npm - @open-mercato/core - Versions diffs - 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4559.1.839e136509 - Mend

@open-mercato/core 0.6.5-develop.4534.1.b459babe6d → 0.6.5-develop.4559.1.839e136509

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (644) hide show

package/dist/helpers/integration/communicationChannelsFixtures.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/helpers/integration/communicationChannelsFixtures.ts"],
-  "sourcesContent": ["import { expect, type APIRequestContext } from '@playwright/test';\nimport { apiRequest } from './api';\nimport { expectId, readJsonSafe } from './generalFixtures';\n\n/**\n * Communication-channels integration fixtures.\n *\n * These drive the TEST-ONLY seed endpoint `POST /api/communication_channels/test-seed`,\n * which is gated by `OM_ENABLE_TEST_CHANNEL_SEEDING` (inert/404 in production). Use\n * {@link isChannelSeedingAvailable} to skip tests when the gate is off rather than\n * failing them.\n */\n\nexport type SeedAddressField =\n  | string\n  | { address: string; name?: string }\n  | Array<string | { address: string; name?: string }>;\n\nconst TEST_SEED_PATH = '/api/communication_channels/test-seed';\n\n/**\n * Probe whether the env-gated test-seed endpoint is enabled in the target app.\n * Returns false when the route answers 404 (flag off) so callers can `test.skip`.\n * The caller's token must hold `communication_channels.connect_user_channel`.\n */\nexport async function isChannelSeedingAvailable(\n  request: APIRequestContext,\n  token: string,\n): Promise<boolean> {\n  // A malformed body returns 422 when the gate is ON and 404 when it is OFF.\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: '__probe__' },\n  });\n  return response.status() !== 404;\n}\n\n/**\n * Seed a connected, network-free `__test_seed__` channel owned by the caller.\n * Returns the new channel id. Tear down with {@link deleteChannelIfExists}.\n */\nexport async function seedConnectedChannel(\n  request: APIRequestContext,\n  token: string,\n  input: { displayName?: string; externalIdentifier?: string } = {},\n): Promise<string> {\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: 'connect-channel', ...input },\n  });\n  expect(\n    response.status(),\n    'POST /api/communication_channels/test-seed (connect-channel) should return 201',\n  ).toBe(201);\n  const body = await readJsonSafe<{ channelId?: string }>(response);\n  return expectId(body?.channelId, 'connect-channel response should include channelId');\n}\n\n/**\n * Seed an inbound `MessageChannelLink` for `channelId` and emit\n * `communication_channels.message.received` through the real event bus. The\n * persistent customers link-channel-message-received subscriber is enqueued to\n * the `events` queue \u2014 drain it with `drainIntegrationQueue('events')`.\n *\n * Returns the created link + message ids (the message id is the platform\n * `messages.message` id, usable as `messageThreadId` to thread a follow-up).\n */\nexport async function seedInboundMessage(\n  request: APIRequestContext,\n  token: string,\n  input: {\n    channelId: string;\n    from?: SeedAddressField;\n    to?: SeedAddressField;\n    cc?: SeedAddressField;\n    subject?: string;\n    bodyText?: string;\n    messageId?: string;\n    inReplyTo?: string;\n    references?: string[];\n    messageThreadId?: string;\n    providerKey?: string;\n  },\n): Promise<{ channelLinkId: string; messageId: string; conversationId: string }> {\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: 'emit-inbound', ...input },\n  });\n  expect(\n    response.status(),\n    'POST /api/communication_channels/test-seed (emit-inbound) should return 201',\n  ).toBe(201);\n  const body = await readJsonSafe<{\n    channelLinkId?: string;\n    messageId?: string;\n    conversationId?: string;\n  }>(response);\n  return {\n    channelLinkId: expectId(body?.channelLinkId, 'emit-inbound response should include channelLinkId'),\n    messageId: expectId(body?.messageId, 'emit-inbound response should include messageId'),\n    conversationId: expectId(\n      body?.conversationId,\n      'emit-inbound response should include conversationId',\n    ),\n  };\n}\n\n/**\n * Best-effort delete of a seeded channel via the owner-scoped DELETE route.\n * Safe to call with a null id in `finally`.\n */\nexport async function deleteChannelIfExists(\n  request: APIRequestContext,\n  token: string | null,\n  channelId: string | null,\n): Promise<void> {\n  if (!token || !channelId) return;\n  await apiRequest(\n    request,\n    'DELETE',\n    `/api/communication_channels/channels/${encodeURIComponent(channelId)}`,\n    { token },\n  ).catch(() => undefined);\n}\n"],
-  "mappings": "AAAA,SAAS,cAAsC;AAC/C,SAAS,kBAAkB;AAC3B,SAAS,UAAU,oBAAoB;AAgBvC,MAAM,iBAAiB;AAOvB,eAAsB,0BACpB,SACA,OACkB;AAElB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,YAAY;AAAA,EAC9B,CAAC;AACD,SAAO,SAAS,OAAO,MAAM;AAC/B;AAMA,eAAsB,qBACpB,SACA,OACA,QAA+D,CAAC,GAC/C;AACjB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,mBAAmB,GAAG,MAAM;AAAA,EAC9C,CAAC;AACD;AAAA,IACE,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,EAAE,KAAK,GAAG;AACV,QAAM,OAAO,MAAM,aAAqC,QAAQ;AAChE,SAAO,SAAS,MAAM,WAAW,mDAAmD;AACtF;AAWA,eAAsB,mBACpB,SACA,OACA,OAa+E;AAC/E,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,gBAAgB,GAAG,MAAM;AAAA,EAC3C,CAAC;AACD;AAAA,IACE,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,EAAE,KAAK,GAAG;AACV,QAAM,OAAO,MAAM,aAIhB,QAAQ;AACX,SAAO;AAAA,IACL,eAAe,SAAS,MAAM,eAAe,oDAAoD;AAAA,IACjG,WAAW,SAAS,MAAM,WAAW,gDAAgD;AAAA,IACrF,gBAAgB;AAAA,MACd,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACF;AAMA,eAAsB,sBACpB,SACA,OACA,WACe;AACf,MAAI,CAAC,SAAS,CAAC,UAAW;AAC1B,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,wCAAwC,mBAAmB,SAAS,CAAC;AAAA,IACrE,EAAE,MAAM;AAAA,EACV,EAAE,MAAM,MAAM,MAAS;AACzB;",
+  "sourcesContent": ["import { expect, type APIRequestContext } from '@playwright/test';\nimport { apiRequest } from './api';\nimport { expectId, readJsonSafe } from './generalFixtures';\n\n/**\n * Communication-channels integration fixtures.\n *\n * These drive the TEST-ONLY seed endpoint `POST /api/communication_channels/test-seed`,\n * which is gated by `OM_ENABLE_TEST_CHANNEL_SEEDING` (inert/404 in production). Use\n * {@link isChannelSeedingAvailable} to skip tests when the gate is off rather than\n * failing them.\n */\n\nexport type SeedAddressField =\n  | string\n  | { address: string; name?: string }\n  | Array<string | { address: string; name?: string }>;\n\nconst TEST_SEED_PATH = '/api/communication_channels/test-seed';\n\n/**\n * Probe whether the env-gated test-seed endpoint is enabled in the target app.\n * Returns false when the route answers 404 (flag off) so callers can `test.skip`.\n * The caller's token must hold `communication_channels.connect_user_channel`.\n */\nexport async function isChannelSeedingAvailable(\n  request: APIRequestContext,\n  token: string,\n): Promise<boolean> {\n  // A malformed body returns 422 when the gate is ON and 404 when it is OFF.\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: '__probe__' },\n  });\n  return response.status() !== 404;\n}\n\n/**\n * Seed a connected, network-free `__test_seed__` channel owned by the caller.\n * Returns the new channel id. Tear down with {@link deleteChannelIfExists}.\n */\nexport async function seedConnectedChannel(\n  request: APIRequestContext,\n  token: string,\n  input: { displayName?: string; externalIdentifier?: string } = {},\n): Promise<string> {\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: 'connect-channel', ...input },\n  });\n  expect(\n    response.status(),\n    'POST /api/communication_channels/test-seed (connect-channel) should return 201',\n  ).toBe(201);\n  const body = await readJsonSafe<{ channelId?: string }>(response);\n  return expectId(body?.channelId, 'connect-channel response should include channelId');\n}\n\n/**\n * Seed an inbound `MessageChannelLink` for `channelId` and emit\n * `communication_channels.message.received` through the real event bus. The\n * persistent customers link-channel-message-received subscriber is enqueued to\n * the `events` queue \u2014 drain it with `drainIntegrationQueue('events')`.\n *\n * Returns the created link + message ids (the message id is the platform\n * `messages.message` id, usable as `messageThreadId` to thread a follow-up).\n *\n * Pass `createThreadMapping: true` to also seed a `ChannelThreadMapping` for the\n * thread \u2014 required before exercising the reaction (`/messages/[id]/reactions`)\n * and thread-assign (`/threads/[id]/assign`) routes, which resolve the owning\n * channel through that mapping.\n */\nexport async function seedInboundMessage(\n  request: APIRequestContext,\n  token: string,\n  input: {\n    channelId: string;\n    from?: SeedAddressField;\n    to?: SeedAddressField;\n    cc?: SeedAddressField;\n    subject?: string;\n    bodyText?: string;\n    messageId?: string;\n    inReplyTo?: string;\n    references?: string[];\n    messageThreadId?: string;\n    providerKey?: string;\n    createThreadMapping?: boolean;\n  },\n): Promise<{ channelLinkId: string; messageId: string; conversationId: string }> {\n  const response = await apiRequest(request, 'POST', TEST_SEED_PATH, {\n    token,\n    data: { action: 'emit-inbound', ...input },\n  });\n  expect(\n    response.status(),\n    'POST /api/communication_channels/test-seed (emit-inbound) should return 201',\n  ).toBe(201);\n  const body = await readJsonSafe<{\n    channelLinkId?: string;\n    messageId?: string;\n    conversationId?: string;\n  }>(response);\n  return {\n    channelLinkId: expectId(body?.channelLinkId, 'emit-inbound response should include channelLinkId'),\n    messageId: expectId(body?.messageId, 'emit-inbound response should include messageId'),\n    conversationId: expectId(\n      body?.conversationId,\n      'emit-inbound response should include conversationId',\n    ),\n  };\n}\n\n/**\n * Best-effort delete of a seeded channel via the owner-scoped DELETE route.\n * Safe to call with a null id in `finally`.\n */\nexport async function deleteChannelIfExists(\n  request: APIRequestContext,\n  token: string | null,\n  channelId: string | null,\n): Promise<void> {\n  if (!token || !channelId) return;\n  await apiRequest(\n    request,\n    'DELETE',\n    `/api/communication_channels/channels/${encodeURIComponent(channelId)}`,\n    { token },\n  ).catch(() => undefined);\n}\n"],
+  "mappings": "AAAA,SAAS,cAAsC;AAC/C,SAAS,kBAAkB;AAC3B,SAAS,UAAU,oBAAoB;AAgBvC,MAAM,iBAAiB;AAOvB,eAAsB,0BACpB,SACA,OACkB;AAElB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,YAAY;AAAA,EAC9B,CAAC;AACD,SAAO,SAAS,OAAO,MAAM;AAC/B;AAMA,eAAsB,qBACpB,SACA,OACA,QAA+D,CAAC,GAC/C;AACjB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,mBAAmB,GAAG,MAAM;AAAA,EAC9C,CAAC;AACD;AAAA,IACE,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,EAAE,KAAK,GAAG;AACV,QAAM,OAAO,MAAM,aAAqC,QAAQ;AAChE,SAAO,SAAS,MAAM,WAAW,mDAAmD;AACtF;AAgBA,eAAsB,mBACpB,SACA,OACA,OAc+E;AAC/E,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,gBAAgB;AAAA,IACjE;AAAA,IACA,MAAM,EAAE,QAAQ,gBAAgB,GAAG,MAAM;AAAA,EAC3C,CAAC;AACD;AAAA,IACE,SAAS,OAAO;AAAA,IAChB;AAAA,EACF,EAAE,KAAK,GAAG;AACV,QAAM,OAAO,MAAM,aAIhB,QAAQ;AACX,SAAO;AAAA,IACL,eAAe,SAAS,MAAM,eAAe,oDAAoD;AAAA,IACjG,WAAW,SAAS,MAAM,WAAW,gDAAgD;AAAA,IACrF,gBAAgB;AAAA,MACd,MAAM;AAAA,MACN;AAAA,IACF;AAAA,EACF;AACF;AAMA,eAAsB,sBACpB,SACA,OACA,WACe;AACf,MAAI,CAAC,SAAS,CAAC,UAAW;AAC1B,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,wCAAwC,mBAAmB,SAAS,CAAC;AAAA,IACrE,EAAE,MAAM;AAAA,EACV,EAAE,MAAM,MAAM,MAAS;AACzB;",
   "names": []
 }

package/dist/helpers/integration/dbFixtures.js CHANGED Viewed

@@ -93,6 +93,7 @@ export {
   createOrganizationInDb,
   deleteOrganizationInDb,
   deleteUserAclInDb,
-  setUserAclInDb
+  setUserAclInDb,
+  withClient
 };
 //# sourceMappingURL=dbFixtures.js.map

package/dist/helpers/integration/dbFixtures.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/helpers/integration/dbFixtures.ts"],
-  "sourcesContent": ["import { readFileSync } from 'node:fs';\nimport path from 'node:path';\nimport { Client } from 'pg';\n\n/**\n * Database fixtures for the org-scope fail-open hardening tests.\n *\n * These helpers talk to Postgres directly via `pg` rather than bootstrapping the\n * app DI container, because:\n *  - the directory create command denies non-super-admin actors (the only\n *    loginable accounts here), so orgs cannot be created over the API; and\n *  - granting `customers.*` through the ACL API requires a super-admin actor.\n * Raw SQL keeps the test self-contained and avoids depending on built package\n * `dist/` output for an in-process MikroORM bootstrap.\n */\n\nfunction resolveAppRoot(): string {\n  const fromEnv = process.env.OM_TEST_APP_ROOT?.trim();\n  return fromEnv ? path.resolve(fromEnv) : path.resolve(process.cwd(), 'apps/mercato');\n}\n\nfunction readEnvValue(key: string): string | undefined {\n  if (process.env[key]) return process.env[key];\n  const candidatePaths = [\n    path.resolve(resolveAppRoot(), '.env'),\n    path.resolve(process.cwd(), 'apps/mercato/.env'),\n    path.resolve(process.cwd(), '.env'),\n  ];\n  for (const envPath of candidatePaths) {\n    try {\n      const content = readFileSync(envPath, 'utf-8');\n      const match = content.match(new RegExp(`^${key}=(.+)$`, 'm'));\n      if (match?.[1]) return match[1].trim();\n    } catch {\n      continue;\n    }\n  }\n  return undefined;\n}\n\nfunction resolveDatabaseUrl(): string {\n  const url = readEnvValue('DATABASE_URL');\n  if (!url) throw new Error('[internal] DATABASE_URL is not configured for integration DB fixtures');\n  return url;\n}\n\nasync function withClient<T>(run: (client: Client) => Promise<T>): Promise<T> {\n  const client = new Client({ connectionString: resolveDatabaseUrl() });\n  await client.connect();\n  try {\n    return await run(client);\n  } finally {\n    await client.end();\n  }\n}\n\n/**\n * Nulls a user's home organization (`organization_id`) directly in the database.\n *\n * Required to construct the \"floating restricted user\" precondition: the JWT\n * `auth.orgId` is minted from `users.organization_id` at login, so this MUST run\n * BEFORE the user logs in.\n */\nexport async function clearUserHomeOrganization(userId: string): Promise<void> {\n  await withClient(async (client) => {\n    await client.query('update users set organization_id = null where id = $1', [userId]);\n  });\n}\n\n/**\n * Upserts a per-user ACL row, setting the effective feature list and the\n * organization-visibility list.\n *\n * `organizations` maps to `OrganizationScope.allowedIds` (write path) and\n * `filterIds` (read path):\n *   - `[orgA]` => restricted to orgA (write fail-open precondition, #2239)\n *   - `[]`     => restricted to zero orgs (read fail-open precondition, #2245)\n *   - `null`   => unrestricted\n */\nexport async function setUserAclInDb(input: {\n  userId: string;\n  tenantId: string;\n  features: string[];\n  organizations: string[] | null;\n}): Promise<void> {\n  await withClient(async (client) => {\n    const existing = await client.query<{ id: string }>(\n      'select id from user_acls where user_id = $1 and tenant_id = $2 limit 1',\n      [input.userId, input.tenantId],\n    );\n    const featuresJson = JSON.stringify(input.features);\n    const organizationsJson = input.organizations === null ? null : JSON.stringify(input.organizations);\n    if (existing.rows.length > 0) {\n      await client.query(\n        'update user_acls set features_json = $2::jsonb, organizations_json = $3::jsonb, is_super_admin = false, updated_at = now() where id = $1',\n        [existing.rows[0].id, featuresJson, organizationsJson],\n      );\n      return;\n    }\n    await client.query(\n      `insert into user_acls (id, user_id, tenant_id, features_json, organizations_json, is_super_admin, created_at)\n       values (gen_random_uuid(), $1, $2, $3::jsonb, $4::jsonb, false, now())`,\n      [input.userId, input.tenantId, featuresJson, organizationsJson],\n    );\n  });\n}\n\n/** Removes any per-user ACL rows for the user (best-effort test cleanup). */\nexport async function deleteUserAclInDb(userId: string): Promise<void> {\n  if (!userId) return;\n  await withClient(async (client) => {\n    await client.query('delete from user_acls where user_id = $1', [userId]);\n  });\n}\n\n/**\n * Creates an organization directly in the database within the given tenant.\n *\n * The directory create command routes through `enforceTenantSelection`, which\n * denies the (non-super-admin) accounts loginable on this instance. Landing the\n * org in a known tenant lets the floating user (created under it) share the\n * tenant \u2014 required because cross-tenant access returns 404 before the\n * org-scope guard ever runs.\n */\nexport async function createOrganizationInDb(input: { name: string; tenantId: string }): Promise<string> {\n  return withClient(async (client) => {\n    const result = await client.query<{ id: string }>(\n      `insert into organizations\n         (id, tenant_id, name, is_active, ancestor_ids, child_ids, descendant_ids, depth, created_at, updated_at)\n       values (gen_random_uuid(), $1, $2, true, '[]'::jsonb, '[]'::jsonb, '[]'::jsonb, 0, now(), now())\n       returning id`,\n      [input.tenantId, input.name],\n    );\n    return result.rows[0].id;\n  });\n}\n\n/** Hard-deletes an organization row (best-effort test cleanup). */\nexport async function deleteOrganizationInDb(organizationId: string | null): Promise<void> {\n  if (!organizationId) return;\n  await withClient(async (client) => {\n    await client.query('delete from organizations where id = $1', [organizationId]);\n  });\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,OAAO,UAAU;AACjB,SAAS,cAAc;AAcvB,SAAS,iBAAyB;AAChC,QAAM,UAAU,QAAQ,IAAI,kBAAkB,KAAK;AACnD,SAAO,UAAU,KAAK,QAAQ,OAAO,IAAI,KAAK,QAAQ,QAAQ,IAAI,GAAG,cAAc;AACrF;AAEA,SAAS,aAAa,KAAiC;AACrD,MAAI,QAAQ,IAAI,GAAG,EAAG,QAAO,QAAQ,IAAI,GAAG;AAC5C,QAAM,iBAAiB;AAAA,IACrB,KAAK,QAAQ,eAAe,GAAG,MAAM;AAAA,IACrC,KAAK,QAAQ,QAAQ,IAAI,GAAG,mBAAmB;AAAA,IAC/C,KAAK,QAAQ,QAAQ,IAAI,GAAG,MAAM;AAAA,EACpC;AACA,aAAW,WAAW,gBAAgB;AACpC,QAAI;AACF,YAAM,UAAU,aAAa,SAAS,OAAO;AAC7C,YAAM,QAAQ,QAAQ,MAAM,IAAI,OAAO,IAAI,GAAG,UAAU,GAAG,CAAC;AAC5D,UAAI,QAAQ,CAAC,EAAG,QAAO,MAAM,CAAC,EAAE,KAAK;AAAA,IACvC,QAAQ;AACN;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,qBAA6B;AACpC,QAAM,MAAM,aAAa,cAAc;AACvC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,uEAAuE;AACjG,SAAO;AACT;AAEA,eAAe,WAAc,KAAiD;AAC5E,QAAM,SAAS,IAAI,OAAO,EAAE,kBAAkB,mBAAmB,EAAE,CAAC;AACpE,QAAM,OAAO,QAAQ;AACrB,MAAI;AACF,WAAO,MAAM,IAAI,MAAM;AAAA,EACzB,UAAE;AACA,UAAM,OAAO,IAAI;AAAA,EACnB;AACF;AASA,eAAsB,0BAA0B,QAA+B;AAC7E,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,yDAAyD,CAAC,MAAM,CAAC;AAAA,EACtF,CAAC;AACH;AAYA,eAAsB,eAAe,OAKnB;AAChB,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B;AAAA,MACA,CAAC,MAAM,QAAQ,MAAM,QAAQ;AAAA,IAC/B;AACA,UAAM,eAAe,KAAK,UAAU,MAAM,QAAQ;AAClD,UAAM,oBAAoB,MAAM,kBAAkB,OAAO,OAAO,KAAK,UAAU,MAAM,aAAa;AAClG,QAAI,SAAS,KAAK,SAAS,GAAG;AAC5B,YAAM,OAAO;AAAA,QACX;AAAA,QACA,CAAC,SAAS,KAAK,CAAC,EAAE,IAAI,cAAc,iBAAiB;AAAA,MACvD;AACA;AAAA,IACF;AACA,UAAM,OAAO;AAAA,MACX;AAAA;AAAA,MAEA,CAAC,MAAM,QAAQ,MAAM,UAAU,cAAc,iBAAiB;AAAA,IAChE;AAAA,EACF,CAAC;AACH;AAGA,eAAsB,kBAAkB,QAA+B;AACrE,MAAI,CAAC,OAAQ;AACb,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,4CAA4C,CAAC,MAAM,CAAC;AAAA,EACzE,CAAC;AACH;AAWA,eAAsB,uBAAuB,OAA4D;AACvG,SAAO,WAAW,OAAO,WAAW;AAClC,UAAM,SAAS,MAAM,OAAO;AAAA,MAC1B;AAAA;AAAA;AAAA;AAAA,MAIA,CAAC,MAAM,UAAU,MAAM,IAAI;AAAA,IAC7B;AACA,WAAO,OAAO,KAAK,CAAC,EAAE;AAAA,EACxB,CAAC;AACH;AAGA,eAAsB,uBAAuB,gBAA8C;AACzF,MAAI,CAAC,eAAgB;AACrB,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,2CAA2C,CAAC,cAAc,CAAC;AAAA,EAChF,CAAC;AACH;",
+  "sourcesContent": ["import { readFileSync } from 'node:fs';\nimport path from 'node:path';\nimport { Client } from 'pg';\n\n/**\n * Database fixtures for the org-scope fail-open hardening tests.\n *\n * These helpers talk to Postgres directly via `pg` rather than bootstrapping the\n * app DI container, because:\n *  - the directory create command denies non-super-admin actors (the only\n *    loginable accounts here), so orgs cannot be created over the API; and\n *  - granting `customers.*` through the ACL API requires a super-admin actor.\n * Raw SQL keeps the test self-contained and avoids depending on built package\n * `dist/` output for an in-process MikroORM bootstrap.\n */\n\nfunction resolveAppRoot(): string {\n  const fromEnv = process.env.OM_TEST_APP_ROOT?.trim();\n  return fromEnv ? path.resolve(fromEnv) : path.resolve(process.cwd(), 'apps/mercato');\n}\n\nfunction readEnvValue(key: string): string | undefined {\n  if (process.env[key]) return process.env[key];\n  const candidatePaths = [\n    path.resolve(resolveAppRoot(), '.env'),\n    path.resolve(process.cwd(), 'apps/mercato/.env'),\n    path.resolve(process.cwd(), '.env'),\n  ];\n  for (const envPath of candidatePaths) {\n    try {\n      const content = readFileSync(envPath, 'utf-8');\n      const match = content.match(new RegExp(`^${key}=(.+)$`, 'm'));\n      if (match?.[1]) return match[1].trim();\n    } catch {\n      continue;\n    }\n  }\n  return undefined;\n}\n\nfunction resolveDatabaseUrl(): string {\n  const url = readEnvValue('DATABASE_URL');\n  if (!url) throw new Error('[internal] DATABASE_URL is not configured for integration DB fixtures');\n  return url;\n}\n\nexport async function withClient<T>(run: (client: Client) => Promise<T>): Promise<T> {\n  const client = new Client({ connectionString: resolveDatabaseUrl() });\n  await client.connect();\n  try {\n    return await run(client);\n  } finally {\n    await client.end();\n  }\n}\n\n/**\n * Nulls a user's home organization (`organization_id`) directly in the database.\n *\n * Required to construct the \"floating restricted user\" precondition: the JWT\n * `auth.orgId` is minted from `users.organization_id` at login, so this MUST run\n * BEFORE the user logs in.\n */\nexport async function clearUserHomeOrganization(userId: string): Promise<void> {\n  await withClient(async (client) => {\n    await client.query('update users set organization_id = null where id = $1', [userId]);\n  });\n}\n\n/**\n * Upserts a per-user ACL row, setting the effective feature list and the\n * organization-visibility list.\n *\n * `organizations` maps to `OrganizationScope.allowedIds` (write path) and\n * `filterIds` (read path):\n *   - `[orgA]` => restricted to orgA (write fail-open precondition, #2239)\n *   - `[]`     => restricted to zero orgs (read fail-open precondition, #2245)\n *   - `null`   => unrestricted\n */\nexport async function setUserAclInDb(input: {\n  userId: string;\n  tenantId: string;\n  features: string[];\n  organizations: string[] | null;\n}): Promise<void> {\n  await withClient(async (client) => {\n    const existing = await client.query<{ id: string }>(\n      'select id from user_acls where user_id = $1 and tenant_id = $2 limit 1',\n      [input.userId, input.tenantId],\n    );\n    const featuresJson = JSON.stringify(input.features);\n    const organizationsJson = input.organizations === null ? null : JSON.stringify(input.organizations);\n    if (existing.rows.length > 0) {\n      await client.query(\n        'update user_acls set features_json = $2::jsonb, organizations_json = $3::jsonb, is_super_admin = false, updated_at = now() where id = $1',\n        [existing.rows[0].id, featuresJson, organizationsJson],\n      );\n      return;\n    }\n    await client.query(\n      `insert into user_acls (id, user_id, tenant_id, features_json, organizations_json, is_super_admin, created_at)\n       values (gen_random_uuid(), $1, $2, $3::jsonb, $4::jsonb, false, now())`,\n      [input.userId, input.tenantId, featuresJson, organizationsJson],\n    );\n  });\n}\n\n/** Removes any per-user ACL rows for the user (best-effort test cleanup). */\nexport async function deleteUserAclInDb(userId: string): Promise<void> {\n  if (!userId) return;\n  await withClient(async (client) => {\n    await client.query('delete from user_acls where user_id = $1', [userId]);\n  });\n}\n\n/**\n * Creates an organization directly in the database within the given tenant.\n *\n * The directory create command routes through `enforceTenantSelection`, which\n * denies the (non-super-admin) accounts loginable on this instance. Landing the\n * org in a known tenant lets the floating user (created under it) share the\n * tenant \u2014 required because cross-tenant access returns 404 before the\n * org-scope guard ever runs.\n */\nexport async function createOrganizationInDb(input: { name: string; tenantId: string }): Promise<string> {\n  return withClient(async (client) => {\n    const result = await client.query<{ id: string }>(\n      `insert into organizations\n         (id, tenant_id, name, is_active, ancestor_ids, child_ids, descendant_ids, depth, created_at, updated_at)\n       values (gen_random_uuid(), $1, $2, true, '[]'::jsonb, '[]'::jsonb, '[]'::jsonb, 0, now(), now())\n       returning id`,\n      [input.tenantId, input.name],\n    );\n    return result.rows[0].id;\n  });\n}\n\n/** Hard-deletes an organization row (best-effort test cleanup). */\nexport async function deleteOrganizationInDb(organizationId: string | null): Promise<void> {\n  if (!organizationId) return;\n  await withClient(async (client) => {\n    await client.query('delete from organizations where id = $1', [organizationId]);\n  });\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,OAAO,UAAU;AACjB,SAAS,cAAc;AAcvB,SAAS,iBAAyB;AAChC,QAAM,UAAU,QAAQ,IAAI,kBAAkB,KAAK;AACnD,SAAO,UAAU,KAAK,QAAQ,OAAO,IAAI,KAAK,QAAQ,QAAQ,IAAI,GAAG,cAAc;AACrF;AAEA,SAAS,aAAa,KAAiC;AACrD,MAAI,QAAQ,IAAI,GAAG,EAAG,QAAO,QAAQ,IAAI,GAAG;AAC5C,QAAM,iBAAiB;AAAA,IACrB,KAAK,QAAQ,eAAe,GAAG,MAAM;AAAA,IACrC,KAAK,QAAQ,QAAQ,IAAI,GAAG,mBAAmB;AAAA,IAC/C,KAAK,QAAQ,QAAQ,IAAI,GAAG,MAAM;AAAA,EACpC;AACA,aAAW,WAAW,gBAAgB;AACpC,QAAI;AACF,YAAM,UAAU,aAAa,SAAS,OAAO;AAC7C,YAAM,QAAQ,QAAQ,MAAM,IAAI,OAAO,IAAI,GAAG,UAAU,GAAG,CAAC;AAC5D,UAAI,QAAQ,CAAC,EAAG,QAAO,MAAM,CAAC,EAAE,KAAK;AAAA,IACvC,QAAQ;AACN;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,qBAA6B;AACpC,QAAM,MAAM,aAAa,cAAc;AACvC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,uEAAuE;AACjG,SAAO;AACT;AAEA,eAAsB,WAAc,KAAiD;AACnF,QAAM,SAAS,IAAI,OAAO,EAAE,kBAAkB,mBAAmB,EAAE,CAAC;AACpE,QAAM,OAAO,QAAQ;AACrB,MAAI;AACF,WAAO,MAAM,IAAI,MAAM;AAAA,EACzB,UAAE;AACA,UAAM,OAAO,IAAI;AAAA,EACnB;AACF;AASA,eAAsB,0BAA0B,QAA+B;AAC7E,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,yDAAyD,CAAC,MAAM,CAAC;AAAA,EACtF,CAAC;AACH;AAYA,eAAsB,eAAe,OAKnB;AAChB,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B;AAAA,MACA,CAAC,MAAM,QAAQ,MAAM,QAAQ;AAAA,IAC/B;AACA,UAAM,eAAe,KAAK,UAAU,MAAM,QAAQ;AAClD,UAAM,oBAAoB,MAAM,kBAAkB,OAAO,OAAO,KAAK,UAAU,MAAM,aAAa;AAClG,QAAI,SAAS,KAAK,SAAS,GAAG;AAC5B,YAAM,OAAO;AAAA,QACX;AAAA,QACA,CAAC,SAAS,KAAK,CAAC,EAAE,IAAI,cAAc,iBAAiB;AAAA,MACvD;AACA;AAAA,IACF;AACA,UAAM,OAAO;AAAA,MACX;AAAA;AAAA,MAEA,CAAC,MAAM,QAAQ,MAAM,UAAU,cAAc,iBAAiB;AAAA,IAChE;AAAA,EACF,CAAC;AACH;AAGA,eAAsB,kBAAkB,QAA+B;AACrE,MAAI,CAAC,OAAQ;AACb,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,4CAA4C,CAAC,MAAM,CAAC;AAAA,EACzE,CAAC;AACH;AAWA,eAAsB,uBAAuB,OAA4D;AACvG,SAAO,WAAW,OAAO,WAAW;AAClC,UAAM,SAAS,MAAM,OAAO;AAAA,MAC1B;AAAA;AAAA;AAAA;AAAA,MAIA,CAAC,MAAM,UAAU,MAAM,IAAI;AAAA,IAC7B;AACA,WAAO,OAAO,KAAK,CAAC,EAAE;AAAA,EACxB,CAAC;AACH;AAGA,eAAsB,uBAAuB,gBAA8C;AACzF,MAAI,CAAC,eAAgB;AACrB,QAAM,WAAW,OAAO,WAAW;AACjC,UAAM,OAAO,MAAM,2CAA2C,CAAC,cAAc,CAAC;AAAA,EAChF,CAAC;AACH;",
   "names": []
 }

package/dist/helpers/integration/optimisticLockUi.js ADDED Viewed

@@ -0,0 +1,104 @@
+import { expect } from "@playwright/test";
+import {
+  OPTIMISTIC_LOCK_HEADER_NAME,
+  OPTIMISTIC_LOCK_CONFLICT_CODE
+} from "@open-mercato/shared/lib/crud/optimistic-lock-headers";
+const BASE_URL = process.env.BASE_URL?.trim() || "";
+function resolveApiUrl(path) {
+  return BASE_URL ? `${BASE_URL}${path}` : path;
+}
+const CONFLICT_BANNER_TESTID = "record-conflict-banner";
+const CONFLICT_DIALOG_TESTID = "record-lock-conflict-dialog";
+function authHeaders(token, lockValue) {
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    "Content-Type": "application/json"
+  };
+  if (lockValue !== void 0) headers[OPTIMISTIC_LOCK_HEADER_NAME] = lockValue;
+  return headers;
+}
+async function readUpdatedAt(request, token, basePath, id, idParam = "id") {
+  const response = await request.fetch(
+    resolveApiUrl(`${basePath}?${idParam}=${encodeURIComponent(id)}`),
+    { method: "GET", headers: authHeaders(token) }
+  );
+  expect(response.status(), `GET ${basePath}?${idParam}=... should be 200`).toBe(200);
+  const body = await response.json();
+  const item = Array.isArray(body.items) ? body.items[0] : body;
+  expect(item, `response should include the record for id=${id}`).toBeTruthy();
+  const raw = item?.updated_at ?? item?.updatedAt;
+  expect(typeof raw, `record should expose updated_at, got ${String(raw)}`).toBe("string");
+  const ms = Date.parse(raw);
+  expect(Number.isFinite(ms), `updated_at should parse, got ${String(raw)}`).toBe(true);
+  return new Date(ms).toISOString();
+}
+async function bumpRecordViaApi(request, token, basePath, putBody, opts = {}) {
+  const response = await request.fetch(resolveApiUrl(basePath), {
+    method: opts.method ?? "PUT",
+    headers: authHeaders(token),
+    data: putBody
+  });
+  expect(
+    response.status(),
+    `out-of-band ${opts.method ?? "PUT"} ${basePath} should succeed (additive path), got ${response.status()}`
+  ).toBeLessThan(300);
+  const id = putBody[opts.idParam ?? "id"];
+  if (typeof id === "string") {
+    try {
+      return await readUpdatedAt(request, token, basePath, id, opts.idParam);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+async function putWithLock(request, token, basePath, body, lockValue) {
+  return request.fetch(resolveApiUrl(basePath), {
+    method: "PUT",
+    headers: authHeaders(token, lockValue),
+    data: body
+  });
+}
+async function expectConflictBody(response) {
+  expect(response.status(), "stale write should be 409").toBe(409);
+  const body = await response.json();
+  expect(body.code, "body.code should be the optimistic-lock conflict code").toBe(OPTIMISTIC_LOCK_CONFLICT_CODE);
+  return body;
+}
+async function expectConflictBanner(page) {
+  const conflictSurface = page.getByTestId(CONFLICT_BANNER_TESTID).or(page.getByTestId(CONFLICT_DIALOG_TESTID));
+  await expect(
+    conflictSurface.first(),
+    "a conflict surface (OSS bar or record_locks dialog) should appear after a stale save"
+  ).toBeVisible({ timeout: 1e4 });
+}
+async function expectNoConflictBanner(page) {
+  await expect(
+    page.getByTestId(CONFLICT_BANNER_TESTID),
+    "a clean save must not surface a false-positive conflict bar"
+  ).toHaveCount(0);
+  await expect(
+    page.getByTestId(CONFLICT_DIALOG_TESTID),
+    "a clean save must not surface a false-positive conflict dialog"
+  ).toHaveCount(0);
+}
+async function clickConflictRefresh(page) {
+  await page.getByTestId(CONFLICT_BANNER_TESTID).getByRole("button", { name: /refresh/i }).click();
+}
+async function dismissConflictBanner(page) {
+  await page.getByTestId(CONFLICT_BANNER_TESTID).getByRole("button", { name: /dismiss/i }).click();
+}
+export {
+  CONFLICT_BANNER_TESTID,
+  CONFLICT_DIALOG_TESTID,
+  bumpRecordViaApi,
+  clickConflictRefresh,
+  dismissConflictBanner,
+  expectConflictBanner,
+  expectConflictBody,
+  expectNoConflictBanner,
+  putWithLock,
+  readUpdatedAt,
+  resolveApiUrl
+};
+//# sourceMappingURL=optimisticLockUi.js.map

package/dist/helpers/integration/optimisticLockUi.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/helpers/integration/optimisticLockUi.ts"],
+  "sourcesContent": ["import { expect, type APIRequestContext, type Page } from '@playwright/test'\nimport {\n  OPTIMISTIC_LOCK_HEADER_NAME,\n  OPTIMISTIC_LOCK_CONFLICT_CODE,\n} from '@open-mercato/shared/lib/crud/optimistic-lock-headers'\n\n/**\n * Shared helpers for the browser-driven optimistic-lock specs\n * (`TC-LOCK-OSS-014..046`). They make the conflict deterministic without two\n * real tabs or sleeps: the spec loads an edit page in the browser (the form\n * captures the record's `updated_at`), then advances `updated_at` out-of-band\n * via a header-less API PUT (additive path, always succeeds), and finally edits\n * + saves in the browser so the now-stale header triggers the 409 \u2192 conflict bar.\n *\n * See `packages/core/src/modules/sales/__integration__/__concurrent_edit_pattern.md`\n * and the conflict bar component\n * `packages/ui/src/backend/conflicts/RecordConflictBanner.tsx`\n * (`data-testid=\"record-conflict-banner\"`).\n */\n\nconst BASE_URL = process.env.BASE_URL?.trim() || ''\n\nexport function resolveApiUrl(path: string): string {\n  return BASE_URL ? `${BASE_URL}${path}` : path\n}\n\nexport const CONFLICT_BANNER_TESTID = 'record-conflict-banner'\n\n/**\n * The enterprise `record_locks` module (enabled in CI via\n * `OM_ENABLE_ENTERPRISE_MODULES=true`) supersedes the OSS banner with a richer\n * \"Conflict detected\" resolution dialog. Both are valid surfaces for \"the stale\n * write was refused\": on a CrudForm edit page either one can win depending on\n * whether the record_locks incoming-changes SSE (fired by the out-of-band bump)\n * is processed before the browser's stale save reaches the server. Asserting one\n * fixed surface is therefore racy; we wait for whichever conflict surface appears.\n * (List-delete / non-form flows have no record_locks lock and only ever surface\n * the OSS banner, so matching either surface is safe there too.)\n */\nexport const CONFLICT_DIALOG_TESTID = 'record-lock-conflict-dialog'\n\nfunction authHeaders(token: string, lockValue?: string): Record<string, string> {\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${token}`,\n    'Content-Type': 'application/json',\n  }\n  if (lockValue !== undefined) headers[OPTIMISTIC_LOCK_HEADER_NAME] = lockValue\n  return headers\n}\n\n/**\n * Read a record's current `updated_at` from a list-shaped CRUD GET\n * (`GET <basePath>?id=<id>` \u2192 `items[0].updated_at`), normalized to ISO.\n * Works for the `makeCrudRoute` list responses (snake or camel case).\n */\nexport async function readUpdatedAt(\n  request: APIRequestContext,\n  token: string,\n  basePath: string,\n  id: string,\n  idParam = 'id',\n): Promise<string> {\n  const response = await request.fetch(\n    resolveApiUrl(`${basePath}?${idParam}=${encodeURIComponent(id)}`),\n    { method: 'GET', headers: authHeaders(token) },\n  )\n  expect(response.status(), `GET ${basePath}?${idParam}=... should be 200`).toBe(200)\n  const body = (await response.json()) as\n    | { items?: Array<Record<string, unknown>> }\n    | Record<string, unknown>\n  const item = Array.isArray((body as { items?: unknown[] }).items)\n    ? (body as { items: Array<Record<string, unknown>> }).items[0]\n    : (body as Record<string, unknown>)\n  expect(item, `response should include the record for id=${id}`).toBeTruthy()\n  const raw = (item?.updated_at ?? item?.updatedAt) as string | undefined\n  expect(typeof raw, `record should expose updated_at, got ${String(raw)}`).toBe('string')\n  const ms = Date.parse(raw as string)\n  expect(Number.isFinite(ms), `updated_at should parse, got ${String(raw)}`).toBe(true)\n  return new Date(ms).toISOString()\n}\n\n/**\n * Advance a record's `updated_at` out-of-band so the browser's loaded form now\n * holds a stale token. Uses a **header-less** PUT (the strictly-additive path\n * always succeeds and bumps `updated_at`). Returns the new ISO `updated_at`.\n */\nexport async function bumpRecordViaApi(\n  request: APIRequestContext,\n  token: string,\n  basePath: string,\n  putBody: Record<string, unknown>,\n  opts: { idParam?: string; method?: 'PUT' | 'PATCH' } = {},\n): Promise<string | null> {\n  const response = await request.fetch(resolveApiUrl(basePath), {\n    method: opts.method ?? 'PUT',\n    headers: authHeaders(token),\n    data: putBody,\n  })\n  expect(\n    response.status(),\n    `out-of-band ${opts.method ?? 'PUT'} ${basePath} should succeed (additive path), got ${response.status()}`,\n  ).toBeLessThan(300)\n  const id = putBody[opts.idParam ?? 'id']\n  if (typeof id === 'string') {\n    try {\n      return await readUpdatedAt(request, token, basePath, id, opts.idParam)\n    } catch {\n      return null\n    }\n  }\n  return null\n}\n\n/** Direct API helpers to assert the 409 contract body (used by the negative/UX specs). */\nexport async function putWithLock(\n  request: APIRequestContext,\n  token: string,\n  basePath: string,\n  body: Record<string, unknown>,\n  lockValue: string,\n) {\n  return request.fetch(resolveApiUrl(basePath), {\n    method: 'PUT',\n    headers: authHeaders(token, lockValue),\n    data: body,\n  })\n}\n\nexport async function expectConflictBody(response: { status(): number; json(): Promise<unknown> }) {\n  expect(response.status(), 'stale write should be 409').toBe(409)\n  const body = (await response.json()) as { code?: string; currentUpdatedAt?: string; expectedUpdatedAt?: string }\n  expect(body.code, 'body.code should be the optimistic-lock conflict code').toBe(OPTIMISTIC_LOCK_CONFLICT_CODE)\n  return body\n}\n\n/**\n * Assert a stale save was refused and surfaced as a conflict. Matches EITHER the\n * OSS `record-conflict-banner` OR the enterprise record_locks \"Conflict detected\"\n * dialog \u2014 see `CONFLICT_DIALOG_TESTID` for why both are valid and why pinning one\n * is racy when enterprise modules are enabled.\n */\nexport async function expectConflictBanner(page: Page): Promise<void> {\n  const conflictSurface = page\n    .getByTestId(CONFLICT_BANNER_TESTID)\n    .or(page.getByTestId(CONFLICT_DIALOG_TESTID))\n  await expect(\n    conflictSurface.first(),\n    'a conflict surface (OSS bar or record_locks dialog) should appear after a stale save',\n  ).toBeVisible({ timeout: 10_000 })\n}\n\n/** Assert no conflict surface is present (a clean single-tab save must not 409). */\nexport async function expectNoConflictBanner(page: Page): Promise<void> {\n  await expect(\n    page.getByTestId(CONFLICT_BANNER_TESTID),\n    'a clean save must not surface a false-positive conflict bar',\n  ).toHaveCount(0)\n  await expect(\n    page.getByTestId(CONFLICT_DIALOG_TESTID),\n    'a clean save must not surface a false-positive conflict dialog',\n  ).toHaveCount(0)\n}\n\n/** Click the conflict bar's Refresh button. */\nexport async function clickConflictRefresh(page: Page): Promise<void> {\n  await page.getByTestId(CONFLICT_BANNER_TESTID).getByRole('button', { name: /refresh/i }).click()\n}\n\n/** Dismiss the conflict bar via its close (X) button. */\nexport async function dismissConflictBanner(page: Page): Promise<void> {\n  await page.getByTestId(CONFLICT_BANNER_TESTID).getByRole('button', { name: /dismiss/i }).click()\n}\n"],
+  "mappings": "AAAA,SAAS,cAAiD;AAC1D;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAgBP,MAAM,WAAW,QAAQ,IAAI,UAAU,KAAK,KAAK;AAE1C,SAAS,cAAc,MAAsB;AAClD,SAAO,WAAW,GAAG,QAAQ,GAAG,IAAI,KAAK;AAC3C;AAEO,MAAM,yBAAyB;AAa/B,MAAM,yBAAyB;AAEtC,SAAS,YAAY,OAAe,WAA4C;AAC9E,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,KAAK;AAAA,IAC9B,gBAAgB;AAAA,EAClB;AACA,MAAI,cAAc,OAAW,SAAQ,2BAA2B,IAAI;AACpE,SAAO;AACT;AAOA,eAAsB,cACpB,SACA,OACA,UACA,IACA,UAAU,MACO;AACjB,QAAM,WAAW,MAAM,QAAQ;AAAA,IAC7B,cAAc,GAAG,QAAQ,IAAI,OAAO,IAAI,mBAAmB,EAAE,CAAC,EAAE;AAAA,IAChE,EAAE,QAAQ,OAAO,SAAS,YAAY,KAAK,EAAE;AAAA,EAC/C;AACA,SAAO,SAAS,OAAO,GAAG,OAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE,KAAK,GAAG;AAClF,QAAM,OAAQ,MAAM,SAAS,KAAK;AAGlC,QAAM,OAAO,MAAM,QAAS,KAA+B,KAAK,IAC3D,KAAmD,MAAM,CAAC,IAC1D;AACL,SAAO,MAAM,6CAA6C,EAAE,EAAE,EAAE,WAAW;AAC3E,QAAM,MAAO,MAAM,cAAc,MAAM;AACvC,SAAO,OAAO,KAAK,wCAAwC,OAAO,GAAG,CAAC,EAAE,EAAE,KAAK,QAAQ;AACvF,QAAM,KAAK,KAAK,MAAM,GAAa;AACnC,SAAO,OAAO,SAAS,EAAE,GAAG,gCAAgC,OAAO,GAAG,CAAC,EAAE,EAAE,KAAK,IAAI;AACpF,SAAO,IAAI,KAAK,EAAE,EAAE,YAAY;AAClC;AAOA,eAAsB,iBACpB,SACA,OACA,UACA,SACA,OAAuD,CAAC,GAChC;AACxB,QAAM,WAAW,MAAM,QAAQ,MAAM,cAAc,QAAQ,GAAG;AAAA,IAC5D,QAAQ,KAAK,UAAU;AAAA,IACvB,SAAS,YAAY,KAAK;AAAA,IAC1B,MAAM;AAAA,EACR,CAAC;AACD;AAAA,IACE,SAAS,OAAO;AAAA,IAChB,eAAe,KAAK,UAAU,KAAK,IAAI,QAAQ,wCAAwC,SAAS,OAAO,CAAC;AAAA,EAC1G,EAAE,aAAa,GAAG;AAClB,QAAM,KAAK,QAAQ,KAAK,WAAW,IAAI;AACvC,MAAI,OAAO,OAAO,UAAU;AAC1B,QAAI;AACF,aAAO,MAAM,cAAc,SAAS,OAAO,UAAU,IAAI,KAAK,OAAO;AAAA,IACvE,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,YACpB,SACA,OACA,UACA,MACA,WACA;AACA,SAAO,QAAQ,MAAM,cAAc,QAAQ,GAAG;AAAA,IAC5C,QAAQ;AAAA,IACR,SAAS,YAAY,OAAO,SAAS;AAAA,IACrC,MAAM;AAAA,EACR,CAAC;AACH;AAEA,eAAsB,mBAAmB,UAA0D;AACjG,SAAO,SAAS,OAAO,GAAG,2BAA2B,EAAE,KAAK,GAAG;AAC/D,QAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,SAAO,KAAK,MAAM,uDAAuD,EAAE,KAAK,6BAA6B;AAC7G,SAAO;AACT;AAQA,eAAsB,qBAAqB,MAA2B;AACpE,QAAM,kBAAkB,KACrB,YAAY,sBAAsB,EAClC,GAAG,KAAK,YAAY,sBAAsB,CAAC;AAC9C,QAAM;AAAA,IACJ,gBAAgB,MAAM;AAAA,IACtB;AAAA,EACF,EAAE,YAAY,EAAE,SAAS,IAAO,CAAC;AACnC;AAGA,eAAsB,uBAAuB,MAA2B;AACtE,QAAM;AAAA,IACJ,KAAK,YAAY,sBAAsB;AAAA,IACvC;AAAA,EACF,EAAE,YAAY,CAAC;AACf,QAAM;AAAA,IACJ,KAAK,YAAY,sBAAsB;AAAA,IACvC;AAAA,EACF,EAAE,YAAY,CAAC;AACjB;AAGA,eAAsB,qBAAqB,MAA2B;AACpE,QAAM,KAAK,YAAY,sBAAsB,EAAE,UAAU,UAAU,EAAE,MAAM,WAAW,CAAC,EAAE,MAAM;AACjG;AAGA,eAAsB,sBAAsB,MAA2B;AACrE,QAAM,KAAK,YAAY,sBAAsB,EAAE,UAAU,UAAU,EAAE,MAAM,WAAW,CAAC,EAAE,MAAM;AACjG;",
+  "names": []
+}

package/dist/helpers/integration/salesFixtures.js CHANGED Viewed

@@ -46,6 +46,22 @@ async function createOrderLineFixture(request, token, orderId, data) {
     ["id", "lineId"]
   );
 }
+async function canManageSalesOrders(request, token) {
+  const response = await apiRequest(request, "POST", "/api/sales/orders", {
+    token,
+    data: { currencyCode: "USD" }
+  });
+  if (response.status() === 403) return false;
+  if (!response.ok()) return false;
+  const id = readId(await response.json(), ["id", "orderId"]);
+  if (id) {
+    try {
+      await apiRequest(request, "DELETE", "/api/sales/orders", { token, data: { id } });
+    } catch {
+    }
+  }
+  return true;
+}
 async function deleteSalesEntityIfExists(request, token, path, id) {
   if (!token || !id) return;
   try {
@@ -55,6 +71,7 @@ async function deleteSalesEntityIfExists(request, token, path, id) {
   }
 }
 export {
+  canManageSalesOrders,
   createOrderLineFixture,
   createSalesOrderFixture,
   createSalesQuoteFixture,

package/dist/helpers/integration/salesFixtures.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/helpers/integration/salesFixtures.ts"],
-  "sourcesContent": ["import { expect, type APIRequestContext } from '@playwright/test';\nimport { apiRequest } from './api';\n\ntype JsonMap = Record<string, unknown>;\n\nfunction readId(payload: unknown, keys: string[]): string | null {\n  if (!payload || typeof payload !== 'object') return null;\n  const map = payload as JsonMap;\n  for (const key of keys) {\n    const value = map[key];\n    if (typeof value === 'string' && value.length > 0) return value;\n  }\n  for (const value of Object.values(map)) {\n    if (value && typeof value === 'object' && !Array.isArray(value)) {\n      const nested = readId(value, keys);\n      if (nested) return nested;\n    }\n  }\n  return null;\n}\n\nasync function createEntity(\n  request: APIRequestContext,\n  token: string,\n  path: string,\n  data: Record<string, unknown>,\n  idKeys: string[],\n): Promise<string> {\n  const response = await apiRequest(request, 'POST', path, { token, data });\n  const body = (await response.json()) as unknown;\n  expect(response.ok(), `Failed POST ${path}: ${response.status()}`).toBeTruthy();\n  const id = readId(body, idKeys);\n  expect(id, `No id in POST ${path} response`).toBeTruthy();\n  return id as string;\n}\n\nexport async function createSalesQuoteFixture(\n  request: APIRequestContext,\n  token: string,\n  currencyCode = 'USD',\n): Promise<string> {\n  return createEntity(request, token, '/api/sales/quotes', { currencyCode }, ['id', 'quoteId']);\n}\n\nexport async function createSalesOrderFixture(\n  request: APIRequestContext,\n  token: string,\n  currencyCode = 'USD',\n): Promise<string> {\n  return createEntity(request, token, '/api/sales/orders', { currencyCode }, ['id', 'orderId']);\n}\n\nexport async function createOrderLineFixture(\n  request: APIRequestContext,\n  token: string,\n  orderId: string,\n  data?: Record<string, unknown>,\n): Promise<string> {\n  return createEntity(\n    request,\n    token,\n    '/api/sales/order-lines',\n    {\n      orderId,\n      currencyCode: 'USD',\n      quantity: 1,\n      name: `QA line ${Date.now()}`,\n      unitPriceNet: 10,\n      unitPriceGross: 12,\n      ...(data ?? {}),\n    },\n    ['id', 'lineId'],\n  );\n}\n\nexport async function deleteSalesEntityIfExists(\n  request: APIRequestContext,\n  token: string | null,\n  path: string,\n  id: string | null,\n): Promise<void> {\n  if (!token || !id) return;\n  try {\n    await apiRequest(request, 'DELETE', `${path}?id=${encodeURIComponent(id)}`, { token });\n  } catch {\n    return;\n  }\n}\n\n"],
-  "mappings": "AAAA,SAAS,cAAsC;AAC/C,SAAS,kBAAkB;AAI3B,SAAS,OAAO,SAAkB,MAA+B;AAC/D,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,QAAM,MAAM;AACZ,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,IAAI,GAAG;AACrB,QAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;AAAA,EAC5D;AACA,aAAW,SAAS,OAAO,OAAO,GAAG,GAAG;AACtC,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,YAAM,SAAS,OAAO,OAAO,IAAI;AACjC,UAAI,OAAQ,QAAO;AAAA,IACrB;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aACb,SACA,OACA,MACA,MACA,QACiB;AACjB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC;AACxE,QAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,SAAO,SAAS,GAAG,GAAG,eAAe,IAAI,KAAK,SAAS,OAAO,CAAC,EAAE,EAAE,WAAW;AAC9E,QAAM,KAAK,OAAO,MAAM,MAAM;AAC9B,SAAO,IAAI,iBAAiB,IAAI,WAAW,EAAE,WAAW;AACxD,SAAO;AACT;AAEA,eAAsB,wBACpB,SACA,OACA,eAAe,OACE;AACjB,SAAO,aAAa,SAAS,OAAO,qBAAqB,EAAE,aAAa,GAAG,CAAC,MAAM,SAAS,CAAC;AAC9F;AAEA,eAAsB,wBACpB,SACA,OACA,eAAe,OACE;AACjB,SAAO,aAAa,SAAS,OAAO,qBAAqB,EAAE,aAAa,GAAG,CAAC,MAAM,SAAS,CAAC;AAC9F;AAEA,eAAsB,uBACpB,SACA,OACA,SACA,MACiB;AACjB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,cAAc;AAAA,MACd,UAAU;AAAA,MACV,MAAM,WAAW,KAAK,IAAI,CAAC;AAAA,MAC3B,cAAc;AAAA,MACd,gBAAgB;AAAA,MAChB,GAAI,QAAQ,CAAC;AAAA,IACf;AAAA,IACA,CAAC,MAAM,QAAQ;AAAA,EACjB;AACF;AAEA,eAAsB,0BACpB,SACA,OACA,MACA,IACe;AACf,MAAI,CAAC,SAAS,CAAC,GAAI;AACnB,MAAI;AACF,UAAM,WAAW,SAAS,UAAU,GAAG,IAAI,OAAO,mBAAmB,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC;AAAA,EACvF,QAAQ;AACN;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { expect, type APIRequestContext } from '@playwright/test';\nimport { apiRequest } from './api';\n\ntype JsonMap = Record<string, unknown>;\n\nfunction readId(payload: unknown, keys: string[]): string | null {\n  if (!payload || typeof payload !== 'object') return null;\n  const map = payload as JsonMap;\n  for (const key of keys) {\n    const value = map[key];\n    if (typeof value === 'string' && value.length > 0) return value;\n  }\n  for (const value of Object.values(map)) {\n    if (value && typeof value === 'object' && !Array.isArray(value)) {\n      const nested = readId(value, keys);\n      if (nested) return nested;\n    }\n  }\n  return null;\n}\n\nasync function createEntity(\n  request: APIRequestContext,\n  token: string,\n  path: string,\n  data: Record<string, unknown>,\n  idKeys: string[],\n): Promise<string> {\n  const response = await apiRequest(request, 'POST', path, { token, data });\n  const body = (await response.json()) as unknown;\n  expect(response.ok(), `Failed POST ${path}: ${response.status()}`).toBeTruthy();\n  const id = readId(body, idKeys);\n  expect(id, `No id in POST ${path} response`).toBeTruthy();\n  return id as string;\n}\n\nexport async function createSalesQuoteFixture(\n  request: APIRequestContext,\n  token: string,\n  currencyCode = 'USD',\n): Promise<string> {\n  return createEntity(request, token, '/api/sales/quotes', { currencyCode }, ['id', 'quoteId']);\n}\n\nexport async function createSalesOrderFixture(\n  request: APIRequestContext,\n  token: string,\n  currencyCode = 'USD',\n): Promise<string> {\n  return createEntity(request, token, '/api/sales/orders', { currencyCode }, ['id', 'orderId']);\n}\n\nexport async function createOrderLineFixture(\n  request: APIRequestContext,\n  token: string,\n  orderId: string,\n  data?: Record<string, unknown>,\n): Promise<string> {\n  return createEntity(\n    request,\n    token,\n    '/api/sales/order-lines',\n    {\n      orderId,\n      currencyCode: 'USD',\n      quantity: 1,\n      name: `QA line ${Date.now()}`,\n      unitPriceNet: 10,\n      unitPriceGross: 12,\n      ...(data ?? {}),\n    },\n    ['id', 'lineId'],\n  );\n}\n\n/**\n * Probe whether the authenticated principal can create a sales order on the\n * current tenant (i.e. holds `sales.orders.manage`). Sales-write integration\n * specs use this to self-skip on dev databases whose role ACLs were never\n * synced (`yarn mercato auth sync-role-acls`) rather than fail spuriously \u2014\n * CI bootstraps a fully-synced tenant so the probe passes there. The probed\n * order is deleted immediately so the check leaves no residue.\n */\nexport async function canManageSalesOrders(\n  request: APIRequestContext,\n  token: string,\n): Promise<boolean> {\n  const response = await apiRequest(request, 'POST', '/api/sales/orders', {\n    token,\n    data: { currencyCode: 'USD' },\n  });\n  if (response.status() === 403) return false;\n  if (!response.ok()) return false;\n  const id = readId((await response.json()) as unknown, ['id', 'orderId']);\n  if (id) {\n    try {\n      await apiRequest(request, 'DELETE', '/api/sales/orders', { token, data: { id } });\n    } catch {\n      // best-effort cleanup\n    }\n  }\n  return true;\n}\n\nexport async function deleteSalesEntityIfExists(\n  request: APIRequestContext,\n  token: string | null,\n  path: string,\n  id: string | null,\n): Promise<void> {\n  if (!token || !id) return;\n  try {\n    await apiRequest(request, 'DELETE', `${path}?id=${encodeURIComponent(id)}`, { token });\n  } catch {\n    return;\n  }\n}\n\n"],
+  "mappings": "AAAA,SAAS,cAAsC;AAC/C,SAAS,kBAAkB;AAI3B,SAAS,OAAO,SAAkB,MAA+B;AAC/D,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,QAAM,MAAM;AACZ,aAAW,OAAO,MAAM;AACtB,UAAM,QAAQ,IAAI,GAAG;AACrB,QAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;AAAA,EAC5D;AACA,aAAW,SAAS,OAAO,OAAO,GAAG,GAAG;AACtC,QAAI,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK,GAAG;AAC/D,YAAM,SAAS,OAAO,OAAO,IAAI;AACjC,UAAI,OAAQ,QAAO;AAAA,IACrB;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAe,aACb,SACA,OACA,MACA,MACA,QACiB;AACjB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,MAAM,EAAE,OAAO,KAAK,CAAC;AACxE,QAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,SAAO,SAAS,GAAG,GAAG,eAAe,IAAI,KAAK,SAAS,OAAO,CAAC,EAAE,EAAE,WAAW;AAC9E,QAAM,KAAK,OAAO,MAAM,MAAM;AAC9B,SAAO,IAAI,iBAAiB,IAAI,WAAW,EAAE,WAAW;AACxD,SAAO;AACT;AAEA,eAAsB,wBACpB,SACA,OACA,eAAe,OACE;AACjB,SAAO,aAAa,SAAS,OAAO,qBAAqB,EAAE,aAAa,GAAG,CAAC,MAAM,SAAS,CAAC;AAC9F;AAEA,eAAsB,wBACpB,SACA,OACA,eAAe,OACE;AACjB,SAAO,aAAa,SAAS,OAAO,qBAAqB,EAAE,aAAa,GAAG,CAAC,MAAM,SAAS,CAAC;AAC9F;AAEA,eAAsB,uBACpB,SACA,OACA,SACA,MACiB;AACjB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,MACE;AAAA,MACA,cAAc;AAAA,MACd,UAAU;AAAA,MACV,MAAM,WAAW,KAAK,IAAI,CAAC;AAAA,MAC3B,cAAc;AAAA,MACd,gBAAgB;AAAA,MAChB,GAAI,QAAQ,CAAC;AAAA,IACf;AAAA,IACA,CAAC,MAAM,QAAQ;AAAA,EACjB;AACF;AAUA,eAAsB,qBACpB,SACA,OACkB;AAClB,QAAM,WAAW,MAAM,WAAW,SAAS,QAAQ,qBAAqB;AAAA,IACtE;AAAA,IACA,MAAM,EAAE,cAAc,MAAM;AAAA,EAC9B,CAAC;AACD,MAAI,SAAS,OAAO,MAAM,IAAK,QAAO;AACtC,MAAI,CAAC,SAAS,GAAG,EAAG,QAAO;AAC3B,QAAM,KAAK,OAAQ,MAAM,SAAS,KAAK,GAAe,CAAC,MAAM,SAAS,CAAC;AACvE,MAAI,IAAI;AACN,QAAI;AACF,YAAM,WAAW,SAAS,UAAU,qBAAqB,EAAE,OAAO,MAAM,EAAE,GAAG,EAAE,CAAC;AAAA,IAClF,QAAQ;AAAA,IAER;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAsB,0BACpB,SACA,OACA,MACA,IACe;AACf,MAAI,CAAC,SAAS,CAAC,GAAI;AACnB,MAAI;AACF,UAAM,WAAW,SAAS,UAAU,GAAG,IAAI,OAAO,mBAAmB,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC;AAAA,EACvF,QAAQ;AACN;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/api_keys/backend/api-keys/page.js CHANGED Viewed

@@ -6,7 +6,8 @@ import { Page, PageBody } from "@open-mercato/ui/backend/Page";
 import { DataTable } from "@open-mercato/ui/backend/DataTable";
 import { Button } from "@open-mercato/ui/primitives/button";
 import { RowActions } from "@open-mercato/ui/backend/RowActions";
-import { apiCall } from "@open-mercato/ui/backend/utils/apiCall";
+import { apiCall, withScopedApiRequestHeaders } from "@open-mercato/ui/backend/utils/apiCall";
+import { buildOptimisticLockHeader } from "@open-mercato/ui/backend/utils/optimisticLock";
 import { flash } from "@open-mercato/ui/backend/FlashMessages";
 import { useOrganizationScopeVersion } from "@open-mercato/shared/lib/frontend/useOrganizationScope";
 import { useT } from "@open-mercato/shared/lib/i18n/context";
@@ -80,10 +81,13 @@ function ApiKeysListPage() {
     });
     if (!confirmed) return;
     try {
-      const call = await apiCall(
-        `/api/api_keys/keys?id=${encodeURIComponent(row.id)}`,
-        { method: "DELETE" },
-        { fallback: null }
+      const call = await withScopedApiRequestHeaders(
+        buildOptimisticLockHeader(row.updatedAt),
+        () => apiCall(
+          `/api/api_keys/keys?id=${encodeURIComponent(row.id)}`,
+          { method: "DELETE" },
+          { fallback: null }
+        )
       );
       if (!call.ok) {
         const errorPayload = call.result;

package/dist/modules/api_keys/backend/api-keys/page.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/api_keys/backend/api-keys/page.tsx"],
-  "sourcesContent": ["\"use client\"\nimport * as React from 'react'\nimport Link from 'next/link'\nimport { Page, PageBody } from '@open-mercato/ui/backend/Page'\nimport { DataTable } from '@open-mercato/ui/backend/DataTable'\nimport type { ColumnDef } from '@tanstack/react-table'\nimport { Button } from '@open-mercato/ui/primitives/button'\nimport { RowActions } from '@open-mercato/ui/backend/RowActions'\nimport { apiCall } from '@open-mercato/ui/backend/utils/apiCall'\nimport { flash } from '@open-mercato/ui/backend/FlashMessages'\nimport { useOrganizationScopeVersion } from '@open-mercato/shared/lib/frontend/useOrganizationScope'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\nimport { useConfirmDialog } from '@open-mercato/ui/backend/confirm-dialog'\n\ntype RoleSummary = { id: string; name: string | null }\n\ntype Row = {\n  id: string\n  name: string\n  description: string | null\n  keyPrefix: string\n  organizationId: string | null\n  organizationName: string | null\n  createdAt: string\n  lastUsedAt: string | null\n  expiresAt: string | null\n  roles: RoleSummary[]\n}\n\ntype ResponsePayload = {\n  items: Row[]\n  total: number\n  page: number\n  totalPages: number\n}\n\nfunction formatDate(value: string | null, t: (key: string, params?: Record<string, string | number>) => string) {\n  if (!value) return t('api_keys.list.noDate')\n  try {\n    const date = new Date(value)\n    if (Number.isNaN(date.getTime())) return t('api_keys.list.noDate')\n    return date.toLocaleString()\n  } catch {\n    return t('api_keys.list.noDate')\n  }\n}\n\nexport default function ApiKeysListPage() {\n  const [rows, setRows] = React.useState<Row[]>([])\n  const [page, setPage] = React.useState(1)\n  const [total, setTotal] = React.useState(0)\n  const [totalPages, setTotalPages] = React.useState(1)\n  const [search, setSearch] = React.useState('')\n  const [isLoading, setIsLoading] = React.useState(true)\n  const [reloadToken, setReloadToken] = React.useState(0)\n  const scopeVersion = useOrganizationScopeVersion()\n  const t = useT()\n  const { confirm, ConfirmDialogElement } = useConfirmDialog()\n\n  React.useEffect(() => {\n    let cancelled = false\n    async function load() {\n      setIsLoading(true)\n      try {\n        const params = new URLSearchParams()\n        params.set('page', String(page))\n        params.set('pageSize', '20')\n        if (search) params.set('search', search)\n        const fallback: ResponsePayload = { items: [], total: 0, page, totalPages: 1 }\n        const call = await apiCall<ResponsePayload>(\n          `/api/api_keys/keys?${params.toString()}`,\n          undefined,\n          { fallback },\n        )\n        if (!call.ok) {\n          const errorPayload = call.result as { error?: string } | undefined\n          const message = typeof errorPayload?.error === 'string' ? errorPayload.error : t('api_keys.list.error.loadFailed')\n          flash(message, 'error')\n          return\n        }\n        const payload = call.result ?? fallback\n        if (!cancelled) {\n          setRows(Array.isArray(payload.items) ? payload.items : [])\n          setTotal(payload.total || 0)\n          setTotalPages(payload.totalPages || 1)\n        }\n      } catch (error) {\n        if (!cancelled) {\n          const message = error instanceof Error ? error.message : t('api_keys.list.error.loadFailed')\n          flash(message, 'error')\n        }\n      } finally {\n        if (!cancelled) setIsLoading(false)\n      }\n    }\n    load()\n    return () => { cancelled = true }\n  }, [page, search, reloadToken, scopeVersion, t])\n\n  const handleDelete = React.useCallback(async (row: Row) => {\n    const confirmed = await confirm({\n      title: t('api_keys.list.confirmDelete', { name: row.name }),\n      variant: 'destructive',\n    })\n    if (!confirmed) return\n    try {\n      const call = await apiCall<{ error?: string }>(\n        `/api/api_keys/keys?id=${encodeURIComponent(row.id)}`,\n        { method: 'DELETE' },\n        { fallback: null },\n      )\n      if (!call.ok) {\n        const errorPayload = call.result as { error?: string } | undefined\n        const message = typeof errorPayload?.error === 'string' ? errorPayload.error : t('api_keys.list.error.deleteFailed')\n        flash(message, 'error')\n        return\n      }\n      flash(t('api_keys.list.success.deleted'), 'success')\n      setReloadToken((token) => token + 1)\n    } catch (error) {\n      const message = error instanceof Error ? error.message : t('api_keys.list.error.deleteFailed')\n      flash(message, 'error')\n    }\n  }, [confirm, t])\n\n  const columns = React.useMemo<ColumnDef<Row>[]>(() => [\n    { accessorKey: 'name', header: t('api_keys.list.columns.name') },\n    {\n      accessorKey: 'keyPrefix',\n      header: t('api_keys.list.columns.key'),\n      cell: ({ row }) => <code className=\"text-xs\">{row.original.keyPrefix}\u2026</code>,\n    },\n    {\n      accessorKey: 'organizationName',\n      header: t('api_keys.list.columns.organization'),\n      cell: ({ row }) => row.original.organizationName || t('api_keys.list.noDate'),\n    },\n    {\n      accessorKey: 'roles',\n      header: t('api_keys.list.columns.roles'),\n      cell: ({ row }) => (\n        <div className=\"flex flex-wrap gap-1\">\n          {row.original.roles.length === 0 && <span className=\"text-muted-foreground text-xs\">{t('api_keys.list.noRoles')}</span>}\n          {row.original.roles.map((role) => (\n            <span\n              key={role.id}\n              className=\"inline-flex items-center rounded-full border px-2 py-0.5 text-xs font-medium\"\n            >\n              {role.name || role.id}\n            </span>\n          ))}\n        </div>\n      ),\n    },\n    {\n      accessorKey: 'lastUsedAt',\n      header: t('api_keys.list.columns.lastUsed'),\n      cell: ({ row }) => formatDate(row.original.lastUsedAt, t),\n    },\n    {\n      accessorKey: 'expiresAt',\n      header: t('api_keys.list.columns.expires'),\n      cell: ({ row }) => formatDate(row.original.expiresAt, t),\n    },\n  ], [t])\n\n  return (\n    <Page>\n      <PageBody>\n        <DataTable\n          title={t('api_keys.list.title')}\n          actions={(\n            <Button asChild>\n              <Link href=\"/backend/api-keys/create\">{t('api_keys.list.actions.create')}</Link>\n            </Button>\n          )}\n          columns={columns}\n          data={rows}\n          searchValue={search}\n          onSearchChange={(value) => { setSearch(value); setPage(1) }}\n          perspective={{ tableId: 'api_keys.list' }}\n          rowActions={(row) => (\n            <RowActions items={[\n              { id: 'delete', label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },\n            ]} />\n          )}\n          pagination={{ page, pageSize: 20, total, totalPages, onPageChange: setPage }}\n          isLoading={isLoading}\n        />\n      </PageBody>\n      {ConfirmDialogElement}\n    </Page>\n  )\n}\n"],
-  "mappings": ";AAkIyB,SAYqB,KAZrB;AAjIzB,YAAY,WAAW;AACvB,OAAO,UAAU;AACjB,SAAS,MAAM,gBAAgB;AAC/B,SAAS,iBAAiB;AAE1B,SAAS,cAAc;AACvB,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AACxB,SAAS,aAAa;AACtB,SAAS,mCAAmC;AAC5C,SAAS,YAAY;AACrB,SAAS,wBAAwB;AAwBjC,SAAS,WAAW,OAAsB,GAAsE;AAC9G,MAAI,CAAC,MAAO,QAAO,EAAE,sBAAsB;AAC3C,MAAI;AACF,UAAM,OAAO,IAAI,KAAK,KAAK;AAC3B,QAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,EAAG,QAAO,EAAE,sBAAsB;AACjE,WAAO,KAAK,eAAe;AAAA,EAC7B,QAAQ;AACN,WAAO,EAAE,sBAAsB;AAAA,EACjC;AACF;AAEe,SAAR,kBAAmC;AACxC,QAAM,CAAC,MAAM,OAAO,IAAI,MAAM,SAAgB,CAAC,CAAC;AAChD,QAAM,CAAC,MAAM,OAAO,IAAI,MAAM,SAAS,CAAC;AACxC,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAS,CAAC;AAC1C,QAAM,CAAC,YAAY,aAAa,IAAI,MAAM,SAAS,CAAC;AACpD,QAAM,CAAC,QAAQ,SAAS,IAAI,MAAM,SAAS,EAAE;AAC7C,QAAM,CAAC,WAAW,YAAY,IAAI,MAAM,SAAS,IAAI;AACrD,QAAM,CAAC,aAAa,cAAc,IAAI,MAAM,SAAS,CAAC;AACtD,QAAM,eAAe,4BAA4B;AACjD,QAAM,IAAI,KAAK;AACf,QAAM,EAAE,SAAS,qBAAqB,IAAI,iBAAiB;AAE3D,QAAM,UAAU,MAAM;AACpB,QAAI,YAAY;AAChB,mBAAe,OAAO;AACpB,mBAAa,IAAI;AACjB,UAAI;AACF,cAAM,SAAS,IAAI,gBAAgB;AACnC,eAAO,IAAI,QAAQ,OAAO,IAAI,CAAC;AAC/B,eAAO,IAAI,YAAY,IAAI;AAC3B,YAAI,OAAQ,QAAO,IAAI,UAAU,MAAM;AACvC,cAAM,WAA4B,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,MAAM,YAAY,EAAE;AAC7E,cAAM,OAAO,MAAM;AAAA,UACjB,sBAAsB,OAAO,SAAS,CAAC;AAAA,UACvC;AAAA,UACA,EAAE,SAAS;AAAA,QACb;AACA,YAAI,CAAC,KAAK,IAAI;AACZ,gBAAM,eAAe,KAAK;AAC1B,gBAAM,UAAU,OAAO,cAAc,UAAU,WAAW,aAAa,QAAQ,EAAE,gCAAgC;AACjH,gBAAM,SAAS,OAAO;AACtB;AAAA,QACF;AACA,cAAM,UAAU,KAAK,UAAU;AAC/B,YAAI,CAAC,WAAW;AACd,kBAAQ,MAAM,QAAQ,QAAQ,KAAK,IAAI,QAAQ,QAAQ,CAAC,CAAC;AACzD,mBAAS,QAAQ,SAAS,CAAC;AAC3B,wBAAc,QAAQ,cAAc,CAAC;AAAA,QACvC;AAAA,MACF,SAAS,OAAO;AACd,YAAI,CAAC,WAAW;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,EAAE,gCAAgC;AAC3F,gBAAM,SAAS,OAAO;AAAA,QACxB;AAAA,MACF,UAAE;AACA,YAAI,CAAC,UAAW,cAAa,KAAK;AAAA,MACpC;AAAA,IACF;AACA,SAAK;AACL,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAK;AAAA,EAClC,GAAG,CAAC,MAAM,QAAQ,aAAa,cAAc,CAAC,CAAC;AAE/C,QAAM,eAAe,MAAM,YAAY,OAAO,QAAa;AACzD,UAAM,YAAY,MAAM,QAAQ;AAAA,MAC9B,OAAO,EAAE,+BAA+B,EAAE,MAAM,IAAI,KAAK,CAAC;AAAA,MAC1D,SAAS;AAAA,IACX,CAAC;AACD,QAAI,CAAC,UAAW;AAChB,QAAI;AACF,YAAM,OAAO,MAAM;AAAA,QACjB,yBAAyB,mBAAmB,IAAI,EAAE,CAAC;AAAA,QACnD,EAAE,QAAQ,SAAS;AAAA,QACnB,EAAE,UAAU,KAAK;AAAA,MACnB;AACA,UAAI,CAAC,KAAK,IAAI;AACZ,cAAM,eAAe,KAAK;AAC1B,cAAM,UAAU,OAAO,cAAc,UAAU,WAAW,aAAa,QAAQ,EAAE,kCAAkC;AACnH,cAAM,SAAS,OAAO;AACtB;AAAA,MACF;AACA,YAAM,EAAE,+BAA+B,GAAG,SAAS;AACnD,qBAAe,CAAC,UAAU,QAAQ,CAAC;AAAA,IACrC,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,EAAE,kCAAkC;AAC7F,YAAM,SAAS,OAAO;AAAA,IACxB;AAAA,EACF,GAAG,CAAC,SAAS,CAAC,CAAC;AAEf,QAAM,UAAU,MAAM,QAA0B,MAAM;AAAA,IACpD,EAAE,aAAa,QAAQ,QAAQ,EAAE,4BAA4B,EAAE;AAAA,IAC/D;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,2BAA2B;AAAA,MACrC,MAAM,CAAC,EAAE,IAAI,MAAM,qBAAC,UAAK,WAAU,WAAW;AAAA,YAAI,SAAS;AAAA,QAAU;AAAA,SAAC;AAAA,IACxE;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,oCAAoC;AAAA,MAC9C,MAAM,CAAC,EAAE,IAAI,MAAM,IAAI,SAAS,oBAAoB,EAAE,sBAAsB;AAAA,IAC9E;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,6BAA6B;AAAA,MACvC,MAAM,CAAC,EAAE,IAAI,MACX,qBAAC,SAAI,WAAU,wBACZ;AAAA,YAAI,SAAS,MAAM,WAAW,KAAK,oBAAC,UAAK,WAAU,iCAAiC,YAAE,uBAAuB,GAAE;AAAA,QAC/G,IAAI,SAAS,MAAM,IAAI,CAAC,SACvB;AAAA,UAAC;AAAA;AAAA,YAEC,WAAU;AAAA,YAET,eAAK,QAAQ,KAAK;AAAA;AAAA,UAHd,KAAK;AAAA,QAIZ,CACD;AAAA,SACH;AAAA,IAEJ;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,gCAAgC;AAAA,MAC1C,MAAM,CAAC,EAAE,IAAI,MAAM,WAAW,IAAI,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,+BAA+B;AAAA,MACzC,MAAM,CAAC,EAAE,IAAI,MAAM,WAAW,IAAI,SAAS,WAAW,CAAC;AAAA,IACzD;AAAA,EACF,GAAG,CAAC,CAAC,CAAC;AAEN,SACE,qBAAC,QACC;AAAA,wBAAC,YACC;AAAA,MAAC;AAAA;AAAA,QACC,OAAO,EAAE,qBAAqB;AAAA,QAC9B,SACE,oBAAC,UAAO,SAAO,MACb,8BAAC,QAAK,MAAK,4BAA4B,YAAE,8BAA8B,GAAE,GAC3E;AAAA,QAEF;AAAA,QACA,MAAM;AAAA,QACN,aAAa;AAAA,QACb,gBAAgB,CAAC,UAAU;AAAE,oBAAU,KAAK;AAAG,kBAAQ,CAAC;AAAA,QAAE;AAAA,QAC1D,aAAa,EAAE,SAAS,gBAAgB;AAAA,QACxC,YAAY,CAAC,QACX,oBAAC,cAAW,OAAO;AAAA,UACjB,EAAE,IAAI,UAAU,OAAO,EAAE,eAAe,GAAG,aAAa,MAAM,UAAU,MAAM;AAAE,iBAAK,aAAa,GAAG;AAAA,UAAE,EAAE;AAAA,QAC3G,GAAG;AAAA,QAEL,YAAY,EAAE,MAAM,UAAU,IAAI,OAAO,YAAY,cAAc,QAAQ;AAAA,QAC3E;AAAA;AAAA,IACF,GACF;AAAA,IACC;AAAA,KACH;AAEJ;",
+  "sourcesContent": ["\"use client\"\nimport * as React from 'react'\nimport Link from 'next/link'\nimport { Page, PageBody } from '@open-mercato/ui/backend/Page'\nimport { DataTable } from '@open-mercato/ui/backend/DataTable'\nimport type { ColumnDef } from '@tanstack/react-table'\nimport { Button } from '@open-mercato/ui/primitives/button'\nimport { RowActions } from '@open-mercato/ui/backend/RowActions'\nimport { apiCall, withScopedApiRequestHeaders } from '@open-mercato/ui/backend/utils/apiCall'\nimport { buildOptimisticLockHeader } from '@open-mercato/ui/backend/utils/optimisticLock'\nimport { flash } from '@open-mercato/ui/backend/FlashMessages'\nimport { useOrganizationScopeVersion } from '@open-mercato/shared/lib/frontend/useOrganizationScope'\nimport { useT } from '@open-mercato/shared/lib/i18n/context'\nimport { useConfirmDialog } from '@open-mercato/ui/backend/confirm-dialog'\n\ntype RoleSummary = { id: string; name: string | null }\n\ntype Row = {\n  id: string\n  name: string\n  description: string | null\n  keyPrefix: string\n  organizationId: string | null\n  organizationName: string | null\n  createdAt: string\n  lastUsedAt: string | null\n  expiresAt: string | null\n  roles: RoleSummary[]\n  updatedAt?: string | null\n}\n\ntype ResponsePayload = {\n  items: Row[]\n  total: number\n  page: number\n  totalPages: number\n}\n\nfunction formatDate(value: string | null, t: (key: string, params?: Record<string, string | number>) => string) {\n  if (!value) return t('api_keys.list.noDate')\n  try {\n    const date = new Date(value)\n    if (Number.isNaN(date.getTime())) return t('api_keys.list.noDate')\n    return date.toLocaleString()\n  } catch {\n    return t('api_keys.list.noDate')\n  }\n}\n\nexport default function ApiKeysListPage() {\n  const [rows, setRows] = React.useState<Row[]>([])\n  const [page, setPage] = React.useState(1)\n  const [total, setTotal] = React.useState(0)\n  const [totalPages, setTotalPages] = React.useState(1)\n  const [search, setSearch] = React.useState('')\n  const [isLoading, setIsLoading] = React.useState(true)\n  const [reloadToken, setReloadToken] = React.useState(0)\n  const scopeVersion = useOrganizationScopeVersion()\n  const t = useT()\n  const { confirm, ConfirmDialogElement } = useConfirmDialog()\n\n  React.useEffect(() => {\n    let cancelled = false\n    async function load() {\n      setIsLoading(true)\n      try {\n        const params = new URLSearchParams()\n        params.set('page', String(page))\n        params.set('pageSize', '20')\n        if (search) params.set('search', search)\n        const fallback: ResponsePayload = { items: [], total: 0, page, totalPages: 1 }\n        const call = await apiCall<ResponsePayload>(\n          `/api/api_keys/keys?${params.toString()}`,\n          undefined,\n          { fallback },\n        )\n        if (!call.ok) {\n          const errorPayload = call.result as { error?: string } | undefined\n          const message = typeof errorPayload?.error === 'string' ? errorPayload.error : t('api_keys.list.error.loadFailed')\n          flash(message, 'error')\n          return\n        }\n        const payload = call.result ?? fallback\n        if (!cancelled) {\n          setRows(Array.isArray(payload.items) ? payload.items : [])\n          setTotal(payload.total || 0)\n          setTotalPages(payload.totalPages || 1)\n        }\n      } catch (error) {\n        if (!cancelled) {\n          const message = error instanceof Error ? error.message : t('api_keys.list.error.loadFailed')\n          flash(message, 'error')\n        }\n      } finally {\n        if (!cancelled) setIsLoading(false)\n      }\n    }\n    load()\n    return () => { cancelled = true }\n  }, [page, search, reloadToken, scopeVersion, t])\n\n  const handleDelete = React.useCallback(async (row: Row) => {\n    const confirmed = await confirm({\n      title: t('api_keys.list.confirmDelete', { name: row.name }),\n      variant: 'destructive',\n    })\n    if (!confirmed) return\n    try {\n      const call = await withScopedApiRequestHeaders(\n        buildOptimisticLockHeader(row.updatedAt),\n        () => apiCall<{ error?: string }>(\n          `/api/api_keys/keys?id=${encodeURIComponent(row.id)}`,\n          { method: 'DELETE' },\n          { fallback: null },\n        ),\n      )\n      if (!call.ok) {\n        const errorPayload = call.result as { error?: string } | undefined\n        const message = typeof errorPayload?.error === 'string' ? errorPayload.error : t('api_keys.list.error.deleteFailed')\n        flash(message, 'error')\n        return\n      }\n      flash(t('api_keys.list.success.deleted'), 'success')\n      setReloadToken((token) => token + 1)\n    } catch (error) {\n      const message = error instanceof Error ? error.message : t('api_keys.list.error.deleteFailed')\n      flash(message, 'error')\n    }\n  }, [confirm, t])\n\n  const columns = React.useMemo<ColumnDef<Row>[]>(() => [\n    { accessorKey: 'name', header: t('api_keys.list.columns.name') },\n    {\n      accessorKey: 'keyPrefix',\n      header: t('api_keys.list.columns.key'),\n      cell: ({ row }) => <code className=\"text-xs\">{row.original.keyPrefix}\u2026</code>,\n    },\n    {\n      accessorKey: 'organizationName',\n      header: t('api_keys.list.columns.organization'),\n      cell: ({ row }) => row.original.organizationName || t('api_keys.list.noDate'),\n    },\n    {\n      accessorKey: 'roles',\n      header: t('api_keys.list.columns.roles'),\n      cell: ({ row }) => (\n        <div className=\"flex flex-wrap gap-1\">\n          {row.original.roles.length === 0 && <span className=\"text-muted-foreground text-xs\">{t('api_keys.list.noRoles')}</span>}\n          {row.original.roles.map((role) => (\n            <span\n              key={role.id}\n              className=\"inline-flex items-center rounded-full border px-2 py-0.5 text-xs font-medium\"\n            >\n              {role.name || role.id}\n            </span>\n          ))}\n        </div>\n      ),\n    },\n    {\n      accessorKey: 'lastUsedAt',\n      header: t('api_keys.list.columns.lastUsed'),\n      cell: ({ row }) => formatDate(row.original.lastUsedAt, t),\n    },\n    {\n      accessorKey: 'expiresAt',\n      header: t('api_keys.list.columns.expires'),\n      cell: ({ row }) => formatDate(row.original.expiresAt, t),\n    },\n  ], [t])\n\n  return (\n    <Page>\n      <PageBody>\n        <DataTable\n          title={t('api_keys.list.title')}\n          actions={(\n            <Button asChild>\n              <Link href=\"/backend/api-keys/create\">{t('api_keys.list.actions.create')}</Link>\n            </Button>\n          )}\n          columns={columns}\n          data={rows}\n          searchValue={search}\n          onSearchChange={(value) => { setSearch(value); setPage(1) }}\n          perspective={{ tableId: 'api_keys.list' }}\n          rowActions={(row) => (\n            <RowActions items={[\n              { id: 'delete', label: t('common.delete'), destructive: true, onSelect: () => { void handleDelete(row) } },\n            ]} />\n          )}\n          pagination={{ page, pageSize: 20, total, totalPages, onPageChange: setPage }}\n          isLoading={isLoading}\n        />\n      </PageBody>\n      {ConfirmDialogElement}\n    </Page>\n  )\n}\n"],
+  "mappings": ";AAuIyB,SAYqB,KAZrB;AAtIzB,YAAY,WAAW;AACvB,OAAO,UAAU;AACjB,SAAS,MAAM,gBAAgB;AAC/B,SAAS,iBAAiB;AAE1B,SAAS,cAAc;AACvB,SAAS,kBAAkB;AAC3B,SAAS,SAAS,mCAAmC;AACrD,SAAS,iCAAiC;AAC1C,SAAS,aAAa;AACtB,SAAS,mCAAmC;AAC5C,SAAS,YAAY;AACrB,SAAS,wBAAwB;AAyBjC,SAAS,WAAW,OAAsB,GAAsE;AAC9G,MAAI,CAAC,MAAO,QAAO,EAAE,sBAAsB;AAC3C,MAAI;AACF,UAAM,OAAO,IAAI,KAAK,KAAK;AAC3B,QAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,EAAG,QAAO,EAAE,sBAAsB;AACjE,WAAO,KAAK,eAAe;AAAA,EAC7B,QAAQ;AACN,WAAO,EAAE,sBAAsB;AAAA,EACjC;AACF;AAEe,SAAR,kBAAmC;AACxC,QAAM,CAAC,MAAM,OAAO,IAAI,MAAM,SAAgB,CAAC,CAAC;AAChD,QAAM,CAAC,MAAM,OAAO,IAAI,MAAM,SAAS,CAAC;AACxC,QAAM,CAAC,OAAO,QAAQ,IAAI,MAAM,SAAS,CAAC;AAC1C,QAAM,CAAC,YAAY,aAAa,IAAI,MAAM,SAAS,CAAC;AACpD,QAAM,CAAC,QAAQ,SAAS,IAAI,MAAM,SAAS,EAAE;AAC7C,QAAM,CAAC,WAAW,YAAY,IAAI,MAAM,SAAS,IAAI;AACrD,QAAM,CAAC,aAAa,cAAc,IAAI,MAAM,SAAS,CAAC;AACtD,QAAM,eAAe,4BAA4B;AACjD,QAAM,IAAI,KAAK;AACf,QAAM,EAAE,SAAS,qBAAqB,IAAI,iBAAiB;AAE3D,QAAM,UAAU,MAAM;AACpB,QAAI,YAAY;AAChB,mBAAe,OAAO;AACpB,mBAAa,IAAI;AACjB,UAAI;AACF,cAAM,SAAS,IAAI,gBAAgB;AACnC,eAAO,IAAI,QAAQ,OAAO,IAAI,CAAC;AAC/B,eAAO,IAAI,YAAY,IAAI;AAC3B,YAAI,OAAQ,QAAO,IAAI,UAAU,MAAM;AACvC,cAAM,WAA4B,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,MAAM,YAAY,EAAE;AAC7E,cAAM,OAAO,MAAM;AAAA,UACjB,sBAAsB,OAAO,SAAS,CAAC;AAAA,UACvC;AAAA,UACA,EAAE,SAAS;AAAA,QACb;AACA,YAAI,CAAC,KAAK,IAAI;AACZ,gBAAM,eAAe,KAAK;AAC1B,gBAAM,UAAU,OAAO,cAAc,UAAU,WAAW,aAAa,QAAQ,EAAE,gCAAgC;AACjH,gBAAM,SAAS,OAAO;AACtB;AAAA,QACF;AACA,cAAM,UAAU,KAAK,UAAU;AAC/B,YAAI,CAAC,WAAW;AACd,kBAAQ,MAAM,QAAQ,QAAQ,KAAK,IAAI,QAAQ,QAAQ,CAAC,CAAC;AACzD,mBAAS,QAAQ,SAAS,CAAC;AAC3B,wBAAc,QAAQ,cAAc,CAAC;AAAA,QACvC;AAAA,MACF,SAAS,OAAO;AACd,YAAI,CAAC,WAAW;AACd,gBAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,EAAE,gCAAgC;AAC3F,gBAAM,SAAS,OAAO;AAAA,QACxB;AAAA,MACF,UAAE;AACA,YAAI,CAAC,UAAW,cAAa,KAAK;AAAA,MACpC;AAAA,IACF;AACA,SAAK;AACL,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAK;AAAA,EAClC,GAAG,CAAC,MAAM,QAAQ,aAAa,cAAc,CAAC,CAAC;AAE/C,QAAM,eAAe,MAAM,YAAY,OAAO,QAAa;AACzD,UAAM,YAAY,MAAM,QAAQ;AAAA,MAC9B,OAAO,EAAE,+BAA+B,EAAE,MAAM,IAAI,KAAK,CAAC;AAAA,MAC1D,SAAS;AAAA,IACX,CAAC;AACD,QAAI,CAAC,UAAW;AAChB,QAAI;AACF,YAAM,OAAO,MAAM;AAAA,QACjB,0BAA0B,IAAI,SAAS;AAAA,QACvC,MAAM;AAAA,UACJ,yBAAyB,mBAAmB,IAAI,EAAE,CAAC;AAAA,UACnD,EAAE,QAAQ,SAAS;AAAA,UACnB,EAAE,UAAU,KAAK;AAAA,QACnB;AAAA,MACF;AACA,UAAI,CAAC,KAAK,IAAI;AACZ,cAAM,eAAe,KAAK;AAC1B,cAAM,UAAU,OAAO,cAAc,UAAU,WAAW,aAAa,QAAQ,EAAE,kCAAkC;AACnH,cAAM,SAAS,OAAO;AACtB;AAAA,MACF;AACA,YAAM,EAAE,+BAA+B,GAAG,SAAS;AACnD,qBAAe,CAAC,UAAU,QAAQ,CAAC;AAAA,IACrC,SAAS,OAAO;AACd,YAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,EAAE,kCAAkC;AAC7F,YAAM,SAAS,OAAO;AAAA,IACxB;AAAA,EACF,GAAG,CAAC,SAAS,CAAC,CAAC;AAEf,QAAM,UAAU,MAAM,QAA0B,MAAM;AAAA,IACpD,EAAE,aAAa,QAAQ,QAAQ,EAAE,4BAA4B,EAAE;AAAA,IAC/D;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,2BAA2B;AAAA,MACrC,MAAM,CAAC,EAAE,IAAI,MAAM,qBAAC,UAAK,WAAU,WAAW;AAAA,YAAI,SAAS;AAAA,QAAU;AAAA,SAAC;AAAA,IACxE;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,oCAAoC;AAAA,MAC9C,MAAM,CAAC,EAAE,IAAI,MAAM,IAAI,SAAS,oBAAoB,EAAE,sBAAsB;AAAA,IAC9E;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,6BAA6B;AAAA,MACvC,MAAM,CAAC,EAAE,IAAI,MACX,qBAAC,SAAI,WAAU,wBACZ;AAAA,YAAI,SAAS,MAAM,WAAW,KAAK,oBAAC,UAAK,WAAU,iCAAiC,YAAE,uBAAuB,GAAE;AAAA,QAC/G,IAAI,SAAS,MAAM,IAAI,CAAC,SACvB;AAAA,UAAC;AAAA;AAAA,YAEC,WAAU;AAAA,YAET,eAAK,QAAQ,KAAK;AAAA;AAAA,UAHd,KAAK;AAAA,QAIZ,CACD;AAAA,SACH;AAAA,IAEJ;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,gCAAgC;AAAA,MAC1C,MAAM,CAAC,EAAE,IAAI,MAAM,WAAW,IAAI,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,IACA;AAAA,MACE,aAAa;AAAA,MACb,QAAQ,EAAE,+BAA+B;AAAA,MACzC,MAAM,CAAC,EAAE,IAAI,MAAM,WAAW,IAAI,SAAS,WAAW,CAAC;AAAA,IACzD;AAAA,EACF,GAAG,CAAC,CAAC,CAAC;AAEN,SACE,qBAAC,QACC;AAAA,wBAAC,YACC;AAAA,MAAC;AAAA;AAAA,QACC,OAAO,EAAE,qBAAqB;AAAA,QAC9B,SACE,oBAAC,UAAO,SAAO,MACb,8BAAC,QAAK,MAAK,4BAA4B,YAAE,8BAA8B,GAAE,GAC3E;AAAA,QAEF;AAAA,QACA,MAAM;AAAA,QACN,aAAa;AAAA,QACb,gBAAgB,CAAC,UAAU;AAAE,oBAAU,KAAK;AAAG,kBAAQ,CAAC;AAAA,QAAE;AAAA,QAC1D,aAAa,EAAE,SAAS,gBAAgB;AAAA,QACxC,YAAY,CAAC,QACX,oBAAC,cAAW,OAAO;AAAA,UACjB,EAAE,IAAI,UAAU,OAAO,EAAE,eAAe,GAAG,aAAa,MAAM,UAAU,MAAM;AAAE,iBAAK,aAAa,GAAG;AAAA,UAAE,EAAE;AAAA,QAC3G,GAAG;AAAA,QAEL,YAAY,EAAE,MAAM,UAAU,IAAI,OAAO,YAAY,cAAc,QAAQ;AAAA,QAC3E;AAAA;AAAA,IACF,GACF;AAAA,IACC;AAAA,KACH;AAEJ;",
   "names": []
 }

package/dist/modules/attachments/components/AttachmentPartitionSettings.js CHANGED Viewed

@@ -21,7 +21,8 @@ import {
   DialogHeader,
   DialogTitle
 } from "@open-mercato/ui/primitives/dialog";
-import { apiCall, readApiResultOrThrow } from "@open-mercato/ui/backend/utils/apiCall";
+import { apiCall, readApiResultOrThrow, withScopedApiRequestHeaders } from "@open-mercato/ui/backend/utils/apiCall";
+import { buildOptimisticLockHeader } from "@open-mercato/ui/backend/utils/optimisticLock";
 import { flash } from "@open-mercato/ui/backend/FlashMessages";
 import { raiseCrudError } from "@open-mercato/ui/backend/utils/serverErrors";
 import { useT } from "@open-mercato/shared/lib/i18n/context";
@@ -181,11 +182,15 @@ function AttachmentPartitionSettings({ s3Enabled }) {
       };
       const method = dialog.mode === "create" ? "POST" : "PUT";
       const body = dialog.mode === "edit" ? JSON.stringify({ id: dialog.entry.id, ...payload }) : JSON.stringify(payload);
-      const call = await apiCall("/api/attachments/partitions", {
-        method,
-        headers: { "content-type": "application/json" },
-        body
-      });
+      const lockHeader = dialog.mode === "edit" ? buildOptimisticLockHeader(dialog.entry.updatedAt) : {};
+      const call = await withScopedApiRequestHeaders(
+        lockHeader,
+        () => apiCall("/api/attachments/partitions", {
+          method,
+          headers: { "content-type": "application/json" },
+          body
+        })
+      );
       if (!call.ok) {
         await raiseCrudError(
           call.response,
@@ -218,9 +223,12 @@ function AttachmentPartitionSettings({ s3Enabled }) {
       });
       if (!confirmed) return;
       try {
-        const call = await apiCall(`/api/attachments/partitions?id=${encodeURIComponent(entry.id)}`, {
-          method: "DELETE"
-        });
+        const call = await withScopedApiRequestHeaders(
+          buildOptimisticLockHeader(entry.updatedAt),
+          () => apiCall(`/api/attachments/partitions?id=${encodeURIComponent(entry.id)}`, {
+            method: "DELETE"
+          })
+        );
         if (!call.ok) {
           await raiseCrudError(
             call.response,