npm - @open-mercato/core - Versions diffs - 0.6.5-develop.5337.1.534b781eac → 0.6.5 - Mend

@open-mercato/core 0.6.5-develop.5337.1.534b781eac → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (350) hide show

package/dist/modules/directory/utils/organizationScope.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/directory/utils/organizationScope.ts"],
-  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport type { AwilixContainer } from 'awilix'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { isAllOrganizationsSelection } from '@open-mercato/core/modules/directory/constants'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { parseSelectedOrganizationCookie, parseSelectedTenantCookie } from './scopeCookies'\n\nexport { parseSelectedOrganizationCookie, parseSelectedTenantCookie }\n\nexport type OrganizationScope = {\n  selectedId: string | null\n  filterIds: string[] | null\n  allowedIds: string[] | null\n  tenantId: string | null\n}\n\n// Phase 4 \u2014 short-TTL cache for resolveOrganizationScopeForRequest.\n// OrganizationScope is a pure function of (userId, tenantId, selectedOrgId,\n// requestedTenant) between membership changes; caching it bypasses 1\n// SELECT on `organizations` per CRUD request. TTL is short (60s default)\n// to keep staleness bounded for membership/visibility changes. Tag-based\n// invalidation kicks the cache when user_organizations or organizations\n// mutate (wired via invalidateOrganizationScopeCacheFor).\nconst ORG_SCOPE_CACHE_KEY_PREFIX = 'org-scope'\n// Phase 4 default-off until the same readiness probe (`GET /api/customers/people`)\n// stays green with the cache layer engaged. Set `OM_ORG_SCOPE_CACHE_TTL_MS=60000`\n// (or any positive integer) to opt in once cross-request safety is re-verified.\nconst ORG_SCOPE_DEFAULT_TTL_MS = 0\n\nfunction resolveOrgScopeTtlMs(): number {\n  const raw = process.env.OM_ORG_SCOPE_CACHE_TTL_MS\n  if (raw === undefined) return ORG_SCOPE_DEFAULT_TTL_MS\n  const parsed = Number(raw)\n  if (!Number.isFinite(parsed) || parsed < 0) return ORG_SCOPE_DEFAULT_TTL_MS\n  return parsed\n}\n\nfunction buildOrgScopeCacheKey(parts: {\n  userId: string\n  effectiveTenantId: string\n  selectedOrgId: string | null\n  requestedTenantId: string | null\n}): string {\n  const selected = parts.selectedOrgId ?? 'none'\n  const requested = parts.requestedTenantId ?? 'none'\n  return `${ORG_SCOPE_CACHE_KEY_PREFIX}:${parts.userId}:${parts.effectiveTenantId}:${selected}:${requested}`\n}\n\nfunction buildOrgScopeCacheTags(parts: { userId: string; effectiveTenantId: string }): string[] {\n  return [\n    `${ORG_SCOPE_CACHE_KEY_PREFIX}:user:${parts.userId}`,\n    `${ORG_SCOPE_CACHE_KEY_PREFIX}:tenant:${parts.effectiveTenantId}`,\n  ]\n}\n\nfunction isValidCachedScope(value: unknown): value is OrganizationScope {\n  if (typeof value !== 'object' || value === null) return false\n  const record = value as Partial<OrganizationScope>\n  const idOk = (v: unknown) => v === null || typeof v === 'string'\n  const arrOk = (v: unknown) => v === null || (Array.isArray(v) && v.every((entry) => typeof entry === 'string'))\n  return idOk(record.selectedId) && idOk(record.tenantId) && arrOk(record.filterIds) && arrOk(record.allowedIds)\n}\n\nfunction resolveCacheFromContainer(container: AwilixContainer | null | undefined): CacheStrategy | null {\n  if (!container) return null\n  try {\n    const c = container.resolve('cache') as CacheStrategy | undefined\n    if (c && typeof c.get === 'function' && typeof c.set === 'function') return c\n  } catch {\n    return null\n  }\n  return null\n}\n\nexport async function invalidateOrganizationScopeCacheForUser(\n  container: AwilixContainer,\n  userId: string,\n): Promise<void> {\n  const cache = resolveCacheFromContainer(container)\n  if (!cache?.deleteByTags) return\n  try {\n    await cache.deleteByTags([`${ORG_SCOPE_CACHE_KEY_PREFIX}:user:${userId}`])\n  } catch (err) {\n    console.warn('[org-scope:cache] invalidate user failed', err)\n  }\n}\n\nexport async function invalidateOrganizationScopeCacheForTenant(\n  container: AwilixContainer,\n  tenantId: string,\n): Promise<void> {\n  const cache = resolveCacheFromContainer(container)\n  if (!cache?.deleteByTags) return\n  try {\n    await cache.deleteByTags([`${ORG_SCOPE_CACHE_KEY_PREFIX}:tenant:${tenantId}`])\n  } catch (err) {\n    console.warn('[org-scope:cache] invalidate tenant failed', err)\n  }\n}\n\nfunction normalizeOrganizationId(value: unknown): string | null {\n  if (typeof value !== 'string') return null\n  const trimmed = value.trim()\n  return trimmed.length > 0 ? trimmed : null\n}\n\nexport function getSelectedOrganizationFromRequest(req: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } }): string | null {\n  const cookieContainer = (req as { cookies?: { get: (name: string) => { value: string } | undefined } }).cookies\n  if (cookieContainer && typeof cookieContainer.get === 'function') {\n    const val = cookieContainer.get('om_selected_org')?.value\n    return val ?? null\n  }\n  const headerContainer = (req as { headers?: { get(name: string): string | null } }).headers\n  const header = typeof headerContainer?.get === 'function' ? headerContainer.get('cookie') : null\n  return parseSelectedOrganizationCookie(header)\n}\n\nexport function getSelectedTenantFromRequest(\n  req: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } },\n): string | null {\n  const cookieContainer = (req as { cookies?: { get: (name: string) => { value: string } | undefined } }).cookies\n  if (cookieContainer && typeof cookieContainer.get === 'function') {\n    const val = cookieContainer.get('om_selected_tenant')?.value\n    return val ?? null\n  }\n  const headerContainer = (req as { headers?: { get(name: string): string | null } }).headers\n  const header = typeof headerContainer?.get === 'function' ? headerContainer.get('cookie') : null\n  return parseSelectedTenantCookie(header)\n}\n\nfunction normalizeOrganizationIds(ids: string[]): string[] {\n  return Array.from(new Set(\n    ids.map((value) => normalizeOrganizationId(value)).filter((value): value is string => {\n      if (!value) return false\n      if (isAllOrganizationsSelection(value)) return false\n      return true\n    })\n  ))\n}\n\n// Map each organization id to itself plus its persisted descendant ids. Only\n// orgs that exist for the tenant and are not soft-deleted are included, so an\n// unknown/inaccessible id simply has no entry (matching the per-id query that\n// returned an empty set for it).\ntype OrgDescendantMap = Map<string, string[]>\n\n// Issue #2228 \u2014 single round-trip for org-scope resolution. Instead of issuing\n// one `organizations` SELECT per `collectWithDescendants` call (up to 3-4\n// sequential queries per request: accessible set, fallback set, selected set),\n// gather every candidate id up front and fetch their descendant expansions in\n// one `em.find(Organization, { id: $in })`. Expansion then happens in-memory.\nasync function loadOrgDescendantMap(em: EntityManager, tenantId: string, ids: string[]): Promise<OrgDescendantMap> {\n  const unique = normalizeOrganizationIds(ids)\n  if (!unique.length) return new Map()\n  const filter: FilterQuery<Organization> = {\n    tenant: tenantId,\n    id: { $in: unique },\n    deletedAt: null,\n  }\n  const orgs = await em.find(Organization, filter)\n  const map: OrgDescendantMap = new Map()\n  for (const org of orgs) {\n    const id = String(org.id)\n    const expansion = [id]\n    if (Array.isArray(org.descendantIds)) {\n      for (const desc of org.descendantIds) expansion.push(String(desc))\n    }\n    map.set(id, expansion)\n  }\n  return map\n}\n\nfunction expandWithDescendants(map: OrgDescendantMap, ids: string[]): Set<string> {\n  const set = new Set<string>()\n  for (const value of ids) {\n    const id = normalizeOrganizationId(value)\n    if (!id || isAllOrganizationsSelection(id)) continue\n    const expansion = map.get(id)\n    if (!expansion) continue\n    for (const entry of expansion) set.add(entry)\n  }\n  return set\n}\n\nexport async function resolveOrganizationScope({\n  em,\n  rbac,\n  auth,\n  selectedId,\n  tenantId: tenantIdOverride,\n}: {\n  em: EntityManager\n  rbac: RbacService\n  auth: AuthContext\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<OrganizationScope> {\n  if (!auth || !auth.sub) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const actorTenantId = typeof auth.tenantId === 'string' && auth.tenantId.trim().length > 0 ? auth.tenantId.trim() : null\n  const candidateTenantId = typeof tenantIdOverride === 'string' && tenantIdOverride.trim().length > 0\n    ? tenantIdOverride.trim()\n    : tenantIdOverride === null\n      ? null\n      : actorTenantId\n  if (!candidateTenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const usingOverride = candidateTenantId !== actorTenantId\n  const isSuperAdminActor = auth.isSuperAdmin === true\n  const tenantId = usingOverride && actorTenantId && !isSuperAdminActor ? actorTenantId : candidateTenantId\n  if (!tenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const normalizedRequestedSelection = normalizeOrganizationId(selectedId)\n  const explicitAllOrgsChoice =\n    normalizedRequestedSelection !== null && isAllOrganizationsSelection(normalizedRequestedSelection)\n  const normalizedSelectedId = explicitAllOrgsChoice\n    ? null\n    : normalizedRequestedSelection\n  const contextOrgId = actorTenantId && actorTenantId === tenantId ? normalizeOrganizationId(auth.orgId) : null\n  const acl = await rbac.loadAcl(auth.sub, { tenantId, organizationId: contextOrgId })\n  const aclIsSuperAdmin = acl?.isSuperAdmin === true\n  const effectiveSuperAdmin = aclIsSuperAdmin || isSuperAdminActor\n  const normalizedAccessible = effectiveSuperAdmin\n    ? null\n    : Array.isArray(acl?.organizations)\n      ? acl.organizations\n        .map((value) => normalizeOrganizationId(value))\n        .filter((value): value is string => value !== null)\n      : null\n  const accessibleList = effectiveSuperAdmin\n    ? null\n    : normalizedAccessible && normalizedAccessible.some((value) => isAllOrganizationsSelection(value))\n      ? null\n      : normalizedAccessible?.filter((value) => !isAllOrganizationsSelection(value)) ?? null\n\n  const accountOrgId = actorTenantId && actorTenantId === tenantId ? normalizeOrganizationId(auth.orgId) : null\n  const fallbackOrgId = accountOrgId ?? null\n\n  // Every id that could be expanded below \u2014 accessible set, fallback (account)\n  // org, and the requested selection \u2014 is known up front, so fetch them all in\n  // a single `organizations` query and expand from the in-memory map.\n  const candidateIds = [\n    ...(accessibleList ?? []),\n    ...(fallbackOrgId ? [fallbackOrgId] : []),\n    ...(normalizedSelectedId ? [normalizedSelectedId] : []),\n  ]\n  const orgDescendants = await loadOrgDescendantMap(em, tenantId, candidateIds)\n  const loadFallbackSet = (): Set<string> | null =>\n    fallbackOrgId ? expandWithDescendants(orgDescendants, [fallbackOrgId]) : null\n\n  let allowedSet: Set<string> | null = null\n  if (accessibleList === null) {\n    allowedSet = null\n  } else if (accessibleList.length === 0) {\n    allowedSet = new Set()\n  } else {\n    allowedSet = expandWithDescendants(orgDescendants, accessibleList)\n  }\n\n  if (allowedSet && allowedSet.size === 0 && fallbackOrgId) {\n    const computed = loadFallbackSet()\n    if (computed && computed.size > 0) {\n      allowedSet = computed\n    }\n  }\n\n  const hasUnrestrictedAccess = effectiveSuperAdmin || (accessibleList === null)\n  const noOrgSelection = normalizedSelectedId === null && !explicitAllOrgsChoice\n  const widenToAllOrgs =\n    (explicitAllOrgsChoice && hasUnrestrictedAccess)\n    || (effectiveSuperAdmin && noOrgSelection)\n  const initialSelected =\n    normalizedSelectedId\n    ?? (widenToAllOrgs ? null : accountOrgId ?? null)\n  let effectiveSelected: string | null = null\n  if (initialSelected) {\n    if (allowedSet === null || allowedSet.has(initialSelected)) {\n      effectiveSelected = initialSelected\n    }\n  }\n\n  let filterSet: Set<string> | null = null\n  if (effectiveSelected) {\n    filterSet = expandWithDescendants(orgDescendants, [effectiveSelected])\n  } else if (allowedSet !== null) {\n    filterSet = allowedSet\n  } else if (widenToAllOrgs) {\n    filterSet = null\n  } else if (auth.orgId) {\n    filterSet = loadFallbackSet()\n  }\n\n  if ((!filterSet || filterSet.size === 0) && fallbackOrgId && !widenToAllOrgs) {\n    const computed = loadFallbackSet()\n    if (computed && computed.size > 0) {\n      filterSet = computed\n      if (!effectiveSelected) {\n        effectiveSelected = fallbackOrgId\n      }\n    }\n  }\n\n  return {\n    selectedId: effectiveSelected,\n    filterIds: filterSet ? Array.from(filterSet) : null,\n    allowedIds: allowedSet ? Array.from(allowedSet) : null,\n    tenantId,\n  }\n}\n\nexport async function resolveOrganizationScopeForRequest({\n  container,\n  auth,\n  request,\n  selectedId,\n  tenantId: tenantOverride,\n}: {\n  container: AwilixContainer\n  auth: AuthContext | null | undefined\n  request?: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } }\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<OrganizationScope> {\n  if (!auth || !auth.sub) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n\n  let em: EntityManager | null = null\n  let rbac: RbacService | null = null\n  try { em = container.resolve<EntityManager>('em') } catch { em = null }\n  try { rbac = container.resolve<RbacService>('rbacService') } catch { rbac = null }\n  const normalizeString = (value: unknown): string | null => {\n    if (typeof value === 'string' && value.trim().length > 0) return value.trim()\n    return null\n  }\n  if (!em || !rbac) {\n    const fallbackSelected = normalizeOrganizationId(selectedId ?? auth.orgId ?? null)\n    return {\n      selectedId: fallbackSelected,\n      filterIds: fallbackSelected ? [fallbackSelected] : null,\n      allowedIds: fallbackSelected ? [fallbackSelected] : null,\n      tenantId: normalizeString(auth.tenantId),\n    }\n  }\n\n  const actorTenantField = (auth as { actorTenantId?: string | null }).actorTenantId\n  const actorTenant = actorTenantField === undefined\n    ? normalizeString(auth.tenantId)\n    : actorTenantField === null\n      ? null\n      : normalizeString(actorTenantField)\n  const actorOrgField = (auth as { actorOrgId?: string | null }).actorOrgId\n  const actorOrgId = actorOrgField === undefined\n    ? normalizeString(auth.orgId)\n    : actorOrgField === null\n      ? null\n      : normalizeString(actorOrgField)\n\n  const cookieTenant = request ? getSelectedTenantFromRequest(request) : null\n  const requestedTenant =\n    tenantOverride !== undefined\n      ? tenantOverride\n      : cookieTenant !== undefined\n        ? cookieTenant\n        : undefined\n  const requestedTenantId = typeof requestedTenant === 'string' && requestedTenant.trim().length > 0 ? requestedTenant.trim() : null\n  const isSuperAdminActor = auth.isSuperAdmin === true\n  let effectiveTenantId = requestedTenantId ?? actorTenant ?? null\n  if (actorTenant && effectiveTenantId && effectiveTenantId !== actorTenant && !isSuperAdminActor) {\n    effectiveTenantId = actorTenant\n  }\n  if (!effectiveTenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n\n  const scopedAuth = {\n    ...auth,\n    tenantId: effectiveTenantId,\n    orgId: actorTenant && actorTenant === effectiveTenantId ? actorOrgId ?? null : null,\n  }\n\n  const rawSelected = selectedId !== undefined ? selectedId : (request ? getSelectedOrganizationFromRequest(request) : null)\n  const normalizedSelectedId = typeof rawSelected === 'string' && rawSelected.trim().length > 0\n    ? rawSelected.trim()\n    : null\n\n  const userId = typeof auth.sub === 'string' && auth.sub.length > 0 ? auth.sub : null\n  const ttlMs = resolveOrgScopeTtlMs()\n  const cache = ttlMs > 0 ? resolveCacheFromContainer(container) : null\n  const cacheKey = userId\n    ? buildOrgScopeCacheKey({\n        userId,\n        effectiveTenantId,\n        selectedOrgId: normalizedSelectedId,\n        requestedTenantId: requestedTenantId ?? null,\n      })\n    : null\n\n  if (cache && cacheKey && typeof cache.get === 'function') {\n    try {\n      const cached = await cache.get(cacheKey)\n      if (isValidCachedScope(cached)) return cached\n    } catch (err) {\n      console.warn('[org-scope:cache] read failed', err)\n    }\n  }\n\n  const baseScope = await resolveOrganizationScope({\n    em,\n    rbac,\n    auth: scopedAuth,\n    selectedId: rawSelected,\n    tenantId: effectiveTenantId,\n  })\n\n  if (cache && cacheKey && userId && typeof cache.set === 'function') {\n    try {\n      await cache.set(cacheKey, baseScope, {\n        ttl: ttlMs,\n        tags: buildOrgScopeCacheTags({ userId, effectiveTenantId }),\n      })\n    } catch (err) {\n      console.warn('[org-scope:cache] write failed', err)\n    }\n  }\n\n  return baseScope\n}\n\nexport type FeatureCheckContext = {\n  organizationId: string | null\n  scope: OrganizationScope\n  allowedOrganizationIds: string[] | null\n}\n\nexport async function resolveFeatureCheckContext({\n  container,\n  auth,\n  request,\n  selectedId,\n  tenantId,\n}: {\n  container: AwilixContainer\n  auth: AuthContext | null | undefined\n  request?: Request | { cookies?: { get: (name: string) => { value: string } | undefined } }\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<FeatureCheckContext> {\n  const scope = await resolveOrganizationScopeForRequest({ container, auth, request, selectedId, tenantId })\n  const allowedOrganizationIds = scope.allowedIds ?? null\n  const authOrgId = auth?.orgId ?? null\n  const organizationId =\n    scope.selectedId\n    ?? (authOrgId && (!Array.isArray(allowedOrganizationIds) || allowedOrganizationIds.includes(authOrgId)) ? authOrgId : null)\n    ?? (Array.isArray(allowedOrganizationIds) && allowedOrganizationIds.length ? allowedOrganizationIds[0] : null)\n\n  return { organizationId, scope, allowedOrganizationIds }\n}\n"],
-  "mappings": "AAGA,SAAS,oBAAoB;AAC7B,SAAS,mCAAmC;AAI5C,SAAS,iCAAiC,iCAAiC;AAkB3E,MAAM,6BAA6B;AAInC,MAAM,2BAA2B;AAEjC,SAAS,uBAA+B;AACtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,QAAQ,OAAW,QAAO;AAC9B,QAAM,SAAS,OAAO,GAAG;AACzB,MAAI,CAAC,OAAO,SAAS,MAAM,KAAK,SAAS,EAAG,QAAO;AACnD,SAAO;AACT;AAEA,SAAS,sBAAsB,OAKpB;AACT,QAAM,WAAW,MAAM,iBAAiB;AACxC,QAAM,YAAY,MAAM,qBAAqB;AAC7C,SAAO,GAAG,0BAA0B,IAAI,MAAM,MAAM,IAAI,MAAM,iBAAiB,IAAI,QAAQ,IAAI,SAAS;AAC1G;AAEA,SAAS,uBAAuB,OAAgE;AAC9F,SAAO;AAAA,IACL,GAAG,0BAA0B,SAAS,MAAM,MAAM;AAAA,IAClD,GAAG,0BAA0B,WAAW,MAAM,iBAAiB;AAAA,EACjE;AACF;AAEA,SAAS,mBAAmB,OAA4C;AACtE,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,SAAS;AACf,QAAM,OAAO,CAAC,MAAe,MAAM,QAAQ,OAAO,MAAM;AACxD,QAAM,QAAQ,CAAC,MAAe,MAAM,QAAS,MAAM,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,OAAO,UAAU,QAAQ;AAC7G,SAAO,KAAK,OAAO,UAAU,KAAK,KAAK,OAAO,QAAQ,KAAK,MAAM,OAAO,SAAS,KAAK,MAAM,OAAO,UAAU;AAC/G;AAEA,SAAS,0BAA0B,WAAqE;AACtG,MAAI,CAAC,UAAW,QAAO;AACvB,MAAI;AACF,UAAM,IAAI,UAAU,QAAQ,OAAO;AACnC,QAAI,KAAK,OAAO,EAAE,QAAQ,cAAc,OAAO,EAAE,QAAQ,WAAY,QAAO;AAAA,EAC9E,QAAQ;AACN,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,eAAsB,wCACpB,WACA,QACe;AACf,QAAM,QAAQ,0BAA0B,SAAS;AACjD,MAAI,CAAC,OAAO,aAAc;AAC1B,MAAI;AACF,UAAM,MAAM,aAAa,CAAC,GAAG,0BAA0B,SAAS,MAAM,EAAE,CAAC;AAAA,EAC3E,SAAS,KAAK;AACZ,YAAQ,KAAK,4CAA4C,GAAG;AAAA,EAC9D;AACF;AAEA,eAAsB,0CACpB,WACA,UACe;AACf,QAAM,QAAQ,0BAA0B,SAAS;AACjD,MAAI,CAAC,OAAO,aAAc;AAC1B,MAAI;AACF,UAAM,MAAM,aAAa,CAAC,GAAG,0BAA0B,WAAW,QAAQ,EAAE,CAAC;AAAA,EAC/E,SAAS,KAAK;AACZ,YAAQ,KAAK,8CAA8C,GAAG;AAAA,EAChE;AACF;AAEA,SAAS,wBAAwB,OAA+B;AAC9D,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,SAAS,IAAI,UAAU;AACxC;AAEO,SAAS,mCAAmC,KAAsJ;AACvM,QAAM,kBAAmB,IAA+E;AACxG,MAAI,mBAAmB,OAAO,gBAAgB,QAAQ,YAAY;AAChE,UAAM,MAAM,gBAAgB,IAAI,iBAAiB,GAAG;AACpD,WAAO,OAAO;AAAA,EAChB;AACA,QAAM,kBAAmB,IAA2D;AACpF,QAAM,SAAS,OAAO,iBAAiB,QAAQ,aAAa,gBAAgB,IAAI,QAAQ,IAAI;AAC5F,SAAO,gCAAgC,MAAM;AAC/C;AAEO,SAAS,6BACd,KACe;AACf,QAAM,kBAAmB,IAA+E;AACxG,MAAI,mBAAmB,OAAO,gBAAgB,QAAQ,YAAY;AAChE,UAAM,MAAM,gBAAgB,IAAI,oBAAoB,GAAG;AACvD,WAAO,OAAO;AAAA,EAChB;AACA,QAAM,kBAAmB,IAA2D;AACpF,QAAM,SAAS,OAAO,iBAAiB,QAAQ,aAAa,gBAAgB,IAAI,QAAQ,IAAI;AAC5F,SAAO,0BAA0B,MAAM;AACzC;AAEA,SAAS,yBAAyB,KAAyB;AACzD,SAAO,MAAM,KAAK,IAAI;AAAA,IACpB,IAAI,IAAI,CAAC,UAAU,wBAAwB,KAAK,CAAC,EAAE,OAAO,CAAC,UAA2B;AACpF,UAAI,CAAC,MAAO,QAAO;AACnB,UAAI,4BAA4B,KAAK,EAAG,QAAO;AAC/C,aAAO;AAAA,IACT,CAAC;AAAA,EACH,CAAC;AACH;AAaA,eAAe,qBAAqB,IAAmB,UAAkB,KAA0C;AACjH,QAAM,SAAS,yBAAyB,GAAG;AAC3C,MAAI,CAAC,OAAO,OAAQ,QAAO,oBAAI,IAAI;AACnC,QAAM,SAAoC;AAAA,IACxC,QAAQ;AAAA,IACR,IAAI,EAAE,KAAK,OAAO;AAAA,IAClB,WAAW;AAAA,EACb;AACA,QAAM,OAAO,MAAM,GAAG,KAAK,cAAc,MAAM;AAC/C,QAAM,MAAwB,oBAAI,IAAI;AACtC,aAAW,OAAO,MAAM;AACtB,UAAM,KAAK,OAAO,IAAI,EAAE;AACxB,UAAM,YAAY,CAAC,EAAE;AACrB,QAAI,MAAM,QAAQ,IAAI,aAAa,GAAG;AACpC,iBAAW,QAAQ,IAAI,cAAe,WAAU,KAAK,OAAO,IAAI,CAAC;AAAA,IACnE;AACA,QAAI,IAAI,IAAI,SAAS;AAAA,EACvB;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,KAAuB,KAA4B;AAChF,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,SAAS,KAAK;AACvB,UAAM,KAAK,wBAAwB,KAAK;AACxC,QAAI,CAAC,MAAM,4BAA4B,EAAE,EAAG;AAC5C,UAAM,YAAY,IAAI,IAAI,EAAE;AAC5B,QAAI,CAAC,UAAW;AAChB,eAAW,SAAS,UAAW,KAAI,IAAI,KAAK;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,eAAsB,yBAAyB;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,UAAU;AACZ,GAM+B;AAC7B,MAAI,CAAC,QAAQ,CAAC,KAAK,KAAK;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,gBAAgB,OAAO,KAAK,aAAa,YAAY,KAAK,SAAS,KAAK,EAAE,SAAS,IAAI,KAAK,SAAS,KAAK,IAAI;AACpH,QAAM,oBAAoB,OAAO,qBAAqB,YAAY,iBAAiB,KAAK,EAAE,SAAS,IAC/F,iBAAiB,KAAK,IACtB,qBAAqB,OACnB,OACA;AACN,MAAI,CAAC,mBAAmB;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,gBAAgB,sBAAsB;AAC5C,QAAM,oBAAoB,KAAK,iBAAiB;AAChD,QAAM,WAAW,iBAAiB,iBAAiB,CAAC,oBAAoB,gBAAgB;AACxF,MAAI,CAAC,UAAU;AACb,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,+BAA+B,wBAAwB,UAAU;AACvE,QAAM,wBACJ,iCAAiC,QAAQ,4BAA4B,4BAA4B;AACnG,QAAM,uBAAuB,wBACzB,OACA;AACJ,QAAM,eAAe,iBAAiB,kBAAkB,WAAW,wBAAwB,KAAK,KAAK,IAAI;AACzG,QAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAK,EAAE,UAAU,gBAAgB,aAAa,CAAC;AACnF,QAAM,kBAAkB,KAAK,iBAAiB;AAC9C,QAAM,sBAAsB,mBAAmB;AAC/C,QAAM,uBAAuB,sBACzB,OACA,MAAM,QAAQ,KAAK,aAAa,IAC9B,IAAI,cACH,IAAI,CAAC,UAAU,wBAAwB,KAAK,CAAC,EAC7C,OAAO,CAAC,UAA2B,UAAU,IAAI,IAClD;AACN,QAAM,iBAAiB,sBACnB,OACA,wBAAwB,qBAAqB,KAAK,CAAC,UAAU,4BAA4B,KAAK,CAAC,IAC7F,OACA,sBAAsB,OAAO,CAAC,UAAU,CAAC,4BAA4B,KAAK,CAAC,KAAK;AAEtF,QAAM,eAAe,iBAAiB,kBAAkB,WAAW,wBAAwB,KAAK,KAAK,IAAI;AACzG,QAAM,gBAAgB,gBAAgB;AAKtC,QAAM,eAAe;AAAA,IACnB,GAAI,kBAAkB,CAAC;AAAA,IACvB,GAAI,gBAAgB,CAAC,aAAa,IAAI,CAAC;AAAA,IACvC,GAAI,uBAAuB,CAAC,oBAAoB,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,iBAAiB,MAAM,qBAAqB,IAAI,UAAU,YAAY;AAC5E,QAAM,kBAAkB,MACtB,gBAAgB,sBAAsB,gBAAgB,CAAC,aAAa,CAAC,IAAI;AAE3E,MAAI,aAAiC;AACrC,MAAI,mBAAmB,MAAM;AAC3B,iBAAa;AAAA,EACf,WAAW,eAAe,WAAW,GAAG;AACtC,iBAAa,oBAAI,IAAI;AAAA,EACvB,OAAO;AACL,iBAAa,sBAAsB,gBAAgB,cAAc;AAAA,EACnE;AAEA,MAAI,cAAc,WAAW,SAAS,KAAK,eAAe;AACxD,UAAM,WAAW,gBAAgB;AACjC,QAAI,YAAY,SAAS,OAAO,GAAG;AACjC,mBAAa;AAAA,IACf;AAAA,EACF;AAEA,QAAM,wBAAwB,uBAAwB,mBAAmB;AACzE,QAAM,iBAAiB,yBAAyB,QAAQ,CAAC;AACzD,QAAM,iBACH,yBAAyB,yBACtB,uBAAuB;AAC7B,QAAM,kBACJ,yBACI,iBAAiB,OAAO,gBAAgB;AAC9C,MAAI,oBAAmC;AACvC,MAAI,iBAAiB;AACnB,QAAI,eAAe,QAAQ,WAAW,IAAI,eAAe,GAAG;AAC1D,0BAAoB;AAAA,IACtB;AAAA,EACF;AAEA,MAAI,YAAgC;AACpC,MAAI,mBAAmB;AACrB,gBAAY,sBAAsB,gBAAgB,CAAC,iBAAiB,CAAC;AAAA,EACvE,WAAW,eAAe,MAAM;AAC9B,gBAAY;AAAA,EACd,WAAW,gBAAgB;AACzB,gBAAY;AAAA,EACd,WAAW,KAAK,OAAO;AACrB,gBAAY,gBAAgB;AAAA,EAC9B;AAEA,OAAK,CAAC,aAAa,UAAU,SAAS,MAAM,iBAAiB,CAAC,gBAAgB;AAC5E,UAAM,WAAW,gBAAgB;AACjC,QAAI,YAAY,SAAS,OAAO,GAAG;AACjC,kBAAY;AACZ,UAAI,CAAC,mBAAmB;AACtB,4BAAoB;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,WAAW,YAAY,MAAM,KAAK,SAAS,IAAI;AAAA,IAC/C,YAAY,aAAa,MAAM,KAAK,UAAU,IAAI;AAAA,IAClD;AAAA,EACF;AACF;AAEA,eAAsB,mCAAmC;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,UAAU;AACZ,GAM+B;AAC7B,MAAI,CAAC,QAAQ,CAAC,KAAK,KAAK;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AAEA,MAAI,KAA2B;AAC/B,MAAI,OAA2B;AAC/B,MAAI;AAAE,SAAK,UAAU,QAAuB,IAAI;AAAA,EAAE,QAAQ;AAAE,SAAK;AAAA,EAAK;AACtE,MAAI;AAAE,WAAO,UAAU,QAAqB,aAAa;AAAA,EAAE,QAAQ;AAAE,WAAO;AAAA,EAAK;AACjF,QAAM,kBAAkB,CAAC,UAAkC;AACzD,QAAI,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,EAAG,QAAO,MAAM,KAAK;AAC5E,WAAO;AAAA,EACT;AACA,MAAI,CAAC,MAAM,CAAC,MAAM;AAChB,UAAM,mBAAmB,wBAAwB,cAAc,KAAK,SAAS,IAAI;AACjF,WAAO;AAAA,MACL,YAAY;AAAA,MACZ,WAAW,mBAAmB,CAAC,gBAAgB,IAAI;AAAA,MACnD,YAAY,mBAAmB,CAAC,gBAAgB,IAAI;AAAA,MACpD,UAAU,gBAAgB,KAAK,QAAQ;AAAA,IACzC;AAAA,EACF;AAEA,QAAM,mBAAoB,KAA2C;AACrE,QAAM,cAAc,qBAAqB,SACrC,gBAAgB,KAAK,QAAQ,IAC7B,qBAAqB,OACnB,OACA,gBAAgB,gBAAgB;AACtC,QAAM,gBAAiB,KAAwC;AAC/D,QAAM,aAAa,kBAAkB,SACjC,gBAAgB,KAAK,KAAK,IAC1B,kBAAkB,OAChB,OACA,gBAAgB,aAAa;AAEnC,QAAM,eAAe,UAAU,6BAA6B,OAAO,IAAI;AACvE,QAAM,kBACJ,mBAAmB,SACf,iBACA,iBAAiB,SACf,eACA;AACR,QAAM,oBAAoB,OAAO,oBAAoB,YAAY,gBAAgB,KAAK,EAAE,SAAS,IAAI,gBAAgB,KAAK,IAAI;AAC9H,QAAM,oBAAoB,KAAK,iBAAiB;AAChD,MAAI,oBAAoB,qBAAqB,eAAe;AAC5D,MAAI,eAAe,qBAAqB,sBAAsB,eAAe,CAAC,mBAAmB;AAC/F,wBAAoB;AAAA,EACtB;AACA,MAAI,CAAC,mBAAmB;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AAEA,QAAM,aAAa;AAAA,IACjB,GAAG;AAAA,IACH,UAAU;AAAA,IACV,OAAO,eAAe,gBAAgB,oBAAoB,cAAc,OAAO;AAAA,EACjF;AAEA,QAAM,cAAc,eAAe,SAAY,aAAc,UAAU,mCAAmC,OAAO,IAAI;AACrH,QAAM,uBAAuB,OAAO,gBAAgB,YAAY,YAAY,KAAK,EAAE,SAAS,IACxF,YAAY,KAAK,IACjB;AAEJ,QAAM,SAAS,OAAO,KAAK,QAAQ,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAChF,QAAM,QAAQ,qBAAqB;AACnC,QAAM,QAAQ,QAAQ,IAAI,0BAA0B,SAAS,IAAI;AACjE,QAAM,WAAW,SACb,sBAAsB;AAAA,IACpB;AAAA,IACA;AAAA,IACA,eAAe;AAAA,IACf,mBAAmB,qBAAqB;AAAA,EAC1C,CAAC,IACD;AAEJ,MAAI,SAAS,YAAY,OAAO,MAAM,QAAQ,YAAY;AACxD,QAAI;AACF,YAAM,SAAS,MAAM,MAAM,IAAI,QAAQ;AACvC,UAAI,mBAAmB,MAAM,EAAG,QAAO;AAAA,IACzC,SAAS,KAAK;AACZ,cAAQ,KAAK,iCAAiC,GAAG;AAAA,IACnD;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,yBAAyB;AAAA,IAC/C;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,UAAU;AAAA,EACZ,CAAC;AAED,MAAI,SAAS,YAAY,UAAU,OAAO,MAAM,QAAQ,YAAY;AAClE,QAAI;AACF,YAAM,MAAM,IAAI,UAAU,WAAW;AAAA,QACnC,KAAK;AAAA,QACL,MAAM,uBAAuB,EAAE,QAAQ,kBAAkB,CAAC;AAAA,MAC5D,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,cAAQ,KAAK,kCAAkC,GAAG;AAAA,IACpD;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,2BAA2B;AAAA,EAC/C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAMiC;AAC/B,QAAM,QAAQ,MAAM,mCAAmC,EAAE,WAAW,MAAM,SAAS,YAAY,SAAS,CAAC;AACzG,QAAM,yBAAyB,MAAM,cAAc;AACnD,QAAM,YAAY,MAAM,SAAS;AACjC,QAAM,iBACJ,MAAM,eACF,cAAc,CAAC,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,SAAS,SAAS,KAAK,YAAY,UAClH,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,SAAS,uBAAuB,CAAC,IAAI;AAE3G,SAAO,EAAE,gBAAgB,OAAO,uBAAuB;AACzD;",
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport type { AwilixContainer } from 'awilix'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { isAllOrganizationsSelection } from '@open-mercato/core/modules/directory/constants'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { parseSelectedOrganizationCookie, parseSelectedTenantCookie } from './scopeCookies'\n\nexport { parseSelectedOrganizationCookie, parseSelectedTenantCookie }\n\nexport type OrganizationScope = {\n  selectedId: string | null\n  filterIds: string[] | null\n  allowedIds: string[] | null\n  tenantId: string | null\n}\n\n// Phase 4 \u2014 short-TTL cache for resolveOrganizationScopeForRequest.\n// OrganizationScope is a pure function of (userId, tenantId, selectedOrgId,\n// requestedTenant) between membership changes; caching it bypasses 1\n// SELECT on `organizations` per CRUD request. TTL is short (60s default)\n// to keep staleness bounded as a backstop. Tag-based invalidation also fires\n// eagerly: per-user entries are dropped by RbacService.invalidateUserCache\n// (every ACL/role grant change goes through it \u2014 see buildOrgScopeUserCacheTag)\n// and per-tenant entries by the directory.organization.* subscriber plus\n// RbacService.invalidateTenantCache (role-ACL changes).\nconst ORG_SCOPE_CACHE_KEY_PREFIX = 'org-scope'\n// Phase 4 default-off until the same readiness probe (`GET /api/customers/people`)\n// stays green with the cache layer engaged. Set `OM_ORG_SCOPE_CACHE_TTL_MS=60000`\n// (or any positive integer) to opt in once cross-request safety is re-verified.\nconst ORG_SCOPE_DEFAULT_TTL_MS = 0\n\nfunction resolveOrgScopeTtlMs(): number {\n  const raw = process.env.OM_ORG_SCOPE_CACHE_TTL_MS\n  if (raw === undefined) return ORG_SCOPE_DEFAULT_TTL_MS\n  const parsed = Number(raw)\n  if (!Number.isFinite(parsed) || parsed < 0) return ORG_SCOPE_DEFAULT_TTL_MS\n  return parsed\n}\n\nfunction buildOrgScopeCacheKey(parts: {\n  userId: string\n  effectiveTenantId: string\n  selectedOrgId: string | null\n  requestedTenantId: string | null\n}): string {\n  const selected = parts.selectedOrgId ?? 'none'\n  const requested = parts.requestedTenantId ?? 'none'\n  return `${ORG_SCOPE_CACHE_KEY_PREFIX}:${parts.userId}:${parts.effectiveTenantId}:${selected}:${requested}`\n}\n\n// Tag builders are exported so the modules that own the \"this user's scope\n// changed\" / \"this tenant's org tree changed\" signals (auth RBAC invalidation,\n// the directory.organization.* subscriber) can drop the matching cross-request\n// cache entries without re-deriving the tag format. Keeping the format in one\n// place is what lets the TTL be enabled safely (issue #2259).\nexport function buildOrgScopeUserCacheTag(userId: string): string {\n  return `${ORG_SCOPE_CACHE_KEY_PREFIX}:user:${userId}`\n}\n\nexport function buildOrgScopeTenantCacheTag(tenantId: string): string {\n  return `${ORG_SCOPE_CACHE_KEY_PREFIX}:tenant:${tenantId}`\n}\n\nfunction buildOrgScopeCacheTags(parts: { userId: string; effectiveTenantId: string }): string[] {\n  return [\n    buildOrgScopeUserCacheTag(parts.userId),\n    buildOrgScopeTenantCacheTag(parts.effectiveTenantId),\n  ]\n}\n\nfunction isValidCachedScope(value: unknown): value is OrganizationScope {\n  if (typeof value !== 'object' || value === null) return false\n  const record = value as Partial<OrganizationScope>\n  const idOk = (v: unknown) => v === null || typeof v === 'string'\n  const arrOk = (v: unknown) => v === null || (Array.isArray(v) && v.every((entry) => typeof entry === 'string'))\n  return idOk(record.selectedId) && idOk(record.tenantId) && arrOk(record.filterIds) && arrOk(record.allowedIds)\n}\n\nfunction resolveCacheFromContainer(container: AwilixContainer | null | undefined): CacheStrategy | null {\n  if (!container) return null\n  try {\n    const c = container.resolve('cache') as CacheStrategy | undefined\n    if (c && typeof c.get === 'function' && typeof c.set === 'function') return c\n  } catch {\n    return null\n  }\n  return null\n}\n\nexport async function invalidateOrganizationScopeCacheForUser(\n  container: AwilixContainer,\n  userId: string,\n): Promise<void> {\n  const cache = resolveCacheFromContainer(container)\n  if (!cache?.deleteByTags) return\n  try {\n    await cache.deleteByTags([buildOrgScopeUserCacheTag(userId)])\n  } catch (err) {\n    console.warn('[org-scope:cache] invalidate user failed', err)\n  }\n}\n\nexport async function invalidateOrganizationScopeCacheForTenant(\n  container: AwilixContainer,\n  tenantId: string,\n): Promise<void> {\n  const cache = resolveCacheFromContainer(container)\n  if (!cache?.deleteByTags) return\n  try {\n    await cache.deleteByTags([buildOrgScopeTenantCacheTag(tenantId)])\n  } catch (err) {\n    console.warn('[org-scope:cache] invalidate tenant failed', err)\n  }\n}\n\n// Issue #2259 \u2014 per-request memoization. resolveOrganizationScopeForRequest\n// runs at least twice per CRUD request: once for the route-level feature check\n// (resolveFeatureCheckContext) and once inside the shared factory's withCtx.\n// Those two call sites use different request-scoped DI containers but are handed\n// the SAME Request instance, so memoizing the resolved scope on a WeakMap keyed\n// by that request collapses the duplicate work \u2014 and the duplicate\n// `organizations` SELECT \u2014 into a single resolution. The inner map is keyed by\n// the same identity tuple as the cross-request cache key, so distinct explicit\n// selectedId/tenant overrides on one request stay independent. There is no\n// staleness risk: the memo lives only for the lifetime of one request and is\n// dropped with the request object by the GC.\nconst orgScopeRequestMemo = new WeakMap<object, Map<string, Promise<OrganizationScope>>>()\n\nfunction getRequestScopeMemo(request: unknown): Map<string, Promise<OrganizationScope>> | null {\n  if (!request || (typeof request !== 'object' && typeof request !== 'function')) return null\n  const key = request as object\n  let memo = orgScopeRequestMemo.get(key)\n  if (!memo) {\n    memo = new Map<string, Promise<OrganizationScope>>()\n    orgScopeRequestMemo.set(key, memo)\n  }\n  return memo\n}\n\nfunction normalizeOrganizationId(value: unknown): string | null {\n  if (typeof value !== 'string') return null\n  const trimmed = value.trim()\n  return trimmed.length > 0 ? trimmed : null\n}\n\nexport function getSelectedOrganizationFromRequest(req: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } }): string | null {\n  const cookieContainer = (req as { cookies?: { get: (name: string) => { value: string } | undefined } }).cookies\n  if (cookieContainer && typeof cookieContainer.get === 'function') {\n    const val = cookieContainer.get('om_selected_org')?.value\n    return val ?? null\n  }\n  const headerContainer = (req as { headers?: { get(name: string): string | null } }).headers\n  const header = typeof headerContainer?.get === 'function' ? headerContainer.get('cookie') : null\n  return parseSelectedOrganizationCookie(header)\n}\n\nexport function getSelectedTenantFromRequest(\n  req: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } },\n): string | null {\n  const cookieContainer = (req as { cookies?: { get: (name: string) => { value: string } | undefined } }).cookies\n  if (cookieContainer && typeof cookieContainer.get === 'function') {\n    const val = cookieContainer.get('om_selected_tenant')?.value\n    return val ?? null\n  }\n  const headerContainer = (req as { headers?: { get(name: string): string | null } }).headers\n  const header = typeof headerContainer?.get === 'function' ? headerContainer.get('cookie') : null\n  return parseSelectedTenantCookie(header)\n}\n\nfunction normalizeOrganizationIds(ids: string[]): string[] {\n  return Array.from(new Set(\n    ids.map((value) => normalizeOrganizationId(value)).filter((value): value is string => {\n      if (!value) return false\n      if (isAllOrganizationsSelection(value)) return false\n      return true\n    })\n  ))\n}\n\n// Map each organization id to itself plus its persisted descendant ids. Only\n// orgs that exist for the tenant and are not soft-deleted are included, so an\n// unknown/inaccessible id simply has no entry (matching the per-id query that\n// returned an empty set for it).\ntype OrgDescendantMap = Map<string, string[]>\n\n// Issue #2228 \u2014 single round-trip for org-scope resolution. Instead of issuing\n// one `organizations` SELECT per `collectWithDescendants` call (up to 3-4\n// sequential queries per request: accessible set, fallback set, selected set),\n// gather every candidate id up front and fetch their descendant expansions in\n// one `em.find(Organization, { id: $in })`. Expansion then happens in-memory.\nasync function loadOrgDescendantMap(em: EntityManager, tenantId: string, ids: string[]): Promise<OrgDescendantMap> {\n  const unique = normalizeOrganizationIds(ids)\n  if (!unique.length) return new Map()\n  const filter: FilterQuery<Organization> = {\n    tenant: tenantId,\n    id: { $in: unique },\n    deletedAt: null,\n  }\n  const orgs = await em.find(Organization, filter)\n  const map: OrgDescendantMap = new Map()\n  for (const org of orgs) {\n    const id = String(org.id)\n    const expansion = [id]\n    if (Array.isArray(org.descendantIds)) {\n      for (const desc of org.descendantIds) expansion.push(String(desc))\n    }\n    map.set(id, expansion)\n  }\n  return map\n}\n\nfunction expandWithDescendants(map: OrgDescendantMap, ids: string[]): Set<string> {\n  const set = new Set<string>()\n  for (const value of ids) {\n    const id = normalizeOrganizationId(value)\n    if (!id || isAllOrganizationsSelection(id)) continue\n    const expansion = map.get(id)\n    if (!expansion) continue\n    for (const entry of expansion) set.add(entry)\n  }\n  return set\n}\n\nexport async function resolveOrganizationScope({\n  em,\n  rbac,\n  auth,\n  selectedId,\n  tenantId: tenantIdOverride,\n}: {\n  em: EntityManager\n  rbac: RbacService\n  auth: AuthContext\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<OrganizationScope> {\n  if (!auth || !auth.sub) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const actorTenantId = typeof auth.tenantId === 'string' && auth.tenantId.trim().length > 0 ? auth.tenantId.trim() : null\n  const candidateTenantId = typeof tenantIdOverride === 'string' && tenantIdOverride.trim().length > 0\n    ? tenantIdOverride.trim()\n    : tenantIdOverride === null\n      ? null\n      : actorTenantId\n  if (!candidateTenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const usingOverride = candidateTenantId !== actorTenantId\n  const isSuperAdminActor = auth.isSuperAdmin === true\n  const tenantId = usingOverride && actorTenantId && !isSuperAdminActor ? actorTenantId : candidateTenantId\n  if (!tenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n  const normalizedRequestedSelection = normalizeOrganizationId(selectedId)\n  const explicitAllOrgsChoice =\n    normalizedRequestedSelection !== null && isAllOrganizationsSelection(normalizedRequestedSelection)\n  const normalizedSelectedId = explicitAllOrgsChoice\n    ? null\n    : normalizedRequestedSelection\n  const contextOrgId = actorTenantId && actorTenantId === tenantId ? normalizeOrganizationId(auth.orgId) : null\n  const acl = await rbac.loadAcl(auth.sub, { tenantId, organizationId: contextOrgId })\n  const aclIsSuperAdmin = acl?.isSuperAdmin === true\n  const effectiveSuperAdmin = aclIsSuperAdmin || isSuperAdminActor\n  const normalizedAccessible = effectiveSuperAdmin\n    ? null\n    : Array.isArray(acl?.organizations)\n      ? acl.organizations\n        .map((value) => normalizeOrganizationId(value))\n        .filter((value): value is string => value !== null)\n      : null\n  const accessibleList = effectiveSuperAdmin\n    ? null\n    : normalizedAccessible && normalizedAccessible.some((value) => isAllOrganizationsSelection(value))\n      ? null\n      : normalizedAccessible?.filter((value) => !isAllOrganizationsSelection(value)) ?? null\n\n  const accountOrgId = actorTenantId && actorTenantId === tenantId ? normalizeOrganizationId(auth.orgId) : null\n  const fallbackOrgId = accountOrgId ?? null\n\n  // Every id that could be expanded below \u2014 accessible set, fallback (account)\n  // org, and the requested selection \u2014 is known up front, so fetch them all in\n  // a single `organizations` query and expand from the in-memory map.\n  const candidateIds = [\n    ...(accessibleList ?? []),\n    ...(fallbackOrgId ? [fallbackOrgId] : []),\n    ...(normalizedSelectedId ? [normalizedSelectedId] : []),\n  ]\n  const orgDescendants = await loadOrgDescendantMap(em, tenantId, candidateIds)\n  const loadFallbackSet = (): Set<string> | null =>\n    fallbackOrgId ? expandWithDescendants(orgDescendants, [fallbackOrgId]) : null\n\n  let allowedSet: Set<string> | null = null\n  if (accessibleList === null) {\n    allowedSet = null\n  } else if (accessibleList.length === 0) {\n    allowedSet = new Set()\n  } else {\n    allowedSet = expandWithDescendants(orgDescendants, accessibleList)\n  }\n\n  if (allowedSet && allowedSet.size === 0 && fallbackOrgId) {\n    const computed = loadFallbackSet()\n    if (computed && computed.size > 0) {\n      allowedSet = computed\n    }\n  }\n\n  const hasUnrestrictedAccess = effectiveSuperAdmin || (accessibleList === null)\n  const noOrgSelection = normalizedSelectedId === null && !explicitAllOrgsChoice\n  const widenToAllOrgs =\n    (explicitAllOrgsChoice && hasUnrestrictedAccess)\n    || (effectiveSuperAdmin && noOrgSelection)\n  const initialSelected =\n    normalizedSelectedId\n    ?? (widenToAllOrgs ? null : accountOrgId ?? null)\n  let effectiveSelected: string | null = null\n  if (initialSelected) {\n    if (allowedSet === null || allowedSet.has(initialSelected)) {\n      effectiveSelected = initialSelected\n    }\n  }\n\n  let filterSet: Set<string> | null = null\n  if (effectiveSelected) {\n    filterSet = expandWithDescendants(orgDescendants, [effectiveSelected])\n  } else if (allowedSet !== null) {\n    filterSet = allowedSet\n  } else if (widenToAllOrgs) {\n    filterSet = null\n  } else if (auth.orgId) {\n    filterSet = loadFallbackSet()\n  }\n\n  if ((!filterSet || filterSet.size === 0) && fallbackOrgId && !widenToAllOrgs) {\n    const computed = loadFallbackSet()\n    if (computed && computed.size > 0) {\n      filterSet = computed\n      if (!effectiveSelected) {\n        effectiveSelected = fallbackOrgId\n      }\n    }\n  }\n\n  return {\n    selectedId: effectiveSelected,\n    filterIds: filterSet ? Array.from(filterSet) : null,\n    allowedIds: allowedSet ? Array.from(allowedSet) : null,\n    tenantId,\n  }\n}\n\nexport async function resolveOrganizationScopeForRequest({\n  container,\n  auth,\n  request,\n  selectedId,\n  tenantId: tenantOverride,\n}: {\n  container: AwilixContainer\n  auth: AuthContext | null | undefined\n  request?: Request | { cookies?: { get: (name: string) => { value: string } | undefined }; headers?: { get(name: string): string | null } }\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<OrganizationScope> {\n  if (!auth || !auth.sub) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n\n  let em: EntityManager | null = null\n  let rbac: RbacService | null = null\n  try { em = container.resolve<EntityManager>('em') } catch { em = null }\n  try { rbac = container.resolve<RbacService>('rbacService') } catch { rbac = null }\n  const normalizeString = (value: unknown): string | null => {\n    if (typeof value === 'string' && value.trim().length > 0) return value.trim()\n    return null\n  }\n  if (!em || !rbac) {\n    const fallbackSelected = normalizeOrganizationId(selectedId ?? auth.orgId ?? null)\n    return {\n      selectedId: fallbackSelected,\n      filterIds: fallbackSelected ? [fallbackSelected] : null,\n      allowedIds: fallbackSelected ? [fallbackSelected] : null,\n      tenantId: normalizeString(auth.tenantId),\n    }\n  }\n\n  const actorTenantField = (auth as { actorTenantId?: string | null }).actorTenantId\n  const actorTenant = actorTenantField === undefined\n    ? normalizeString(auth.tenantId)\n    : actorTenantField === null\n      ? null\n      : normalizeString(actorTenantField)\n  const actorOrgField = (auth as { actorOrgId?: string | null }).actorOrgId\n  const actorOrgId = actorOrgField === undefined\n    ? normalizeString(auth.orgId)\n    : actorOrgField === null\n      ? null\n      : normalizeString(actorOrgField)\n\n  const cookieTenant = request ? getSelectedTenantFromRequest(request) : null\n  const requestedTenant =\n    tenantOverride !== undefined\n      ? tenantOverride\n      : cookieTenant !== undefined\n        ? cookieTenant\n        : undefined\n  const requestedTenantId = typeof requestedTenant === 'string' && requestedTenant.trim().length > 0 ? requestedTenant.trim() : null\n  const isSuperAdminActor = auth.isSuperAdmin === true\n  let effectiveTenantId = requestedTenantId ?? actorTenant ?? null\n  if (actorTenant && effectiveTenantId && effectiveTenantId !== actorTenant && !isSuperAdminActor) {\n    effectiveTenantId = actorTenant\n  }\n  if (!effectiveTenantId) {\n    return { selectedId: null, filterIds: null, allowedIds: null, tenantId: null }\n  }\n\n  const scopedAuth = {\n    ...auth,\n    tenantId: effectiveTenantId,\n    orgId: actorTenant && actorTenant === effectiveTenantId ? actorOrgId ?? null : null,\n  }\n\n  const rawSelected = selectedId !== undefined ? selectedId : (request ? getSelectedOrganizationFromRequest(request) : null)\n  const normalizedSelectedId = typeof rawSelected === 'string' && rawSelected.trim().length > 0\n    ? rawSelected.trim()\n    : null\n\n  const userId = typeof auth.sub === 'string' && auth.sub.length > 0 ? auth.sub : null\n  const ttlMs = resolveOrgScopeTtlMs()\n  const cache = ttlMs > 0 ? resolveCacheFromContainer(container) : null\n  const cacheKey = userId\n    ? buildOrgScopeCacheKey({\n        userId,\n        effectiveTenantId,\n        selectedOrgId: normalizedSelectedId,\n        requestedTenantId: requestedTenantId ?? null,\n      })\n    : null\n\n  const requestMemo = getRequestScopeMemo(request)\n  if (requestMemo && cacheKey) {\n    const memoized = requestMemo.get(cacheKey)\n    if (memoized) return memoized\n  }\n\n  const resolveScope = async (): Promise<OrganizationScope> => {\n    if (cache && cacheKey && typeof cache.get === 'function') {\n      try {\n        const cached = await cache.get(cacheKey)\n        if (isValidCachedScope(cached)) return cached\n      } catch (err) {\n        console.warn('[org-scope:cache] read failed', err)\n      }\n    }\n\n    const baseScope = await resolveOrganizationScope({\n      em,\n      rbac,\n      auth: scopedAuth,\n      selectedId: rawSelected,\n      tenantId: effectiveTenantId,\n    })\n\n    if (cache && cacheKey && userId && typeof cache.set === 'function') {\n      try {\n        await cache.set(cacheKey, baseScope, {\n          ttl: ttlMs,\n          tags: buildOrgScopeCacheTags({ userId, effectiveTenantId }),\n        })\n      } catch (err) {\n        console.warn('[org-scope:cache] write failed', err)\n      }\n    }\n\n    return baseScope\n  }\n\n  if (requestMemo && cacheKey) {\n    const pending = resolveScope()\n    requestMemo.set(cacheKey, pending)\n    return pending\n  }\n\n  return resolveScope()\n}\n\nexport type FeatureCheckContext = {\n  organizationId: string | null\n  scope: OrganizationScope\n  allowedOrganizationIds: string[] | null\n}\n\nexport async function resolveFeatureCheckContext({\n  container,\n  auth,\n  request,\n  selectedId,\n  tenantId,\n}: {\n  container: AwilixContainer\n  auth: AuthContext | null | undefined\n  request?: Request | { cookies?: { get: (name: string) => { value: string } | undefined } }\n  selectedId?: string | null\n  tenantId?: string | null\n}): Promise<FeatureCheckContext> {\n  const scope = await resolveOrganizationScopeForRequest({ container, auth, request, selectedId, tenantId })\n  const allowedOrganizationIds = scope.allowedIds ?? null\n  const authOrgId = auth?.orgId ?? null\n  const organizationId =\n    scope.selectedId\n    ?? (authOrgId && (!Array.isArray(allowedOrganizationIds) || allowedOrganizationIds.includes(authOrgId)) ? authOrgId : null)\n    ?? (Array.isArray(allowedOrganizationIds) && allowedOrganizationIds.length ? allowedOrganizationIds[0] : null)\n\n  return { organizationId, scope, allowedOrganizationIds }\n}\n"],
+  "mappings": "AAGA,SAAS,oBAAoB;AAC7B,SAAS,mCAAmC;AAI5C,SAAS,iCAAiC,iCAAiC;AAoB3E,MAAM,6BAA6B;AAInC,MAAM,2BAA2B;AAEjC,SAAS,uBAA+B;AACtC,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,QAAQ,OAAW,QAAO;AAC9B,QAAM,SAAS,OAAO,GAAG;AACzB,MAAI,CAAC,OAAO,SAAS,MAAM,KAAK,SAAS,EAAG,QAAO;AACnD,SAAO;AACT;AAEA,SAAS,sBAAsB,OAKpB;AACT,QAAM,WAAW,MAAM,iBAAiB;AACxC,QAAM,YAAY,MAAM,qBAAqB;AAC7C,SAAO,GAAG,0BAA0B,IAAI,MAAM,MAAM,IAAI,MAAM,iBAAiB,IAAI,QAAQ,IAAI,SAAS;AAC1G;AAOO,SAAS,0BAA0B,QAAwB;AAChE,SAAO,GAAG,0BAA0B,SAAS,MAAM;AACrD;AAEO,SAAS,4BAA4B,UAA0B;AACpE,SAAO,GAAG,0BAA0B,WAAW,QAAQ;AACzD;AAEA,SAAS,uBAAuB,OAAgE;AAC9F,SAAO;AAAA,IACL,0BAA0B,MAAM,MAAM;AAAA,IACtC,4BAA4B,MAAM,iBAAiB;AAAA,EACrD;AACF;AAEA,SAAS,mBAAmB,OAA4C;AACtE,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,SAAS;AACf,QAAM,OAAO,CAAC,MAAe,MAAM,QAAQ,OAAO,MAAM;AACxD,QAAM,QAAQ,CAAC,MAAe,MAAM,QAAS,MAAM,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,OAAO,UAAU,QAAQ;AAC7G,SAAO,KAAK,OAAO,UAAU,KAAK,KAAK,OAAO,QAAQ,KAAK,MAAM,OAAO,SAAS,KAAK,MAAM,OAAO,UAAU;AAC/G;AAEA,SAAS,0BAA0B,WAAqE;AACtG,MAAI,CAAC,UAAW,QAAO;AACvB,MAAI;AACF,UAAM,IAAI,UAAU,QAAQ,OAAO;AACnC,QAAI,KAAK,OAAO,EAAE,QAAQ,cAAc,OAAO,EAAE,QAAQ,WAAY,QAAO;AAAA,EAC9E,QAAQ;AACN,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,eAAsB,wCACpB,WACA,QACe;AACf,QAAM,QAAQ,0BAA0B,SAAS;AACjD,MAAI,CAAC,OAAO,aAAc;AAC1B,MAAI;AACF,UAAM,MAAM,aAAa,CAAC,0BAA0B,MAAM,CAAC,CAAC;AAAA,EAC9D,SAAS,KAAK;AACZ,YAAQ,KAAK,4CAA4C,GAAG;AAAA,EAC9D;AACF;AAEA,eAAsB,0CACpB,WACA,UACe;AACf,QAAM,QAAQ,0BAA0B,SAAS;AACjD,MAAI,CAAC,OAAO,aAAc;AAC1B,MAAI;AACF,UAAM,MAAM,aAAa,CAAC,4BAA4B,QAAQ,CAAC,CAAC;AAAA,EAClE,SAAS,KAAK;AACZ,YAAQ,KAAK,8CAA8C,GAAG;AAAA,EAChE;AACF;AAaA,MAAM,sBAAsB,oBAAI,QAAyD;AAEzF,SAAS,oBAAoB,SAAkE;AAC7F,MAAI,CAAC,WAAY,OAAO,YAAY,YAAY,OAAO,YAAY,WAAa,QAAO;AACvF,QAAM,MAAM;AACZ,MAAI,OAAO,oBAAoB,IAAI,GAAG;AACtC,MAAI,CAAC,MAAM;AACT,WAAO,oBAAI,IAAwC;AACnD,wBAAoB,IAAI,KAAK,IAAI;AAAA,EACnC;AACA,SAAO;AACT;AAEA,SAAS,wBAAwB,OAA+B;AAC9D,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,UAAU,MAAM,KAAK;AAC3B,SAAO,QAAQ,SAAS,IAAI,UAAU;AACxC;AAEO,SAAS,mCAAmC,KAAsJ;AACvM,QAAM,kBAAmB,IAA+E;AACxG,MAAI,mBAAmB,OAAO,gBAAgB,QAAQ,YAAY;AAChE,UAAM,MAAM,gBAAgB,IAAI,iBAAiB,GAAG;AACpD,WAAO,OAAO;AAAA,EAChB;AACA,QAAM,kBAAmB,IAA2D;AACpF,QAAM,SAAS,OAAO,iBAAiB,QAAQ,aAAa,gBAAgB,IAAI,QAAQ,IAAI;AAC5F,SAAO,gCAAgC,MAAM;AAC/C;AAEO,SAAS,6BACd,KACe;AACf,QAAM,kBAAmB,IAA+E;AACxG,MAAI,mBAAmB,OAAO,gBAAgB,QAAQ,YAAY;AAChE,UAAM,MAAM,gBAAgB,IAAI,oBAAoB,GAAG;AACvD,WAAO,OAAO;AAAA,EAChB;AACA,QAAM,kBAAmB,IAA2D;AACpF,QAAM,SAAS,OAAO,iBAAiB,QAAQ,aAAa,gBAAgB,IAAI,QAAQ,IAAI;AAC5F,SAAO,0BAA0B,MAAM;AACzC;AAEA,SAAS,yBAAyB,KAAyB;AACzD,SAAO,MAAM,KAAK,IAAI;AAAA,IACpB,IAAI,IAAI,CAAC,UAAU,wBAAwB,KAAK,CAAC,EAAE,OAAO,CAAC,UAA2B;AACpF,UAAI,CAAC,MAAO,QAAO;AACnB,UAAI,4BAA4B,KAAK,EAAG,QAAO;AAC/C,aAAO;AAAA,IACT,CAAC;AAAA,EACH,CAAC;AACH;AAaA,eAAe,qBAAqB,IAAmB,UAAkB,KAA0C;AACjH,QAAM,SAAS,yBAAyB,GAAG;AAC3C,MAAI,CAAC,OAAO,OAAQ,QAAO,oBAAI,IAAI;AACnC,QAAM,SAAoC;AAAA,IACxC,QAAQ;AAAA,IACR,IAAI,EAAE,KAAK,OAAO;AAAA,IAClB,WAAW;AAAA,EACb;AACA,QAAM,OAAO,MAAM,GAAG,KAAK,cAAc,MAAM;AAC/C,QAAM,MAAwB,oBAAI,IAAI;AACtC,aAAW,OAAO,MAAM;AACtB,UAAM,KAAK,OAAO,IAAI,EAAE;AACxB,UAAM,YAAY,CAAC,EAAE;AACrB,QAAI,MAAM,QAAQ,IAAI,aAAa,GAAG;AACpC,iBAAW,QAAQ,IAAI,cAAe,WAAU,KAAK,OAAO,IAAI,CAAC;AAAA,IACnE;AACA,QAAI,IAAI,IAAI,SAAS;AAAA,EACvB;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,KAAuB,KAA4B;AAChF,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,SAAS,KAAK;AACvB,UAAM,KAAK,wBAAwB,KAAK;AACxC,QAAI,CAAC,MAAM,4BAA4B,EAAE,EAAG;AAC5C,UAAM,YAAY,IAAI,IAAI,EAAE;AAC5B,QAAI,CAAC,UAAW;AAChB,eAAW,SAAS,UAAW,KAAI,IAAI,KAAK;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,eAAsB,yBAAyB;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,UAAU;AACZ,GAM+B;AAC7B,MAAI,CAAC,QAAQ,CAAC,KAAK,KAAK;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,gBAAgB,OAAO,KAAK,aAAa,YAAY,KAAK,SAAS,KAAK,EAAE,SAAS,IAAI,KAAK,SAAS,KAAK,IAAI;AACpH,QAAM,oBAAoB,OAAO,qBAAqB,YAAY,iBAAiB,KAAK,EAAE,SAAS,IAC/F,iBAAiB,KAAK,IACtB,qBAAqB,OACnB,OACA;AACN,MAAI,CAAC,mBAAmB;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,gBAAgB,sBAAsB;AAC5C,QAAM,oBAAoB,KAAK,iBAAiB;AAChD,QAAM,WAAW,iBAAiB,iBAAiB,CAAC,oBAAoB,gBAAgB;AACxF,MAAI,CAAC,UAAU;AACb,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AACA,QAAM,+BAA+B,wBAAwB,UAAU;AACvE,QAAM,wBACJ,iCAAiC,QAAQ,4BAA4B,4BAA4B;AACnG,QAAM,uBAAuB,wBACzB,OACA;AACJ,QAAM,eAAe,iBAAiB,kBAAkB,WAAW,wBAAwB,KAAK,KAAK,IAAI;AACzG,QAAM,MAAM,MAAM,KAAK,QAAQ,KAAK,KAAK,EAAE,UAAU,gBAAgB,aAAa,CAAC;AACnF,QAAM,kBAAkB,KAAK,iBAAiB;AAC9C,QAAM,sBAAsB,mBAAmB;AAC/C,QAAM,uBAAuB,sBACzB,OACA,MAAM,QAAQ,KAAK,aAAa,IAC9B,IAAI,cACH,IAAI,CAAC,UAAU,wBAAwB,KAAK,CAAC,EAC7C,OAAO,CAAC,UAA2B,UAAU,IAAI,IAClD;AACN,QAAM,iBAAiB,sBACnB,OACA,wBAAwB,qBAAqB,KAAK,CAAC,UAAU,4BAA4B,KAAK,CAAC,IAC7F,OACA,sBAAsB,OAAO,CAAC,UAAU,CAAC,4BAA4B,KAAK,CAAC,KAAK;AAEtF,QAAM,eAAe,iBAAiB,kBAAkB,WAAW,wBAAwB,KAAK,KAAK,IAAI;AACzG,QAAM,gBAAgB,gBAAgB;AAKtC,QAAM,eAAe;AAAA,IACnB,GAAI,kBAAkB,CAAC;AAAA,IACvB,GAAI,gBAAgB,CAAC,aAAa,IAAI,CAAC;AAAA,IACvC,GAAI,uBAAuB,CAAC,oBAAoB,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,iBAAiB,MAAM,qBAAqB,IAAI,UAAU,YAAY;AAC5E,QAAM,kBAAkB,MACtB,gBAAgB,sBAAsB,gBAAgB,CAAC,aAAa,CAAC,IAAI;AAE3E,MAAI,aAAiC;AACrC,MAAI,mBAAmB,MAAM;AAC3B,iBAAa;AAAA,EACf,WAAW,eAAe,WAAW,GAAG;AACtC,iBAAa,oBAAI,IAAI;AAAA,EACvB,OAAO;AACL,iBAAa,sBAAsB,gBAAgB,cAAc;AAAA,EACnE;AAEA,MAAI,cAAc,WAAW,SAAS,KAAK,eAAe;AACxD,UAAM,WAAW,gBAAgB;AACjC,QAAI,YAAY,SAAS,OAAO,GAAG;AACjC,mBAAa;AAAA,IACf;AAAA,EACF;AAEA,QAAM,wBAAwB,uBAAwB,mBAAmB;AACzE,QAAM,iBAAiB,yBAAyB,QAAQ,CAAC;AACzD,QAAM,iBACH,yBAAyB,yBACtB,uBAAuB;AAC7B,QAAM,kBACJ,yBACI,iBAAiB,OAAO,gBAAgB;AAC9C,MAAI,oBAAmC;AACvC,MAAI,iBAAiB;AACnB,QAAI,eAAe,QAAQ,WAAW,IAAI,eAAe,GAAG;AAC1D,0BAAoB;AAAA,IACtB;AAAA,EACF;AAEA,MAAI,YAAgC;AACpC,MAAI,mBAAmB;AACrB,gBAAY,sBAAsB,gBAAgB,CAAC,iBAAiB,CAAC;AAAA,EACvE,WAAW,eAAe,MAAM;AAC9B,gBAAY;AAAA,EACd,WAAW,gBAAgB;AACzB,gBAAY;AAAA,EACd,WAAW,KAAK,OAAO;AACrB,gBAAY,gBAAgB;AAAA,EAC9B;AAEA,OAAK,CAAC,aAAa,UAAU,SAAS,MAAM,iBAAiB,CAAC,gBAAgB;AAC5E,UAAM,WAAW,gBAAgB;AACjC,QAAI,YAAY,SAAS,OAAO,GAAG;AACjC,kBAAY;AACZ,UAAI,CAAC,mBAAmB;AACtB,4BAAoB;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,YAAY;AAAA,IACZ,WAAW,YAAY,MAAM,KAAK,SAAS,IAAI;AAAA,IAC/C,YAAY,aAAa,MAAM,KAAK,UAAU,IAAI;AAAA,IAClD;AAAA,EACF;AACF;AAEA,eAAsB,mCAAmC;AAAA,EACvD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,UAAU;AACZ,GAM+B;AAC7B,MAAI,CAAC,QAAQ,CAAC,KAAK,KAAK;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AAEA,MAAI,KAA2B;AAC/B,MAAI,OAA2B;AAC/B,MAAI;AAAE,SAAK,UAAU,QAAuB,IAAI;AAAA,EAAE,QAAQ;AAAE,SAAK;AAAA,EAAK;AACtE,MAAI;AAAE,WAAO,UAAU,QAAqB,aAAa;AAAA,EAAE,QAAQ;AAAE,WAAO;AAAA,EAAK;AACjF,QAAM,kBAAkB,CAAC,UAAkC;AACzD,QAAI,OAAO,UAAU,YAAY,MAAM,KAAK,EAAE,SAAS,EAAG,QAAO,MAAM,KAAK;AAC5E,WAAO;AAAA,EACT;AACA,MAAI,CAAC,MAAM,CAAC,MAAM;AAChB,UAAM,mBAAmB,wBAAwB,cAAc,KAAK,SAAS,IAAI;AACjF,WAAO;AAAA,MACL,YAAY;AAAA,MACZ,WAAW,mBAAmB,CAAC,gBAAgB,IAAI;AAAA,MACnD,YAAY,mBAAmB,CAAC,gBAAgB,IAAI;AAAA,MACpD,UAAU,gBAAgB,KAAK,QAAQ;AAAA,IACzC;AAAA,EACF;AAEA,QAAM,mBAAoB,KAA2C;AACrE,QAAM,cAAc,qBAAqB,SACrC,gBAAgB,KAAK,QAAQ,IAC7B,qBAAqB,OACnB,OACA,gBAAgB,gBAAgB;AACtC,QAAM,gBAAiB,KAAwC;AAC/D,QAAM,aAAa,kBAAkB,SACjC,gBAAgB,KAAK,KAAK,IAC1B,kBAAkB,OAChB,OACA,gBAAgB,aAAa;AAEnC,QAAM,eAAe,UAAU,6BAA6B,OAAO,IAAI;AACvE,QAAM,kBACJ,mBAAmB,SACf,iBACA,iBAAiB,SACf,eACA;AACR,QAAM,oBAAoB,OAAO,oBAAoB,YAAY,gBAAgB,KAAK,EAAE,SAAS,IAAI,gBAAgB,KAAK,IAAI;AAC9H,QAAM,oBAAoB,KAAK,iBAAiB;AAChD,MAAI,oBAAoB,qBAAqB,eAAe;AAC5D,MAAI,eAAe,qBAAqB,sBAAsB,eAAe,CAAC,mBAAmB;AAC/F,wBAAoB;AAAA,EACtB;AACA,MAAI,CAAC,mBAAmB;AACtB,WAAO,EAAE,YAAY,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,KAAK;AAAA,EAC/E;AAEA,QAAM,aAAa;AAAA,IACjB,GAAG;AAAA,IACH,UAAU;AAAA,IACV,OAAO,eAAe,gBAAgB,oBAAoB,cAAc,OAAO;AAAA,EACjF;AAEA,QAAM,cAAc,eAAe,SAAY,aAAc,UAAU,mCAAmC,OAAO,IAAI;AACrH,QAAM,uBAAuB,OAAO,gBAAgB,YAAY,YAAY,KAAK,EAAE,SAAS,IACxF,YAAY,KAAK,IACjB;AAEJ,QAAM,SAAS,OAAO,KAAK,QAAQ,YAAY,KAAK,IAAI,SAAS,IAAI,KAAK,MAAM;AAChF,QAAM,QAAQ,qBAAqB;AACnC,QAAM,QAAQ,QAAQ,IAAI,0BAA0B,SAAS,IAAI;AACjE,QAAM,WAAW,SACb,sBAAsB;AAAA,IACpB;AAAA,IACA;AAAA,IACA,eAAe;AAAA,IACf,mBAAmB,qBAAqB;AAAA,EAC1C,CAAC,IACD;AAEJ,QAAM,cAAc,oBAAoB,OAAO;AAC/C,MAAI,eAAe,UAAU;AAC3B,UAAM,WAAW,YAAY,IAAI,QAAQ;AACzC,QAAI,SAAU,QAAO;AAAA,EACvB;AAEA,QAAM,eAAe,YAAwC;AAC3D,QAAI,SAAS,YAAY,OAAO,MAAM,QAAQ,YAAY;AACxD,UAAI;AACF,cAAM,SAAS,MAAM,MAAM,IAAI,QAAQ;AACvC,YAAI,mBAAmB,MAAM,EAAG,QAAO;AAAA,MACzC,SAAS,KAAK;AACZ,gBAAQ,KAAK,iCAAiC,GAAG;AAAA,MACnD;AAAA,IACF;AAEA,UAAM,YAAY,MAAM,yBAAyB;AAAA,MAC/C;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,YAAY;AAAA,MACZ,UAAU;AAAA,IACZ,CAAC;AAED,QAAI,SAAS,YAAY,UAAU,OAAO,MAAM,QAAQ,YAAY;AAClE,UAAI;AACF,cAAM,MAAM,IAAI,UAAU,WAAW;AAAA,UACnC,KAAK;AAAA,UACL,MAAM,uBAAuB,EAAE,QAAQ,kBAAkB,CAAC;AAAA,QAC5D,CAAC;AAAA,MACH,SAAS,KAAK;AACZ,gBAAQ,KAAK,kCAAkC,GAAG;AAAA,MACpD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAEA,MAAI,eAAe,UAAU;AAC3B,UAAM,UAAU,aAAa;AAC7B,gBAAY,IAAI,UAAU,OAAO;AACjC,WAAO;AAAA,EACT;AAEA,SAAO,aAAa;AACtB;AAQA,eAAsB,2BAA2B;AAAA,EAC/C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAMiC;AAC/B,QAAM,QAAQ,MAAM,mCAAmC,EAAE,WAAW,MAAM,SAAS,YAAY,SAAS,CAAC;AACzG,QAAM,yBAAyB,MAAM,cAAc;AACnD,QAAM,YAAY,MAAM,SAAS;AACjC,QAAM,iBACJ,MAAM,eACF,cAAc,CAAC,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,SAAS,SAAS,KAAK,YAAY,UAClH,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,SAAS,uBAAuB,CAAC,IAAI;AAE3G,SAAO,EAAE,gBAAgB,OAAO,uBAAuB;AACzD;",
   "names": []
 }

package/dist/modules/entities/api/definitions.batch.js CHANGED Viewed

@@ -9,13 +9,14 @@ import { mergeEntityFieldsetConfig, normalizeEntityFieldsetConfig } from "../lib
 const metadata = {
   POST: { requireAuth: true, requireFeatures: ["entities.definitions.manage"] }
 };
+const MAX_DEFINITIONS_PER_BATCH = 1e3;
 const batchSchema = z.object({
   entityId: z.string().regex(/^[a-z0-9_]+:[a-z0-9_]+$/),
   definitions: z.array(
     upsertCustomFieldDefSchema.omit({ entityId: true }).extend({
       configJson: z.any().optional()
     })
-  )
+  ).max(MAX_DEFINITIONS_PER_BATCH)
 }).extend(customFieldEntityConfigSchema.shape);
 function cloneFieldsets(fieldsets) {
   if (!Array.isArray(fieldsets)) return void 0;

package/dist/modules/entities/api/definitions.batch.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/entities/api/definitions.batch.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { CustomFieldDef, CustomFieldEntityConfig } from '@open-mercato/core/modules/entities/data/entities'\nimport { customFieldEntityConfigSchema, upsertCustomFieldDefSchema } from '@open-mercato/core/modules/entities/data/validators'\nimport { z } from 'zod'\nimport { invalidateDefinitionsCache } from './definitions.cache'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { mergeEntityFieldsetConfig, normalizeEntityFieldsetConfig } from '../lib/fieldsets'\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n}\n\nconst batchSchema = z\n  .object({\n    entityId: z.string().regex(/^[a-z0-9_]+:[a-z0-9_]+$/),\n    definitions: z.array(\n      upsertCustomFieldDefSchema\n        .omit({ entityId: true })\n        .extend({\n          configJson: z.any().optional(),\n        })\n    ),\n  })\n  .extend(customFieldEntityConfigSchema.shape)\n\ntype IncomingFieldset = z.infer<typeof customFieldEntityConfigSchema>['fieldsets']\n\nfunction cloneFieldsets(fieldsets?: IncomingFieldset): IncomingFieldset {\n  if (!Array.isArray(fieldsets)) return undefined\n  return fieldsets.map((fieldset) => ({\n    code: fieldset.code,\n    label: fieldset.label,\n    icon: fieldset.icon,\n    description: fieldset.description,\n    groups: Array.isArray(fieldset.groups)\n      ? fieldset.groups.map((group) => ({\n          code: group.code,\n          title: group.title,\n          hint: group.hint,\n        }))\n      : undefined,\n  }))\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n\n  const parsed = batchSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Validation failed', details: parsed.error.flatten() }, { status: 400 })\n  const { entityId, definitions, fieldsets, singleFieldsetPerRecord } = parsed.data\n\n  const container = await createRequestContainer()\n  const { resolve } = container\n  const em = resolve('em') as any\n  let cache: CacheStrategy | undefined\n  try {\n    cache = resolve('cache') as CacheStrategy\n  } catch {}\n\n  await em.begin()\n  try {\n    // Prefetch every existing definition for this entity in a single query, then index\n    // by key so the per-definition loop resolves create/update without round trips.\n    const defByKey = new Map<string, any>()\n    const keys = definitions.map((d) => d.key)\n    if (keys.length > 0) {\n      const existingDefs = await em.find(CustomFieldDef, {\n        entityId,\n        key: { $in: keys },\n        organizationId: auth.orgId ?? null,\n        tenantId: auth.tenantId ?? null,\n      })\n      for (const existing of existingDefs) defByKey.set(existing.key, existing)\n    }\n\n    for (const [idx, d] of definitions.entries()) {\n      const where: any = {\n        entityId,\n        key: d.key,\n        organizationId: auth.orgId ?? null,\n        tenantId: auth.tenantId ?? null,\n      }\n      let def = defByKey.get(d.key)\n      if (!def) {\n        def = em.create(CustomFieldDef, { ...where, createdAt: new Date() })\n        defByKey.set(d.key, def)\n      }\n      def.kind = d.kind\n\n      const inCfg = (d as any).configJson ?? {}\n      const cfg: Record<string, any> = { ...inCfg }\n      if (cfg.label == null || String(cfg.label).trim() === '') cfg.label = d.key\n      if (cfg.formEditable === undefined) cfg.formEditable = true\n      if (cfg.listVisible === undefined) cfg.listVisible = true\n      if (d.kind === 'multiline' && (cfg.editor == null || String(cfg.editor).trim() === '')) cfg.editor = 'markdown'\n      cfg.priority = idx\n\n      def.configJson = cfg\n      def.isActive = d.isActive ?? true\n      def.updatedAt = new Date()\n      em.persist(def)\n    }\n    if (fieldsets !== undefined || singleFieldsetPerRecord !== undefined) {\n      const scope: any = { entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n      let cfg = await em.findOne(CustomFieldEntityConfig, scope)\n      if (!cfg) cfg = em.create(CustomFieldEntityConfig, { ...scope, createdAt: new Date() })\n      const existing = normalizeEntityFieldsetConfig(cfg.configJson ?? {})\n      const patch = mergeEntityFieldsetConfig(existing, {\n        fieldsets: fieldsets !== undefined ? cloneFieldsets(fieldsets) ?? [] : undefined,\n        singleFieldsetPerRecord,\n      })\n      cfg.configJson = {\n        fieldsets: patch.fieldsets,\n        singleFieldsetPerRecord: patch.singleFieldsetPerRecord,\n      }\n      cfg.updatedAt = new Date()\n      cfg.isActive = true\n      em.persist(cfg)\n    }\n    await em.flush()\n    await em.commit()\n  } catch (e) {\n    try { await em.rollback() } catch {}\n    return NextResponse.json({ error: 'Failed to save definitions batch' }, { status: 500 })\n  }\n\n  await invalidateDefinitionsCache(cache, {\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    entityIds: [entityId],\n  })\n\n  return NextResponse.json({ ok: true })\n}\n\nconst batchResponseSchema = z.object({\n  ok: z.literal(true),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Entities',\n  summary: 'Batch upsert custom field definitions',\n  methods: {\n    POST: {\n      summary: 'Save multiple custom field definitions',\n      description: 'Creates or updates multiple definitions for a single entity in one transaction.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: batchSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Definitions saved',\n          schema: batchResponseSchema,\n        },\n        {\n          status: 400,\n          description: 'Validation error',\n          schema: z.object({\n            error: z.string(),\n            details: z.any().optional(),\n          }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 500,\n          description: 'Unexpected failure',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,gBAAgB,+BAA+B;AACxD,SAAS,+BAA+B,kCAAkC;AAC1E,SAAS,SAAS;AAClB,SAAS,kCAAkC;AAE3C,SAAS,2BAA2B,qCAAqC;AAElE,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAC9E;AAEA,MAAM,cAAc,EACjB,OAAO;AAAA,EACN,UAAU,EAAE,OAAO,EAAE,MAAM,yBAAyB;AAAA,EACpD,aAAa,EAAE;AAAA,IACb,2BACG,KAAK,EAAE,UAAU,KAAK,CAAC,EACvB,OAAO;AAAA,MACN,YAAY,EAAE,IAAI,EAAE,SAAS;AAAA,IAC/B,CAAC;AAAA,EACL;AACF,CAAC,EACA,OAAO,8BAA8B,KAAK;AAI7C,SAAS,eAAe,WAAgD;AACtE,MAAI,CAAC,MAAM,QAAQ,SAAS,EAAG,QAAO;AACtC,SAAO,UAAU,IAAI,CAAC,cAAc;AAAA,IAClC,MAAM,SAAS;AAAA,IACf,OAAO,SAAS;AAAA,IAChB,MAAM,SAAS;AAAA,IACf,aAAa,SAAS;AAAA,IACtB,QAAQ,MAAM,QAAQ,SAAS,MAAM,IACjC,SAAS,OAAO,IAAI,CAAC,WAAW;AAAA,MAC9B,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd,EAAE,IACF;AAAA,EACN,EAAE;AACJ;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAE7G,QAAM,SAAS,YAAY,UAAU,IAAI;AACzC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9H,QAAM,EAAE,UAAU,aAAa,WAAW,wBAAwB,IAAI,OAAO;AAE7E,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,EAAE,QAAQ,IAAI;AACpB,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI;AACJ,MAAI;AACF,YAAQ,QAAQ,OAAO;AAAA,EACzB,QAAQ;AAAA,EAAC;AAET,QAAM,GAAG,MAAM;AACf,MAAI;AAGF,UAAM,WAAW,oBAAI,IAAiB;AACtC,UAAM,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,GAAG;AACzC,QAAI,KAAK,SAAS,GAAG;AACnB,YAAM,eAAe,MAAM,GAAG,KAAK,gBAAgB;AAAA,QACjD;AAAA,QACA,KAAK,EAAE,KAAK,KAAK;AAAA,QACjB,gBAAgB,KAAK,SAAS;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,MAC7B,CAAC;AACD,iBAAW,YAAY,aAAc,UAAS,IAAI,SAAS,KAAK,QAAQ;AAAA,IAC1E;AAEA,eAAW,CAAC,KAAK,CAAC,KAAK,YAAY,QAAQ,GAAG;AAC5C,YAAM,QAAa;AAAA,QACjB;AAAA,QACA,KAAK,EAAE;AAAA,QACP,gBAAgB,KAAK,SAAS;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,MAC7B;AACA,UAAI,MAAM,SAAS,IAAI,EAAE,GAAG;AAC5B,UAAI,CAAC,KAAK;AACR,cAAM,GAAG,OAAO,gBAAgB,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AACnE,iBAAS,IAAI,EAAE,KAAK,GAAG;AAAA,MACzB;AACA,UAAI,OAAO,EAAE;AAEb,YAAM,QAAS,EAAU,cAAc,CAAC;AACxC,YAAM,MAA2B,EAAE,GAAG,MAAM;AAC5C,UAAI,IAAI,SAAS,QAAQ,OAAO,IAAI,KAAK,EAAE,KAAK,MAAM,GAAI,KAAI,QAAQ,EAAE;AACxE,UAAI,IAAI,iBAAiB,OAAW,KAAI,eAAe;AACvD,UAAI,IAAI,gBAAgB,OAAW,KAAI,cAAc;AACrD,UAAI,EAAE,SAAS,gBAAgB,IAAI,UAAU,QAAQ,OAAO,IAAI,MAAM,EAAE,KAAK,MAAM,IAAK,KAAI,SAAS;AACrG,UAAI,WAAW;AAEf,UAAI,aAAa;AACjB,UAAI,WAAW,EAAE,YAAY;AAC7B,UAAI,YAAY,oBAAI,KAAK;AACzB,SAAG,QAAQ,GAAG;AAAA,IAChB;AACA,QAAI,cAAc,UAAa,4BAA4B,QAAW;AACpE,YAAM,QAAa,EAAE,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnG,UAAI,MAAM,MAAM,GAAG,QAAQ,yBAAyB,KAAK;AACzD,UAAI,CAAC,IAAK,OAAM,GAAG,OAAO,yBAAyB,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AACtF,YAAM,WAAW,8BAA8B,IAAI,cAAc,CAAC,CAAC;AACnE,YAAM,QAAQ,0BAA0B,UAAU;AAAA,QAChD,WAAW,cAAc,SAAY,eAAe,SAAS,KAAK,CAAC,IAAI;AAAA,QACvE;AAAA,MACF,CAAC;AACD,UAAI,aAAa;AAAA,QACf,WAAW,MAAM;AAAA,QACjB,yBAAyB,MAAM;AAAA,MACjC;AACA,UAAI,YAAY,oBAAI,KAAK;AACzB,UAAI,WAAW;AACf,SAAG,QAAQ,GAAG;AAAA,IAChB;AACA,UAAM,GAAG,MAAM;AACf,UAAM,GAAG,OAAO;AAAA,EAClB,SAAS,GAAG;AACV,QAAI;AAAE,YAAM,GAAG,SAAS;AAAA,IAAE,QAAQ;AAAA,IAAC;AACnC,WAAO,aAAa,KAAK,EAAE,OAAO,mCAAmC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzF;AAEA,QAAM,2BAA2B,OAAO;AAAA,IACtC,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B,WAAW,CAAC,QAAQ;AAAA,EACtB,CAAC;AAED,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,sBAAsB,EAAE,OAAO;AAAA,EACnC,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO;AAAA,YACf,OAAO,EAAE,OAAO;AAAA,YAChB,SAAS,EAAE,IAAI,EAAE,SAAS;AAAA,UAC5B,CAAC;AAAA,QACH;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { CustomFieldDef, CustomFieldEntityConfig } from '@open-mercato/core/modules/entities/data/entities'\nimport { customFieldEntityConfigSchema, upsertCustomFieldDefSchema } from '@open-mercato/core/modules/entities/data/validators'\nimport { z } from 'zod'\nimport { invalidateDefinitionsCache } from './definitions.cache'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { mergeEntityFieldsetConfig, normalizeEntityFieldsetConfig } from '../lib/fieldsets'\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n}\n\nconst MAX_DEFINITIONS_PER_BATCH = 1000\n\nconst batchSchema = z\n  .object({\n    entityId: z.string().regex(/^[a-z0-9_]+:[a-z0-9_]+$/),\n    definitions: z\n      .array(\n        upsertCustomFieldDefSchema\n          .omit({ entityId: true })\n          .extend({\n            configJson: z.any().optional(),\n          })\n      )\n      .max(MAX_DEFINITIONS_PER_BATCH),\n  })\n  .extend(customFieldEntityConfigSchema.shape)\n\ntype IncomingFieldset = z.infer<typeof customFieldEntityConfigSchema>['fieldsets']\n\nfunction cloneFieldsets(fieldsets?: IncomingFieldset): IncomingFieldset {\n  if (!Array.isArray(fieldsets)) return undefined\n  return fieldsets.map((fieldset) => ({\n    code: fieldset.code,\n    label: fieldset.label,\n    icon: fieldset.icon,\n    description: fieldset.description,\n    groups: Array.isArray(fieldset.groups)\n      ? fieldset.groups.map((group) => ({\n          code: group.code,\n          title: group.title,\n          hint: group.hint,\n        }))\n      : undefined,\n  }))\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n\n  const parsed = batchSchema.safeParse(body)\n  if (!parsed.success) return NextResponse.json({ error: 'Validation failed', details: parsed.error.flatten() }, { status: 400 })\n  const { entityId, definitions, fieldsets, singleFieldsetPerRecord } = parsed.data\n\n  const container = await createRequestContainer()\n  const { resolve } = container\n  const em = resolve('em') as any\n  let cache: CacheStrategy | undefined\n  try {\n    cache = resolve('cache') as CacheStrategy\n  } catch {}\n\n  await em.begin()\n  try {\n    // Prefetch every existing definition for this entity in a single query, then index\n    // by key so the per-definition loop resolves create/update without round trips.\n    const defByKey = new Map<string, any>()\n    const keys = definitions.map((d) => d.key)\n    if (keys.length > 0) {\n      const existingDefs = await em.find(CustomFieldDef, {\n        entityId,\n        key: { $in: keys },\n        organizationId: auth.orgId ?? null,\n        tenantId: auth.tenantId ?? null,\n      })\n      for (const existing of existingDefs) defByKey.set(existing.key, existing)\n    }\n\n    for (const [idx, d] of definitions.entries()) {\n      const where: any = {\n        entityId,\n        key: d.key,\n        organizationId: auth.orgId ?? null,\n        tenantId: auth.tenantId ?? null,\n      }\n      let def = defByKey.get(d.key)\n      if (!def) {\n        def = em.create(CustomFieldDef, { ...where, createdAt: new Date() })\n        defByKey.set(d.key, def)\n      }\n      def.kind = d.kind\n\n      const inCfg = (d as any).configJson ?? {}\n      const cfg: Record<string, any> = { ...inCfg }\n      if (cfg.label == null || String(cfg.label).trim() === '') cfg.label = d.key\n      if (cfg.formEditable === undefined) cfg.formEditable = true\n      if (cfg.listVisible === undefined) cfg.listVisible = true\n      if (d.kind === 'multiline' && (cfg.editor == null || String(cfg.editor).trim() === '')) cfg.editor = 'markdown'\n      cfg.priority = idx\n\n      def.configJson = cfg\n      def.isActive = d.isActive ?? true\n      def.updatedAt = new Date()\n      em.persist(def)\n    }\n    if (fieldsets !== undefined || singleFieldsetPerRecord !== undefined) {\n      const scope: any = { entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n      let cfg = await em.findOne(CustomFieldEntityConfig, scope)\n      if (!cfg) cfg = em.create(CustomFieldEntityConfig, { ...scope, createdAt: new Date() })\n      const existing = normalizeEntityFieldsetConfig(cfg.configJson ?? {})\n      const patch = mergeEntityFieldsetConfig(existing, {\n        fieldsets: fieldsets !== undefined ? cloneFieldsets(fieldsets) ?? [] : undefined,\n        singleFieldsetPerRecord,\n      })\n      cfg.configJson = {\n        fieldsets: patch.fieldsets,\n        singleFieldsetPerRecord: patch.singleFieldsetPerRecord,\n      }\n      cfg.updatedAt = new Date()\n      cfg.isActive = true\n      em.persist(cfg)\n    }\n    await em.flush()\n    await em.commit()\n  } catch (e) {\n    try { await em.rollback() } catch {}\n    return NextResponse.json({ error: 'Failed to save definitions batch' }, { status: 500 })\n  }\n\n  await invalidateDefinitionsCache(cache, {\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    entityIds: [entityId],\n  })\n\n  return NextResponse.json({ ok: true })\n}\n\nconst batchResponseSchema = z.object({\n  ok: z.literal(true),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Entities',\n  summary: 'Batch upsert custom field definitions',\n  methods: {\n    POST: {\n      summary: 'Save multiple custom field definitions',\n      description: 'Creates or updates multiple definitions for a single entity in one transaction.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: batchSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Definitions saved',\n          schema: batchResponseSchema,\n        },\n        {\n          status: 400,\n          description: 'Validation error',\n          schema: z.object({\n            error: z.string(),\n            details: z.any().optional(),\n          }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 500,\n          description: 'Unexpected failure',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,gBAAgB,+BAA+B;AACxD,SAAS,+BAA+B,kCAAkC;AAC1E,SAAS,SAAS;AAClB,SAAS,kCAAkC;AAE3C,SAAS,2BAA2B,qCAAqC;AAElE,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAC9E;AAEA,MAAM,4BAA4B;AAElC,MAAM,cAAc,EACjB,OAAO;AAAA,EACN,UAAU,EAAE,OAAO,EAAE,MAAM,yBAAyB;AAAA,EACpD,aAAa,EACV;AAAA,IACC,2BACG,KAAK,EAAE,UAAU,KAAK,CAAC,EACvB,OAAO;AAAA,MACN,YAAY,EAAE,IAAI,EAAE,SAAS;AAAA,IAC/B,CAAC;AAAA,EACL,EACC,IAAI,yBAAyB;AAClC,CAAC,EACA,OAAO,8BAA8B,KAAK;AAI7C,SAAS,eAAe,WAAgD;AACtE,MAAI,CAAC,MAAM,QAAQ,SAAS,EAAG,QAAO;AACtC,SAAO,UAAU,IAAI,CAAC,cAAc;AAAA,IAClC,MAAM,SAAS;AAAA,IACf,OAAO,SAAS;AAAA,IAChB,MAAM,SAAS;AAAA,IACf,aAAa,SAAS;AAAA,IACtB,QAAQ,MAAM,QAAQ,SAAS,MAAM,IACjC,SAAS,OAAO,IAAI,CAAC,WAAW;AAAA,MAC9B,MAAM,MAAM;AAAA,MACZ,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd,EAAE,IACF;AAAA,EACN,EAAE;AACJ;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAE7G,QAAM,SAAS,YAAY,UAAU,IAAI;AACzC,MAAI,CAAC,OAAO,QAAS,QAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9H,QAAM,EAAE,UAAU,aAAa,WAAW,wBAAwB,IAAI,OAAO;AAE7E,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,EAAE,QAAQ,IAAI;AACpB,QAAM,KAAK,QAAQ,IAAI;AACvB,MAAI;AACJ,MAAI;AACF,YAAQ,QAAQ,OAAO;AAAA,EACzB,QAAQ;AAAA,EAAC;AAET,QAAM,GAAG,MAAM;AACf,MAAI;AAGF,UAAM,WAAW,oBAAI,IAAiB;AACtC,UAAM,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,GAAG;AACzC,QAAI,KAAK,SAAS,GAAG;AACnB,YAAM,eAAe,MAAM,GAAG,KAAK,gBAAgB;AAAA,QACjD;AAAA,QACA,KAAK,EAAE,KAAK,KAAK;AAAA,QACjB,gBAAgB,KAAK,SAAS;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,MAC7B,CAAC;AACD,iBAAW,YAAY,aAAc,UAAS,IAAI,SAAS,KAAK,QAAQ;AAAA,IAC1E;AAEA,eAAW,CAAC,KAAK,CAAC,KAAK,YAAY,QAAQ,GAAG;AAC5C,YAAM,QAAa;AAAA,QACjB;AAAA,QACA,KAAK,EAAE;AAAA,QACP,gBAAgB,KAAK,SAAS;AAAA,QAC9B,UAAU,KAAK,YAAY;AAAA,MAC7B;AACA,UAAI,MAAM,SAAS,IAAI,EAAE,GAAG;AAC5B,UAAI,CAAC,KAAK;AACR,cAAM,GAAG,OAAO,gBAAgB,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AACnE,iBAAS,IAAI,EAAE,KAAK,GAAG;AAAA,MACzB;AACA,UAAI,OAAO,EAAE;AAEb,YAAM,QAAS,EAAU,cAAc,CAAC;AACxC,YAAM,MAA2B,EAAE,GAAG,MAAM;AAC5C,UAAI,IAAI,SAAS,QAAQ,OAAO,IAAI,KAAK,EAAE,KAAK,MAAM,GAAI,KAAI,QAAQ,EAAE;AACxE,UAAI,IAAI,iBAAiB,OAAW,KAAI,eAAe;AACvD,UAAI,IAAI,gBAAgB,OAAW,KAAI,cAAc;AACrD,UAAI,EAAE,SAAS,gBAAgB,IAAI,UAAU,QAAQ,OAAO,IAAI,MAAM,EAAE,KAAK,MAAM,IAAK,KAAI,SAAS;AACrG,UAAI,WAAW;AAEf,UAAI,aAAa;AACjB,UAAI,WAAW,EAAE,YAAY;AAC7B,UAAI,YAAY,oBAAI,KAAK;AACzB,SAAG,QAAQ,GAAG;AAAA,IAChB;AACA,QAAI,cAAc,UAAa,4BAA4B,QAAW;AACpE,YAAM,QAAa,EAAE,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnG,UAAI,MAAM,MAAM,GAAG,QAAQ,yBAAyB,KAAK;AACzD,UAAI,CAAC,IAAK,OAAM,GAAG,OAAO,yBAAyB,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AACtF,YAAM,WAAW,8BAA8B,IAAI,cAAc,CAAC,CAAC;AACnE,YAAM,QAAQ,0BAA0B,UAAU;AAAA,QAChD,WAAW,cAAc,SAAY,eAAe,SAAS,KAAK,CAAC,IAAI;AAAA,QACvE;AAAA,MACF,CAAC;AACD,UAAI,aAAa;AAAA,QACf,WAAW,MAAM;AAAA,QACjB,yBAAyB,MAAM;AAAA,MACjC;AACA,UAAI,YAAY,oBAAI,KAAK;AACzB,UAAI,WAAW;AACf,SAAG,QAAQ,GAAG;AAAA,IAChB;AACA,UAAM,GAAG,MAAM;AACf,UAAM,GAAG,OAAO;AAAA,EAClB,SAAS,GAAG;AACV,QAAI;AAAE,YAAM,GAAG,SAAS;AAAA,IAAE,QAAQ;AAAA,IAAC;AACnC,WAAO,aAAa,KAAK,EAAE,OAAO,mCAAmC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzF;AAEA,QAAM,2BAA2B,OAAO;AAAA,IACtC,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B,WAAW,CAAC,QAAQ;AAAA,EACtB,CAAC;AAED,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,sBAAsB,EAAE,OAAO;AAAA,EACnC,IAAI,EAAE,QAAQ,IAAI;AACpB,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO;AAAA,YACf,OAAO,EAAE,OAAO;AAAA,YAChB,SAAS,EAAE,IAAI,EAAE,SAAS;AAAA,UAC5B,CAAC;AAAA,QACH;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/entities/api/entities.js CHANGED Viewed

@@ -6,6 +6,7 @@ import { CustomEntity, CustomFieldDef } from "@open-mercato/core/modules/entitie
 import { getEntityIds } from "@open-mercato/shared/lib/encryption/entityIds";
 import { upsertCustomEntitySchema } from "@open-mercato/core/modules/entities/data/validators";
 import { isSystemEntitySelectable } from "@open-mercato/shared/lib/entities/system-entities";
+import { SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, isOrmBackedSystemEntityId } from "@open-mercato/shared/lib/data/engine";
 const metadata = {
   GET: { requireAuth: true },
   POST: { requireAuth: true, requireFeatures: ["entities.definitions.manage"] },
@@ -90,6 +91,12 @@ async function POST(req) {
   const input = parsed.data;
   const { resolve } = await createRequestContainer();
   const em = resolve("em");
+  if (isOrmBackedSystemEntityId(em, input.entityId)) {
+    return NextResponse.json(
+      { error: "System entities cannot be registered as custom entities", code: SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, entityId: input.entityId },
+      { status: 400 }
+    );
+  }
   const where = { entityId: input.entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null };
   let ent = await em.findOne(CustomEntity, where);
   if (!ent) ent = em.create(CustomEntity, { ...where, createdAt: /* @__PURE__ */ new Date() });

package/dist/modules/entities/api/entities.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/entities/api/entities.ts"],
-  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { CustomEntity, CustomFieldDef } from '@open-mercato/core/modules/entities/data/entities'\nimport { getEntityIds } from '@open-mercato/shared/lib/encryption/entityIds'\nimport { upsertCustomEntitySchema } from '@open-mercato/core/modules/entities/data/validators'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { isSystemEntitySelectable } from '@open-mercato/shared/lib/entities/system-entities'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  POST: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  // Generated entities from code\n  const AllEntities = getEntityIds()\n  const generated: { entityId: string; source: 'code'; label: string }[] = []\n  for (const modId of Object.keys(AllEntities)) {\n    const entities = (AllEntities as any)[modId] as Record<string, string>\n    for (const k of Object.keys(entities)) {\n      const id = entities[k]\n      if (!isSystemEntitySelectable(id)) continue\n      generated.push({ entityId: id, source: 'code', label: id })\n    }\n  }\n\n  // Custom user-defined entities (global/org/tenant scoped)\n  const where: any = { isActive: true }\n  where.$and = [\n    { $or: [ { organizationId: auth.orgId ?? undefined as any }, { organizationId: null } ] },\n    { $or: [ { tenantId: auth.tenantId ?? undefined as any }, { tenantId: null } ] },\n  ]\n  const customs = await em.find(CustomEntity as any, where as any, { orderBy: { entityId: 'asc' } as any })\n  // Resolve overlay precedence: prefer organization/tenant-specific over global\n  const customByEntityId = new Map<string, any>()\n  for (const c of customs as any[]) {\n    const specificity = (c.organizationId ? 2 : 0) + (c.tenantId ? 1 : 0)\n    const prev = customByEntityId.get(c.entityId)\n    const prevSpec = prev ? ((prev.organizationId ? 2 : 0) + (prev.tenantId ? 1 : 0)) : -1\n    if (!prev || specificity > prevSpec) customByEntityId.set(c.entityId, c)\n  }\n\n  const custom = Array.from(customByEntityId.values())\n    .filter((c) => isSystemEntitySelectable(c.entityId))\n    .map((c) => ({\n      entityId: c.entityId,\n      source: 'custom' as const,\n      label: c.label,\n      description: c.description ?? undefined,\n      labelField: (c as any).labelField ?? undefined,\n      defaultEditor: (c as any).defaultEditor ?? undefined,\n      showInSidebar: (c as any).showInSidebar ?? false,\n    }))\n\n  const byId = new Map<string, any>()\n  for (const g of generated) byId.set(g.entityId, g)\n  for (const cu of custom) {\n    const existing = byId.get(cu.entityId)\n    byId.set(cu.entityId, { ...existing, ...cu, source: existing?.source ?? cu.source })\n  }\n\n  // Count field definitions scoped to current tenant/org (same scoping as custom entities)\n  const defsWhere: any = { isActive: true }\n  defsWhere.$and = [\n    //{ $or: [ { organizationId: auth.orgId ?? undefined as any }, { organizationId: null } ] }, // the entities and custom fields are defined per tenant\n    { tenantId: auth.tenantId ?? undefined as any },\n  ]\n  const defs = await em.find(CustomFieldDef as any, defsWhere as any)\n  // Count distinct field names (keys) per entityId\n  const keySets = new Map<string, Set<string>>()\n  for (const d of defs as any[]) {\n    const eid = String(d.entityId)\n    const k = String(d.key)\n    if (!isSystemEntitySelectable(eid)) continue\n    const set = keySets.get(eid) || new Set<string>()\n    set.add(k)\n    keySets.set(eid, set)\n  }\n  const counts: Record<string, number> = {}\n  for (const [eid, set] of keySets.entries()) counts[eid] = set.size\n\n  const items = Array.from(byId.values()).map((it: any) => ({ ...it, count: counts[it.entityId] || 0 }))\n  return NextResponse.json({ items })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n  const parsed = upsertCustomEntitySchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Validation failed', details: parsed.error.flatten() }, { status: 400 })\n  }\n  const input = parsed.data\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  const where: any = { entityId: input.entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n  let ent = await em.findOne(CustomEntity, where)\n  if (!ent) ent = em.create(CustomEntity, { ...where, createdAt: new Date() })\n  ent.label = input.label\n  ent.description = input.description ?? null\n  ent.isActive = input.isActive ?? true\n  ent.labelField = input.labelField ?? ent.labelField ?? null\n  ent.defaultEditor = input.defaultEditor ?? ent.defaultEditor ?? null\n  ent.showInSidebar = input.showInSidebar ?? ent.showInSidebar ?? false\n  ent.updatedAt = new Date()\n  em.persist(ent)\n  await em.flush()\n  // Invalidate sidebar/nav cache for tenant scope (also when tenantId is null)\n  try {\n    const cache = (await createRequestContainer()).resolve('cache') as any\n    if (cache) {\n      await cache.deleteByTags([`nav:entities:${auth.tenantId || 'null'}`])\n    }\n  } catch {}\n  return NextResponse.json({ ok: true, item: { id: ent.id, entityId: ent.entityId, label: ent.label, description: ent.description ?? undefined } })\n}\n\nexport async function DELETE(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n  const entityId = body?.entityId\n  if (!entityId) return NextResponse.json({ error: 'entityId is required' }, { status: 400 })\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  const where: any = { entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n  const ent = await em.findOne(CustomEntity, where)\n  if (!ent) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n  ent.isActive = false\n  ent.updatedAt = new Date()\n  ent.deletedAt = ent.deletedAt ?? new Date()\n  em.persist(ent)\n  await em.flush()\n  // Invalidate sidebar/nav cache for tenant scope (also when tenantId is null)\n  try {\n    const cache = (await createRequestContainer()).resolve('cache') as any\n    if (cache) {\n      await cache.deleteByTags([`nav:entities:${auth.tenantId || 'null'}`])\n    }\n  } catch {}\n  return NextResponse.json({ ok: true })\n}\n\nconst entitySummarySchema = z.object({\n  entityId: z.string(),\n  source: z.enum(['code', 'custom']),\n  label: z.string(),\n  description: z.string().optional(),\n  labelField: z.string().optional(),\n  defaultEditor: z.string().optional(),\n  showInSidebar: z.boolean().optional(),\n  count: z.number(),\n})\n\nconst entityListResponseSchema = z.object({\n  items: z.array(entitySummarySchema),\n})\n\nconst deleteEntityRequestSchema = z.object({\n  entityId: z.string(),\n})\n\nconst upsertCustomEntityResponseSchema = z.object({\n  ok: z.literal(true),\n  item: z.object({\n    id: z.string().uuid(),\n    entityId: z.string(),\n    label: z.string(),\n    description: z.string().optional(),\n  }),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Entities',\n  summary: 'Manage custom entities',\n  methods: {\n    GET: {\n      summary: 'List available entities',\n      description: 'Returns generated and custom entities scoped to the caller with field counts per entity.',\n      responses: [\n        {\n          status: 200,\n          description: 'List of entities',\n          schema: entityListResponseSchema,\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n    POST: {\n      summary: 'Upsert custom entity',\n      description: 'Creates or updates a tenant/org scoped custom entity definition.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: upsertCustomEntitySchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Entity saved',\n          schema: upsertCustomEntityResponseSchema,\n        },\n        {\n          status: 400,\n          description: 'Validation error',\n          schema: z.object({\n            error: z.string(),\n            details: z.any().optional(),\n          }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n    DELETE: {\n      summary: 'Soft delete custom entity',\n      description: 'Marks the specified custom entity inactive within the current scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: deleteEntityRequestSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Entity deleted',\n          schema: z.object({ ok: z.boolean() }),\n        },\n        {\n          status: 400,\n          description: 'Missing entity id',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 404,\n          description: 'Entity not found in scope',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n  },\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,cAAc,sBAAsB;AAC7C,SAAS,oBAAoB;AAC7B,SAAS,gCAAgC;AAEzC,SAAS,gCAAgC;AAElC,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAAA,EAC5E,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAChF;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,aAAe,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAEvI,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAGvB,QAAM,cAAc,aAAa;AACjC,QAAM,YAAmE,CAAC;AAC1E,aAAW,SAAS,OAAO,KAAK,WAAW,GAAG;AAC5C,UAAM,WAAY,YAAoB,KAAK;AAC3C,eAAW,KAAK,OAAO,KAAK,QAAQ,GAAG;AACrC,YAAM,KAAK,SAAS,CAAC;AACrB,UAAI,CAAC,yBAAyB,EAAE,EAAG;AACnC,gBAAU,KAAK,EAAE,UAAU,IAAI,QAAQ,QAAQ,OAAO,GAAG,CAAC;AAAA,IAC5D;AAAA,EACF;AAGA,QAAM,QAAa,EAAE,UAAU,KAAK;AACpC,QAAM,OAAO;AAAA,IACX,EAAE,KAAK,CAAE,EAAE,gBAAgB,KAAK,SAAS,OAAiB,GAAG,EAAE,gBAAgB,KAAK,CAAE,EAAE;AAAA,IACxF,EAAE,KAAK,CAAE,EAAE,UAAU,KAAK,YAAY,OAAiB,GAAG,EAAE,UAAU,KAAK,CAAE,EAAE;AAAA,EACjF;AACA,QAAM,UAAU,MAAM,GAAG,KAAK,cAAqB,OAAc,EAAE,SAAS,EAAE,UAAU,MAAM,EAAS,CAAC;AAExG,QAAM,mBAAmB,oBAAI,IAAiB;AAC9C,aAAW,KAAK,SAAkB;AAChC,UAAM,eAAe,EAAE,iBAAiB,IAAI,MAAM,EAAE,WAAW,IAAI;AACnE,UAAM,OAAO,iBAAiB,IAAI,EAAE,QAAQ;AAC5C,UAAM,WAAW,QAAS,KAAK,iBAAiB,IAAI,MAAM,KAAK,WAAW,IAAI,KAAM;AACpF,QAAI,CAAC,QAAQ,cAAc,SAAU,kBAAiB,IAAI,EAAE,UAAU,CAAC;AAAA,EACzE;AAEA,QAAM,SAAS,MAAM,KAAK,iBAAiB,OAAO,CAAC,EAChD,OAAO,CAAC,MAAM,yBAAyB,EAAE,QAAQ,CAAC,EAClD,IAAI,CAAC,OAAO;AAAA,IACX,UAAU,EAAE;AAAA,IACZ,QAAQ;AAAA,IACR,OAAO,EAAE;AAAA,IACT,aAAa,EAAE,eAAe;AAAA,IAC9B,YAAa,EAAU,cAAc;AAAA,IACrC,eAAgB,EAAU,iBAAiB;AAAA,IAC3C,eAAgB,EAAU,iBAAiB;AAAA,EAC7C,EAAE;AAEJ,QAAM,OAAO,oBAAI,IAAiB;AAClC,aAAW,KAAK,UAAW,MAAK,IAAI,EAAE,UAAU,CAAC;AACjD,aAAW,MAAM,QAAQ;AACvB,UAAM,WAAW,KAAK,IAAI,GAAG,QAAQ;AACrC,SAAK,IAAI,GAAG,UAAU,EAAE,GAAG,UAAU,GAAG,IAAI,QAAQ,UAAU,UAAU,GAAG,OAAO,CAAC;AAAA,EACrF;AAGA,QAAM,YAAiB,EAAE,UAAU,KAAK;AACxC,YAAU,OAAO;AAAA;AAAA,IAEf,EAAE,UAAU,KAAK,YAAY,OAAiB;AAAA,EAChD;AACA,QAAM,OAAO,MAAM,GAAG,KAAK,gBAAuB,SAAgB;AAElE,QAAM,UAAU,oBAAI,IAAyB;AAC7C,aAAW,KAAK,MAAe;AAC7B,UAAM,MAAM,OAAO,EAAE,QAAQ;AAC7B,UAAM,IAAI,OAAO,EAAE,GAAG;AACtB,QAAI,CAAC,yBAAyB,GAAG,EAAG;AACpC,UAAM,MAAM,QAAQ,IAAI,GAAG,KAAK,oBAAI,IAAY;AAChD,QAAI,IAAI,CAAC;AACT,YAAQ,IAAI,KAAK,GAAG;AAAA,EACtB;AACA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,KAAK,GAAG,KAAK,QAAQ,QAAQ,EAAG,QAAO,GAAG,IAAI,IAAI;AAE9D,QAAM,QAAQ,MAAM,KAAK,KAAK,OAAO,CAAC,EAAE,IAAI,CAAC,QAAa,EAAE,GAAG,IAAI,OAAO,OAAO,GAAG,QAAQ,KAAK,EAAE,EAAE;AACrG,SAAO,aAAa,KAAK,EAAE,MAAM,CAAC;AACpC;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAC7G,QAAM,SAAS,yBAAyB,UAAU,IAAI;AACtD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3G;AACA,QAAM,QAAQ,OAAO;AAErB,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAEvB,QAAM,QAAa,EAAE,UAAU,MAAM,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnH,MAAI,MAAM,MAAM,GAAG,QAAQ,cAAc,KAAK;AAC9C,MAAI,CAAC,IAAK,OAAM,GAAG,OAAO,cAAc,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC3E,MAAI,QAAQ,MAAM;AAClB,MAAI,cAAc,MAAM,eAAe;AACvC,MAAI,WAAW,MAAM,YAAY;AACjC,MAAI,aAAa,MAAM,cAAc,IAAI,cAAc;AACvD,MAAI,gBAAgB,MAAM,iBAAiB,IAAI,iBAAiB;AAChE,MAAI,gBAAgB,MAAM,iBAAiB,IAAI,iBAAiB;AAChE,MAAI,YAAY,oBAAI,KAAK;AACzB,KAAG,QAAQ,GAAG;AACd,QAAM,GAAG,MAAM;AAEf,MAAI;AACF,UAAM,SAAS,MAAM,uBAAuB,GAAG,QAAQ,OAAO;AAC9D,QAAI,OAAO;AACT,YAAM,MAAM,aAAa,CAAC,gBAAgB,KAAK,YAAY,MAAM,EAAE,CAAC;AAAA,IACtE;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,MAAM,EAAE,IAAI,IAAI,IAAI,UAAU,IAAI,UAAU,OAAO,IAAI,OAAO,aAAa,IAAI,eAAe,OAAU,EAAE,CAAC;AAClJ;AAEA,eAAsB,OAAO,KAAc;AACzC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAC7G,QAAM,WAAW,MAAM;AACvB,MAAI,CAAC,SAAU,QAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE1F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAEvB,QAAM,QAAa,EAAE,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnG,QAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,KAAK;AAChD,MAAI,CAAC,IAAK,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC1E,MAAI,WAAW;AACf,MAAI,YAAY,oBAAI,KAAK;AACzB,MAAI,YAAY,IAAI,aAAa,oBAAI,KAAK;AAC1C,KAAG,QAAQ,GAAG;AACd,QAAM,GAAG,MAAM;AAEf,MAAI;AACF,UAAM,SAAS,MAAM,uBAAuB,GAAG,QAAQ,OAAO;AAC9D,QAAI,OAAO;AACT,YAAM,MAAM,aAAa,CAAC,gBAAgB,KAAK,YAAY,MAAM,EAAE,CAAC;AAAA,IACtE;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,sBAAsB,EAAE,OAAO;AAAA,EACnC,UAAU,EAAE,OAAO;AAAA,EACnB,QAAQ,EAAE,KAAK,CAAC,QAAQ,QAAQ,CAAC;AAAA,EACjC,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,eAAe,EAAE,OAAO,EAAE,SAAS;AAAA,EACnC,eAAe,EAAE,QAAQ,EAAE,SAAS;AAAA,EACpC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,2BAA2B,EAAE,OAAO;AAAA,EACxC,OAAO,EAAE,MAAM,mBAAmB;AACpC,CAAC;AAED,MAAM,4BAA4B,EAAE,OAAO;AAAA,EACzC,UAAU,EAAE,OAAO;AACrB,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,MAAM,EAAE,OAAO;AAAA,IACb,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,IACpB,UAAU,EAAE,OAAO;AAAA,IACnB,OAAO,EAAE,OAAO;AAAA,IAChB,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACnC,CAAC;AACH,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO;AAAA,YACf,OAAO,EAAE,OAAO;AAAA,YAChB,SAAS,EAAE,IAAI,EAAE,SAAS;AAAA,UAC5B,CAAC;AAAA,QACH;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAAA,QACtC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { CustomEntity, CustomFieldDef } from '@open-mercato/core/modules/entities/data/entities'\nimport { getEntityIds } from '@open-mercato/shared/lib/encryption/entityIds'\nimport { upsertCustomEntitySchema } from '@open-mercato/core/modules/entities/data/validators'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { isSystemEntitySelectable } from '@open-mercato/shared/lib/entities/system-entities'\nimport { SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, isOrmBackedSystemEntityId } from '@open-mercato/shared/lib/data/engine'\n\nexport const metadata = {\n  GET: { requireAuth: true },\n  POST: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['entities.definitions.manage'] },\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.tenantId || (!auth.orgId && !auth.isSuperAdmin)) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  // Generated entities from code\n  const AllEntities = getEntityIds()\n  const generated: { entityId: string; source: 'code'; label: string }[] = []\n  for (const modId of Object.keys(AllEntities)) {\n    const entities = (AllEntities as any)[modId] as Record<string, string>\n    for (const k of Object.keys(entities)) {\n      const id = entities[k]\n      if (!isSystemEntitySelectable(id)) continue\n      generated.push({ entityId: id, source: 'code', label: id })\n    }\n  }\n\n  // Custom user-defined entities (global/org/tenant scoped)\n  const where: any = { isActive: true }\n  where.$and = [\n    { $or: [ { organizationId: auth.orgId ?? undefined as any }, { organizationId: null } ] },\n    { $or: [ { tenantId: auth.tenantId ?? undefined as any }, { tenantId: null } ] },\n  ]\n  const customs = await em.find(CustomEntity as any, where as any, { orderBy: { entityId: 'asc' } as any })\n  // Resolve overlay precedence: prefer organization/tenant-specific over global\n  const customByEntityId = new Map<string, any>()\n  for (const c of customs as any[]) {\n    const specificity = (c.organizationId ? 2 : 0) + (c.tenantId ? 1 : 0)\n    const prev = customByEntityId.get(c.entityId)\n    const prevSpec = prev ? ((prev.organizationId ? 2 : 0) + (prev.tenantId ? 1 : 0)) : -1\n    if (!prev || specificity > prevSpec) customByEntityId.set(c.entityId, c)\n  }\n\n  const custom = Array.from(customByEntityId.values())\n    .filter((c) => isSystemEntitySelectable(c.entityId))\n    .map((c) => ({\n      entityId: c.entityId,\n      source: 'custom' as const,\n      label: c.label,\n      description: c.description ?? undefined,\n      labelField: (c as any).labelField ?? undefined,\n      defaultEditor: (c as any).defaultEditor ?? undefined,\n      showInSidebar: (c as any).showInSidebar ?? false,\n    }))\n\n  const byId = new Map<string, any>()\n  for (const g of generated) byId.set(g.entityId, g)\n  for (const cu of custom) {\n    const existing = byId.get(cu.entityId)\n    byId.set(cu.entityId, { ...existing, ...cu, source: existing?.source ?? cu.source })\n  }\n\n  // Count field definitions scoped to current tenant/org (same scoping as custom entities)\n  const defsWhere: any = { isActive: true }\n  defsWhere.$and = [\n    //{ $or: [ { organizationId: auth.orgId ?? undefined as any }, { organizationId: null } ] }, // the entities and custom fields are defined per tenant\n    { tenantId: auth.tenantId ?? undefined as any },\n  ]\n  const defs = await em.find(CustomFieldDef as any, defsWhere as any)\n  // Count distinct field names (keys) per entityId\n  const keySets = new Map<string, Set<string>>()\n  for (const d of defs as any[]) {\n    const eid = String(d.entityId)\n    const k = String(d.key)\n    if (!isSystemEntitySelectable(eid)) continue\n    const set = keySets.get(eid) || new Set<string>()\n    set.add(k)\n    keySets.set(eid, set)\n  }\n  const counts: Record<string, number> = {}\n  for (const [eid, set] of keySets.entries()) counts[eid] = set.size\n\n  const items = Array.from(byId.values()).map((it: any) => ({ ...it, count: counts[it.entityId] || 0 }))\n  return NextResponse.json({ items })\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n  const parsed = upsertCustomEntitySchema.safeParse(body)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Validation failed', details: parsed.error.flatten() }, { status: 400 })\n  }\n  const input = parsed.data\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  // A registration for a module-declared, table-backed system entity would flip\n  // query-engine classification to doc storage for the whole entity type (#2939's\n  // failure mode via another door) \u2014 refuse to create one.\n  if (isOrmBackedSystemEntityId(em, input.entityId)) {\n    return NextResponse.json(\n      { error: 'System entities cannot be registered as custom entities', code: SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, entityId: input.entityId },\n      { status: 400 },\n    )\n  }\n\n  const where: any = { entityId: input.entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n  let ent = await em.findOne(CustomEntity, where)\n  if (!ent) ent = em.create(CustomEntity, { ...where, createdAt: new Date() })\n  ent.label = input.label\n  ent.description = input.description ?? null\n  ent.isActive = input.isActive ?? true\n  ent.labelField = input.labelField ?? ent.labelField ?? null\n  ent.defaultEditor = input.defaultEditor ?? ent.defaultEditor ?? null\n  ent.showInSidebar = input.showInSidebar ?? ent.showInSidebar ?? false\n  ent.updatedAt = new Date()\n  em.persist(ent)\n  await em.flush()\n  // Invalidate sidebar/nav cache for tenant scope (also when tenantId is null)\n  try {\n    const cache = (await createRequestContainer()).resolve('cache') as any\n    if (cache) {\n      await cache.deleteByTags([`nav:entities:${auth.tenantId || 'null'}`])\n    }\n  } catch {}\n  return NextResponse.json({ ok: true, item: { id: ent.id, entityId: ent.entityId, label: ent.label, description: ent.description ?? undefined } })\n}\n\nexport async function DELETE(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth || !auth.orgId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  let body: any\n  try { body = await req.json() } catch { return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 }) }\n  const entityId = body?.entityId\n  if (!entityId) return NextResponse.json({ error: 'entityId is required' }, { status: 400 })\n\n  const { resolve } = await createRequestContainer()\n  const em = resolve('em') as any\n\n  const where: any = { entityId, organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n  const ent = await em.findOne(CustomEntity, where)\n  if (!ent) return NextResponse.json({ error: 'Not found' }, { status: 404 })\n  ent.isActive = false\n  ent.updatedAt = new Date()\n  ent.deletedAt = ent.deletedAt ?? new Date()\n  em.persist(ent)\n  await em.flush()\n  // Invalidate sidebar/nav cache for tenant scope (also when tenantId is null)\n  try {\n    const cache = (await createRequestContainer()).resolve('cache') as any\n    if (cache) {\n      await cache.deleteByTags([`nav:entities:${auth.tenantId || 'null'}`])\n    }\n  } catch {}\n  return NextResponse.json({ ok: true })\n}\n\nconst entitySummarySchema = z.object({\n  entityId: z.string(),\n  source: z.enum(['code', 'custom']),\n  label: z.string(),\n  description: z.string().optional(),\n  labelField: z.string().optional(),\n  defaultEditor: z.string().optional(),\n  showInSidebar: z.boolean().optional(),\n  count: z.number(),\n})\n\nconst entityListResponseSchema = z.object({\n  items: z.array(entitySummarySchema),\n})\n\nconst deleteEntityRequestSchema = z.object({\n  entityId: z.string(),\n})\n\nconst upsertCustomEntityResponseSchema = z.object({\n  ok: z.literal(true),\n  item: z.object({\n    id: z.string().uuid(),\n    entityId: z.string(),\n    label: z.string(),\n    description: z.string().optional(),\n  }),\n})\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Entities',\n  summary: 'Manage custom entities',\n  methods: {\n    GET: {\n      summary: 'List available entities',\n      description: 'Returns generated and custom entities scoped to the caller with field counts per entity.',\n      responses: [\n        {\n          status: 200,\n          description: 'List of entities',\n          schema: entityListResponseSchema,\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n    POST: {\n      summary: 'Upsert custom entity',\n      description: 'Creates or updates a tenant/org scoped custom entity definition.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: upsertCustomEntitySchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Entity saved',\n          schema: upsertCustomEntityResponseSchema,\n        },\n        {\n          status: 400,\n          description: 'Validation error',\n          schema: z.object({\n            error: z.string(),\n            details: z.any().optional(),\n          }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n    DELETE: {\n      summary: 'Soft delete custom entity',\n      description: 'Marks the specified custom entity inactive within the current scope.',\n      requestBody: {\n        contentType: 'application/json',\n        schema: deleteEntityRequestSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Entity deleted',\n          schema: z.object({ ok: z.boolean() }),\n        },\n        {\n          status: 400,\n          description: 'Missing entity id',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 401,\n          description: 'Missing authentication',\n          schema: z.object({ error: z.string() }),\n        },\n        {\n          status: 404,\n          description: 'Entity not found in scope',\n          schema: z.object({ error: z.string() }),\n        },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAClB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,cAAc,sBAAsB;AAC7C,SAAS,oBAAoB;AAC7B,SAAS,gCAAgC;AAEzC,SAAS,gCAAgC;AACzC,SAAS,oCAAoC,iCAAiC;AAEvE,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,KAAK;AAAA,EACzB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAAA,EAC5E,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,6BAA6B,EAAE;AAChF;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,YAAa,CAAC,KAAK,SAAS,CAAC,KAAK,aAAe,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAEvI,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAGvB,QAAM,cAAc,aAAa;AACjC,QAAM,YAAmE,CAAC;AAC1E,aAAW,SAAS,OAAO,KAAK,WAAW,GAAG;AAC5C,UAAM,WAAY,YAAoB,KAAK;AAC3C,eAAW,KAAK,OAAO,KAAK,QAAQ,GAAG;AACrC,YAAM,KAAK,SAAS,CAAC;AACrB,UAAI,CAAC,yBAAyB,EAAE,EAAG;AACnC,gBAAU,KAAK,EAAE,UAAU,IAAI,QAAQ,QAAQ,OAAO,GAAG,CAAC;AAAA,IAC5D;AAAA,EACF;AAGA,QAAM,QAAa,EAAE,UAAU,KAAK;AACpC,QAAM,OAAO;AAAA,IACX,EAAE,KAAK,CAAE,EAAE,gBAAgB,KAAK,SAAS,OAAiB,GAAG,EAAE,gBAAgB,KAAK,CAAE,EAAE;AAAA,IACxF,EAAE,KAAK,CAAE,EAAE,UAAU,KAAK,YAAY,OAAiB,GAAG,EAAE,UAAU,KAAK,CAAE,EAAE;AAAA,EACjF;AACA,QAAM,UAAU,MAAM,GAAG,KAAK,cAAqB,OAAc,EAAE,SAAS,EAAE,UAAU,MAAM,EAAS,CAAC;AAExG,QAAM,mBAAmB,oBAAI,IAAiB;AAC9C,aAAW,KAAK,SAAkB;AAChC,UAAM,eAAe,EAAE,iBAAiB,IAAI,MAAM,EAAE,WAAW,IAAI;AACnE,UAAM,OAAO,iBAAiB,IAAI,EAAE,QAAQ;AAC5C,UAAM,WAAW,QAAS,KAAK,iBAAiB,IAAI,MAAM,KAAK,WAAW,IAAI,KAAM;AACpF,QAAI,CAAC,QAAQ,cAAc,SAAU,kBAAiB,IAAI,EAAE,UAAU,CAAC;AAAA,EACzE;AAEA,QAAM,SAAS,MAAM,KAAK,iBAAiB,OAAO,CAAC,EAChD,OAAO,CAAC,MAAM,yBAAyB,EAAE,QAAQ,CAAC,EAClD,IAAI,CAAC,OAAO;AAAA,IACX,UAAU,EAAE;AAAA,IACZ,QAAQ;AAAA,IACR,OAAO,EAAE;AAAA,IACT,aAAa,EAAE,eAAe;AAAA,IAC9B,YAAa,EAAU,cAAc;AAAA,IACrC,eAAgB,EAAU,iBAAiB;AAAA,IAC3C,eAAgB,EAAU,iBAAiB;AAAA,EAC7C,EAAE;AAEJ,QAAM,OAAO,oBAAI,IAAiB;AAClC,aAAW,KAAK,UAAW,MAAK,IAAI,EAAE,UAAU,CAAC;AACjD,aAAW,MAAM,QAAQ;AACvB,UAAM,WAAW,KAAK,IAAI,GAAG,QAAQ;AACrC,SAAK,IAAI,GAAG,UAAU,EAAE,GAAG,UAAU,GAAG,IAAI,QAAQ,UAAU,UAAU,GAAG,OAAO,CAAC;AAAA,EACrF;AAGA,QAAM,YAAiB,EAAE,UAAU,KAAK;AACxC,YAAU,OAAO;AAAA;AAAA,IAEf,EAAE,UAAU,KAAK,YAAY,OAAiB;AAAA,EAChD;AACA,QAAM,OAAO,MAAM,GAAG,KAAK,gBAAuB,SAAgB;AAElE,QAAM,UAAU,oBAAI,IAAyB;AAC7C,aAAW,KAAK,MAAe;AAC7B,UAAM,MAAM,OAAO,EAAE,QAAQ;AAC7B,UAAM,IAAI,OAAO,EAAE,GAAG;AACtB,QAAI,CAAC,yBAAyB,GAAG,EAAG;AACpC,UAAM,MAAM,QAAQ,IAAI,GAAG,KAAK,oBAAI,IAAY;AAChD,QAAI,IAAI,CAAC;AACT,YAAQ,IAAI,KAAK,GAAG;AAAA,EACtB;AACA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,KAAK,GAAG,KAAK,QAAQ,QAAQ,EAAG,QAAO,GAAG,IAAI,IAAI;AAE9D,QAAM,QAAQ,MAAM,KAAK,KAAK,OAAO,CAAC,EAAE,IAAI,CAAC,QAAa,EAAE,GAAG,IAAI,OAAO,OAAO,GAAG,QAAQ,KAAK,EAAE,EAAE;AACrG,SAAO,aAAa,KAAK,EAAE,MAAM,CAAC;AACpC;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAC7G,QAAM,SAAS,yBAAyB,UAAU,IAAI;AACtD,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,qBAAqB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3G;AACA,QAAM,QAAQ,OAAO;AAErB,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAKvB,MAAI,0BAA0B,IAAI,MAAM,QAAQ,GAAG;AACjD,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,2DAA2D,MAAM,oCAAoC,UAAU,MAAM,SAAS;AAAA,MACvI,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,QAAa,EAAE,UAAU,MAAM,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnH,MAAI,MAAM,MAAM,GAAG,QAAQ,cAAc,KAAK;AAC9C,MAAI,CAAC,IAAK,OAAM,GAAG,OAAO,cAAc,EAAE,GAAG,OAAO,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC3E,MAAI,QAAQ,MAAM;AAClB,MAAI,cAAc,MAAM,eAAe;AACvC,MAAI,WAAW,MAAM,YAAY;AACjC,MAAI,aAAa,MAAM,cAAc,IAAI,cAAc;AACvD,MAAI,gBAAgB,MAAM,iBAAiB,IAAI,iBAAiB;AAChE,MAAI,gBAAgB,MAAM,iBAAiB,IAAI,iBAAiB;AAChE,MAAI,YAAY,oBAAI,KAAK;AACzB,KAAG,QAAQ,GAAG;AACd,QAAM,GAAG,MAAM;AAEf,MAAI;AACF,UAAM,SAAS,MAAM,uBAAuB,GAAG,QAAQ,OAAO;AAC9D,QAAI,OAAO;AACT,YAAM,MAAM,aAAa,CAAC,gBAAgB,KAAK,YAAY,MAAM,EAAE,CAAC;AAAA,IACtE;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO,aAAa,KAAK,EAAE,IAAI,MAAM,MAAM,EAAE,IAAI,IAAI,IAAI,UAAU,IAAI,UAAU,OAAO,IAAI,OAAO,aAAa,IAAI,eAAe,OAAU,EAAE,CAAC;AAClJ;AAEA,eAAsB,OAAO,KAAc;AACzC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,QAAQ,CAAC,KAAK,MAAO,QAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC7F,MAAI;AACJ,MAAI;AAAE,WAAO,MAAM,IAAI,KAAK;AAAA,EAAE,QAAQ;AAAE,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAAE;AAC7G,QAAM,WAAW,MAAM;AACvB,MAAI,CAAC,SAAU,QAAO,aAAa,KAAK,EAAE,OAAO,uBAAuB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAE1F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,KAAK,QAAQ,IAAI;AAEvB,QAAM,QAAa,EAAE,UAAU,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AACnG,QAAM,MAAM,MAAM,GAAG,QAAQ,cAAc,KAAK;AAChD,MAAI,CAAC,IAAK,QAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC1E,MAAI,WAAW;AACf,MAAI,YAAY,oBAAI,KAAK;AACzB,MAAI,YAAY,IAAI,aAAa,oBAAI,KAAK;AAC1C,KAAG,QAAQ,GAAG;AACd,QAAM,GAAG,MAAM;AAEf,MAAI;AACF,UAAM,SAAS,MAAM,uBAAuB,GAAG,QAAQ,OAAO;AAC9D,QAAI,OAAO;AACT,YAAM,MAAM,aAAa,CAAC,gBAAgB,KAAK,YAAY,MAAM,EAAE,CAAC;AAAA,IACtE;AAAA,EACF,QAAQ;AAAA,EAAC;AACT,SAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AACvC;AAEA,MAAM,sBAAsB,EAAE,OAAO;AAAA,EACnC,UAAU,EAAE,OAAO;AAAA,EACnB,QAAQ,EAAE,KAAK,CAAC,QAAQ,QAAQ,CAAC;AAAA,EACjC,OAAO,EAAE,OAAO;AAAA,EAChB,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,eAAe,EAAE,OAAO,EAAE,SAAS;AAAA,EACnC,eAAe,EAAE,QAAQ,EAAE,SAAS;AAAA,EACpC,OAAO,EAAE,OAAO;AAClB,CAAC;AAED,MAAM,2BAA2B,EAAE,OAAO;AAAA,EACxC,OAAO,EAAE,MAAM,mBAAmB;AACpC,CAAC;AAED,MAAM,4BAA4B,EAAE,OAAO;AAAA,EACzC,UAAU,EAAE,OAAO;AACrB,CAAC;AAED,MAAM,mCAAmC,EAAE,OAAO;AAAA,EAChD,IAAI,EAAE,QAAQ,IAAI;AAAA,EAClB,MAAM,EAAE,OAAO;AAAA,IACb,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA,IACpB,UAAU,EAAE,OAAO;AAAA,IACnB,OAAO,EAAE,OAAO;AAAA,IAChB,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACnC,CAAC;AACH,CAAC;AAEM,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ;AAAA,QACV;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO;AAAA,YACf,OAAO,EAAE,OAAO;AAAA,YAChB,SAAS,EAAE,IAAI,EAAE,SAAS;AAAA,UAC5B,CAAC;AAAA,QACH;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAAA,QACtC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,QACA;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/entities/api/records.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
 import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
 import { normalizeExportFormat, serializeExport, defaultExportFilename, ensureColumns } from "@open-mercato/shared/lib/crud/exporters";
 import { resolveOrganizationScope, getSelectedOrganizationFromRequest } from "@open-mercato/core/modules/directory/utils/organizationScope";
+import { SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, isOrmBackedSystemEntityId } from "@open-mercato/shared/lib/data/engine";
 import { parseBooleanToken, parseBooleanWithDefault } from "@open-mercato/shared/lib/boolean";
 import { enforceCommandOptimisticLock } from "@open-mercato/shared/lib/crud/optimistic-lock-command";
 import { isCrudHttpError } from "@open-mercato/shared/lib/crud/errors";
@@ -29,21 +30,22 @@ function isDeclaredCustomEntity(entityId) {
   return declaredCustomEntityIds?.has(entityId) ?? false;
 }
 const CUSTOM_ENTITY_RECORD_RESOURCE_KIND = "entities.record";
-async function detectCustomEntity(em, entityId) {
-  if (isDeclaredCustomEntity(entityId)) return true;
+async function classifyRecordsEntity(em, entityId) {
+  if (isOrmBackedSystemEntityId(em, entityId)) return "system";
+  if (isDeclaredCustomEntity(entityId)) return "custom";
   try {
     const { CustomEntity } = await import("../data/entities.js");
-    const found = await em.findOne(CustomEntity, { entityId, isActive: true });
-    if (found) return true;
+    const found = await em.findOne(CustomEntity, { entityId });
+    if (found) return "custom";
   } catch {
   }
-  try {
-    const db = em.getKysely();
-    const row = await db.selectFrom("custom_entities_storage").select(["entity_id"]).where("entity_type", "=", entityId).limit(1).executeTakeFirst();
-    return !!row;
-  } catch {
-  }
-  return false;
+  return "unknown";
+}
+function systemEntityRecordsRejection(entityId) {
+  return NextResponse.json(
+    { error: "Records are available for custom entities only", code: SYSTEM_ENTITY_RECORDS_BLOCKED_CODE, entityId },
+    { status: 400 }
+  );
 }
 async function readCustomEntityRecordUpdatedAt(em, input) {
   try {
@@ -116,7 +118,9 @@ async function GET(req) {
     const rbac = resolve("rbacService");
     const scope = await resolveOrganizationScope({ em, rbac, auth, selectedId: getSelectedOrganizationFromRequest(req) });
     let organizationIds = scope.filterIds;
-    const isCustomEntity = await detectCustomEntity(em, entityId);
+    const entityKind = await classifyRecordsEntity(em, entityId);
+    if (entityKind === "system") return systemEntityRecordsRejection(entityId);
+    const isCustomEntity = entityKind === "custom";
     await assertEntityAclForRequest({ auth, entityId, action: "view", isCustomEntity, rbac });
     if (organizationIds && organizationIds.length === 0) {
       return NextResponse.json({ items: [], total: 0, page, pageSize, totalPages: 0 });
@@ -191,6 +195,7 @@ async function GET(req) {
     if (organizationIds && organizationIds.length) {
       qopts.organizationIds = organizationIds;
     }
+    if (isCustomEntity) qopts.forceCustomEntityStorage = true;
     for (const [k, v] of qpEntries) buildFilter(k, v, isCustomEntity);
     const res = await qe.query(entityId, qopts);
     const rawItems = res.items || [];
@@ -309,7 +314,9 @@ async function POST(req) {
     const scope = await resolveOrganizationScope({ em, rbac, auth, selectedId: getSelectedOrganizationFromRequest(req) });
     const targetOrgId = scope.selectedId ?? auth.orgId;
     if (!targetOrgId) return NextResponse.json({ error: "Organization context is required" }, { status: 400 });
-    const isCustomEntity = await detectCustomEntity(em, entityId);
+    const entityKind = await classifyRecordsEntity(em, entityId);
+    if (entityKind === "system") return systemEntityRecordsRejection(entityId);
+    const isCustomEntity = entityKind === "custom";
     await assertEntityAclForRequest({ auth, entityId, action: "manage", isCustomEntity, rbac });
     const norm = normalizeValues(values);
     try {
@@ -371,7 +378,9 @@ async function PUT(req) {
     const scope = await resolveOrganizationScope({ em, rbac, auth, selectedId: getSelectedOrganizationFromRequest(req) });
     const targetOrgId = scope.selectedId ?? auth.orgId;
     if (!targetOrgId) return NextResponse.json({ error: "Organization context is required" }, { status: 400 });
-    const isCustomEntity = await detectCustomEntity(em, entityId);
+    const entityKind = await classifyRecordsEntity(em, entityId);
+    if (entityKind === "system") return systemEntityRecordsRejection(entityId);
+    const isCustomEntity = entityKind === "custom";
     await assertEntityAclForRequest({ auth, entityId, action: "manage", isCustomEntity, rbac });
     const norm = normalizeValues(values);
     try {
@@ -455,7 +464,9 @@ async function DELETE(req) {
     const scope = await resolveOrganizationScope({ em, rbac, auth, selectedId: getSelectedOrganizationFromRequest(req) });
     const targetOrgId = scope.selectedId ?? auth.orgId;
     if (!targetOrgId) return NextResponse.json({ error: "Organization context is required" }, { status: 400 });
-    const isCustomEntity = await detectCustomEntity(em, entityId);
+    const entityKind = await classifyRecordsEntity(em, entityId);
+    if (entityKind === "system") return systemEntityRecordsRejection(entityId);
+    const isCustomEntity = entityKind === "custom";
     await assertEntityAclForRequest({ auth, entityId, action: "manage", isCustomEntity, rbac });
     await de.deleteCustomEntityRecord({ entityId, recordId, organizationId: targetOrgId, tenantId: auth.tenantId, soft: true });
     return NextResponse.json({ ok: true });