAS;AAAA,MACX,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,UAAI,gBAAgB,GAAG,EAAG,QAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AACnF,YAAM;AAAA,IACR;AAAA,EACF;AACA,QAAM,uBAAuB,MAAM,CAAC,CAAC,IAAI,eAAe;AACxD,QAAM,mBAAmB,OAAO,MAAM,QAAQ,IAAI,YAAY,IAAI,qBAAqB,IAAI,YAAY,IAAI,CAAC;AAE5G,QAAM,oBAAoB,oBACtB,oBACA,uBAAuB,iBAAiB;AAE5C,QAAM,wBAAwB,OAAO,KAAK,gBAAgB;AAC1D,MAAI,wBAAwB;AAE5B,MAAI,CAAC,mBAAmB;AACtB,QAAI,yBAAyB,CAAC,sBAAsB;AAClD,YAAM,UAAU,yDAAyD;AAAA,IAC3E;AACA,QAAI,wBAAwB,0BAA0B,OAAO;AAC3D,8BAAwB;AAAA,IAC1B,OAAO;AACL,8BAAwB;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,eAAe,yBAAyB,kBAAkB,SAAS;AAIzE,MAAI,CAAC,cAAc;AACjB,QAAI,KAAK;AACP,YAAM,cAAc;AACpB,YAAM,gBAAgB,IAAI,CAAC,MAAM,GAAG,OAAO,WAAW,CAAC,GAAG,EAAE,aAAa,KAAK,CAAC;AAAA,IACjF;AAAA,EACF,OAAO;AACL,QAAI,CAAC,KAAK;AACR,YAAM,GAAG,OAAO,SAAS,EAAE,MAAM,OAAO,KAAK,QAAe,UAAU,KAAK,SAAgB,CAAC;AAAA,IAC9F;AACA,UAAM,YAAY;AAClB,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,QACE,MAAM;AACJ,oBAAU,eAAe;AACzB,oBAAU,eAAe;AACzB,oBAAU,oBAAoB;AAC9B,aAAG,QAAQ,SAAS;AAAA,QACtB;AAAA,MACF;AAAA,MACA,EAAE,aAAa,KAAK;AAAA,IACtB;AAAA,EACF;AAGA,QAAM,YAAY,oBAAoB,OAAO,KAAK,MAAM;AACxD,MAAI;AACF,UAAM,QAAQ,UAAU,QAAQ,OAAO;AACvC,QAAI,MAAO,OAAM,MAAM,aAAa,CAAC,aAAa,OAAO,KAAK,MAAM,EAAE,CAAC;AAAA,EACzE,QAAQ;AAAA,EAAC;AAET,SAAO,aAAa,KAAK;AAAA,IACvB,IAAI;AAAA,IACJ,WAAW,CAAC,sBAAsB,qBAAqB,mBAAmB,mBAAmB,gBAAgB,KAAK,0BAA0B;AAAA,EAC9I,CAAC;AACH;AAEA,SAAS,qBAAqB,UAA6B;AACzD,MAAI,CAAC,MAAM,QAAQ,QAAQ,EAAG,QAAO,CAAC;AACtC,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,SAAS,UAAU;AAC5B,QAAI,OAAO,UAAU,SAAU;AAC/B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,QAAS;AACd,UAAM,IAAI,OAAO;AAAA,EACnB;AACA,SAAO,MAAM,KAAK,KAAK;AACzB;AAEA,SAAS,uBAAuB,UAA8B;AAC5D,SAAO,SAAS,OAAO,CAAC,YAAY,CAAC,0BAA0B,OAAO,CAAC;AACzE;AAEA,SAAS,0BAA0B,SAA0B;AAC3D,MAAI,YAAY,OAAO,YAAY,cAAe,QAAO;AACzD,MAAI,QAAQ,WAAW,mBAAmB,EAAG,QAAO;AACpD,SAAO;AACT;AAEA,SAAS,qBAAqB,WAAqB,WAAqB,UAA6B;AACnG,MAAI,UAAU,WAAW,UAAU,OAAQ,QAAO;AAClD,QAAM,eAAe,IAAI,IAAI,SAAS;AACtC,QAAM,cAAc,IAAI,IAAI,QAAQ;AAEpC,MAAI,aAAa,SAAS,YAAY,MAAM;AAC1C,QAAI,YAAY;AAChB,eAAW,SAAS,cAAc;AAChC,UAAI,CAAC,YAAY,IAAI,KAAK,GAAG;AAC3B,oBAAY;AACZ;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAW,QAAO;AAAA,EACxB;AACA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,sBAAsB;AAAA,QAC5E,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,MACzE;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,oBAAoB,QAAQ,4BAA4B;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,mBAAmB;AAAA,QAC1E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,mBAAmB;AAAA,QACvE,EAAE,QAAQ,KAAK,aAAa,yCAAyC,QAAQ,mBAAmB;AAAA,MAClG;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/api/users/route.js CHANGED Viewed

@@ -68,7 +68,8 @@ const userListItemSchema = z.object({
   tenantId: z.string().uuid().nullable(),
   tenantName: z.string().nullable(),
   roles: z.array(z.string()),
-  roleIds: z.array(z.string().uuid()).optional()
+  roleIds: z.array(z.string().uuid()).optional(),
+  updatedAt: z.string().nullable().optional()
 });
 const userListResponseSchema = z.object({
   items: z.array(userListItemSchema),
@@ -385,6 +386,7 @@ async function GET(req) {
       roles: roleMap[uid] || [],
       roleIds: roleIdMap[uid] || [],
       hasPassword: !!u.passwordHash,
+      updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : null,
       ...cfByUser[uid] || {}
     };
   });

package/dist/modules/auth/api/users/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/auth/api/users/route.ts"],
-  "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'\nimport {\n  assertActorCanGrantRoleTokens,\n  assertActorCanModifySuperAdminUserTarget,\n  listSuperAdminUserIds,\n} from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'\nimport { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'\nimport { sql } from 'kysely'\nimport { normalizeDisplayNameInput } from '@open-mercato/core/modules/auth/lib/displayName'\nimport {\n  getSelectedTenantFromRequest,\n  resolveOrganizationScopeForRequest,\n} from '@open-mercato/core/modules/directory/utils/organizationScope'\n\nconst querySchema = z.object({\n  id: z.string().uuid().optional(),\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(50),\n  search: z.string().optional(),\n  name: z.string().optional(),\n  organizationId: z.string().uuid().optional(),\n  roleIds: z.array(z.string().uuid()).optional(),\n}).passthrough()\n\nconst rawBodySchema = z.object({}).passthrough()\n\nconst passwordSchema = buildPasswordSchema()\n\nconst displayNameSchema = z.preprocess(\n  normalizeDisplayNameInput,\n  z.string().trim().min(1).max(120).nullable().optional(),\n)\n\nconst userCreateSchema = z.object({\n  email: z.string().email(),\n  name: displayNameSchema,\n  password: passwordSchema.optional(),\n  sendInviteEmail: z.boolean().optional(),\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n}).refine(\n  (data) => data.password || data.sendInviteEmail,\n  { message: 'Either password or sendInviteEmail is required', path: ['password'] },\n)\n\nconst userUpdateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  name: displayNameSchema,\n  password: passwordSchema.optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst userListItemSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email(),\n  name: z.string().nullable(),\n  organizationId: z.string().uuid().nullable(),\n  organizationName: z.string().nullable(),\n  tenantId: z.string().uuid().nullable(),\n  tenantName: z.string().nullable(),\n  roles: z.array(z.string()),\n  roleIds: z.array(z.string().uuid()).optional(),\n})\n\nconst userListResponseSchema = z.object({\n  items: z.array(userListItemSchema),\n  total: z.number().int().nonnegative(),\n  totalPages: z.number().int().positive(),\n  isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\ntype CrudInput = Record<string, unknown>\ntype UserListFilter = Record<string, unknown>\n\nconst routeMetadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.users.list'] },\n  POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.users.edit'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.users.delete'] },\n}\n\nexport const metadata = routeMetadata\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n  metadata: routeMetadata,\n  orm: {\n    entity: User,\n    idField: 'id',\n    orgField: null,\n    tenantField: null,\n    softDeleteField: 'deletedAt',\n  },\n  events: userCrudEvents,\n  indexer: userCrudIndexer,\n  actions: {\n    create: {\n      commandId: 'auth.users.create',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request) {\n          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)\n        }\n        return parsed\n      },\n      response: ({ result }) => ({\n        id: String(result.user.id),\n        ...(result.warning ? { _warning: result.warning } : {}),\n      }),\n      status: 201,\n    },\n    update: {\n      commandId: 'auth.users.update',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request) {\n          if (typeof parsed.id === 'string' && parsed.id.length) {\n            await assertCanModifySuperAdminTarget(ctx.request, parsed.id)\n          }\n          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)\n        }\n        return parsed\n      },\n      response: () => ({ ok: true }),\n    },\n    delete: {\n      commandId: 'auth.users.delete',\n      response: () => ({ ok: true }),\n    },\n  },\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const url = new URL(req.url)\n  const rawRoleIds = url.searchParams.getAll('roleId').filter((id): id is string => typeof id === 'string' && id.trim().length > 0)\n  const parsed = querySchema.safeParse({\n    id: url.searchParams.get('id') || undefined,\n    page: url.searchParams.get('page') || undefined,\n    pageSize: url.searchParams.get('pageSize') || undefined,\n    search: url.searchParams.get('search') || undefined,\n    name: url.searchParams.get('name') || undefined,\n    organizationId: url.searchParams.get('organizationId') || undefined,\n    roleIds: rawRoleIds.length ? rawRoleIds : undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager)\n  let isSuperAdmin = auth.isSuperAdmin === true\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as any\n      const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n      isSuperAdmin = isSuperAdmin || !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('users: failed to resolve rbac', err)\n  }\n  const { id, page, pageSize, search, name, organizationId, roleIds } = parsed.data\n  const filters: any[] = [{ deletedAt: null }]\n  const actorTenantId = auth.tenantId ? String(auth.tenantId) : null\n  let effectiveTenantId: string | null = null\n  let effectiveOrganizationIds: string[] | null = null\n  let effectiveSelectedOrganizationId: string | null = null\n  let usesSelectedTenantScope = false\n  if (!isSuperAdmin) {\n    if (!actorTenantId) {\n      return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n    }\n    effectiveTenantId = actorTenantId\n    const superAdminUserIds = await listSuperAdminUserIds(em, actorTenantId)\n    if (superAdminUserIds.size) {\n      filters.push({ id: { $nin: Array.from(superAdminUserIds) as any } })\n    }\n  } else {\n    const selectedTenantId = getSelectedTenantFromRequest(req)\n    if (typeof selectedTenantId === 'string' && selectedTenantId.trim().length > 0) {\n      const scope = await resolveOrganizationScopeForRequest({\n        container,\n        auth,\n        request: req,\n        tenantId: selectedTenantId.trim(),\n      })\n      if (!scope.tenantId) {\n        return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n      }\n      effectiveTenantId = scope.tenantId\n      effectiveSelectedOrganizationId = scope.selectedId\n      usesSelectedTenantScope = true\n      if (Array.isArray(scope.filterIds)) {\n        if (scope.filterIds.length === 0) {\n          return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n        }\n        effectiveOrganizationIds = scope.filterIds\n      }\n    }\n  }\n  if (effectiveTenantId) {\n    filters.push({ tenantId: effectiveTenantId })\n  }\n  if (effectiveOrganizationIds) {\n    filters.push({ organizationId: { $in: effectiveOrganizationIds as any } })\n  }\n  const scopeOrganizationId = usesSelectedTenantScope\n    ? effectiveSelectedOrganizationId\n    : auth.orgId ?? null\n  if (organizationId) filters.push({ organizationId })\n  const trimmedName = typeof name === 'string' ? name.trim() : ''\n  if (trimmedName) {\n    const searchPattern = `%${escapeLikePattern(trimmedName)}%`\n    const displayNameFilters: UserListFilter[] = [{ name: { $ilike: searchPattern } }]\n    const nameTokenScope: string | null | undefined = isSuperAdmin ? (effectiveTenantId ?? undefined) : auth.tenantId ?? null\n    const matchedDisplayNameIds = await findUserIdsBySearchTokens(em, E.auth.user, trimmedName, nameTokenScope, 'name')\n    if (matchedDisplayNameIds && matchedDisplayNameIds.length) {\n      displayNameFilters.push({ id: { $in: matchedDisplayNameIds } })\n    }\n    filters.push(displayNameFilters.length > 1 ? { $or: displayNameFilters } : displayNameFilters[0])\n  }\n  let idFilter: Set<string> | null = id ? new Set([id]) : null\n  if (Array.isArray(roleIds) && roleIds.length > 0) {\n    const uniqueRoleIds = Array.from(new Set(roleIds))\n    const linksForRoles = await em.find(UserRole, { role: { $in: uniqueRoleIds as any } } as any)\n    const roleUserIds = new Set<string>()\n    for (const link of linksForRoles) {\n      const uid = String((link as any).user?.id || (link as any).user || '')\n      if (uid) roleUserIds.add(uid)\n    }\n    if (roleUserIds.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n    if (idFilter) {\n      for (const uid of Array.from(idFilter)) {\n        if (!roleUserIds.has(uid)) idFilter.delete(uid)\n      }\n    } else {\n      idFilter = roleUserIds\n    }\n    if (!idFilter || idFilter.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  }\n  const trimmedSearch = typeof search === 'string' ? search.trim() : ''\n  if (trimmedSearch) {\n    // Email is encrypted at rest, so plaintext search must go through search_tokens.\n    const tenantScope: string | null | undefined = isSuperAdmin ? (effectiveTenantId ?? undefined) : auth.tenantId ?? null\n    const searchFilters: any[] = []\n\n    const matchedIds = await findUserIdsBySearchTokens(em, E.auth.user, trimmedSearch, tenantScope)\n    if (matchedIds && matchedIds.length) {\n      searchFilters.push({ id: { $in: matchedIds as any } })\n    }\n\n    const searchPattern = `%${escapeLikePattern(trimmedSearch)}%`\n    const organizationSearchFilters: any[] = [\n      { deletedAt: null },\n      { name: { $ilike: searchPattern } },\n    ]\n    if (tenantScope) {\n      organizationSearchFilters.push({ tenant: tenantScope })\n    }\n    const matchingOrganizations = await em.find(\n      Organization,\n      organizationSearchFilters.length > 1 ? { $and: organizationSearchFilters } : organizationSearchFilters[0],\n    )\n    const matchingOrganizationIds = matchingOrganizations\n      .map((org) => (org?.id ? String(org.id) : null))\n      .filter((orgId): orgId is string => typeof orgId === 'string' && orgId.length > 0)\n    if (matchingOrganizationIds.length) {\n      searchFilters.push({ organizationId: { $in: matchingOrganizationIds as any } })\n    }\n\n    const roleSearchFilters: any[] = [\n      { deletedAt: null },\n      { name: { $ilike: searchPattern } },\n    ]\n    if (tenantScope) {\n      roleSearchFilters.push({ $or: [{ tenantId: tenantScope }, { tenantId: null }] })\n    }\n    const matchingRoles = await em.find(\n      Role,\n      roleSearchFilters.length > 1 ? { $and: roleSearchFilters } : roleSearchFilters[0],\n    )\n    const matchingRoleIds = matchingRoles\n      .map((role) => (role?.id ? String(role.id) : null))\n      .filter((roleId): roleId is string => typeof roleId === 'string' && roleId.length > 0)\n    if (matchingRoleIds.length) {\n      const roleSearchLinks = await em.find(\n        UserRole,\n        { role: { $in: matchingRoleIds as any } } as any,\n      )\n      const matchingRoleUserIds = Array.from(new Set(\n        roleSearchLinks\n          .map((link) => {\n            const userRef = (link as any).user\n            const userId = userRef?.id ?? userRef\n            return userId ? String(userId) : null\n          })\n          .filter((userId): userId is string => typeof userId === 'string' && userId.length > 0),\n      ))\n      if (matchingRoleUserIds.length) {\n        searchFilters.push({ id: { $in: matchingRoleUserIds as any } })\n      }\n    }\n\n    if (!searchFilters.length) {\n      return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n    }\n\n    filters.push(searchFilters.length > 1 ? { $or: searchFilters } : searchFilters[0])\n  }\n  if (idFilter && idFilter.size) {\n    filters.push({ id: { $in: Array.from(idFilter) as any } })\n  } else if (id) {\n    filters.push({ id })\n  }\n  const where = filters.length > 1 ? { $and: filters } : filters[0]\n  const [rows, count] = await em.findAndCount(User, where, { limit: pageSize, offset: (page - 1) * pageSize })\n  const userIds = rows.map((u: any) => u.id)\n  const links = userIds.length\n    ? await findWithDecryption(\n        em,\n        UserRole,\n        { user: { $in: userIds as any } } as any,\n        { populate: ['role'] },\n        {\n          tenantId: effectiveTenantId ?? auth.tenantId ?? null,\n          organizationId: scopeOrganizationId,\n        },\n      )\n    : []\n  const roleMap: Record<string, string[]> = {}\n  const roleIdMap: Record<string, string[]> = {}\n  for (const l of links) {\n    const uid = String((l as any).user?.id || (l as any).user)\n    const rname = String((l as any).role?.name || '')\n    const rid = String((l as any).role?.id ?? '')\n    if (!roleMap[uid]) roleMap[uid] = []\n    if (!roleIdMap[uid]) roleIdMap[uid] = []\n    if (rname) roleMap[uid].push(rname)\n    if (rid) roleIdMap[uid].push(rid)\n  }\n  const orgIds = rows\n    .map((u: any) => (u.organizationId ? String(u.organizationId) : null))\n    .filter((id): id is string => !!id)\n  const uniqueOrgIds = Array.from(new Set(orgIds))\n  let orgMap: Record<string, string> = {}\n  if (uniqueOrgIds.length) {\n    const organizations = await em.find(\n      Organization,\n      { id: { $in: uniqueOrgIds as any }, deletedAt: null },\n    )\n    orgMap = organizations.reduce<Record<string, string>>((acc, org) => {\n      const orgId = org?.id ? String(org.id) : null\n      if (!orgId) return acc\n      const rawName = (org as any)?.name\n      const orgName = typeof rawName === 'string' && rawName.length > 0 ? rawName : orgId\n      acc[orgId] = orgName\n      return acc\n    }, {})\n  }\n  const tenantIds = rows\n    .map((u: any) => (u.tenantId ? String(u.tenantId) : null))\n    .filter((id): id is string => !!id)\n  const uniqueTenantIds = Array.from(new Set(tenantIds))\n  let tenantMap: Record<string, string> = {}\n  if (uniqueTenantIds.length) {\n    const tenants = await em.find(\n      Tenant,\n      { id: { $in: uniqueTenantIds as any }, deletedAt: null },\n    )\n    tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n      const tenantId = tenant?.id ? String(tenant.id) : null\n      if (!tenantId) return acc\n      const rawName = (tenant as any)?.name\n      const tenantName = typeof rawName === 'string' && rawName.length > 0 ? rawName : tenantId\n      acc[tenantId] = tenantName\n      return acc\n    }, {})\n  }\n  const tenantByUser: Record<string, string | null> = {}\n  const organizationByUser: Record<string, string | null> = {}\n  for (const u of rows) {\n    const uid = String(u.id)\n    tenantByUser[uid] = u.tenantId ? String(u.tenantId) : null\n    organizationByUser[uid] = u.organizationId ? String(u.organizationId) : null\n  }\n  const cfByUser = userIds.length\n    ? await loadCustomFieldValues({\n        em,\n        entityId: E.auth.user,\n        recordIds: userIds.map(String),\n        tenantIdByRecord: tenantByUser,\n        organizationIdByRecord: organizationByUser,\n        tenantFallbacks: effectiveTenantId ? [effectiveTenantId] : auth.tenantId ? [auth.tenantId] : [],\n      })\n    : {}\n\n  const items = rows.map((u: any) => {\n    const uid = String(u.id)\n    const orgId = u.organizationId ? String(u.organizationId) : null\n    return {\n      id: uid,\n      email: String(u.email),\n      name: u.name ? String(u.name) : null,\n      organizationId: orgId,\n      organizationName: orgId ? orgMap[orgId] ?? orgId : null,\n      tenantId: u.tenantId ? String(u.tenantId) : null,\n      tenantName: u.tenantId ? tenantMap[String(u.tenantId)] ?? String(u.tenantId) : null,\n      roles: roleMap[uid] || [],\n      roleIds: roleIdMap[uid] || [],\n      hasPassword: !!u.passwordHash,\n      ...(cfByUser[uid] || {}),\n    }\n  })\n  const totalPages = Math.max(1, Math.ceil(count / pageSize))\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items,\n    idField: 'id',\n    resourceKind: 'auth.user',\n    organizationId: effectiveSelectedOrganizationId,\n    tenantId: effectiveTenantId ?? auth.tenantId ?? null,\n    query: parsed.data,\n    accessType: id ? 'read:item' : undefined,\n  })\n  return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = async (req: Request) => {\n  return crud.POST(req)\n}\n\nexport const PUT = async (req: Request) => {\n  return crud.PUT(req)\n}\n\nexport const DELETE = async (req: Request) => {\n  const targetId = new URL(req.url).searchParams.get('id')\n  if (targetId) {\n    try {\n      await assertCanModifySuperAdminTarget(req, targetId)\n    } catch (err) {\n      if (err instanceof CrudHttpError) {\n        return NextResponse.json(err.body, { status: err.status })\n      }\n      throw err\n    }\n  }\n  return crud.DELETE(req)\n}\n\nasync function findUserIdsBySearchTokens(\n  em: EntityManager,\n  entityType: string,\n  search: string,\n  tenantScope: string | null | undefined,\n  field?: string,\n): Promise<string[] | null> {\n  const trimmed = search.trim()\n  if (!trimmed) return null\n  const searchConfig = resolveSearchConfig()\n  if (!searchConfig.enabled) return []\n  const { hashes } = tokenizeText(trimmed, searchConfig)\n  if (!hashes.length) return []\n\n  const db = (em as any).getKysely() as any\n  let query = db\n    .selectFrom('search_tokens')\n    .select('entity_id')\n    .where('entity_type', '=', entityType)\n    .where('token_hash', 'in', hashes)\n    .groupBy('entity_id')\n    .having(sql<boolean>`count(distinct token_hash) >= ${hashes.length}`)\n  if (field) {\n    query = query.where('field', '=', field)\n  }\n  if (tenantScope !== undefined) {\n    query = query.where(sql<boolean>`tenant_id is not distinct from ${tenantScope}`)\n  }\n  const rows = (await query.execute()) as Array<{ entity_id?: unknown }>\n  return rows\n    .map((row) => (typeof row.entity_id === 'string' ? row.entity_id : null))\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\nasync function assertCanModifySuperAdminTarget(req: Request, targetUserId: string) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  await assertActorCanModifySuperAdminUserTarget({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    targetUserId,\n  })\n}\n\nasync function assertCanAssignRoles(req: Request, roles: unknown, payload: Record<string, unknown>) {\n  if (!Array.isArray(roles)) return\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const tenantId = await resolveTargetTenantIdForRoleGrant(em, payload, auth.tenantId ?? null)\n  await assertActorCanGrantRoleTokens({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId,\n    organizationId: auth.orgId ?? null,\n    roleTokens: roles,\n  })\n}\n\nasync function resolveTargetTenantIdForRoleGrant(\n  em: EntityManager,\n  payload: Record<string, unknown>,\n  fallbackTenantId: string | null,\n): Promise<string | null> {\n  const organizationId = typeof payload.organizationId === 'string' ? payload.organizationId : null\n  if (organizationId) {\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId },\n    )\n    return organization?.tenant?.id ? String(organization.tenant.id) : fallbackTenantId\n  }\n\n  const userId = typeof payload.id === 'string' ? payload.id : null\n  if (userId) {\n    const user = await findOneWithDecryption(\n      em,\n      User,\n      { id: userId, deletedAt: null },\n      {},\n      { tenantId: null, organizationId: null },\n    )\n    return user?.tenantId ? String(user.tenantId) : fallbackTenantId\n  }\n\n  return fallbackTenantId\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User management',\n  methods: {\n    GET: {\n      summary: 'List users',\n      description:\n        'Returns users for the effective selected tenant and organization scope. Search matches email, organization name, and role name. Super administrators may scope the response via the topbar context, organization filters, or role filters.',\n      query: querySchema,\n      responses: [\n        { status: 200, description: 'User collection', schema: userListResponseSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create user',\n      description: 'Creates a new confirmed user within the specified organization, optional display name, and optional roles.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: userCreateSchema,\n      },\n      responses: [\n        {\n          status: 201,\n          description: 'User created',\n          schema: z.object({ id: z.string().uuid() }),\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or duplicate email', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user',\n      description: 'Updates profile fields including display name, organization assignment, credentials, or role memberships.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: userUpdateSchema,\n      },\n      responses: [\n        { status: 200, description: 'User updated', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n        { status: 404, description: 'User not found', schema: errorResponseSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete user',\n      description: 'Deletes a user by identifier. Undo support is provided via the command bus.',\n      query: z.object({ id: z.string().uuid().describe('User identifier') }),\n      responses: [\n        { status: 200, description: 'User deleted', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'User cannot be deleted', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'User not found', schema: errorResponseSchema },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,qBAAqB;AAC9B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,MAAM,gBAAgB;AAErC,SAAS,cAAc,cAAc;AACrC,SAAS,SAAS;AAClB,SAAS,6BAA6B;AAEtC,SAAS,gBAAgB,uBAAuB;AAChD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,2BAA2B;AACpC,SAAS,yBAAyB;AAClC,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,WAAW;AACpB,SAAS,iCAAiC;AAC1C;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC,EAAE,YAAY;AAEf,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAE/C,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,oBAAoB,EAAE;AAAA,EAC1B;AAAA,EACA,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS;AACxD;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,MAAM;AAAA,EACN,UAAU,eAAe,SAAS;AAAA,EAClC,iBAAiB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACtC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC,EAAE;AAAA,EACD,CAAC,SAAS,KAAK,YAAY,KAAK;AAAA,EAChC,EAAE,SAAS,kDAAkD,MAAM,CAAC,UAAU,EAAE;AAClF;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,MAAM;AAAA,EACN,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,kBAAkB,EAAE,OAAO,EAAE,SAAS;AAAA,EACtC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EACzB,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAK1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,OAAO,MAAM;AAAA,QAC9D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,CAAC,EAAE,OAAO,OAAO;AAAA,QACzB,IAAI,OAAO,OAAO,KAAK,EAAE;AAAA,QACzB,GAAI,OAAO,UAAU,EAAE,UAAU,OAAO,QAAQ,IAAI,CAAC;AAAA,MACvD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,cAAI,OAAO,OAAO,OAAO,YAAY,OAAO,GAAG,QAAQ;AACrD,kBAAM,gCAAgC,IAAI,SAAS,OAAO,EAAE;AAAA,UAC9D;AACA,gBAAM,qBAAqB,IAAI,SAAS,OAAO,OAAO,MAAM;AAAA,QAC9D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,aAAa,IAAI,aAAa,OAAO,QAAQ,EAAE,OAAO,CAACA,QAAqB,OAAOA,QAAO,YAAYA,IAAG,KAAK,EAAE,SAAS,CAAC;AAChI,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,gBAAgB,IAAI,aAAa,IAAI,gBAAgB,KAAK;AAAA,IAC1D,SAAS,WAAW,SAAS,aAAa;AAAA,EAC5C,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe,KAAK,iBAAiB;AACzC,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,gBAAgB,CAAC,CAAC,KAAK;AAAA,IACxC;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,MAAM,gBAAgB,QAAQ,IAAI,OAAO;AAC7E,QAAM,UAAiB,CAAC,EAAE,WAAW,KAAK,CAAC;AAC3C,QAAM,gBAAgB,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAC9D,MAAI,oBAAmC;AACvC,MAAI,2BAA4C;AAChD,MAAI,kCAAiD;AACrD,MAAI,0BAA0B;AAC9B,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,eAAe;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AACA,wBAAoB;AACpB,UAAM,oBAAoB,MAAM,sBAAsB,IAAI,aAAa;AACvE,QAAI,kBAAkB,MAAM;AAC1B,cAAQ,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,KAAK,iBAAiB,EAAS,EAAE,CAAC;AAAA,IACrE;AAAA,EACF,OAAO;AACL,UAAM,mBAAmB,6BAA6B,GAAG;AACzD,QAAI,OAAO,qBAAqB,YAAY,iBAAiB,KAAK,EAAE,SAAS,GAAG;AAC9E,YAAM,QAAQ,MAAM,mCAAmC;AAAA,QACrD;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT,UAAU,iBAAiB,KAAK;AAAA,MAClC,CAAC;AACD,UAAI,CAAC,MAAM,UAAU;AACnB,eAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,MAC/E;AACA,0BAAoB,MAAM;AAC1B,wCAAkC,MAAM;AACxC,gCAA0B;AAC1B,UAAI,MAAM,QAAQ,MAAM,SAAS,GAAG;AAClC,YAAI,MAAM,UAAU,WAAW,GAAG;AAChC,iBAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,QAC/E;AACA,mCAA2B,MAAM;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AACA,MAAI,mBAAmB;AACrB,YAAQ,KAAK,EAAE,UAAU,kBAAkB,CAAC;AAAA,EAC9C;AACA,MAAI,0BAA0B;AAC5B,YAAQ,KAAK,EAAE,gBAAgB,EAAE,KAAK,yBAAgC,EAAE,CAAC;AAAA,EAC3E;AACA,QAAM,sBAAsB,0BACxB,kCACA,KAAK,SAAS;AAClB,MAAI,eAAgB,SAAQ,KAAK,EAAE,eAAe,CAAC;AACnD,QAAM,cAAc,OAAO,SAAS,WAAW,KAAK,KAAK,IAAI;AAC7D,MAAI,aAAa;AACf,UAAM,gBAAgB,IAAI,kBAAkB,WAAW,CAAC;AACxD,UAAM,qBAAuC,CAAC,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE,CAAC;AACjF,UAAM,iBAA4C,eAAgB,qBAAqB,SAAa,KAAK,YAAY;AACrH,UAAM,wBAAwB,MAAM,0BAA0B,IAAI,EAAE,KAAK,MAAM,aAAa,gBAAgB,MAAM;AAClH,QAAI,yBAAyB,sBAAsB,QAAQ;AACzD,yBAAmB,KAAK,EAAE,IAAI,EAAE,KAAK,sBAAsB,EAAE,CAAC;AAAA,IAChE;AACA,YAAQ,KAAK,mBAAmB,SAAS,IAAI,EAAE,KAAK,mBAAmB,IAAI,mBAAmB,CAAC,CAAC;AAAA,EAClG;AACA,MAAI,WAA+B,KAAK,oBAAI,IAAI,CAAC,EAAE,CAAC,IAAI;AACxD,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,gBAAgB,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC;AACjD,UAAM,gBAAgB,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,EAAE,KAAK,cAAqB,EAAE,CAAQ;AAC5F,UAAM,cAAc,oBAAI,IAAY;AACpC,eAAW,QAAQ,eAAe;AAChC,YAAM,MAAM,OAAQ,KAAa,MAAM,MAAO,KAAa,QAAQ,EAAE;AACrE,UAAI,IAAK,aAAY,IAAI,GAAG;AAAA,IAC9B;AACA,QAAI,YAAY,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC3F,QAAI,UAAU;AACZ,iBAAW,OAAO,MAAM,KAAK,QAAQ,GAAG;AACtC,YAAI,CAAC,YAAY,IAAI,GAAG,EAAG,UAAS,OAAO,GAAG;AAAA,MAChD;AAAA,IACF,OAAO;AACL,iBAAW;AAAA,IACb;AACA,QAAI,CAAC,YAAY,SAAS,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAAA,EACvG;AACA,QAAM,gBAAgB,OAAO,WAAW,WAAW,OAAO,KAAK,IAAI;AACnE,MAAI,eAAe;AAEjB,UAAM,cAAyC,eAAgB,qBAAqB,SAAa,KAAK,YAAY;AAClH,UAAM,gBAAuB,CAAC;AAE9B,UAAM,aAAa,MAAM,0BAA0B,IAAI,EAAE,KAAK,MAAM,eAAe,WAAW;AAC9F,QAAI,cAAc,WAAW,QAAQ;AACnC,oBAAc,KAAK,EAAE,IAAI,EAAE,KAAK,WAAkB,EAAE,CAAC;AAAA,IACvD;AAEA,UAAM,gBAAgB,IAAI,kBAAkB,aAAa,CAAC;AAC1D,UAAM,4BAAmC;AAAA,MACvC,EAAE,WAAW,KAAK;AAAA,MAClB,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE;AAAA,IACpC;AACA,QAAI,aAAa;AACf,gCAA0B,KAAK,EAAE,QAAQ,YAAY,CAAC;AAAA,IACxD;AACA,UAAM,wBAAwB,MAAM,GAAG;AAAA,MACrC;AAAA,MACA,0BAA0B,SAAS,IAAI,EAAE,MAAM,0BAA0B,IAAI,0BAA0B,CAAC;AAAA,IAC1G;AACA,UAAM,0BAA0B,sBAC7B,IAAI,CAAC,QAAS,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI,IAAK,EAC9C,OAAO,CAAC,UAA2B,OAAO,UAAU,YAAY,MAAM,SAAS,CAAC;AACnF,QAAI,wBAAwB,QAAQ;AAClC,oBAAc,KAAK,EAAE,gBAAgB,EAAE,KAAK,wBAA+B,EAAE,CAAC;AAAA,IAChF;AAEA,UAAM,oBAA2B;AAAA,MAC/B,EAAE,WAAW,KAAK;AAAA,MAClB,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE;AAAA,IACpC;AACA,QAAI,aAAa;AACf,wBAAkB,KAAK,EAAE,KAAK,CAAC,EAAE,UAAU,YAAY,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,CAAC;AAAA,IACjF;AACA,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,kBAAkB,SAAS,IAAI,EAAE,MAAM,kBAAkB,IAAI,kBAAkB,CAAC;AAAA,IAClF;AACA,UAAM,kBAAkB,cACrB,IAAI,CAAC,SAAU,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI,IAAK,EACjD,OAAO,CAAC,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,CAAC;AACvF,QAAI,gBAAgB,QAAQ;AAC1B,YAAM,kBAAkB,MAAM,GAAG;AAAA,QAC/B;AAAA,QACA,EAAE,MAAM,EAAE,KAAK,gBAAuB,EAAE;AAAA,MAC1C;AACA,YAAM,sBAAsB,MAAM,KAAK,IAAI;AAAA,QACzC,gBACG,IAAI,CAAC,SAAS;AACb,gBAAM,UAAW,KAAa;AAC9B,gBAAM,SAAS,SAAS,MAAM;AAC9B,iBAAO,SAAS,OAAO,MAAM,IAAI;AAAA,QACnC,CAAC,EACA,OAAO,CAAC,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,CAAC;AAAA,MACzF,CAAC;AACD,UAAI,oBAAoB,QAAQ;AAC9B,sBAAc,KAAK,EAAE,IAAI,EAAE,KAAK,oBAA2B,EAAE,CAAC;AAAA,MAChE;AAAA,IACF;AAEA,QAAI,CAAC,cAAc,QAAQ;AACzB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AAEA,YAAQ,KAAK,cAAc,SAAS,IAAI,EAAE,KAAK,cAAc,IAAI,cAAc,CAAC,CAAC;AAAA,EACnF;AACA,MAAI,YAAY,SAAS,MAAM;AAC7B,YAAQ,KAAK,EAAE,IAAI,EAAE,KAAK,MAAM,KAAK,QAAQ,EAAS,EAAE,CAAC;AAAA,EAC3D,WAAW,IAAI;AACb,YAAQ,KAAK,EAAE,GAAG,CAAC;AAAA,EACrB;AACA,QAAM,QAAQ,QAAQ,SAAS,IAAI,EAAE,MAAM,QAAQ,IAAI,QAAQ,CAAC;AAChE,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,EAAE,EAAE;AACzC,QAAM,QAAQ,QAAQ,SAClB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAe,EAAE;AAAA,IAChC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB;AAAA,MACE,UAAU,qBAAqB,KAAK,YAAY;AAAA,MAChD,gBAAgB;AAAA,IAClB;AAAA,EACF,IACA,CAAC;AACL,QAAM,UAAoC,CAAC;AAC3C,QAAM,YAAsC,CAAC;AAC7C,aAAW,KAAK,OAAO;AACrB,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,UAAM,QAAQ,OAAQ,EAAU,MAAM,QAAQ,EAAE;AAChD,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAM,EAAE;AAC5C,QAAI,CAAC,QAAQ,GAAG,EAAG,SAAQ,GAAG,IAAI,CAAC;AACnC,QAAI,CAAC,UAAU,GAAG,EAAG,WAAU,GAAG,IAAI,CAAC;AACvC,QAAI,MAAO,SAAQ,GAAG,EAAE,KAAK,KAAK;AAClC,QAAI,IAAK,WAAU,GAAG,EAAE,KAAK,GAAG;AAAA,EAClC;AACA,QAAM,SAAS,KACZ,IAAI,CAAC,MAAY,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI,IAAK,EACpE,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;AAC/C,MAAI,SAAiC,CAAC;AACtC,MAAI,aAAa,QAAQ;AACvB,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,aAAoB,GAAG,WAAW,KAAK;AAAA,IACtD;AACA,aAAS,cAAc,OAA+B,CAAC,KAAK,QAAQ;AAClE,YAAM,QAAQ,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI;AACzC,UAAI,CAAC,MAAO,QAAO;AACnB,YAAM,UAAW,KAAa;AAC9B,YAAM,UAAU,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC9E,UAAI,KAAK,IAAI;AACb,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,YAAY,KACf,IAAI,CAAC,MAAY,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI,IAAK,EACxD,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,SAAS,CAAC;AACrD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,GAAG;AAAA,MACvB;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK;AAAA,IACzD;AACA,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,WAAW,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAClD,UAAI,CAAC,SAAU,QAAO;AACtB,YAAM,UAAW,QAAgB;AACjC,YAAM,aAAa,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AACjF,UAAI,QAAQ,IAAI;AAChB,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,QAAM,qBAAoD,CAAC;AAC3D,aAAW,KAAK,MAAM;AACpB,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,iBAAa,GAAG,IAAI,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AACtD,uBAAmB,GAAG,IAAI,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAAA,EAC1E;AACA,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW,QAAQ,IAAI,MAAM;AAAA,IAC7B,kBAAkB;AAAA,IAClB,wBAAwB;AAAA,IACxB,iBAAiB,oBAAoB,CAAC,iBAAiB,IAAI,KAAK,WAAW,CAAC,KAAK,QAAQ,IAAI,CAAC;AAAA,EAChG,CAAC,IACD,CAAC;AAEL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,UAAM,QAAQ,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAC5D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO,OAAO,EAAE,KAAK;AAAA,MACrB,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,IAAI;AAAA,MAChC,gBAAgB;AAAA,MAChB,kBAAkB,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAAA,MACnD,UAAU,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC5C,YAAY,EAAE,WAAW,UAAU,OAAO,EAAE,QAAQ,CAAC,KAAK,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC/E,OAAO,QAAQ,GAAG,KAAK,CAAC;AAAA,MACxB,SAAS,UAAU,GAAG,KAAK,CAAC;AAAA,MAC5B,aAAa,CAAC,CAAC,EAAE;AAAA,MACjB,GAAI,SAAS,GAAG,KAAK,CAAC;AAAA,IACxB;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,qBAAqB,KAAK,YAAY;AAAA,IAChD,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,OAAO,QAAiB;AAC1C,SAAO,KAAK,KAAK,GAAG;AACtB;AAEO,MAAM,MAAM,OAAO,QAAiB;AACzC,SAAO,KAAK,IAAI,GAAG;AACrB;AAEO,MAAM,SAAS,OAAO,QAAiB;AAC5C,QAAM,WAAW,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,IAAI,IAAI;AACvD,MAAI,UAAU;AACZ,QAAI;AACF,YAAM,gCAAgC,KAAK,QAAQ;AAAA,IACrD,SAAS,KAAK;AACZ,UAAI,eAAe,eAAe;AAChC,eAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,MAC3D;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACA,SAAO,KAAK,OAAO,GAAG;AACxB;AAEA,eAAe,0BACb,IACA,YACA,QACA,aACA,OAC0B;AAC1B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,eAAe,oBAAoB;AACzC,MAAI,CAAC,aAAa,QAAS,QAAO,CAAC;AACnC,QAAM,EAAE,OAAO,IAAI,aAAa,SAAS,YAAY;AACrD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,KAAM,GAAW,UAAU;AACjC,MAAI,QAAQ,GACT,WAAW,eAAe,EAC1B,OAAO,WAAW,EAClB,MAAM,eAAe,KAAK,UAAU,EACpC,MAAM,cAAc,MAAM,MAAM,EAChC,QAAQ,WAAW,EACnB,OAAO,oCAA6C,OAAO,MAAM,EAAE;AACtE,MAAI,OAAO;AACT,YAAQ,MAAM,MAAM,SAAS,KAAK,KAAK;AAAA,EACzC;AACA,MAAI,gBAAgB,QAAW;AAC7B,YAAQ,MAAM,MAAM,qCAA8C,WAAW,EAAE;AAAA,EACjF;AACA,QAAM,OAAQ,MAAM,MAAM,QAAQ;AAClC,SAAO,KACJ,IAAI,CAAC,QAAS,OAAO,IAAI,cAAc,WAAW,IAAI,YAAY,IAAK,EACvE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAEA,eAAe,gCAAgC,KAAc,cAAsB;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,yCAAyC;AAAA,IAC7C;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEA,eAAe,qBAAqB,KAAc,OAAgB,SAAkC;AAClG,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG;AAC3B,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,WAAW,MAAM,kCAAkC,IAAI,SAAS,KAAK,YAAY,IAAI;AAC3F,QAAM,8BAA8B;AAAA,IAClC;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,gBAAgB,KAAK,SAAS;AAAA,IAC9B,YAAY;AAAA,EACd,CAAC;AACH;AAEA,eAAe,kCACb,IACA,SACA,kBACwB;AACxB,QAAM,iBAAiB,OAAO,QAAQ,mBAAmB,WAAW,QAAQ,iBAAiB;AAC7F,MAAI,gBAAgB;AAClB,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC;AACA,WAAO,cAAc,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,EACrE;AAEA,QAAM,SAAS,OAAO,QAAQ,OAAO,WAAW,QAAQ,KAAK;AAC7D,MAAI,QAAQ;AACV,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MAC9B,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,WAAO,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,EAClD;AAEA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,oBAAoB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,MAClG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["/* eslint-disable @typescript-eslint/no-explicit-any */\nimport { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { logCrudAccess, makeCrudRoute } from '@open-mercato/shared/lib/crud/factory'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { User, Role, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'\nimport { E } from '#generated/entities.ids.generated'\nimport { loadCustomFieldValues } from '@open-mercato/shared/lib/crud/custom-fields'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { userCrudEvents, userCrudIndexer } from '@open-mercato/core/modules/auth/commands/users'\nimport {\n  assertActorCanGrantRoleTokens,\n  assertActorCanModifySuperAdminUserTarget,\n  listSuperAdminUserIds,\n} from '@open-mercato/core/modules/auth/lib/grantChecks'\nimport { findOneWithDecryption, findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildPasswordSchema } from '@open-mercato/shared/lib/auth/passwordPolicy'\nimport { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'\nimport { resolveSearchConfig } from '@open-mercato/shared/lib/search/config'\nimport { tokenizeText } from '@open-mercato/shared/lib/search/tokenize'\nimport { sql } from 'kysely'\nimport { normalizeDisplayNameInput } from '@open-mercato/core/modules/auth/lib/displayName'\nimport {\n  getSelectedTenantFromRequest,\n  resolveOrganizationScopeForRequest,\n} from '@open-mercato/core/modules/directory/utils/organizationScope'\n\nconst querySchema = z.object({\n  id: z.string().uuid().optional(),\n  page: z.coerce.number().min(1).default(1),\n  pageSize: z.coerce.number().min(1).max(100).default(50),\n  search: z.string().optional(),\n  name: z.string().optional(),\n  organizationId: z.string().uuid().optional(),\n  roleIds: z.array(z.string().uuid()).optional(),\n}).passthrough()\n\nconst rawBodySchema = z.object({}).passthrough()\n\nconst passwordSchema = buildPasswordSchema()\n\nconst displayNameSchema = z.preprocess(\n  normalizeDisplayNameInput,\n  z.string().trim().min(1).max(120).nullable().optional(),\n)\n\nconst userCreateSchema = z.object({\n  email: z.string().email(),\n  name: displayNameSchema,\n  password: passwordSchema.optional(),\n  sendInviteEmail: z.boolean().optional(),\n  organizationId: z.string().uuid(),\n  roles: z.array(z.string()).optional(),\n}).refine(\n  (data) => data.password || data.sendInviteEmail,\n  { message: 'Either password or sendInviteEmail is required', path: ['password'] },\n)\n\nconst userUpdateSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email().optional(),\n  name: displayNameSchema,\n  password: passwordSchema.optional(),\n  organizationId: z.string().uuid().optional(),\n  roles: z.array(z.string()).optional(),\n})\n\nconst userListItemSchema = z.object({\n  id: z.string().uuid(),\n  email: z.string().email(),\n  name: z.string().nullable(),\n  organizationId: z.string().uuid().nullable(),\n  organizationName: z.string().nullable(),\n  tenantId: z.string().uuid().nullable(),\n  tenantName: z.string().nullable(),\n  roles: z.array(z.string()),\n  roleIds: z.array(z.string().uuid()).optional(),\n  updatedAt: z.string().nullable().optional(),\n})\n\nconst userListResponseSchema = z.object({\n  items: z.array(userListItemSchema),\n  total: z.number().int().nonnegative(),\n  totalPages: z.number().int().positive(),\n  isSuperAdmin: z.boolean().optional(),\n})\n\nconst okResponseSchema = z.object({ ok: z.literal(true) })\n\nconst errorResponseSchema = z.object({ error: z.string() })\n\ntype CrudInput = Record<string, unknown>\ntype UserListFilter = Record<string, unknown>\n\nconst routeMetadata = {\n  GET: { requireAuth: true, requireFeatures: ['auth.users.list'] },\n  POST: { requireAuth: true, requireFeatures: ['auth.users.create'] },\n  PUT: { requireAuth: true, requireFeatures: ['auth.users.edit'] },\n  DELETE: { requireAuth: true, requireFeatures: ['auth.users.delete'] },\n}\n\nexport const metadata = routeMetadata\n\nconst crud = makeCrudRoute<CrudInput, CrudInput, Record<string, unknown>>({\n  metadata: routeMetadata,\n  orm: {\n    entity: User,\n    idField: 'id',\n    orgField: null,\n    tenantField: null,\n    softDeleteField: 'deletedAt',\n  },\n  events: userCrudEvents,\n  indexer: userCrudIndexer,\n  actions: {\n    create: {\n      commandId: 'auth.users.create',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request) {\n          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)\n        }\n        return parsed\n      },\n      response: ({ result }) => ({\n        id: String(result.user.id),\n        ...(result.warning ? { _warning: result.warning } : {}),\n      }),\n      status: 201,\n    },\n    update: {\n      commandId: 'auth.users.update',\n      schema: rawBodySchema,\n      mapInput: async ({ parsed, ctx }) => {\n        if (ctx.request) {\n          if (typeof parsed.id === 'string' && parsed.id.length) {\n            await assertCanModifySuperAdminTarget(ctx.request, parsed.id)\n          }\n          await assertCanAssignRoles(ctx.request, parsed.roles, parsed)\n        }\n        return parsed\n      },\n      response: () => ({ ok: true }),\n    },\n    delete: {\n      commandId: 'auth.users.delete',\n      response: () => ({ ok: true }),\n    },\n  },\n})\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const url = new URL(req.url)\n  const rawRoleIds = url.searchParams.getAll('roleId').filter((id): id is string => typeof id === 'string' && id.trim().length > 0)\n  const parsed = querySchema.safeParse({\n    id: url.searchParams.get('id') || undefined,\n    page: url.searchParams.get('page') || undefined,\n    pageSize: url.searchParams.get('pageSize') || undefined,\n    search: url.searchParams.get('search') || undefined,\n    name: url.searchParams.get('name') || undefined,\n    organizationId: url.searchParams.get('organizationId') || undefined,\n    roleIds: rawRoleIds.length ? rawRoleIds : undefined,\n  })\n  if (!parsed.success) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  const container = await createRequestContainer()\n  const em = (container.resolve('em') as EntityManager)\n  let isSuperAdmin = auth.isSuperAdmin === true\n  try {\n    if (auth.sub) {\n      const rbacService = container.resolve('rbacService') as any\n      const acl = await rbacService.loadAcl(auth.sub, { tenantId: auth.tenantId ?? null, organizationId: auth.orgId ?? null })\n      isSuperAdmin = isSuperAdmin || !!acl?.isSuperAdmin\n    }\n  } catch (err) {\n    console.error('users: failed to resolve rbac', err)\n  }\n  const { id, page, pageSize, search, name, organizationId, roleIds } = parsed.data\n  const filters: any[] = [{ deletedAt: null }]\n  const actorTenantId = auth.tenantId ? String(auth.tenantId) : null\n  let effectiveTenantId: string | null = null\n  let effectiveOrganizationIds: string[] | null = null\n  let effectiveSelectedOrganizationId: string | null = null\n  let usesSelectedTenantScope = false\n  if (!isSuperAdmin) {\n    if (!actorTenantId) {\n      return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n    }\n    effectiveTenantId = actorTenantId\n    const superAdminUserIds = await listSuperAdminUserIds(em, actorTenantId)\n    if (superAdminUserIds.size) {\n      filters.push({ id: { $nin: Array.from(superAdminUserIds) as any } })\n    }\n  } else {\n    const selectedTenantId = getSelectedTenantFromRequest(req)\n    if (typeof selectedTenantId === 'string' && selectedTenantId.trim().length > 0) {\n      const scope = await resolveOrganizationScopeForRequest({\n        container,\n        auth,\n        request: req,\n        tenantId: selectedTenantId.trim(),\n      })\n      if (!scope.tenantId) {\n        return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n      }\n      effectiveTenantId = scope.tenantId\n      effectiveSelectedOrganizationId = scope.selectedId\n      usesSelectedTenantScope = true\n      if (Array.isArray(scope.filterIds)) {\n        if (scope.filterIds.length === 0) {\n          return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n        }\n        effectiveOrganizationIds = scope.filterIds\n      }\n    }\n  }\n  if (effectiveTenantId) {\n    filters.push({ tenantId: effectiveTenantId })\n  }\n  if (effectiveOrganizationIds) {\n    filters.push({ organizationId: { $in: effectiveOrganizationIds as any } })\n  }\n  const scopeOrganizationId = usesSelectedTenantScope\n    ? effectiveSelectedOrganizationId\n    : auth.orgId ?? null\n  if (organizationId) filters.push({ organizationId })\n  const trimmedName = typeof name === 'string' ? name.trim() : ''\n  if (trimmedName) {\n    const searchPattern = `%${escapeLikePattern(trimmedName)}%`\n    const displayNameFilters: UserListFilter[] = [{ name: { $ilike: searchPattern } }]\n    const nameTokenScope: string | null | undefined = isSuperAdmin ? (effectiveTenantId ?? undefined) : auth.tenantId ?? null\n    const matchedDisplayNameIds = await findUserIdsBySearchTokens(em, E.auth.user, trimmedName, nameTokenScope, 'name')\n    if (matchedDisplayNameIds && matchedDisplayNameIds.length) {\n      displayNameFilters.push({ id: { $in: matchedDisplayNameIds } })\n    }\n    filters.push(displayNameFilters.length > 1 ? { $or: displayNameFilters } : displayNameFilters[0])\n  }\n  let idFilter: Set<string> | null = id ? new Set([id]) : null\n  if (Array.isArray(roleIds) && roleIds.length > 0) {\n    const uniqueRoleIds = Array.from(new Set(roleIds))\n    const linksForRoles = await em.find(UserRole, { role: { $in: uniqueRoleIds as any } } as any)\n    const roleUserIds = new Set<string>()\n    for (const link of linksForRoles) {\n      const uid = String((link as any).user?.id || (link as any).user || '')\n      if (uid) roleUserIds.add(uid)\n    }\n    if (roleUserIds.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n    if (idFilter) {\n      for (const uid of Array.from(idFilter)) {\n        if (!roleUserIds.has(uid)) idFilter.delete(uid)\n      }\n    } else {\n      idFilter = roleUserIds\n    }\n    if (!idFilter || idFilter.size === 0) return NextResponse.json({ items: [], total: 0, totalPages: 1 })\n  }\n  const trimmedSearch = typeof search === 'string' ? search.trim() : ''\n  if (trimmedSearch) {\n    // Email is encrypted at rest, so plaintext search must go through search_tokens.\n    const tenantScope: string | null | undefined = isSuperAdmin ? (effectiveTenantId ?? undefined) : auth.tenantId ?? null\n    const searchFilters: any[] = []\n\n    const matchedIds = await findUserIdsBySearchTokens(em, E.auth.user, trimmedSearch, tenantScope)\n    if (matchedIds && matchedIds.length) {\n      searchFilters.push({ id: { $in: matchedIds as any } })\n    }\n\n    const searchPattern = `%${escapeLikePattern(trimmedSearch)}%`\n    const organizationSearchFilters: any[] = [\n      { deletedAt: null },\n      { name: { $ilike: searchPattern } },\n    ]\n    if (tenantScope) {\n      organizationSearchFilters.push({ tenant: tenantScope })\n    }\n    const matchingOrganizations = await em.find(\n      Organization,\n      organizationSearchFilters.length > 1 ? { $and: organizationSearchFilters } : organizationSearchFilters[0],\n    )\n    const matchingOrganizationIds = matchingOrganizations\n      .map((org) => (org?.id ? String(org.id) : null))\n      .filter((orgId): orgId is string => typeof orgId === 'string' && orgId.length > 0)\n    if (matchingOrganizationIds.length) {\n      searchFilters.push({ organizationId: { $in: matchingOrganizationIds as any } })\n    }\n\n    const roleSearchFilters: any[] = [\n      { deletedAt: null },\n      { name: { $ilike: searchPattern } },\n    ]\n    if (tenantScope) {\n      roleSearchFilters.push({ $or: [{ tenantId: tenantScope }, { tenantId: null }] })\n    }\n    const matchingRoles = await em.find(\n      Role,\n      roleSearchFilters.length > 1 ? { $and: roleSearchFilters } : roleSearchFilters[0],\n    )\n    const matchingRoleIds = matchingRoles\n      .map((role) => (role?.id ? String(role.id) : null))\n      .filter((roleId): roleId is string => typeof roleId === 'string' && roleId.length > 0)\n    if (matchingRoleIds.length) {\n      const roleSearchLinks = await em.find(\n        UserRole,\n        { role: { $in: matchingRoleIds as any } } as any,\n      )\n      const matchingRoleUserIds = Array.from(new Set(\n        roleSearchLinks\n          .map((link) => {\n            const userRef = (link as any).user\n            const userId = userRef?.id ?? userRef\n            return userId ? String(userId) : null\n          })\n          .filter((userId): userId is string => typeof userId === 'string' && userId.length > 0),\n      ))\n      if (matchingRoleUserIds.length) {\n        searchFilters.push({ id: { $in: matchingRoleUserIds as any } })\n      }\n    }\n\n    if (!searchFilters.length) {\n      return NextResponse.json({ items: [], total: 0, totalPages: 1, isSuperAdmin })\n    }\n\n    filters.push(searchFilters.length > 1 ? { $or: searchFilters } : searchFilters[0])\n  }\n  if (idFilter && idFilter.size) {\n    filters.push({ id: { $in: Array.from(idFilter) as any } })\n  } else if (id) {\n    filters.push({ id })\n  }\n  const where = filters.length > 1 ? { $and: filters } : filters[0]\n  const [rows, count] = await em.findAndCount(User, where, { limit: pageSize, offset: (page - 1) * pageSize })\n  const userIds = rows.map((u: any) => u.id)\n  const links = userIds.length\n    ? await findWithDecryption(\n        em,\n        UserRole,\n        { user: { $in: userIds as any } } as any,\n        { populate: ['role'] },\n        {\n          tenantId: effectiveTenantId ?? auth.tenantId ?? null,\n          organizationId: scopeOrganizationId,\n        },\n      )\n    : []\n  const roleMap: Record<string, string[]> = {}\n  const roleIdMap: Record<string, string[]> = {}\n  for (const l of links) {\n    const uid = String((l as any).user?.id || (l as any).user)\n    const rname = String((l as any).role?.name || '')\n    const rid = String((l as any).role?.id ?? '')\n    if (!roleMap[uid]) roleMap[uid] = []\n    if (!roleIdMap[uid]) roleIdMap[uid] = []\n    if (rname) roleMap[uid].push(rname)\n    if (rid) roleIdMap[uid].push(rid)\n  }\n  const orgIds = rows\n    .map((u: any) => (u.organizationId ? String(u.organizationId) : null))\n    .filter((id): id is string => !!id)\n  const uniqueOrgIds = Array.from(new Set(orgIds))\n  let orgMap: Record<string, string> = {}\n  if (uniqueOrgIds.length) {\n    const organizations = await em.find(\n      Organization,\n      { id: { $in: uniqueOrgIds as any }, deletedAt: null },\n    )\n    orgMap = organizations.reduce<Record<string, string>>((acc, org) => {\n      const orgId = org?.id ? String(org.id) : null\n      if (!orgId) return acc\n      const rawName = (org as any)?.name\n      const orgName = typeof rawName === 'string' && rawName.length > 0 ? rawName : orgId\n      acc[orgId] = orgName\n      return acc\n    }, {})\n  }\n  const tenantIds = rows\n    .map((u: any) => (u.tenantId ? String(u.tenantId) : null))\n    .filter((id): id is string => !!id)\n  const uniqueTenantIds = Array.from(new Set(tenantIds))\n  let tenantMap: Record<string, string> = {}\n  if (uniqueTenantIds.length) {\n    const tenants = await em.find(\n      Tenant,\n      { id: { $in: uniqueTenantIds as any }, deletedAt: null },\n    )\n    tenantMap = tenants.reduce<Record<string, string>>((acc, tenant) => {\n      const tenantId = tenant?.id ? String(tenant.id) : null\n      if (!tenantId) return acc\n      const rawName = (tenant as any)?.name\n      const tenantName = typeof rawName === 'string' && rawName.length > 0 ? rawName : tenantId\n      acc[tenantId] = tenantName\n      return acc\n    }, {})\n  }\n  const tenantByUser: Record<string, string | null> = {}\n  const organizationByUser: Record<string, string | null> = {}\n  for (const u of rows) {\n    const uid = String(u.id)\n    tenantByUser[uid] = u.tenantId ? String(u.tenantId) : null\n    organizationByUser[uid] = u.organizationId ? String(u.organizationId) : null\n  }\n  const cfByUser = userIds.length\n    ? await loadCustomFieldValues({\n        em,\n        entityId: E.auth.user,\n        recordIds: userIds.map(String),\n        tenantIdByRecord: tenantByUser,\n        organizationIdByRecord: organizationByUser,\n        tenantFallbacks: effectiveTenantId ? [effectiveTenantId] : auth.tenantId ? [auth.tenantId] : [],\n      })\n    : {}\n\n  const items = rows.map((u: any) => {\n    const uid = String(u.id)\n    const orgId = u.organizationId ? String(u.organizationId) : null\n    return {\n      id: uid,\n      email: String(u.email),\n      name: u.name ? String(u.name) : null,\n      organizationId: orgId,\n      organizationName: orgId ? orgMap[orgId] ?? orgId : null,\n      tenantId: u.tenantId ? String(u.tenantId) : null,\n      tenantName: u.tenantId ? tenantMap[String(u.tenantId)] ?? String(u.tenantId) : null,\n      roles: roleMap[uid] || [],\n      roleIds: roleIdMap[uid] || [],\n      hasPassword: !!u.passwordHash,\n      updatedAt: u.updatedAt instanceof Date ? u.updatedAt.toISOString() : null,\n      ...(cfByUser[uid] || {}),\n    }\n  })\n  const totalPages = Math.max(1, Math.ceil(count / pageSize))\n  await logCrudAccess({\n    container,\n    auth,\n    request: req,\n    items,\n    idField: 'id',\n    resourceKind: 'auth.user',\n    organizationId: effectiveSelectedOrganizationId,\n    tenantId: effectiveTenantId ?? auth.tenantId ?? null,\n    query: parsed.data,\n    accessType: id ? 'read:item' : undefined,\n  })\n  return NextResponse.json({ items, total: count, totalPages, isSuperAdmin })\n}\n\nexport const POST = async (req: Request) => {\n  return crud.POST(req)\n}\n\nexport const PUT = async (req: Request) => {\n  return crud.PUT(req)\n}\n\nexport const DELETE = async (req: Request) => {\n  const targetId = new URL(req.url).searchParams.get('id')\n  if (targetId) {\n    try {\n      await assertCanModifySuperAdminTarget(req, targetId)\n    } catch (err) {\n      if (err instanceof CrudHttpError) {\n        return NextResponse.json(err.body, { status: err.status })\n      }\n      throw err\n    }\n  }\n  return crud.DELETE(req)\n}\n\nasync function findUserIdsBySearchTokens(\n  em: EntityManager,\n  entityType: string,\n  search: string,\n  tenantScope: string | null | undefined,\n  field?: string,\n): Promise<string[] | null> {\n  const trimmed = search.trim()\n  if (!trimmed) return null\n  const searchConfig = resolveSearchConfig()\n  if (!searchConfig.enabled) return []\n  const { hashes } = tokenizeText(trimmed, searchConfig)\n  if (!hashes.length) return []\n\n  const db = (em as any).getKysely() as any\n  let query = db\n    .selectFrom('search_tokens')\n    .select('entity_id')\n    .where('entity_type', '=', entityType)\n    .where('token_hash', 'in', hashes)\n    .groupBy('entity_id')\n    .having(sql<boolean>`count(distinct token_hash) >= ${hashes.length}`)\n  if (field) {\n    query = query.where('field', '=', field)\n  }\n  if (tenantScope !== undefined) {\n    query = query.where(sql<boolean>`tenant_id is not distinct from ${tenantScope}`)\n  }\n  const rows = (await query.execute()) as Array<{ entity_id?: unknown }>\n  return rows\n    .map((row) => (typeof row.entity_id === 'string' ? row.entity_id : null))\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\nasync function assertCanModifySuperAdminTarget(req: Request, targetUserId: string) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  await assertActorCanModifySuperAdminUserTarget({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    targetUserId,\n  })\n}\n\nasync function assertCanAssignRoles(req: Request, roles: unknown, payload: Record<string, unknown>) {\n  if (!Array.isArray(roles)) return\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new CrudHttpError(401, { error: 'Unauthorized' })\n  const container = await createRequestContainer()\n  const em = container.resolve('em') as EntityManager\n  const tenantId = await resolveTargetTenantIdForRoleGrant(em, payload, auth.tenantId ?? null)\n  await assertActorCanGrantRoleTokens({\n    em,\n    rbacService: container.resolve('rbacService') as RbacService,\n    actorUserId: auth.sub,\n    tenantId,\n    organizationId: auth.orgId ?? null,\n    roleTokens: roles,\n  })\n}\n\nasync function resolveTargetTenantIdForRoleGrant(\n  em: EntityManager,\n  payload: Record<string, unknown>,\n  fallbackTenantId: string | null,\n): Promise<string | null> {\n  const organizationId = typeof payload.organizationId === 'string' ? payload.organizationId : null\n  if (organizationId) {\n    const organization = await findOneWithDecryption(\n      em,\n      Organization,\n      { id: organizationId },\n      { populate: ['tenant'] },\n      { tenantId: null, organizationId },\n    )\n    return organization?.tenant?.id ? String(organization.tenant.id) : fallbackTenantId\n  }\n\n  const userId = typeof payload.id === 'string' ? payload.id : null\n  if (userId) {\n    const user = await findOneWithDecryption(\n      em,\n      User,\n      { id: userId, deletedAt: null },\n      {},\n      { tenantId: null, organizationId: null },\n    )\n    return user?.tenantId ? String(user.tenantId) : fallbackTenantId\n  }\n\n  return fallbackTenantId\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Authentication & Accounts',\n  summary: 'User management',\n  methods: {\n    GET: {\n      summary: 'List users',\n      description:\n        'Returns users for the effective selected tenant and organization scope. Search matches email, organization name, and role name. Super administrators may scope the response via the topbar context, organization filters, or role filters.',\n      query: querySchema,\n      responses: [\n        { status: 200, description: 'User collection', schema: userListResponseSchema },\n      ],\n    },\n    POST: {\n      summary: 'Create user',\n      description: 'Creates a new confirmed user within the specified organization, optional display name, and optional roles.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: userCreateSchema,\n      },\n      responses: [\n        {\n          status: 201,\n          description: 'User created',\n          schema: z.object({ id: z.string().uuid() }),\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload or duplicate email', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n      ],\n    },\n    PUT: {\n      summary: 'Update user',\n      description: 'Updates profile fields including display name, organization assignment, credentials, or role memberships.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: userUpdateSchema,\n      },\n      responses: [\n        { status: 200, description: 'User updated', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid payload', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 403, description: 'Attempted to assign privileged roles', schema: errorResponseSchema },\n        { status: 404, description: 'User not found', schema: errorResponseSchema },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete user',\n      description: 'Deletes a user by identifier. Undo support is provided via the command bus.',\n      query: z.object({ id: z.string().uuid().describe('User identifier') }),\n      responses: [\n        { status: 200, description: 'User deleted', schema: okResponseSchema },\n      ],\n      errors: [\n        { status: 400, description: 'User cannot be deleted', schema: errorResponseSchema },\n        { status: 401, description: 'Unauthorized', schema: errorResponseSchema },\n        { status: 404, description: 'User not found', schema: errorResponseSchema },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AACA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,eAAe,qBAAqB;AAC7C,SAAS,qBAAqB;AAC9B,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,MAAM,MAAM,gBAAgB;AAErC,SAAS,cAAc,cAAc;AACrC,SAAS,SAAS;AAClB,SAAS,6BAA6B;AAEtC,SAAS,gBAAgB,uBAAuB;AAChD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,2BAA2B;AACpC,SAAS,yBAAyB;AAClC,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAC7B,SAAS,WAAW;AACpB,SAAS,iCAAiC;AAC1C;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC/B,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACxC,UAAU,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE;AAAA,EACtD,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAC/C,CAAC,EAAE,YAAY;AAEf,MAAM,gBAAgB,EAAE,OAAO,CAAC,CAAC,EAAE,YAAY;AAE/C,MAAM,iBAAiB,oBAAoB;AAE3C,MAAM,oBAAoB,EAAE;AAAA,EAC1B;AAAA,EACA,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS;AACxD;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,MAAM;AAAA,EACN,UAAU,eAAe,SAAS;AAAA,EAClC,iBAAiB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACtC,gBAAgB,EAAE,OAAO,EAAE,KAAK;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC,EAAE;AAAA,EACD,CAAC,SAAS,KAAK,YAAY,KAAK;AAAA,EAChC,EAAE,SAAS,kDAAkD,MAAM,CAAC,UAAU,EAAE;AAClF;AAEA,MAAM,mBAAmB,EAAE,OAAO;AAAA,EAChC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA,EACnC,MAAM;AAAA,EACN,UAAU,eAAe,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACtC,CAAC;AAED,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,EACpB,OAAO,EAAE,OAAO,EAAE,MAAM;AAAA,EACxB,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,gBAAgB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EAC3C,kBAAkB,EAAE,OAAO,EAAE,SAAS;AAAA,EACtC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS;AAAA,EACrC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC;AAAA,EACzB,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,SAAS;AAAA,EAC7C,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC5C,CAAC;AAED,MAAM,yBAAyB,EAAE,OAAO;AAAA,EACtC,OAAO,EAAE,MAAM,kBAAkB;AAAA,EACjC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY;AAAA,EACpC,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACtC,cAAc,EAAE,QAAQ,EAAE,SAAS;AACrC,CAAC;AAED,MAAM,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;AAEzD,MAAM,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAK1D,MAAM,gBAAgB;AAAA,EACpB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEO,MAAM,WAAW;AAExB,MAAM,OAAO,cAA6D;AAAA,EACxE,UAAU;AAAA,EACV,KAAK;AAAA,IACH,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,IACV,aAAa;AAAA,IACb,iBAAiB;AAAA,EACnB;AAAA,EACA,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,gBAAM,qBAAqB,IAAI,SAAS,OAAO,OAAO,MAAM;AAAA,QAC9D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,CAAC,EAAE,OAAO,OAAO;AAAA,QACzB,IAAI,OAAO,OAAO,KAAK,EAAE;AAAA,QACzB,GAAI,OAAO,UAAU,EAAE,UAAU,OAAO,QAAQ,IAAI,CAAC;AAAA,MACvD;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,QAAQ;AAAA,MACR,UAAU,OAAO,EAAE,QAAQ,IAAI,MAAM;AACnC,YAAI,IAAI,SAAS;AACf,cAAI,OAAO,OAAO,OAAO,YAAY,OAAO,GAAG,QAAQ;AACrD,kBAAM,gCAAgC,IAAI,SAAS,OAAO,EAAE;AAAA,UAC9D;AACA,gBAAM,qBAAqB,IAAI,SAAS,OAAO,OAAO,MAAM;AAAA,QAC9D;AACA,eAAO;AAAA,MACT;AAAA,MACA,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,IACA,QAAQ;AAAA,MACN,WAAW;AAAA,MACX,UAAU,OAAO,EAAE,IAAI,KAAK;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;AAED,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,KAAM,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC1E,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,QAAM,aAAa,IAAI,aAAa,OAAO,QAAQ,EAAE,OAAO,CAACA,QAAqB,OAAOA,QAAO,YAAYA,IAAG,KAAK,EAAE,SAAS,CAAC;AAChI,QAAM,SAAS,YAAY,UAAU;AAAA,IACnC,IAAI,IAAI,aAAa,IAAI,IAAI,KAAK;AAAA,IAClC,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,IAC1C,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,IACtC,gBAAgB,IAAI,aAAa,IAAI,gBAAgB,KAAK;AAAA,IAC1D,SAAS,WAAW,SAAS,aAAa;AAAA,EAC5C,CAAC;AACD,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AACpF,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,MAAI,eAAe,KAAK,iBAAiB;AACzC,MAAI;AACF,QAAI,KAAK,KAAK;AACZ,YAAM,cAAc,UAAU,QAAQ,aAAa;AACnD,YAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK,EAAE,UAAU,KAAK,YAAY,MAAM,gBAAgB,KAAK,SAAS,KAAK,CAAC;AACvH,qBAAe,gBAAgB,CAAC,CAAC,KAAK;AAAA,IACxC;AAAA,EACF,SAAS,KAAK;AACZ,YAAQ,MAAM,iCAAiC,GAAG;AAAA,EACpD;AACA,QAAM,EAAE,IAAI,MAAM,UAAU,QAAQ,MAAM,gBAAgB,QAAQ,IAAI,OAAO;AAC7E,QAAM,UAAiB,CAAC,EAAE,WAAW,KAAK,CAAC;AAC3C,QAAM,gBAAgB,KAAK,WAAW,OAAO,KAAK,QAAQ,IAAI;AAC9D,MAAI,oBAAmC;AACvC,MAAI,2BAA4C;AAChD,MAAI,kCAAiD;AACrD,MAAI,0BAA0B;AAC9B,MAAI,CAAC,cAAc;AACjB,QAAI,CAAC,eAAe;AAClB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AACA,wBAAoB;AACpB,UAAM,oBAAoB,MAAM,sBAAsB,IAAI,aAAa;AACvE,QAAI,kBAAkB,MAAM;AAC1B,cAAQ,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,KAAK,iBAAiB,EAAS,EAAE,CAAC;AAAA,IACrE;AAAA,EACF,OAAO;AACL,UAAM,mBAAmB,6BAA6B,GAAG;AACzD,QAAI,OAAO,qBAAqB,YAAY,iBAAiB,KAAK,EAAE,SAAS,GAAG;AAC9E,YAAM,QAAQ,MAAM,mCAAmC;AAAA,QACrD;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT,UAAU,iBAAiB,KAAK;AAAA,MAClC,CAAC;AACD,UAAI,CAAC,MAAM,UAAU;AACnB,eAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,MAC/E;AACA,0BAAoB,MAAM;AAC1B,wCAAkC,MAAM;AACxC,gCAA0B;AAC1B,UAAI,MAAM,QAAQ,MAAM,SAAS,GAAG;AAClC,YAAI,MAAM,UAAU,WAAW,GAAG;AAChC,iBAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,QAC/E;AACA,mCAA2B,MAAM;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AACA,MAAI,mBAAmB;AACrB,YAAQ,KAAK,EAAE,UAAU,kBAAkB,CAAC;AAAA,EAC9C;AACA,MAAI,0BAA0B;AAC5B,YAAQ,KAAK,EAAE,gBAAgB,EAAE,KAAK,yBAAgC,EAAE,CAAC;AAAA,EAC3E;AACA,QAAM,sBAAsB,0BACxB,kCACA,KAAK,SAAS;AAClB,MAAI,eAAgB,SAAQ,KAAK,EAAE,eAAe,CAAC;AACnD,QAAM,cAAc,OAAO,SAAS,WAAW,KAAK,KAAK,IAAI;AAC7D,MAAI,aAAa;AACf,UAAM,gBAAgB,IAAI,kBAAkB,WAAW,CAAC;AACxD,UAAM,qBAAuC,CAAC,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE,CAAC;AACjF,UAAM,iBAA4C,eAAgB,qBAAqB,SAAa,KAAK,YAAY;AACrH,UAAM,wBAAwB,MAAM,0BAA0B,IAAI,EAAE,KAAK,MAAM,aAAa,gBAAgB,MAAM;AAClH,QAAI,yBAAyB,sBAAsB,QAAQ;AACzD,yBAAmB,KAAK,EAAE,IAAI,EAAE,KAAK,sBAAsB,EAAE,CAAC;AAAA,IAChE;AACA,YAAQ,KAAK,mBAAmB,SAAS,IAAI,EAAE,KAAK,mBAAmB,IAAI,mBAAmB,CAAC,CAAC;AAAA,EAClG;AACA,MAAI,WAA+B,KAAK,oBAAI,IAAI,CAAC,EAAE,CAAC,IAAI;AACxD,MAAI,MAAM,QAAQ,OAAO,KAAK,QAAQ,SAAS,GAAG;AAChD,UAAM,gBAAgB,MAAM,KAAK,IAAI,IAAI,OAAO,CAAC;AACjD,UAAM,gBAAgB,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,EAAE,KAAK,cAAqB,EAAE,CAAQ;AAC5F,UAAM,cAAc,oBAAI,IAAY;AACpC,eAAW,QAAQ,eAAe;AAChC,YAAM,MAAM,OAAQ,KAAa,MAAM,MAAO,KAAa,QAAQ,EAAE;AACrE,UAAI,IAAK,aAAY,IAAI,GAAG;AAAA,IAC9B;AACA,QAAI,YAAY,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAC3F,QAAI,UAAU;AACZ,iBAAW,OAAO,MAAM,KAAK,QAAQ,GAAG;AACtC,YAAI,CAAC,YAAY,IAAI,GAAG,EAAG,UAAS,OAAO,GAAG;AAAA,MAChD;AAAA,IACF,OAAO;AACL,iBAAW;AAAA,IACb;AACA,QAAI,CAAC,YAAY,SAAS,SAAS,EAAG,QAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,EAAE,CAAC;AAAA,EACvG;AACA,QAAM,gBAAgB,OAAO,WAAW,WAAW,OAAO,KAAK,IAAI;AACnE,MAAI,eAAe;AAEjB,UAAM,cAAyC,eAAgB,qBAAqB,SAAa,KAAK,YAAY;AAClH,UAAM,gBAAuB,CAAC;AAE9B,UAAM,aAAa,MAAM,0BAA0B,IAAI,EAAE,KAAK,MAAM,eAAe,WAAW;AAC9F,QAAI,cAAc,WAAW,QAAQ;AACnC,oBAAc,KAAK,EAAE,IAAI,EAAE,KAAK,WAAkB,EAAE,CAAC;AAAA,IACvD;AAEA,UAAM,gBAAgB,IAAI,kBAAkB,aAAa,CAAC;AAC1D,UAAM,4BAAmC;AAAA,MACvC,EAAE,WAAW,KAAK;AAAA,MAClB,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE;AAAA,IACpC;AACA,QAAI,aAAa;AACf,gCAA0B,KAAK,EAAE,QAAQ,YAAY,CAAC;AAAA,IACxD;AACA,UAAM,wBAAwB,MAAM,GAAG;AAAA,MACrC;AAAA,MACA,0BAA0B,SAAS,IAAI,EAAE,MAAM,0BAA0B,IAAI,0BAA0B,CAAC;AAAA,IAC1G;AACA,UAAM,0BAA0B,sBAC7B,IAAI,CAAC,QAAS,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI,IAAK,EAC9C,OAAO,CAAC,UAA2B,OAAO,UAAU,YAAY,MAAM,SAAS,CAAC;AACnF,QAAI,wBAAwB,QAAQ;AAClC,oBAAc,KAAK,EAAE,gBAAgB,EAAE,KAAK,wBAA+B,EAAE,CAAC;AAAA,IAChF;AAEA,UAAM,oBAA2B;AAAA,MAC/B,EAAE,WAAW,KAAK;AAAA,MAClB,EAAE,MAAM,EAAE,QAAQ,cAAc,EAAE;AAAA,IACpC;AACA,QAAI,aAAa;AACf,wBAAkB,KAAK,EAAE,KAAK,CAAC,EAAE,UAAU,YAAY,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE,CAAC;AAAA,IACjF;AACA,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,kBAAkB,SAAS,IAAI,EAAE,MAAM,kBAAkB,IAAI,kBAAkB,CAAC;AAAA,IAClF;AACA,UAAM,kBAAkB,cACrB,IAAI,CAAC,SAAU,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI,IAAK,EACjD,OAAO,CAAC,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,CAAC;AACvF,QAAI,gBAAgB,QAAQ;AAC1B,YAAM,kBAAkB,MAAM,GAAG;AAAA,QAC/B;AAAA,QACA,EAAE,MAAM,EAAE,KAAK,gBAAuB,EAAE;AAAA,MAC1C;AACA,YAAM,sBAAsB,MAAM,KAAK,IAAI;AAAA,QACzC,gBACG,IAAI,CAAC,SAAS;AACb,gBAAM,UAAW,KAAa;AAC9B,gBAAM,SAAS,SAAS,MAAM;AAC9B,iBAAO,SAAS,OAAO,MAAM,IAAI;AAAA,QACnC,CAAC,EACA,OAAO,CAAC,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,CAAC;AAAA,MACzF,CAAC;AACD,UAAI,oBAAoB,QAAQ;AAC9B,sBAAc,KAAK,EAAE,IAAI,EAAE,KAAK,oBAA2B,EAAE,CAAC;AAAA,MAChE;AAAA,IACF;AAEA,QAAI,CAAC,cAAc,QAAQ;AACzB,aAAO,aAAa,KAAK,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,YAAY,GAAG,aAAa,CAAC;AAAA,IAC/E;AAEA,YAAQ,KAAK,cAAc,SAAS,IAAI,EAAE,KAAK,cAAc,IAAI,cAAc,CAAC,CAAC;AAAA,EACnF;AACA,MAAI,YAAY,SAAS,MAAM;AAC7B,YAAQ,KAAK,EAAE,IAAI,EAAE,KAAK,MAAM,KAAK,QAAQ,EAAS,EAAE,CAAC;AAAA,EAC3D,WAAW,IAAI;AACb,YAAQ,KAAK,EAAE,GAAG,CAAC;AAAA,EACrB;AACA,QAAM,QAAQ,QAAQ,SAAS,IAAI,EAAE,MAAM,QAAQ,IAAI,QAAQ,CAAC;AAChE,QAAM,CAAC,MAAM,KAAK,IAAI,MAAM,GAAG,aAAa,MAAM,OAAO,EAAE,OAAO,UAAU,SAAS,OAAO,KAAK,SAAS,CAAC;AAC3G,QAAM,UAAU,KAAK,IAAI,CAAC,MAAW,EAAE,EAAE;AACzC,QAAM,QAAQ,QAAQ,SAClB,MAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,EAAE,KAAK,QAAe,EAAE;AAAA,IAChC,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB;AAAA,MACE,UAAU,qBAAqB,KAAK,YAAY;AAAA,MAChD,gBAAgB;AAAA,IAClB;AAAA,EACF,IACA,CAAC;AACL,QAAM,UAAoC,CAAC;AAC3C,QAAM,YAAsC,CAAC;AAC7C,aAAW,KAAK,OAAO;AACrB,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAO,EAAU,IAAI;AACzD,UAAM,QAAQ,OAAQ,EAAU,MAAM,QAAQ,EAAE;AAChD,UAAM,MAAM,OAAQ,EAAU,MAAM,MAAM,EAAE;AAC5C,QAAI,CAAC,QAAQ,GAAG,EAAG,SAAQ,GAAG,IAAI,CAAC;AACnC,QAAI,CAAC,UAAU,GAAG,EAAG,WAAU,GAAG,IAAI,CAAC;AACvC,QAAI,MAAO,SAAQ,GAAG,EAAE,KAAK,KAAK;AAClC,QAAI,IAAK,WAAU,GAAG,EAAE,KAAK,GAAG;AAAA,EAClC;AACA,QAAM,SAAS,KACZ,IAAI,CAAC,MAAY,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI,IAAK,EACpE,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,eAAe,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC;AAC/C,MAAI,SAAiC,CAAC;AACtC,MAAI,aAAa,QAAQ;AACvB,UAAM,gBAAgB,MAAM,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,aAAoB,GAAG,WAAW,KAAK;AAAA,IACtD;AACA,aAAS,cAAc,OAA+B,CAAC,KAAK,QAAQ;AAClE,YAAM,QAAQ,KAAK,KAAK,OAAO,IAAI,EAAE,IAAI;AACzC,UAAI,CAAC,MAAO,QAAO;AACnB,YAAM,UAAW,KAAa;AAC9B,YAAM,UAAU,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AAC9E,UAAI,KAAK,IAAI;AACb,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,YAAY,KACf,IAAI,CAAC,MAAY,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI,IAAK,EACxD,OAAO,CAACA,QAAqB,CAAC,CAACA,GAAE;AACpC,QAAM,kBAAkB,MAAM,KAAK,IAAI,IAAI,SAAS,CAAC;AACrD,MAAI,YAAoC,CAAC;AACzC,MAAI,gBAAgB,QAAQ;AAC1B,UAAM,UAAU,MAAM,GAAG;AAAA,MACvB;AAAA,MACA,EAAE,IAAI,EAAE,KAAK,gBAAuB,GAAG,WAAW,KAAK;AAAA,IACzD;AACA,gBAAY,QAAQ,OAA+B,CAAC,KAAK,WAAW;AAClE,YAAM,WAAW,QAAQ,KAAK,OAAO,OAAO,EAAE,IAAI;AAClD,UAAI,CAAC,SAAU,QAAO;AACtB,YAAM,UAAW,QAAgB;AACjC,YAAM,aAAa,OAAO,YAAY,YAAY,QAAQ,SAAS,IAAI,UAAU;AACjF,UAAI,QAAQ,IAAI;AAChB,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACP;AACA,QAAM,eAA8C,CAAC;AACrD,QAAM,qBAAoD,CAAC;AAC3D,aAAW,KAAK,MAAM;AACpB,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,iBAAa,GAAG,IAAI,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AACtD,uBAAmB,GAAG,IAAI,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAAA,EAC1E;AACA,QAAM,WAAW,QAAQ,SACrB,MAAM,sBAAsB;AAAA,IAC1B;AAAA,IACA,UAAU,EAAE,KAAK;AAAA,IACjB,WAAW,QAAQ,IAAI,MAAM;AAAA,IAC7B,kBAAkB;AAAA,IAClB,wBAAwB;AAAA,IACxB,iBAAiB,oBAAoB,CAAC,iBAAiB,IAAI,KAAK,WAAW,CAAC,KAAK,QAAQ,IAAI,CAAC;AAAA,EAChG,CAAC,IACD,CAAC;AAEL,QAAM,QAAQ,KAAK,IAAI,CAAC,MAAW;AACjC,UAAM,MAAM,OAAO,EAAE,EAAE;AACvB,UAAM,QAAQ,EAAE,iBAAiB,OAAO,EAAE,cAAc,IAAI;AAC5D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO,OAAO,EAAE,KAAK;AAAA,MACrB,MAAM,EAAE,OAAO,OAAO,EAAE,IAAI,IAAI;AAAA,MAChC,gBAAgB;AAAA,MAChB,kBAAkB,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAAA,MACnD,UAAU,EAAE,WAAW,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC5C,YAAY,EAAE,WAAW,UAAU,OAAO,EAAE,QAAQ,CAAC,KAAK,OAAO,EAAE,QAAQ,IAAI;AAAA,MAC/E,OAAO,QAAQ,GAAG,KAAK,CAAC;AAAA,MACxB,SAAS,UAAU,GAAG,KAAK,CAAC;AAAA,MAC5B,aAAa,CAAC,CAAC,EAAE;AAAA,MACjB,WAAW,EAAE,qBAAqB,OAAO,EAAE,UAAU,YAAY,IAAI;AAAA,MACrE,GAAI,SAAS,GAAG,KAAK,CAAC;AAAA,IACxB;AAAA,EACF,CAAC;AACD,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ,QAAQ,CAAC;AAC1D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA,SAAS;AAAA,IACT,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,UAAU,qBAAqB,KAAK,YAAY;AAAA,IAChD,OAAO,OAAO;AAAA,IACd,YAAY,KAAK,cAAc;AAAA,EACjC,CAAC;AACD,SAAO,aAAa,KAAK,EAAE,OAAO,OAAO,OAAO,YAAY,aAAa,CAAC;AAC5E;AAEO,MAAM,OAAO,OAAO,QAAiB;AAC1C,SAAO,KAAK,KAAK,GAAG;AACtB;AAEO,MAAM,MAAM,OAAO,QAAiB;AACzC,SAAO,KAAK,IAAI,GAAG;AACrB;AAEO,MAAM,SAAS,OAAO,QAAiB;AAC5C,QAAM,WAAW,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,IAAI,IAAI;AACvD,MAAI,UAAU;AACZ,QAAI;AACF,YAAM,gCAAgC,KAAK,QAAQ;AAAA,IACrD,SAAS,KAAK;AACZ,UAAI,eAAe,eAAe;AAChC,eAAO,aAAa,KAAK,IAAI,MAAM,EAAE,QAAQ,IAAI,OAAO,CAAC;AAAA,MAC3D;AACA,YAAM;AAAA,IACR;AAAA,EACF;AACA,SAAO,KAAK,OAAO,GAAG;AACxB;AAEA,eAAe,0BACb,IACA,YACA,QACA,aACA,OAC0B;AAC1B,QAAM,UAAU,OAAO,KAAK;AAC5B,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,eAAe,oBAAoB;AACzC,MAAI,CAAC,aAAa,QAAS,QAAO,CAAC;AACnC,QAAM,EAAE,OAAO,IAAI,aAAa,SAAS,YAAY;AACrD,MAAI,CAAC,OAAO,OAAQ,QAAO,CAAC;AAE5B,QAAM,KAAM,GAAW,UAAU;AACjC,MAAI,QAAQ,GACT,WAAW,eAAe,EAC1B,OAAO,WAAW,EAClB,MAAM,eAAe,KAAK,UAAU,EACpC,MAAM,cAAc,MAAM,MAAM,EAChC,QAAQ,WAAW,EACnB,OAAO,oCAA6C,OAAO,MAAM,EAAE;AACtE,MAAI,OAAO;AACT,YAAQ,MAAM,MAAM,SAAS,KAAK,KAAK;AAAA,EACzC;AACA,MAAI,gBAAgB,QAAW;AAC7B,YAAQ,MAAM,MAAM,qCAA8C,WAAW,EAAE;AAAA,EACjF;AACA,QAAM,OAAQ,MAAM,MAAM,QAAQ;AAClC,SAAO,KACJ,IAAI,CAAC,QAAS,OAAO,IAAI,cAAc,WAAW,IAAI,YAAY,IAAK,EACvE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAEA,eAAe,gCAAgC,KAAc,cAAsB;AACjF,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,yCAAyC;AAAA,IAC7C;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B;AAAA,EACF,CAAC;AACH;AAEA,eAAe,qBAAqB,KAAc,OAAgB,SAAkC;AAClG,MAAI,CAAC,MAAM,QAAQ,KAAK,EAAG;AAC3B,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,cAAc,KAAK,EAAE,OAAO,eAAe,CAAC;AACtE,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,WAAW,MAAM,kCAAkC,IAAI,SAAS,KAAK,YAAY,IAAI;AAC3F,QAAM,8BAA8B;AAAA,IAClC;AAAA,IACA,aAAa,UAAU,QAAQ,aAAa;AAAA,IAC5C,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,gBAAgB,KAAK,SAAS;AAAA,IAC9B,YAAY;AAAA,EACd,CAAC;AACH;AAEA,eAAe,kCACb,IACA,SACA,kBACwB;AACxB,QAAM,iBAAiB,OAAO,QAAQ,mBAAmB,WAAW,QAAQ,iBAAiB;AAC7F,MAAI,gBAAgB;AAClB,UAAM,eAAe,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,eAAe;AAAA,MACrB,EAAE,UAAU,CAAC,QAAQ,EAAE;AAAA,MACvB,EAAE,UAAU,MAAM,eAAe;AAAA,IACnC;AACA,WAAO,cAAc,QAAQ,KAAK,OAAO,aAAa,OAAO,EAAE,IAAI;AAAA,EACrE;AAEA,QAAM,SAAS,OAAO,QAAQ,OAAO,WAAW,QAAQ,KAAK;AAC7D,MAAI,QAAQ;AACV,UAAM,OAAO,MAAM;AAAA,MACjB;AAAA,MACA;AAAA,MACA,EAAE,IAAI,QAAQ,WAAW,KAAK;AAAA,MAC9B,CAAC;AAAA,MACD,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,WAAO,MAAM,WAAW,OAAO,KAAK,QAAQ,IAAI;AAAA,EAClD;AAEA,SAAO;AACT;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aACE;AAAA,MACF,OAAO;AAAA,MACP,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,uBAAuB;AAAA,MAChF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,QAC5C;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,sCAAsC,QAAQ,oBAAoB;AAAA,QAC9F,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,MAClG;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,mBAAmB,QAAQ,oBAAoB;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,oBAAoB;AAAA,QAChG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,iBAAiB,EAAE,CAAC;AAAA,MACrE,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,iBAAiB;AAAA,MACvE;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B,QAAQ,oBAAoB;AAAA,QAClF,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,oBAAoB;AAAA,QACxE,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,oBAAoB;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
   "names": ["id"]
 }