@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

package/src/modules/sso/migrations/Migration20260219000000_sso.ts

@@ -0,0 +1,21 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260219000000_sso extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`create table "sso_configs" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "organization_id" uuid not null, "protocol" text not null, "issuer" text null, "client_id" text null, "client_secret_enc" text null, "allowed_domains" jsonb not null default '[]', "jit_enabled" boolean not null default true, "auto_link_by_email" boolean not null default true, "is_active" boolean not null default false, "sso_required" boolean not null default false, "default_role_id" uuid null, "created_at" timestamptz not null, "updated_at" timestamptz not null, "deleted_at" timestamptz null, constraint "sso_configs_pkey" primary key ("id"));`);
+    this.addSql(`alter table "sso_configs" add constraint "sso_configs_organization_id_unique" unique ("organization_id");`);
+
+    this.addSql(`create table "sso_identities" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "organization_id" uuid not null, "sso_config_id" uuid not null, "user_id" uuid not null, "idp_subject" text not null, "idp_email" text not null, "idp_name" text null, "idp_groups" jsonb not null default '[]', "provisioning_method" text not null, "first_login_at" timestamptz null, "last_login_at" timestamptz null, "created_at" timestamptz not null, "updated_at" timestamptz not null, "deleted_at" timestamptz null, constraint "sso_identities_pkey" primary key ("id"));`);
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_user_unique" unique ("sso_config_id", "user_id");`);
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_subject_unique" unique ("sso_config_id", "idp_subject");`);
+    this.addSql(`create index "sso_identities_config_id_idx" on "sso_identities" ("sso_config_id");`);
+    this.addSql(`create index "sso_identities_user_id_idx" on "sso_identities" ("user_id");`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`drop table if exists "sso_configs" cascade;`);
+    this.addSql(`drop table if exists "sso_identities" cascade;`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260222000000_sso_add_name.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260222000000_sso_add_name extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_configs" add column "name" text null;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "sso_configs" drop column "name";`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260222000001_sso_partial_unique_org.ts

@@ -0,0 +1,15 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260222000001_sso_partial_unique_org extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_configs" drop constraint "sso_configs_organization_id_unique";`);
+    this.addSql(`create unique index "sso_configs_organization_id_unique" on "sso_configs" ("organization_id") where "deleted_at" is null;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`drop index "sso_configs_organization_id_unique";`);
+    this.addSql(`alter table "sso_configs" add constraint "sso_configs_organization_id_unique" unique ("organization_id");`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260223000000_scim_tables.ts

@@ -0,0 +1,24 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260223000000_scim_tables extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`create table "scim_tokens" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "organization_id" uuid not null, "sso_config_id" uuid not null, "name" text not null, "token_hash" text not null, "token_prefix" text not null, "is_active" boolean not null default true, "created_by" uuid null, "created_at" timestamptz not null, "updated_at" timestamptz not null, constraint "scim_tokens_pkey" primary key ("id"));`);
+    this.addSql(`create index "scim_tokens_sso_config_id_idx" on "scim_tokens" ("sso_config_id");`);
+    this.addSql(`create index "scim_tokens_token_prefix_idx" on "scim_tokens" ("token_prefix");`);
+
+    this.addSql(`create table "sso_user_deactivations" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "organization_id" uuid not null, "user_id" uuid not null, "sso_config_id" uuid not null, "deactivated_at" timestamptz not null, "reactivated_at" timestamptz null, "created_at" timestamptz not null, constraint "sso_user_deactivations_pkey" primary key ("id"));`);
+    this.addSql(`create index "sso_user_deactivations_user_id_idx" on "sso_user_deactivations" ("user_id");`);
+    this.addSql(`alter table "sso_user_deactivations" add constraint "sso_user_deactivations_user_config_unique" unique ("user_id", "sso_config_id");`);
+
+    this.addSql(`create table "scim_provisioning_log" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "organization_id" uuid not null, "sso_config_id" uuid not null, "operation" text not null, "resource_type" text not null, "resource_id" uuid null, "scim_external_id" text null, "response_status" int not null, "error_message" text null, "created_at" timestamptz not null, constraint "scim_provisioning_log_pkey" primary key ("id"));`);
+    this.addSql(`create index "scim_provisioning_log_config_created_idx" on "scim_provisioning_log" ("sso_config_id", "created_at");`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`drop table if exists "scim_provisioning_log" cascade;`);
+    this.addSql(`drop table if exists "sso_user_deactivations" cascade;`);
+    this.addSql(`drop table if exists "scim_tokens" cascade;`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260224000000_sso_external_id.ts

@@ -0,0 +1,15 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260224000000_sso_external_id extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_identities" add column "external_id" text null;`);
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_external_id_unique" unique ("sso_config_id", "external_id");`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "sso_identities" drop constraint if exists "sso_identities_config_external_id_unique";`);
+    this.addSql(`alter table "sso_identities" drop column if exists "external_id";`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260224100000_sso_role_grants.ts

@@ -0,0 +1,18 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260224100000_sso_role_grants extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`create table "sso_role_grants" ("id" uuid not null default gen_random_uuid(), "tenant_id" uuid null, "user_id" uuid not null, "role_id" uuid not null, "sso_config_id" uuid not null, "created_at" timestamptz not null, constraint "sso_role_grants_pkey" primary key ("id"));`);
+    this.addSql(`create index "sso_role_grants_user_id_idx" on "sso_role_grants" ("user_id");`);
+    this.addSql(`alter table "sso_role_grants" add constraint "sso_role_grants_user_role_config_unique" unique ("user_id", "role_id", "sso_config_id");`);
+
+    this.addSql(`alter table "sso_configs" add column "app_role_mappings" jsonb not null default '{}';`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`drop table if exists "sso_role_grants";`);
+    this.addSql(`alter table "sso_configs" drop column "app_role_mappings";`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260224200000_drop_default_role_id.ts

@@ -0,0 +1,13 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260224200000_drop_default_role_id extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_configs" drop column if exists "default_role_id";`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "sso_configs" add column "default_role_id" uuid null;`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260225000000_sso_identities_partial_unique.ts

@@ -0,0 +1,25 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260225000000_sso_identities_partial_unique extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_identities" drop constraint "sso_identities_config_user_unique";`);
+    this.addSql(`alter table "sso_identities" drop constraint "sso_identities_config_subject_unique";`);
+    this.addSql(`alter table "sso_identities" drop constraint "sso_identities_config_external_id_unique";`);
+
+    this.addSql(`create unique index "sso_identities_config_user_unique" on "sso_identities" ("sso_config_id", "user_id") where "deleted_at" is null;`);
+    this.addSql(`create unique index "sso_identities_config_subject_unique" on "sso_identities" ("sso_config_id", "idp_subject") where "deleted_at" is null;`);
+    this.addSql(`create unique index "sso_identities_config_external_id_unique" on "sso_identities" ("sso_config_id", "external_id") where "deleted_at" is null;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`drop index "sso_identities_config_user_unique";`);
+    this.addSql(`drop index "sso_identities_config_subject_unique";`);
+    this.addSql(`drop index "sso_identities_config_external_id_unique";`);
+
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_user_unique" unique ("sso_config_id", "user_id");`);
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_subject_unique" unique ("sso_config_id", "idp_subject");`);
+    this.addSql(`alter table "sso_identities" add constraint "sso_identities_config_external_id_unique" unique ("sso_config_id", "external_id");`);
+  }
+
+}

package/src/modules/sso/migrations/Migration20260305000000_sso_role_grants_org_id.ts

@@ -0,0 +1,14 @@
+import { Migration } from '@mikro-orm/migrations';
+
+export class Migration20260305000000_sso_role_grants_org_id extends Migration {
+
+  override async up(): Promise<void> {
+    this.addSql(`alter table "sso_role_grants" add column "organization_id" uuid not null default '00000000-0000-0000-0000-000000000000';`);
+    this.addSql(`alter table "sso_role_grants" alter column "organization_id" drop default;`);
+  }
+
+  override async down(): Promise<void> {
+    this.addSql(`alter table "sso_role_grants" drop column "organization_id";`);
+  }
+
+}

package/src/modules/sso/services/accountLinkingService.ts

@@ -0,0 +1,386 @@
+import { EntityManager, type FilterQuery, type RequiredEntityData } from '@mikro-orm/postgresql'
+import { User, UserRole, Role } from '@open-mercato/core/modules/auth/data/entities'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'
+import { SsoConfig, SsoIdentity, SsoRoleGrant, ScimToken } from '../data/entities'
+import { emitSsoEvent } from '../events'
+import type { SsoIdentityPayload } from '../lib/types'
+
+export class AccountLinkingService {
+  constructor(private em: EntityManager) {}
+
+  async resolveUser(
+    config: SsoConfig,
+    idpPayload: SsoIdentityPayload,
+    tenantId: string,
+  ): Promise<{ user: User; identity: SsoIdentity }> {
+    const existing = await this.findExistingLink(config.id, idpPayload.subject, tenantId, config.organizationId)
+    if (existing) {
+      await this.assignRolesFromSso(this.em, existing.user, config, tenantId, idpPayload.groups)
+      return existing
+    }
+
+    if (idpPayload.emailVerified === false) {
+      throw new Error('IdP explicitly reported email as unverified — cannot link or provision account')
+    }
+
+    const emailDomain = idpPayload.email.split('@')[1]?.toLowerCase()
+    if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {
+      throw new Error('Email domain is not in the allowed domains for this SSO configuration')
+    }
+
+    const emailLinked = config.autoLinkByEmail
+      ? await this.linkByEmail(config, idpPayload, tenantId)
+      : null
+    if (emailLinked) {
+      await this.assignRolesFromSso(this.em, emailLinked.user, config, tenantId, idpPayload.groups)
+      return emailLinked
+    }
+
+    if (config.jitEnabled) {
+      const scimActive = await this.em.count(ScimToken, { ssoConfigId: config.id, isActive: true }) > 0
+      if (scimActive) {
+        throw new Error('JIT provisioning is disabled because SCIM directory sync is active')
+      }
+      return this.jitProvision(config, idpPayload, tenantId)
+    }
+
+    throw new Error('No matching user found and JIT provisioning is disabled')
+  }
+
+  private async findExistingLink(
+    ssoConfigId: string,
+    idpSubject: string,
+    tenantId: string,
+    organizationId: string,
+  ): Promise<{ user: User; identity: SsoIdentity } | null> {
+    const identity = await findOneWithDecryption(
+      this.em,
+      SsoIdentity,
+      { ssoConfigId, idpSubject, deletedAt: null },
+      {},
+      { tenantId, organizationId },
+    )
+    if (!identity) return null
+
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      { id: identity.userId, deletedAt: null },
+      {},
+      { tenantId, organizationId },
+    )
+    if (!user) {
+      identity.deletedAt = new Date()
+      await this.em.flush()
+      return null
+    }
+
+    identity.lastLoginAt = new Date()
+    await this.em.flush()
+
+    return { user, identity }
+  }
+
+  private async linkByEmail(
+    config: SsoConfig,
+    idpPayload: SsoIdentityPayload,
+    tenantId: string,
+  ): Promise<{ user: User; identity: SsoIdentity } | null> {
+    const emailHash = computeEmailHash(idpPayload.email)
+    const user = await findOneWithDecryption(
+      this.em,
+      User,
+      {
+        organizationId: config.organizationId,
+        deletedAt: null,
+        $or: [
+          { email: idpPayload.email },
+          { emailHash },
+        ],
+      } as FilterQuery<User>,
+      {},
+      { tenantId, organizationId: config.organizationId },
+    )
+    if (!user) return null
+
+    const now = new Date()
+    const identity = this.em.create(SsoIdentity, {
+      tenantId,
+      organizationId: config.organizationId,
+      ssoConfigId: config.id,
+      userId: user.id,
+      idpSubject: idpPayload.subject,
+      idpEmail: idpPayload.email,
+      idpName: idpPayload.name ?? null,
+      idpGroups: idpPayload.groups ?? [],
+      provisioningMethod: 'manual',
+      firstLoginAt: now,
+      lastLoginAt: now,
+      createdAt: now,
+      updatedAt: now,
+    } as RequiredEntityData<SsoIdentity>)
+    await this.em.persistAndFlush(identity)
+
+    void emitSsoEvent('sso.identity.linked', {
+      id: identity.id,
+      tenantId,
+      organizationId: config.organizationId,
+    }).catch((e) => console.error('[SSO Event]', e))
+
+    return { user, identity }
+  }
+
+  private async jitProvision(
+    config: SsoConfig,
+    idpPayload: SsoIdentityPayload,
+    tenantId: string,
+  ): Promise<{ user: User; identity: SsoIdentity }> {
+    return this.em.transactional(async (txEm) => {
+      const user = txEm.create(User, {
+        tenantId,
+        organizationId: config.organizationId,
+        email: idpPayload.email,
+        emailHash: computeEmailHash(idpPayload.email),
+        name: idpPayload.name ?? null,
+        passwordHash: null,
+        isConfirmed: true,
+        createdAt: new Date(),
+      })
+      await txEm.persistAndFlush(user)
+
+      await this.assignRolesFromSso(txEm, user, config, tenantId, idpPayload.groups)
+
+      const now = new Date()
+      const identity = txEm.create(SsoIdentity, {
+        tenantId,
+        organizationId: config.organizationId,
+        ssoConfigId: config.id,
+        userId: user.id,
+        idpSubject: idpPayload.subject,
+        idpEmail: idpPayload.email,
+        idpName: idpPayload.name ?? null,
+        idpGroups: idpPayload.groups ?? [],
+        provisioningMethod: 'jit',
+        firstLoginAt: now,
+        lastLoginAt: now,
+        createdAt: now,
+        updatedAt: now,
+      } as RequiredEntityData<SsoIdentity>)
+      await txEm.persistAndFlush(identity)
+
+      void emitSsoEvent('sso.identity.created', {
+        id: identity.id,
+        tenantId,
+        organizationId: config.organizationId,
+      }).catch((e) => console.error('[SSO Event]', e))
+
+      return { user, identity }
+    })
+  }
+
+  private async assignRolesFromSso(
+    em: EntityManager,
+    user: User,
+    config: SsoConfig,
+    tenantId: string,
+    idpGroups?: string[],
+  ): Promise<void> {
+    const hasMappings = config.appRoleMappings && Object.keys(config.appRoleMappings).length > 0
+    if (!hasMappings) return
+
+    await this.syncMappedRoles(em, user, config, tenantId, idpGroups)
+
+    const hasAnySsoRole = await em.findOne(SsoRoleGrant, {
+      userId: user.id,
+      ssoConfigId: config.id,
+    })
+    if (!hasAnySsoRole) {
+      throw new Error('No roles could be resolved from IdP groups — login denied. Configure role mappings or ensure the IdP sends matching group claims.')
+    }
+  }
+
+  /**
+   * Sync/replace SSO-sourced roles: on each login, SSO-managed roles are replaced
+   * with what the IdP sends, while manually-assigned roles are preserved.
+   */
+  private async syncMappedRoles(
+    em: EntityManager,
+    user: User,
+    config: SsoConfig,
+    tenantId: string,
+    idpGroups?: string[],
+  ): Promise<void> {
+    const resolvedTenantId = tenantId || user.tenantId || ''
+    if (!resolvedTenantId) return
+
+    const allRoles = await em.find(Role, { tenantId: resolvedTenantId, deletedAt: null } as FilterQuery<Role>)
+    const roleByNormalizedName = new Map<string, Role>()
+    for (const role of allRoles) {
+      const normalized = normalizeToken(role.name)
+      if (normalized) roleByNormalizedName.set(normalized, role)
+    }
+
+    // Resolve desired role IDs from IdP groups using merged mappings
+    const desiredRoleNames = resolveRoleNamesFromIdpGroups(idpGroups, config.appRoleMappings)
+    const desiredRoleIds = new Set<string>()
+    for (const roleName of desiredRoleNames) {
+      const role = roleByNormalizedName.get(roleName)
+      if (role) desiredRoleIds.add(role.id)
+    }
+
+    // Query current SSO grants for this user+config
+    const existingGrants = await em.find(SsoRoleGrant, {
+      userId: user.id,
+      ssoConfigId: config.id,
+    })
+    const existingGrantedRoleIds = new Set(existingGrants.map((g) => g.roleId))
+
+    // Compute diff
+    const toAdd = [...desiredRoleIds].filter((id) => !existingGrantedRoleIds.has(id))
+    const toRemove = existingGrants.filter((g) => !desiredRoleIds.has(g.roleId))
+
+    // Add new roles
+    for (const roleId of toAdd) {
+      const role = allRoles.find((r) => r.id === roleId)
+      if (!role) continue
+      await this.ensureUserRole(em, user, role)
+      const grant = em.create(SsoRoleGrant, {
+        tenantId: resolvedTenantId,
+        organizationId: config.organizationId,
+        userId: user.id,
+        roleId,
+        ssoConfigId: config.id,
+      } as RequiredEntityData<SsoRoleGrant>)
+      em.persist(grant)
+    }
+
+    // Remove stale SSO-sourced roles
+    for (const grant of toRemove) {
+      const userRole = await em.findOne(UserRole, {
+        user: user.id,
+        role: grant.roleId,
+        deletedAt: null,
+      } as FilterQuery<UserRole>)
+      if (userRole) {
+        em.remove(userRole)
+      }
+      em.remove(grant)
+    }
+
+    // Clean up orphaned soft-deleted UserRole rows (ghost rows from previous soft-delete logic)
+    const allUserRoles = await em.find(UserRole, { user: user.id } as FilterQuery<UserRole>)
+    for (const ur of allUserRoles) {
+      if (ur.deletedAt) {
+        em.remove(ur)
+      }
+    }
+
+    if (toAdd.length > 0 || toRemove.length > 0 || allUserRoles.some((ur) => ur.deletedAt)) {
+      await em.flush()
+    }
+  }
+
+  private async ensureUserRole(em: EntityManager, user: User, role: Role): Promise<void> {
+    const existingLink = await em.findOne(UserRole, {
+      user: user.id,
+      role: role.id,
+      deletedAt: null,
+    } as FilterQuery<UserRole>)
+    if (existingLink) return
+
+    const userRole = em.create(UserRole, { user, role, createdAt: new Date() })
+    await em.persistAndFlush(userRole)
+  }
+}
+
+function resolveRoleNamesFromIdpGroups(
+  idpGroups?: string[],
+  configMappings?: Record<string, string>,
+): string[] {
+  if (!Array.isArray(idpGroups) || idpGroups.length === 0) return []
+
+  const normalizedGroups = idpGroups
+    .map((group) => normalizeToken(group))
+    .filter((group): group is string => group !== null)
+  if (normalizedGroups.length === 0) return []
+
+  const mergedMappings = loadMergedMappings(configMappings)
+  const roleNames = new Set<string>()
+
+  for (const group of normalizedGroups) {
+    const mapped = mergedMappings.get(group)
+    if (mapped?.length) {
+      for (const role of mapped) roleNames.add(role)
+      continue
+    }
+
+    roleNames.add(group)
+    const segmented = group.split(/[\\/:]/).map((part) => normalizeToken(part)).filter((part): part is string => part !== null)
+    for (const candidate of segmented) {
+      roleNames.add(candidate)
+    }
+  }
+
+  return Array.from(roleNames)
+}
+
+function loadMergedMappings(configMappings?: Record<string, string>): Map<string, string[]> {
+  const envMappings = loadGroupRoleMappingsFromEnv()
+
+  // Per-config mappings take precedence over env var
+  if (configMappings && Object.keys(configMappings).length > 0) {
+    for (const [group, roleName] of Object.entries(configMappings)) {
+      const normalizedGroup = normalizeToken(group)
+      if (!normalizedGroup) continue
+      const normalizedRole = normalizeToken(roleName)
+      if (!normalizedRole) continue
+      envMappings.set(normalizedGroup, [normalizedRole])
+    }
+  }
+
+  return envMappings
+}
+
+function loadGroupRoleMappingsFromEnv(): Map<string, string[]> {
+  const raw = process.env.SSO_GROUP_ROLE_MAP
+  if (!raw) return new Map()
+
+  try {
+    const parsed = JSON.parse(raw) as Record<string, unknown>
+    const out = new Map<string, string[]>()
+    for (const [group, roleValue] of Object.entries(parsed)) {
+      const normalizedGroup = normalizeToken(group)
+      if (!normalizedGroup) continue
+      const roles = normalizeRoleList(roleValue)
+      if (roles.length > 0) out.set(normalizedGroup, roles)
+    }
+    return out
+  } catch {
+    return new Map()
+  }
+}
+
+function normalizeRoleList(value: unknown): string[] {
+  if (typeof value === 'string') {
+    const token = normalizeToken(value)
+    return token ? [token] : []
+  }
+
+  if (Array.isArray(value)) {
+    const out = new Set<string>()
+    for (const entry of value) {
+      const token = normalizeToken(entry)
+      if (token) out.add(token)
+    }
+    return Array.from(out)
+  }
+
+  return []
+}
+
+function normalizeToken(value: unknown): string | null {
+  if (typeof value !== 'string') return null
+  const normalized = value.trim().toLowerCase()
+  return normalized.length > 0 ? normalized : null
+}

package/src/modules/sso/services/hrdService.ts

@@ -0,0 +1,22 @@
+import { EntityManager } from '@mikro-orm/postgresql'
+import { SsoConfig } from '../data/entities'
+
+export class HrdService {
+  constructor(private em: EntityManager) {}
+
+  async findActiveConfigByEmailDomain(email: string): Promise<SsoConfig | null> {
+    const domain = email.split('@')[1]?.toLowerCase()
+    if (!domain) return null
+
+    const knex = this.em.getKnex()
+    const row = await knex('sso_configs')
+      .whereRaw("allowed_domains @> ?::jsonb", [JSON.stringify([domain])])
+      .where('is_active', true)
+      .whereNull('deleted_at')
+      .first()
+
+    if (!row) return null
+
+    return this.em.map(SsoConfig, row)
+  }
+}