@open-mercato/core 0.6.5-develop.5337.1.534b781eac → 0.6.5

package/dist/modules/auth/lib/backendChrome.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/lib/backendChrome.tsx"],
-  "sourcesContent": ["import * as React from 'react'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport type { AwilixContainer } from 'awilix'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport type { BackendRouteManifestEntry } from '@open-mercato/shared/modules/registry'\nimport type {\n  BackendChromePayload,\n  BackendChromeNavGroup,\n  BackendChromeNavItem,\n  BackendChromeSectionGroup,\n  BackendChromeSectionItem,\n} from '@open-mercato/shared/modules/navigation/backendChrome'\nimport {\n  buildAdminNav,\n  buildSettingsSections,\n  computeSettingsPathPrefixes,\n  convertToSectionNavGroups,\n  type AdminNavItem,\n} from '@open-mercato/ui/backend/utils/nav'\nimport { resolveRegisteredLucideIconNode } from '@open-mercato/ui/backend/icons/lucideRegistry'\nimport { profilePathPrefixes, profileSections } from './profile-sections'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { filterGrantsByEnabledModules } from '@open-mercato/shared/security/enabledModulesRegistry'\nimport { resolveFeatureCheckContext } from '@open-mercato/core/modules/directory/utils/organizationScope'\nimport { CustomEntity } from '@open-mercato/core/modules/entities/data/entities'\nimport { Role } from '@open-mercato/core/modules/auth/data/entities'\nimport {\n  applySidebarPreference,\n  loadFirstRoleSidebarPreference,\n  loadSidebarPreference,\n} from '@open-mercato/core/modules/auth/services/sidebarPreferencesService'\nimport type { SidebarPreferencesSettings } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\n\ntype TranslationFn = (key: string | undefined, fallback: string) => string\n\ntype RouteModule = {\n  id: string\n  backendRoutes?: BackendRouteManifestEntry[]\n}\n\nexport function groupBackendRoutesByModule(routes: BackendRouteManifestEntry[]): RouteModule[] {\n  return Array.from(\n    routes.reduce((grouped, route) => {\n      const list = grouped.get(route.moduleId) ?? []\n      list.push(route)\n      grouped.set(route.moduleId, list)\n      return grouped\n    }, new Map<string, BackendRouteManifestEntry[]>()),\n  ).map(([id, backendRoutes]) => ({ id, backendRoutes }))\n}\n\ntype SerializableSectionItem = {\n  id: string\n  label: string\n  labelKey?: string\n  href: string\n  icon?: React.ReactNode\n  order?: number\n  children?: SerializableSectionItem[]\n}\n\ntype SerializableSectionGroup = {\n  id: string\n  label: string\n  labelKey?: string\n  order?: number\n  items: SerializableSectionItem[]\n}\n\ntype ResolvedNavItem = Omit<BackendChromeNavItem, 'defaultTitle' | 'children'> & {\n  defaultTitle: string\n  children?: ResolvedNavItem[]\n}\n\ntype ResolveBackendChromePayloadArgs = {\n  auth: Exclude<AuthContext, null>\n  locale: string\n  modules: RouteModule[]\n  translate: TranslationFn\n  request?: Request\n  selectedOrganizationId?: string | null\n  selectedTenantId?: string | null\n}\n\nconst settingsSectionOrder: Record<string, number> = {\n  system: 1,\n  auth: 2,\n  'customer-portal': 3,\n  'data-designer': 4,\n  'module-configs': 5,\n  directory: 6,\n  'feature-toggles': 7,\n}\n\ntype NavGroupWithWeight = Omit<BackendChromeNavGroup, 'id' | 'defaultName' | 'items'> & {\n  id: string\n  defaultName: string\n  items: ResolvedNavItem[]\n  weight: number\n}\n\nlet renderToStaticMarkupPromise: Promise<typeof import('react-dom/server')> | null = null\n\nasync function serializeIconMarkup(icon: React.ReactNode | undefined): Promise<string | undefined> {\n  if (!icon) return undefined\n  if (!renderToStaticMarkupPromise) {\n    renderToStaticMarkupPromise = import('react-dom/server')\n  }\n  const { renderToStaticMarkup } = await renderToStaticMarkupPromise\n\n  const normalizedIcon = typeof icon === 'string'\n    ? resolveRegisteredLucideIconNode(icon, 'size-4')\n    : icon\n\n  if (!normalizedIcon) return undefined\n\n  try {\n    const markup = renderToStaticMarkup(<>{normalizedIcon}</>)\n    return markup.trim().length > 0 ? markup : undefined\n  } catch {\n    // Some icon values may be client-only component references after dependency upgrades.\n    // Avoid taking down the entire nav payload because one icon cannot be rendered server-side.\n    return undefined\n  }\n}\n\nasync function serializeNavItem(item: AdminNavItem): Promise<ResolvedNavItem> {\n  return {\n    id: item.href,\n    href: item.href,\n    title: item.title,\n    defaultTitle: item.defaultTitle,\n    enabled: item.enabled,\n    hidden: item.hidden,\n    pageContext: item.pageContext,\n    iconName: typeof item.icon === 'string' ? item.icon : undefined,\n    iconMarkup: await serializeIconMarkup(item.icon),\n    children: item.children ? await Promise.all(item.children.map((child) => serializeNavItem(child))) : undefined,\n  }\n}\n\nfunction normalizeGroupWeights(groups: NavGroupWithWeight[]): NavGroupWithWeight[] {\n  const defaultGroupOrder = [\n    'customers.nav.group',\n    'catalog.nav.group',\n    'customers~sales.nav.group',\n    'resources.nav.group',\n    'staff.nav.group',\n    'entities.nav.group',\n    'directory.nav.group',\n    'customers.storage.nav.group',\n  ]\n  const groupOrderIndex = new Map(defaultGroupOrder.map((id, index) => [id, index]))\n  groups.sort((a, b) => {\n    const aIndex = groupOrderIndex.get(a.id)\n    const bIndex = groupOrderIndex.get(b.id)\n    if (aIndex !== undefined || bIndex !== undefined) {\n      if (aIndex === undefined) return 1\n      if (bIndex === undefined) return -1\n      if (aIndex !== bIndex) return aIndex - bIndex\n    }\n    if (a.weight !== b.weight) return a.weight - b.weight\n    return a.name.localeCompare(b.name)\n  })\n  const defaultGroupCount = defaultGroupOrder.length\n  groups.forEach((group, index) => {\n    const rank = groupOrderIndex.get(group.id)\n    const fallbackWeight = typeof group.weight === 'number' ? group.weight : 10_000\n    group.weight =\n      (rank !== undefined ? rank : defaultGroupCount + index) * 1_000_000 +\n      Math.min(Math.max(fallbackWeight, 0), 999_999)\n  })\n  return groups\n}\n\nasync function groupEntries(entries: AdminNavItem[]): Promise<NavGroupWithWeight[]> {\n  const groupMap = new Map<string, NavGroupWithWeight>()\n  for (const entry of entries) {\n    const weight = entry.priority ?? entry.order ?? 10_000\n    const serializedItem = await serializeNavItem(entry)\n    const existing = groupMap.get(entry.groupId)\n    if (existing) {\n      existing.items.push(serializedItem)\n      if (weight < existing.weight) existing.weight = weight\n      continue\n    }\n    groupMap.set(entry.groupId, {\n      id: entry.groupId,\n      name: entry.group,\n      defaultName: entry.groupDefaultName,\n      items: [serializedItem],\n      weight,\n    })\n  }\n  return normalizeGroupWeights(Array.from(groupMap.values()))\n}\n\nfunction adoptSidebarDefaults(groups: NavGroupWithWeight[]): NavGroupWithWeight[] {\n  const adoptItems = (items: ResolvedNavItem[]): ResolvedNavItem[] =>\n    items.map((item) => ({\n      ...item,\n      defaultTitle: item.title,\n      children: item.children ? adoptItems(item.children) : undefined,\n    }))\n\n  return groups.map((group) => ({\n    ...group,\n    defaultName: group.name,\n    items: adoptItems(group.items),\n  }))\n}\n\nasync function serializeSectionItem(item: {\n  id: string\n  label: string\n  labelKey?: string\n  href: string\n  icon?: React.ReactNode\n  order?: number\n  children?: SerializableSectionItem[]\n}): Promise<BackendChromeSectionItem> {\n  return {\n    id: item.id,\n    label: item.label,\n    labelKey: item.labelKey,\n    href: item.href,\n    order: item.order,\n    iconName: typeof item.icon === 'string' ? item.icon : undefined,\n    iconMarkup: await serializeIconMarkup(item.icon),\n    children: item.children ? await Promise.all(item.children.map((child) => serializeSectionItem(child))) : undefined,\n  }\n}\n\nasync function serializeSectionGroups(groups: SerializableSectionGroup[]): Promise<BackendChromeSectionGroup[]> {\n  return Promise.all(groups.map(async (group) => ({\n    id: group.id,\n    label: group.label,\n    labelKey: group.labelKey,\n    order: group.order,\n    items: await Promise.all(group.items.map((item) => serializeSectionItem(item))),\n  })))\n}\n\nasync function loadScopedContainer(): Promise<AwilixContainer> {\n  return createRequestContainer()\n}\n\nexport async function resolveBackendChromePayload({\n  auth,\n  locale,\n  modules,\n  translate,\n  request,\n  selectedOrganizationId,\n  selectedTenantId,\n}: ResolveBackendChromePayloadArgs): Promise<BackendChromePayload> {\n  const container = await loadScopedContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as {\n    loadAcl: (userId: string, scope: { tenantId: string | null; organizationId: string | null }) => Promise<{\n      isSuperAdmin: boolean\n      features: string[]\n    }>\n    userHasAllFeatures: (userId: string, required: string[], scope: { tenantId: string | null; organizationId: string | null }) => Promise<boolean>\n  }\n\n  let scopedOrganizationId: string | null = auth.orgId ?? null\n  let scopedTenantId: string | null = auth.tenantId ?? null\n  let allowNavigation = true\n\n  try {\n    const { organizationId, scope, allowedOrganizationIds } = await resolveFeatureCheckContext({\n      container,\n      auth,\n      request,\n      selectedId: selectedOrganizationId,\n      tenantId: selectedTenantId,\n    })\n    scopedOrganizationId = organizationId\n    scopedTenantId = scope.tenantId ?? auth.tenantId ?? null\n    if (Array.isArray(allowedOrganizationIds) && allowedOrganizationIds.length === 0) {\n      allowNavigation = false\n    }\n  } catch {\n    scopedOrganizationId = auth.orgId ?? null\n    scopedTenantId = auth.tenantId ?? null\n  }\n\n  const acl = allowNavigation\n    ? await rbac.loadAcl(auth.sub, {\n        tenantId: scopedTenantId,\n        organizationId: scopedOrganizationId,\n      })\n    : { isSuperAdmin: false, features: [] }\n\n  const rawGrantedFeatures = acl.isSuperAdmin ? ['*'] : acl.features\n  const grantedFeatures = filterGrantsByEnabledModules(rawGrantedFeatures)\n  const featureChecker = async (features: string[]): Promise<string[]> => {\n    if (!allowNavigation || !features.length) return []\n    const context = {\n      tenantId: scopedTenantId ?? auth.tenantId ?? null,\n      organizationId: scopedOrganizationId ?? null,\n    }\n    const hasAll = await rbac.userHasAllFeatures(auth.sub, features, context)\n    if (hasAll) return features\n\n    const granted: string[] = []\n    for (const feature of features) {\n      const hasFeature = await rbac.userHasAllFeatures(auth.sub, [feature], context)\n      if (hasFeature) granted.push(feature)\n    }\n    return granted\n  }\n\n  let userEntities: Array<{ entityId: string; label: string; href: string }> = []\n  if (allowNavigation) {\n    try {\n      const where: FilterQuery<CustomEntity> = {\n        isActive: true,\n        showInSidebar: true,\n      }\n      where.$and = [\n        { $or: [{ organizationId: scopedOrganizationId ?? undefined }, { organizationId: null }] },\n        { $or: [{ tenantId: scopedTenantId ?? undefined }, { tenantId: null }] },\n      ]\n      const entities = await em.find(CustomEntity, where, { orderBy: { label: 'asc' } })\n      userEntities = entities.map((entity) => ({\n        entityId: entity.entityId,\n        label: entity.label,\n        href: `/backend/entities/user/${encodeURIComponent(entity.entityId)}/records`,\n      }))\n    } catch {\n      userEntities = []\n    }\n  }\n\n  const ctxAuth = {\n    roles: auth.roles || [],\n    sub: auth.sub,\n    tenantId: scopedTenantId,\n    orgId: scopedOrganizationId,\n  }\n  const entries = allowNavigation\n    ? await buildAdminNav(\n        modules,\n        { auth: ctxAuth },\n        userEntities,\n        translate,\n        { checkFeatures: featureChecker },\n      )\n    : []\n\n  let rolePreference: SidebarPreferencesSettings | null = null\n  let userPreference: SidebarPreferencesSettings | null = null\n\n  if (Array.isArray(auth.roles) && auth.roles.length > 0) {\n    const roleRecords = scopedTenantId\n      ? await em.find(Role, {\n          name: { $in: auth.roles },\n          tenantId: scopedTenantId,\n        })\n      : []\n    const roleIds = Array.isArray(roleRecords) ? roleRecords.map((role) => role.id) : []\n    if (roleIds.length > 0) {\n      rolePreference = await loadFirstRoleSidebarPreference(em, {\n        roleIds,\n        tenantId: scopedTenantId,\n        locale,\n      })\n    }\n  }\n\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  if (effectiveUserId) {\n    userPreference = await loadSidebarPreference(em, {\n      userId: effectiveUserId,\n      tenantId: scopedTenantId,\n      organizationId: scopedOrganizationId,\n      locale,\n    })\n  }\n\n  const baseGroups = await groupEntries(entries)\n  const groupsWithRole = rolePreference\n    ? applySidebarPreference<NavGroupWithWeight>(baseGroups, rolePreference)\n    : baseGroups\n  const baseForUser = adoptSidebarDefaults(groupsWithRole)\n  const appliedGroups = userPreference\n    ? applySidebarPreference<NavGroupWithWeight>(baseForUser, userPreference)\n    : baseForUser\n\n  const settingsSections = await serializeSectionGroups(\n    convertToSectionNavGroups(\n      buildSettingsSections(entries, settingsSectionOrder),\n      translate,\n    ),\n  )\n\n  return {\n    groups: appliedGroups.map(({ weight: _weight, ...group }) => group),\n    settingsSections,\n    settingsPathPrefixes: computeSettingsPathPrefixes(buildSettingsSections(entries, settingsSectionOrder)),\n    profileSections: await serializeSectionGroups(profileSections),\n    profilePathPrefixes,\n    grantedFeatures,\n    roles: Array.isArray(auth.roles) ? auth.roles : [],\n  }\n}\n"],
-  "mappings": "AAsHwC;AAzGxC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP,SAAS,uCAAuC;AAChD,SAAS,qBAAqB,uBAAuB;AACrD,SAAS,8BAA8B;AACvC,SAAS,oCAAoC;AAC7C,SAAS,kCAAkC;AAC3C,SAAS,oBAAoB;AAC7B,SAAS,YAAY;AACrB;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAUA,SAAS,2BAA2B,QAAoD;AAC7F,SAAO,MAAM;AAAA,IACX,OAAO,OAAO,CAAC,SAAS,UAAU;AAChC,YAAM,OAAO,QAAQ,IAAI,MAAM,QAAQ,KAAK,CAAC;AAC7C,WAAK,KAAK,KAAK;AACf,cAAQ,IAAI,MAAM,UAAU,IAAI;AAChC,aAAO;AAAA,IACT,GAAG,oBAAI,IAAyC,CAAC;AAAA,EACnD,EAAE,IAAI,CAAC,CAAC,IAAI,aAAa,OAAO,EAAE,IAAI,cAAc,EAAE;AACxD;AAmCA,MAAM,uBAA+C;AAAA,EACnD,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,mBAAmB;AACrB;AASA,IAAI,8BAAiF;AAErF,eAAe,oBAAoB,MAAgE;AACjG,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,CAAC,6BAA6B;AAChC,kCAA8B,OAAO,kBAAkB;AAAA,EACzD;AACA,QAAM,EAAE,qBAAqB,IAAI,MAAM;AAEvC,QAAM,iBAAiB,OAAO,SAAS,WACnC,gCAAgC,MAAM,QAAQ,IAC9C;AAEJ,MAAI,CAAC,eAAgB,QAAO;AAE5B,MAAI;AACF,UAAM,SAAS,qBAAqB,gCAAG,0BAAe,CAAG;AACzD,WAAO,OAAO,KAAK,EAAE,SAAS,IAAI,SAAS;AAAA,EAC7C,QAAQ;AAGN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,iBAAiB,MAA8C;AAC5E,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,OAAO,KAAK;AAAA,IACZ,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,UAAU,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AAAA,IACtD,YAAY,MAAM,oBAAoB,KAAK,IAAI;AAAA,IAC/C,UAAU,KAAK,WAAW,MAAM,QAAQ,IAAI,KAAK,SAAS,IAAI,CAAC,UAAU,iBAAiB,KAAK,CAAC,CAAC,IAAI;AAAA,EACvG;AACF;AAEA,SAAS,sBAAsB,QAAoD;AACjF,QAAM,oBAAoB;AAAA,IACxB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,kBAAkB,IAAI,IAAI,kBAAkB,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,CAAC,CAAC;AACjF,SAAO,KAAK,CAAC,GAAG,MAAM;AACpB,UAAM,SAAS,gBAAgB,IAAI,EAAE,EAAE;AACvC,UAAM,SAAS,gBAAgB,IAAI,EAAE,EAAE;AACvC,QAAI,WAAW,UAAa,WAAW,QAAW;AAChD,UAAI,WAAW,OAAW,QAAO;AACjC,UAAI,WAAW,OAAW,QAAO;AACjC,UAAI,WAAW,OAAQ,QAAO,SAAS;AAAA,IACzC;AACA,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,SAAS,EAAE;AAC/C,WAAO,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EACpC,CAAC;AACD,QAAM,oBAAoB,kBAAkB;AAC5C,SAAO,QAAQ,CAAC,OAAO,UAAU;AAC/B,UAAM,OAAO,gBAAgB,IAAI,MAAM,EAAE;AACzC,UAAM,iBAAiB,OAAO,MAAM,WAAW,WAAW,MAAM,SAAS;AACzE,UAAM,UACH,SAAS,SAAY,OAAO,oBAAoB,SAAS,MAC1D,KAAK,IAAI,KAAK,IAAI,gBAAgB,CAAC,GAAG,MAAO;AAAA,EACjD,CAAC;AACD,SAAO;AACT;AAEA,eAAe,aAAa,SAAwD;AAClF,QAAM,WAAW,oBAAI,IAAgC;AACrD,aAAW,SAAS,SAAS;AAC3B,UAAM,SAAS,MAAM,YAAY,MAAM,SAAS;AAChD,UAAM,iBAAiB,MAAM,iBAAiB,KAAK;AACnD,UAAM,WAAW,SAAS,IAAI,MAAM,OAAO;AAC3C,QAAI,UAAU;AACZ,eAAS,MAAM,KAAK,cAAc;AAClC,UAAI,SAAS,SAAS,OAAQ,UAAS,SAAS;AAChD;AAAA,IACF;AACA,aAAS,IAAI,MAAM,SAAS;AAAA,MAC1B,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,aAAa,MAAM;AAAA,MACnB,OAAO,CAAC,cAAc;AAAA,MACtB;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO,sBAAsB,MAAM,KAAK,SAAS,OAAO,CAAC,CAAC;AAC5D;AAEA,SAAS,qBAAqB,QAAoD;AAChF,QAAM,aAAa,CAAC,UAClB,MAAM,IAAI,CAAC,UAAU;AAAA,IACnB,GAAG;AAAA,IACH,cAAc,KAAK;AAAA,IACnB,UAAU,KAAK,WAAW,WAAW,KAAK,QAAQ,IAAI;AAAA,EACxD,EAAE;AAEJ,SAAO,OAAO,IAAI,CAAC,WAAW;AAAA,IAC5B,GAAG;AAAA,IACH,aAAa,MAAM;AAAA,IACnB,OAAO,WAAW,MAAM,KAAK;AAAA,EAC/B,EAAE;AACJ;AAEA,eAAe,qBAAqB,MAQE;AACpC,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,MAAM,KAAK;AAAA,IACX,OAAO,KAAK;AAAA,IACZ,UAAU,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AAAA,IACtD,YAAY,MAAM,oBAAoB,KAAK,IAAI;AAAA,IAC/C,UAAU,KAAK,WAAW,MAAM,QAAQ,IAAI,KAAK,SAAS,IAAI,CAAC,UAAU,qBAAqB,KAAK,CAAC,CAAC,IAAI;AAAA,EAC3G;AACF;AAEA,eAAe,uBAAuB,QAA0E;AAC9G,SAAO,QAAQ,IAAI,OAAO,IAAI,OAAO,WAAW;AAAA,IAC9C,IAAI,MAAM;AAAA,IACV,OAAO,MAAM;AAAA,IACb,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,IACb,OAAO,MAAM,QAAQ,IAAI,MAAM,MAAM,IAAI,CAAC,SAAS,qBAAqB,IAAI,CAAC,CAAC;AAAA,EAChF,EAAE,CAAC;AACL;AAEA,eAAe,sBAAgD;AAC7D,SAAO,uBAAuB;AAChC;AAEA,eAAsB,4BAA4B;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAAmE;AACjE,QAAM,YAAY,MAAM,oBAAoB;AAC5C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAQ5C,MAAI,uBAAsC,KAAK,SAAS;AACxD,MAAI,iBAAgC,KAAK,YAAY;AACrD,MAAI,kBAAkB;AAEtB,MAAI;AACF,UAAM,EAAE,gBAAgB,OAAO,uBAAuB,IAAI,MAAM,2BAA2B;AAAA,MACzF;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,UAAU;AAAA,IACZ,CAAC;AACD,2BAAuB;AACvB,qBAAiB,MAAM,YAAY,KAAK,YAAY;AACpD,QAAI,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,WAAW,GAAG;AAChF,wBAAkB;AAAA,IACpB;AAAA,EACF,QAAQ;AACN,2BAAuB,KAAK,SAAS;AACrC,qBAAiB,KAAK,YAAY;AAAA,EACpC;AAEA,QAAM,MAAM,kBACR,MAAM,KAAK,QAAQ,KAAK,KAAK;AAAA,IAC3B,UAAU;AAAA,IACV,gBAAgB;AAAA,EAClB,CAAC,IACD,EAAE,cAAc,OAAO,UAAU,CAAC,EAAE;AAExC,QAAM,qBAAqB,IAAI,eAAe,CAAC,GAAG,IAAI,IAAI;AAC1D,QAAM,kBAAkB,6BAA6B,kBAAkB;AACvE,QAAM,iBAAiB,OAAO,aAA0C;AACtE,QAAI,CAAC,mBAAmB,CAAC,SAAS,OAAQ,QAAO,CAAC;AAClD,UAAM,UAAU;AAAA,MACd,UAAU,kBAAkB,KAAK,YAAY;AAAA,MAC7C,gBAAgB,wBAAwB;AAAA,IAC1C;AACA,UAAM,SAAS,MAAM,KAAK,mBAAmB,KAAK,KAAK,UAAU,OAAO;AACxE,QAAI,OAAQ,QAAO;AAEnB,UAAM,UAAoB,CAAC;AAC3B,eAAW,WAAW,UAAU;AAC9B,YAAM,aAAa,MAAM,KAAK,mBAAmB,KAAK,KAAK,CAAC,OAAO,GAAG,OAAO;AAC7E,UAAI,WAAY,SAAQ,KAAK,OAAO;AAAA,IACtC;AACA,WAAO;AAAA,EACT;AAEA,MAAI,eAAyE,CAAC;AAC9E,MAAI,iBAAiB;AACnB,QAAI;AACF,YAAM,QAAmC;AAAA,QACvC,UAAU;AAAA,QACV,eAAe;AAAA,MACjB;AACA,YAAM,OAAO;AAAA,QACX,EAAE,KAAK,CAAC,EAAE,gBAAgB,wBAAwB,OAAU,GAAG,EAAE,gBAAgB,KAAK,CAAC,EAAE;AAAA,QACzF,EAAE,KAAK,CAAC,EAAE,UAAU,kBAAkB,OAAU,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE;AAAA,MACzE;AACA,YAAM,WAAW,MAAM,GAAG,KAAK,cAAc,OAAO,EAAE,SAAS,EAAE,OAAO,MAAM,EAAE,CAAC;AACjF,qBAAe,SAAS,IAAI,CAAC,YAAY;AAAA,QACvC,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd,MAAM,0BAA0B,mBAAmB,OAAO,QAAQ,CAAC;AAAA,MACrE,EAAE;AAAA,IACJ,QAAQ;AACN,qBAAe,CAAC;AAAA,IAClB;AAAA,EACF;AAEA,QAAM,UAAU;AAAA,IACd,OAAO,KAAK,SAAS,CAAC;AAAA,IACtB,KAAK,KAAK;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,EACT;AACA,QAAM,UAAU,kBACZ,MAAM;AAAA,IACJ;AAAA,IACA,EAAE,MAAM,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,EAAE,eAAe,eAAe;AAAA,EAClC,IACA,CAAC;AAEL,MAAI,iBAAoD;AACxD,MAAI,iBAAoD;AAExD,MAAI,MAAM,QAAQ,KAAK,KAAK,KAAK,KAAK,MAAM,SAAS,GAAG;AACtD,UAAM,cAAc,iBAChB,MAAM,GAAG,KAAK,MAAM;AAAA,MAClB,MAAM,EAAE,KAAK,KAAK,MAAM;AAAA,MACxB,UAAU;AAAA,IACZ,CAAC,IACD,CAAC;AACL,UAAM,UAAU,MAAM,QAAQ,WAAW,IAAI,YAAY,IAAI,CAAC,SAAS,KAAK,EAAE,IAAI,CAAC;AACnF,QAAI,QAAQ,SAAS,GAAG;AACtB,uBAAiB,MAAM,+BAA+B,IAAI;AAAA,QACxD;AAAA,QACA,UAAU;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,MAAI,iBAAiB;AACnB,qBAAiB,MAAM,sBAAsB,IAAI;AAAA,MAC/C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,gBAAgB;AAAA,MAChB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,aAAa,MAAM,aAAa,OAAO;AAC7C,QAAM,iBAAiB,iBACnB,uBAA2C,YAAY,cAAc,IACrE;AACJ,QAAM,cAAc,qBAAqB,cAAc;AACvD,QAAM,gBAAgB,iBAClB,uBAA2C,aAAa,cAAc,IACtE;AAEJ,QAAM,mBAAmB,MAAM;AAAA,IAC7B;AAAA,MACE,sBAAsB,SAAS,oBAAoB;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,cAAc,IAAI,CAAC,EAAE,QAAQ,SAAS,GAAG,MAAM,MAAM,KAAK;AAAA,IAClE;AAAA,IACA,sBAAsB,4BAA4B,sBAAsB,SAAS,oBAAoB,CAAC;AAAA,IACtG,iBAAiB,MAAM,uBAAuB,eAAe;AAAA,IAC7D;AAAA,IACA;AAAA,IACA,OAAO,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AAAA,EACnD;AACF;",
+  "sourcesContent": ["import * as React from 'react'\nimport type { FilterQuery } from '@mikro-orm/core'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport type { AwilixContainer } from 'awilix'\nimport type { AuthContext } from '@open-mercato/shared/lib/auth/server'\nimport type { BackendRouteManifestEntry } from '@open-mercato/shared/modules/registry'\nimport type {\n  BackendChromePayload,\n  BackendChromeNavGroup,\n  BackendChromeNavItem,\n  BackendChromeSectionGroup,\n  BackendChromeSectionItem,\n} from '@open-mercato/shared/modules/navigation/backendChrome'\nimport {\n  buildAdminNav,\n  buildSettingsSections,\n  computeSettingsPathPrefixes,\n  convertToSectionNavGroups,\n  type AdminNavItem,\n} from '@open-mercato/ui/backend/utils/nav'\nimport { resolveRegisteredLucideIconNode } from '@open-mercato/ui/backend/icons/lucideRegistry'\nimport { profilePathPrefixes, profileSections } from './profile-sections'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { filterGrantsByEnabledModules } from '@open-mercato/shared/security/enabledModulesRegistry'\nimport {\n  getSelectedOrganizationFromRequest,\n  resolveFeatureCheckContext,\n} from '@open-mercato/core/modules/directory/utils/organizationScope'\nimport { isAllOrganizationsSelection } from '@open-mercato/core/modules/directory/constants'\nimport { Organization } from '@open-mercato/core/modules/directory/data/entities'\nimport { CustomEntity } from '@open-mercato/core/modules/entities/data/entities'\nimport { Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport {\n  applySidebarPreference,\n  loadFirstRoleSidebarPreference,\n  loadSidebarPreference,\n} from '@open-mercato/core/modules/auth/services/sidebarPreferencesService'\nimport type { SidebarPreferencesSettings } from '@open-mercato/shared/modules/navigation/sidebarPreferences'\n\ntype TranslationFn = (key: string | undefined, fallback: string) => string\n\ntype RouteModule = {\n  id: string\n  backendRoutes?: BackendRouteManifestEntry[]\n}\n\nexport function groupBackendRoutesByModule(routes: BackendRouteManifestEntry[]): RouteModule[] {\n  return Array.from(\n    routes.reduce((grouped, route) => {\n      const list = grouped.get(route.moduleId) ?? []\n      list.push(route)\n      grouped.set(route.moduleId, list)\n      return grouped\n    }, new Map<string, BackendRouteManifestEntry[]>()),\n  ).map(([id, backendRoutes]) => ({ id, backendRoutes }))\n}\n\ntype SerializableSectionItem = {\n  id: string\n  label: string\n  labelKey?: string\n  href: string\n  icon?: React.ReactNode\n  order?: number\n  children?: SerializableSectionItem[]\n}\n\ntype SerializableSectionGroup = {\n  id: string\n  label: string\n  labelKey?: string\n  order?: number\n  items: SerializableSectionItem[]\n}\n\ntype ResolvedNavItem = Omit<BackendChromeNavItem, 'defaultTitle' | 'children'> & {\n  defaultTitle: string\n  children?: ResolvedNavItem[]\n}\n\ntype ResolveBackendChromePayloadArgs = {\n  auth: Exclude<AuthContext, null>\n  locale: string\n  modules: RouteModule[]\n  translate: TranslationFn\n  request?: Request\n  selectedOrganizationId?: string | null\n  selectedTenantId?: string | null\n}\n\nconst settingsSectionOrder: Record<string, number> = {\n  system: 1,\n  auth: 2,\n  'customer-portal': 3,\n  'data-designer': 4,\n  'module-configs': 5,\n  directory: 6,\n  'feature-toggles': 7,\n}\n\ntype NavGroupWithWeight = Omit<BackendChromeNavGroup, 'id' | 'defaultName' | 'items'> & {\n  id: string\n  defaultName: string\n  items: ResolvedNavItem[]\n  weight: number\n}\n\nlet renderToStaticMarkupPromise: Promise<typeof import('react-dom/server')> | null = null\n\nasync function serializeIconMarkup(icon: React.ReactNode | undefined): Promise<string | undefined> {\n  if (!icon) return undefined\n  if (!renderToStaticMarkupPromise) {\n    renderToStaticMarkupPromise = import('react-dom/server')\n  }\n  const { renderToStaticMarkup } = await renderToStaticMarkupPromise\n\n  const normalizedIcon = typeof icon === 'string'\n    ? resolveRegisteredLucideIconNode(icon, 'size-4')\n    : icon\n\n  if (!normalizedIcon) return undefined\n\n  try {\n    const markup = renderToStaticMarkup(<>{normalizedIcon}</>)\n    return markup.trim().length > 0 ? markup : undefined\n  } catch {\n    // Some icon values may be client-only component references after dependency upgrades.\n    // Avoid taking down the entire nav payload because one icon cannot be rendered server-side.\n    return undefined\n  }\n}\n\nasync function serializeNavItem(item: AdminNavItem): Promise<ResolvedNavItem> {\n  return {\n    id: item.href,\n    href: item.href,\n    title: item.title,\n    defaultTitle: item.defaultTitle,\n    enabled: item.enabled,\n    hidden: item.hidden,\n    pageContext: item.pageContext,\n    iconName: typeof item.icon === 'string' ? item.icon : undefined,\n    iconMarkup: await serializeIconMarkup(item.icon),\n    children: item.children ? await Promise.all(item.children.map((child) => serializeNavItem(child))) : undefined,\n  }\n}\n\nfunction normalizeGroupWeights(groups: NavGroupWithWeight[]): NavGroupWithWeight[] {\n  const defaultGroupOrder = [\n    'customers.nav.group',\n    'catalog.nav.group',\n    'customers~sales.nav.group',\n    'resources.nav.group',\n    'staff.nav.group',\n    'entities.nav.group',\n    'directory.nav.group',\n    'customers.storage.nav.group',\n  ]\n  const groupOrderIndex = new Map(defaultGroupOrder.map((id, index) => [id, index]))\n  groups.sort((a, b) => {\n    const aIndex = groupOrderIndex.get(a.id)\n    const bIndex = groupOrderIndex.get(b.id)\n    if (aIndex !== undefined || bIndex !== undefined) {\n      if (aIndex === undefined) return 1\n      if (bIndex === undefined) return -1\n      if (aIndex !== bIndex) return aIndex - bIndex\n    }\n    if (a.weight !== b.weight) return a.weight - b.weight\n    return a.name.localeCompare(b.name)\n  })\n  const defaultGroupCount = defaultGroupOrder.length\n  groups.forEach((group, index) => {\n    const rank = groupOrderIndex.get(group.id)\n    const fallbackWeight = typeof group.weight === 'number' ? group.weight : 10_000\n    group.weight =\n      (rank !== undefined ? rank : defaultGroupCount + index) * 1_000_000 +\n      Math.min(Math.max(fallbackWeight, 0), 999_999)\n  })\n  return groups\n}\n\nasync function groupEntries(entries: AdminNavItem[]): Promise<NavGroupWithWeight[]> {\n  const groupMap = new Map<string, NavGroupWithWeight>()\n  for (const entry of entries) {\n    const weight = entry.priority ?? entry.order ?? 10_000\n    const serializedItem = await serializeNavItem(entry)\n    const existing = groupMap.get(entry.groupId)\n    if (existing) {\n      existing.items.push(serializedItem)\n      if (weight < existing.weight) existing.weight = weight\n      continue\n    }\n    groupMap.set(entry.groupId, {\n      id: entry.groupId,\n      name: entry.group,\n      defaultName: entry.groupDefaultName,\n      items: [serializedItem],\n      weight,\n    })\n  }\n  return normalizeGroupWeights(Array.from(groupMap.values()))\n}\n\nfunction adoptSidebarDefaults(groups: NavGroupWithWeight[]): NavGroupWithWeight[] {\n  const adoptItems = (items: ResolvedNavItem[]): ResolvedNavItem[] =>\n    items.map((item) => ({\n      ...item,\n      defaultTitle: item.title,\n      children: item.children ? adoptItems(item.children) : undefined,\n    }))\n\n  return groups.map((group) => ({\n    ...group,\n    defaultName: group.name,\n    items: adoptItems(group.items),\n  }))\n}\n\nasync function serializeSectionItem(item: {\n  id: string\n  label: string\n  labelKey?: string\n  href: string\n  icon?: React.ReactNode\n  order?: number\n  children?: SerializableSectionItem[]\n}): Promise<BackendChromeSectionItem> {\n  return {\n    id: item.id,\n    label: item.label,\n    labelKey: item.labelKey,\n    href: item.href,\n    order: item.order,\n    iconName: typeof item.icon === 'string' ? item.icon : undefined,\n    iconMarkup: await serializeIconMarkup(item.icon),\n    children: item.children ? await Promise.all(item.children.map((child) => serializeSectionItem(child))) : undefined,\n  }\n}\n\nasync function serializeSectionGroups(groups: SerializableSectionGroup[]): Promise<BackendChromeSectionGroup[]> {\n  return Promise.all(groups.map(async (group) => ({\n    id: group.id,\n    label: group.label,\n    labelKey: group.labelKey,\n    order: group.order,\n    items: await Promise.all(group.items.map((item) => serializeSectionItem(item))),\n  })))\n}\n\nasync function loadScopedContainer(): Promise<AwilixContainer> {\n  return createRequestContainer()\n}\n\nexport async function resolveBackendChromePayload({\n  auth,\n  locale,\n  modules,\n  translate,\n  request,\n  selectedOrganizationId,\n  selectedTenantId,\n}: ResolveBackendChromePayloadArgs): Promise<BackendChromePayload> {\n  const container = await loadScopedContainer()\n  const em = container.resolve('em') as EntityManager\n  const rbac = container.resolve('rbacService') as {\n    loadAcl: (userId: string, scope: { tenantId: string | null; organizationId: string | null }) => Promise<{\n      isSuperAdmin: boolean\n      features: string[]\n    }>\n    userHasAllFeatures: (userId: string, required: string[], scope: { tenantId: string | null; organizationId: string | null }) => Promise<boolean>\n  }\n\n  let scopedOrganizationId: string | null = auth.orgId ?? null\n  let scopedTenantId: string | null = auth.tenantId ?? null\n  let allowNavigation = true\n\n  try {\n    const { organizationId, scope, allowedOrganizationIds } = await resolveFeatureCheckContext({\n      container,\n      auth,\n      request,\n      selectedId: selectedOrganizationId,\n      tenantId: selectedTenantId,\n    })\n    scopedOrganizationId = organizationId\n    scopedTenantId = scope.tenantId ?? auth.tenantId ?? null\n    if (Array.isArray(allowedOrganizationIds) && allowedOrganizationIds.length === 0) {\n      allowNavigation = false\n    }\n  } catch {\n    scopedOrganizationId = auth.orgId ?? null\n    scopedTenantId = auth.tenantId ?? null\n  }\n\n  const acl = allowNavigation\n    ? await rbac.loadAcl(auth.sub, {\n        tenantId: scopedTenantId,\n        organizationId: scopedOrganizationId,\n      })\n    : { isSuperAdmin: false, features: [] }\n\n  const rawGrantedFeatures = acl.isSuperAdmin ? ['*'] : acl.features\n  const grantedFeatures = filterGrantsByEnabledModules(rawGrantedFeatures)\n  const featureChecker = async (features: string[]): Promise<string[]> => {\n    if (!allowNavigation || !features.length) return []\n    const context = {\n      tenantId: scopedTenantId ?? auth.tenantId ?? null,\n      organizationId: scopedOrganizationId ?? null,\n    }\n    const hasAll = await rbac.userHasAllFeatures(auth.sub, features, context)\n    if (hasAll) return features\n\n    const granted: string[] = []\n    for (const feature of features) {\n      const hasFeature = await rbac.userHasAllFeatures(auth.sub, [feature], context)\n      if (hasFeature) granted.push(feature)\n    }\n    return granted\n  }\n\n  let userEntities: Array<{ entityId: string; label: string; href: string }> = []\n  if (allowNavigation) {\n    try {\n      const where: FilterQuery<CustomEntity> = {\n        isActive: true,\n        showInSidebar: true,\n      }\n      where.$and = [\n        { $or: [{ organizationId: scopedOrganizationId ?? undefined }, { organizationId: null }] },\n        { $or: [{ tenantId: scopedTenantId ?? undefined }, { tenantId: null }] },\n      ]\n      const entities = await em.find(CustomEntity, where, { orderBy: { label: 'asc' } })\n      userEntities = entities.map((entity) => ({\n        entityId: entity.entityId,\n        label: entity.label,\n        href: `/backend/entities/user/${encodeURIComponent(entity.entityId)}/records`,\n      }))\n    } catch {\n      userEntities = []\n    }\n  }\n\n  const ctxAuth = {\n    roles: auth.roles || [],\n    sub: auth.sub,\n    tenantId: scopedTenantId,\n    orgId: scopedOrganizationId,\n  }\n  const entries = allowNavigation\n    ? await buildAdminNav(\n        modules,\n        { auth: ctxAuth },\n        userEntities,\n        translate,\n        { checkFeatures: featureChecker },\n      )\n    : []\n\n  let rolePreference: SidebarPreferencesSettings | null = null\n  let userPreference: SidebarPreferencesSettings | null = null\n\n  if (Array.isArray(auth.roles) && auth.roles.length > 0) {\n    const roleRecords = scopedTenantId\n      ? await em.find(Role, {\n          name: { $in: auth.roles },\n          tenantId: scopedTenantId,\n        })\n      : []\n    const roleIds = Array.isArray(roleRecords) ? roleRecords.map((role) => role.id) : []\n    if (roleIds.length > 0) {\n      rolePreference = await loadFirstRoleSidebarPreference(em, {\n        roleIds,\n        tenantId: scopedTenantId,\n        locale,\n      })\n    }\n  }\n\n  const effectiveUserId = auth.isApiKey ? auth.userId : auth.sub\n  if (effectiveUserId) {\n    userPreference = await loadSidebarPreference(em, {\n      userId: effectiveUserId,\n      tenantId: scopedTenantId,\n      organizationId: scopedOrganizationId,\n      locale,\n    })\n  }\n\n  const baseGroups = await groupEntries(entries)\n  const groupsWithRole = rolePreference\n    ? applySidebarPreference<NavGroupWithWeight>(baseGroups, rolePreference)\n    : baseGroups\n  const baseForUser = adoptSidebarDefaults(groupsWithRole)\n  const appliedGroups = userPreference\n    ? applySidebarPreference<NavGroupWithWeight>(baseForUser, userPreference)\n    : baseForUser\n\n  const settingsSections = await serializeSectionGroups(\n    convertToSectionNavGroups(\n      buildSettingsSections(entries, settingsSectionOrder),\n      translate,\n    ),\n  )\n\n  const requestOrganizationId = request ? getSelectedOrganizationFromRequest(request) : null\n  const fallbackOrganizationId = selectedOrganizationId ?? requestOrganizationId ?? auth.orgId ?? null\n  const brandOrganizationId = scopedOrganizationId\n    ?? (fallbackOrganizationId && !isAllOrganizationsSelection(fallbackOrganizationId) ? fallbackOrganizationId : null)\n\n  let brand: BackendChromePayload['brand'] = null\n  if (brandOrganizationId && scopedTenantId) {\n    try {\n      const organization = await findOneWithDecryption(\n        em,\n        Organization,\n        { id: brandOrganizationId, tenant: scopedTenantId, deletedAt: null },\n        undefined,\n        { tenantId: scopedTenantId, organizationId: brandOrganizationId },\n      )\n      if (organization?.logoUrl) {\n        brand = {\n          name: organization.name,\n          logo: {\n            src: organization.logoUrl,\n            alt: `${organization.name} logo`,\n          },\n        }\n      }\n    } catch {\n      brand = null\n    }\n  }\n\n  return {\n    groups: appliedGroups.map(({ weight: _weight, ...group }) => group),\n    settingsSections,\n    settingsPathPrefixes: computeSettingsPathPrefixes(buildSettingsSections(entries, settingsSectionOrder)),\n    profileSections: await serializeSectionGroups(profileSections),\n    profilePathPrefixes,\n    grantedFeatures,\n    roles: Array.isArray(auth.roles) ? auth.roles : [],\n    brand,\n  }\n}\n"],
+  "mappings": "AA4HwC;AA/GxC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP,SAAS,uCAAuC;AAChD,SAAS,qBAAqB,uBAAuB;AACrD,SAAS,8BAA8B;AACvC,SAAS,oCAAoC;AAC7C;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,mCAAmC;AAC5C,SAAS,oBAAoB;AAC7B,SAAS,oBAAoB;AAC7B,SAAS,YAAY;AACrB,SAAS,6BAA6B;AACtC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAUA,SAAS,2BAA2B,QAAoD;AAC7F,SAAO,MAAM;AAAA,IACX,OAAO,OAAO,CAAC,SAAS,UAAU;AAChC,YAAM,OAAO,QAAQ,IAAI,MAAM,QAAQ,KAAK,CAAC;AAC7C,WAAK,KAAK,KAAK;AACf,cAAQ,IAAI,MAAM,UAAU,IAAI;AAChC,aAAO;AAAA,IACT,GAAG,oBAAI,IAAyC,CAAC;AAAA,EACnD,EAAE,IAAI,CAAC,CAAC,IAAI,aAAa,OAAO,EAAE,IAAI,cAAc,EAAE;AACxD;AAmCA,MAAM,uBAA+C;AAAA,EACnD,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,mBAAmB;AAAA,EACnB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,WAAW;AAAA,EACX,mBAAmB;AACrB;AASA,IAAI,8BAAiF;AAErF,eAAe,oBAAoB,MAAgE;AACjG,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,CAAC,6BAA6B;AAChC,kCAA8B,OAAO,kBAAkB;AAAA,EACzD;AACA,QAAM,EAAE,qBAAqB,IAAI,MAAM;AAEvC,QAAM,iBAAiB,OAAO,SAAS,WACnC,gCAAgC,MAAM,QAAQ,IAC9C;AAEJ,MAAI,CAAC,eAAgB,QAAO;AAE5B,MAAI;AACF,UAAM,SAAS,qBAAqB,gCAAG,0BAAe,CAAG;AACzD,WAAO,OAAO,KAAK,EAAE,SAAS,IAAI,SAAS;AAAA,EAC7C,QAAQ;AAGN,WAAO;AAAA,EACT;AACF;AAEA,eAAe,iBAAiB,MAA8C;AAC5E,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,MAAM,KAAK;AAAA,IACX,OAAO,KAAK;AAAA,IACZ,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,UAAU,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AAAA,IACtD,YAAY,MAAM,oBAAoB,KAAK,IAAI;AAAA,IAC/C,UAAU,KAAK,WAAW,MAAM,QAAQ,IAAI,KAAK,SAAS,IAAI,CAAC,UAAU,iBAAiB,KAAK,CAAC,CAAC,IAAI;AAAA,EACvG;AACF;AAEA,SAAS,sBAAsB,QAAoD;AACjF,QAAM,oBAAoB;AAAA,IACxB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,kBAAkB,IAAI,IAAI,kBAAkB,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,KAAK,CAAC,CAAC;AACjF,SAAO,KAAK,CAAC,GAAG,MAAM;AACpB,UAAM,SAAS,gBAAgB,IAAI,EAAE,EAAE;AACvC,UAAM,SAAS,gBAAgB,IAAI,EAAE,EAAE;AACvC,QAAI,WAAW,UAAa,WAAW,QAAW;AAChD,UAAI,WAAW,OAAW,QAAO;AACjC,UAAI,WAAW,OAAW,QAAO;AACjC,UAAI,WAAW,OAAQ,QAAO,SAAS;AAAA,IACzC;AACA,QAAI,EAAE,WAAW,EAAE,OAAQ,QAAO,EAAE,SAAS,EAAE;AAC/C,WAAO,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EACpC,CAAC;AACD,QAAM,oBAAoB,kBAAkB;AAC5C,SAAO,QAAQ,CAAC,OAAO,UAAU;AAC/B,UAAM,OAAO,gBAAgB,IAAI,MAAM,EAAE;AACzC,UAAM,iBAAiB,OAAO,MAAM,WAAW,WAAW,MAAM,SAAS;AACzE,UAAM,UACH,SAAS,SAAY,OAAO,oBAAoB,SAAS,MAC1D,KAAK,IAAI,KAAK,IAAI,gBAAgB,CAAC,GAAG,MAAO;AAAA,EACjD,CAAC;AACD,SAAO;AACT;AAEA,eAAe,aAAa,SAAwD;AAClF,QAAM,WAAW,oBAAI,IAAgC;AACrD,aAAW,SAAS,SAAS;AAC3B,UAAM,SAAS,MAAM,YAAY,MAAM,SAAS;AAChD,UAAM,iBAAiB,MAAM,iBAAiB,KAAK;AACnD,UAAM,WAAW,SAAS,IAAI,MAAM,OAAO;AAC3C,QAAI,UAAU;AACZ,eAAS,MAAM,KAAK,cAAc;AAClC,UAAI,SAAS,SAAS,OAAQ,UAAS,SAAS;AAChD;AAAA,IACF;AACA,aAAS,IAAI,MAAM,SAAS;AAAA,MAC1B,IAAI,MAAM;AAAA,MACV,MAAM,MAAM;AAAA,MACZ,aAAa,MAAM;AAAA,MACnB,OAAO,CAAC,cAAc;AAAA,MACtB;AAAA,IACF,CAAC;AAAA,EACH;AACA,SAAO,sBAAsB,MAAM,KAAK,SAAS,OAAO,CAAC,CAAC;AAC5D;AAEA,SAAS,qBAAqB,QAAoD;AAChF,QAAM,aAAa,CAAC,UAClB,MAAM,IAAI,CAAC,UAAU;AAAA,IACnB,GAAG;AAAA,IACH,cAAc,KAAK;AAAA,IACnB,UAAU,KAAK,WAAW,WAAW,KAAK,QAAQ,IAAI;AAAA,EACxD,EAAE;AAEJ,SAAO,OAAO,IAAI,CAAC,WAAW;AAAA,IAC5B,GAAG;AAAA,IACH,aAAa,MAAM;AAAA,IACnB,OAAO,WAAW,MAAM,KAAK;AAAA,EAC/B,EAAE;AACJ;AAEA,eAAe,qBAAqB,MAQE;AACpC,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,OAAO,KAAK;AAAA,IACZ,UAAU,KAAK;AAAA,IACf,MAAM,KAAK;AAAA,IACX,OAAO,KAAK;AAAA,IACZ,UAAU,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AAAA,IACtD,YAAY,MAAM,oBAAoB,KAAK,IAAI;AAAA,IAC/C,UAAU,KAAK,WAAW,MAAM,QAAQ,IAAI,KAAK,SAAS,IAAI,CAAC,UAAU,qBAAqB,KAAK,CAAC,CAAC,IAAI;AAAA,EAC3G;AACF;AAEA,eAAe,uBAAuB,QAA0E;AAC9G,SAAO,QAAQ,IAAI,OAAO,IAAI,OAAO,WAAW;AAAA,IAC9C,IAAI,MAAM;AAAA,IACV,OAAO,MAAM;AAAA,IACb,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,IACb,OAAO,MAAM,QAAQ,IAAI,MAAM,MAAM,IAAI,CAAC,SAAS,qBAAqB,IAAI,CAAC,CAAC;AAAA,EAChF,EAAE,CAAC;AACL;AAEA,eAAe,sBAAgD;AAC7D,SAAO,uBAAuB;AAChC;AAEA,eAAsB,4BAA4B;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,GAAmE;AACjE,QAAM,YAAY,MAAM,oBAAoB;AAC5C,QAAM,KAAK,UAAU,QAAQ,IAAI;AACjC,QAAM,OAAO,UAAU,QAAQ,aAAa;AAQ5C,MAAI,uBAAsC,KAAK,SAAS;AACxD,MAAI,iBAAgC,KAAK,YAAY;AACrD,MAAI,kBAAkB;AAEtB,MAAI;AACF,UAAM,EAAE,gBAAgB,OAAO,uBAAuB,IAAI,MAAM,2BAA2B;AAAA,MACzF;AAAA,MACA;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,UAAU;AAAA,IACZ,CAAC;AACD,2BAAuB;AACvB,qBAAiB,MAAM,YAAY,KAAK,YAAY;AACpD,QAAI,MAAM,QAAQ,sBAAsB,KAAK,uBAAuB,WAAW,GAAG;AAChF,wBAAkB;AAAA,IACpB;AAAA,EACF,QAAQ;AACN,2BAAuB,KAAK,SAAS;AACrC,qBAAiB,KAAK,YAAY;AAAA,EACpC;AAEA,QAAM,MAAM,kBACR,MAAM,KAAK,QAAQ,KAAK,KAAK;AAAA,IAC3B,UAAU;AAAA,IACV,gBAAgB;AAAA,EAClB,CAAC,IACD,EAAE,cAAc,OAAO,UAAU,CAAC,EAAE;AAExC,QAAM,qBAAqB,IAAI,eAAe,CAAC,GAAG,IAAI,IAAI;AAC1D,QAAM,kBAAkB,6BAA6B,kBAAkB;AACvE,QAAM,iBAAiB,OAAO,aAA0C;AACtE,QAAI,CAAC,mBAAmB,CAAC,SAAS,OAAQ,QAAO,CAAC;AAClD,UAAM,UAAU;AAAA,MACd,UAAU,kBAAkB,KAAK,YAAY;AAAA,MAC7C,gBAAgB,wBAAwB;AAAA,IAC1C;AACA,UAAM,SAAS,MAAM,KAAK,mBAAmB,KAAK,KAAK,UAAU,OAAO;AACxE,QAAI,OAAQ,QAAO;AAEnB,UAAM,UAAoB,CAAC;AAC3B,eAAW,WAAW,UAAU;AAC9B,YAAM,aAAa,MAAM,KAAK,mBAAmB,KAAK,KAAK,CAAC,OAAO,GAAG,OAAO;AAC7E,UAAI,WAAY,SAAQ,KAAK,OAAO;AAAA,IACtC;AACA,WAAO;AAAA,EACT;AAEA,MAAI,eAAyE,CAAC;AAC9E,MAAI,iBAAiB;AACnB,QAAI;AACF,YAAM,QAAmC;AAAA,QACvC,UAAU;AAAA,QACV,eAAe;AAAA,MACjB;AACA,YAAM,OAAO;AAAA,QACX,EAAE,KAAK,CAAC,EAAE,gBAAgB,wBAAwB,OAAU,GAAG,EAAE,gBAAgB,KAAK,CAAC,EAAE;AAAA,QACzF,EAAE,KAAK,CAAC,EAAE,UAAU,kBAAkB,OAAU,GAAG,EAAE,UAAU,KAAK,CAAC,EAAE;AAAA,MACzE;AACA,YAAM,WAAW,MAAM,GAAG,KAAK,cAAc,OAAO,EAAE,SAAS,EAAE,OAAO,MAAM,EAAE,CAAC;AACjF,qBAAe,SAAS,IAAI,CAAC,YAAY;AAAA,QACvC,UAAU,OAAO;AAAA,QACjB,OAAO,OAAO;AAAA,QACd,MAAM,0BAA0B,mBAAmB,OAAO,QAAQ,CAAC;AAAA,MACrE,EAAE;AAAA,IACJ,QAAQ;AACN,qBAAe,CAAC;AAAA,IAClB;AAAA,EACF;AAEA,QAAM,UAAU;AAAA,IACd,OAAO,KAAK,SAAS,CAAC;AAAA,IACtB,KAAK,KAAK;AAAA,IACV,UAAU;AAAA,IACV,OAAO;AAAA,EACT;AACA,QAAM,UAAU,kBACZ,MAAM;AAAA,IACJ;AAAA,IACA,EAAE,MAAM,QAAQ;AAAA,IAChB;AAAA,IACA;AAAA,IACA,EAAE,eAAe,eAAe;AAAA,EAClC,IACA,CAAC;AAEL,MAAI,iBAAoD;AACxD,MAAI,iBAAoD;AAExD,MAAI,MAAM,QAAQ,KAAK,KAAK,KAAK,KAAK,MAAM,SAAS,GAAG;AACtD,UAAM,cAAc,iBAChB,MAAM,GAAG,KAAK,MAAM;AAAA,MAClB,MAAM,EAAE,KAAK,KAAK,MAAM;AAAA,MACxB,UAAU;AAAA,IACZ,CAAC,IACD,CAAC;AACL,UAAM,UAAU,MAAM,QAAQ,WAAW,IAAI,YAAY,IAAI,CAAC,SAAS,KAAK,EAAE,IAAI,CAAC;AACnF,QAAI,QAAQ,SAAS,GAAG;AACtB,uBAAiB,MAAM,+BAA+B,IAAI;AAAA,QACxD;AAAA,QACA,UAAU;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,QAAM,kBAAkB,KAAK,WAAW,KAAK,SAAS,KAAK;AAC3D,MAAI,iBAAiB;AACnB,qBAAiB,MAAM,sBAAsB,IAAI;AAAA,MAC/C,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,gBAAgB;AAAA,MAChB;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,aAAa,MAAM,aAAa,OAAO;AAC7C,QAAM,iBAAiB,iBACnB,uBAA2C,YAAY,cAAc,IACrE;AACJ,QAAM,cAAc,qBAAqB,cAAc;AACvD,QAAM,gBAAgB,iBAClB,uBAA2C,aAAa,cAAc,IACtE;AAEJ,QAAM,mBAAmB,MAAM;AAAA,IAC7B;AAAA,MACE,sBAAsB,SAAS,oBAAoB;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAEA,QAAM,wBAAwB,UAAU,mCAAmC,OAAO,IAAI;AACtF,QAAM,yBAAyB,0BAA0B,yBAAyB,KAAK,SAAS;AAChG,QAAM,sBAAsB,yBACtB,0BAA0B,CAAC,4BAA4B,sBAAsB,IAAI,yBAAyB;AAEhH,MAAI,QAAuC;AAC3C,MAAI,uBAAuB,gBAAgB;AACzC,QAAI;AACF,YAAM,eAAe,MAAM;AAAA,QACzB;AAAA,QACA;AAAA,QACA,EAAE,IAAI,qBAAqB,QAAQ,gBAAgB,WAAW,KAAK;AAAA,QACnE;AAAA,QACA,EAAE,UAAU,gBAAgB,gBAAgB,oBAAoB;AAAA,MAClE;AACA,UAAI,cAAc,SAAS;AACzB,gBAAQ;AAAA,UACN,MAAM,aAAa;AAAA,UACnB,MAAM;AAAA,YACJ,KAAK,aAAa;AAAA,YAClB,KAAK,GAAG,aAAa,IAAI;AAAA,UAC3B;AAAA,QACF;AAAA,MACF;AAAA,IACF,QAAQ;AACN,cAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,cAAc,IAAI,CAAC,EAAE,QAAQ,SAAS,GAAG,MAAM,MAAM,KAAK;AAAA,IAClE;AAAA,IACA,sBAAsB,4BAA4B,sBAAsB,SAAS,oBAAoB,CAAC;AAAA,IACtG,iBAAiB,MAAM,uBAAuB,eAAe;AAAA,IAC7D;AAAA,IACA;AAAA,IACA,OAAO,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AAAA,IACjD;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/modules/auth/lib/consentIntegrity.js

@@ -2,17 +2,17 @@ import { createHmac, timingSafeEqual } from "node:crypto";
 const DEV_ONLY_SECRET = "om-consent-integrity-dev-only-secret";
 let missingSecretWarned = false;
 function getSecret() {
-  const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET;
+  const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.AUTH_SECRET || process.env.NEXTAUTH_SECRET || process.env.JWT_SECRET;
   if (!secret) {
     if (process.env.NODE_ENV === "production") {
       throw new Error(
-        "[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. Refusing to compute or verify consent integrity hashes in production without a real secret."
+        "[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. Refusing to compute or verify consent integrity hashes in production without a real secret."
       );
     }
     if (!missingSecretWarned) {
       missingSecretWarned = true;
       console.warn(
-        "[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set \u2014 using insecure dev-only default. Set a secret before deploying to production."
+        "[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set \u2014 using insecure dev-only default. Set a secret before deploying to production."
       );
     }
     return DEV_ONLY_SECRET;

package/dist/modules/auth/lib/consentIntegrity.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/lib/consentIntegrity.ts"],
-  "sourcesContent": ["import { createHmac, timingSafeEqual } from 'node:crypto'\n\ntype ConsentHashInput = {\n  userId: string\n  consentType: string\n  isGranted: boolean\n  grantedAt: Date | string | null | undefined\n  withdrawnAt?: Date | string | null | undefined\n  ipAddress: string | null | undefined\n  source: string | null | undefined\n}\n\nconst DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'\nlet missingSecretWarned = false\n\nfunction getSecret(): string {\n  const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET\n  if (!secret) {\n    if (process.env.NODE_ENV === 'production') {\n      throw new Error(\n        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. ' +\n        'Refusing to compute or verify consent integrity hashes in production without a real secret.',\n      )\n    }\n    if (!missingSecretWarned) {\n      missingSecretWarned = true\n      console.warn(\n        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set \u2014 ' +\n        'using insecure dev-only default. Set a secret before deploying to production.',\n      )\n    }\n    return DEV_ONLY_SECRET\n  }\n  return secret\n}\n\nfunction normalizeDate(date: Date | string | null | undefined): string {\n  if (!date) return ''\n  const d = typeof date === 'string' ? new Date(date) : date\n  return d.toISOString()\n}\n\nexport function computeConsentIntegrityHash(input: ConsentHashInput): string {\n  const payload = [\n    input.userId,\n    input.consentType,\n    String(input.isGranted),\n    normalizeDate(input.grantedAt),\n    normalizeDate(input.withdrawnAt),\n    input.ipAddress ?? '',\n    input.source ?? '',\n  ].join('|')\n\n  return createHmac('sha256', getSecret()).update(payload).digest('hex')\n}\n\nexport function verifyConsentIntegrityHash(input: ConsentHashInput, hash: string | null | undefined): boolean {\n  if (!hash) return false\n  const expected = computeConsentIntegrityHash(input)\n  if (expected.length !== hash.length) return false\n  return timingSafeEqual(Buffer.from(expected), Buffer.from(hash))\n}\n"],
-  "mappings": "AAAA,SAAS,YAAY,uBAAuB;AAY5C,MAAM,kBAAkB;AACxB,IAAI,sBAAsB;AAE1B,SAAS,YAAoB;AAC3B,QAAM,SAAS,QAAQ,IAAI,4BAA4B,QAAQ,IAAI;AACnE,MAAI,CAAC,QAAQ;AACX,QAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB;AACxB,4BAAsB;AACtB,cAAQ;AAAA,QACN;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,cAAc,MAAgD;AACrE,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,IAAI,OAAO,SAAS,WAAW,IAAI,KAAK,IAAI,IAAI;AACtD,SAAO,EAAE,YAAY;AACvB;AAEO,SAAS,4BAA4B,OAAiC;AAC3E,QAAM,UAAU;AAAA,IACd,MAAM;AAAA,IACN,MAAM;AAAA,IACN,OAAO,MAAM,SAAS;AAAA,IACtB,cAAc,MAAM,SAAS;AAAA,IAC7B,cAAc,MAAM,WAAW;AAAA,IAC/B,MAAM,aAAa;AAAA,IACnB,MAAM,UAAU;AAAA,EAClB,EAAE,KAAK,GAAG;AAEV,SAAO,WAAW,UAAU,UAAU,CAAC,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AACvE;AAEO,SAAS,2BAA2B,OAAyB,MAA0C;AAC5G,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,WAAW,4BAA4B,KAAK;AAClD,MAAI,SAAS,WAAW,KAAK,OAAQ,QAAO;AAC5C,SAAO,gBAAgB,OAAO,KAAK,QAAQ,GAAG,OAAO,KAAK,IAAI,CAAC;AACjE;",
+  "sourcesContent": ["import { createHmac, timingSafeEqual } from 'node:crypto'\n\ntype ConsentHashInput = {\n  userId: string\n  consentType: string\n  isGranted: boolean\n  grantedAt: Date | string | null | undefined\n  withdrawnAt?: Date | string | null | undefined\n  ipAddress: string | null | undefined\n  source: string | null | undefined\n}\n\nconst DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'\nlet missingSecretWarned = false\n\nfunction getSecret(): string {\n  const secret = process.env.CONSENT_INTEGRITY_SECRET\n    || process.env.AUTH_SECRET\n    || process.env.NEXTAUTH_SECRET\n    || process.env.JWT_SECRET\n  if (!secret) {\n    if (process.env.NODE_ENV === 'production') {\n      throw new Error(\n        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. ' +\n        'Refusing to compute or verify consent integrity hashes in production without a real secret.',\n      )\n    }\n    if (!missingSecretWarned) {\n      missingSecretWarned = true\n      console.warn(\n        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set \u2014 ' +\n        'using insecure dev-only default. Set a secret before deploying to production.',\n      )\n    }\n    return DEV_ONLY_SECRET\n  }\n  return secret\n}\n\nfunction normalizeDate(date: Date | string | null | undefined): string {\n  if (!date) return ''\n  const d = typeof date === 'string' ? new Date(date) : date\n  return d.toISOString()\n}\n\nexport function computeConsentIntegrityHash(input: ConsentHashInput): string {\n  const payload = [\n    input.userId,\n    input.consentType,\n    String(input.isGranted),\n    normalizeDate(input.grantedAt),\n    normalizeDate(input.withdrawnAt),\n    input.ipAddress ?? '',\n    input.source ?? '',\n  ].join('|')\n\n  return createHmac('sha256', getSecret()).update(payload).digest('hex')\n}\n\nexport function verifyConsentIntegrityHash(input: ConsentHashInput, hash: string | null | undefined): boolean {\n  if (!hash) return false\n  const expected = computeConsentIntegrityHash(input)\n  if (expected.length !== hash.length) return false\n  return timingSafeEqual(Buffer.from(expected), Buffer.from(hash))\n}\n"],
+  "mappings": "AAAA,SAAS,YAAY,uBAAuB;AAY5C,MAAM,kBAAkB;AACxB,IAAI,sBAAsB;AAE1B,SAAS,YAAoB;AAC3B,QAAM,SAAS,QAAQ,IAAI,4BACtB,QAAQ,IAAI,eACZ,QAAQ,IAAI,mBACZ,QAAQ,IAAI;AACjB,MAAI,CAAC,QAAQ;AACX,QAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,QAAI,CAAC,qBAAqB;AACxB,4BAAsB;AACtB,cAAQ;AAAA,QACN;AAAA,MAEF;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,cAAc,MAAgD;AACrE,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,IAAI,OAAO,SAAS,WAAW,IAAI,KAAK,IAAI,IAAI;AACtD,SAAO,EAAE,YAAY;AACvB;AAEO,SAAS,4BAA4B,OAAiC;AAC3E,QAAM,UAAU;AAAA,IACd,MAAM;AAAA,IACN,MAAM;AAAA,IACN,OAAO,MAAM,SAAS;AAAA,IACtB,cAAc,MAAM,SAAS;AAAA,IAC7B,cAAc,MAAM,WAAW;AAAA,IAC/B,MAAM,aAAa;AAAA,IACnB,MAAM,UAAU;AAAA,EAClB,EAAE,KAAK,GAAG;AAEV,SAAO,WAAW,UAAU,UAAU,CAAC,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK;AACvE;AAEO,SAAS,2BAA2B,OAAyB,MAA0C;AAC5G,MAAI,CAAC,KAAM,QAAO;AAClB,QAAM,WAAW,4BAA4B,KAAK;AAClD,MAAI,SAAS,WAAW,KAAK,OAAQ,QAAO;AAC5C,SAAO,gBAAgB,OAAO,KAAK,QAAQ,GAAG,OAAO,KAAK,IAAI,CAAC;AACjE;",
   "names": []
 }

package/dist/modules/auth/migrations/Migration20260610120000.js

@@ -0,0 +1,30 @@
+import { Migration } from "@mikro-orm/migrations";
+class Migration20260610120000 extends Migration {
+  up() {
+    this.addSql(`
+      with ranked as (
+        select id,
+               row_number() over (
+                 partition by tenant_id, email_hash
+                 order by coalesce(updated_at, created_at) desc, created_at desc, id desc
+               ) as rn
+        from users
+        where deleted_at is null and email_hash is not null
+      )
+      update users
+      set deleted_at = now()
+      from ranked
+      where users.id = ranked.id and ranked.rn > 1;
+    `);
+    this.addSql(`alter table "users" drop constraint if exists "users_email_unique";`);
+    this.addSql(`create unique index if not exists "users_tenant_email_hash_uniq" on "users" ("tenant_id", "email_hash") where "deleted_at" is null and "email_hash" is not null;`);
+  }
+  down() {
+    this.addSql(`drop index if exists "users_tenant_email_hash_uniq";`);
+    this.addSql(`alter table "users" add constraint "users_email_unique" unique ("email");`);
+  }
+}
+export {
+  Migration20260610120000
+};
+//# sourceMappingURL=Migration20260610120000.js.map

package/dist/modules/auth/migrations/Migration20260610120000.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/auth/migrations/Migration20260610120000.ts"],
+  "sourcesContent": ["import { Migration } from '@mikro-orm/migrations';\n\n// #2934: User email uniqueness must be per-tenant, not global. The original\n// `users_email_unique` constraint (unique on `email` across all tenants) contradicts the\n// multi-tenant login flow \u2014 which resolves the same email across tenants via\n// `findUsersByEmail` \u2014 and leaks cross-tenant account existence / enables registration\n// squatting. Replace it with a partial unique index scoped per-tenant over live rows.\n//\n// The index is keyed on `email_hash`, NOT `email`: `email` is encrypted at rest with a\n// per-row IV (auth/encryption.ts -> shared aes.ts), so its ciphertext is non-deterministic\n// and a unique index on it would never detect duplicates under the default (encryption-on)\n// configuration. `email_hash` is the deterministic lookup hash the application already\n// de-dupes on, so the constraint is effective in both encryption-on and encryption-off\n// modes. This mirrors `customer_users_tenant_email_hash_uniq` in customer_accounts.\n//\n// `WHERE deleted_at IS NULL` lets a soft-deleted user's email be reused (the old non-partial\n// constraint blocked this); `AND email_hash IS NOT NULL` skips the rare legacy/bootstrap rows\n// that predate hash population (encryption-off `setup-app` users) \u2014 those remain protected by\n// the tenant-scoped application duplicate check.\n//\n// Before creating the index, soft-delete any pre-existing duplicate live rows per\n// (tenant_id, email_hash), keeping the most-recently-updated one. Under encryption the old\n// `email` constraint never fired, so same-tenant duplicates were only blocked by the\n// application check and a historical race could have slipped one through; the dedupe makes\n// the index creation safe on such data (no-op when there are none).\nexport class Migration20260610120000 extends Migration {\n\n  override up(): void | Promise<void> {\n    this.addSql(`\n      with ranked as (\n        select id,\n               row_number() over (\n                 partition by tenant_id, email_hash\n                 order by coalesce(updated_at, created_at) desc, created_at desc, id desc\n               ) as rn\n        from users\n        where deleted_at is null and email_hash is not null\n      )\n      update users\n      set deleted_at = now()\n      from ranked\n      where users.id = ranked.id and ranked.rn > 1;\n    `);\n    this.addSql(`alter table \"users\" drop constraint if exists \"users_email_unique\";`);\n    this.addSql(`create unique index if not exists \"users_tenant_email_hash_uniq\" on \"users\" (\"tenant_id\", \"email_hash\") where \"deleted_at\" is null and \"email_hash\" is not null;`);\n  }\n\n  override down(): void | Promise<void> {\n    this.addSql(`drop index if exists \"users_tenant_email_hash_uniq\";`);\n    this.addSql(`alter table \"users\" add constraint \"users_email_unique\" unique (\"email\");`);\n  }\n\n}\n"],
+  "mappings": "AAAA,SAAS,iBAAiB;AAyBnB,MAAM,gCAAgC,UAAU;AAAA,EAE5C,KAA2B;AAClC,SAAK,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAcX;AACD,SAAK,OAAO,qEAAqE;AACjF,SAAK,OAAO,kKAAkK;AAAA,EAChL;AAAA,EAES,OAA6B;AACpC,SAAK,OAAO,sDAAsD;AAClE,SAAK,OAAO,2EAA2E;AAAA,EACzF;AAEF;",
+  "names": []
+}

package/dist/modules/auth/migrations/Migration20260611103000.js

@@ -0,0 +1,15 @@
+import { Migration } from "@mikro-orm/migrations";
+class Migration20260611103000 extends Migration {
+  up() {
+    this.addSql(`create index if not exists "user_roles_user_id_idx" on "user_roles" ("user_id");`);
+    this.addSql(`create index if not exists "user_roles_role_id_idx" on "user_roles" ("role_id");`);
+  }
+  down() {
+    this.addSql(`drop index if exists "user_roles_user_id_idx";`);
+    this.addSql(`drop index if exists "user_roles_role_id_idx";`);
+  }
+}
+export {
+  Migration20260611103000
+};
+//# sourceMappingURL=Migration20260611103000.js.map

package/dist/modules/auth/migrations/Migration20260611103000.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/auth/migrations/Migration20260611103000.ts"],
+  "sourcesContent": ["import { Migration } from '@mikro-orm/migrations';\n\n// #2966: user_roles carries only its FK constraints and Postgres does not\n// auto-index FK columns, so RBAC scans it sequentially by user_id on every\n// ACL cache miss (rbacService super-admin check + ACL aggregation) and by\n// role_id on user-list filtering and role rename/delete guards. Index both\n// FK columns so these hot paths become index scans. The table is small\n// relative to search_tokens, so a plain (transactional) build is safe.\nexport class Migration20260611103000 extends Migration {\n\n  override up(): void | Promise<void> {\n    this.addSql(`create index if not exists \"user_roles_user_id_idx\" on \"user_roles\" (\"user_id\");`);\n    this.addSql(`create index if not exists \"user_roles_role_id_idx\" on \"user_roles\" (\"role_id\");`);\n  }\n\n  override down(): void | Promise<void> {\n    this.addSql(`drop index if exists \"user_roles_user_id_idx\";`);\n    this.addSql(`drop index if exists \"user_roles_role_id_idx\";`);\n  }\n\n}\n"],
+  "mappings": "AAAA,SAAS,iBAAiB;AAQnB,MAAM,gCAAgC,UAAU;AAAA,EAE5C,KAA2B;AAClC,SAAK,OAAO,kFAAkF;AAC9F,SAAK,OAAO,kFAAkF;AAAA,EAChG;AAAA,EAES,OAA6B;AACpC,SAAK,OAAO,gDAAgD;AAC5D,SAAK,OAAO,gDAAgD;AAAA,EAC9D;AAEF;",
+  "names": []
+}

package/dist/modules/auth/services/authService.js

@@ -3,6 +3,7 @@ import { User, UserRole, Session, PasswordReset } from "@open-mercato/core/modul
 import { emailHashLookupValues } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { generateAuthToken, hashAuthToken } from "@open-mercato/core/modules/auth/lib/tokenHash";
 import { findWithDecryption, findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+const TIMING_EQUALIZER_PASSWORD_HASH = "$2b$10$OcZrhmZpIzJOjkfwUrk7d.Nl0eHNzOvalBcBlt5Ran.4lj8R3HZg6";
 class AuthService {
   constructor(em) {
     this.em = em;
@@ -45,8 +46,9 @@ class AuthService {
     );
   }
   async verifyPassword(user, password) {
-    if (!user.passwordHash) return false;
-    return compare(password, user.passwordHash);
+    const storedHash = user?.passwordHash ?? null;
+    const matched = await compare(password, storedHash ?? TIMING_EQUALIZER_PASSWORD_HASH);
+    return storedHash !== null && matched;
   }
   async updateLastLoginAt(user) {
     const now = /* @__PURE__ */ new Date();
@@ -63,7 +65,7 @@ class AuthService {
       { populate: ["role"] },
       { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null }
     );
-    return links.map((l) => l.role.name);
+    return links.map((l) => l.role).filter((role) => !!role).map((role) => role.name).filter((name) => typeof name === "string" && name.trim().length > 0);
   }
   async createSession(user, expiresAt) {
     const rawToken = generateAuthToken();

package/dist/modules/auth/services/authService.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/services/authService.ts"],
-  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { emailHashLookupValues } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUsersByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUserByEmailAndTenant(email: string, tenantId: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(\n      this.em,\n      User,\n      {\n        tenantId,\n        deletedAt: null,\n        $or: [\n          { email },\n          { emailHash: { $in: emailHashes } },\n        ],\n      } as any,\n      undefined,\n      { tenantId },\n    )\n  }\n\n  async verifyPassword(user: User, password: string) {\n    if (!user.passwordHash) return false\n    return compare(password, user.passwordHash)\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, deletedAt: null, role: { tenantId: resolvedTenantId, deletedAt: null } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    return links.map((l) => l.role.name)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<{ session: Session; token: string }> {\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const sess = this.em.create(Session as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(sess).flush()\n    return { session: sess as Session, token: rawToken }\n  }\n\n  async deleteSessionByToken(token: string) {\n    const hashedToken = hashAuthToken(token)\n    await this.em.nativeDelete(Session, { token: hashedToken })\n  }\n\n  async deleteSessionById(sessionId: string) {\n    await this.em.nativeDelete(Session, { id: sessionId })\n  }\n\n  async findActiveSessionById(sessionId: string): Promise<Session | null> {\n    const session = await this.em.findOne(Session, { id: sessionId, deletedAt: null })\n    if (!session) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n    return session\n  }\n\n  async deleteAllUserSessions(userId: string) {\n    await this.em.nativeDelete(Session, { user: userId })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const sess = await this.em.findOne(Session, { token: hashedToken })\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await findOneWithDecryption(this.em, User, { id: sess.user.id, deletedAt: null })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles, session: sess }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(row).flush()\n    return { user, token: rawToken }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const row = await this.em.findOne(PasswordReset, { token: hashedToken })\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null\n\n    // Atomic compare-and-set: only mark used if still unused \u2014 prevents token replay under concurrency\n    const affected = await this.em.nativeUpdate(\n      PasswordReset,\n      { id: row.id, usedAt: null },\n      { usedAt: now },\n    )\n    if (affected === 0) return null\n\n    const user = await findOneWithDecryption(this.em, User, { id: row.user.id, deletedAt: null })\n    if (!user) return null\n    user.passwordHash = await hash(newPassword, 10)\n    await this.em.flush()\n    await this.deleteAllUserSessions(String(user.id))\n    return user\n  }\n}\n"],
-  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,SAAS,6BAA6B;AACtC,SAAS,mBAAmB,qBAAqB;AACjD,SAAS,oBAAoB,6BAA6B;AAEnD,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,sBAAsB,KAAK,IAAI,MAAM;AAAA,MAC1C,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,iBAAiB,OAAe;AACpC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,mBAAmB,KAAK,IAAI,MAAM;AAAA,MACvC,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,yBAAyB,OAAe,UAAkB;AAC9D,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE;AAAA,QACA,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,MAAM;AAAA,UACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,QACpC;AAAA,MACF;AAAA,MACA;AAAA,MACA,EAAE,SAAS;AAAA,IACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAY,UAAkB;AACjD,QAAI,CAAC,KAAK,aAAc,QAAO;AAC/B,WAAO,QAAQ,UAAU,KAAK,YAAY;AAAA,EAC5C;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,WAAW,MAAM,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,EAAS;AAAA,MACtF,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AACA,WAAO,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI;AAAA,EACrC;AAAA,EAGA,MAAM,cAAc,MAAY,WAA+D;AAC7F,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AAC/G,UAAM,KAAK,GAAG,QAAQ,IAAI,EAAE,MAAM;AAClC,WAAO,EAAE,SAAS,MAAiB,OAAO,SAAS;AAAA,EACrD;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,OAAO,YAAY,CAAC;AAAA,EAC5D;AAAA,EAEA,MAAM,kBAAkB,WAAmB;AACzC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,IAAI,UAAU,CAAC;AAAA,EACvD;AAAA,EAEA,MAAM,sBAAsB,WAA4C;AACtE,UAAM,UAAU,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,IAAI,WAAW,WAAW,KAAK,CAAC;AACjF,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,sBAAsB,QAAgB;AAC1C,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAAA,EACtD;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,OAAO,YAAY,CAAC;AAClE,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,KAAK,KAAK,IAAI,WAAW,KAAK,CAAC;AAC7F,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,OAAO,SAAS,KAAK;AAAA,EACtC;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpH,UAAM,KAAK,GAAG,QAAQ,GAAG,EAAE,MAAM;AACjC,WAAO,EAAE,MAAM,OAAO,SAAS;AAAA,EACjC;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAA2C;AACnF,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,OAAO,YAAY,CAAC;AACvE,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAG9E,UAAM,WAAW,MAAM,KAAK,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,IAAI,IAAI,QAAQ,KAAK;AAAA,MAC3B,EAAE,QAAQ,IAAI;AAAA,IAChB;AACA,QAAI,aAAa,EAAG,QAAO;AAE3B,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,IAAI,KAAK,IAAI,WAAW,KAAK,CAAC;AAC5F,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,UAAM,KAAK,GAAG,MAAM;AACpB,UAAM,KAAK,sBAAsB,OAAO,KAAK,EAAE,CAAC;AAChD,WAAO;AAAA,EACT;AACF;",
+  "sourcesContent": ["import { EntityManager } from '@mikro-orm/postgresql'\nimport { compare, hash } from 'bcryptjs'\nimport { User, Role, UserRole, Session, PasswordReset } from '@open-mercato/core/modules/auth/data/entities'\nimport { emailHashLookupValues } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'\nimport { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\n// A fixed, valid bcrypt hash (cost 10) of a throwaway value no real password\n// can match. verifyPassword compares against it whenever the user is missing or\n// has no password hash, so a failed login spends the same bcrypt CPU time\n// regardless of whether the account exists \u2014 closing the timing side channel\n// for account enumeration (issue #2242).\nconst TIMING_EQUALIZER_PASSWORD_HASH = '$2b$10$OcZrhmZpIzJOjkfwUrk7d.Nl0eHNzOvalBcBlt5Ran.4lj8R3HZg6'\n\nexport class AuthService {\n  constructor(private em: EntityManager) {}\n\n  async findUserByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUsersByEmail(email: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findWithDecryption(this.em, User, {\n      deletedAt: null,\n      $or: [\n        { email },\n        { emailHash: { $in: emailHashes } },\n      ],\n    } as any)\n  }\n\n  async findUserByEmailAndTenant(email: string, tenantId: string) {\n    const emailHashes = emailHashLookupValues(email)\n    return findOneWithDecryption(\n      this.em,\n      User,\n      {\n        tenantId,\n        deletedAt: null,\n        $or: [\n          { email },\n          { emailHash: { $in: emailHashes } },\n        ],\n      } as any,\n      undefined,\n      { tenantId },\n    )\n  }\n\n  async verifyPassword(user: User | null, password: string) {\n    const storedHash = user?.passwordHash ?? null\n    // Always run a bcrypt comparison \u2014 against a fixed dummy hash when the user\n    // is absent or has no password \u2014 so login latency does not reveal whether\n    // the account exists (timing-based enumeration, issue #2242).\n    const matched = await compare(password, storedHash ?? TIMING_EQUALIZER_PASSWORD_HASH)\n    return storedHash !== null && matched\n  }\n\n  async updateLastLoginAt(user: User) {\n    const now = new Date()\n    // Use native update to avoid flushing unrelated entities that might be pending in this EM\n    await this.em.nativeUpdate(User, { id: user.id }, { lastLoginAt: now })\n    user.lastLoginAt = now\n  }\n\n  async getUserRoles(user: User, tenantId?: string | null): Promise<string[]> {\n    const resolvedTenantId = tenantId ?? user.tenantId ?? null\n    if (!resolvedTenantId) return []\n    const links = await findWithDecryption(\n      this.em,\n      UserRole,\n      { user, deletedAt: null, role: { tenantId: resolvedTenantId, deletedAt: null } as any },\n      { populate: ['role'] },\n      { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },\n    )\n    // A populated `role` can still be null when the link points at a soft-deleted\n    // role (the Role soft-delete filter suppresses hydration), e.g. an admin link\n    // orphaned by a re-seed during interrupted-provisioning recovery. Dropping such\n    // links keeps role resolution from throwing on the login / session-refresh hot\n    // path, mirroring resolveCanonicalStaffAuthContext in lib/sessionIntegrity.ts.\n    return links\n      .map((l) => l.role)\n      .filter((role): role is Role => !!role)\n      .map((role) => role.name)\n      .filter((name): name is string => typeof name === 'string' && name.trim().length > 0)\n  }\n\n\n  async createSession(user: User, expiresAt: Date): Promise<{ session: Session; token: string }> {\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const sess = this.em.create(Session as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(sess).flush()\n    return { session: sess as Session, token: rawToken }\n  }\n\n  async deleteSessionByToken(token: string) {\n    const hashedToken = hashAuthToken(token)\n    await this.em.nativeDelete(Session, { token: hashedToken })\n  }\n\n  async deleteSessionById(sessionId: string) {\n    await this.em.nativeDelete(Session, { id: sessionId })\n  }\n\n  async findActiveSessionById(sessionId: string): Promise<Session | null> {\n    const session = await this.em.findOne(Session, { id: sessionId, deletedAt: null })\n    if (!session) return null\n    if (session.expiresAt.getTime() < Date.now()) return null\n    return session\n  }\n\n  async deleteAllUserSessions(userId: string) {\n    await this.em.nativeDelete(Session, { user: userId })\n  }\n\n  async refreshFromSessionToken(token: string) {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const sess = await this.em.findOne(Session, { token: hashedToken })\n    if (!sess || sess.expiresAt <= now) return null\n    const user = await findOneWithDecryption(this.em, User, { id: sess.user.id, deletedAt: null })\n    if (!user) return null\n    const roles = await this.getUserRoles(user, user.tenantId ?? null)\n    return { user, roles, session: sess }\n  }\n\n  async requestPasswordReset(email: string) {\n    const user = await this.findUserByEmail(email)\n    if (!user) return null\n    const rawToken = generateAuthToken()\n    const tokenHash = hashAuthToken(rawToken)\n    const expiresAt = new Date(Date.now() + 60 * 60 * 1000)\n    const row = this.em.create(PasswordReset as any, { user, token: tokenHash, expiresAt, createdAt: new Date() } as any)\n    await this.em.persist(row).flush()\n    return { user, token: rawToken }\n  }\n\n  async confirmPasswordReset(token: string, newPassword: string): Promise<User | null> {\n    const now = new Date()\n    const hashedToken = hashAuthToken(token)\n    const row = await this.em.findOne(PasswordReset, { token: hashedToken })\n    if (!row || (row.usedAt && row.usedAt <= now) || row.expiresAt <= now) return null\n\n    // Atomic compare-and-set: only mark used if still unused \u2014 prevents token replay under concurrency\n    const affected = await this.em.nativeUpdate(\n      PasswordReset,\n      { id: row.id, usedAt: null },\n      { usedAt: now },\n    )\n    if (affected === 0) return null\n\n    const user = await findOneWithDecryption(this.em, User, { id: row.user.id, deletedAt: null })\n    if (!user) return null\n    user.passwordHash = await hash(newPassword, 10)\n    await this.em.flush()\n    await this.deleteAllUserSessions(String(user.id))\n    return user\n  }\n}\n"],
+  "mappings": "AACA,SAAS,SAAS,YAAY;AAC9B,SAAS,MAAY,UAAU,SAAS,qBAAqB;AAC7D,SAAS,6BAA6B;AACtC,SAAS,mBAAmB,qBAAqB;AACjD,SAAS,oBAAoB,6BAA6B;AAO1D,MAAM,iCAAiC;AAEhC,MAAM,YAAY;AAAA,EACvB,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,gBAAgB,OAAe;AACnC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,sBAAsB,KAAK,IAAI,MAAM;AAAA,MAC1C,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,iBAAiB,OAAe;AACpC,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO,mBAAmB,KAAK,IAAI,MAAM;AAAA,MACvC,WAAW;AAAA,MACX,KAAK;AAAA,QACH,EAAE,MAAM;AAAA,QACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,MACpC;AAAA,IACF,CAAQ;AAAA,EACV;AAAA,EAEA,MAAM,yBAAyB,OAAe,UAAkB;AAC9D,UAAM,cAAc,sBAAsB,KAAK;AAC/C,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE;AAAA,QACA,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,MAAM;AAAA,UACR,EAAE,WAAW,EAAE,KAAK,YAAY,EAAE;AAAA,QACpC;AAAA,MACF;AAAA,MACA;AAAA,MACA,EAAE,SAAS;AAAA,IACb;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAmB,UAAkB;AACxD,UAAM,aAAa,MAAM,gBAAgB;AAIzC,UAAM,UAAU,MAAM,QAAQ,UAAU,cAAc,8BAA8B;AACpF,WAAO,eAAe,QAAQ;AAAA,EAChC;AAAA,EAEA,MAAM,kBAAkB,MAAY;AAClC,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,KAAK,GAAG,aAAa,MAAM,EAAE,IAAI,KAAK,GAAG,GAAG,EAAE,aAAa,IAAI,CAAC;AACtE,SAAK,cAAc;AAAA,EACrB;AAAA,EAEA,MAAM,aAAa,MAAY,UAA6C;AAC1E,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB,QAAO,CAAC;AAC/B,UAAM,QAAQ,MAAM;AAAA,MAClB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,MAAM,WAAW,MAAM,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,EAAS;AAAA,MACtF,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,kBAAkB,gBAAgB,KAAK,kBAAkB,KAAK;AAAA,IAC5E;AAMA,WAAO,MACJ,IAAI,CAAC,MAAM,EAAE,IAAI,EACjB,OAAO,CAAC,SAAuB,CAAC,CAAC,IAAI,EACrC,IAAI,CAAC,SAAS,KAAK,IAAI,EACvB,OAAO,CAAC,SAAyB,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,SAAS,CAAC;AAAA,EACxF;AAAA,EAGA,MAAM,cAAc,MAAY,WAA+D;AAC7F,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,OAAO,KAAK,GAAG,OAAO,SAAgB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AAC/G,UAAM,KAAK,GAAG,QAAQ,IAAI,EAAE,MAAM;AAClC,WAAO,EAAE,SAAS,MAAiB,OAAO,SAAS;AAAA,EACrD;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,OAAO,YAAY,CAAC;AAAA,EAC5D;AAAA,EAEA,MAAM,kBAAkB,WAAmB;AACzC,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,IAAI,UAAU,CAAC;AAAA,EACvD;AAAA,EAEA,MAAM,sBAAsB,WAA4C;AACtE,UAAM,UAAU,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,IAAI,WAAW,WAAW,KAAK,CAAC;AACjF,QAAI,CAAC,QAAS,QAAO;AACrB,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,EAAG,QAAO;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,sBAAsB,QAAgB;AAC1C,UAAM,KAAK,GAAG,aAAa,SAAS,EAAE,MAAM,OAAO,CAAC;AAAA,EACtD;AAAA,EAEA,MAAM,wBAAwB,OAAe;AAC3C,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,OAAO,MAAM,KAAK,GAAG,QAAQ,SAAS,EAAE,OAAO,YAAY,CAAC;AAClE,QAAI,CAAC,QAAQ,KAAK,aAAa,IAAK,QAAO;AAC3C,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,KAAK,KAAK,IAAI,WAAW,KAAK,CAAC;AAC7F,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,QAAQ,MAAM,KAAK,aAAa,MAAM,KAAK,YAAY,IAAI;AACjE,WAAO,EAAE,MAAM,OAAO,SAAS,KAAK;AAAA,EACtC;AAAA,EAEA,MAAM,qBAAqB,OAAe;AACxC,UAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK;AAC7C,QAAI,CAAC,KAAM,QAAO;AAClB,UAAM,WAAW,kBAAkB;AACnC,UAAM,YAAY,cAAc,QAAQ;AACxC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,GAAI;AACtD,UAAM,MAAM,KAAK,GAAG,OAAO,eAAsB,EAAE,MAAM,OAAO,WAAW,WAAW,WAAW,oBAAI,KAAK,EAAE,CAAQ;AACpH,UAAM,KAAK,GAAG,QAAQ,GAAG,EAAE,MAAM;AACjC,WAAO,EAAE,MAAM,OAAO,SAAS;AAAA,EACjC;AAAA,EAEA,MAAM,qBAAqB,OAAe,aAA2C;AACnF,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,cAAc,cAAc,KAAK;AACvC,UAAM,MAAM,MAAM,KAAK,GAAG,QAAQ,eAAe,EAAE,OAAO,YAAY,CAAC;AACvE,QAAI,CAAC,OAAQ,IAAI,UAAU,IAAI,UAAU,OAAQ,IAAI,aAAa,IAAK,QAAO;AAG9E,UAAM,WAAW,MAAM,KAAK,GAAG;AAAA,MAC7B;AAAA,MACA,EAAE,IAAI,IAAI,IAAI,QAAQ,KAAK;AAAA,MAC3B,EAAE,QAAQ,IAAI;AAAA,IAChB;AACA,QAAI,aAAa,EAAG,QAAO;AAE3B,UAAM,OAAO,MAAM,sBAAsB,KAAK,IAAI,MAAM,EAAE,IAAI,IAAI,KAAK,IAAI,WAAW,KAAK,CAAC;AAC5F,QAAI,CAAC,KAAM,QAAO;AAClB,SAAK,eAAe,MAAM,KAAK,aAAa,EAAE;AAC9C,UAAM,KAAK,GAAG,MAAM;AACpB,UAAM,KAAK,sBAAsB,OAAO,KAAK,EAAE,CAAC;AAChD,WAAO;AAAA,EACT;AACF;",
   "names": []
 }

package/dist/modules/auth/services/rbacService.js

@@ -2,6 +2,7 @@ import { getCurrentCacheTenant, runWithCacheTenant } from "@open-mercato/cache";
 import { UserAcl, RoleAcl, User, UserRole } from "@open-mercato/core/modules/auth/data/entities";
 import { ApiKey } from "@open-mercato/core/modules/api_keys/data/entities";
 import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
+import { buildOrgScopeUserCacheTag, buildOrgScopeTenantCacheTag } from "@open-mercato/core/modules/directory/utils/organizationScope";
 import { matchFeature as sharedMatchFeature, hasAllFeatures as sharedHasAllFeatures } from "@open-mercato/shared/lib/auth/featureMatch";
 import { filterGrantsByEnabledModules, getOwningModuleId, getEnabledModuleIds } from "@open-mercato/shared/security/enabledModulesRegistry";
 function isAclData(value) {
@@ -106,7 +107,7 @@ class RbacService {
    */
   async invalidateUserCache(userId) {
     this.globalSuperAdminCache.delete(userId);
-    await this.deleteCacheByTags([this.getUserTag(userId)]);
+    await this.deleteCacheByTags([this.getUserTag(userId), buildOrgScopeUserCacheTag(userId)]);
   }
   /**
    * Invalidates cached ACL data for all users within a specific tenant.
@@ -117,7 +118,7 @@ class RbacService {
    */
   async invalidateTenantCache(tenantId) {
     this.globalSuperAdminCache.clear();
-    await this.deleteCacheByTags([this.getTenantTag(tenantId)], [tenantId]);
+    await this.deleteCacheByTags([this.getTenantTag(tenantId), buildOrgScopeTenantCacheTag(tenantId)], [tenantId]);
   }
   /**
    * Invalidates cached ACL data for all users within a specific organization.

package/dist/modules/auth/services/rbacService.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/auth/services/rbacService.ts"],
-  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { getCurrentCacheTenant, runWithCacheTenant } from '@open-mercato/cache'\nimport { UserAcl, RoleAcl, User, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { ApiKey } from '@open-mercato/core/modules/api_keys/data/entities'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { matchFeature as sharedMatchFeature, hasAllFeatures as sharedHasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'\nimport { filterGrantsByEnabledModules, getOwningModuleId, getEnabledModuleIds } from '@open-mercato/shared/security/enabledModulesRegistry'\n\ninterface AclData {\n  isSuperAdmin: boolean\n  features: string[]\n  organizations: string[] | null\n}\n\nfunction isAclData(value: unknown): value is AclData {\n  if (typeof value !== 'object' || value === null) return false\n  const record = value as Partial<AclData>\n  if (typeof record.isSuperAdmin !== 'boolean') return false\n  if (!Array.isArray(record.features) || record.features.some((feature) => typeof feature !== 'string')) return false\n  if (record.organizations !== null && record.organizations !== undefined) {\n    if (!Array.isArray(record.organizations)) return false\n    if (record.organizations.some((org) => typeof org !== 'string')) return false\n  }\n  return true\n}\n\nexport class RbacService {\n  private cacheTtlMs: number = 5 * 60 * 1000 // 5 minutes default\n  private cache: CacheStrategy | null = null\n  private globalSuperAdminCache = new Map<string, boolean>()\n\n  constructor(private em: EntityManager, cache?: CacheStrategy) {\n    this.cache = cache || null\n  }\n\n  /**\n   * Set cache TTL in milliseconds\n   * @param ttlMs - Time to live in milliseconds\n   */\n  setCacheTtl(ttlMs: number) {\n    this.cacheTtlMs = ttlMs\n  }\n\n  /**\n   * Checks if a required feature is satisfied by a granted feature permission.\n   * \n   * Wildcard patterns:\n   * - `*` (global wildcard): Grants access to all features\n   * - `prefix.*` (module wildcard): Grants access to all features starting with `prefix.`\n   *   and also the exact prefix itself (e.g., `entities.*` matches both `entities` and `entities.records.view`)\n   * - Exact match: Feature must match exactly (e.g., `users.view` only matches `users.view`)\n   * \n   * @param required - The feature being requested (e.g., 'entities.records.view')\n   * @param granted - The feature permission granted (e.g., 'entities.*' or '*')\n   * @returns true if the granted permission satisfies the required feature\n   * \n   * @example\n   * matchFeature('users.view', '*') // true - global wildcard\n   * matchFeature('entities.records.view', 'entities.*') // true - module wildcard\n   * matchFeature('entities', 'entities.*') // true - exact prefix match\n   * matchFeature('users.view', 'entities.*') // false - different module\n   * matchFeature('users.view', 'users.view') // true - exact match\n   */\n  private matchFeature(required: string, granted: string): boolean {\n    return sharedMatchFeature(required, granted)\n  }\n\n  public hasAllFeatures(required: string[], granted: string[]): boolean {\n    return sharedHasAllFeatures(required, granted)\n  }\n\n  private roleAclAllowsOrganization(acl: RoleAcl, organizationId: string | null | undefined): boolean {\n    if (!organizationId) return true\n    const organizations = Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null\n    if (!organizations || !organizations.length || organizations.includes('__all__')) return true\n    return organizations.includes(organizationId)\n  }\n\n  private getCacheKey(userId: string, scope: { tenantId: string | null; organizationId: string | null }): string {\n    return `rbac:${userId}:${scope.tenantId || 'null'}:${scope.organizationId || 'null'}`\n  }\n\n  private getUserTag(userId: string): string {\n    return `rbac:user:${userId}`\n  }\n\n  private getTenantTag(tenantId: string): string {\n    return `rbac:tenant:${tenantId}`\n  }\n\n  private getOrganizationTag(organizationId: string): string {\n    return `rbac:org:${organizationId}`\n  }\n\n  private async getFromCache(cacheKey: string): Promise<AclData | null> {\n    if (!this.cache) return null\n    const cached = await this.cache.get(cacheKey)\n    if (!cached) return null\n    return isAclData(cached) ? cached : null\n  }\n\n  private async setCache(cacheKey: string, data: AclData, userId: string, scope: { tenantId: string | null; organizationId: string | null }): Promise<void> {\n    if (!this.cache) return\n\n    const tags = [\n      this.getUserTag(userId),\n      'rbac:all'\n    ]\n\n    if (scope.tenantId) {\n      tags.push(this.getTenantTag(scope.tenantId))\n    }\n\n    if (scope.organizationId) {\n      tags.push(this.getOrganizationTag(scope.organizationId))\n    }\n\n    await this.cache.set(cacheKey, data, {\n      ttl: this.cacheTtlMs,\n      tags\n    })\n  }\n\n  /**\n   * Invalidates cached ACL data for a specific user across all tenants and organizations.\n   * Call this when a user's roles or user-specific ACL is modified.\n   * \n   * @param userId - The ID of the user whose cache should be invalidated\n   */\n  async invalidateUserCache(userId: string): Promise<void> {\n    this.globalSuperAdminCache.delete(userId)\n    await this.deleteCacheByTags([this.getUserTag(userId)])\n  }\n\n  /**\n   * Invalidates cached ACL data for all users within a specific tenant.\n   * Call this when a role's ACL is modified, since roles are tenant-scoped\n   * and affect all users in that tenant who have that role.\n   * \n   * @param tenantId - The ID of the tenant whose cache should be invalidated\n   */\n  async invalidateTenantCache(tenantId: string): Promise<void> {\n    this.globalSuperAdminCache.clear()\n    await this.deleteCacheByTags([this.getTenantTag(tenantId)], [tenantId])\n  }\n\n  /**\n   * Invalidates cached ACL data for all users within a specific organization.\n   * Call this when organization-level permissions or visibility changes.\n   * \n   * @param organizationId - The ID of the organization whose cache should be invalidated\n   */\n  async invalidateOrganizationCache(organizationId: string): Promise<void> {\n    await this.deleteCacheByTags([this.getOrganizationTag(organizationId)])\n  }\n\n  /**\n   * Clears all cached ACL data.\n   * Use this for bulk operations or system-wide ACL changes.\n   */\n  async invalidateAllCache(): Promise<void> {\n    this.globalSuperAdminCache.clear()\n    await this.deleteCacheByTags(['rbac:all'])\n  }\n\n  private async deleteCacheByTags(tags: string[], tenantHints?: Array<string | null>): Promise<void> {\n    if (!this.cache) return\n    const contexts = new Set<string | null>()\n    const current = getCurrentCacheTenant()\n    contexts.add(current ?? null)\n    contexts.add(null)\n    if (Array.isArray(tenantHints)) {\n      for (const hint of tenantHints) {\n        contexts.add(hint ?? null)\n      }\n    }\n    for (const ctx of contexts) {\n      if (ctx === current) {\n        await this.cache.deleteByTags(tags)\n      } else {\n        await runWithCacheTenant(ctx, async () => {\n          await this.cache!.deleteByTags(tags)\n        })\n      }\n    }\n  }\n\n  private async isGlobalSuperAdmin(userId: string): Promise<boolean> {\n    if (this.globalSuperAdminCache.has(userId)) return this.globalSuperAdminCache.get(userId)!\n    const em = this.em.fork()\n    const userSuper = await em.findOne(UserAcl, { user: userId as any, isSuperAdmin: true })\n    if (userSuper && (userSuper as any).isSuperAdmin) {\n      this.globalSuperAdminCache.set(userId, true)\n      return true\n    }\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { user: userId as any },\n      { populate: ['role'] },\n      { tenantId: null, organizationId: null },\n    )\n    const linkList = Array.isArray(links) ? links : []\n    if (!linkList.length) {\n      this.globalSuperAdminCache.set(userId, false)\n      return false\n    }\n    const roleIds = Array.from(new Set(linkList.map((link) => {\n      const role = link.role as any\n      return role?.id ? String(role.id) : null\n    }).filter((id): id is string => typeof id === 'string' && id.length > 0)))\n    if (!roleIds.length) {\n      this.globalSuperAdminCache.set(userId, false)\n      return false\n    }\n    const roleSuper = await em.findOne(RoleAcl, { isSuperAdmin: true, role: { $in: roleIds as any } } as any)\n    const result = !!(roleSuper && (roleSuper as any).isSuperAdmin)\n    this.globalSuperAdminCache.set(userId, result)\n    return result\n  }\n\n  /**\n   * Loads the Access Control List (ACL) for a user within a given scope.\n   * \n   * The ACL resolution follows this priority:\n   * 1. Per-user ACL (UserAcl) - if exists, use it exclusively\n   * 2. Aggregated role ACLs (RoleAcl) - combine permissions from all user's roles\n   * \n   * Results are cached for performance (default 5 minutes TTL).\n   * Cache is automatically invalidated when ACL-related data changes.\n   * \n   * @param userId - The ID of the user\n   * @param scope - The tenant and organization context for ACL evaluation\n   * @returns An object containing:\n   *   - isSuperAdmin: If true, user has unrestricted access to all features\n   *   - features: Array of feature strings (may include wildcards like 'entities.*')\n   *   - organizations: Array of organization IDs user can access, or null for all organizations\n   * \n   * @example\n   * const acl = await rbacService.loadAcl('user-123', { tenantId: 'tenant-1', organizationId: 'org-1' })\n   * // Returns: { isSuperAdmin: false, features: ['users.view', 'entities.*'], organizations: ['org-1', 'org-2'] }\n   */\n  async loadAcl(userId: string, scope: { tenantId: string | null; organizationId: string | null }): Promise<{\n    isSuperAdmin: boolean\n    features: string[]\n    organizations: string[] | null\n  }> {\n    const cacheKey = this.getCacheKey(userId, scope)\n    const cached = await this.getFromCache(cacheKey)\n    if (cached) return cached\n\n    if (!userId.startsWith('api_key:')) {\n      if (await this.isGlobalSuperAdmin(userId)) {\n        const result = { isSuperAdmin: true, features: ['*'], organizations: null }\n        await this.setCache(cacheKey, result, userId, scope)\n        return result\n      }\n    }\n\n    if (userId.startsWith('api_key:')) {\n      const apiKeyId = userId.slice('api_key:'.length)\n      const em = this.em.fork()\n      const key = await em.findOne(ApiKey, { id: apiKeyId, deletedAt: null })\n      if (!key || (key.expiresAt && key.expiresAt.getTime() < Date.now())) {\n        const result = { isSuperAdmin: false, features: [], organizations: null }\n        await this.setCache(cacheKey, result, userId, scope)\n        return result\n      }\n      const tenantId = scope.tenantId || key.tenantId || null\n      const roleIds = Array.isArray(key.rolesJson) ? key.rolesJson.filter(Boolean) : []\n      let isSuper = false\n      const features: string[] = []\n      let organizations: string[] | null = key.organizationId ? [key.organizationId] : null\n      if (tenantId && roleIds.length) {\n        const racls = await em.find(RoleAcl, { tenantId, role: { $in: roleIds as any } } as any)\n        for (const acl of racls) {\n          isSuper = isSuper || !!acl.isSuperAdmin\n          if (Array.isArray(acl.featuresJson)) {\n            for (const f of acl.featuresJson) if (!features.includes(f)) features.push(f)\n          }\n          if (organizations !== null) {\n            if (acl.organizationsJson == null) {\n              organizations = null\n            } else if (Array.isArray(acl.organizationsJson) && acl.organizationsJson.includes('__all__')) {\n              organizations = null\n            } else {\n              organizations = Array.from(new Set([...(organizations || []), ...acl.organizationsJson]))\n            }\n          }\n        }\n      }\n      const result = { isSuperAdmin: isSuper, features, organizations }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Use a forked EntityManager to avoid inheriting an aborted transaction from callers\n    const em = this.em.fork()\n    const user = await em.findOne(User, { id: userId })\n    if (!user) {\n      const result = { isSuperAdmin: false, features: [], organizations: null }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n    const tenantId = scope.tenantId || user.tenantId || null\n    const orgId = scope.organizationId || user.organizationId || null\n\n    if (!tenantId) {\n      const result = { isSuperAdmin: false, features: [], organizations: null }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Per-user ACL first\n    const uacl = await em.findOne(UserAcl, { user: userId as any, tenantId })\n    if (uacl) {\n      const result = {\n        isSuperAdmin: !!uacl.isSuperAdmin,\n        features: Array.isArray(uacl.featuresJson) ? (uacl.featuresJson as string[]) : [],\n        organizations: Array.isArray(uacl.organizationsJson) ? (uacl.organizationsJson as string[]) : null,\n      }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Aggregate role ACLs\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { user: userId as any, role: { tenantId } } as any,\n      { populate: ['role'] },\n      { tenantId, organizationId: orgId },\n    )\n    const linkList = Array.isArray(links) ? links : []\n    const roleIds = linkList.map((l) => (l.role as any)?.id).filter(Boolean)\n    let isSuper = false\n    const features: string[] = []\n    let organizations: string[] | null = []\n    if (roleIds.length) {\n      const racls = await em.find(RoleAcl, { tenantId, role: { $in: roleIds as any } } as any, {})\n      const roleAcls = Array.isArray(racls) ? racls : []\n      for (const r of roleAcls) {\n        isSuper = isSuper || !!r.isSuperAdmin\n        if (Array.isArray(r.featuresJson)) for (const f of r.featuresJson) if (!features.includes(f)) features.push(f)\n        if (organizations !== null) {\n          if (r.organizationsJson == null) organizations = null\n          else if (Array.isArray(r.organizationsJson) && r.organizationsJson.includes('__all__')) organizations = null\n          else organizations = Array.from(new Set([...(organizations || []), ...r.organizationsJson]))\n        }\n      }\n    }\n    if (organizations && orgId && !organizations.includes(orgId) && !organizations.includes('__all__')) {\n      // Out-of-scope org; caller will enforce\n    }\n    const result = { isSuperAdmin: isSuper, features, organizations }\n    await this.setCache(cacheKey, result, userId, scope)\n    return result\n  }\n\n  /**\n   * Returns the user's granted feature strings for a given scope.\n   *\n   * Used by infrastructure that needs the raw grant list rather than a yes/no\n   * authorization check (for example response enrichers gating themselves with\n   * `features: [...]`). Callers MUST apply wildcard-aware matching against the\n   * returned array \u2014 grants like `module.*` or `*` are part of the ACL contract.\n   *\n   * @param userId - The ID of the user\n   * @param scope - The tenant and organization context for ACL evaluation\n   * @returns Array of feature strings (may include wildcards); empty array when\n   *          the user has no grants in scope\n   */\n  async getGrantedFeatures(\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ): Promise<string[]> {\n    const acl = await this.loadAcl(userId, scope)\n    return Array.isArray(acl.features) ? acl.features : []\n  }\n\n  /**\n   * Checks whether any tenant role grants a feature.\n   *\n   * This supports non-user runtimes such as scheduler workers that execute with\n   * tenant scope but without an authenticated user.\n   */\n  async tenantHasFeature(\n    tenantId: string | null | undefined,\n    feature: string,\n    opts?: { organizationId?: string | null },\n  ): Promise<boolean> {\n    if (!tenantId || !feature) return false\n\n    const enabledIds = getEnabledModuleIds()\n    if (enabledIds.length && !enabledIds.includes(getOwningModuleId(feature))) return false\n\n    const em = this.em.fork()\n    const roleAcls = await em.find(RoleAcl, { tenantId, deletedAt: null } as any, {})\n    const list = Array.isArray(roleAcls) ? roleAcls : []\n    const organizationId = opts?.organizationId ?? null\n\n    for (const acl of list) {\n      if (!this.roleAclAllowsOrganization(acl, organizationId)) continue\n      if (acl.isSuperAdmin) return true\n      const grants = Array.isArray(acl.featuresJson) ? acl.featuresJson : []\n      if (this.hasAllFeatures([feature], filterGrantsByEnabledModules(grants))) return true\n    }\n\n    return false\n  }\n\n  /**\n   * Checks if a user has all required features within a given scope.\n   *\n   * This is the primary authorization check method used throughout the application.\n   * It combines feature checking with organization visibility validation.\n   *\n   * Authorization logic:\n   * 1. No features required \u2192 always returns true\n   * 2. User is super admin \u2192 always returns true\n   * 3. Organization restriction check: If the user's ACL has a restricted organization list\n   *    and the requested organization is not in that list \u2192 returns false\n   * 4. Feature matching: User must have all required features (supports wildcards)\n   *\n   * @param userId - The ID of the user\n   * @param required - Array of feature strings to check (e.g., ['users.view', 'users.edit'])\n   * @param scope - The tenant and organization context for authorization\n   * @returns true if the user has all required features and organization access, false otherwise\n   *\n   * @example\n   * // Check if user can view and edit users\n   * const canManageUsers = await rbacService.userHasAllFeatures(\n   *   'user-123',\n   *   ['users.view', 'users.edit'],\n   *   { tenantId: 'tenant-1', organizationId: 'org-1' }\n   * )\n   *\n   * @example\n   * // Check with wildcard features\n   * const canAccessEntities = await rbacService.userHasAllFeatures(\n   *   'user-123',\n   *   ['entities.records.view'],\n   *   { tenantId: 'tenant-1', organizationId: 'org-1' }\n   * )\n   * // Returns true if user has 'entities.*', '*', or 'entities.records.view'\n   */\n  async userHasAllFeatures(userId: string, required: string[], scope: { tenantId: string | null; organizationId: string | null }): Promise<boolean> {\n    if (!required.length) return true\n    const acl = await this.loadAcl(userId, scope)\n    if (acl.isSuperAdmin) {\n      const enabledIds = getEnabledModuleIds()\n      if (!enabledIds.length) return true\n      const enabledSet = new Set(enabledIds)\n      return required.every((feature) => enabledSet.has(getOwningModuleId(feature)))\n    }\n    if (acl.organizations && scope.organizationId && !acl.organizations.includes(scope.organizationId) && !acl.organizations.includes('__all__')) return false\n    return this.hasAllFeatures(required, filterGrantsByEnabledModules(acl.features))\n  }\n}\n"],
-  "mappings": "AAEA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,SAAS,SAAS,MAAM,gBAAgB;AACjD,SAAS,cAAc;AACvB,SAAS,0BAA0B;AACnC,SAAS,gBAAgB,oBAAoB,kBAAkB,4BAA4B;AAC3F,SAAS,8BAA8B,mBAAmB,2BAA2B;AAQrF,SAAS,UAAU,OAAkC;AACnD,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,SAAS;AACf,MAAI,OAAO,OAAO,iBAAiB,UAAW,QAAO;AACrD,MAAI,CAAC,MAAM,QAAQ,OAAO,QAAQ,KAAK,OAAO,SAAS,KAAK,CAAC,YAAY,OAAO,YAAY,QAAQ,EAAG,QAAO;AAC9G,MAAI,OAAO,kBAAkB,QAAQ,OAAO,kBAAkB,QAAW;AACvE,QAAI,CAAC,MAAM,QAAQ,OAAO,aAAa,EAAG,QAAO;AACjD,QAAI,OAAO,cAAc,KAAK,CAAC,QAAQ,OAAO,QAAQ,QAAQ,EAAG,QAAO;AAAA,EAC1E;AACA,SAAO;AACT;AAEO,MAAM,YAAY;AAAA,EAKvB,YAAoB,IAAmB,OAAuB;AAA1C;AAJpB,SAAQ,aAAqB,IAAI,KAAK;AACtC;AAAA,SAAQ,QAA8B;AACtC,SAAQ,wBAAwB,oBAAI,IAAqB;AAGvD,SAAK,QAAQ,SAAS;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,OAAe;AACzB,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBQ,aAAa,UAAkB,SAA0B;AAC/D,WAAO,mBAAmB,UAAU,OAAO;AAAA,EAC7C;AAAA,EAEO,eAAe,UAAoB,SAA4B;AACpE,WAAO,qBAAqB,UAAU,OAAO;AAAA,EAC/C;AAAA,EAEQ,0BAA0B,KAAc,gBAAoD;AAClG,QAAI,CAAC,eAAgB,QAAO;AAC5B,UAAM,gBAAgB,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AACrF,QAAI,CAAC,iBAAiB,CAAC,cAAc,UAAU,cAAc,SAAS,SAAS,EAAG,QAAO;AACzF,WAAO,cAAc,SAAS,cAAc;AAAA,EAC9C;AAAA,EAEQ,YAAY,QAAgB,OAA2E;AAC7G,WAAO,QAAQ,MAAM,IAAI,MAAM,YAAY,MAAM,IAAI,MAAM,kBAAkB,MAAM;AAAA,EACrF;AAAA,EAEQ,WAAW,QAAwB;AACzC,WAAO,aAAa,MAAM;AAAA,EAC5B;AAAA,EAEQ,aAAa,UAA0B;AAC7C,WAAO,eAAe,QAAQ;AAAA,EAChC;AAAA,EAEQ,mBAAmB,gBAAgC;AACzD,WAAO,YAAY,cAAc;AAAA,EACnC;AAAA,EAEA,MAAc,aAAa,UAA2C;AACpE,QAAI,CAAC,KAAK,MAAO,QAAO;AACxB,UAAM,SAAS,MAAM,KAAK,MAAM,IAAI,QAAQ;AAC5C,QAAI,CAAC,OAAQ,QAAO;AACpB,WAAO,UAAU,MAAM,IAAI,SAAS;AAAA,EACtC;AAAA,EAEA,MAAc,SAAS,UAAkB,MAAe,QAAgB,OAAkF;AACxJ,QAAI,CAAC,KAAK,MAAO;AAEjB,UAAM,OAAO;AAAA,MACX,KAAK,WAAW,MAAM;AAAA,MACtB;AAAA,IACF;AAEA,QAAI,MAAM,UAAU;AAClB,WAAK,KAAK,KAAK,aAAa,MAAM,QAAQ,CAAC;AAAA,IAC7C;AAEA,QAAI,MAAM,gBAAgB;AACxB,WAAK,KAAK,KAAK,mBAAmB,MAAM,cAAc,CAAC;AAAA,IACzD;AAEA,UAAM,KAAK,MAAM,IAAI,UAAU,MAAM;AAAA,MACnC,KAAK,KAAK;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,oBAAoB,QAA+B;AACvD,SAAK,sBAAsB,OAAO,MAAM;AACxC,UAAM,KAAK,kBAAkB,CAAC,KAAK,WAAW,MAAM,CAAC,CAAC;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,sBAAsB,UAAiC;AAC3D,SAAK,sBAAsB,MAAM;AACjC,UAAM,KAAK,kBAAkB,CAAC,KAAK,aAAa,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,4BAA4B,gBAAuC;AACvE,UAAM,KAAK,kBAAkB,CAAC,KAAK,mBAAmB,cAAc,CAAC,CAAC;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,qBAAoC;AACxC,SAAK,sBAAsB,MAAM;AACjC,UAAM,KAAK,kBAAkB,CAAC,UAAU,CAAC;AAAA,EAC3C;AAAA,EAEA,MAAc,kBAAkB,MAAgB,aAAmD;AACjG,QAAI,CAAC,KAAK,MAAO;AACjB,UAAM,WAAW,oBAAI,IAAmB;AACxC,UAAM,UAAU,sBAAsB;AACtC,aAAS,IAAI,WAAW,IAAI;AAC5B,aAAS,IAAI,IAAI;AACjB,QAAI,MAAM,QAAQ,WAAW,GAAG;AAC9B,iBAAW,QAAQ,aAAa;AAC9B,iBAAS,IAAI,QAAQ,IAAI;AAAA,MAC3B;AAAA,IACF;AACA,eAAW,OAAO,UAAU;AAC1B,UAAI,QAAQ,SAAS;AACnB,cAAM,KAAK,MAAM,aAAa,IAAI;AAAA,MACpC,OAAO;AACL,cAAM,mBAAmB,KAAK,YAAY;AACxC,gBAAM,KAAK,MAAO,aAAa,IAAI;AAAA,QACrC,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,mBAAmB,QAAkC;AACjE,QAAI,KAAK,sBAAsB,IAAI,MAAM,EAAG,QAAO,KAAK,sBAAsB,IAAI,MAAM;AACxF,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,YAAY,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,QAAe,cAAc,KAAK,CAAC;AACvF,QAAI,aAAc,UAAkB,cAAc;AAChD,WAAK,sBAAsB,IAAI,QAAQ,IAAI;AAC3C,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,OAAc;AAAA,MACtB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,UAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,QAAI,CAAC,SAAS,QAAQ;AACpB,WAAK,sBAAsB,IAAI,QAAQ,KAAK;AAC5C,aAAO;AAAA,IACT;AACA,UAAM,UAAU,MAAM,KAAK,IAAI,IAAI,SAAS,IAAI,CAAC,SAAS;AACxD,YAAM,OAAO,KAAK;AAClB,aAAO,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI;AAAA,IACtC,CAAC,EAAE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC,CAAC,CAAC;AACzE,QAAI,CAAC,QAAQ,QAAQ;AACnB,WAAK,sBAAsB,IAAI,QAAQ,KAAK;AAC5C,aAAO;AAAA,IACT;AACA,UAAM,YAAY,MAAM,GAAG,QAAQ,SAAS,EAAE,cAAc,MAAM,MAAM,EAAE,KAAK,QAAe,EAAE,CAAQ;AACxG,UAAM,SAAS,CAAC,EAAE,aAAc,UAAkB;AAClD,SAAK,sBAAsB,IAAI,QAAQ,MAAM;AAC7C,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,MAAM,QAAQ,QAAgB,OAI3B;AACD,UAAM,WAAW,KAAK,YAAY,QAAQ,KAAK;AAC/C,UAAM,SAAS,MAAM,KAAK,aAAa,QAAQ;AAC/C,QAAI,OAAQ,QAAO;AAEnB,QAAI,CAAC,OAAO,WAAW,UAAU,GAAG;AAClC,UAAI,MAAM,KAAK,mBAAmB,MAAM,GAAG;AACzC,cAAMA,UAAS,EAAE,cAAc,MAAM,UAAU,CAAC,GAAG,GAAG,eAAe,KAAK;AAC1E,cAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,eAAOA;AAAA,MACT;AAAA,IACF;AAEA,QAAI,OAAO,WAAW,UAAU,GAAG;AACjC,YAAM,WAAW,OAAO,MAAM,WAAW,MAAM;AAC/C,YAAMC,MAAK,KAAK,GAAG,KAAK;AACxB,YAAM,MAAM,MAAMA,IAAG,QAAQ,QAAQ,EAAE,IAAI,UAAU,WAAW,KAAK,CAAC;AACtE,UAAI,CAAC,OAAQ,IAAI,aAAa,IAAI,UAAU,QAAQ,IAAI,KAAK,IAAI,GAAI;AACnE,cAAMD,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,cAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,eAAOA;AAAA,MACT;AACA,YAAME,YAAW,MAAM,YAAY,IAAI,YAAY;AACnD,YAAMC,WAAU,MAAM,QAAQ,IAAI,SAAS,IAAI,IAAI,UAAU,OAAO,OAAO,IAAI,CAAC;AAChF,UAAIC,WAAU;AACd,YAAMC,YAAqB,CAAC;AAC5B,UAAIC,iBAAiC,IAAI,iBAAiB,CAAC,IAAI,cAAc,IAAI;AACjF,UAAIJ,aAAYC,SAAQ,QAAQ;AAC9B,cAAM,QAAQ,MAAMF,IAAG,KAAK,SAAS,EAAE,UAAAC,WAAU,MAAM,EAAE,KAAKC,SAAe,EAAE,CAAQ;AACvF,mBAAW,OAAO,OAAO;AACvB,UAAAC,WAAUA,YAAW,CAAC,CAAC,IAAI;AAC3B,cAAI,MAAM,QAAQ,IAAI,YAAY,GAAG;AACnC,uBAAW,KAAK,IAAI,aAAc,KAAI,CAACC,UAAS,SAAS,CAAC,EAAG,CAAAA,UAAS,KAAK,CAAC;AAAA,UAC9E;AACA,cAAIC,mBAAkB,MAAM;AAC1B,gBAAI,IAAI,qBAAqB,MAAM;AACjC,cAAAA,iBAAgB;AAAA,YAClB,WAAW,MAAM,QAAQ,IAAI,iBAAiB,KAAK,IAAI,kBAAkB,SAAS,SAAS,GAAG;AAC5F,cAAAA,iBAAgB;AAAA,YAClB,OAAO;AACL,cAAAA,iBAAgB,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAIA,kBAAiB,CAAC,GAAI,GAAG,IAAI,iBAAiB,CAAC,CAAC;AAAA,YAC1F;AAAA,UACF;AAAA,QACF;AAAA,MACF;AACA,YAAMN,UAAS,EAAE,cAAcI,UAAS,UAAAC,WAAU,eAAAC,eAAc;AAChE,YAAM,KAAK,SAAS,UAAUN,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,CAAC;AAClD,QAAI,CAAC,MAAM;AACT,YAAMA,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AACA,UAAM,WAAW,MAAM,YAAY,KAAK,YAAY;AACpD,UAAM,QAAQ,MAAM,kBAAkB,KAAK,kBAAkB;AAE7D,QAAI,CAAC,UAAU;AACb,YAAMA,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,OAAO,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,QAAe,SAAS,CAAC;AACxE,QAAI,MAAM;AACR,YAAMA,UAAS;AAAA,QACb,cAAc,CAAC,CAAC,KAAK;AAAA,QACrB,UAAU,MAAM,QAAQ,KAAK,YAAY,IAAK,KAAK,eAA4B,CAAC;AAAA,QAChF,eAAe,MAAM,QAAQ,KAAK,iBAAiB,IAAK,KAAK,oBAAiC;AAAA,MAChG;AACA,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAe,MAAM,EAAE,SAAS,EAAE;AAAA,MAC1C,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,gBAAgB,MAAM;AAAA,IACpC;AACA,UAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,UAAM,UAAU,SAAS,IAAI,CAAC,MAAO,EAAE,MAAc,EAAE,EAAE,OAAO,OAAO;AACvE,QAAI,UAAU;AACd,UAAM,WAAqB,CAAC;AAC5B,QAAI,gBAAiC,CAAC;AACtC,QAAI,QAAQ,QAAQ;AAClB,YAAM,QAAQ,MAAM,GAAG,KAAK,SAAS,EAAE,UAAU,MAAM,EAAE,KAAK,QAAe,EAAE,GAAU,CAAC,CAAC;AAC3F,YAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,iBAAW,KAAK,UAAU;AACxB,kBAAU,WAAW,CAAC,CAAC,EAAE;AACzB,YAAI,MAAM,QAAQ,EAAE,YAAY;AAAG,qBAAW,KAAK,EAAE,aAAc,KAAI,CAAC,SAAS,SAAS,CAAC,EAAG,UAAS,KAAK,CAAC;AAAA;AAC7G,YAAI,kBAAkB,MAAM;AAC1B,cAAI,EAAE,qBAAqB,KAAM,iBAAgB;AAAA,mBACxC,MAAM,QAAQ,EAAE,iBAAiB,KAAK,EAAE,kBAAkB,SAAS,SAAS,EAAG,iBAAgB;AAAA,cACnG,iBAAgB,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAI,iBAAiB,CAAC,GAAI,GAAG,EAAE,iBAAiB,CAAC,CAAC;AAAA,QAC7F;AAAA,MACF;AAAA,IACF;AACA,QAAI,iBAAiB,SAAS,CAAC,cAAc,SAAS,KAAK,KAAK,CAAC,cAAc,SAAS,SAAS,GAAG;AAAA,IAEpG;AACA,UAAM,SAAS,EAAE,cAAc,SAAS,UAAU,cAAc;AAChE,UAAM,KAAK,SAAS,UAAU,QAAQ,QAAQ,KAAK;AACnD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,mBACJ,QACA,OACmB;AACnB,UAAM,MAAM,MAAM,KAAK,QAAQ,QAAQ,KAAK;AAC5C,WAAO,MAAM,QAAQ,IAAI,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBACJ,UACA,SACA,MACkB;AAClB,QAAI,CAAC,YAAY,CAAC,QAAS,QAAO;AAElC,UAAM,aAAa,oBAAoB;AACvC,QAAI,WAAW,UAAU,CAAC,WAAW,SAAS,kBAAkB,OAAO,CAAC,EAAG,QAAO;AAElF,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,WAAW,MAAM,GAAG,KAAK,SAAS,EAAE,UAAU,WAAW,KAAK,GAAU,CAAC,CAAC;AAChF,UAAM,OAAO,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC;AACnD,UAAM,iBAAiB,MAAM,kBAAkB;AAE/C,eAAW,OAAO,MAAM;AACtB,UAAI,CAAC,KAAK,0BAA0B,KAAK,cAAc,EAAG;AAC1D,UAAI,IAAI,aAAc,QAAO;AAC7B,YAAM,SAAS,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AACrE,UAAI,KAAK,eAAe,CAAC,OAAO,GAAG,6BAA6B,MAAM,CAAC,EAAG,QAAO;AAAA,IACnF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqCA,MAAM,mBAAmB,QAAgB,UAAoB,OAAqF;AAChJ,QAAI,CAAC,SAAS,OAAQ,QAAO;AAC7B,UAAM,MAAM,MAAM,KAAK,QAAQ,QAAQ,KAAK;AAC5C,QAAI,IAAI,cAAc;AACpB,YAAM,aAAa,oBAAoB;AACvC,UAAI,CAAC,WAAW,OAAQ,QAAO;AAC/B,YAAM,aAAa,IAAI,IAAI,UAAU;AACrC,aAAO,SAAS,MAAM,CAAC,YAAY,WAAW,IAAI,kBAAkB,OAAO,CAAC,CAAC;AAAA,IAC/E;AACA,QAAI,IAAI,iBAAiB,MAAM,kBAAkB,CAAC,IAAI,cAAc,SAAS,MAAM,cAAc,KAAK,CAAC,IAAI,cAAc,SAAS,SAAS,EAAG,QAAO;AACrJ,WAAO,KAAK,eAAe,UAAU,6BAA6B,IAAI,QAAQ,CAAC;AAAA,EACjF;AACF;",
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/postgresql'\nimport type { CacheStrategy } from '@open-mercato/cache'\nimport { getCurrentCacheTenant, runWithCacheTenant } from '@open-mercato/cache'\nimport { UserAcl, RoleAcl, User, UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { ApiKey } from '@open-mercato/core/modules/api_keys/data/entities'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { buildOrgScopeUserCacheTag, buildOrgScopeTenantCacheTag } from '@open-mercato/core/modules/directory/utils/organizationScope'\nimport { matchFeature as sharedMatchFeature, hasAllFeatures as sharedHasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'\nimport { filterGrantsByEnabledModules, getOwningModuleId, getEnabledModuleIds } from '@open-mercato/shared/security/enabledModulesRegistry'\n\ninterface AclData {\n  isSuperAdmin: boolean\n  features: string[]\n  organizations: string[] | null\n}\n\nfunction isAclData(value: unknown): value is AclData {\n  if (typeof value !== 'object' || value === null) return false\n  const record = value as Partial<AclData>\n  if (typeof record.isSuperAdmin !== 'boolean') return false\n  if (!Array.isArray(record.features) || record.features.some((feature) => typeof feature !== 'string')) return false\n  if (record.organizations !== null && record.organizations !== undefined) {\n    if (!Array.isArray(record.organizations)) return false\n    if (record.organizations.some((org) => typeof org !== 'string')) return false\n  }\n  return true\n}\n\nexport class RbacService {\n  private cacheTtlMs: number = 5 * 60 * 1000 // 5 minutes default\n  private cache: CacheStrategy | null = null\n  private globalSuperAdminCache = new Map<string, boolean>()\n\n  constructor(private em: EntityManager, cache?: CacheStrategy) {\n    this.cache = cache || null\n  }\n\n  /**\n   * Set cache TTL in milliseconds\n   * @param ttlMs - Time to live in milliseconds\n   */\n  setCacheTtl(ttlMs: number) {\n    this.cacheTtlMs = ttlMs\n  }\n\n  /**\n   * Checks if a required feature is satisfied by a granted feature permission.\n   * \n   * Wildcard patterns:\n   * - `*` (global wildcard): Grants access to all features\n   * - `prefix.*` (module wildcard): Grants access to all features starting with `prefix.`\n   *   and also the exact prefix itself (e.g., `entities.*` matches both `entities` and `entities.records.view`)\n   * - Exact match: Feature must match exactly (e.g., `users.view` only matches `users.view`)\n   * \n   * @param required - The feature being requested (e.g., 'entities.records.view')\n   * @param granted - The feature permission granted (e.g., 'entities.*' or '*')\n   * @returns true if the granted permission satisfies the required feature\n   * \n   * @example\n   * matchFeature('users.view', '*') // true - global wildcard\n   * matchFeature('entities.records.view', 'entities.*') // true - module wildcard\n   * matchFeature('entities', 'entities.*') // true - exact prefix match\n   * matchFeature('users.view', 'entities.*') // false - different module\n   * matchFeature('users.view', 'users.view') // true - exact match\n   */\n  private matchFeature(required: string, granted: string): boolean {\n    return sharedMatchFeature(required, granted)\n  }\n\n  public hasAllFeatures(required: string[], granted: string[]): boolean {\n    return sharedHasAllFeatures(required, granted)\n  }\n\n  private roleAclAllowsOrganization(acl: RoleAcl, organizationId: string | null | undefined): boolean {\n    if (!organizationId) return true\n    const organizations = Array.isArray(acl.organizationsJson) ? acl.organizationsJson : null\n    if (!organizations || !organizations.length || organizations.includes('__all__')) return true\n    return organizations.includes(organizationId)\n  }\n\n  private getCacheKey(userId: string, scope: { tenantId: string | null; organizationId: string | null }): string {\n    return `rbac:${userId}:${scope.tenantId || 'null'}:${scope.organizationId || 'null'}`\n  }\n\n  private getUserTag(userId: string): string {\n    return `rbac:user:${userId}`\n  }\n\n  private getTenantTag(tenantId: string): string {\n    return `rbac:tenant:${tenantId}`\n  }\n\n  private getOrganizationTag(organizationId: string): string {\n    return `rbac:org:${organizationId}`\n  }\n\n  private async getFromCache(cacheKey: string): Promise<AclData | null> {\n    if (!this.cache) return null\n    const cached = await this.cache.get(cacheKey)\n    if (!cached) return null\n    return isAclData(cached) ? cached : null\n  }\n\n  private async setCache(cacheKey: string, data: AclData, userId: string, scope: { tenantId: string | null; organizationId: string | null }): Promise<void> {\n    if (!this.cache) return\n\n    const tags = [\n      this.getUserTag(userId),\n      'rbac:all'\n    ]\n\n    if (scope.tenantId) {\n      tags.push(this.getTenantTag(scope.tenantId))\n    }\n\n    if (scope.organizationId) {\n      tags.push(this.getOrganizationTag(scope.organizationId))\n    }\n\n    await this.cache.set(cacheKey, data, {\n      ttl: this.cacheTtlMs,\n      tags\n    })\n  }\n\n  /**\n   * Invalidates cached ACL data for a specific user across all tenants and organizations.\n   * Call this when a user's roles or user-specific ACL is modified.\n   * \n   * @param userId - The ID of the user whose cache should be invalidated\n   */\n  async invalidateUserCache(userId: string): Promise<void> {\n    this.globalSuperAdminCache.delete(userId)\n    // Also drop the directory OrganizationScope cache for this user. That scope's\n    // accessible-org set is derived from this user's ACL/role grants, so any\n    // permission change that invalidates the RBAC cache must invalidate the\n    // resolved scope too. This is the missing `org-scope:user:*` caller required\n    // before the cross-request scope TTL can be safely enabled (issue #2259).\n    await this.deleteCacheByTags([this.getUserTag(userId), buildOrgScopeUserCacheTag(userId)])\n  }\n\n  /**\n   * Invalidates cached ACL data for all users within a specific tenant.\n   * Call this when a role's ACL is modified, since roles are tenant-scoped\n   * and affect all users in that tenant who have that role.\n   * \n   * @param tenantId - The ID of the tenant whose cache should be invalidated\n   */\n  async invalidateTenantCache(tenantId: string): Promise<void> {\n    this.globalSuperAdminCache.clear()\n    // Role ACL changes invalidate every user in the tenant; the resolved\n    // OrganizationScope for those users derives from the same grants, so drop\n    // the tenant-tagged scope entries alongside the RBAC ones (issue #2259).\n    await this.deleteCacheByTags([this.getTenantTag(tenantId), buildOrgScopeTenantCacheTag(tenantId)], [tenantId])\n  }\n\n  /**\n   * Invalidates cached ACL data for all users within a specific organization.\n   * Call this when organization-level permissions or visibility changes.\n   * \n   * @param organizationId - The ID of the organization whose cache should be invalidated\n   */\n  async invalidateOrganizationCache(organizationId: string): Promise<void> {\n    await this.deleteCacheByTags([this.getOrganizationTag(organizationId)])\n  }\n\n  /**\n   * Clears all cached ACL data.\n   * Use this for bulk operations or system-wide ACL changes.\n   */\n  async invalidateAllCache(): Promise<void> {\n    this.globalSuperAdminCache.clear()\n    await this.deleteCacheByTags(['rbac:all'])\n  }\n\n  private async deleteCacheByTags(tags: string[], tenantHints?: Array<string | null>): Promise<void> {\n    if (!this.cache) return\n    const contexts = new Set<string | null>()\n    const current = getCurrentCacheTenant()\n    contexts.add(current ?? null)\n    contexts.add(null)\n    if (Array.isArray(tenantHints)) {\n      for (const hint of tenantHints) {\n        contexts.add(hint ?? null)\n      }\n    }\n    for (const ctx of contexts) {\n      if (ctx === current) {\n        await this.cache.deleteByTags(tags)\n      } else {\n        await runWithCacheTenant(ctx, async () => {\n          await this.cache!.deleteByTags(tags)\n        })\n      }\n    }\n  }\n\n  private async isGlobalSuperAdmin(userId: string): Promise<boolean> {\n    if (this.globalSuperAdminCache.has(userId)) return this.globalSuperAdminCache.get(userId)!\n    const em = this.em.fork()\n    const userSuper = await em.findOne(UserAcl, { user: userId as any, isSuperAdmin: true })\n    if (userSuper && (userSuper as any).isSuperAdmin) {\n      this.globalSuperAdminCache.set(userId, true)\n      return true\n    }\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { user: userId as any },\n      { populate: ['role'] },\n      { tenantId: null, organizationId: null },\n    )\n    const linkList = Array.isArray(links) ? links : []\n    if (!linkList.length) {\n      this.globalSuperAdminCache.set(userId, false)\n      return false\n    }\n    const roleIds = Array.from(new Set(linkList.map((link) => {\n      const role = link.role as any\n      return role?.id ? String(role.id) : null\n    }).filter((id): id is string => typeof id === 'string' && id.length > 0)))\n    if (!roleIds.length) {\n      this.globalSuperAdminCache.set(userId, false)\n      return false\n    }\n    const roleSuper = await em.findOne(RoleAcl, { isSuperAdmin: true, role: { $in: roleIds as any } } as any)\n    const result = !!(roleSuper && (roleSuper as any).isSuperAdmin)\n    this.globalSuperAdminCache.set(userId, result)\n    return result\n  }\n\n  /**\n   * Loads the Access Control List (ACL) for a user within a given scope.\n   * \n   * The ACL resolution follows this priority:\n   * 1. Per-user ACL (UserAcl) - if exists, use it exclusively\n   * 2. Aggregated role ACLs (RoleAcl) - combine permissions from all user's roles\n   * \n   * Results are cached for performance (default 5 minutes TTL).\n   * Cache is automatically invalidated when ACL-related data changes.\n   * \n   * @param userId - The ID of the user\n   * @param scope - The tenant and organization context for ACL evaluation\n   * @returns An object containing:\n   *   - isSuperAdmin: If true, user has unrestricted access to all features\n   *   - features: Array of feature strings (may include wildcards like 'entities.*')\n   *   - organizations: Array of organization IDs user can access, or null for all organizations\n   * \n   * @example\n   * const acl = await rbacService.loadAcl('user-123', { tenantId: 'tenant-1', organizationId: 'org-1' })\n   * // Returns: { isSuperAdmin: false, features: ['users.view', 'entities.*'], organizations: ['org-1', 'org-2'] }\n   */\n  async loadAcl(userId: string, scope: { tenantId: string | null; organizationId: string | null }): Promise<{\n    isSuperAdmin: boolean\n    features: string[]\n    organizations: string[] | null\n  }> {\n    const cacheKey = this.getCacheKey(userId, scope)\n    const cached = await this.getFromCache(cacheKey)\n    if (cached) return cached\n\n    if (!userId.startsWith('api_key:')) {\n      if (await this.isGlobalSuperAdmin(userId)) {\n        const result = { isSuperAdmin: true, features: ['*'], organizations: null }\n        await this.setCache(cacheKey, result, userId, scope)\n        return result\n      }\n    }\n\n    if (userId.startsWith('api_key:')) {\n      const apiKeyId = userId.slice('api_key:'.length)\n      const em = this.em.fork()\n      const key = await em.findOne(ApiKey, { id: apiKeyId, deletedAt: null })\n      if (!key || (key.expiresAt && key.expiresAt.getTime() < Date.now())) {\n        const result = { isSuperAdmin: false, features: [], organizations: null }\n        await this.setCache(cacheKey, result, userId, scope)\n        return result\n      }\n      const tenantId = scope.tenantId || key.tenantId || null\n      const roleIds = Array.isArray(key.rolesJson) ? key.rolesJson.filter(Boolean) : []\n      let isSuper = false\n      const features: string[] = []\n      let organizations: string[] | null = key.organizationId ? [key.organizationId] : null\n      if (tenantId && roleIds.length) {\n        const racls = await em.find(RoleAcl, { tenantId, role: { $in: roleIds as any } } as any)\n        for (const acl of racls) {\n          isSuper = isSuper || !!acl.isSuperAdmin\n          if (Array.isArray(acl.featuresJson)) {\n            for (const f of acl.featuresJson) if (!features.includes(f)) features.push(f)\n          }\n          if (organizations !== null) {\n            if (acl.organizationsJson == null) {\n              organizations = null\n            } else if (Array.isArray(acl.organizationsJson) && acl.organizationsJson.includes('__all__')) {\n              organizations = null\n            } else {\n              organizations = Array.from(new Set([...(organizations || []), ...acl.organizationsJson]))\n            }\n          }\n        }\n      }\n      const result = { isSuperAdmin: isSuper, features, organizations }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Use a forked EntityManager to avoid inheriting an aborted transaction from callers\n    const em = this.em.fork()\n    const user = await em.findOne(User, { id: userId })\n    if (!user) {\n      const result = { isSuperAdmin: false, features: [], organizations: null }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n    const tenantId = scope.tenantId || user.tenantId || null\n    const orgId = scope.organizationId || user.organizationId || null\n\n    if (!tenantId) {\n      const result = { isSuperAdmin: false, features: [], organizations: null }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Per-user ACL first\n    const uacl = await em.findOne(UserAcl, { user: userId as any, tenantId })\n    if (uacl) {\n      const result = {\n        isSuperAdmin: !!uacl.isSuperAdmin,\n        features: Array.isArray(uacl.featuresJson) ? (uacl.featuresJson as string[]) : [],\n        organizations: Array.isArray(uacl.organizationsJson) ? (uacl.organizationsJson as string[]) : null,\n      }\n      await this.setCache(cacheKey, result, userId, scope)\n      return result\n    }\n\n    // Aggregate role ACLs\n    const links = await findWithDecryption(\n      em,\n      UserRole,\n      { user: userId as any, role: { tenantId } } as any,\n      { populate: ['role'] },\n      { tenantId, organizationId: orgId },\n    )\n    const linkList = Array.isArray(links) ? links : []\n    const roleIds = linkList.map((l) => (l.role as any)?.id).filter(Boolean)\n    let isSuper = false\n    const features: string[] = []\n    let organizations: string[] | null = []\n    if (roleIds.length) {\n      const racls = await em.find(RoleAcl, { tenantId, role: { $in: roleIds as any } } as any, {})\n      const roleAcls = Array.isArray(racls) ? racls : []\n      for (const r of roleAcls) {\n        isSuper = isSuper || !!r.isSuperAdmin\n        if (Array.isArray(r.featuresJson)) for (const f of r.featuresJson) if (!features.includes(f)) features.push(f)\n        if (organizations !== null) {\n          if (r.organizationsJson == null) organizations = null\n          else if (Array.isArray(r.organizationsJson) && r.organizationsJson.includes('__all__')) organizations = null\n          else organizations = Array.from(new Set([...(organizations || []), ...r.organizationsJson]))\n        }\n      }\n    }\n    if (organizations && orgId && !organizations.includes(orgId) && !organizations.includes('__all__')) {\n      // Out-of-scope org; caller will enforce\n    }\n    const result = { isSuperAdmin: isSuper, features, organizations }\n    await this.setCache(cacheKey, result, userId, scope)\n    return result\n  }\n\n  /**\n   * Returns the user's granted feature strings for a given scope.\n   *\n   * Used by infrastructure that needs the raw grant list rather than a yes/no\n   * authorization check (for example response enrichers gating themselves with\n   * `features: [...]`). Callers MUST apply wildcard-aware matching against the\n   * returned array \u2014 grants like `module.*` or `*` are part of the ACL contract.\n   *\n   * @param userId - The ID of the user\n   * @param scope - The tenant and organization context for ACL evaluation\n   * @returns Array of feature strings (may include wildcards); empty array when\n   *          the user has no grants in scope\n   */\n  async getGrantedFeatures(\n    userId: string,\n    scope: { tenantId: string | null; organizationId: string | null },\n  ): Promise<string[]> {\n    const acl = await this.loadAcl(userId, scope)\n    return Array.isArray(acl.features) ? acl.features : []\n  }\n\n  /**\n   * Checks whether any tenant role grants a feature.\n   *\n   * This supports non-user runtimes such as scheduler workers that execute with\n   * tenant scope but without an authenticated user.\n   */\n  async tenantHasFeature(\n    tenantId: string | null | undefined,\n    feature: string,\n    opts?: { organizationId?: string | null },\n  ): Promise<boolean> {\n    if (!tenantId || !feature) return false\n\n    const enabledIds = getEnabledModuleIds()\n    if (enabledIds.length && !enabledIds.includes(getOwningModuleId(feature))) return false\n\n    const em = this.em.fork()\n    const roleAcls = await em.find(RoleAcl, { tenantId, deletedAt: null } as any, {})\n    const list = Array.isArray(roleAcls) ? roleAcls : []\n    const organizationId = opts?.organizationId ?? null\n\n    for (const acl of list) {\n      if (!this.roleAclAllowsOrganization(acl, organizationId)) continue\n      if (acl.isSuperAdmin) return true\n      const grants = Array.isArray(acl.featuresJson) ? acl.featuresJson : []\n      if (this.hasAllFeatures([feature], filterGrantsByEnabledModules(grants))) return true\n    }\n\n    return false\n  }\n\n  /**\n   * Checks if a user has all required features within a given scope.\n   *\n   * This is the primary authorization check method used throughout the application.\n   * It combines feature checking with organization visibility validation.\n   *\n   * Authorization logic:\n   * 1. No features required \u2192 always returns true\n   * 2. User is super admin \u2192 always returns true\n   * 3. Organization restriction check: If the user's ACL has a restricted organization list\n   *    and the requested organization is not in that list \u2192 returns false\n   * 4. Feature matching: User must have all required features (supports wildcards)\n   *\n   * @param userId - The ID of the user\n   * @param required - Array of feature strings to check (e.g., ['users.view', 'users.edit'])\n   * @param scope - The tenant and organization context for authorization\n   * @returns true if the user has all required features and organization access, false otherwise\n   *\n   * @example\n   * // Check if user can view and edit users\n   * const canManageUsers = await rbacService.userHasAllFeatures(\n   *   'user-123',\n   *   ['users.view', 'users.edit'],\n   *   { tenantId: 'tenant-1', organizationId: 'org-1' }\n   * )\n   *\n   * @example\n   * // Check with wildcard features\n   * const canAccessEntities = await rbacService.userHasAllFeatures(\n   *   'user-123',\n   *   ['entities.records.view'],\n   *   { tenantId: 'tenant-1', organizationId: 'org-1' }\n   * )\n   * // Returns true if user has 'entities.*', '*', or 'entities.records.view'\n   */\n  async userHasAllFeatures(userId: string, required: string[], scope: { tenantId: string | null; organizationId: string | null }): Promise<boolean> {\n    if (!required.length) return true\n    const acl = await this.loadAcl(userId, scope)\n    if (acl.isSuperAdmin) {\n      const enabledIds = getEnabledModuleIds()\n      if (!enabledIds.length) return true\n      const enabledSet = new Set(enabledIds)\n      return required.every((feature) => enabledSet.has(getOwningModuleId(feature)))\n    }\n    if (acl.organizations && scope.organizationId && !acl.organizations.includes(scope.organizationId) && !acl.organizations.includes('__all__')) return false\n    return this.hasAllFeatures(required, filterGrantsByEnabledModules(acl.features))\n  }\n}\n"],
+  "mappings": "AAEA,SAAS,uBAAuB,0BAA0B;AAC1D,SAAS,SAAS,SAAS,MAAM,gBAAgB;AACjD,SAAS,cAAc;AACvB,SAAS,0BAA0B;AACnC,SAAS,2BAA2B,mCAAmC;AACvE,SAAS,gBAAgB,oBAAoB,kBAAkB,4BAA4B;AAC3F,SAAS,8BAA8B,mBAAmB,2BAA2B;AAQrF,SAAS,UAAU,OAAkC;AACnD,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,QAAM,SAAS;AACf,MAAI,OAAO,OAAO,iBAAiB,UAAW,QAAO;AACrD,MAAI,CAAC,MAAM,QAAQ,OAAO,QAAQ,KAAK,OAAO,SAAS,KAAK,CAAC,YAAY,OAAO,YAAY,QAAQ,EAAG,QAAO;AAC9G,MAAI,OAAO,kBAAkB,QAAQ,OAAO,kBAAkB,QAAW;AACvE,QAAI,CAAC,MAAM,QAAQ,OAAO,aAAa,EAAG,QAAO;AACjD,QAAI,OAAO,cAAc,KAAK,CAAC,QAAQ,OAAO,QAAQ,QAAQ,EAAG,QAAO;AAAA,EAC1E;AACA,SAAO;AACT;AAEO,MAAM,YAAY;AAAA,EAKvB,YAAoB,IAAmB,OAAuB;AAA1C;AAJpB,SAAQ,aAAqB,IAAI,KAAK;AACtC;AAAA,SAAQ,QAA8B;AACtC,SAAQ,wBAAwB,oBAAI,IAAqB;AAGvD,SAAK,QAAQ,SAAS;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,OAAe;AACzB,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBQ,aAAa,UAAkB,SAA0B;AAC/D,WAAO,mBAAmB,UAAU,OAAO;AAAA,EAC7C;AAAA,EAEO,eAAe,UAAoB,SAA4B;AACpE,WAAO,qBAAqB,UAAU,OAAO;AAAA,EAC/C;AAAA,EAEQ,0BAA0B,KAAc,gBAAoD;AAClG,QAAI,CAAC,eAAgB,QAAO;AAC5B,UAAM,gBAAgB,MAAM,QAAQ,IAAI,iBAAiB,IAAI,IAAI,oBAAoB;AACrF,QAAI,CAAC,iBAAiB,CAAC,cAAc,UAAU,cAAc,SAAS,SAAS,EAAG,QAAO;AACzF,WAAO,cAAc,SAAS,cAAc;AAAA,EAC9C;AAAA,EAEQ,YAAY,QAAgB,OAA2E;AAC7G,WAAO,QAAQ,MAAM,IAAI,MAAM,YAAY,MAAM,IAAI,MAAM,kBAAkB,MAAM;AAAA,EACrF;AAAA,EAEQ,WAAW,QAAwB;AACzC,WAAO,aAAa,MAAM;AAAA,EAC5B;AAAA,EAEQ,aAAa,UAA0B;AAC7C,WAAO,eAAe,QAAQ;AAAA,EAChC;AAAA,EAEQ,mBAAmB,gBAAgC;AACzD,WAAO,YAAY,cAAc;AAAA,EACnC;AAAA,EAEA,MAAc,aAAa,UAA2C;AACpE,QAAI,CAAC,KAAK,MAAO,QAAO;AACxB,UAAM,SAAS,MAAM,KAAK,MAAM,IAAI,QAAQ;AAC5C,QAAI,CAAC,OAAQ,QAAO;AACpB,WAAO,UAAU,MAAM,IAAI,SAAS;AAAA,EACtC;AAAA,EAEA,MAAc,SAAS,UAAkB,MAAe,QAAgB,OAAkF;AACxJ,QAAI,CAAC,KAAK,MAAO;AAEjB,UAAM,OAAO;AAAA,MACX,KAAK,WAAW,MAAM;AAAA,MACtB;AAAA,IACF;AAEA,QAAI,MAAM,UAAU;AAClB,WAAK,KAAK,KAAK,aAAa,MAAM,QAAQ,CAAC;AAAA,IAC7C;AAEA,QAAI,MAAM,gBAAgB;AACxB,WAAK,KAAK,KAAK,mBAAmB,MAAM,cAAc,CAAC;AAAA,IACzD;AAEA,UAAM,KAAK,MAAM,IAAI,UAAU,MAAM;AAAA,MACnC,KAAK,KAAK;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,oBAAoB,QAA+B;AACvD,SAAK,sBAAsB,OAAO,MAAM;AAMxC,UAAM,KAAK,kBAAkB,CAAC,KAAK,WAAW,MAAM,GAAG,0BAA0B,MAAM,CAAC,CAAC;AAAA,EAC3F;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,sBAAsB,UAAiC;AAC3D,SAAK,sBAAsB,MAAM;AAIjC,UAAM,KAAK,kBAAkB,CAAC,KAAK,aAAa,QAAQ,GAAG,4BAA4B,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC;AAAA,EAC/G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,4BAA4B,gBAAuC;AACvE,UAAM,KAAK,kBAAkB,CAAC,KAAK,mBAAmB,cAAc,CAAC,CAAC;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,qBAAoC;AACxC,SAAK,sBAAsB,MAAM;AACjC,UAAM,KAAK,kBAAkB,CAAC,UAAU,CAAC;AAAA,EAC3C;AAAA,EAEA,MAAc,kBAAkB,MAAgB,aAAmD;AACjG,QAAI,CAAC,KAAK,MAAO;AACjB,UAAM,WAAW,oBAAI,IAAmB;AACxC,UAAM,UAAU,sBAAsB;AACtC,aAAS,IAAI,WAAW,IAAI;AAC5B,aAAS,IAAI,IAAI;AACjB,QAAI,MAAM,QAAQ,WAAW,GAAG;AAC9B,iBAAW,QAAQ,aAAa;AAC9B,iBAAS,IAAI,QAAQ,IAAI;AAAA,MAC3B;AAAA,IACF;AACA,eAAW,OAAO,UAAU;AAC1B,UAAI,QAAQ,SAAS;AACnB,cAAM,KAAK,MAAM,aAAa,IAAI;AAAA,MACpC,OAAO;AACL,cAAM,mBAAmB,KAAK,YAAY;AACxC,gBAAM,KAAK,MAAO,aAAa,IAAI;AAAA,QACrC,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,mBAAmB,QAAkC;AACjE,QAAI,KAAK,sBAAsB,IAAI,MAAM,EAAG,QAAO,KAAK,sBAAsB,IAAI,MAAM;AACxF,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,YAAY,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,QAAe,cAAc,KAAK,CAAC;AACvF,QAAI,aAAc,UAAkB,cAAc;AAChD,WAAK,sBAAsB,IAAI,QAAQ,IAAI;AAC3C,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,OAAc;AAAA,MACtB,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,MAAM,gBAAgB,KAAK;AAAA,IACzC;AACA,UAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,QAAI,CAAC,SAAS,QAAQ;AACpB,WAAK,sBAAsB,IAAI,QAAQ,KAAK;AAC5C,aAAO;AAAA,IACT;AACA,UAAM,UAAU,MAAM,KAAK,IAAI,IAAI,SAAS,IAAI,CAAC,SAAS;AACxD,YAAM,OAAO,KAAK;AAClB,aAAO,MAAM,KAAK,OAAO,KAAK,EAAE,IAAI;AAAA,IACtC,CAAC,EAAE,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC,CAAC,CAAC;AACzE,QAAI,CAAC,QAAQ,QAAQ;AACnB,WAAK,sBAAsB,IAAI,QAAQ,KAAK;AAC5C,aAAO;AAAA,IACT;AACA,UAAM,YAAY,MAAM,GAAG,QAAQ,SAAS,EAAE,cAAc,MAAM,MAAM,EAAE,KAAK,QAAe,EAAE,CAAQ;AACxG,UAAM,SAAS,CAAC,EAAE,aAAc,UAAkB;AAClD,SAAK,sBAAsB,IAAI,QAAQ,MAAM;AAC7C,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,MAAM,QAAQ,QAAgB,OAI3B;AACD,UAAM,WAAW,KAAK,YAAY,QAAQ,KAAK;AAC/C,UAAM,SAAS,MAAM,KAAK,aAAa,QAAQ;AAC/C,QAAI,OAAQ,QAAO;AAEnB,QAAI,CAAC,OAAO,WAAW,UAAU,GAAG;AAClC,UAAI,MAAM,KAAK,mBAAmB,MAAM,GAAG;AACzC,cAAMA,UAAS,EAAE,cAAc,MAAM,UAAU,CAAC,GAAG,GAAG,eAAe,KAAK;AAC1E,cAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,eAAOA;AAAA,MACT;AAAA,IACF;AAEA,QAAI,OAAO,WAAW,UAAU,GAAG;AACjC,YAAM,WAAW,OAAO,MAAM,WAAW,MAAM;AAC/C,YAAMC,MAAK,KAAK,GAAG,KAAK;AACxB,YAAM,MAAM,MAAMA,IAAG,QAAQ,QAAQ,EAAE,IAAI,UAAU,WAAW,KAAK,CAAC;AACtE,UAAI,CAAC,OAAQ,IAAI,aAAa,IAAI,UAAU,QAAQ,IAAI,KAAK,IAAI,GAAI;AACnE,cAAMD,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,cAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,eAAOA;AAAA,MACT;AACA,YAAME,YAAW,MAAM,YAAY,IAAI,YAAY;AACnD,YAAMC,WAAU,MAAM,QAAQ,IAAI,SAAS,IAAI,IAAI,UAAU,OAAO,OAAO,IAAI,CAAC;AAChF,UAAIC,WAAU;AACd,YAAMC,YAAqB,CAAC;AAC5B,UAAIC,iBAAiC,IAAI,iBAAiB,CAAC,IAAI,cAAc,IAAI;AACjF,UAAIJ,aAAYC,SAAQ,QAAQ;AAC9B,cAAM,QAAQ,MAAMF,IAAG,KAAK,SAAS,EAAE,UAAAC,WAAU,MAAM,EAAE,KAAKC,SAAe,EAAE,CAAQ;AACvF,mBAAW,OAAO,OAAO;AACvB,UAAAC,WAAUA,YAAW,CAAC,CAAC,IAAI;AAC3B,cAAI,MAAM,QAAQ,IAAI,YAAY,GAAG;AACnC,uBAAW,KAAK,IAAI,aAAc,KAAI,CAACC,UAAS,SAAS,CAAC,EAAG,CAAAA,UAAS,KAAK,CAAC;AAAA,UAC9E;AACA,cAAIC,mBAAkB,MAAM;AAC1B,gBAAI,IAAI,qBAAqB,MAAM;AACjC,cAAAA,iBAAgB;AAAA,YAClB,WAAW,MAAM,QAAQ,IAAI,iBAAiB,KAAK,IAAI,kBAAkB,SAAS,SAAS,GAAG;AAC5F,cAAAA,iBAAgB;AAAA,YAClB,OAAO;AACL,cAAAA,iBAAgB,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAIA,kBAAiB,CAAC,GAAI,GAAG,IAAI,iBAAiB,CAAC,CAAC;AAAA,YAC1F;AAAA,UACF;AAAA,QACF;AAAA,MACF;AACA,YAAMN,UAAS,EAAE,cAAcI,UAAS,UAAAC,WAAU,eAAAC,eAAc;AAChE,YAAM,KAAK,SAAS,UAAUN,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,OAAO,MAAM,GAAG,QAAQ,MAAM,EAAE,IAAI,OAAO,CAAC;AAClD,QAAI,CAAC,MAAM;AACT,YAAMA,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AACA,UAAM,WAAW,MAAM,YAAY,KAAK,YAAY;AACpD,UAAM,QAAQ,MAAM,kBAAkB,KAAK,kBAAkB;AAE7D,QAAI,CAAC,UAAU;AACb,YAAMA,UAAS,EAAE,cAAc,OAAO,UAAU,CAAC,GAAG,eAAe,KAAK;AACxE,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,OAAO,MAAM,GAAG,QAAQ,SAAS,EAAE,MAAM,QAAe,SAAS,CAAC;AACxE,QAAI,MAAM;AACR,YAAMA,UAAS;AAAA,QACb,cAAc,CAAC,CAAC,KAAK;AAAA,QACrB,UAAU,MAAM,QAAQ,KAAK,YAAY,IAAK,KAAK,eAA4B,CAAC;AAAA,QAChF,eAAe,MAAM,QAAQ,KAAK,iBAAiB,IAAK,KAAK,oBAAiC;AAAA,MAChG;AACA,YAAM,KAAK,SAAS,UAAUA,SAAQ,QAAQ,KAAK;AACnD,aAAOA;AAAA,IACT;AAGA,UAAM,QAAQ,MAAM;AAAA,MAClB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,QAAe,MAAM,EAAE,SAAS,EAAE;AAAA,MAC1C,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,MACrB,EAAE,UAAU,gBAAgB,MAAM;AAAA,IACpC;AACA,UAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,UAAM,UAAU,SAAS,IAAI,CAAC,MAAO,EAAE,MAAc,EAAE,EAAE,OAAO,OAAO;AACvE,QAAI,UAAU;AACd,UAAM,WAAqB,CAAC;AAC5B,QAAI,gBAAiC,CAAC;AACtC,QAAI,QAAQ,QAAQ;AAClB,YAAM,QAAQ,MAAM,GAAG,KAAK,SAAS,EAAE,UAAU,MAAM,EAAE,KAAK,QAAe,EAAE,GAAU,CAAC,CAAC;AAC3F,YAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,iBAAW,KAAK,UAAU;AACxB,kBAAU,WAAW,CAAC,CAAC,EAAE;AACzB,YAAI,MAAM,QAAQ,EAAE,YAAY;AAAG,qBAAW,KAAK,EAAE,aAAc,KAAI,CAAC,SAAS,SAAS,CAAC,EAAG,UAAS,KAAK,CAAC;AAAA;AAC7G,YAAI,kBAAkB,MAAM;AAC1B,cAAI,EAAE,qBAAqB,KAAM,iBAAgB;AAAA,mBACxC,MAAM,QAAQ,EAAE,iBAAiB,KAAK,EAAE,kBAAkB,SAAS,SAAS,EAAG,iBAAgB;AAAA,cACnG,iBAAgB,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAI,iBAAiB,CAAC,GAAI,GAAG,EAAE,iBAAiB,CAAC,CAAC;AAAA,QAC7F;AAAA,MACF;AAAA,IACF;AACA,QAAI,iBAAiB,SAAS,CAAC,cAAc,SAAS,KAAK,KAAK,CAAC,cAAc,SAAS,SAAS,GAAG;AAAA,IAEpG;AACA,UAAM,SAAS,EAAE,cAAc,SAAS,UAAU,cAAc;AAChE,UAAM,KAAK,SAAS,UAAU,QAAQ,QAAQ,KAAK;AACnD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,mBACJ,QACA,OACmB;AACnB,UAAM,MAAM,MAAM,KAAK,QAAQ,QAAQ,KAAK;AAC5C,WAAO,MAAM,QAAQ,IAAI,QAAQ,IAAI,IAAI,WAAW,CAAC;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBACJ,UACA,SACA,MACkB;AAClB,QAAI,CAAC,YAAY,CAAC,QAAS,QAAO;AAElC,UAAM,aAAa,oBAAoB;AACvC,QAAI,WAAW,UAAU,CAAC,WAAW,SAAS,kBAAkB,OAAO,CAAC,EAAG,QAAO;AAElF,UAAM,KAAK,KAAK,GAAG,KAAK;AACxB,UAAM,WAAW,MAAM,GAAG,KAAK,SAAS,EAAE,UAAU,WAAW,KAAK,GAAU,CAAC,CAAC;AAChF,UAAM,OAAO,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC;AACnD,UAAM,iBAAiB,MAAM,kBAAkB;AAE/C,eAAW,OAAO,MAAM;AACtB,UAAI,CAAC,KAAK,0BAA0B,KAAK,cAAc,EAAG;AAC1D,UAAI,IAAI,aAAc,QAAO;AAC7B,YAAM,SAAS,MAAM,QAAQ,IAAI,YAAY,IAAI,IAAI,eAAe,CAAC;AACrE,UAAI,KAAK,eAAe,CAAC,OAAO,GAAG,6BAA6B,MAAM,CAAC,EAAG,QAAO;AAAA,IACnF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqCA,MAAM,mBAAmB,QAAgB,UAAoB,OAAqF;AAChJ,QAAI,CAAC,SAAS,OAAQ,QAAO;AAC7B,UAAM,MAAM,MAAM,KAAK,QAAQ,QAAQ,KAAK;AAC5C,QAAI,IAAI,cAAc;AACpB,YAAM,aAAa,oBAAoB;AACvC,UAAI,CAAC,WAAW,OAAQ,QAAO;AAC/B,YAAM,aAAa,IAAI,IAAI,UAAU;AACrC,aAAO,SAAS,MAAM,CAAC,YAAY,WAAW,IAAI,kBAAkB,OAAO,CAAC,CAAC;AAAA,IAC/E;AACA,QAAI,IAAI,iBAAiB,MAAM,kBAAkB,CAAC,IAAI,cAAc,SAAS,MAAM,cAAc,KAAK,CAAC,IAAI,cAAc,SAAS,SAAS,EAAG,QAAO;AACrJ,WAAO,KAAK,eAAe,UAAU,6BAA6B,IAAI,QAAQ,CAAC;AAAA,EACjF;AACF;",
   "names": ["result", "em", "tenantId", "roleIds", "isSuper", "features", "organizations"]
 }

package/dist/modules/catalog/ai-tools/configuration-pack.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/catalog/ai-tools/configuration-pack.ts"],
-  "sourcesContent": ["/**\n * `catalog.list_option_schemas` + `catalog.list_unit_conversions` (Phase 1\n * WS-C, Step 3.10).\n *\n * Product-configuration surface: option schemas (variant axes) and unit\n * conversions (UoM factors).\n *\n * Phase 3c of `.ai/specs/2026-04-27-ai-tools-api-backed-dry-refactor.md`:\n * both tools are now API-backed wrappers over the documented CRUD list\n * routes (`GET /api/catalog/option-schemas` and\n * `GET /api/catalog/product-unit-conversions`). Tool names, schemas,\n * requiredFeatures, and output shapes are unchanged.\n */\nimport { z } from 'zod'\nimport { defineApiBackedAiTool } from '@open-mercato/ai-assistant/modules/ai_assistant/lib/api-backed-tool'\nimport type {\n  AiApiOperationRequest,\n  AiToolExecutionContext,\n} from '@open-mercato/ai-assistant/modules/ai_assistant/lib/ai-api-operation-runner'\nimport { assertTenantScope, type CatalogAiToolDefinition, type CatalogToolContext } from './types'\n\nconst listOptionSchemasInput = z\n  .object({\n    limit: z.number().int().min(1).max(100).optional().describe('Max rows (default 50, max 100).'),\n    offset: z.number().int().min(0).optional().describe('Rows to skip (default 0).'),\n  })\n  .passthrough()\n\ntype ListOptionSchemasInput = z.infer<typeof listOptionSchemasInput>\n\ntype ListOptionSchemasApiItem = {\n  id?: string\n  code?: string | null\n  name?: string | null\n  description?: string | null\n  schema?: unknown\n  metadata?: unknown\n  is_active?: boolean | null\n  isActive?: boolean | null\n  organization_id?: string | null\n  organizationId?: string | null\n  tenant_id?: string | null\n  tenantId?: string | null\n  created_at?: string | null\n  createdAt?: string | null\n}\n\ntype ListOptionSchemasApiResponse = {\n  items?: ListOptionSchemasApiItem[]\n  total?: number\n}\n\ntype ListOptionSchemasOutput = {\n  items: Array<Record<string, unknown>>\n  total: number\n  limit: number\n  offset: number\n}\n\nconst listOptionSchemasTool = defineApiBackedAiTool<\n  ListOptionSchemasInput,\n  ListOptionSchemasApiResponse,\n  ListOptionSchemasOutput\n>({\n  name: 'catalog.list_option_schemas',\n  displayName: 'List option schemas',\n  description:\n    'List product option schemas (variant axes, e.g. size/color definitions) for the caller tenant + organization.',\n  inputSchema: listOptionSchemasInput,\n  requiredFeatures: ['catalog.products.view'],\n  toOperation: (input, ctx) => {\n    assertTenantScope(ctx as unknown as CatalogToolContext)\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const page = Math.floor(offset / limit) + 1\n    const operation: AiApiOperationRequest = {\n      method: 'GET',\n      path: '/catalog/option-schemas',\n      query: { page, pageSize: limit },\n    }\n    return operation\n  },\n  mapResponse: (response, input) => {\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const data = (response.data ?? {}) as ListOptionSchemasApiResponse\n    const rawItems: ListOptionSchemasApiItem[] = Array.isArray(data.items) ? data.items : []\n    return {\n      items: rawItems.map((row) => {\n        const createdAtRaw = row.created_at ?? row.createdAt ?? null\n        const createdAt = createdAtRaw ? new Date(String(createdAtRaw)).toISOString() : null\n        return {\n          id: row.id,\n          code: row.code,\n          name: row.name,\n          description: row.description ?? null,\n          schema: row.schema,\n          metadata: row.metadata ?? null,\n          isActive: !!(row.is_active ?? row.isActive),\n          organizationId: row.organization_id ?? row.organizationId ?? null,\n          tenantId: row.tenant_id ?? row.tenantId ?? null,\n          createdAt,\n        }\n      }),\n      total: typeof data.total === 'number' ? data.total : 0,\n      limit,\n      offset,\n    }\n  },\n}) as unknown as CatalogAiToolDefinition\n\nconst listUnitConversionsInput = z\n  .object({\n    productId: z.string().uuid().optional().describe('Restrict to unit conversions for this product.'),\n    limit: z.number().int().min(1).max(100).optional().describe('Max rows (default 50, max 100).'),\n    offset: z.number().int().min(0).optional().describe('Rows to skip (default 0).'),\n  })\n  .passthrough()\n\ntype ListUnitConversionsInput = z.infer<typeof listUnitConversionsInput>\n\ntype ListUnitConversionsApiItem = {\n  id?: string\n  product_id?: string | null\n  productId?: string | null\n  unit_code?: string | null\n  unitCode?: string | null\n  to_base_factor?: string | number | null\n  toBaseFactor?: string | number | null\n  sort_order?: number | null\n  sortOrder?: number | null\n  is_active?: boolean | null\n  isActive?: boolean | null\n  metadata?: unknown\n  organization_id?: string | null\n  organizationId?: string | null\n  tenant_id?: string | null\n  tenantId?: string | null\n  created_at?: string | null\n  createdAt?: string | null\n}\n\ntype ListUnitConversionsApiResponse = {\n  items?: ListUnitConversionsApiItem[]\n  total?: number\n}\n\ntype ListUnitConversionsOutput = {\n  items: Array<Record<string, unknown>>\n  total: number\n  limit: number\n  offset: number\n}\n\nconst listUnitConversionsTool = defineApiBackedAiTool<\n  ListUnitConversionsInput,\n  ListUnitConversionsApiResponse,\n  ListUnitConversionsOutput\n>({\n  name: 'catalog.list_unit_conversions',\n  displayName: 'List unit conversions',\n  description:\n    'List product unit conversions (alternate units with `toBaseFactor`) for the caller tenant + organization. Optionally narrow by product.',\n  inputSchema: listUnitConversionsInput,\n  requiredFeatures: ['catalog.products.view'],\n  toOperation: (input, ctx) => {\n    assertTenantScope(ctx as unknown as CatalogToolContext)\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const page = Math.floor(offset / limit) + 1\n    const query: Record<string, string | number | boolean | null | undefined> = {\n      page,\n      pageSize: limit,\n    }\n    if (input.productId) query.productId = input.productId\n    const operation: AiApiOperationRequest = {\n      method: 'GET',\n      path: '/catalog/product-unit-conversions',\n      query,\n    }\n    return operation\n  },\n  mapResponse: (response, input) => {\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const data = (response.data ?? {}) as ListUnitConversionsApiResponse\n    const rawItems: ListUnitConversionsApiItem[] = Array.isArray(data.items) ? data.items : []\n    return {\n      items: rawItems.map((row) => {\n        const createdAtRaw = row.created_at ?? row.createdAt ?? null\n        const createdAt = createdAtRaw ? new Date(String(createdAtRaw)).toISOString() : null\n        const toBaseFactor = row.to_base_factor ?? row.toBaseFactor ?? null\n        return {\n          id: row.id,\n          unitCode: row.unit_code ?? row.unitCode ?? null,\n          toBaseFactor: toBaseFactor === null ? null : String(toBaseFactor),\n          sortOrder: row.sort_order ?? row.sortOrder ?? 0,\n          isActive: !!(row.is_active ?? row.isActive),\n          productId: row.product_id ?? row.productId ?? null,\n          metadata: row.metadata ?? null,\n          organizationId: row.organization_id ?? row.organizationId ?? null,\n          tenantId: row.tenant_id ?? row.tenantId ?? null,\n          createdAt,\n        }\n      }),\n      total: typeof data.total === 'number' ? data.total : 0,\n      limit,\n      offset,\n    }\n  },\n}) as unknown as CatalogAiToolDefinition\n\nexport const configurationAiTools: CatalogAiToolDefinition[] = [\n  listOptionSchemasTool,\n  listUnitConversionsTool,\n]\n\nexport default configurationAiTools\n"],
+  "sourcesContent": ["/**\n * `catalog.list_option_schemas` + `catalog.list_unit_conversions` (Phase 1\n * WS-C, Step 3.10).\n *\n * Product-configuration surface: option schemas (variant axes) and unit\n * conversions (UoM factors).\n *\n * Phase 3c of `.ai/specs/implemented/2026-04-27-ai-tools-api-backed-dry-refactor.md`:\n * both tools are now API-backed wrappers over the documented CRUD list\n * routes (`GET /api/catalog/option-schemas` and\n * `GET /api/catalog/product-unit-conversions`). Tool names, schemas,\n * requiredFeatures, and output shapes are unchanged.\n */\nimport { z } from 'zod'\nimport { defineApiBackedAiTool } from '@open-mercato/ai-assistant/modules/ai_assistant/lib/api-backed-tool'\nimport type {\n  AiApiOperationRequest,\n  AiToolExecutionContext,\n} from '@open-mercato/ai-assistant/modules/ai_assistant/lib/ai-api-operation-runner'\nimport { assertTenantScope, type CatalogAiToolDefinition, type CatalogToolContext } from './types'\n\nconst listOptionSchemasInput = z\n  .object({\n    limit: z.number().int().min(1).max(100).optional().describe('Max rows (default 50, max 100).'),\n    offset: z.number().int().min(0).optional().describe('Rows to skip (default 0).'),\n  })\n  .passthrough()\n\ntype ListOptionSchemasInput = z.infer<typeof listOptionSchemasInput>\n\ntype ListOptionSchemasApiItem = {\n  id?: string\n  code?: string | null\n  name?: string | null\n  description?: string | null\n  schema?: unknown\n  metadata?: unknown\n  is_active?: boolean | null\n  isActive?: boolean | null\n  organization_id?: string | null\n  organizationId?: string | null\n  tenant_id?: string | null\n  tenantId?: string | null\n  created_at?: string | null\n  createdAt?: string | null\n}\n\ntype ListOptionSchemasApiResponse = {\n  items?: ListOptionSchemasApiItem[]\n  total?: number\n}\n\ntype ListOptionSchemasOutput = {\n  items: Array<Record<string, unknown>>\n  total: number\n  limit: number\n  offset: number\n}\n\nconst listOptionSchemasTool = defineApiBackedAiTool<\n  ListOptionSchemasInput,\n  ListOptionSchemasApiResponse,\n  ListOptionSchemasOutput\n>({\n  name: 'catalog.list_option_schemas',\n  displayName: 'List option schemas',\n  description:\n    'List product option schemas (variant axes, e.g. size/color definitions) for the caller tenant + organization.',\n  inputSchema: listOptionSchemasInput,\n  requiredFeatures: ['catalog.products.view'],\n  toOperation: (input, ctx) => {\n    assertTenantScope(ctx as unknown as CatalogToolContext)\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const page = Math.floor(offset / limit) + 1\n    const operation: AiApiOperationRequest = {\n      method: 'GET',\n      path: '/catalog/option-schemas',\n      query: { page, pageSize: limit },\n    }\n    return operation\n  },\n  mapResponse: (response, input) => {\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const data = (response.data ?? {}) as ListOptionSchemasApiResponse\n    const rawItems: ListOptionSchemasApiItem[] = Array.isArray(data.items) ? data.items : []\n    return {\n      items: rawItems.map((row) => {\n        const createdAtRaw = row.created_at ?? row.createdAt ?? null\n        const createdAt = createdAtRaw ? new Date(String(createdAtRaw)).toISOString() : null\n        return {\n          id: row.id,\n          code: row.code,\n          name: row.name,\n          description: row.description ?? null,\n          schema: row.schema,\n          metadata: row.metadata ?? null,\n          isActive: !!(row.is_active ?? row.isActive),\n          organizationId: row.organization_id ?? row.organizationId ?? null,\n          tenantId: row.tenant_id ?? row.tenantId ?? null,\n          createdAt,\n        }\n      }),\n      total: typeof data.total === 'number' ? data.total : 0,\n      limit,\n      offset,\n    }\n  },\n}) as unknown as CatalogAiToolDefinition\n\nconst listUnitConversionsInput = z\n  .object({\n    productId: z.string().uuid().optional().describe('Restrict to unit conversions for this product.'),\n    limit: z.number().int().min(1).max(100).optional().describe('Max rows (default 50, max 100).'),\n    offset: z.number().int().min(0).optional().describe('Rows to skip (default 0).'),\n  })\n  .passthrough()\n\ntype ListUnitConversionsInput = z.infer<typeof listUnitConversionsInput>\n\ntype ListUnitConversionsApiItem = {\n  id?: string\n  product_id?: string | null\n  productId?: string | null\n  unit_code?: string | null\n  unitCode?: string | null\n  to_base_factor?: string | number | null\n  toBaseFactor?: string | number | null\n  sort_order?: number | null\n  sortOrder?: number | null\n  is_active?: boolean | null\n  isActive?: boolean | null\n  metadata?: unknown\n  organization_id?: string | null\n  organizationId?: string | null\n  tenant_id?: string | null\n  tenantId?: string | null\n  created_at?: string | null\n  createdAt?: string | null\n}\n\ntype ListUnitConversionsApiResponse = {\n  items?: ListUnitConversionsApiItem[]\n  total?: number\n}\n\ntype ListUnitConversionsOutput = {\n  items: Array<Record<string, unknown>>\n  total: number\n  limit: number\n  offset: number\n}\n\nconst listUnitConversionsTool = defineApiBackedAiTool<\n  ListUnitConversionsInput,\n  ListUnitConversionsApiResponse,\n  ListUnitConversionsOutput\n>({\n  name: 'catalog.list_unit_conversions',\n  displayName: 'List unit conversions',\n  description:\n    'List product unit conversions (alternate units with `toBaseFactor`) for the caller tenant + organization. Optionally narrow by product.',\n  inputSchema: listUnitConversionsInput,\n  requiredFeatures: ['catalog.products.view'],\n  toOperation: (input, ctx) => {\n    assertTenantScope(ctx as unknown as CatalogToolContext)\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const page = Math.floor(offset / limit) + 1\n    const query: Record<string, string | number | boolean | null | undefined> = {\n      page,\n      pageSize: limit,\n    }\n    if (input.productId) query.productId = input.productId\n    const operation: AiApiOperationRequest = {\n      method: 'GET',\n      path: '/catalog/product-unit-conversions',\n      query,\n    }\n    return operation\n  },\n  mapResponse: (response, input) => {\n    const limit = input.limit ?? 50\n    const offset = input.offset ?? 0\n    const data = (response.data ?? {}) as ListUnitConversionsApiResponse\n    const rawItems: ListUnitConversionsApiItem[] = Array.isArray(data.items) ? data.items : []\n    return {\n      items: rawItems.map((row) => {\n        const createdAtRaw = row.created_at ?? row.createdAt ?? null\n        const createdAt = createdAtRaw ? new Date(String(createdAtRaw)).toISOString() : null\n        const toBaseFactor = row.to_base_factor ?? row.toBaseFactor ?? null\n        return {\n          id: row.id,\n          unitCode: row.unit_code ?? row.unitCode ?? null,\n          toBaseFactor: toBaseFactor === null ? null : String(toBaseFactor),\n          sortOrder: row.sort_order ?? row.sortOrder ?? 0,\n          isActive: !!(row.is_active ?? row.isActive),\n          productId: row.product_id ?? row.productId ?? null,\n          metadata: row.metadata ?? null,\n          organizationId: row.organization_id ?? row.organizationId ?? null,\n          tenantId: row.tenant_id ?? row.tenantId ?? null,\n          createdAt,\n        }\n      }),\n      total: typeof data.total === 'number' ? data.total : 0,\n      limit,\n      offset,\n    }\n  },\n}) as unknown as CatalogAiToolDefinition\n\nexport const configurationAiTools: CatalogAiToolDefinition[] = [\n  listOptionSchemasTool,\n  listUnitConversionsTool,\n]\n\nexport default configurationAiTools\n"],
   "mappings": "AAaA,SAAS,SAAS;AAClB,SAAS,6BAA6B;AAKtC,SAAS,yBAAgF;AAEzF,MAAM,yBAAyB,EAC5B,OAAO;AAAA,EACN,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS,iCAAiC;AAAA,EAC7F,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,2BAA2B;AACjF,CAAC,EACA,YAAY;AAiCf,MAAM,wBAAwB,sBAI5B;AAAA,EACA,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aACE;AAAA,EACF,aAAa;AAAA,EACb,kBAAkB,CAAC,uBAAuB;AAAA,EAC1C,aAAa,CAAC,OAAO,QAAQ;AAC3B,sBAAkB,GAAoC;AACtD,UAAM,QAAQ,MAAM,SAAS;AAC7B,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,OAAO,KAAK,MAAM,SAAS,KAAK,IAAI;AAC1C,UAAM,YAAmC;AAAA,MACvC,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,OAAO,EAAE,MAAM,UAAU,MAAM;AAAA,IACjC;AACA,WAAO;AAAA,EACT;AAAA,EACA,aAAa,CAAC,UAAU,UAAU;AAChC,UAAM,QAAQ,MAAM,SAAS;AAC7B,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,OAAQ,SAAS,QAAQ,CAAC;AAChC,UAAM,WAAuC,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AACvF,WAAO;AAAA,MACL,OAAO,SAAS,IAAI,CAAC,QAAQ;AAC3B,cAAM,eAAe,IAAI,cAAc,IAAI,aAAa;AACxD,cAAM,YAAY,eAAe,IAAI,KAAK,OAAO,YAAY,CAAC,EAAE,YAAY,IAAI;AAChF,eAAO;AAAA,UACL,IAAI,IAAI;AAAA,UACR,MAAM,IAAI;AAAA,UACV,MAAM,IAAI;AAAA,UACV,aAAa,IAAI,eAAe;AAAA,UAChC,QAAQ,IAAI;AAAA,UACZ,UAAU,IAAI,YAAY;AAAA,UAC1B,UAAU,CAAC,EAAE,IAAI,aAAa,IAAI;AAAA,UAClC,gBAAgB,IAAI,mBAAmB,IAAI,kBAAkB;AAAA,UAC7D,UAAU,IAAI,aAAa,IAAI,YAAY;AAAA,UAC3C;AAAA,QACF;AAAA,MACF,CAAC;AAAA,MACD,OAAO,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAAA,MACrD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAED,MAAM,2BAA2B,EAC9B,OAAO;AAAA,EACN,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,gDAAgD;AAAA,EACjG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS,iCAAiC;AAAA,EAC7F,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,2BAA2B;AACjF,CAAC,EACA,YAAY;AAqCf,MAAM,0BAA0B,sBAI9B;AAAA,EACA,MAAM;AAAA,EACN,aAAa;AAAA,EACb,aACE;AAAA,EACF,aAAa;AAAA,EACb,kBAAkB,CAAC,uBAAuB;AAAA,EAC1C,aAAa,CAAC,OAAO,QAAQ;AAC3B,sBAAkB,GAAoC;AACtD,UAAM,QAAQ,MAAM,SAAS;AAC7B,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,OAAO,KAAK,MAAM,SAAS,KAAK,IAAI;AAC1C,UAAM,QAAsE;AAAA,MAC1E;AAAA,MACA,UAAU;AAAA,IACZ;AACA,QAAI,MAAM,UAAW,OAAM,YAAY,MAAM;AAC7C,UAAM,YAAmC;AAAA,MACvC,QAAQ;AAAA,MACR,MAAM;AAAA,MACN;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EACA,aAAa,CAAC,UAAU,UAAU;AAChC,UAAM,QAAQ,MAAM,SAAS;AAC7B,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,OAAQ,SAAS,QAAQ,CAAC;AAChC,UAAM,WAAyC,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AACzF,WAAO;AAAA,MACL,OAAO,SAAS,IAAI,CAAC,QAAQ;AAC3B,cAAM,eAAe,IAAI,cAAc,IAAI,aAAa;AACxD,cAAM,YAAY,eAAe,IAAI,KAAK,OAAO,YAAY,CAAC,EAAE,YAAY,IAAI;AAChF,cAAM,eAAe,IAAI,kBAAkB,IAAI,gBAAgB;AAC/D,eAAO;AAAA,UACL,IAAI,IAAI;AAAA,UACR,UAAU,IAAI,aAAa,IAAI,YAAY;AAAA,UAC3C,cAAc,iBAAiB,OAAO,OAAO,OAAO,YAAY;AAAA,UAChE,WAAW,IAAI,cAAc,IAAI,aAAa;AAAA,UAC9C,UAAU,CAAC,EAAE,IAAI,aAAa,IAAI;AAAA,UAClC,WAAW,IAAI,cAAc,IAAI,aAAa;AAAA,UAC9C,UAAU,IAAI,YAAY;AAAA,UAC1B,gBAAgB,IAAI,mBAAmB,IAAI,kBAAkB;AAAA,UAC7D,UAAU,IAAI,aAAa,IAAI,YAAY;AAAA,UAC3C;AAAA,QACF;AAAA,MACF,CAAC;AAAA,MACD,OAAO,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAAA,MACrD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF,CAAC;AAEM,MAAM,uBAAkD;AAAA,EAC7D;AAAA,EACA;AACF;AAEA,IAAO,6BAAQ;",
   "names": []
 }