npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/dist/modules/sso/api/config/route.js ADDED Viewed

@@ -0,0 +1,83 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ssoConfigAdminCreateSchema, ssoConfigListQuerySchema } from "../../data/validators.js";
+import { resolveSsoAdminContext } from "../admin-context.js";
+import { handleSsoAdminApiError } from "../error-handler.js";
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["sso.config.view"] },
+  POST: { requireAuth: true, requireFeatures: ["sso.config.manage"] }
+};
+async function GET(req) {
+  try {
+    const { scope } = await resolveSsoAdminContext(req);
+    const url = new URL(req.url);
+    const query = ssoConfigListQuerySchema.parse({
+      page: url.searchParams.get("page") ?? void 0,
+      pageSize: url.searchParams.get("pageSize") ?? void 0,
+      search: url.searchParams.get("search") ?? void 0,
+      organizationId: url.searchParams.get("organizationId") ?? void 0,
+      tenantId: url.searchParams.get("tenantId") ?? void 0
+    });
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const result = await service.list(scope, query);
+    return NextResponse.json({ ...result, isSuperAdmin: scope.isSuperAdmin });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+async function POST(req) {
+  try {
+    const { scope } = await resolveSsoAdminContext(req);
+    const body = await req.json();
+    const parsed = ssoConfigAdminCreateSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("ssoConfigService");
+    const config = await service.create(scope, parsed.data);
+    return NextResponse.json(config, { status: 201 });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SSO Config API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "SSO Configuration",
+  methods: {
+    GET: {
+      summary: "List SSO configurations",
+      description: "Returns paginated SSO configurations. Admins see their org only; superadmins see all.",
+      tags: ["SSO"],
+      responses: [{ status: 200, description: "Paginated list of SSO configs" }],
+      errors: [
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.config.view" }
+      ]
+    },
+    POST: {
+      summary: "Create SSO configuration",
+      description: "Creates a new SSO configuration for an organization. One config per org.",
+      tags: ["SSO"],
+      requestBody: {
+        contentType: "application/json",
+        schema: ssoConfigAdminCreateSchema
+      },
+      responses: [{ status: 201, description: "SSO config created" }],
+      errors: [
+        { status: 400, description: "Invalid input" },
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.config.manage" },
+        { status: 409, description: "Config already exists for this organization" }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/config/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/sso/api/config/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoConfigService } from '../../services/ssoConfigService'\nimport { ssoConfigAdminCreateSchema, ssoConfigListQuerySchema } from '../../data/validators'\nimport { resolveSsoAdminContext } from '../admin-context'\nimport { handleSsoAdminApiError } from '../error-handler'\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },\n  POST: { requireAuth: true, requireFeatures: ['sso.config.manage'] },\n}\n\nexport async function GET(req: Request) {\n  try {\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const url = new URL(req.url)\n    const query = ssoConfigListQuerySchema.parse({\n      page: url.searchParams.get('page') ?? undefined,\n      pageSize: url.searchParams.get('pageSize') ?? undefined,\n      search: url.searchParams.get('search') ?? undefined,\n      organizationId: url.searchParams.get('organizationId') ?? undefined,\n      tenantId: url.searchParams.get('tenantId') ?? undefined,\n    })\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const result = await service.list(scope, query)\n\n    return NextResponse.json({ ...result, isSuperAdmin: scope.isSuperAdmin })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport async function POST(req: Request) {\n  try {\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const body = await req.json()\n    const parsed = ssoConfigAdminCreateSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<SsoConfigService>('ssoConfigService')\n    const config = await service.create(scope, parsed.data)\n\n    return NextResponse.json(config, { status: 201 })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SSO Config API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'SSO Configuration',\n  methods: {\n    GET: {\n      summary: 'List SSO configurations',\n      description: 'Returns paginated SSO configurations. Admins see their org only; superadmins see all.',\n      tags: ['SSO'],\n      responses: [{ status: 200, description: 'Paginated list of SSO configs' }],\n      errors: [\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.config.view' },\n      ],\n    },\n    POST: {\n      summary: 'Create SSO configuration',\n      description: 'Creates a new SSO configuration for an organization. One config per org.',\n      tags: ['SSO'],\n      requestBody: {\n        contentType: 'application/json',\n        schema: ssoConfigAdminCreateSchema,\n      },\n      responses: [{ status: 201, description: 'SSO config created' }],\n      errors: [\n        { status: 400, description: 'Invalid input' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.config.manage' },\n        { status: 409, description: 'Config already exists for this organization' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,4BAA4B,gCAAgC;AACrE,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAEhC,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,QAAQ,yBAAyB,MAAM;AAAA,MAC3C,MAAM,IAAI,aAAa,IAAI,MAAM,KAAK;AAAA,MACtC,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,MAC9C,QAAQ,IAAI,aAAa,IAAI,QAAQ,KAAK;AAAA,MAC1C,gBAAgB,IAAI,aAAa,IAAI,gBAAgB,KAAK;AAAA,MAC1D,UAAU,IAAI,aAAa,IAAI,UAAU,KAAK;AAAA,IAChD,CAAC;AAED,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,KAAK;AAE9C,WAAO,aAAa,KAAK,EAAE,GAAG,QAAQ,cAAc,MAAM,aAAa,CAAC;AAAA,EAC1E,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEA,eAAsB,KAAK,KAAc;AACvC,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,2BAA2B,UAAU,IAAI;AACxD,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzG;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,OAAO,OAAO,OAAO,IAAI;AAEtD,WAAO,aAAa,KAAK,QAAQ,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClD,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,gBAAgB;AAAA,EACrD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gCAAgC,CAAC;AAAA,MACzE,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,4CAAuC;AAAA,MACrE;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,qBAAqB,CAAC;AAAA,MAC9D,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,gBAAgB;AAAA,QAC5C,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,8CAAyC;AAAA,QACrE,EAAE,QAAQ,KAAK,aAAa,8CAA8C;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/error-handler.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { NextResponse } from "next/server";
+import { SsoAdminAuthError } from "./admin-context.js";
+import { SsoConfigError } from "../services/ssoConfigService.js";
+import { ScimTokenError } from "../services/scimTokenService.js";
+import { ScimServiceError } from "../services/scimService.js";
+import { scimJson, buildScimError } from "../lib/scim-response.js";
+function isSsoHttpError(err) {
+  return err instanceof SsoAdminAuthError || err instanceof SsoConfigError || err instanceof ScimTokenError || err instanceof ScimServiceError;
+}
+function handleSsoAdminApiError(err, label) {
+  if (isSsoHttpError(err)) {
+    return NextResponse.json({ error: err.message }, { status: err.statusCode });
+  }
+  console.error(`[${label}] Error:`, err);
+  return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+}
+function handleScimApiError(err, label) {
+  if (err instanceof ScimServiceError) {
+    return scimJson(buildScimError(err.statusCode, err.message), err.statusCode);
+  }
+  console.error(`[${label}] Error:`, err);
+  return scimJson(buildScimError(500, "Internal server error"), 500);
+}
+export {
+  handleScimApiError,
+  handleSsoAdminApiError
+};
+//# sourceMappingURL=error-handler.js.map

package/dist/modules/sso/api/error-handler.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/api/error-handler.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { SsoAdminAuthError } from './admin-context'\nimport { SsoConfigError } from '../services/ssoConfigService'\nimport { ScimTokenError } from '../services/scimTokenService'\nimport { ScimServiceError } from '../services/scimService'\nimport { scimJson, buildScimError } from '../lib/scim-response'\n\ninterface SsoHttpError {\n  message: string\n  statusCode: number\n}\n\nfunction isSsoHttpError(err: unknown): err is SsoHttpError {\n  return (\n    err instanceof SsoAdminAuthError ||\n    err instanceof SsoConfigError ||\n    err instanceof ScimTokenError ||\n    err instanceof ScimServiceError\n  )\n}\n\nexport function handleSsoAdminApiError(err: unknown, label: string): NextResponse {\n  if (isSsoHttpError(err)) {\n    return NextResponse.json({ error: err.message }, { status: err.statusCode })\n  }\n  console.error(`[${label}] Error:`, err)\n  return NextResponse.json({ error: 'Internal server error' }, { status: 500 })\n}\n\nexport function handleScimApiError(err: unknown, label: string): Response {\n  if (err instanceof ScimServiceError) {\n    return scimJson(buildScimError(err.statusCode, err.message), err.statusCode)\n  }\n  console.error(`[${label}] Error:`, err)\n  return scimJson(buildScimError(500, 'Internal server error'), 500)\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,yBAAyB;AAClC,SAAS,sBAAsB;AAC/B,SAAS,sBAAsB;AAC/B,SAAS,wBAAwB;AACjC,SAAS,UAAU,sBAAsB;AAOzC,SAAS,eAAe,KAAmC;AACzD,SACE,eAAe,qBACf,eAAe,kBACf,eAAe,kBACf,eAAe;AAEnB;AAEO,SAAS,uBAAuB,KAAc,OAA6B;AAChF,MAAI,eAAe,GAAG,GAAG;AACvB,WAAO,aAAa,KAAK,EAAE,OAAO,IAAI,QAAQ,GAAG,EAAE,QAAQ,IAAI,WAAW,CAAC;AAAA,EAC7E;AACA,UAAQ,MAAM,IAAI,KAAK,YAAY,GAAG;AACtC,SAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAC9E;AAEO,SAAS,mBAAmB,KAAc,OAAyB;AACxE,MAAI,eAAe,kBAAkB;AACnC,WAAO,SAAS,eAAe,IAAI,YAAY,IAAI,OAAO,GAAG,IAAI,UAAU;AAAA,EAC7E;AACA,UAAQ,MAAM,IAAI,KAAK,YAAY,GAAG;AACtC,SAAO,SAAS,eAAe,KAAK,uBAAuB,GAAG,GAAG;AACnE;",
+  "names": []
+}

package/dist/modules/sso/api/hrd/route.js ADDED Viewed

@@ -0,0 +1,52 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { hrdRequestSchema } from "../../data/validators.js";
+async function POST(req) {
+  try {
+    const body = await req.json();
+    const parsed = hrdRequestSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const hrdService = container.resolve("hrdService");
+    const config = await hrdService.findActiveConfigByEmailDomain(parsed.data.email);
+    if (!config) {
+      return NextResponse.json({ hasSso: false });
+    }
+    return NextResponse.json({
+      hasSso: true,
+      configId: config.id,
+      protocol: config.protocol
+    });
+  } catch (err) {
+    console.error("[SSO HRD] Error:", err);
+    return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "Home Realm Discovery",
+  methods: {
+    POST: {
+      summary: "Check if email domain has SSO configured",
+      description: "Given an email address, determines if the associated organization has an active SSO configuration. Called from the login page before authentication.",
+      tags: ["SSO"],
+      requestBody: {
+        contentType: "application/json",
+        schema: hrdRequestSchema
+      },
+      responses: [
+        { status: 200, description: "HRD result" }
+      ],
+      errors: [
+        { status: 400, description: "Invalid request" }
+      ]
+    }
+  }
+};
+export {
+  POST,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/hrd/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/sso/api/hrd/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { HrdService } from '../../services/hrdService'\nimport { hrdRequestSchema } from '../../data/validators'\n\nexport async function POST(req: Request) {\n  try {\n    const body = await req.json()\n    const parsed = hrdRequestSchema.safeParse(body)\n\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request' }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const hrdService = container.resolve<HrdService>('hrdService')\n    const config = await hrdService.findActiveConfigByEmailDomain(parsed.data.email)\n\n    if (!config) {\n      return NextResponse.json({ hasSso: false })\n    }\n\n    return NextResponse.json({\n      hasSso: true,\n      configId: config.id,\n      protocol: config.protocol,\n    })\n  } catch (err) {\n    console.error('[SSO HRD] Error:', err)\n    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'Home Realm Discovery',\n  methods: {\n    POST: {\n      summary: 'Check if email domain has SSO configured',\n      description: 'Given an email address, determines if the associated organization has an active SSO configuration. Called from the login page before authentication.',\n      tags: ['SSO'],\n      requestBody: {\n        contentType: 'application/json',\n        schema: hrdRequestSchema,\n      },\n      responses: [\n        { status: 200, description: 'HRD result' },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid request' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,wBAAwB;AAEjC,eAAsB,KAAK,KAAc;AACvC,MAAI;AACF,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,iBAAiB,UAAU,IAAI;AAE9C,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACxE;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,aAAa,UAAU,QAAoB,YAAY;AAC7D,UAAM,SAAS,MAAM,WAAW,8BAA8B,OAAO,KAAK,KAAK;AAE/E,QAAI,CAAC,QAAQ;AACX,aAAO,aAAa,KAAK,EAAE,QAAQ,MAAM,CAAC;AAAA,IAC5C;AAEA,WAAO,aAAa,KAAK;AAAA,MACvB,QAAQ;AAAA,MACR,UAAU,OAAO;AAAA,MACjB,UAAU,OAAO;AAAA,IACnB,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,YAAQ,MAAM,oBAAoB,GAAG;AACrC,WAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,aAAa;AAAA,MAC3C;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,kBAAkB;AAAA,MAChD;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/initiate/route.js ADDED Viewed

@@ -0,0 +1,66 @@
+import { NextResponse } from "next/server";
+import { toAbsoluteUrl } from "@open-mercato/shared/lib/url";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ssoInitiateSchema } from "../../data/validators.js";
+import { emitSsoEvent } from "../../events.js";
+function sanitizeReturnUrl(raw) {
+  const value = raw || "/backend";
+  if (!value.startsWith("/") || value.startsWith("//")) return "/backend";
+  try {
+    const parsed = new URL(value, "http://localhost");
+    if (parsed.origin !== "http://localhost") return "/backend";
+    return parsed.pathname + parsed.search + parsed.hash;
+  } catch {
+    return "/backend";
+  }
+}
+async function GET(req) {
+  try {
+    const url = new URL(req.url);
+    const configId = url.searchParams.get("configId");
+    const rawReturnUrl = url.searchParams.get("returnUrl");
+    const parsed = ssoInitiateSchema.safeParse({ configId, returnUrl: rawReturnUrl ?? void 0 });
+    if (!parsed.success || !parsed.data.configId) {
+      return NextResponse.redirect(toAbsoluteUrl(req, "/login?error=sso_missing_config"));
+    }
+    const returnUrl = sanitizeReturnUrl(rawReturnUrl);
+    const redirectUri = toAbsoluteUrl(req, "/api/sso/callback/oidc");
+    const container = await createRequestContainer();
+    const ssoService = container.resolve("ssoService");
+    const { redirectUrl, stateCookie } = await ssoService.initiateLogin(parsed.data.configId, returnUrl, redirectUri);
+    const res = NextResponse.redirect(redirectUrl);
+    res.cookies.set("sso_state", stateCookie, {
+      httpOnly: true,
+      path: "/",
+      sameSite: "lax",
+      secure: process.env.NODE_ENV !== "development",
+      maxAge: 300
+    });
+    return res;
+  } catch (err) {
+    console.error("[SSO Initiate] Error:", err);
+    void emitSsoEvent("sso.login.failed", {
+      reason: err instanceof Error ? err.message : "initiate_failed"
+    }).catch((e) => console.error("[SSO Event]", e));
+    return NextResponse.redirect(toAbsoluteUrl(req, "/login?error=sso_failed"));
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "Initiate SSO login",
+  methods: {
+    GET: {
+      summary: "Start SSO login flow",
+      description: "Redirects the browser to the configured IdP authorization endpoint. Sets an encrypted sso_state cookie for CSRF protection.",
+      tags: ["SSO"],
+      responses: [
+        { status: 302, description: "Redirect to IdP authorization endpoint", mediaType: "text/html" }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/initiate/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/sso/api/initiate/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { toAbsoluteUrl } from '@open-mercato/shared/lib/url'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { SsoService } from '../../services/ssoService'\nimport { ssoInitiateSchema } from '../../data/validators'\nimport { emitSsoEvent } from '../../events'\n\nfunction sanitizeReturnUrl(raw: string | null): string {\n  const value = raw || '/backend'\n  if (!value.startsWith('/') || value.startsWith('//')) return '/backend'\n  try {\n    const parsed = new URL(value, 'http://localhost')\n    if (parsed.origin !== 'http://localhost') return '/backend'\n    return parsed.pathname + parsed.search + parsed.hash\n  } catch {\n    return '/backend'\n  }\n}\n\nexport async function GET(req: Request) {\n  try {\n    const url = new URL(req.url)\n    const configId = url.searchParams.get('configId')\n    const rawReturnUrl = url.searchParams.get('returnUrl')\n\n    const parsed = ssoInitiateSchema.safeParse({ configId, returnUrl: rawReturnUrl ?? undefined })\n    if (!parsed.success || !parsed.data.configId) {\n      return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_missing_config'))\n    }\n\n    const returnUrl = sanitizeReturnUrl(rawReturnUrl)\n    const redirectUri = toAbsoluteUrl(req, '/api/sso/callback/oidc')\n    const container = await createRequestContainer()\n    const ssoService = container.resolve<SsoService>('ssoService')\n\n    const { redirectUrl, stateCookie } = await ssoService.initiateLogin(parsed.data.configId, returnUrl, redirectUri)\n\n    const res = NextResponse.redirect(redirectUrl)\n    res.cookies.set('sso_state', stateCookie, {\n      httpOnly: true,\n      path: '/',\n      sameSite: 'lax',\n      secure: process.env.NODE_ENV !== 'development',\n      maxAge: 300,\n    })\n    return res\n  } catch (err) {\n    console.error('[SSO Initiate] Error:', err)\n    void emitSsoEvent('sso.login.failed', {\n      reason: err instanceof Error ? err.message : 'initiate_failed',\n    }).catch((e) => console.error('[SSO Event]', e))\n    return NextResponse.redirect(toAbsoluteUrl(req, '/login?error=sso_failed'))\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'Initiate SSO login',\n  methods: {\n    GET: {\n      summary: 'Start SSO login flow',\n      description: 'Redirects the browser to the configured IdP authorization endpoint. Sets an encrypted sso_state cookie for CSRF protection.',\n      tags: ['SSO'],\n      responses: [\n        { status: 302, description: 'Redirect to IdP authorization endpoint', mediaType: 'text/html' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,qBAAqB;AAC9B,SAAS,8BAA8B;AAEvC,SAAS,yBAAyB;AAClC,SAAS,oBAAoB;AAE7B,SAAS,kBAAkB,KAA4B;AACrD,QAAM,QAAQ,OAAO;AACrB,MAAI,CAAC,MAAM,WAAW,GAAG,KAAK,MAAM,WAAW,IAAI,EAAG,QAAO;AAC7D,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,OAAO,kBAAkB;AAChD,QAAI,OAAO,WAAW,mBAAoB,QAAO;AACjD,WAAO,OAAO,WAAW,OAAO,SAAS,OAAO;AAAA,EAClD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,WAAW,IAAI,aAAa,IAAI,UAAU;AAChD,UAAM,eAAe,IAAI,aAAa,IAAI,WAAW;AAErD,UAAM,SAAS,kBAAkB,UAAU,EAAE,UAAU,WAAW,gBAAgB,OAAU,CAAC;AAC7F,QAAI,CAAC,OAAO,WAAW,CAAC,OAAO,KAAK,UAAU;AAC5C,aAAO,aAAa,SAAS,cAAc,KAAK,iCAAiC,CAAC;AAAA,IACpF;AAEA,UAAM,YAAY,kBAAkB,YAAY;AAChD,UAAM,cAAc,cAAc,KAAK,wBAAwB;AAC/D,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,aAAa,UAAU,QAAoB,YAAY;AAE7D,UAAM,EAAE,aAAa,YAAY,IAAI,MAAM,WAAW,cAAc,OAAO,KAAK,UAAU,WAAW,WAAW;AAEhH,UAAM,MAAM,aAAa,SAAS,WAAW;AAC7C,QAAI,QAAQ,IAAI,aAAa,aAAa;AAAA,MACxC,UAAU;AAAA,MACV,MAAM;AAAA,MACN,UAAU;AAAA,MACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,MACjC,QAAQ;AAAA,IACV,CAAC;AACD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,YAAQ,MAAM,yBAAyB,GAAG;AAC1C,SAAK,aAAa,oBAAoB;AAAA,MACpC,QAAQ,eAAe,QAAQ,IAAI,UAAU;AAAA,IAC/C,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAC/C,WAAO,aAAa,SAAS,cAAc,KAAK,yBAAyB,CAAC;AAAA,EAC5E;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,KAAK;AAAA,MACZ,WAAW;AAAA,QACT,EAAE,QAAQ,KAAK,aAAa,0CAA0C,WAAW,YAAY;AAAA,MAC/F;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/scim/context.js ADDED Viewed

@@ -0,0 +1,68 @@
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { SsoConfig } from "../../data/entities.js";
+import { buildScimError, scimJson } from "../../lib/scim-response.js";
+async function resolveScimContext(req) {
+  const authHeader = req.headers.get("authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return {
+      ok: false,
+      response: scimJson(
+        buildScimError(401, "Bearer token required"),
+        401
+      )
+    };
+  }
+  const rawToken = authHeader.slice(7);
+  if (!rawToken) {
+    return {
+      ok: false,
+      response: scimJson(buildScimError(401, "Bearer token required"), 401)
+    };
+  }
+  const container = await createRequestContainer();
+  const scimTokenService = container.resolve("scimTokenService");
+  const verified = await scimTokenService.verifyToken(rawToken);
+  if (!verified) {
+    return {
+      ok: false,
+      response: scimJson(buildScimError(401, "Invalid or revoked token"), 401)
+    };
+  }
+  const em = container.resolve("em");
+  const config = await em.findOne(SsoConfig, {
+    id: verified.ssoConfigId,
+    organizationId: verified.organizationId,
+    deletedAt: null
+  });
+  if (!config) {
+    return {
+      ok: false,
+      response: scimJson(buildScimError(403, "SSO configuration not found"), 403)
+    };
+  }
+  if (!config.isActive) {
+    return {
+      ok: false,
+      response: scimJson(buildScimError(403, "SSO configuration is not active"), 403)
+    };
+  }
+  if (config.jitEnabled) {
+    return {
+      ok: false,
+      response: scimJson(buildScimError(403, "SCIM provisioning is unavailable \u2014 JIT provisioning is enabled on this configuration"), 403)
+    };
+  }
+  return {
+    ok: true,
+    scope: {
+      ssoConfigId: config.id,
+      organizationId: config.organizationId,
+      tenantId: verified.tenantId,
+      config
+    }
+  };
+}
+export {
+  resolveScimContext
+};
+//# sourceMappingURL=context.js.map

package/dist/modules/sso/api/scim/context.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../src/modules/sso/api/scim/context.ts"],
+  "sourcesContent": ["import { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { ScimTokenService } from '../../services/scimTokenService'\nimport { SsoConfig } from '../../data/entities'\nimport { buildScimError, scimJson } from '../../lib/scim-response'\nimport type { EntityManager } from '@mikro-orm/postgresql'\n\nexport interface ScimScope {\n  ssoConfigId: string\n  organizationId: string\n  tenantId: string | null\n  config: SsoConfig\n}\n\nexport async function resolveScimContext(req: Request): Promise<\n  | { ok: true; scope: ScimScope }\n  | { ok: false; response: Response }\n> {\n  const authHeader = req.headers.get('authorization')\n  if (!authHeader || !authHeader.startsWith('Bearer ')) {\n    return {\n      ok: false,\n      response: scimJson(\n        buildScimError(401, 'Bearer token required'),\n        401,\n      ),\n    }\n  }\n\n  const rawToken = authHeader.slice(7)\n  if (!rawToken) {\n    return {\n      ok: false,\n      response: scimJson(buildScimError(401, 'Bearer token required'), 401),\n    }\n  }\n\n  const container = await createRequestContainer()\n  const scimTokenService = container.resolve<ScimTokenService>('scimTokenService')\n  const verified = await scimTokenService.verifyToken(rawToken)\n\n  if (!verified) {\n    return {\n      ok: false,\n      response: scimJson(buildScimError(401, 'Invalid or revoked token'), 401),\n    }\n  }\n\n  const em = container.resolve<EntityManager>('em')\n  const config = await em.findOne(SsoConfig, {\n    id: verified.ssoConfigId,\n    organizationId: verified.organizationId,\n    deletedAt: null,\n  })\n\n  if (!config) {\n    return {\n      ok: false,\n      response: scimJson(buildScimError(403, 'SSO configuration not found'), 403),\n    }\n  }\n\n  if (!config.isActive) {\n    return {\n      ok: false,\n      response: scimJson(buildScimError(403, 'SSO configuration is not active'), 403),\n    }\n  }\n\n  if (config.jitEnabled) {\n    return {\n      ok: false,\n      response: scimJson(buildScimError(403, 'SCIM provisioning is unavailable \u2014 JIT provisioning is enabled on this configuration'), 403),\n    }\n  }\n\n  return {\n    ok: true,\n    scope: {\n      ssoConfigId: config.id,\n      organizationId: config.organizationId,\n      tenantId: verified.tenantId,\n      config,\n    },\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,8BAA8B;AAEvC,SAAS,iBAAiB;AAC1B,SAAS,gBAAgB,gBAAgB;AAUzC,eAAsB,mBAAmB,KAGvC;AACA,QAAM,aAAa,IAAI,QAAQ,IAAI,eAAe;AAClD,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,GAAG;AACpD,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU;AAAA,QACR,eAAe,KAAK,uBAAuB;AAAA,QAC3C;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,WAAW,WAAW,MAAM,CAAC;AACnC,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU,SAAS,eAAe,KAAK,uBAAuB,GAAG,GAAG;AAAA,IACtE;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,mBAAmB,UAAU,QAA0B,kBAAkB;AAC/E,QAAM,WAAW,MAAM,iBAAiB,YAAY,QAAQ;AAE5D,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU,SAAS,eAAe,KAAK,0BAA0B,GAAG,GAAG;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,KAAK,UAAU,QAAuB,IAAI;AAChD,QAAM,SAAS,MAAM,GAAG,QAAQ,WAAW;AAAA,IACzC,IAAI,SAAS;AAAA,IACb,gBAAgB,SAAS;AAAA,IACzB,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU,SAAS,eAAe,KAAK,6BAA6B,GAAG,GAAG;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,CAAC,OAAO,UAAU;AACpB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU,SAAS,eAAe,KAAK,iCAAiC,GAAG,GAAG;AAAA,IAChF;AAAA,EACF;AAEA,MAAI,OAAO,YAAY;AACrB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,UAAU,SAAS,eAAe,KAAK,2FAAsF,GAAG,GAAG;AAAA,IACrI;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO;AAAA,MACL,aAAa,OAAO;AAAA,MACpB,gBAAgB,OAAO;AAAA,MACvB,UAAU,SAAS;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/scim/logs/route.js ADDED Viewed

@@ -0,0 +1,65 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { ScimProvisioningLog } from "../../../data/entities.js";
+import { resolveSsoAdminContext } from "../../admin-context.js";
+import { handleSsoAdminApiError } from "../../error-handler.js";
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["sso.config.view"] }
+};
+async function GET(req) {
+  try {
+    const { scope } = await resolveSsoAdminContext(req);
+    const url = new URL(req.url);
+    const ssoConfigId = url.searchParams.get("ssoConfigId");
+    if (!ssoConfigId) {
+      return NextResponse.json({ error: "ssoConfigId is required" }, { status: 400 });
+    }
+    const where = { ssoConfigId };
+    if (!scope.isSuperAdmin && scope.organizationId) {
+      where.organizationId = scope.organizationId;
+    }
+    const container = await createRequestContainer();
+    const em = container.resolve("em");
+    const logs = await em.find(ScimProvisioningLog, where, {
+      orderBy: { createdAt: "desc" },
+      limit: 50
+    });
+    return NextResponse.json({
+      items: logs.map((log) => ({
+        id: log.id,
+        operation: log.operation,
+        resourceType: log.resourceType,
+        resourceId: log.resourceId,
+        scimExternalId: log.scimExternalId,
+        responseStatus: log.responseStatus,
+        errorMessage: log.errorMessage,
+        createdAt: log.createdAt.toISOString()
+      }))
+    });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SCIM Logs API");
+  }
+}
+const openApi = {
+  tag: "SCIM",
+  summary: "SCIM Provisioning Logs",
+  methods: {
+    GET: {
+      summary: "List recent provisioning log entries",
+      description: "Returns the last 50 SCIM provisioning log entries for a given SSO config.",
+      tags: ["SSO", "SCIM"],
+      responses: [{ status: 200, description: "List of provisioning log entries" }],
+      errors: [
+        { status: 400, description: "Missing ssoConfigId" },
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.scim.manage" }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/scim/logs/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/api/scim/logs/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { ScimProvisioningLog } from '../../../data/entities'\nimport { resolveSsoAdminContext } from '../../admin-context'\nimport { handleSsoAdminApiError } from '../../error-handler'\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },\n}\n\nexport async function GET(req: Request) {\n  try {\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const url = new URL(req.url)\n    const ssoConfigId = url.searchParams.get('ssoConfigId')\n    if (!ssoConfigId) {\n      return NextResponse.json({ error: 'ssoConfigId is required' }, { status: 400 })\n    }\n\n    const where: Record<string, unknown> = { ssoConfigId }\n    if (!scope.isSuperAdmin && scope.organizationId) {\n      where.organizationId = scope.organizationId\n    }\n\n    const container = await createRequestContainer()\n    const em = container.resolve<EntityManager>('em')\n\n    const logs = await em.find(ScimProvisioningLog, where, {\n      orderBy: { createdAt: 'desc' },\n      limit: 50,\n    })\n\n    return NextResponse.json({\n      items: logs.map((log) => ({\n        id: log.id,\n        operation: log.operation,\n        resourceType: log.resourceType,\n        resourceId: log.resourceId,\n        scimExternalId: log.scimExternalId,\n        responseStatus: log.responseStatus,\n        errorMessage: log.errorMessage,\n        createdAt: log.createdAt.toISOString(),\n      })),\n    })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SCIM Logs API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SCIM',\n  summary: 'SCIM Provisioning Logs',\n  methods: {\n    GET: {\n      summary: 'List recent provisioning log entries',\n      description: 'Returns the last 50 SCIM provisioning log entries for a given SSO config.',\n      tags: ['SSO', 'SCIM'],\n      responses: [{ status: 200, description: 'List of provisioning log entries' }],\n      errors: [\n        { status: 400, description: 'Missing ssoConfigId' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.scim.manage' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,2BAA2B;AACpC,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAEhC,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACjE;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,cAAc,IAAI,aAAa,IAAI,aAAa;AACtD,QAAI,CAAC,aAAa;AAChB,aAAO,aAAa,KAAK,EAAE,OAAO,0BAA0B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAChF;AAEA,UAAM,QAAiC,EAAE,YAAY;AACrD,QAAI,CAAC,MAAM,gBAAgB,MAAM,gBAAgB;AAC/C,YAAM,iBAAiB,MAAM;AAAA,IAC/B;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,KAAK,UAAU,QAAuB,IAAI;AAEhD,UAAM,OAAO,MAAM,GAAG,KAAK,qBAAqB,OAAO;AAAA,MACrD,SAAS,EAAE,WAAW,OAAO;AAAA,MAC7B,OAAO;AAAA,IACT,CAAC;AAED,WAAO,aAAa,KAAK;AAAA,MACvB,OAAO,KAAK,IAAI,CAAC,SAAS;AAAA,QACxB,IAAI,IAAI;AAAA,QACR,WAAW,IAAI;AAAA,QACf,cAAc,IAAI;AAAA,QAClB,YAAY,IAAI;AAAA,QAChB,gBAAgB,IAAI;AAAA,QACpB,gBAAgB,IAAI;AAAA,QACpB,cAAc,IAAI;AAAA,QAClB,WAAW,IAAI,UAAU,YAAY;AAAA,MACvC,EAAE;AAAA,IACJ,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,eAAe;AAAA,EACpD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,OAAO,MAAM;AAAA,MACpB,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,mCAAmC,CAAC;AAAA,MAC5E,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,sBAAsB;AAAA,QAClD,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,4CAAuC;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/scim/tokens/[id]/route.js ADDED Viewed

@@ -0,0 +1,42 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { resolveSsoAdminContext } from "../../../admin-context.js";
+import { handleSsoAdminApiError } from "../../../error-handler.js";
+const metadata = {
+  DELETE: { requireAuth: true, requireFeatures: ["sso.scim.manage"] }
+};
+async function DELETE(req, ctx) {
+  try {
+    const { id } = await ctx.params;
+    const { scope } = await resolveSsoAdminContext(req);
+    const container = await createRequestContainer();
+    const service = container.resolve("scimTokenService");
+    await service.revokeToken(id, scope);
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SCIM Tokens API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "SCIM Token by ID",
+  methods: {
+    DELETE: {
+      summary: "Revoke SCIM token",
+      description: "Revokes (deactivates) a SCIM token. The token can no longer be used for authentication.",
+      tags: ["SSO", "SCIM"],
+      responses: [{ status: 200, description: "Token revoked" }],
+      errors: [
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.scim.manage" },
+        { status: 404, description: "Token not found" }
+      ]
+    }
+  }
+};
+export {
+  DELETE,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/scim/tokens/[id]/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/sso/api/scim/tokens/%5Bid%5D/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { ScimTokenService } from '../../../../services/scimTokenService'\nimport { resolveSsoAdminContext } from '../../../admin-context'\nimport { handleSsoAdminApiError } from '../../../error-handler'\n\nexport const metadata = {\n  DELETE: { requireAuth: true, requireFeatures: ['sso.scim.manage'] },\n}\n\ntype RouteContext = { params: Promise<{ id: string }> }\n\nexport async function DELETE(req: Request, ctx: RouteContext) {\n  try {\n    const { id } = await ctx.params\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const container = await createRequestContainer()\n    const service = container.resolve<ScimTokenService>('scimTokenService')\n    await service.revokeToken(id, scope)\n\n    return NextResponse.json({ ok: true })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SCIM Tokens API')\n  }\n}\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'SCIM Token by ID',\n  methods: {\n    DELETE: {\n      summary: 'Revoke SCIM token',\n      description: 'Revokes (deactivates) a SCIM token. The token can no longer be used for authentication.',\n      tags: ['SSO', 'SCIM'],\n      responses: [{ status: 200, description: 'Token revoked' }],\n      errors: [\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.scim.manage' },\n        { status: 404, description: 'Token not found' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAEhC,MAAM,WAAW;AAAA,EACtB,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AACpE;AAIA,eAAsB,OAAO,KAAc,KAAmB;AAC5D,MAAI;AACF,UAAM,EAAE,GAAG,IAAI,MAAM,IAAI;AACzB,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,QAAQ,YAAY,IAAI,KAAK;AAEnC,WAAO,aAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAAA,EACvC,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,iBAAiB;AAAA,EACtD;AACF;AAEO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,OAAO,MAAM;AAAA,MACpB,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,CAAC;AAAA,MACzD,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,4CAAuC;AAAA,QACnE,EAAE,QAAQ,KAAK,aAAa,kBAAkB;AAAA,MAChD;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/sso/api/scim/tokens/route.js ADDED Viewed

@@ -0,0 +1,83 @@
+import { NextResponse } from "next/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { createScimTokenSchema, scimTokenListSchema } from "../../../data/validators.js";
+import { resolveSsoAdminContext } from "../../admin-context.js";
+import { handleSsoAdminApiError } from "../../error-handler.js";
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["sso.config.view"] },
+  POST: { requireAuth: true, requireFeatures: ["sso.scim.manage"] }
+};
+async function GET(req) {
+  try {
+    const { scope } = await resolveSsoAdminContext(req);
+    const url = new URL(req.url);
+    const parsed = scimTokenListSchema.safeParse({
+      ssoConfigId: url.searchParams.get("ssoConfigId") ?? void 0
+    });
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("scimTokenService");
+    const tokens = await service.listTokens(parsed.data.ssoConfigId, scope);
+    return NextResponse.json({ items: tokens });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SCIM Tokens API");
+  }
+}
+async function POST(req) {
+  try {
+    const { scope } = await resolveSsoAdminContext(req);
+    const body = await req.json();
+    const parsed = createScimTokenSchema.safeParse(body);
+    if (!parsed.success) {
+      return NextResponse.json({ error: "Invalid request", details: parsed.error.flatten() }, { status: 400 });
+    }
+    const container = await createRequestContainer();
+    const service = container.resolve("scimTokenService");
+    const result = await service.generateToken(parsed.data.ssoConfigId, parsed.data.name, scope);
+    return NextResponse.json(result, { status: 201 });
+  } catch (err) {
+    return handleSsoAdminApiError(err, "SCIM Tokens API");
+  }
+}
+const openApi = {
+  tag: "SSO",
+  summary: "SCIM Token Management",
+  methods: {
+    GET: {
+      summary: "List SCIM tokens",
+      description: "Returns SCIM tokens for a given SSO config. Token hashes are never exposed.",
+      tags: ["SSO", "SCIM"],
+      responses: [{ status: 200, description: "List of SCIM tokens" }],
+      errors: [
+        { status: 400, description: "Missing or invalid ssoConfigId" },
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.scim.manage" }
+      ]
+    },
+    POST: {
+      summary: "Create SCIM token",
+      description: "Generates a new SCIM bearer token. The raw token is returned once and cannot be retrieved again.",
+      tags: ["SSO", "SCIM"],
+      requestBody: {
+        contentType: "application/json",
+        schema: createScimTokenSchema
+      },
+      responses: [{ status: 201, description: "SCIM token created \u2014 raw token included in response" }],
+      errors: [
+        { status: 400, description: "Invalid input" },
+        { status: 401, description: "Unauthorized" },
+        { status: 403, description: "Forbidden \u2014 requires sso.scim.manage" },
+        { status: 409, description: "Conflict \u2014 cannot create SCIM token while JIT is enabled" }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/sso/api/scim/tokens/route.js.map ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/sso/api/scim/tokens/route.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { ScimTokenService } from '../../../services/scimTokenService'\nimport { createScimTokenSchema, scimTokenListSchema } from '../../../data/validators'\nimport { resolveSsoAdminContext } from '../../admin-context'\nimport { handleSsoAdminApiError } from '../../error-handler'\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['sso.config.view'] },\n  POST: { requireAuth: true, requireFeatures: ['sso.scim.manage'] },\n}\n\nexport async function GET(req: Request) {\n  try {\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const url = new URL(req.url)\n    const parsed = scimTokenListSchema.safeParse({\n      ssoConfigId: url.searchParams.get('ssoConfigId') ?? undefined,\n    })\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<ScimTokenService>('scimTokenService')\n    const tokens = await service.listTokens(parsed.data.ssoConfigId, scope)\n\n    return NextResponse.json({ items: tokens })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SCIM Tokens API')\n  }\n}\n\nexport async function POST(req: Request) {\n  try {\n    const { scope } = await resolveSsoAdminContext(req)\n\n    const body = await req.json()\n    const parsed = createScimTokenSchema.safeParse(body)\n    if (!parsed.success) {\n      return NextResponse.json({ error: 'Invalid request', details: parsed.error.flatten() }, { status: 400 })\n    }\n\n    const container = await createRequestContainer()\n    const service = container.resolve<ScimTokenService>('scimTokenService')\n    const result = await service.generateToken(parsed.data.ssoConfigId, parsed.data.name, scope)\n\n    return NextResponse.json(result, { status: 201 })\n  } catch (err) {\n    return handleSsoAdminApiError(err, 'SCIM Tokens API')\n  }\n}\n\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'SSO',\n  summary: 'SCIM Token Management',\n  methods: {\n    GET: {\n      summary: 'List SCIM tokens',\n      description: 'Returns SCIM tokens for a given SSO config. Token hashes are never exposed.',\n      tags: ['SSO', 'SCIM'],\n      responses: [{ status: 200, description: 'List of SCIM tokens' }],\n      errors: [\n        { status: 400, description: 'Missing or invalid ssoConfigId' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.scim.manage' },\n      ],\n    },\n    POST: {\n      summary: 'Create SCIM token',\n      description: 'Generates a new SCIM bearer token. The raw token is returned once and cannot be retrieved again.',\n      tags: ['SSO', 'SCIM'],\n      requestBody: {\n        contentType: 'application/json',\n        schema: createScimTokenSchema,\n      },\n      responses: [{ status: 201, description: 'SCIM token created \u2014 raw token included in response' }],\n      errors: [\n        { status: 400, description: 'Invalid input' },\n        { status: 401, description: 'Unauthorized' },\n        { status: 403, description: 'Forbidden \u2014 requires sso.scim.manage' },\n        { status: 409, description: 'Conflict \u2014 cannot create SCIM token while JIT is enabled' },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAE7B,SAAS,8BAA8B;AAEvC,SAAS,uBAAuB,2BAA2B;AAC3D,SAAS,8BAA8B;AACvC,SAAS,8BAA8B;AAEhC,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAAA,EAC/D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,iBAAiB,EAAE;AAClE;AAEA,eAAsB,IAAI,KAAc;AACtC,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,MAAM,IAAI,IAAI,IAAI,GAAG;AAC3B,UAAM,SAAS,oBAAoB,UAAU;AAAA,MAC3C,aAAa,IAAI,aAAa,IAAI,aAAa,KAAK;AAAA,IACtD,CAAC;AACD,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzG;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,WAAW,OAAO,KAAK,aAAa,KAAK;AAEtE,WAAO,aAAa,KAAK,EAAE,OAAO,OAAO,CAAC;AAAA,EAC5C,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,iBAAiB;AAAA,EACtD;AACF;AAEA,eAAsB,KAAK,KAAc;AACvC,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,uBAAuB,GAAG;AAElD,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,SAAS,sBAAsB,UAAU,IAAI;AACnD,QAAI,CAAC,OAAO,SAAS;AACnB,aAAO,aAAa,KAAK,EAAE,OAAO,mBAAmB,SAAS,OAAO,MAAM,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACzG;AAEA,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,UAAU,UAAU,QAA0B,kBAAkB;AACtE,UAAM,SAAS,MAAM,QAAQ,cAAc,OAAO,KAAK,aAAa,OAAO,KAAK,MAAM,KAAK;AAE3F,WAAO,aAAa,KAAK,QAAQ,EAAE,QAAQ,IAAI,CAAC;AAAA,EAClD,SAAS,KAAK;AACZ,WAAO,uBAAuB,KAAK,iBAAiB;AAAA,EACtD;AACF;AAGO,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,OAAO,MAAM;AAAA,MACpB,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,sBAAsB,CAAC;AAAA,MAC/D,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,iCAAiC;AAAA,QAC7D,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,4CAAuC;AAAA,MACrE;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,MAAM,CAAC,OAAO,MAAM;AAAA,MACpB,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,2DAAsD,CAAC;AAAA,MAC/F,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,gBAAgB;AAAA,QAC5C,EAAE,QAAQ,KAAK,aAAa,eAAe;AAAA,QAC3C,EAAE,QAAQ,KAAK,aAAa,4CAAuC;AAAA,QACnE,EAAE,QAAQ,KAAK,aAAa,gEAA2D;AAAA,MACzF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}