@open-mercato/core 0.6.5-develop.5382.1.f542de69af → 0.6.5

package/src/modules/attachments/AGENTS.md

@@ -0,0 +1,79 @@
+# Attachments Module — Agent Guidelines
+
+The `attachments` module owns file uploads, storage drivers, partitions, OCR, and
+the `attachments` table. Every attachment row carries a `tenant_id` /
+`organization_id` scope pair that governs cross-tenant access.
+
+## Scope & Access Policy
+
+`attachments.tenant_id` and `attachments.organization_id` are **nullable** at the
+DB level, but only two scope shapes are valid:
+
+| Shape | `tenant_id` | `organization_id` | Meaning | Who can read it |
+|-------|-------------|-------------------|---------|-----------------|
+| **Scoped** | set | set | Belongs to one tenant + org | Same-scope principals + superadmin |
+| **Global** | null | null | Legacy "global attachment" | Any authenticated principal (and unauthenticated only on a `is_public` partition) |
+| **Partial-null** ❌ | set / null | null / set | **Invalid — never create** | Nobody (fail-closed) except superadmin |
+
+The "both-or-neither" rule is the legitimate-unscoped use case referenced by
+[#2109](https://github.com/open-mercato/open-mercato/issues/2109): a fully-global
+(both-null) attachment is intentionally supported by `isSameScope`, so the columns
+cannot simply be made `NOT NULL` without breaking that semantic or backfilling a
+sentinel tenant onto legacy rows.
+
+### Why partial-null is dangerous
+
+`isSameScope` (`lib/access.ts`) deliberately **fails closed** on partial-null rows
+(#2107): a row with one scope column set and the other null matches no principal's
+auth and is unreadable by everyone except a superadmin. Such a row is therefore
+*dead data* — it can only ever leak through a future code path that reads or
+exports attachments **without** going through `checkAttachmentAccess` (a new export
+endpoint, webhook delivery, OCR worker, or migration backfill). That is exactly the
+fail-open class the access fix closed at read time; the creation guard closes it at
+write time.
+
+## Always
+
+- **MUST call `assertAttachmentScopeInvariant({ tenantId, organizationId })` from
+  `lib/access.ts` before persisting any new `Attachment` row.** It throws on a
+  partial-null scope and accepts both fully-scoped and fully-global rows. The
+  attachments upload route (`api/route.ts`) already guards its creation site.
+- **MUST gate every attachment read through `checkAttachmentAccess`** (`lib/access.ts`)
+  so tenant scoping and partition visibility are enforced consistently.
+- When copying/cloning attachments across records, **carry the source row's scope
+  pair as a unit** (both columns together) rather than overriding one column with a
+  possibly-null value.
+
+## Never
+
+- **Never create a partial-null attachment** (one scope column set, the other null).
+- **Never read or expose attachment rows without `checkAttachmentAccess`** — bypassing
+  it reintroduces the cross-tenant fail-open class.
+
+## Known cross-module creation paths
+
+These paths create `Attachment` rows from other modules and must preserve the
+both-or-neither invariant (audited for #2109):
+
+- `packages/core/src/modules/attachments/api/route.ts` — primary upload; scope comes
+  from authenticated request context (both set). **Guarded.**
+- `packages/core/src/modules/sync_excel/lib/upload-storage.ts` — both scopes are
+  required inputs (type-enforced). Safe.
+- `packages/core/src/modules/catalog/seed/examples.ts` — both scopes required on
+  `SeedScope`. Safe.
+- `packages/core/src/modules/catalog/commands/variants.ts` — clones variant media to
+  the product; inherits the source/variant scope pair (`?? null` only collapses to
+  the global both-null shape).
+- `packages/core/src/modules/messages/lib/attachments.ts`
+  (`copyAttachmentsForForwardMessages`) — copies forwarded message attachments and
+  accepts a nullable `targetOrganizationId` with a non-null `tenantId`. This is the
+  one path that can construct a partial-null row; copy the **source attachment's**
+  scope pair when wiring new callers, and apply the creation guard if this path is
+  refactored.
+
+## Validation Commands
+
+```bash
+yarn workspace @open-mercato/core test -- access
+yarn workspace @open-mercato/core build
+```

package/src/modules/attachments/api/route.ts

@@ -12,6 +12,7 @@ import { requestOcrProcessing } from '../lib/ocrQueue'
 import { StorageDriverFactory } from '../lib/drivers'
 import { OcrService, shouldUseLlmOcr } from '../lib/ocrService'
 import { clearAttachmentThumbnailCache } from '../lib/thumbnailCache'
+import { assertAttachmentScopeInvariant } from '../lib/access'
 import {
   mergeAttachmentMetadata,
   normalizeAttachmentAssignments,
@@ -421,6 +422,7 @@ export async function POST(req: Request) {
   }
   const metadata = mergeAttachmentMetadata(null, { assignments, tags })
   const attachmentId = randomUUID()
+  assertAttachmentScopeInvariant({ tenantId: auth.tenantId, organizationId: auth.orgId })
   const att = em.create(Attachment, {
     id: attachmentId,
     entityId,

package/src/modules/attachments/lib/access.ts

@@ -1,6 +1,42 @@
 import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
 import type { Attachment, AttachmentPartition } from '../data/entities'
 
+export type AttachmentScope = {
+  tenantId?: string | null
+  organizationId?: string | null
+}
+
+function normalizeScopeValue(value: string | null | undefined): string | null {
+  if (typeof value !== 'string') return null
+  const trimmed = value.trim()
+  return trimmed.length > 0 ? trimmed : null
+}
+
+/**
+ * Enforce the attachments scope invariant at every creation boundary:
+ * an attachment is either fully **global** (both `tenant_id` and
+ * `organization_id` null) or fully **scoped** (both set) — never partial.
+ *
+ * `isSameScope` deliberately treats a partial-null row as inaccessible to
+ * every non-superadmin principal (fail-closed, #2107), so a partial-null row
+ * is dead data that can only ever leak through a future code path that skips
+ * the access check. Guarding creation keeps that class of fail-open bug from
+ * re-emerging (#2109). Call this before persisting any `Attachment`.
+ */
+export function assertAttachmentScopeInvariant(scope: AttachmentScope): void {
+  const tenantId = normalizeScopeValue(scope.tenantId)
+  const organizationId = normalizeScopeValue(scope.organizationId)
+  const tenantSet = tenantId !== null
+  const organizationSet = organizationId !== null
+  if (tenantSet !== organizationSet) {
+    const missing = tenantSet ? 'organization_id' : 'tenant_id'
+    throw new Error(
+      `[internal] Attachment scope invariant violated: ${missing} is null while the other scope column is set. ` +
+        'Attachments must be either fully scoped (both tenant_id and organization_id) or fully global (both null).',
+    )
+  }
+}
+
 export function isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {
   if (!auth) return false
   if ((auth as any).isSuperAdmin === true) return true

package/src/modules/audit_logs/data/entities.ts

@@ -96,6 +96,7 @@ export class ActionLog {
 @Entity({ tableName: 'access_logs' })
 @Index({ name: 'access_logs_tenant_idx', properties: ['tenantId', 'createdAt'] })
 @Index({ name: 'access_logs_actor_idx', properties: ['actorUserId', 'createdAt'] })
+@Index({ name: 'access_logs_created_at_idx', properties: ['createdAt'] })
 export class AccessLog {
   @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })
   id!: string

package/src/modules/audit_logs/migrations/.snapshot-open-mercato.json

@@ -208,6 +208,16 @@
           "primary": false,
           "unique": false
         },
+        {
+          "keyName": "access_logs_created_at_idx",
+          "columnNames": [
+            "created_at"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
         {
           "keyName": "access_logs_pkey",
           "columnNames": [

package/src/modules/audit_logs/migrations/Migration20260611104500.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260611104500 extends Migration {
+
+  override up(): void | Promise<void> {
+    this.addSql(`create index "access_logs_created_at_idx" on "access_logs" ("created_at");`);
+  }
+
+  override down(): void | Promise<void> {
+    this.addSql(`drop index "access_logs_created_at_idx";`);
+  }
+
+}

package/src/modules/audit_logs/services/accessLogService.ts

@@ -20,10 +20,23 @@ function toPositiveNumber(value: string | undefined, fallback: number): number {
   return parsed
 }
 
+function toNonNegativeNumber(value: string | undefined, fallback: number): number {
+  if (value === undefined || value === '') return fallback
+  const parsed = Number(value)
+  if (!Number.isFinite(parsed) || parsed < 0) return fallback
+  return parsed
+}
+
 const CORE_RETENTION_DAYS = toPositiveNumber(process.env.AUDIT_LOGS_CORE_RETENTION_DAYS, 7)
 const NON_CORE_RETENTION_HOURS = toPositiveNumber(process.env.AUDIT_LOGS_NON_CORE_RETENTION_HOURS, 8)
 const CORE_RETENTION_MS = CORE_RETENTION_DAYS * 24 * 60 * 60 * 1000
 const NON_CORE_RETENTION_MS = NON_CORE_RETENTION_HOURS * 60 * 60 * 1000
+// Rotation runs after every successful write; without a gate that means two
+// DELETE statements per CRUD GET. Amortize to one rotation per interval per
+// process — `0` opts back into rotate-on-every-write (test harnesses).
+const ROTATE_INTERVAL_MS = toNonNegativeNumber(process.env.AUDIT_LOGS_ROTATE_INTERVAL_MS, 60_000)
+
+let lastRotatedAt: number | null = null
 const UUID_REGEX = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$/
 // Postgres has a hard limit of 65k bind parameters per statement. Each access
 // log row uses 10 bind values (see INSERT below), so 500 rows × 10 = 5 000
@@ -380,6 +393,8 @@ export class AccessLogService {
 
   private async rotate(fork: EntityManager) {
     const now = Date.now()
+    if (ROTATE_INTERVAL_MS > 0 && lastRotatedAt !== null && now - lastRotatedAt < ROTATE_INTERVAL_MS) return
+    lastRotatedAt = now
     const coreCutoff = new Date(now - CORE_RETENTION_MS)
     const nonCoreCutoff = new Date(now - NON_CORE_RETENTION_MS)
     try {

package/src/modules/auth/api/admin/nav.ts

@@ -69,6 +69,13 @@ const sectionGroupSchema = z.object({
 })
 
 const adminNavResponseSchema = z.object({
+  brand: z.object({
+    name: z.string().optional(),
+    logo: z.object({
+      src: z.string(),
+      alt: z.string().optional(),
+    }).nullable().optional(),
+  }).nullable().optional(),
   groups: z.array(
     z.object({
       id: z.string().optional(),
@@ -160,6 +167,8 @@ export async function GET(req: Request) {
         `nav:entities:${cacheScopeTenantId || 'null'}`,
         `nav:locale:${locale}`,
         `nav:sidebar:user:${auth.sub}`,
+        cacheScopeTenantId ? `nav:sidebar:tenant:${cacheScopeTenantId}` : undefined,
+        cacheScopeOrganizationId ? `nav:sidebar:organization:${cacheScopeOrganizationId}` : undefined,
         `nav:sidebar:scope:${auth.sub}:${cacheScopeTenantId || 'null'}:${cacheScopeOrganizationId || 'null'}:${locale}`,
         ...((Array.isArray(auth.roles) ? auth.roles : []).map((role) => `nav:sidebar:role:${role}`)),
       ].filter(Boolean) as string[]

package/src/modules/auth/api/login.ts

@@ -108,21 +108,21 @@ export async function POST(req: Request) {
     user = await auth.findUserByEmailAndTenant(parsed.data.email, tenantId)
   } else {
     const users = await auth.findUsersByEmail(parsed.data.email)
-    if (users.length > 1) {
-      return NextResponse.json({
-        ok: false,
-        error: translate('auth.login.errors.tenantRequired', 'Use the login link provided with your tenant activation to continue.'),
-      }, { status: 400 })
-    }
-    user = users[0] ?? null
-  }
-  if (!user || !user.passwordHash) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_credentials' }).catch(() => undefined)
-    return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
+    // Never disclose that an email is registered across multiple tenants — a
+    // password-independent 400-vs-401 response is an account/topology oracle
+    // (issue #2242). Treat an ambiguous match as no resolvable user and fall
+    // through to the uniform invalid-credentials path; tenant-selection
+    // guidance is delivered out-of-band via the activation/login link.
+    user = users.length === 1 ? users[0] : null
   }
+  // Always verify the password — verifyPassword runs a constant-time bcrypt
+  // comparison even when the user is missing or has no hash — so unknown-email,
+  // wrong-password, and multi-tenant cases return an identical 401 with
+  // identical latency.
   const ok = await auth.verifyPassword(user, parsed.data.password)
-  if (!ok) {
-    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason: 'invalid_password' }).catch(() => undefined)
+  if (!user || !ok) {
+    const reason = user?.passwordHash ? 'invalid_password' : 'invalid_credentials'
+    void emitAuthEvent('auth.login.failed', { email: parsed.data.email, reason }).catch(() => undefined)
     return NextResponse.json({ ok: false, error: translate('auth.login.errors.invalidCredentials', 'Invalid email or password') }, { status: 401 })
   }
   // Optional role requirement

package/src/modules/auth/data/entities.ts

@@ -178,6 +178,8 @@ export class SidebarVariant {
 }
 
 @Entity({ tableName: 'user_roles' })
+@Index({ name: 'user_roles_user_id_idx', properties: ['user'] })
+@Index({ name: 'user_roles_role_id_idx', properties: ['role'] })
 export class UserRole {
   @PrimaryKey({ type: 'uuid', defaultRaw: 'gen_random_uuid()' })
   id!: string

package/src/modules/auth/i18n/de.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Ungültige E-Mail oder ungültiges Passwort",
   "auth.login.errors.permissionDenied": "Du hast keine Berechtigung, auf diesen Bereich zuzugreifen. Bitte wende dich an deine Administration.",
   "auth.login.errors.tenantInvalid": "Tenant nicht gefunden. Entferne die Tenant-Auswahl und versuche es erneut.",
-  "auth.login.errors.tenantRequired": "Nutze den Login-Link aus deiner Tenant-Aktivierung, um fortzufahren.",
   "auth.login.featureDenied": "Du hast keinen Zugriff auf diese Funktion ({feature}). Bitte wende dich an deine Administration.",
   "auth.login.forgotPassword": "Passwort vergessen?",
   "auth.login.loading": "Wird geladen ...",

package/src/modules/auth/i18n/en.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Invalid email or password",
   "auth.login.errors.permissionDenied": "You do not have permission to access this area. Please contact your administrator.",
   "auth.login.errors.tenantInvalid": "Tenant not found. Clear the tenant selection and try again.",
-  "auth.login.errors.tenantRequired": "Use the login link provided with your tenant activation to continue.",
   "auth.login.featureDenied": "You don't have access to this feature ({feature}). Please contact your administrator.",
   "auth.login.forgotPassword": "Forgot password?",
   "auth.login.loading": "Loading...",

package/src/modules/auth/i18n/es.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Correo electrónico o contraseña no válidos",
   "auth.login.errors.permissionDenied": "No tienes permiso para acceder a esta área. Ponte en contacto con tu administrador.",
   "auth.login.errors.tenantInvalid": "No se encontró el inquilino. Borra la selección e inténtalo de nuevo.",
-  "auth.login.errors.tenantRequired": "Usa el enlace de inicio de sesión proporcionado con la activación de tu inquilino para continuar.",
   "auth.login.featureDenied": "No tienes acceso a esta funcionalidad ({feature}). Ponte en contacto con tu administrador.",
   "auth.login.forgotPassword": "¿Olvidaste tu contraseña?",
   "auth.login.loading": "Cargando...",

package/src/modules/auth/i18n/pl.json

@@ -43,7 +43,6 @@
   "auth.login.errors.invalidCredentials": "Nieprawidłowy email lub hasło",
   "auth.login.errors.permissionDenied": "Nie masz uprawnień do tego obszaru. Skontaktuj się z administratorem.",
   "auth.login.errors.tenantInvalid": "Nie znaleziono najemcy. Wyczyść wybór i spróbuj ponownie.",
-  "auth.login.errors.tenantRequired": "Użyj linku logowania z aktywacji najemcy, aby kontynuować.",
   "auth.login.featureDenied": "Nie masz dostępu do tej funkcji ({feature}). Skontaktuj się z administratorem.",
   "auth.login.forgotPassword": "Nie pamiętasz hasła?",
   "auth.login.loading": "Ładowanie...",

package/src/modules/auth/lib/backendChrome.tsx

@@ -22,9 +22,15 @@ import { resolveRegisteredLucideIconNode } from '@open-mercato/ui/backend/icons/
 import { profilePathPrefixes, profileSections } from './profile-sections'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { filterGrantsByEnabledModules } from '@open-mercato/shared/security/enabledModulesRegistry'
-import { resolveFeatureCheckContext } from '@open-mercato/core/modules/directory/utils/organizationScope'
+import {
+  getSelectedOrganizationFromRequest,
+  resolveFeatureCheckContext,
+} from '@open-mercato/core/modules/directory/utils/organizationScope'
+import { isAllOrganizationsSelection } from '@open-mercato/core/modules/directory/constants'
+import { Organization } from '@open-mercato/core/modules/directory/data/entities'
 import { CustomEntity } from '@open-mercato/core/modules/entities/data/entities'
 import { Role } from '@open-mercato/core/modules/auth/data/entities'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 import {
   applySidebarPreference,
   loadFirstRoleSidebarPreference,
@@ -397,6 +403,35 @@ export async function resolveBackendChromePayload({
     ),
   )
 
+  const requestOrganizationId = request ? getSelectedOrganizationFromRequest(request) : null
+  const fallbackOrganizationId = selectedOrganizationId ?? requestOrganizationId ?? auth.orgId ?? null
+  const brandOrganizationId = scopedOrganizationId
+    ?? (fallbackOrganizationId && !isAllOrganizationsSelection(fallbackOrganizationId) ? fallbackOrganizationId : null)
+
+  let brand: BackendChromePayload['brand'] = null
+  if (brandOrganizationId && scopedTenantId) {
+    try {
+      const organization = await findOneWithDecryption(
+        em,
+        Organization,
+        { id: brandOrganizationId, tenant: scopedTenantId, deletedAt: null },
+        undefined,
+        { tenantId: scopedTenantId, organizationId: brandOrganizationId },
+      )
+      if (organization?.logoUrl) {
+        brand = {
+          name: organization.name,
+          logo: {
+            src: organization.logoUrl,
+            alt: `${organization.name} logo`,
+          },
+        }
+      }
+    } catch {
+      brand = null
+    }
+  }
+
   return {
     groups: appliedGroups.map(({ weight: _weight, ...group }) => group),
     settingsSections,
@@ -405,5 +440,6 @@ export async function resolveBackendChromePayload({
     profilePathPrefixes,
     grantedFeatures,
     roles: Array.isArray(auth.roles) ? auth.roles : [],
+    brand,
   }
 }

package/src/modules/auth/lib/consentIntegrity.ts

@@ -14,18 +14,21 @@ const DEV_ONLY_SECRET = 'om-consent-integrity-dev-only-secret'
 let missingSecretWarned = false
 
 function getSecret(): string {
-  const secret = process.env.CONSENT_INTEGRITY_SECRET || process.env.NEXTAUTH_SECRET
+  const secret = process.env.CONSENT_INTEGRITY_SECRET
+    || process.env.AUTH_SECRET
+    || process.env.NEXTAUTH_SECRET
+    || process.env.JWT_SECRET
   if (!secret) {
     if (process.env.NODE_ENV === 'production') {
       throw new Error(
-        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set. ' +
+        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set. ' +
         'Refusing to compute or verify consent integrity hashes in production without a real secret.',
       )
     }
     if (!missingSecretWarned) {
       missingSecretWarned = true
       console.warn(
-        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/NEXTAUTH_SECRET set — ' +
+        '[consentIntegrity] No CONSENT_INTEGRITY_SECRET/AUTH_SECRET/NEXTAUTH_SECRET/JWT_SECRET set — ' +
         'using insecure dev-only default. Set a secret before deploying to production.',
       )
     }

package/src/modules/auth/migrations/.snapshot-open-mercato.json

@@ -1732,6 +1732,26 @@
         }
       },
       "indexes": [
+        {
+          "keyName": "user_roles_user_id_idx",
+          "columnNames": [
+            "user_id"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
+        {
+          "keyName": "user_roles_role_id_idx",
+          "columnNames": [
+            "role_id"
+          ],
+          "composite": false,
+          "constraint": false,
+          "primary": false,
+          "unique": false
+        },
         {
           "keyName": "user_roles_pkey",
           "columnNames": [

package/src/modules/auth/migrations/Migration20260611103000.ts

@@ -0,0 +1,21 @@
+import { Migration } from '@mikro-orm/migrations';
+
+// #2966: user_roles carries only its FK constraints and Postgres does not
+// auto-index FK columns, so RBAC scans it sequentially by user_id on every
+// ACL cache miss (rbacService super-admin check + ACL aggregation) and by
+// role_id on user-list filtering and role rename/delete guards. Index both
+// FK columns so these hot paths become index scans. The table is small
+// relative to search_tokens, so a plain (transactional) build is safe.
+export class Migration20260611103000 extends Migration {
+
+  override up(): void | Promise<void> {
+    this.addSql(`create index if not exists "user_roles_user_id_idx" on "user_roles" ("user_id");`);
+    this.addSql(`create index if not exists "user_roles_role_id_idx" on "user_roles" ("role_id");`);
+  }
+
+  override down(): void | Promise<void> {
+    this.addSql(`drop index if exists "user_roles_user_id_idx";`);
+    this.addSql(`drop index if exists "user_roles_role_id_idx";`);
+  }
+
+}

package/src/modules/auth/services/authService.ts

@@ -5,6 +5,13 @@ import { emailHashLookupValues } from '@open-mercato/core/modules/auth/lib/email
 import { generateAuthToken, hashAuthToken } from '@open-mercato/core/modules/auth/lib/tokenHash'
 import { findWithDecryption, findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
 
+// A fixed, valid bcrypt hash (cost 10) of a throwaway value no real password
+// can match. verifyPassword compares against it whenever the user is missing or
+// has no password hash, so a failed login spends the same bcrypt CPU time
+// regardless of whether the account exists — closing the timing side channel
+// for account enumeration (issue #2242).
+const TIMING_EQUALIZER_PASSWORD_HASH = '$2b$10$OcZrhmZpIzJOjkfwUrk7d.Nl0eHNzOvalBcBlt5Ran.4lj8R3HZg6'
+
 export class AuthService {
   constructor(private em: EntityManager) {}
 
@@ -48,9 +55,13 @@ export class AuthService {
     )
   }
 
-  async verifyPassword(user: User, password: string) {
-    if (!user.passwordHash) return false
-    return compare(password, user.passwordHash)
+  async verifyPassword(user: User | null, password: string) {
+    const storedHash = user?.passwordHash ?? null
+    // Always run a bcrypt comparison — against a fixed dummy hash when the user
+    // is absent or has no password — so login latency does not reveal whether
+    // the account exists (timing-based enumeration, issue #2242).
+    const matched = await compare(password, storedHash ?? TIMING_EQUALIZER_PASSWORD_HASH)
+    return storedHash !== null && matched
   }
 
   async updateLastLoginAt(user: User) {
@@ -70,7 +81,16 @@ export class AuthService {
       { populate: ['role'] },
       { tenantId: resolvedTenantId, organizationId: user.organizationId ?? null },
     )
-    return links.map((l) => l.role.name)
+    // A populated `role` can still be null when the link points at a soft-deleted
+    // role (the Role soft-delete filter suppresses hydration), e.g. an admin link
+    // orphaned by a re-seed during interrupted-provisioning recovery. Dropping such
+    // links keeps role resolution from throwing on the login / session-refresh hot
+    // path, mirroring resolveCanonicalStaffAuthContext in lib/sessionIntegrity.ts.
+    return links
+      .map((l) => l.role)
+      .filter((role): role is Role => !!role)
+      .map((role) => role.name)
+      .filter((name): name is string => typeof name === 'string' && name.trim().length > 0)
   }
 
 

package/src/modules/auth/services/rbacService.ts

@@ -4,6 +4,7 @@ import { getCurrentCacheTenant, runWithCacheTenant } from '@open-mercato/cache'
 import { UserAcl, RoleAcl, User, UserRole } from '@open-mercato/core/modules/auth/data/entities'
 import { ApiKey } from '@open-mercato/core/modules/api_keys/data/entities'
 import { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { buildOrgScopeUserCacheTag, buildOrgScopeTenantCacheTag } from '@open-mercato/core/modules/directory/utils/organizationScope'
 import { matchFeature as sharedMatchFeature, hasAllFeatures as sharedHasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'
 import { filterGrantsByEnabledModules, getOwningModuleId, getEnabledModuleIds } from '@open-mercato/shared/security/enabledModulesRegistry'
 
@@ -130,7 +131,12 @@ export class RbacService {
    */
   async invalidateUserCache(userId: string): Promise<void> {
     this.globalSuperAdminCache.delete(userId)
-    await this.deleteCacheByTags([this.getUserTag(userId)])
+    // Also drop the directory OrganizationScope cache for this user. That scope's
+    // accessible-org set is derived from this user's ACL/role grants, so any
+    // permission change that invalidates the RBAC cache must invalidate the
+    // resolved scope too. This is the missing `org-scope:user:*` caller required
+    // before the cross-request scope TTL can be safely enabled (issue #2259).
+    await this.deleteCacheByTags([this.getUserTag(userId), buildOrgScopeUserCacheTag(userId)])
   }
 
   /**
@@ -142,7 +148,10 @@ export class RbacService {
    */
   async invalidateTenantCache(tenantId: string): Promise<void> {
     this.globalSuperAdminCache.clear()
-    await this.deleteCacheByTags([this.getTenantTag(tenantId)], [tenantId])
+    // Role ACL changes invalidate every user in the tenant; the resolved
+    // OrganizationScope for those users derives from the same grants, so drop
+    // the tenant-tagged scope entries alongside the RBAC ones (issue #2259).
+    await this.deleteCacheByTags([this.getTenantTag(tenantId), buildOrgScopeTenantCacheTag(tenantId)], [tenantId])
   }
 
   /**

package/src/modules/customer_accounts/backend/customer_accounts/settings/domain/components/Diagnostics.tsx

@@ -1,7 +1,6 @@
 "use client"
 
 import * as React from 'react'
-import { AlertTriangle } from 'lucide-react'
 import { Alert, AlertTitle, AlertDescription } from '@open-mercato/ui/primitives/alert'
 import { useT } from '@open-mercato/shared/lib/i18n/context'
 import type { DomainMappingRow } from './types'
@@ -15,7 +14,6 @@ export function DnsDiagnostics({ mapping }: DiagnosticsProps) {
   if (mapping.status !== 'dns_failed') return null
   return (
     <Alert variant="destructive">
-      <AlertTriangle className="h-4 w-4" aria-hidden />
       <AlertTitle>
         {t('customer_accounts.domainMapping.dns.diagnostics.title', 'DNS configuration issue')}
       </AlertTitle>
@@ -41,7 +39,6 @@ export function TlsDiagnostics({ mapping }: DiagnosticsProps) {
   if (mapping.status !== 'tls_failed') return null
   return (
     <Alert variant="warning">
-      <AlertTriangle className="h-4 w-4" aria-hidden />
       <AlertTitle>
         {t('customer_accounts.domainMapping.tls.diagnostics.title', 'SSL certificate issue')}
       </AlertTitle>