npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 const enterprisePackage = {
   id: "enterprise",
   description: "Optional enterprise overlays and modules for Open Mercato.",
-  modules: ["security", "record_locks"]
+  modules: ["security", "sso", "record_locks"]
 };
 var index_default = enterprisePackage;
 export {

package/dist/index.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../src/index.ts"],
-  "sourcesContent": ["export const enterprisePackage = {\n  id: 'enterprise',\n  description: 'Optional enterprise overlays and modules for Open Mercato.',\n  modules: ['security', 'record_locks'],\n} as const\n\nexport default enterprisePackage\n"],
-  "mappings": "AAAO,MAAM,oBAAoB;AAAA,EAC/B,IAAI;AAAA,EACJ,aAAa;AAAA,EACb,SAAS,CAAC,YAAY,cAAc;AACtC;AAEA,IAAO,gBAAQ;",
+  "sourcesContent": ["export const enterprisePackage = {\n  id: 'enterprise',\n  description: 'Optional enterprise overlays and modules for Open Mercato.',\n  modules: ['security', 'sso','record_locks'],\n} as const\n\nexport default enterprisePackage\n"],
+  "mappings": "AAAO,MAAM,oBAAoB;AAAA,EAC/B,IAAI;AAAA,EACJ,aAAa;AAAA,EACb,SAAS,CAAC,YAAY,OAAM,cAAc;AAC5C;AAEA,IAAO,gBAAQ;",
   "names": []
 }

package/dist/modules/sso/acl.js ADDED Viewed

@@ -0,0 +1,11 @@
+const features = [
+  { id: "sso.config.view", title: "View SSO configuration", module: "sso" },
+  { id: "sso.config.manage", title: "Manage SSO configuration", module: "sso" },
+  { id: "sso.scim.manage", title: "Manage SCIM provisioning tokens", module: "sso" }
+];
+var acl_default = features;
+export {
+  acl_default as default,
+  features
+};
+//# sourceMappingURL=acl.js.map

package/dist/modules/sso/acl.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/sso/acl.ts"],
+  "sourcesContent": ["export const features = [\n  { id: 'sso.config.view', title: 'View SSO configuration', module: 'sso' },\n  { id: 'sso.config.manage', title: 'Manage SSO configuration', module: 'sso' },\n  { id: 'sso.scim.manage', title: 'Manage SCIM provisioning tokens', module: 'sso' },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB,EAAE,IAAI,mBAAmB,OAAO,0BAA0B,QAAQ,MAAM;AAAA,EACxE,EAAE,IAAI,qBAAqB,OAAO,4BAA4B,QAAQ,MAAM;AAAA,EAC5E,EAAE,IAAI,mBAAmB,OAAO,mCAAmC,QAAQ,MAAM;AACnF;AAEA,IAAO,cAAQ;",
+  "names": []
+}

package/dist/modules/sso/api/admin-context.js ADDED Viewed

@@ -0,0 +1,27 @@
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+async function resolveSsoAdminContext(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.sub) throw new SsoAdminAuthError("Unauthorized", 401);
+  const isSuperAdmin = !!auth.isSuperAdmin;
+  const url = new URL(req.url);
+  return {
+    auth,
+    scope: {
+      isSuperAdmin,
+      organizationId: isSuperAdmin ? url.searchParams.get("organizationId") ?? null : auth.orgId ?? null,
+      tenantId: isSuperAdmin ? url.searchParams.get("tenantId") ?? null : auth.tenantId ?? null
+    }
+  };
+}
+class SsoAdminAuthError extends Error {
+  constructor(message, statusCode) {
+    super(message);
+    this.statusCode = statusCode;
+    this.name = "SsoAdminAuthError";
+  }
+}
+export {
+  SsoAdminAuthError,
+  resolveSsoAdminContext
+};
+//# sourceMappingURL=admin-context.js.map

package/dist/modules/sso/api/admin-context.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/api/admin-context.ts"],
+  "sourcesContent": ["import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport type { SsoAdminScope } from '../services/ssoConfigService'\n\nexport async function resolveSsoAdminContext(req: Request): Promise<{\n  auth: Awaited<ReturnType<typeof getAuthFromRequest>>\n  scope: SsoAdminScope\n}> {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.sub) throw new SsoAdminAuthError('Unauthorized', 401)\n\n  const isSuperAdmin = !!(auth as Record<string, unknown>).isSuperAdmin\n  const url = new URL(req.url)\n\n  return {\n    auth,\n    scope: {\n      isSuperAdmin,\n      organizationId: isSuperAdmin\n        ? url.searchParams.get('organizationId') ?? null\n        : auth.orgId ?? null,\n      tenantId: isSuperAdmin\n        ? url.searchParams.get('tenantId') ?? null\n        : auth.tenantId ?? null,\n    },\n  }\n}\n\nexport class SsoAdminAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode: number,\n  ) {\n    super(message)\n    this.name = 'SsoAdminAuthError'\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,0BAA0B;AAGnC,eAAsB,uBAAuB,KAG1C;AACD,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,IAAK,OAAM,IAAI,kBAAkB,gBAAgB,GAAG;AAE/D,QAAM,eAAe,CAAC,CAAE,KAAiC;AACzD,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAE3B,SAAO;AAAA,IACL;AAAA,IACA,OAAO;AAAA,MACL;AAAA,MACA,gBAAgB,eACZ,IAAI,aAAa,IAAI,gBAAgB,KAAK,OAC1C,KAAK,SAAS;AAAA,MAClB,UAAU,eACN,IAAI,aAAa,IAAI,UAAU,KAAK,OACpC,KAAK,YAAY;AAAA,IACvB;AAAA,EACF;AACF;AAEO,MAAM,0BAA0B,MAAM;AAAA,EAC3C,YACE,SACgB,YAChB;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/callback/oidc/route.js ADDED Viewed

@@ -0,0 +1,103 @@
+import { NextResponse } from "next/server";
+import { toAbsoluteUrl } from "@open-mercato/shared/lib/url";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { emitSsoEvent } from "../../../events.js";
+function parseCookie(req, name) {
+  const cookie = req.headers.get("cookie") || "";
+  const m = cookie.match(new RegExp("(?:^|;\\s*)" + name + "=([^;]+)"));
+  return m ? decodeURIComponent(m[1]) : null;
+}
+async function handleCallback(req) {
+  try {
+    const url = new URL(req.url);
+    const callbackParams = {};
+    url.searchParams.forEach((value, key) => {
+      callbackParams[key] = value;
+    });
+    if (req.method === "POST") {
+      const contentType = req.headers.get("content-type") || "";
+      if (contentType.includes("application/x-www-form-urlencoded")) {
+        const form = await req.formData();
+        form.forEach((value, key) => {
+          callbackParams[key] = String(value);
+        });
+      }
+    }
+    const stateCookie = parseCookie(req, "sso_state");
+    if (!stateCookie) {
+      return NextResponse.redirect(toAbsoluteUrl(req, "/login?error=sso_state_missing"));
+    }
+    if (callbackParams.error) {
+      void emitSsoEvent("sso.login.failed", {
+        reason: callbackParams.error
+      }).catch((e) => console.error("[SSO Event]", e));
+      return NextResponse.redirect(toAbsoluteUrl(req, "/login?error=sso_idp_error"));
+    }
+    if (!callbackParams.code || !callbackParams.state) {
+      return NextResponse.redirect(toAbsoluteUrl(req, "/login?error=sso_missing_params"));
+    }
+    const redirectUri = toAbsoluteUrl(req, "/api/sso/callback/oidc");
+    const container = await createRequestContainer();
+    const ssoService = container.resolve("ssoService");
+    const result = await ssoService.handleOidcCallback(callbackParams, stateCookie, redirectUri);
+    const res = NextResponse.redirect(toAbsoluteUrl(req, result.redirectUrl));
+    res.cookies.set("auth_token", result.token, {
+      httpOnly: true,
+      path: "/",
+      sameSite: "lax",
+      secure: process.env.NODE_ENV !== "development",
+      maxAge: 60 * 60 * 8
+    });
+    res.cookies.set("session_token", result.sessionToken, {
+      httpOnly: true,
+      path: "/",
+      sameSite: "lax",
+      secure: process.env.NODE_ENV !== "development",
+      expires: result.sessionExpiresAt
+    });
+    res.cookies.set("sso_state", "", { path: "/", maxAge: 0 });
+    return res;
+  } catch (err) {
+    console.error("[SSO Callback] Error:", err);
+    void emitSsoEvent("sso.login.failed", {
+      reason: err instanceof Error ? err.message : "callback_failed"
+    }).catch((e) => console.error("[SSO Event]", e));
+    const message = err instanceof Error ? err.message : "";
+    const errorCode = message.includes("email is not verified") ? "sso_email_not_verified" : "sso_failed";
+    return NextResponse.redirect(toAbsoluteUrl(req, `/login?error=${errorCode}`));
+  }
+}
+async function GET(req) {
+  return handleCallback(req);
+}
+async function POST(req) {
+  return handleCallback(req);
+}
+const openApi = {
+  tag: "SSO",
+  summary: "OIDC callback",
+  methods: {
+    GET: {
+      summary: "Handle OIDC callback (GET)",
+      description: "Receives the authorization code from the IdP, exchanges it for tokens, resolves the user, and issues auth cookies.",
+      tags: ["SSO"],
+      responses: [
+        { status: 302, description: "Redirect to application with auth cookies set", mediaType: "text/html" }
+      ]
+    },
+    POST: {
+      summary: "Handle OIDC callback (POST)",
+      description: "Some IdPs send the callback as a POST (form_post response mode). Handles the same flow as the GET variant.",
+      tags: ["SSO"],
+      responses: [
+        { status: 302, description: "Redirect to application with auth cookies set", mediaType: "text/html" }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  POST,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/callback/oidc/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/api/callback/oidc/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { toAbsoluteUrl } from '@open-mercato/shared/lib/url'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoService } from '../../../services/ssoService'\nimport { emitSsoEvent } from '../../../events'\n\nfunction parseCookie(req: Request, name: string): string | null {\n  const cookie = req.headers.get('cookie') || ''\n  const m = cookie.match(new RegExp('(?:^|;\\\\s*)' + name + '=([^;]+)'))\n  return m ? decodeURIComponent(m[1]) : null\n}\n\nasync function handleCallback(req: Request): Promise<NextResponse> {\n  try {\n    const url = new URL(req.url)\n    const callbackParams: Record<string, string> = {}\n    url.searchParams.forEach((value, key) => {\n      callbackParams[key] = value\n    })\n\n    if (req.method === 'POST') {\n      const contentType = req.headers.get('content-type') || ''\n      if (contentType.includes('application/x-www-form-urlencoded')) {\n        const form = await req.formData()\n        form.forEach((value, key) => {\n          callbackParams[key] = String(value)\n        })\n      }\n    }\n\n    const stateCookie = parseCookie(req, 'sso_state')\n    if (!stateCookie) {\n      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_state_missing'))\n    }\n\n    if (callbackParams.error) {\n      void emitSsoEvent('sso.login.failed', {\n        reason: callbackParams.error,\n      }).catch((e) => console.error('[SSO Event]', e))\n      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_idp_error'))\n    }\n\n    if (!callbackParams.code || !callbackParams.state) {\n      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_missing_params'))\n    }\n\n    const redirectUri = toAbsoluteUrl(req, '/api/sso/callback/oidc')\n    const container = await createRequestContainer()\n    const ssoService = container.resolve<SsoService>('ssoService')\n\n    const result = await ssoService.handleOidcCallback(callbackParams, stateCookie, redirectUri)\n\n    const res = NextResponse.redirect(toAbsoluteUrl(req, result.redirectUrl))\n\n    res.cookies.set('auth_token', result.token, {\n      httpOnly: true,\n      path: '/',\n      sameSite: 'lax',\n      secure: process.env.NODE_ENV !== 'development',\n      maxAge: 60 * 60 * 8,\n    })\n\n    res.cookies.set('session_token', result.sessionToken, {\n      httpOnly: true,\n      path: '/',\n      sameSite: 'lax',\n      secure: process.env.NODE_ENV !== 'development',\n      expires: result.sessionExpiresAt,\n    })\n\n    res.cookies.set('sso_state', '', { path: '/', maxAge: 0 })\n\n    return res\n  } catch (err) {\n    console.error('[SSO Callback] Error:', err)\n    void emitSsoEvent('sso.login.failed', {\n      reason: err instanceof Error ? err.message : 'callback_failed',\n    }).catch((e) => console.error('[SSO Event]', e))\n    const message = err instanceof Error ? err.message : ''\n    const errorCode = message.includes('email is not verified') ? 'sso_email_not_verified' : 'sso_failed'\n    return NextResponse.redirect(toAbsoluteUrl(req, `/login?error=${errorCode}`))\n  }\n}\n\nexport async function GET(req: Request) {\n  return handleCallback(req)\n}\n\nexport async function POST(req: Request) {\n  return handleCallback(req)\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'OIDC callback',\n  methods: {\n    GET: {\n      summary: 'Handle OIDC callback (GET)',\n      description: 'Receives the authorization code from the IdP, exchanges it for tokens, resolves the user, and issues auth cookies.',\n      tags: ['SSO'],\n      responses: [\n        { status: 302, description: 'Redirect to application with auth cookies set', mediaType: 'text/html' },\n      ],\n    },\n    POST: {\n      summary: 'Handle OIDC callback (POST)',\n      description: 'Some IdPs send the callback as a POST (form_post response mode). Handles the same flow as the GET variant.',\n      tags: ['SSO'],\n      responses: [\n        { status: 302, description: 'Redirect to application with auth cookies set', mediaType: 'text/html' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,qBAAqB;AAC9B,SAAS,8BAA8B;AAEvC,SAAS,oBAAoB;AAE7B,SAAS,YAAY,KAAc,MAA6B;AAC9D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAC5C,QAAM,IAAI,OAAO,MAAM,IAAI,OAAO,gBAAgB,OAAO,UAAU,CAAC;AACpE,SAAO,IAAI,mBAAmB,EAAE,CAAC,CAAC,IAAI;AACxC;AAEA,eAAe,eAAe,KAAqC;AACjE,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,iBAAyC,CAAC;AAChD,QAAI,aAAa,QAAQ,CAAC,OAAO,QAAQ;AACvC,qBAAe,GAAG,IAAI;AAAA,IACxB,CAAC;AAED,QAAI,IAAI,WAAW,QAAQ;AACzB,YAAM,cAAc,IAAI,QAAQ,IAAI,cAAc,KAAK;AACvD,UAAI,YAAY,SAAS,mCAAmC,GAAG;AAC7D,cAAM,OAAO,MAAM,IAAI,SAAS;AAChC,aAAK,QAAQ,CAAC,OAAO,QAAQ;AAC3B,yBAAe,GAAG,IAAI,OAAO,KAAK;AAAA,QACpC,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,cAAc,YAAY,KAAK,WAAW;AAChD,QAAI,CAAC,aAAa;AAChB,aAAO,aAAa,SAAS,cAAc,KAAK,gCAAgC,CAAC;AAAA,IACnF;AAEA,QAAI,eAAe,OAAO;AACxB,WAAK,aAAa,oBAAoB;AAAA,QACpC,QAAQ,eAAe;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAC/C,aAAO,aAAa,SAAS,cAAc,KAAK,4BAA4B,CAAC;AAAA,IAC/E;AAEA,QAAI,CAAC,eAAe,QAAQ,CAAC,eAAe,OAAO;AACjD,aAAO,aAAa,SAAS,cAAc,KAAK,iCAAiC,CAAC;AAAA,IACpF;AAEA,UAAM,cAAc,cAAc,KAAK,wBAAwB;AAC/D,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,aAAa,UAAU,QAAoB,YAAY;AAE7D,UAAM,SAAS,MAAM,WAAW,mBAAmB,gBAAgB,aAAa,WAAW;AAE3F,UAAM,MAAM,aAAa,SAAS,cAAc,KAAK,OAAO,WAAW,CAAC;AAExE,QAAI,QAAQ,IAAI,cAAc,OAAO,OAAO;AAAA,MAC1C,UAAU;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,QAAQ,KAAK,KAAK;AAAA,IACpB,CAAC;AAED,QAAI,QAAQ,IAAI,iBAAiB,OAAO,cAAc;AAAA,MACpD,UAAU;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,SAAS,OAAO;AAAA,IAClB,CAAC;AAED,QAAI,QAAQ,IAAI,aAAa,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AAEzD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,MAAM,yBAAyB,GAAG;AAC1C,SAAK,aAAa,oBAAoB;AAAA,MACpC,QAAQ,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC/C,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAC/C,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,UAAM,YAAY,QAAQ,SAAS,uBAAuB,IAAI,2BAA2B;AACzF,WAAO,aAAa,SAAS,cAAc,KAAK,gBAAgB,SAAS,EAAE,CAAC;AAAA,EAC9E;AACF;AAEA,eAAsB,IAAI,KAAc;AACtC,SAAO,eAAe,GAAG;AAC3B;AAEA,eAAsB,KAAK,KAAc;AACvC,SAAO,eAAe,GAAG;AAC3B;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iDAAiD,WAAW,YAAY;AAAA,MACtG;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,iDAAiD,WAAW,YAAY;AAAA,MACtG;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/config/[id]/activate/route.js ADDED Viewed

@@ -0,0 +1,49 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ssoActivateSchema } from "../../../../data/validators.js";
+import { resolveSsoAdminContext } from "../../../admin-context.js";
+import { handleSsoAdminApiError } from "../../../error-handler.js";
+const metadata = {
+  POST: { requireAuth: true, requireFeatures: ["sso.config.manage"] }
+};
+async function POST(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const body = await req.json();
+    const parsed = ssoActivateSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.activate(scope, id, parsed.data.active);
+    return NextResponse.json(config);
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "Activate/Deactivate SSO Configuration",
+  methods: {
+    POST: {
+      summary: "Activate or deactivate SSO configuration",
+      description: "Activation requires at least one domain and a successful OIDC discovery test.",
+      tags: ["SSO"],
+      requestBody: { contentType: "application/json", schema: ssoActivateSchema },
+      responses: [{ status: 200, description: "Config activation status updated" }],
+      errors: [
+        { status: 400, description: "Activation failed \u2014 no domains or discovery failed" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Config not found" }
+      ]
+    }
+  }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/config/[id]/activate/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/sso/api/config/%5Bid%5D/activate/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoConfigService } from '../../../../services/ssoConfigService'\nimport { ssoActivateSchema } from '../../../../data/validators'\nimport { resolveSsoAdminContext } from '../../../admin-context'\nimport { handleSsoAdminApiError } from '../../../error-handler'\n\ntype RouteContext = { params: Promise<{ id: string }> }\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n}\n\nexport async function POST(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const body = await req.json()\n    const parsed = ssoActivateSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request' }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.activate(scope, id, parsed.data.active)\n\n    return NextResponse.json(config)\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'Activate/Deactivate SSO Configuration',\n  methods: {\n    POST: {\n      summary: 'Activate or deactivate SSO configuration',\n      description: 'Activation requires at least one domain and a successful OIDC discovery test.',\n      tags: ['SSO'],\n      requestBody: { contentType: 'application/json', schema: ssoActivateSchema },\n      responses: [{ status: 200, description: 'Config activation status updated' }],\n      errors: [\n        { status: 400, description: 'Activation failed \u2014 no domains or discovery failed' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Config not found' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,yBAAyB;AAClC,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAIhC,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAEA,eAAsB,KAAK,KAAc,KAAmB;AAC1D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,kBAAkB,UAAU,IAAI;AAC/C,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,SAAS,OAAO,IAAI,OAAO,KAAK,MAAM;AAEnE,WAAO,aAAa,KAAK,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,aAAa,EAAE,aAAa,oBAAoB,QAAQ,kBAAkB;AAAA,MAC1E,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,mCAAmC,CAAC;AAAA,MAC5E,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0DAAqD;AAAA,QACjF,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/config/[id]/domains/route.js ADDED Viewed

@@ -0,0 +1,96 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ssoDomainAddSchema } from "../../../../data/validators.js";
+import { resolveSsoAdminContext } from "../../../admin-context.js";
+import { handleSsoAdminApiError } from "../../../error-handler.js";
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["sso.config.view"] },
+  POST: { requireAuth: true, requireFeatures: ["sso.config.manage"] },
+  DELETE: { requireAuth: true, requireFeatures: ["sso.config.manage"] }
+};
+async function GET(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.getById(scope, id);
+    if (!config) {
+      return NextResponse.json({ error: "SSO configuration not found" }, { status: 404 });
+    }
+    return NextResponse.json({ domains: config.allowedDomains });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+async function POST(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const body = await req.json();
+    const parsed = ssoDomainAddSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.addDomain(scope, id, parsed.data.domain);
+    return NextResponse.json({ domains: config.allowedDomains });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+async function DELETE(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const url = new URL(req.url);
+    const domain = url.searchParams.get("domain");
+    if (!domain) {
+      return NextResponse.json({ error: "Missing domain query parameter" }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.removeDomain(scope, id, domain);
+    return NextResponse.json({ domains: config.allowedDomains });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "SSO Domain Management",
+  methods: {
+    GET: {
+      summary: "List allowed domains",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "List of allowed domains" }],
+      errors: [{ status: 404, description: "Config not found" }]
+    },
+    POST: {
+      summary: "Add an allowed domain",
+      tags: ["SSO"],
+      requestBody: { contentType: "application/json", schema: ssoDomainAddSchema },
+      responses: [{ status: 200, description: "Domain added" }],
+      errors: [
+        { status: 400, description: "Invalid domain or limit reached" },
+        { status: 404, description: "Config not found" }
+      ]
+    },
+    DELETE: {
+      summary: "Remove an allowed domain",
+      description: "Pass domain as query parameter: ?domain=example.com",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "Domain removed" }],
+      errors: [{ status: 404, description: "Config not found" }]
+    }
+  }
+};
+export {
+  DELETE,
+  GET,
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/config/[id]/domains/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/sso/api/config/%5Bid%5D/domains/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoConfigService } from '../../../../services/ssoConfigService'\nimport { ssoDomainAddSchema } from '../../../../data/validators'\nimport { resolveSsoAdminContext } from '../../../admin-context'\nimport { handleSsoAdminApiError } from '../../../error-handler'\n\ntype RouteContext = { params: Promise<{ id: string }> }\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },\n  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n}\n\nexport async function GET(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.getById(scope, id)\n\n    if (!config) {\n      return NextResponse.json({ error: 'SSO configuration not found' }, { status: 404 })\n    }\n\n    return NextResponse.json({ domains: config.allowedDomains })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport async function POST(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const body = await req.json()\n    const parsed = ssoDomainAddSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.addDomain(scope, id, parsed.data.domain)\n\n    return NextResponse.json({ domains: config.allowedDomains })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport async function DELETE(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const url = new URL(req.url)\n    const domain = url.searchParams.get('domain')\n    if (!domain) {\n      return NextResponse.json({ error: 'Missing domain query parameter' }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.removeDomain(scope, id, domain)\n\n    return NextResponse.json({ domains: config.allowedDomains })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'SSO Domain Management',\n  methods: {\n    GET: {\n      summary: 'List allowed domains',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'List of allowed domains' }],\n      errors: [{ status: 404, description: 'Config not found' }],\n    },\n    POST: {\n      summary: 'Add an allowed domain',\n      tags: ['SSO'],\n      requestBody: { contentType: 'application/json', schema: ssoDomainAddSchema },\n      responses: [{ status: 200, description: 'Domain added' }],\n      errors: [\n        { status: 400, description: 'Invalid domain or limit reached' },\n        { status: 404, description: 'Config not found' },\n      ],\n    },\n    DELETE: {\n      summary: 'Remove an allowed domain',\n      description: 'Pass domain as query parameter: ?domain=example.com',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'Domain removed' }],\n      errors: [{ status: 404, description: 'Config not found' }],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAIhC,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EAClE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEA,eAAsB,IAAI,KAAc,KAAmB;AACzD,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,QAAQ,OAAO,EAAE;AAE9C,QAAI,CAAC,QAAQ;AACX,aAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpF;AAEA,WAAO,aAAa,KAAK,EAAE,SAAS,OAAO,eAAe,CAAC;AAAA,EAC7D,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEA,eAAsB,KAAK,KAAc,KAAmB;AAC1D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,mBAAmB,UAAU,IAAI;AAChD,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzG;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,UAAU,OAAO,IAAI,OAAO,KAAK,MAAM;AAEpE,WAAO,aAAa,KAAK,EAAE,SAAS,OAAO,eAAe,CAAC;AAAA,EAC7D,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEA,eAAsB,OAAO,KAAc,KAAmB;AAC5D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,SAAS,IAAI,aAAa,IAAI,QAAQ;AAC5C,QAAI,CAAC,QAAQ;AACX,aAAO,aAAa,KAAK,EAAE,OAAO,iCAAiC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvF;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,aAAa,OAAO,IAAI,MAAM;AAE3D,WAAO,aAAa,KAAK,EAAE,SAAS,OAAO,eAAe,CAAC;AAAA,EAC7D,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAGO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,0BAA0B,CAAC;AAAA,MACnE,QAAQ,CAAC,EAAE,QAAQ,KAAK,aAAa,mBAAmB,CAAC;AAAA,IAC3D;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,MAAM,CAAC,KAAK;AAAA,MACZ,aAAa,EAAE,aAAa,oBAAoB,QAAQ,mBAAmB;AAAA,MAC3E,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,eAAe,CAAC;AAAA,MACxD,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,kCAAkC;AAAA,QAC9D,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,MACjD;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,iBAAiB,CAAC;AAAA,MAC1D,QAAQ,CAAC,EAAE,QAAQ,KAAK,aAAa,mBAAmB,CAAC;AAAA,IAC3D;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/config/[id]/route.js ADDED Viewed

@@ -0,0 +1,103 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ssoConfigAdminUpdateSchema } from "../../../data/validators.js";
+import { resolveSsoAdminContext } from "../../admin-context.js";
+import { handleSsoAdminApiError } from "../../error-handler.js";
+import { ScimToken } from "../../../data/entities.js";
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["sso.config.view"] },
+  PUT: { requireAuth: true, requireFeatures: ["sso.config.manage"] },
+  DELETE: { requireAuth: true, requireFeatures: ["sso.config.manage"] }
+};
+async function GET(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.getById(scope, id);
+    if (!config) {
+      return NextResponse.json({ error: "SSO configuration not found" }, { status: 404 });
+    }
+    const em = container.resolve("em");
+    const activeScimCount = await em.count(ScimToken, { ssoConfigId: id, isActive: true });
+    return NextResponse.json({ ...config, hasActiveScimTokens: activeScimCount > 0 });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+async function PUT(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const body = await req.json();
+    const parsed = ssoConfigAdminUpdateSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.update(scope, id, parsed.data);
+    return NextResponse.json(config);
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+async function DELETE(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    await service.delete(scope, id);
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "SSO Configuration Detail",
+  methods: {
+    GET: {
+      summary: "Get SSO configuration by ID",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "SSO config detail" }],
+      errors: [
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Config not found" }
+      ]
+    },
+    PUT: {
+      summary: "Update SSO configuration",
+      tags: ["SSO"],
+      requestBody: { contentType: "application/json", schema: ssoConfigAdminUpdateSchema },
+      responses: [{ status: 200, description: "SSO config updated" }],
+      errors: [
+        { status: 400, description: "Invalid input" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Config not found" },
+        { status: 409, description: "Conflict \u2014 JIT and SCIM are mutually exclusive" }
+      ]
+    },
+    DELETE: {
+      summary: "Delete SSO configuration",
+      description: "Soft-deletes the config. Must be deactivated first.",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "Config deleted" }],
+      errors: [
+        { status: 400, description: "Cannot delete active config" },
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Config not found" }
+      ]
+    }
+  }
+};
+export {
+  DELETE,
+  GET,
+  PUT,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/config/[id]/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/api/config/%5Bid%5D/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoConfigService } from '../../../services/ssoConfigService'\nimport { ssoConfigAdminUpdateSchema } from '../../../data/validators'\nimport { resolveSsoAdminContext } from '../../admin-context'\nimport { handleSsoAdminApiError } from '../../error-handler'\nimport { ScimToken } from '../../../data/entities'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\ntype RouteContext = { params: Promise<{ id: string }> }\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },\n  PUT: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n  DELETE: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n}\n\nexport async function GET(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.getById(scope, id)\n\n    if (!config) {\n      return NextResponse.json({ error: 'SSO configuration not found' }, { status: 404 })\n    }\n\n    const em = container.resolve<EntityManager>('em')\n    const activeScimCount = await em.count(ScimToken, { ssoConfigId: id, isActive: true })\n\n    return NextResponse.json({ ...config, hasActiveScimTokens: activeScimCount > 0 })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport async function PUT(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const body = await req.json()\n    const parsed = ssoConfigAdminUpdateSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.update(scope, id, parsed.data)\n\n    return NextResponse.json(config)\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport async function DELETE(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    await service.delete(scope, id)\n\n    return NextResponse.json({ ok: true })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'SSO Configuration Detail',\n  methods: {\n    GET: {\n      summary: 'Get SSO configuration by ID',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'SSO config detail' }],\n      errors: [\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Config not found' },\n      ],\n    },\n    PUT: {\n      summary: 'Update SSO configuration',\n      tags: ['SSO'],\n      requestBody: { contentType: 'application/json', schema: ssoConfigAdminUpdateSchema },\n      responses: [{ status: 200, description: 'SSO config updated' }],\n      errors: [\n        { status: 400, description: 'Invalid input' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Config not found' },\n        { status: 409, description: 'Conflict \u2014 JIT and SCIM are mutually exclusive' },\n      ],\n    },\n    DELETE: {\n      summary: 'Delete SSO configuration',\n      description: 'Soft-deletes the config. Must be deactivated first.',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'Config deleted' }],\n      errors: [\n        { status: 400, description: 'Cannot delete active config' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Config not found' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,kCAAkC;AAC3C,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AACvC,SAAS,iBAAiB;AAKnB,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AAAA,EACjE,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACtE;AAEA,eAAsB,IAAI,KAAc,KAAmB;AACzD,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,QAAQ,OAAO,EAAE;AAE9C,QAAI,CAAC,QAAQ;AACX,aAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpF;AAEA,UAAM,KAAK,UAAU,QAAuB,IAAI;AAChD,UAAM,kBAAkB,MAAM,GAAG,MAAM,WAAW,EAAE,aAAa,IAAI,UAAU,KAAK,CAAC;AAErF,WAAO,aAAa,KAAK,EAAE,GAAG,QAAQ,qBAAqB,kBAAkB,EAAE,CAAC;AAAA,EAClF,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEA,eAAsB,IAAI,KAAc,KAAmB;AACzD,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,2BAA2B,UAAU,IAAI;AACxD,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzG;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,OAAO,OAAO,IAAI,OAAO,IAAI;AAE1D,WAAO,aAAa,KAAK,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEA,eAAsB,OAAO,KAAc,KAAmB;AAC5D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,QAAQ,OAAO,OAAO,EAAE;AAE9B,WAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA,EACvC,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,oBAAoB,CAAC;AAAA,MAC7D,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,MACjD;AAAA,IACF;AAAA,IACA,KAAK;AAAA,MACH,SAAS;AAAA,MACT,MAAM,CAAC,KAAK;AAAA,MACZ,aAAa,EAAE,aAAa,oBAAoB,QAAQ,2BAA2B;AAAA,MACnF,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,qBAAqB,CAAC;AAAA,MAC9D,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,gBAAgB;AAAA,QAC5C,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,QAC/C,EAAE,QAAQ,KAAK,aAAa,sDAAiD;AAAA,MAC/E;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,iBAAiB,CAAC;AAAA,MAC1D,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,8BAA8B;AAAA,QAC1D,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/config/[id]/test/route.js ADDED Viewed

@@ -0,0 +1,41 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { resolveSsoAdminContext } from "../../../admin-context.js";
+import { handleSsoAdminApiError } from "../../../error-handler.js";
+const metadata = {
+  POST: { requireAuth: true, requireFeatures: ["sso.config.manage"] }
+};
+async function POST(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const result = await service.testConnection(scope, id);
+    return NextResponse.json(result);
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "Test SSO Connection",
+  methods: {
+    POST: {
+      summary: "Test OIDC discovery",
+      description: "Verifies that the issuer URL is reachable and returns a valid OIDC discovery document. Does not verify client credentials.",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "Test result with ok/error" }],
+      errors: [
+        { status: 401, description: "Unauthorized" },
+        { status: 404, description: "Config not found" }
+      ]
+    }
+  }
+};
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/config/[id]/test/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/sso/api/config/%5Bid%5D/test/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoConfigService } from '../../../../services/ssoConfigService'\nimport { resolveSsoAdminContext } from '../../../admin-context'\nimport { handleSsoAdminApiError } from '../../../error-handler'\n\ntype RouteContext = { params: Promise<{ id: string }> }\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n}\n\nexport async function POST(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const result = await service.testConnection(scope, id)\n\n    return NextResponse.json(result)\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'Test SSO Connection',\n  methods: {\n    POST: {\n      summary: 'Test OIDC discovery',\n      description: 'Verifies that the issuer URL is reachable and returns a valid OIDC discovery document. Does not verify client credentials.',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'Test result with ok/error' }],\n      errors: [\n        { status: 401, description: 'Unauthorized' },\n        { status: 404, description: 'Config not found' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAIhC,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAEA,eAAsB,KAAK,KAAc,KAAmB;AAC1D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,eAAe,OAAO,EAAE;AAErD,WAAO,aAAa,KAAK,MAAM;AAAA,EACjC,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,4BAA4B,CAAC;AAAA,MACrE,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,mBAAmB;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}