@open-mercato/core 0.6.5-develop.5337.1.534b781eac → 0.6.5

package/src/modules/attachments/AGENTS.md

@@ -0,0 +1,79 @@
+# Attachments Module — Agent Guidelines
+
+The `attachments` module owns file uploads, storage drivers, partitions, OCR, and
+the `attachments` table. Every attachment row carries a `tenant_id` /
+`organization_id` scope pair that governs cross-tenant access.
+
+## Scope & Access Policy
+
+`attachments.tenant_id` and `attachments.organization_id` are **nullable** at the
+DB level, but only two scope shapes are valid:
+
+| Shape | `tenant_id` | `organization_id` | Meaning | Who can read it |
+|-------|-------------|-------------------|---------|-----------------|
+| **Scoped** | set | set | Belongs to one tenant + org | Same-scope principals + superadmin |
+| **Global** | null | null | Legacy "global attachment" | Any authenticated principal (and unauthenticated only on a `is_public` partition) |
+| **Partial-null** ❌ | set / null | null / set | **Invalid — never create** | Nobody (fail-closed) except superadmin |
+
+The "both-or-neither" rule is the legitimate-unscoped use case referenced by
+[#2109](https://github.com/open-mercato/open-mercato/issues/2109): a fully-global
+(both-null) attachment is intentionally supported by `isSameScope`, so the columns
+cannot simply be made `NOT NULL` without breaking that semantic or backfilling a
+sentinel tenant onto legacy rows.
+
+### Why partial-null is dangerous
+
+`isSameScope` (`lib/access.ts`) deliberately **fails closed** on partial-null rows
+(#2107): a row with one scope column set and the other null matches no principal's
+auth and is unreadable by everyone except a superadmin. Such a row is therefore
+*dead data* — it can only ever leak through a future code path that reads or
+exports attachments **without** going through `checkAttachmentAccess` (a new export
+endpoint, webhook delivery, OCR worker, or migration backfill). That is exactly the
+fail-open class the access fix closed at read time; the creation guard closes it at
+write time.
+
+## Always
+
+- **MUST call `assertAttachmentScopeInvariant({ tenantId, organizationId })` from
+  `lib/access.ts` before persisting any new `Attachment` row.** It throws on a
+  partial-null scope and accepts both fully-scoped and fully-global rows. The
+  attachments upload route (`api/route.ts`) already guards its creation site.
+- **MUST gate every attachment read through `checkAttachmentAccess`** (`lib/access.ts`)
+  so tenant scoping and partition visibility are enforced consistently.
+- When copying/cloning attachments across records, **carry the source row's scope
+  pair as a unit** (both columns together) rather than overriding one column with a
+  possibly-null value.
+
+## Never
+
+- **Never create a partial-null attachment** (one scope column set, the other null).
+- **Never read or expose attachment rows without `checkAttachmentAccess`** — bypassing
+  it reintroduces the cross-tenant fail-open class.
+
+## Known cross-module creation paths
+
+These paths create `Attachment` rows from other modules and must preserve the
+both-or-neither invariant (audited for #2109):
+
+- `packages/core/src/modules/attachments/api/route.ts` — primary upload; scope comes
+  from authenticated request context (both set). **Guarded.**
+- `packages/core/src/modules/sync_excel/lib/upload-storage.ts` — both scopes are
+  required inputs (type-enforced). Safe.
+- `packages/core/src/modules/catalog/seed/examples.ts` — both scopes required on
+  `SeedScope`. Safe.
+- `packages/core/src/modules/catalog/commands/variants.ts` — clones variant media to
+  the product; inherits the source/variant scope pair (`?? null` only collapses to
+  the global both-null shape).
+- `packages/core/src/modules/messages/lib/attachments.ts`
+  (`copyAttachmentsForForwardMessages`) — copies forwarded message attachments and
+  accepts a nullable `targetOrganizationId` with a non-null `tenantId`. This is the
+  one path that can construct a partial-null row; copy the **source attachment's**
+  scope pair when wiring new callers, and apply the creation guard if this path is
+  refactored.
+
+## Validation Commands
+
+```bash
+yarn workspace @open-mercato/core test -- access
+yarn workspace @open-mercato/core build
+```

package/src/modules/attachments/api/library/route.ts

@@ -10,7 +10,7 @@ import { buildAttachmentImageUrl, slugifyAttachmentFileName } from '../../lib/im
 import { readAttachmentMetadata } from '../../lib/metadata'
 import type { QueryEngine } from '@open-mercato/shared/lib/query/types'
 import { applyAssignmentEnrichments, resolveAssignmentEnrichments } from '../../lib/assignmentDetails'
-import { escapeLikePattern } from '@open-mercato/shared/lib/db/escapeLikePattern'
+import { buildIlikeTerm } from '@open-mercato/shared/lib/db/buildIlikeTerm'
 import { ensureDefaultPartitions } from '../../lib/partitions'
 import {
   attachmentsTag,
@@ -85,7 +85,7 @@ export async function GET(req: Request) {
   }
   qb.where(baseFilter)
   if (search && search.trim().length > 0) {
-    qb.andWhere({ fileName: { $ilike: `%${escapeLikePattern(search.trim())}%` } })
+    qb.andWhere({ fileName: { $ilike: buildIlikeTerm(search.trim()) } })
   }
   if (partition && partition.trim().length > 0) {
     qb.andWhere({ partitionCode: partition.trim() })

package/src/modules/attachments/api/route.ts

@@ -12,6 +12,7 @@ import { requestOcrProcessing } from '../lib/ocrQueue'
 import { StorageDriverFactory } from '../lib/drivers'
 import { OcrService, shouldUseLlmOcr } from '../lib/ocrService'
 import { clearAttachmentThumbnailCache } from '../lib/thumbnailCache'
+import { assertAttachmentScopeInvariant } from '../lib/access'
 import {
   mergeAttachmentMetadata,
   normalizeAttachmentAssignments,
@@ -421,6 +422,7 @@ export async function POST(req: Request) {
   }
   const metadata = mergeAttachmentMetadata(null, { assignments, tags })
   const attachmentId = randomUUID()
+  assertAttachmentScopeInvariant({ tenantId: auth.tenantId, organizationId: auth.orgId })
   const att = em.create(Attachment, {
     id: attachmentId,
     entityId,

package/src/modules/attachments/components/AttachmentContentPreview.tsx

@@ -1,7 +1,5 @@
 import * as React from 'react'
-import ReactMarkdown from 'react-markdown'
-import remarkGfm from 'remark-gfm'
-import type { PluggableList } from 'unified'
+import { MarkdownContent } from '@open-mercato/ui/backend/markdown'
 import { Button } from '@open-mercato/ui/primitives/button'
 
 type Props = {
@@ -26,7 +24,6 @@ export function AttachmentContentPreview({
   const [expanded, setExpanded] = React.useState(false)
   const [tab, setTab] = React.useState<'source' | 'preview'>('source')
   const text = (content ?? '').trim()
-  const markdownPlugins = React.useMemo<PluggableList>(() => [remarkGfm], [])
 
   // ARIA IDs for accessibility
   const sourceTabId = 'attachment-content-preview-tab-source'
@@ -96,9 +93,12 @@ export function AttachmentContentPreview({
           id={previewPanelId}
           aria-labelledby={previewTabId}
           data-testid="markdown-preview"
-          className="text-sm text-muted-foreground [&>*]:mb-2 [&>*:last-child]:mb-0 [&_ul]:ml-4 [&_ul]:list-disc [&_ol]:ml-4 [&_ol]:list-decimal [&_code]:rounded [&_code]:bg-muted [&_code]:px-1 [&_code]:py-0.5 [&_pre]:rounded-md [&_pre]:bg-muted [&_pre]:p-3 [&_pre]:text-xs"
         >
-          <ReactMarkdown remarkPlugins={markdownPlugins}>{text}</ReactMarkdown>
+          <MarkdownContent
+            body={text}
+            format="markdown"
+            className="text-sm text-muted-foreground [&>*]:mb-2 [&>*:last-child]:mb-0 [&_ul]:ml-4 [&_ul]:list-disc [&_ol]:ml-4 [&_ol]:list-decimal [&_code]:rounded [&_code]:bg-muted [&_code]:px-1 [&_code]:py-0.5 [&_pre]:rounded-md [&_pre]:bg-muted [&_pre]:p-3 [&_pre]:text-xs"
+          />
         </div>
       )}
 

package/src/modules/attachments/lib/access.ts

@@ -1,6 +1,42 @@
 import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
 import type { Attachment, AttachmentPartition } from '../data/entities'
 
+export type AttachmentScope = {
+  tenantId?: string | null
+  organizationId?: string | null
+}
+
+function normalizeScopeValue(value: string | null | undefined): string | null {
+  if (typeof value !== 'string') return null
+  const trimmed = value.trim()
+  return trimmed.length > 0 ? trimmed : null
+}
+
+/**
+ * Enforce the attachments scope invariant at every creation boundary:
+ * an attachment is either fully **global** (both `tenant_id` and
+ * `organization_id` null) or fully **scoped** (both set) — never partial.
+ *
+ * `isSameScope` deliberately treats a partial-null row as inaccessible to
+ * every non-superadmin principal (fail-closed, #2107), so a partial-null row
+ * is dead data that can only ever leak through a future code path that skips
+ * the access check. Guarding creation keeps that class of fail-open bug from
+ * re-emerging (#2109). Call this before persisting any `Attachment`.
+ */
+export function assertAttachmentScopeInvariant(scope: AttachmentScope): void {
+  const tenantId = normalizeScopeValue(scope.tenantId)
+  const organizationId = normalizeScopeValue(scope.organizationId)
+  const tenantSet = tenantId !== null
+  const organizationSet = organizationId !== null
+  if (tenantSet !== organizationSet) {
+    const missing = tenantSet ? 'organization_id' : 'tenant_id'
+    throw new Error(
+      `[internal] Attachment scope invariant violated: ${missing} is null while the other scope column is set. ` +
+        'Attachments must be either fully scoped (both tenant_id and organization_id) or fully global (both null).',
+    )
+  }
+}
+
 export function isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {
   if (!auth) return false
   if ((auth as any).isSuperAdmin === true) return true

package/src/modules/audit_logs/api/audit-logs/actions/redo/route.ts

@@ -70,10 +70,22 @@ export async function POST(req: Request) {
   if (log.actorUserId && log.actorUserId !== auth.sub && !canRedoTenant) {
     return NextResponse.json({ error: 'Redo target not available' }, { status: 400 })
   }
-  if (log.tenantId && auth.tenantId && log.tenantId !== auth.tenantId) {
+  // Fail closed on tenant scope: `audit_logs.redo_tenant` only widens scope WITHIN a
+  // tenant, never across tenants, so a tenant-scoped target always requires a caller
+  // bound to that same tenant. A caller whose tenantId is null (tenant-less global
+  // account or unscoped API key) must never redo a tenant-scoped row. Mirrors the
+  // hardened undo route (issue #2685, ported in #2931).
+  if (log.tenantId && log.tenantId !== (auth.tenantId ?? null)) {
     return NextResponse.json({ error: 'Redo target not available' }, { status: 400 })
   }
-  if (log.organizationId && scopedOrgId && log.organizationId !== scopedOrgId) {
+  // Tenant-level redoers may redo across organizations within the tenant, so an
+  // unresolved (null) caller org is allowed and only an explicit mismatch is rejected.
+  // Every other caller must resolve to the target's own organization — a null caller
+  // org must not bypass an org-scoped target (issue #2685, ported in #2931).
+  const orgScopeMismatch = canRedoTenant
+    ? Boolean(log.organizationId && scopedOrgId && log.organizationId !== scopedOrgId)
+    : Boolean(log.organizationId && log.organizationId !== scopedOrgId)
+  if (orgScopeMismatch) {
     return NextResponse.json({ error: 'Redo target not available' }, { status: 400 })
   }
 

package/src/modules/audit_logs/data/entities.ts

@@ -96,6 +96,7 @@ export class ActionLog {
 @Entity({ tableName: 'access_logs' })
 @Index({ name: 'access_logs_tenant_idx', properties: ['tenantId', 'createdAt'] })
 @Index({ name: 'access_logs_actor_idx', properties: ['actorUserId', 'createdAt'] })
+@Index({ name: 'access_logs_created_at_idx', properties: ['createdAt'] })
 export class AccessLog {
   @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })
   id!: string

package/src/modules/audit_logs/migrations/.snapshot-open-mercato.json

@@ -208,6 +208,16 @@
           "primary": false,
           "unique": false
         },
+        {
+          "keyName": "access_logs_created_at_idx",
+          "columnNames": [
+            "created_at"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
         {
           "keyName": "access_logs_pkey",
           "columnNames": [

package/src/modules/audit_logs/migrations/Migration20260611104500.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260611104500 extends Migration {
+
+  override up(): void | Promise<void> {
+    this.addSql(`create index "access_logs_created_at_idx" on "access_logs" ("created_at");`);
+  }
+
+  override down(): void | Promise<void> {
+    this.addSql(`drop index "access_logs_created_at_idx";`);
+  }
+
+}

package/src/modules/audit_logs/services/accessLogService.ts

@@ -20,10 +20,23 @@ function toPositiveNumber(value: string | undefined, fallback: number): number {
   return parsed
 }
 
+function toNonNegativeNumber(value: string | undefined, fallback: number): number {
+  if (value === undefined || value === '') return fallback
+  const parsed = Number(value)
+  if (!Number.isFinite(parsed) || parsed < 0) return fallback
+  return parsed
+}
+
 const CORE_RETENTION_DAYS = toPositiveNumber(process.env.AUDIT_LOGS_CORE_RETENTION_DAYS, 7)
 const NON_CORE_RETENTION_HOURS = toPositiveNumber(process.env.AUDIT_LOGS_NON_CORE_RETENTION_HOURS, 8)
 const CORE_RETENTION_MS = CORE_RETENTION_DAYS * 24 * 60 * 60 * 1000
 const NON_CORE_RETENTION_MS = NON_CORE_RETENTION_HOURS * 60 * 60 * 1000
+// Rotation runs after every successful write; without a gate that means two
+// DELETE statements per CRUD GET. Amortize to one rotation per interval per
+// process — `0` opts back into rotate-on-every-write (test harnesses).
+const ROTATE_INTERVAL_MS = toNonNegativeNumber(process.env.AUDIT_LOGS_ROTATE_INTERVAL_MS, 60_000)
+
+let lastRotatedAt: number | null = null
 const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/
 // Postgres has a hard limit of 65k bind parameters per statement. Each access
 // log row uses 10 bind values (see INSERT below), so 500 rows × 10 = 5 000
@@ -380,6 +393,8 @@ export class AccessLogService {
 
   private async rotate(fork: EntityManager) {
     const now = Date.now()
+    if (ROTATE_INTERVAL_MS > 0 && lastRotatedAt !== null && now - lastRotatedAt < ROTATE_INTERVAL_MS) return
+    lastRotatedAt = now
     const coreCutoff = new Date(now - CORE_RETENTION_MS)
     const nonCoreCutoff = new Date(now - NON_CORE_RETENTION_MS)
     try {

package/src/modules/auth/api/admin/nav.ts

@@ -69,6 +69,13 @@ const sectionGroupSchema = z.object({
 })
 
 const adminNavResponseSchema = z.object({
+  brand: z.object({
+    name: z.string().optional(),
+    logo: z.object({
+      src: z.string(),
+      alt: z.string().optional(),
+    }).nullable().optional(),
+  }).nullable().optional(),
   groups: z.array(
     z.object({
       id: z.string().optional(),
@@ -160,6 +167,8 @@ export async function GET(req: Request) {
         `nav:entities:${cacheScopeTenantId || 'null'}`,
         `nav:locale:${locale}`,
         `nav:sidebar:user:${auth.sub}`,
+        cacheScopeTenantId ? `nav:sidebar:tenant:${cacheScopeTenantId}` : undefined,
+        cacheScopeOrganizationId ? `nav:sidebar:organization:${cacheScopeOrganizationId}` : undefined,
         `nav:sidebar:scope:${auth.sub}:${cacheScopeTenantId || 'null'}:${cacheScopeOrganizationId || 'null'}:${locale}`,
         ...((Array.isArray(auth.roles) ? auth.roles : []).map((role) => `nav:sidebar:role:${role}`)),
       ].filter(Boolean) as string[]

package/src/modules/auth/api/login.ts

@@ -108,21 +108,21 @@ export async function POST(req: Request) {
     user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
   } else {
     const users = await auth.findUsersByEmail(parsed.data.email)
-    if (users.length > 1) {
-      return NextResponse.json({
-        ok: false,
-        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
-      }, { status: 400 })
-    }
-    user = users[0] ?? null
-  }
-  if (!user || !user.passwordHash) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_credentials' }).catch(() => undefined)
-    return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
+    // Never disclose that an email is registered across multiple tenants — a
+    // password-independent 400-vs-401 response is an account/topology oracle
+    // (issue #2242). Treat an ambiguous match as no resolvable user and fall
+    // through to the uniform invalid-credentials path; tenant-selection
+    // guidance is delivered out-of-band via the activation/login link.
+    user = users.length === 1 ? users[0] : null
   }
+  // Always verify the password — verifyPassword runs a constant-time bcrypt
+  // comparison even when the user is missing or has no hash — so unknown-email,
+  // wrong-password, and multi-tenant cases return an identical 401 with
+  // identical latency.
   const ok = await auth.verifyPassword(user, parsed.data.password)
-  if (!ok) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_password' }).catch(() => undefined)
+  if (!user || !ok) {
+    const reason = user?.passwordHash ? 'invalid_password' : 'invalid_credentials'
+    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason }).catch(() => undefined)
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
   // Optional role requirement

package/src/modules/auth/commands/users.ts

@@ -204,9 +204,14 @@ const createUserCommand: CommandHandler<Record<string, unknown>, CreateUserResul
       { tenantId: null, organizationId: parsed.organizationId },
     )
     if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })
+    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null
 
     const emailHash = computeEmailHash(parsed.email)
-    const duplicate = await findOneWithDecryption(em, User, { $or: [{ email: parsed.email }, { emailHash: { $in: emailHashLookupValues(parsed.email) } }], deletedAt: null } as any, {}, { tenantId: null, organizationId: null })
+    // Email is unique per-tenant, not globally (see Migration20260610120000:
+    // users_tenant_email_hash_uniq). Scope the duplicate check to the target tenant so the same
+    // email may legitimately exist in other tenants without blocking creation or leaking
+    // cross-tenant account existence (#2934).
+    const duplicate = await findOneWithDecryption(em, User, { $or: [{ email: parsed.email }, { emailHash: { $in: emailHashLookupValues(parsed.email) } }], deletedAt: null, tenantId } as any, {}, { tenantId: null, organizationId: null })
     if (duplicate) await throwDuplicateEmailError()
 
     let passwordHash: string | null = null
@@ -214,7 +219,6 @@ const createUserCommand: CommandHandler<Record<string, unknown>, CreateUserResul
       const { hash } = await import('bcryptjs')
       passwordHash = await hash(parsed.password, 10)
     }
-    const tenantId = organization.tenant?.id ? String(organization.tenant.id) : null
 
     const de = (ctx.container.resolve('dataEngine') as DataEngine)
     let user: User
@@ -518,13 +522,34 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       ? await loadUserRoleNames(em, parsed.id)
       : null
 
+    // Resolve the tenant the user will belong to after this update first, so the email
+    // duplicate check below can be scoped to it. Email is unique per-tenant, not globally
+    // (see Migration20260610120000: users_tenant_email_hash_uniq) — a matching email in another
+    // tenant must not block the update or leak cross-tenant account existence (#2934).
+    let tenantId: string | null | undefined
+    if (parsed.organizationId !== undefined) {
+      const organization = await findOneWithDecryption(
+        em,
+        Organization,
+        { id: parsed.organizationId },
+        { populate: ['tenant'] },
+        { tenantId: null, organizationId: parsed.organizationId ?? null },
+      )
+      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })
+      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null
+    }
+
     if (parsed.email !== undefined) {
+      const targetTenantId = tenantId !== undefined
+        ? tenantId
+        : await resolveUserTenantId(em, parsed.id)
       const duplicate = await findOneWithDecryption(
         em,
         User,
         {
           $or: [{ email: parsed.email }, { emailHash: { $in: emailHashLookupValues(parsed.email) } }],
           deletedAt: null,
+          tenantId: targetTenantId,
           id: { $ne: parsed.id } as any,
         } as FilterQuery<User>,
         {},
@@ -543,19 +568,6 @@ const updateUserCommand: CommandHandler<Record<string, unknown>, User> = {
       emailHash = computeEmailHash(parsed.email)
     }
 
-    let tenantId: string | null | undefined
-    if (parsed.organizationId !== undefined) {
-      const organization = await findOneWithDecryption(
-        em,
-        Organization,
-        { id: parsed.organizationId },
-        { populate: ['tenant'] },
-        { tenantId: null, organizationId: parsed.organizationId ?? null },
-      )
-      if (!organization) throw new CrudHttpError(400, { error: 'Organization not found' })
-      tenantId = organization.tenant?.id ? String(organization.tenant.id) : null
-    }
-
     const actorTenantScope = resolveActorTenantScope(ctx)
     const updateWhere: Record<string, unknown> = { id: parsed.id, deletedAt: null }
     if (actorTenantScope) updateWhere.tenantId = actorTenantScope
@@ -1069,6 +1081,11 @@ function arrayEquals(left: string[] | undefined, right: string[]): boolean {
   return left.every((value, idx) => value === right[idx])
 }
 
+async function resolveUserTenantId(em: EntityManager, id: string): Promise<string | null> {
+  const existing = await findOneWithDecryption(em, User, { id, deletedAt: null }, {}, { tenantId: null, organizationId: null })
+  return existing?.tenantId ? String(existing.tenantId) : null
+}
+
 async function throwDuplicateEmailError(): Promise<never> {
   const { translate } = await resolveTranslations()
   const message = translate('auth.users.errors.emailExists', 'Email already in use')

package/src/modules/auth/data/entities.ts

@@ -1,6 +1,16 @@
 import { Entity, Index, ManyToOne, PrimaryKey, Property, Unique } from '@mikro-orm/decorators/legacy'
 
 @Entity({ tableName: 'users' })
+// Email uniqueness is per-tenant, enforced by a partial unique index
+// (`users_tenant_email_hash_uniq`) on `(tenant_id, email_hash)` over live rows
+// (`WHERE deleted_at IS NULL AND email_hash IS NOT NULL`), owned by raw SQL in
+// Migration20260610120000. It keys on the deterministic `email_hash`, not `email`, because
+// `email` is encrypted at rest with a per-row IV (see encryption.ts) — its ciphertext is
+// non-deterministic, so a unique index on it would not detect duplicates. A `@Unique`
+// decorator can't express a partial, tenant-scoped index, so the entity omits it — the
+// migration is the source of truth. A global unique constraint contradicts the multi-tenant
+// login flow and leaks cross-tenant account existence (#2934). Mirrors
+// `customer_users_tenant_email_hash_uniq`.
 export class User {
   @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })
   id!: string
@@ -11,7 +21,7 @@ export class User {
   @Property({ name: 'organization_id', type: 'uuid', nullable: true })
   organizationId?: string | null
 
-  @Property({ type: 'text', unique: true })
+  @Property({ type: 'text' })
   email!: string
 
   @Property({ name: 'email_hash', type: 'text', nullable: true })
@@ -168,6 +178,8 @@ export class SidebarVariant {
 }
 
 @Entity({ tableName: 'user_roles' })
+@Index({ name: 'user_roles_user_id_idx', properties: ['user'] })
+@Index({ name: 'user_roles_role_id_idx', properties: ['role'] })
 export class UserRole {
   @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })
   id!: string

package/src/modules/auth/i18n/de.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
-  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
   "auth.login.forgotPassword": "Passwort vergessen?",
   "auth.login.loading": "Wird geladen ...",

package/src/modules/auth/i18n/en.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Invalid email or password",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
   "auth.login.errors.tenantInvalid": "Tenant not found. Clear the tenant selection and try again.",
-  "auth.login.errors.tenantRequired": "Use the login link provided with your tenant activation to continue.",
   "auth.login.featureDenied": "You don't have access to this feature ({feature}). Please contact your administrator.",
   "auth.login.forgotPassword": "Forgot password?",
   "auth.login.loading": "Loading...",

package/src/modules/auth/i18n/es.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
-  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",
   "auth.login.loading": "Cargando...",

package/src/modules/auth/i18n/pl.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
-  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",
   "auth.login.loading": "Ładowanie...",

package/src/modules/auth/lib/backendChrome.tsx

@@ -22,9 +22,15 @@ import { resolveRegisteredLucideIconNode } from '@open-mercato/ui/backend/icons/
 import { profilePathPrefixes, profileSections } from './profile-sections'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { filterGrantsByEnabledModules } from '@open-mercato/shared/security/enabledModulesRegistry'
-import { resolveFeatureCheckContext } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import {
+  getSelectedOrganizationFromRequest,
+  resolveFeatureCheckContext,
+} from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { isAllOrganizationsSelection } from '@open-mercato/core/modules/directory/constants'
+import { Organization } from '@open-mercato/core/modules/directory/data/entities'
 import { CustomEntity } from '@open-mercato/core/modules/entities/data/entities'
 import { Role } from '@open-mercato/core/modules/auth/data/entities'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import {
   applySidebarPreference,
   loadFirstRoleSidebarPreference,
@@ -397,6 +403,35 @@ export async function resolveBackendChromePayload({
     ),
   )
 
+  const requestOrganizationId = request ? getSelectedOrganizationFromRequest(request) : null
+  const fallbackOrganizationId = selectedOrganizationId ?? requestOrganizationId ?? auth.orgId ?? null
+  const brandOrganizationId = scopedOrganizationId
+    ?? (fallbackOrganizationId && !isAllOrganizationsSelection(fallbackOrganizationId) ? fallbackOrganizationId : null)
+
+  let brand: BackendChromePayload['brand'] = null
+  if (brandOrganizationId && scopedTenantId) {
+    try {
+      const organization = await findOneWithDecryption(
+        em,
+        Organization,
+        { id: brandOrganizationId, tenant: scopedTenantId, deletedAt: null },
+        undefined,
+        { tenantId: scopedTenantId, organizationId: brandOrganizationId },
+      )
+      if (organization?.logoUrl) {
+        brand = {
+          name: organization.name,
+          logo: {
+            src: organization.logoUrl,
+            alt: `${organization.name} logo`,
+          },
+        }
+      }
+    } catch {
+      brand = null
+    }
+  }
+
   return {
     groups: appliedGroups.map(({ weight: _weight, ...group }) => group),
     settingsSections,
@@ -405,5 +440,6 @@ export async function resolveBackendChromePayload({
     profilePathPrefixes,
     grantedFeatures,
     roles: Array.isArray(auth.roles) ? auth.roles : [],
+    brand,
   }
 }

package/src/modules/auth/lib/consentIntegrity.ts

@@ -14,18 +14,21 @@ const DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'
 let missingSecretWarned = false
 
 function getSecret(): string {
-  const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET
+  const secret = process.env.CONSENT_INTEGRITY_SECRET
+    || process.env.AUTH_SECRET
+    || process.env.NEXTAUTH_SECRET
+    || process.env.JWT_SECRET
   if (!secret) {
     if (process.env.NODE_ENV === 'production') {
       throw new Error(
-        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. ' +
+        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. ' +
         'Refusing to compute or verify consent integrity hashes in production without a real secret.',
       )
     }
     if (!missingSecretWarned) {
       missingSecretWarned = true
       console.warn(
-        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set — ' +
+        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set — ' +
         'using insecure dev-only default. Set a secret before deploying to production.',
       )
     }

package/src/modules/auth/migrations/.snapshot-open-mercato.json

@@ -668,16 +668,6 @@
         }
       },
       "indexes": [
-        {
-          "columnNames": [
-            "email"
-          ],
-          "composite": false,
-          "keyName": "users_email_unique",
-          "constraint": true,
-          "primary": false,
-          "unique": true
-        },
         {
           "columnNames": [
             "email_hash"
@@ -1742,6 +1732,26 @@
         }
       },
       "indexes": [
+        {
+          "keyName": "user_roles_user_id_idx",
+          "columnNames": [
+            "user_id"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
+        {
+          "keyName": "user_roles_role_id_idx",
+          "columnNames": [
+            "role_id"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
         {
           "keyName": "user_roles_pkey",
           "columnNames": [