@open-mercato/enterprise 0.6.4-develop.4371.1.8f3030407e → 0.6.4

package/dist/modules/sso/lib/errors.js

@@ -0,0 +1,21 @@
+var _a, _b;
+const EMAIL_NOT_VERIFIED_ERROR_MARKER = /* @__PURE__ */ Symbol.for("@open-mercato/sso/EmailNotVerifiedError");
+class EmailNotVerifiedError extends (_b = Error, _a = EMAIL_NOT_VERIFIED_ERROR_MARKER, _b) {
+  constructor(message, options) {
+    super(message, options);
+    this[_a] = true;
+    this.name = "EmailNotVerifiedError";
+  }
+}
+function isEmailNotVerifiedError(err) {
+  return !!err && typeof err === "object" && err[EMAIL_NOT_VERIFIED_ERROR_MARKER] === true;
+}
+function resolveSsoCallbackErrorCode(err) {
+  return isEmailNotVerifiedError(err) ? "sso_email_not_verified" : "sso_failed";
+}
+export {
+  EmailNotVerifiedError,
+  isEmailNotVerifiedError,
+  resolveSsoCallbackErrorCode
+};
+//# sourceMappingURL=errors.js.map

package/dist/modules/sso/lib/errors.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/modules/sso/lib/errors.ts"],
+  "sourcesContent": ["// Use Symbol.for so the marker survives module duplication across bundle\n// boundaries: the OIDC callback route and the account-linking service can be\n// bundled into separate chunks where `instanceof` silently returns false\n// (same rationale as isCrudHttpError in @open-mercato/shared).\nconst EMAIL_NOT_VERIFIED_ERROR_MARKER = Symbol.for('@open-mercato/sso/EmailNotVerifiedError')\n\nexport class EmailNotVerifiedError extends Error {\n  readonly [EMAIL_NOT_VERIFIED_ERROR_MARKER] = true\n\n  constructor(message: string, options?: { cause?: unknown }) {\n    super(message, options)\n    this.name = 'EmailNotVerifiedError'\n  }\n}\n\n/**\n * Type-safe check that works across module/bundle boundaries. Prefer this over\n * `instanceof EmailNotVerifiedError` because the SSO callback route may be\n * bundled separately from the service that throws the error.\n */\nexport function isEmailNotVerifiedError(err: unknown): err is EmailNotVerifiedError {\n  return !!err && typeof err === 'object' && (err as Record<symbol, unknown>)[EMAIL_NOT_VERIFIED_ERROR_MARKER] === true\n}\n\nexport type SsoCallbackErrorCode = 'sso_email_not_verified' | 'sso_failed'\n\n/**\n * Maps an error thrown during the OIDC callback to the login-page UX error code.\n * Keyed off the error type rather than a substring of the human-readable message,\n * which previously drifted out of sync and left `sso_email_not_verified`\n * unreachable (#2741).\n */\nexport function resolveSsoCallbackErrorCode(err: unknown): SsoCallbackErrorCode {\n  return isEmailNotVerifiedError(err) ? 'sso_email_not_verified' : 'sso_failed'\n}\n"],
+  "mappings": "AAAA;AAIA,MAAM,kCAAkC,uBAAO,IAAI,yCAAyC;AAErF,MAAM,+BAA8B,YAC/B,sCAD+B,IAAM;AAAA,EAG/C,YAAY,SAAiB,SAA+B;AAC1D,UAAM,SAAS,OAAO;AAHxB,SAAU,MAAmC;AAI3C,SAAK,OAAO;AAAA,EACd;AACF;AAOO,SAAS,wBAAwB,KAA4C;AAClF,SAAO,CAAC,CAAC,OAAO,OAAO,QAAQ,YAAa,IAAgC,+BAA+B,MAAM;AACnH;AAUO,SAAS,4BAA4B,KAAoC;AAC9E,SAAO,wBAAwB,GAAG,IAAI,2BAA2B;AACnE;",
+  "names": []
+}

package/dist/modules/sso/services/accountLinkingService.js

@@ -3,6 +3,7 @@ import { findOneWithDecryption } from "@open-mercato/shared/lib/encryption/find"
 import { computeEmailHash } from "@open-mercato/core/modules/auth/lib/emailHash";
 import { SsoIdentity, SsoRoleGrant, ScimToken } from "../data/entities.js";
 import { emitSsoEvent } from "../events.js";
+import { EmailNotVerifiedError } from "../lib/errors.js";
 class AccountLinkingService {
   constructor(em) {
     this.em = em;
@@ -14,7 +15,7 @@ class AccountLinkingService {
       return existing;
     }
     if (idpPayload.emailVerified === false) {
-      throw new Error("IdP explicitly reported email as unverified \u2014 cannot link or provision account");
+      throw new EmailNotVerifiedError("IdP explicitly reported email as unverified \u2014 cannot link or provision account");
     }
     const emailDomain = idpPayload.email.split("@")[1]?.toLowerCase();
     if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {

package/dist/modules/sso/services/accountLinkingService.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/sso/services/accountLinkingService.ts"],
-  "sourcesContent": ["import { EntityManager, type FilterQuery, type RequiredEntityData } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { SsoConfig, SsoIdentity, SsoRoleGrant, ScimToken } from '../data/entities'\nimport { emitSsoEvent } from '../events'\nimport type { SsoIdentityPayload } from '../lib/types'\n\nexport class AccountLinkingService {\n  constructor(private em: EntityManager) {}\n\n  async resolveUser(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    const existing = await this.findExistingLink(config.id, idpPayload.subject, tenantId, config.organizationId)\n    if (existing) {\n      await this.assignRolesFromSso(this.em, existing.user, config, tenantId, idpPayload.groups)\n      return existing\n    }\n\n    if (idpPayload.emailVerified === false) {\n      throw new Error('IdP explicitly reported email as unverified \u2014 cannot link or provision account')\n    }\n\n    const emailDomain = idpPayload.email.split('@')[1]?.toLowerCase()\n    if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {\n      throw new Error('Email domain is not in the allowed domains for this SSO configuration')\n    }\n\n    const emailLinked = config.autoLinkByEmail\n      ? await this.linkByEmail(config, idpPayload, tenantId)\n      : null\n    if (emailLinked) {\n      await this.assignRolesFromSso(this.em, emailLinked.user, config, tenantId, idpPayload.groups)\n      return emailLinked\n    }\n\n    if (config.jitEnabled) {\n      const scimActive = await this.em.count(ScimToken, { ssoConfigId: config.id, isActive: true }) > 0\n      if (scimActive) {\n        throw new Error('JIT provisioning is disabled because SCIM directory sync is active')\n      }\n      return this.jitProvision(config, idpPayload, tenantId)\n    }\n\n    throw new Error('No matching user found and JIT provisioning is disabled')\n  }\n\n  private async findExistingLink(\n    ssoConfigId: string,\n    idpSubject: string,\n    tenantId: string,\n    organizationId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const identity = await findOneWithDecryption(\n      this.em,\n      SsoIdentity,\n      { ssoConfigId, idpSubject, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!identity) return null\n\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      { id: identity.userId, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!user) {\n      identity.deletedAt = new Date()\n      await this.em.flush()\n      return null\n    }\n\n    identity.lastLoginAt = new Date()\n    await this.em.flush()\n\n    return { user, identity }\n  }\n\n  private async linkByEmail(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const emailHash = computeEmailHash(idpPayload.email)\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      {\n        organizationId: config.organizationId,\n        deletedAt: null,\n        $or: [\n          { email: idpPayload.email },\n          { emailHash },\n        ],\n      } as FilterQuery<User>,\n      {},\n      { tenantId, organizationId: config.organizationId },\n    )\n    if (!user) return null\n\n    const now = new Date()\n    const identity = this.em.create(SsoIdentity, {\n      tenantId,\n      organizationId: config.organizationId,\n      ssoConfigId: config.id,\n      userId: user.id,\n      idpSubject: idpPayload.subject,\n      idpEmail: idpPayload.email,\n      idpName: idpPayload.name ?? null,\n      idpGroups: idpPayload.groups ?? [],\n      provisioningMethod: 'manual',\n      firstLoginAt: now,\n      lastLoginAt: now,\n      createdAt: now,\n      updatedAt: now,\n    } as RequiredEntityData<SsoIdentity>)\n    await this.em.persist(identity).flush()\n\n    void emitSsoEvent('sso.identity.linked', {\n      id: identity.id,\n      tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return { user, identity }\n  }\n\n  private async jitProvision(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    return this.em.transactional(async (txEm) => {\n      const user = txEm.create(User, {\n        tenantId,\n        organizationId: config.organizationId,\n        email: idpPayload.email,\n        emailHash: computeEmailHash(idpPayload.email),\n        name: idpPayload.name ?? null,\n        passwordHash: null,\n        isConfirmed: true,\n        createdAt: new Date(),\n      })\n      await txEm.persist(user).flush()\n\n      await this.assignRolesFromSso(txEm, user, config, tenantId, idpPayload.groups)\n\n      const now = new Date()\n      const identity = txEm.create(SsoIdentity, {\n        tenantId,\n        organizationId: config.organizationId,\n        ssoConfigId: config.id,\n        userId: user.id,\n        idpSubject: idpPayload.subject,\n        idpEmail: idpPayload.email,\n        idpName: idpPayload.name ?? null,\n        idpGroups: idpPayload.groups ?? [],\n        provisioningMethod: 'jit',\n        firstLoginAt: now,\n        lastLoginAt: now,\n        createdAt: now,\n        updatedAt: now,\n      } as RequiredEntityData<SsoIdentity>)\n      await txEm.persist(identity).flush()\n\n      void emitSsoEvent('sso.identity.created', {\n        id: identity.id,\n        tenantId,\n        organizationId: config.organizationId,\n      }).catch((e) => console.error('[SSO Event]', e))\n\n      return { user, identity }\n    })\n  }\n\n  private async assignRolesFromSso(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const hasMappings = config.appRoleMappings && Object.keys(config.appRoleMappings).length > 0\n    if (!hasMappings) return\n\n    await this.syncMappedRoles(em, user, config, tenantId, idpGroups)\n\n    const hasAnySsoRole = await em.findOne(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    if (!hasAnySsoRole) {\n      throw new Error('No roles could be resolved from IdP groups \u2014 login denied. Configure role mappings or ensure the IdP sends matching group claims.')\n    }\n  }\n\n  /**\n   * Sync/replace SSO-sourced roles: on each login, SSO-managed roles are replaced\n   * with what the IdP sends, while manually-assigned roles are preserved.\n   */\n  private async syncMappedRoles(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const resolvedTenantId = tenantId || user.tenantId || ''\n    if (!resolvedTenantId) return\n\n    const allRoles = await em.find(Role, { tenantId: resolvedTenantId, deletedAt: null } as FilterQuery<Role>)\n    const roleByNormalizedName = new Map<string, Role>()\n    for (const role of allRoles) {\n      const normalized = normalizeToken(role.name)\n      if (normalized) roleByNormalizedName.set(normalized, role)\n    }\n\n    // Resolve desired role IDs from IdP groups using merged mappings\n    const desiredRoleNames = resolveRoleNamesFromIdpGroups(idpGroups, config.appRoleMappings)\n    const desiredRoleIds = new Set<string>()\n    for (const roleName of desiredRoleNames) {\n      const role = roleByNormalizedName.get(roleName)\n      if (role) desiredRoleIds.add(role.id)\n    }\n\n    // Query current SSO grants for this user+config\n    const existingGrants = await em.find(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    const existingGrantedRoleIds = new Set(existingGrants.map((g) => g.roleId))\n\n    // Compute diff\n    const toAdd = [...desiredRoleIds].filter((id) => !existingGrantedRoleIds.has(id))\n    const toRemove = existingGrants.filter((g) => !desiredRoleIds.has(g.roleId))\n\n    // Add new roles\n    for (const roleId of toAdd) {\n      const role = allRoles.find((r) => r.id === roleId)\n      if (!role) continue\n      await this.ensureUserRole(em, user, role)\n      const grant = em.create(SsoRoleGrant, {\n        tenantId: resolvedTenantId,\n        organizationId: config.organizationId,\n        userId: user.id,\n        roleId,\n        ssoConfigId: config.id,\n      } as RequiredEntityData<SsoRoleGrant>)\n      em.persist(grant)\n    }\n\n    // Remove stale SSO-sourced roles\n    for (const grant of toRemove) {\n      const userRole = await em.findOne(UserRole, {\n        user: user.id,\n        role: grant.roleId,\n        deletedAt: null,\n      } as FilterQuery<UserRole>)\n      if (userRole) {\n        em.remove(userRole)\n      }\n      em.remove(grant)\n    }\n\n    // Clean up orphaned soft-deleted UserRole rows (ghost rows from previous soft-delete logic)\n    const allUserRoles = await em.find(UserRole, { user: user.id } as FilterQuery<UserRole>)\n    for (const ur of allUserRoles) {\n      if (ur.deletedAt) {\n        em.remove(ur)\n      }\n    }\n\n    if (toAdd.length > 0 || toRemove.length > 0 || allUserRoles.some((ur) => ur.deletedAt)) {\n      await em.flush()\n    }\n  }\n\n  private async ensureUserRole(em: EntityManager, user: User, role: Role): Promise<void> {\n    const existingLink = await em.findOne(UserRole, {\n      user: user.id,\n      role: role.id,\n      deletedAt: null,\n    } as FilterQuery<UserRole>)\n    if (existingLink) return\n\n    const userRole = em.create(UserRole, { user, role, createdAt: new Date() })\n    await em.persist(userRole).flush()\n  }\n}\n\nfunction resolveRoleNamesFromIdpGroups(\n  idpGroups?: string[],\n  configMappings?: Record<string, string>,\n): string[] {\n  if (!Array.isArray(idpGroups) || idpGroups.length === 0) return []\n\n  const normalizedGroups = idpGroups\n    .map((group) => normalizeToken(group))\n    .filter((group): group is string => group !== null)\n  if (normalizedGroups.length === 0) return []\n\n  const mergedMappings = loadMergedMappings(configMappings)\n  const roleNames = new Set<string>()\n\n  for (const group of normalizedGroups) {\n    const mapped = mergedMappings.get(group)\n    if (mapped?.length) {\n      for (const role of mapped) roleNames.add(role)\n      continue\n    }\n\n    roleNames.add(group)\n    const segmented = group.split(/[\\\\/:]/).map((part) => normalizeToken(part)).filter((part): part is string => part !== null)\n    for (const candidate of segmented) {\n      roleNames.add(candidate)\n    }\n  }\n\n  return Array.from(roleNames)\n}\n\nfunction loadMergedMappings(configMappings?: Record<string, string>): Map<string, string[]> {\n  const envMappings = loadGroupRoleMappingsFromEnv()\n\n  // Per-config mappings take precedence over env var\n  if (configMappings && Object.keys(configMappings).length > 0) {\n    for (const [group, roleName] of Object.entries(configMappings)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const normalizedRole = normalizeToken(roleName)\n      if (!normalizedRole) continue\n      envMappings.set(normalizedGroup, [normalizedRole])\n    }\n  }\n\n  return envMappings\n}\n\nfunction loadGroupRoleMappingsFromEnv(): Map<string, string[]> {\n  const raw = process.env.SSO_GROUP_ROLE_MAP\n  if (!raw) return new Map()\n\n  try {\n    const parsed = JSON.parse(raw) as Record<string, unknown>\n    const out = new Map<string, string[]>()\n    for (const [group, roleValue] of Object.entries(parsed)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const roles = normalizeRoleList(roleValue)\n      if (roles.length > 0) out.set(normalizedGroup, roles)\n    }\n    return out\n  } catch {\n    return new Map()\n  }\n}\n\nfunction normalizeRoleList(value: unknown): string[] {\n  if (typeof value === 'string') {\n    const token = normalizeToken(value)\n    return token ? [token] : []\n  }\n\n  if (Array.isArray(value)) {\n    const out = new Set<string>()\n    for (const entry of value) {\n      const token = normalizeToken(entry)\n      if (token) out.add(token)\n    }\n    return Array.from(out)\n  }\n\n  return []\n}\n\nfunction normalizeToken(value: unknown): string | null {\n  if (typeof value !== 'string') return null\n  const normalized = value.trim().toLowerCase()\n  return normalized.length > 0 ? normalized : null\n}\n"],
-  "mappings": "AACA,SAAS,MAAM,UAAU,YAAY;AACrC,SAAS,6BAA6B;AACtC,SAAS,wBAAwB;AACjC,SAAoB,aAAa,cAAc,iBAAiB;AAChE,SAAS,oBAAoB;AAGtB,MAAM,sBAAsB;AAAA,EACjC,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,YACJ,QACA,YACA,UACgD;AAChD,UAAM,WAAW,MAAM,KAAK,iBAAiB,OAAO,IAAI,WAAW,SAAS,UAAU,OAAO,cAAc;AAC3G,QAAI,UAAU;AACZ,YAAM,KAAK,mBAAmB,KAAK,IAAI,SAAS,MAAM,QAAQ,UAAU,WAAW,MAAM;AACzF,aAAO;AAAA,IACT;AAEA,QAAI,WAAW,kBAAkB,OAAO;AACtC,YAAM,IAAI,MAAM,qFAAgF;AAAA,IAClG;AAEA,UAAM,cAAc,WAAW,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,YAAY;AAChE,QAAI,CAAC,eAAe,CAAC,OAAO,eAAe,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,WAAW,GAAG;AACvF,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AAEA,UAAM,cAAc,OAAO,kBACvB,MAAM,KAAK,YAAY,QAAQ,YAAY,QAAQ,IACnD;AACJ,QAAI,aAAa;AACf,YAAM,KAAK,mBAAmB,KAAK,IAAI,YAAY,MAAM,QAAQ,UAAU,WAAW,MAAM;AAC5F,aAAO;AAAA,IACT;AAEA,QAAI,OAAO,YAAY;AACrB,YAAM,aAAa,MAAM,KAAK,GAAG,MAAM,WAAW,EAAE,aAAa,OAAO,IAAI,UAAU,KAAK,CAAC,IAAI;AAChG,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,oEAAoE;AAAA,MACtF;AACA,aAAO,KAAK,aAAa,QAAQ,YAAY,QAAQ;AAAA,IACvD;AAEA,UAAM,IAAI,MAAM,yDAAyD;AAAA,EAC3E;AAAA,EAEA,MAAc,iBACZ,aACA,YACA,UACA,gBACuD;AACvD,UAAM,WAAW,MAAM;AAAA,MACrB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,aAAa,YAAY,WAAW,KAAK;AAAA,MAC3C,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,IAAI,SAAS,QAAQ,WAAW,KAAK;AAAA,MACvC,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,MAAM;AACT,eAAS,YAAY,oBAAI,KAAK;AAC9B,YAAM,KAAK,GAAG,MAAM;AACpB,aAAO;AAAA,IACT;AAEA,aAAS,cAAc,oBAAI,KAAK;AAChC,UAAM,KAAK,GAAG,MAAM;AAEpB,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,YACZ,QACA,YACA,UACuD;AACvD,UAAM,YAAY,iBAAiB,WAAW,KAAK;AACnD,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE,gBAAgB,OAAO;AAAA,QACvB,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,OAAO,WAAW,MAAM;AAAA,UAC1B,EAAE,UAAU;AAAA,QACd;AAAA,MACF;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,gBAAgB,OAAO,eAAe;AAAA,IACpD;AACA,QAAI,CAAC,KAAM,QAAO;AAElB,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,KAAK,GAAG,OAAO,aAAa;AAAA,MAC3C;AAAA,MACA,gBAAgB,OAAO;AAAA,MACvB,aAAa,OAAO;AAAA,MACpB,QAAQ,KAAK;AAAA,MACb,YAAY,WAAW;AAAA,MACvB,UAAU,WAAW;AAAA,MACrB,SAAS,WAAW,QAAQ;AAAA,MAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,MACjC,oBAAoB;AAAA,MACpB,cAAc;AAAA,MACd,aAAa;AAAA,MACb,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAoC;AACpC,UAAM,KAAK,GAAG,QAAQ,QAAQ,EAAE,MAAM;AAEtC,SAAK,aAAa,uBAAuB;AAAA,MACvC,IAAI,SAAS;AAAA,MACb;AAAA,MACA,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,aACZ,QACA,YACA,UACgD;AAChD,WAAO,KAAK,GAAG,cAAc,OAAO,SAAS;AAC3C,YAAM,OAAO,KAAK,OAAO,MAAM;AAAA,QAC7B;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,OAAO,WAAW;AAAA,QAClB,WAAW,iBAAiB,WAAW,KAAK;AAAA,QAC5C,MAAM,WAAW,QAAQ;AAAA,QACzB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,YAAM,KAAK,QAAQ,IAAI,EAAE,MAAM;AAE/B,YAAM,KAAK,mBAAmB,MAAM,MAAM,QAAQ,UAAU,WAAW,MAAM;AAE7E,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,WAAW,KAAK,OAAO,aAAa;AAAA,QACxC;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,QAAQ,KAAK;AAAA,QACb,YAAY,WAAW;AAAA,QACvB,UAAU,WAAW;AAAA,QACrB,SAAS,WAAW,QAAQ;AAAA,QAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,QACjC,oBAAoB;AAAA,QACpB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAoC;AACpC,YAAM,KAAK,QAAQ,QAAQ,EAAE,MAAM;AAEnC,WAAK,aAAa,wBAAwB;AAAA,QACxC,IAAI,SAAS;AAAA,QACb;AAAA,QACA,gBAAgB,OAAO;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,aAAO,EAAE,MAAM,SAAS;AAAA,IAC1B,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,mBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,cAAc,OAAO,mBAAmB,OAAO,KAAK,OAAO,eAAe,EAAE,SAAS;AAC3F,QAAI,CAAC,YAAa;AAElB,UAAM,KAAK,gBAAgB,IAAI,MAAM,QAAQ,UAAU,SAAS;AAEhE,UAAM,gBAAgB,MAAM,GAAG,QAAQ,cAAc;AAAA,MACnD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,wIAAmI;AAAA,IACrJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB;AAEvB,UAAM,WAAW,MAAM,GAAG,KAAK,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,CAAsB;AACzG,UAAM,uBAAuB,oBAAI,IAAkB;AACnD,eAAW,QAAQ,UAAU;AAC3B,YAAM,aAAa,eAAe,KAAK,IAAI;AAC3C,UAAI,WAAY,sBAAqB,IAAI,YAAY,IAAI;AAAA,IAC3D;AAGA,UAAM,mBAAmB,8BAA8B,WAAW,OAAO,eAAe;AACxF,UAAM,iBAAiB,oBAAI,IAAY;AACvC,eAAW,YAAY,kBAAkB;AACvC,YAAM,OAAO,qBAAqB,IAAI,QAAQ;AAC9C,UAAI,KAAM,gBAAe,IAAI,KAAK,EAAE;AAAA,IACtC;AAGA,UAAM,iBAAiB,MAAM,GAAG,KAAK,cAAc;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,UAAM,yBAAyB,IAAI,IAAI,eAAe,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AAG1E,UAAM,QAAQ,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,uBAAuB,IAAI,EAAE,CAAC;AAChF,UAAM,WAAW,eAAe,OAAO,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,MAAM,CAAC;AAG3E,eAAW,UAAU,OAAO;AAC1B,YAAM,OAAO,SAAS,KAAK,CAAC,MAAM,EAAE,OAAO,MAAM;AACjD,UAAI,CAAC,KAAM;AACX,YAAM,KAAK,eAAe,IAAI,MAAM,IAAI;AACxC,YAAM,QAAQ,GAAG,OAAO,cAAc;AAAA,QACpC,UAAU;AAAA,QACV,gBAAgB,OAAO;AAAA,QACvB,QAAQ,KAAK;AAAA,QACb;AAAA,QACA,aAAa,OAAO;AAAA,MACtB,CAAqC;AACrC,SAAG,QAAQ,KAAK;AAAA,IAClB;AAGA,eAAW,SAAS,UAAU;AAC5B,YAAM,WAAW,MAAM,GAAG,QAAQ,UAAU;AAAA,QAC1C,MAAM,KAAK;AAAA,QACX,MAAM,MAAM;AAAA,QACZ,WAAW;AAAA,MACb,CAA0B;AAC1B,UAAI,UAAU;AACZ,WAAG,OAAO,QAAQ;AAAA,MACpB;AACA,SAAG,OAAO,KAAK;AAAA,IACjB;AAGA,UAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,KAAK,GAAG,CAA0B;AACvF,eAAW,MAAM,cAAc;AAC7B,UAAI,GAAG,WAAW;AAChB,WAAG,OAAO,EAAE;AAAA,MACd;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,KAAK,SAAS,SAAS,KAAK,aAAa,KAAK,CAAC,OAAO,GAAG,SAAS,GAAG;AACtF,YAAM,GAAG,MAAM;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,IAAmB,MAAY,MAA2B;AACrF,UAAM,eAAe,MAAM,GAAG,QAAQ,UAAU;AAAA,MAC9C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,IACb,CAA0B;AAC1B,QAAI,aAAc;AAElB,UAAM,WAAW,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC1E,UAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM;AAAA,EACnC;AACF;AAEA,SAAS,8BACP,WACA,gBACU;AACV,MAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,WAAW,EAAG,QAAO,CAAC;AAEjE,QAAM,mBAAmB,UACtB,IAAI,CAAC,UAAU,eAAe,KAAK,CAAC,EACpC,OAAO,CAAC,UAA2B,UAAU,IAAI;AACpD,MAAI,iBAAiB,WAAW,EAAG,QAAO,CAAC;AAE3C,QAAM,iBAAiB,mBAAmB,cAAc;AACxD,QAAM,YAAY,oBAAI,IAAY;AAElC,aAAW,SAAS,kBAAkB;AACpC,UAAM,SAAS,eAAe,IAAI,KAAK;AACvC,QAAI,QAAQ,QAAQ;AAClB,iBAAW,QAAQ,OAAQ,WAAU,IAAI,IAAI;AAC7C;AAAA,IACF;AAEA,cAAU,IAAI,KAAK;AACnB,UAAM,YAAY,MAAM,MAAM,QAAQ,EAAE,IAAI,CAAC,SAAS,eAAe,IAAI,CAAC,EAAE,OAAO,CAAC,SAAyB,SAAS,IAAI;AAC1H,eAAW,aAAa,WAAW;AACjC,gBAAU,IAAI,SAAS;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,SAAS;AAC7B;AAEA,SAAS,mBAAmB,gBAAgE;AAC1F,QAAM,cAAc,6BAA6B;AAGjD,MAAI,kBAAkB,OAAO,KAAK,cAAc,EAAE,SAAS,GAAG;AAC5D,eAAW,CAAC,OAAO,QAAQ,KAAK,OAAO,QAAQ,cAAc,GAAG;AAC9D,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,iBAAiB,eAAe,QAAQ;AAC9C,UAAI,CAAC,eAAgB;AACrB,kBAAY,IAAI,iBAAiB,CAAC,cAAc,CAAC;AAAA,IACnD;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,+BAAsD;AAC7D,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO,oBAAI,IAAI;AAEzB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,UAAM,MAAM,oBAAI,IAAsB;AACtC,eAAW,CAAC,OAAO,SAAS,KAAK,OAAO,QAAQ,MAAM,GAAG;AACvD,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,QAAQ,kBAAkB,SAAS;AACzC,UAAI,MAAM,SAAS,EAAG,KAAI,IAAI,iBAAiB,KAAK;AAAA,IACtD;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO,oBAAI,IAAI;AAAA,EACjB;AACF;AAEA,SAAS,kBAAkB,OAA0B;AACnD,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,eAAe,KAAK;AAClC,WAAO,QAAQ,CAAC,KAAK,IAAI,CAAC;AAAA,EAC5B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,MAAM,oBAAI,IAAY;AAC5B,eAAW,SAAS,OAAO;AACzB,YAAM,QAAQ,eAAe,KAAK;AAClC,UAAI,MAAO,KAAI,IAAI,KAAK;AAAA,IAC1B;AACA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAEA,SAAO,CAAC;AACV;AAEA,SAAS,eAAe,OAA+B;AACrD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,aAAa,MAAM,KAAK,EAAE,YAAY;AAC5C,SAAO,WAAW,SAAS,IAAI,aAAa;AAC9C;",
+  "sourcesContent": ["import { EntityManager, type FilterQuery, type RequiredEntityData } from '@mikro-orm/postgresql'\nimport { User, UserRole, Role } from '@open-mercato/core/modules/auth/data/entities'\nimport { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'\nimport { computeEmailHash } from '@open-mercato/core/modules/auth/lib/emailHash'\nimport { SsoConfig, SsoIdentity, SsoRoleGrant, ScimToken } from '../data/entities'\nimport { emitSsoEvent } from '../events'\nimport { EmailNotVerifiedError } from '../lib/errors'\nimport type { SsoIdentityPayload } from '../lib/types'\n\nexport class AccountLinkingService {\n  constructor(private em: EntityManager) {}\n\n  async resolveUser(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    const existing = await this.findExistingLink(config.id, idpPayload.subject, tenantId, config.organizationId)\n    if (existing) {\n      await this.assignRolesFromSso(this.em, existing.user, config, tenantId, idpPayload.groups)\n      return existing\n    }\n\n    if (idpPayload.emailVerified === false) {\n      throw new EmailNotVerifiedError('IdP explicitly reported email as unverified \u2014 cannot link or provision account')\n    }\n\n    const emailDomain = idpPayload.email.split('@')[1]?.toLowerCase()\n    if (!emailDomain || !config.allowedDomains.some((d) => d.toLowerCase() === emailDomain)) {\n      throw new Error('Email domain is not in the allowed domains for this SSO configuration')\n    }\n\n    const emailLinked = config.autoLinkByEmail\n      ? await this.linkByEmail(config, idpPayload, tenantId)\n      : null\n    if (emailLinked) {\n      await this.assignRolesFromSso(this.em, emailLinked.user, config, tenantId, idpPayload.groups)\n      return emailLinked\n    }\n\n    if (config.jitEnabled) {\n      const scimActive = await this.em.count(ScimToken, { ssoConfigId: config.id, isActive: true }) > 0\n      if (scimActive) {\n        throw new Error('JIT provisioning is disabled because SCIM directory sync is active')\n      }\n      return this.jitProvision(config, idpPayload, tenantId)\n    }\n\n    throw new Error('No matching user found and JIT provisioning is disabled')\n  }\n\n  private async findExistingLink(\n    ssoConfigId: string,\n    idpSubject: string,\n    tenantId: string,\n    organizationId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const identity = await findOneWithDecryption(\n      this.em,\n      SsoIdentity,\n      { ssoConfigId, idpSubject, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!identity) return null\n\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      { id: identity.userId, deletedAt: null },\n      {},\n      { tenantId, organizationId },\n    )\n    if (!user) {\n      identity.deletedAt = new Date()\n      await this.em.flush()\n      return null\n    }\n\n    identity.lastLoginAt = new Date()\n    await this.em.flush()\n\n    return { user, identity }\n  }\n\n  private async linkByEmail(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity } | null> {\n    const emailHash = computeEmailHash(idpPayload.email)\n    const user = await findOneWithDecryption(\n      this.em,\n      User,\n      {\n        organizationId: config.organizationId,\n        deletedAt: null,\n        $or: [\n          { email: idpPayload.email },\n          { emailHash },\n        ],\n      } as FilterQuery<User>,\n      {},\n      { tenantId, organizationId: config.organizationId },\n    )\n    if (!user) return null\n\n    const now = new Date()\n    const identity = this.em.create(SsoIdentity, {\n      tenantId,\n      organizationId: config.organizationId,\n      ssoConfigId: config.id,\n      userId: user.id,\n      idpSubject: idpPayload.subject,\n      idpEmail: idpPayload.email,\n      idpName: idpPayload.name ?? null,\n      idpGroups: idpPayload.groups ?? [],\n      provisioningMethod: 'manual',\n      firstLoginAt: now,\n      lastLoginAt: now,\n      createdAt: now,\n      updatedAt: now,\n    } as RequiredEntityData<SsoIdentity>)\n    await this.em.persist(identity).flush()\n\n    void emitSsoEvent('sso.identity.linked', {\n      id: identity.id,\n      tenantId,\n      organizationId: config.organizationId,\n    }).catch((e) => console.error('[SSO Event]', e))\n\n    return { user, identity }\n  }\n\n  private async jitProvision(\n    config: SsoConfig,\n    idpPayload: SsoIdentityPayload,\n    tenantId: string,\n  ): Promise<{ user: User; identity: SsoIdentity }> {\n    return this.em.transactional(async (txEm) => {\n      const user = txEm.create(User, {\n        tenantId,\n        organizationId: config.organizationId,\n        email: idpPayload.email,\n        emailHash: computeEmailHash(idpPayload.email),\n        name: idpPayload.name ?? null,\n        passwordHash: null,\n        isConfirmed: true,\n        createdAt: new Date(),\n      })\n      await txEm.persist(user).flush()\n\n      await this.assignRolesFromSso(txEm, user, config, tenantId, idpPayload.groups)\n\n      const now = new Date()\n      const identity = txEm.create(SsoIdentity, {\n        tenantId,\n        organizationId: config.organizationId,\n        ssoConfigId: config.id,\n        userId: user.id,\n        idpSubject: idpPayload.subject,\n        idpEmail: idpPayload.email,\n        idpName: idpPayload.name ?? null,\n        idpGroups: idpPayload.groups ?? [],\n        provisioningMethod: 'jit',\n        firstLoginAt: now,\n        lastLoginAt: now,\n        createdAt: now,\n        updatedAt: now,\n      } as RequiredEntityData<SsoIdentity>)\n      await txEm.persist(identity).flush()\n\n      void emitSsoEvent('sso.identity.created', {\n        id: identity.id,\n        tenantId,\n        organizationId: config.organizationId,\n      }).catch((e) => console.error('[SSO Event]', e))\n\n      return { user, identity }\n    })\n  }\n\n  private async assignRolesFromSso(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const hasMappings = config.appRoleMappings && Object.keys(config.appRoleMappings).length > 0\n    if (!hasMappings) return\n\n    await this.syncMappedRoles(em, user, config, tenantId, idpGroups)\n\n    const hasAnySsoRole = await em.findOne(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    if (!hasAnySsoRole) {\n      throw new Error('No roles could be resolved from IdP groups \u2014 login denied. Configure role mappings or ensure the IdP sends matching group claims.')\n    }\n  }\n\n  /**\n   * Sync/replace SSO-sourced roles: on each login, SSO-managed roles are replaced\n   * with what the IdP sends, while manually-assigned roles are preserved.\n   */\n  private async syncMappedRoles(\n    em: EntityManager,\n    user: User,\n    config: SsoConfig,\n    tenantId: string,\n    idpGroups?: string[],\n  ): Promise<void> {\n    const resolvedTenantId = tenantId || user.tenantId || ''\n    if (!resolvedTenantId) return\n\n    const allRoles = await em.find(Role, { tenantId: resolvedTenantId, deletedAt: null } as FilterQuery<Role>)\n    const roleByNormalizedName = new Map<string, Role>()\n    for (const role of allRoles) {\n      const normalized = normalizeToken(role.name)\n      if (normalized) roleByNormalizedName.set(normalized, role)\n    }\n\n    // Resolve desired role IDs from IdP groups using merged mappings\n    const desiredRoleNames = resolveRoleNamesFromIdpGroups(idpGroups, config.appRoleMappings)\n    const desiredRoleIds = new Set<string>()\n    for (const roleName of desiredRoleNames) {\n      const role = roleByNormalizedName.get(roleName)\n      if (role) desiredRoleIds.add(role.id)\n    }\n\n    // Query current SSO grants for this user+config\n    const existingGrants = await em.find(SsoRoleGrant, {\n      userId: user.id,\n      ssoConfigId: config.id,\n    })\n    const existingGrantedRoleIds = new Set(existingGrants.map((g) => g.roleId))\n\n    // Compute diff\n    const toAdd = [...desiredRoleIds].filter((id) => !existingGrantedRoleIds.has(id))\n    const toRemove = existingGrants.filter((g) => !desiredRoleIds.has(g.roleId))\n\n    // Add new roles\n    for (const roleId of toAdd) {\n      const role = allRoles.find((r) => r.id === roleId)\n      if (!role) continue\n      await this.ensureUserRole(em, user, role)\n      const grant = em.create(SsoRoleGrant, {\n        tenantId: resolvedTenantId,\n        organizationId: config.organizationId,\n        userId: user.id,\n        roleId,\n        ssoConfigId: config.id,\n      } as RequiredEntityData<SsoRoleGrant>)\n      em.persist(grant)\n    }\n\n    // Remove stale SSO-sourced roles\n    for (const grant of toRemove) {\n      const userRole = await em.findOne(UserRole, {\n        user: user.id,\n        role: grant.roleId,\n        deletedAt: null,\n      } as FilterQuery<UserRole>)\n      if (userRole) {\n        em.remove(userRole)\n      }\n      em.remove(grant)\n    }\n\n    // Clean up orphaned soft-deleted UserRole rows (ghost rows from previous soft-delete logic)\n    const allUserRoles = await em.find(UserRole, { user: user.id } as FilterQuery<UserRole>)\n    for (const ur of allUserRoles) {\n      if (ur.deletedAt) {\n        em.remove(ur)\n      }\n    }\n\n    if (toAdd.length > 0 || toRemove.length > 0 || allUserRoles.some((ur) => ur.deletedAt)) {\n      await em.flush()\n    }\n  }\n\n  private async ensureUserRole(em: EntityManager, user: User, role: Role): Promise<void> {\n    const existingLink = await em.findOne(UserRole, {\n      user: user.id,\n      role: role.id,\n      deletedAt: null,\n    } as FilterQuery<UserRole>)\n    if (existingLink) return\n\n    const userRole = em.create(UserRole, { user, role, createdAt: new Date() })\n    await em.persist(userRole).flush()\n  }\n}\n\nfunction resolveRoleNamesFromIdpGroups(\n  idpGroups?: string[],\n  configMappings?: Record<string, string>,\n): string[] {\n  if (!Array.isArray(idpGroups) || idpGroups.length === 0) return []\n\n  const normalizedGroups = idpGroups\n    .map((group) => normalizeToken(group))\n    .filter((group): group is string => group !== null)\n  if (normalizedGroups.length === 0) return []\n\n  const mergedMappings = loadMergedMappings(configMappings)\n  const roleNames = new Set<string>()\n\n  for (const group of normalizedGroups) {\n    const mapped = mergedMappings.get(group)\n    if (mapped?.length) {\n      for (const role of mapped) roleNames.add(role)\n      continue\n    }\n\n    roleNames.add(group)\n    const segmented = group.split(/[\\\\/:]/).map((part) => normalizeToken(part)).filter((part): part is string => part !== null)\n    for (const candidate of segmented) {\n      roleNames.add(candidate)\n    }\n  }\n\n  return Array.from(roleNames)\n}\n\nfunction loadMergedMappings(configMappings?: Record<string, string>): Map<string, string[]> {\n  const envMappings = loadGroupRoleMappingsFromEnv()\n\n  // Per-config mappings take precedence over env var\n  if (configMappings && Object.keys(configMappings).length > 0) {\n    for (const [group, roleName] of Object.entries(configMappings)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const normalizedRole = normalizeToken(roleName)\n      if (!normalizedRole) continue\n      envMappings.set(normalizedGroup, [normalizedRole])\n    }\n  }\n\n  return envMappings\n}\n\nfunction loadGroupRoleMappingsFromEnv(): Map<string, string[]> {\n  const raw = process.env.SSO_GROUP_ROLE_MAP\n  if (!raw) return new Map()\n\n  try {\n    const parsed = JSON.parse(raw) as Record<string, unknown>\n    const out = new Map<string, string[]>()\n    for (const [group, roleValue] of Object.entries(parsed)) {\n      const normalizedGroup = normalizeToken(group)\n      if (!normalizedGroup) continue\n      const roles = normalizeRoleList(roleValue)\n      if (roles.length > 0) out.set(normalizedGroup, roles)\n    }\n    return out\n  } catch {\n    return new Map()\n  }\n}\n\nfunction normalizeRoleList(value: unknown): string[] {\n  if (typeof value === 'string') {\n    const token = normalizeToken(value)\n    return token ? [token] : []\n  }\n\n  if (Array.isArray(value)) {\n    const out = new Set<string>()\n    for (const entry of value) {\n      const token = normalizeToken(entry)\n      if (token) out.add(token)\n    }\n    return Array.from(out)\n  }\n\n  return []\n}\n\nfunction normalizeToken(value: unknown): string | null {\n  if (typeof value !== 'string') return null\n  const normalized = value.trim().toLowerCase()\n  return normalized.length > 0 ? normalized : null\n}\n"],
+  "mappings": "AACA,SAAS,MAAM,UAAU,YAAY;AACrC,SAAS,6BAA6B;AACtC,SAAS,wBAAwB;AACjC,SAAoB,aAAa,cAAc,iBAAiB;AAChE,SAAS,oBAAoB;AAC7B,SAAS,6BAA6B;AAG/B,MAAM,sBAAsB;AAAA,EACjC,YAAoB,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAExC,MAAM,YACJ,QACA,YACA,UACgD;AAChD,UAAM,WAAW,MAAM,KAAK,iBAAiB,OAAO,IAAI,WAAW,SAAS,UAAU,OAAO,cAAc;AAC3G,QAAI,UAAU;AACZ,YAAM,KAAK,mBAAmB,KAAK,IAAI,SAAS,MAAM,QAAQ,UAAU,WAAW,MAAM;AACzF,aAAO;AAAA,IACT;AAEA,QAAI,WAAW,kBAAkB,OAAO;AACtC,YAAM,IAAI,sBAAsB,qFAAgF;AAAA,IAClH;AAEA,UAAM,cAAc,WAAW,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,YAAY;AAChE,QAAI,CAAC,eAAe,CAAC,OAAO,eAAe,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,WAAW,GAAG;AACvF,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AAEA,UAAM,cAAc,OAAO,kBACvB,MAAM,KAAK,YAAY,QAAQ,YAAY,QAAQ,IACnD;AACJ,QAAI,aAAa;AACf,YAAM,KAAK,mBAAmB,KAAK,IAAI,YAAY,MAAM,QAAQ,UAAU,WAAW,MAAM;AAC5F,aAAO;AAAA,IACT;AAEA,QAAI,OAAO,YAAY;AACrB,YAAM,aAAa,MAAM,KAAK,GAAG,MAAM,WAAW,EAAE,aAAa,OAAO,IAAI,UAAU,KAAK,CAAC,IAAI;AAChG,UAAI,YAAY;AACd,cAAM,IAAI,MAAM,oEAAoE;AAAA,MACtF;AACA,aAAO,KAAK,aAAa,QAAQ,YAAY,QAAQ;AAAA,IACvD;AAEA,UAAM,IAAI,MAAM,yDAAyD;AAAA,EAC3E;AAAA,EAEA,MAAc,iBACZ,aACA,YACA,UACA,gBACuD;AACvD,UAAM,WAAW,MAAM;AAAA,MACrB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,aAAa,YAAY,WAAW,KAAK;AAAA,MAC3C,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA,EAAE,IAAI,SAAS,QAAQ,WAAW,KAAK;AAAA,MACvC,CAAC;AAAA,MACD,EAAE,UAAU,eAAe;AAAA,IAC7B;AACA,QAAI,CAAC,MAAM;AACT,eAAS,YAAY,oBAAI,KAAK;AAC9B,YAAM,KAAK,GAAG,MAAM;AACpB,aAAO;AAAA,IACT;AAEA,aAAS,cAAc,oBAAI,KAAK;AAChC,UAAM,KAAK,GAAG,MAAM;AAEpB,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,YACZ,QACA,YACA,UACuD;AACvD,UAAM,YAAY,iBAAiB,WAAW,KAAK;AACnD,UAAM,OAAO,MAAM;AAAA,MACjB,KAAK;AAAA,MACL;AAAA,MACA;AAAA,QACE,gBAAgB,OAAO;AAAA,QACvB,WAAW;AAAA,QACX,KAAK;AAAA,UACH,EAAE,OAAO,WAAW,MAAM;AAAA,UAC1B,EAAE,UAAU;AAAA,QACd;AAAA,MACF;AAAA,MACA,CAAC;AAAA,MACD,EAAE,UAAU,gBAAgB,OAAO,eAAe;AAAA,IACpD;AACA,QAAI,CAAC,KAAM,QAAO;AAElB,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,KAAK,GAAG,OAAO,aAAa;AAAA,MAC3C;AAAA,MACA,gBAAgB,OAAO;AAAA,MACvB,aAAa,OAAO;AAAA,MACpB,QAAQ,KAAK;AAAA,MACb,YAAY,WAAW;AAAA,MACvB,UAAU,WAAW;AAAA,MACrB,SAAS,WAAW,QAAQ;AAAA,MAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,MACjC,oBAAoB;AAAA,MACpB,cAAc;AAAA,MACd,aAAa;AAAA,MACb,WAAW;AAAA,MACX,WAAW;AAAA,IACb,CAAoC;AACpC,UAAM,KAAK,GAAG,QAAQ,QAAQ,EAAE,MAAM;AAEtC,SAAK,aAAa,uBAAuB;AAAA,MACvC,IAAI,SAAS;AAAA,MACb;AAAA,MACA,gBAAgB,OAAO;AAAA,IACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,WAAO,EAAE,MAAM,SAAS;AAAA,EAC1B;AAAA,EAEA,MAAc,aACZ,QACA,YACA,UACgD;AAChD,WAAO,KAAK,GAAG,cAAc,OAAO,SAAS;AAC3C,YAAM,OAAO,KAAK,OAAO,MAAM;AAAA,QAC7B;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,OAAO,WAAW;AAAA,QAClB,WAAW,iBAAiB,WAAW,KAAK;AAAA,QAC5C,MAAM,WAAW,QAAQ;AAAA,QACzB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW,oBAAI,KAAK;AAAA,MACtB,CAAC;AACD,YAAM,KAAK,QAAQ,IAAI,EAAE,MAAM;AAE/B,YAAM,KAAK,mBAAmB,MAAM,MAAM,QAAQ,UAAU,WAAW,MAAM;AAE7E,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,WAAW,KAAK,OAAO,aAAa;AAAA,QACxC;AAAA,QACA,gBAAgB,OAAO;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,QAAQ,KAAK;AAAA,QACb,YAAY,WAAW;AAAA,QACvB,UAAU,WAAW;AAAA,QACrB,SAAS,WAAW,QAAQ;AAAA,QAC5B,WAAW,WAAW,UAAU,CAAC;AAAA,QACjC,oBAAoB;AAAA,QACpB,cAAc;AAAA,QACd,aAAa;AAAA,QACb,WAAW;AAAA,QACX,WAAW;AAAA,MACb,CAAoC;AACpC,YAAM,KAAK,QAAQ,QAAQ,EAAE,MAAM;AAEnC,WAAK,aAAa,wBAAwB;AAAA,QACxC,IAAI,SAAS;AAAA,QACb;AAAA,QACA,gBAAgB,OAAO;AAAA,MACzB,CAAC,EAAE,MAAM,CAAC,MAAM,QAAQ,MAAM,eAAe,CAAC,CAAC;AAE/C,aAAO,EAAE,MAAM,SAAS;AAAA,IAC1B,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,mBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,cAAc,OAAO,mBAAmB,OAAO,KAAK,OAAO,eAAe,EAAE,SAAS;AAC3F,QAAI,CAAC,YAAa;AAElB,UAAM,KAAK,gBAAgB,IAAI,MAAM,QAAQ,UAAU,SAAS;AAEhE,UAAM,gBAAgB,MAAM,GAAG,QAAQ,cAAc;AAAA,MACnD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,wIAAmI;AAAA,IACrJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,gBACZ,IACA,MACA,QACA,UACA,WACe;AACf,UAAM,mBAAmB,YAAY,KAAK,YAAY;AACtD,QAAI,CAAC,iBAAkB;AAEvB,UAAM,WAAW,MAAM,GAAG,KAAK,MAAM,EAAE,UAAU,kBAAkB,WAAW,KAAK,CAAsB;AACzG,UAAM,uBAAuB,oBAAI,IAAkB;AACnD,eAAW,QAAQ,UAAU;AAC3B,YAAM,aAAa,eAAe,KAAK,IAAI;AAC3C,UAAI,WAAY,sBAAqB,IAAI,YAAY,IAAI;AAAA,IAC3D;AAGA,UAAM,mBAAmB,8BAA8B,WAAW,OAAO,eAAe;AACxF,UAAM,iBAAiB,oBAAI,IAAY;AACvC,eAAW,YAAY,kBAAkB;AACvC,YAAM,OAAO,qBAAqB,IAAI,QAAQ;AAC9C,UAAI,KAAM,gBAAe,IAAI,KAAK,EAAE;AAAA,IACtC;AAGA,UAAM,iBAAiB,MAAM,GAAG,KAAK,cAAc;AAAA,MACjD,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,IACtB,CAAC;AACD,UAAM,yBAAyB,IAAI,IAAI,eAAe,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AAG1E,UAAM,QAAQ,CAAC,GAAG,cAAc,EAAE,OAAO,CAAC,OAAO,CAAC,uBAAuB,IAAI,EAAE,CAAC;AAChF,UAAM,WAAW,eAAe,OAAO,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,MAAM,CAAC;AAG3E,eAAW,UAAU,OAAO;AAC1B,YAAM,OAAO,SAAS,KAAK,CAAC,MAAM,EAAE,OAAO,MAAM;AACjD,UAAI,CAAC,KAAM;AACX,YAAM,KAAK,eAAe,IAAI,MAAM,IAAI;AACxC,YAAM,QAAQ,GAAG,OAAO,cAAc;AAAA,QACpC,UAAU;AAAA,QACV,gBAAgB,OAAO;AAAA,QACvB,QAAQ,KAAK;AAAA,QACb;AAAA,QACA,aAAa,OAAO;AAAA,MACtB,CAAqC;AACrC,SAAG,QAAQ,KAAK;AAAA,IAClB;AAGA,eAAW,SAAS,UAAU;AAC5B,YAAM,WAAW,MAAM,GAAG,QAAQ,UAAU;AAAA,QAC1C,MAAM,KAAK;AAAA,QACX,MAAM,MAAM;AAAA,QACZ,WAAW;AAAA,MACb,CAA0B;AAC1B,UAAI,UAAU;AACZ,WAAG,OAAO,QAAQ;AAAA,MACpB;AACA,SAAG,OAAO,KAAK;AAAA,IACjB;AAGA,UAAM,eAAe,MAAM,GAAG,KAAK,UAAU,EAAE,MAAM,KAAK,GAAG,CAA0B;AACvF,eAAW,MAAM,cAAc;AAC7B,UAAI,GAAG,WAAW;AAChB,WAAG,OAAO,EAAE;AAAA,MACd;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,KAAK,SAAS,SAAS,KAAK,aAAa,KAAK,CAAC,OAAO,GAAG,SAAS,GAAG;AACtF,YAAM,GAAG,MAAM;AAAA,IACjB;AAAA,EACF;AAAA,EAEA,MAAc,eAAe,IAAmB,MAAY,MAA2B;AACrF,UAAM,eAAe,MAAM,GAAG,QAAQ,UAAU;AAAA,MAC9C,MAAM,KAAK;AAAA,MACX,MAAM,KAAK;AAAA,MACX,WAAW;AAAA,IACb,CAA0B;AAC1B,QAAI,aAAc;AAElB,UAAM,WAAW,GAAG,OAAO,UAAU,EAAE,MAAM,MAAM,WAAW,oBAAI,KAAK,EAAE,CAAC;AAC1E,UAAM,GAAG,QAAQ,QAAQ,EAAE,MAAM;AAAA,EACnC;AACF;AAEA,SAAS,8BACP,WACA,gBACU;AACV,MAAI,CAAC,MAAM,QAAQ,SAAS,KAAK,UAAU,WAAW,EAAG,QAAO,CAAC;AAEjE,QAAM,mBAAmB,UACtB,IAAI,CAAC,UAAU,eAAe,KAAK,CAAC,EACpC,OAAO,CAAC,UAA2B,UAAU,IAAI;AACpD,MAAI,iBAAiB,WAAW,EAAG,QAAO,CAAC;AAE3C,QAAM,iBAAiB,mBAAmB,cAAc;AACxD,QAAM,YAAY,oBAAI,IAAY;AAElC,aAAW,SAAS,kBAAkB;AACpC,UAAM,SAAS,eAAe,IAAI,KAAK;AACvC,QAAI,QAAQ,QAAQ;AAClB,iBAAW,QAAQ,OAAQ,WAAU,IAAI,IAAI;AAC7C;AAAA,IACF;AAEA,cAAU,IAAI,KAAK;AACnB,UAAM,YAAY,MAAM,MAAM,QAAQ,EAAE,IAAI,CAAC,SAAS,eAAe,IAAI,CAAC,EAAE,OAAO,CAAC,SAAyB,SAAS,IAAI;AAC1H,eAAW,aAAa,WAAW;AACjC,gBAAU,IAAI,SAAS;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,MAAM,KAAK,SAAS;AAC7B;AAEA,SAAS,mBAAmB,gBAAgE;AAC1F,QAAM,cAAc,6BAA6B;AAGjD,MAAI,kBAAkB,OAAO,KAAK,cAAc,EAAE,SAAS,GAAG;AAC5D,eAAW,CAAC,OAAO,QAAQ,KAAK,OAAO,QAAQ,cAAc,GAAG;AAC9D,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,iBAAiB,eAAe,QAAQ;AAC9C,UAAI,CAAC,eAAgB;AACrB,kBAAY,IAAI,iBAAiB,CAAC,cAAc,CAAC;AAAA,IACnD;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,+BAAsD;AAC7D,QAAM,MAAM,QAAQ,IAAI;AACxB,MAAI,CAAC,IAAK,QAAO,oBAAI,IAAI;AAEzB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,UAAM,MAAM,oBAAI,IAAsB;AACtC,eAAW,CAAC,OAAO,SAAS,KAAK,OAAO,QAAQ,MAAM,GAAG;AACvD,YAAM,kBAAkB,eAAe,KAAK;AAC5C,UAAI,CAAC,gBAAiB;AACtB,YAAM,QAAQ,kBAAkB,SAAS;AACzC,UAAI,MAAM,SAAS,EAAG,KAAI,IAAI,iBAAiB,KAAK;AAAA,IACtD;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO,oBAAI,IAAI;AAAA,EACjB;AACF;AAEA,SAAS,kBAAkB,OAA0B;AACnD,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,eAAe,KAAK;AAClC,WAAO,QAAQ,CAAC,KAAK,IAAI,CAAC;AAAA,EAC5B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,UAAM,MAAM,oBAAI,IAAY;AAC5B,eAAW,SAAS,OAAO;AACzB,YAAM,QAAQ,eAAe,KAAK;AAClC,UAAI,MAAO,KAAI,IAAI,KAAK;AAAA,IAC1B;AACA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAEA,SAAO,CAAC;AACV;AAEA,SAAS,eAAe,OAA+B;AACrD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAM,aAAa,MAAM,KAAK,EAAE,YAAY;AAC5C,SAAO,WAAW,SAAS,IAAI,aAAa;AAC9C;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/enterprise",
-  "version": "0.6.4-develop.4371.1.8f3030407e",
+  "version": "0.6.4",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -64,8 +64,8 @@
     }
   },
   "dependencies": {
-    "@open-mercato/core": "0.6.4-develop.4371.1.8f3030407e",
-    "@open-mercato/ui": "0.6.4-develop.4371.1.8f3030407e",
+    "@open-mercato/core": "0.6.4",
+    "@open-mercato/ui": "0.6.4",
     "@simplewebauthn/browser": "^13.3.0",
     "@simplewebauthn/server": "^13.3.1",
     "@simplewebauthn/types": "^12.0.0",
@@ -75,14 +75,14 @@
     "qrcode": "^1.5.4"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.6.4-develop.4371.1.8f3030407e",
+    "@open-mercato/shared": "0.6.4",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },
   "devDependencies": {
-    "@open-mercato/shared": "0.6.4-develop.4371.1.8f3030407e",
+    "@open-mercato/shared": "0.6.4",
     "@types/jest": "^30.0.0",
-    "@types/react": "^19.2.16",
+    "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
     "jest": "^30.4.2",
     "react": "19.2.7",
@@ -96,6 +96,5 @@
     "type": "git",
     "url": "https://github.com/open-mercato/open-mercato",
     "directory": "packages/enterprise"
-  },
-  "stableVersion": "0.6.3"
+  }
 }

package/src/modules/record_locks/widgets/injection/record-locking/widget.client.tsx

@@ -1226,7 +1226,7 @@ export default function RecordLockingWidget({
       }
       setIsConflictDialogOpen(false)
     }}>
-      <DialogContent>
+      <DialogContent data-testid="record-lock-conflict-dialog">
         <DialogHeader>
           <DialogTitle>
             {isRecordDeleted

package/src/modules/security/api/enforcement/[id]/route.ts

@@ -2,14 +2,48 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import type { CommandBus } from '@open-mercato/shared/lib/commands'
 import { updateEnforcementPolicySchema } from '../../../data/validators'
+import { EnforcementScope } from '../../../data/entities'
+import type { MfaEnforcementPolicy } from '../../../data/entities'
+import type { UpdateEnforcementPolicyInput } from '../../../data/validators'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../openapi'
 import { securityApiError } from '../../i18n'
-import { mapEnforcementError, resolveEnforcementContext } from '../_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  mapEnforcementError,
+  resolveEnforcementContext,
+  type EnforcementRequestContext,
+} from '../_shared'
 
 const paramsSchema = z.object({
   id: z.string().uuid(),
 })
 
+function scopeIdFromPolicy(policy: {
+  scope: EnforcementScope
+  tenantId?: string | null
+  organizationId?: string | null
+}): string | null {
+  if (policy.scope === EnforcementScope.TENANT) {
+    return policy.tenantId ?? null
+  }
+  if (policy.scope === EnforcementScope.ORGANISATION) {
+    if (!policy.tenantId || !policy.organizationId) return null
+    return `${policy.tenantId}:${policy.organizationId}`
+  }
+  return null
+}
+
+async function assertActorOwnsRequestedPolicyScope(
+  context: EnforcementRequestContext,
+  current: MfaEnforcementPolicy,
+  data: UpdateEnforcementPolicyInput,
+): Promise<void> {
+  const scope = data.scope ?? current.scope
+  const tenantId = data.tenantId ?? current.tenantId ?? null
+  const organizationId = data.organizationId ?? current.organizationId ?? null
+  await assertActorOwnsEnforcementScope(context, scope, scopeIdFromPolicy({ scope, tenantId, organizationId }))
+}
+
 const okResponseSchema = z.object({
   ok: z.literal(true),
 })
@@ -41,6 +75,13 @@ export async function PUT(req: Request, context: { params: Promise<{ id: string
   }
 
   try {
+    const policy = await requestContext.enforcementService.getPolicyById(params.data.id)
+    if (!policy) {
+      return securityApiError(404, 'Enforcement policy not found')
+    }
+    await assertActorOwnsEnforcementScope(requestContext, policy.scope, scopeIdFromPolicy(policy))
+    await assertActorOwnsRequestedPolicyScope(requestContext, policy, parsedBody.data)
+
     const commandBus = requestContext.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.update', {
       input: {
@@ -65,6 +106,12 @@ export async function DELETE(req: Request, context: { params: Promise<{ id: stri
   }
 
   try {
+    const policy = await requestContext.enforcementService.getPolicyById(params.data.id)
+    if (!policy) {
+      return securityApiError(404, 'Enforcement policy not found')
+    }
+    await assertActorOwnsEnforcementScope(requestContext, policy.scope, scopeIdFromPolicy(policy))
+
     const commandBus = requestContext.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.delete', {
       input: { id: params.data.id },
@@ -92,6 +139,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid input', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 404, description: 'Policy not found', schema: securityErrorSchema },
         { status: 409, description: 'Conflict', schema: securityErrorSchema },
       ],
@@ -105,6 +153,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid policy id', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 404, description: 'Policy not found', schema: securityErrorSchema },
       ],
     },

package/src/modules/security/api/enforcement/_shared.ts

@@ -2,16 +2,23 @@ import { NextResponse } from 'next/server'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
 import { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'
-import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
-import type { MfaEnforcementPolicy } from '../../data/entities'
+import { enforceTenantSelection, resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { EnforcementScope, type MfaEnforcementPolicy } from '../../data/entities'
 import type { MfaEnforcementServiceError, MfaEnforcementService } from '../../services/MfaEnforcementService'
 import { localizeSecurityApiBody, securityApiError } from '../i18n'
 
 type RequestContainer = Awaited<ReturnType<typeof createRequestContainer>>
 type Auth = NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>
 
+export type EnforcementActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
+
 export type EnforcementRequestContext = {
   auth: Auth
   container: RequestContainer
@@ -41,6 +48,80 @@ export async function resolveEnforcementContext(req: Request): Promise<Enforceme
   }
 }
 
+function normalizeNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null
+}
+
+function normalizeOrganizationList(values: unknown): string[] | null {
+  if (values === null || values === undefined) return null
+  if (!Array.isArray(values)) return null
+  const result: string[] = []
+  for (const value of values) {
+    if (typeof value !== 'string') continue
+    const trimmed = value.trim()
+    if (trimmed) result.push(trimmed)
+  }
+  return result
+}
+
+export async function resolveActorContext(ctx: EnforcementRequestContext): Promise<EnforcementActorContext> {
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  return {
+    tenantId: normalizeNullableString(ctx.auth.tenantId),
+    isSuperAdmin,
+  }
+}
+
+async function assertActorOwnsOrganization(
+  ctx: EnforcementRequestContext,
+  organizationId: string,
+): Promise<void> {
+  const rbacService = ctx.container.resolve<RbacService>('rbacService')
+  const acl = await rbacService.loadAcl(ctx.auth.sub, {
+    tenantId: normalizeNullableString(ctx.auth.tenantId),
+    organizationId: normalizeNullableString(ctx.auth.orgId),
+  })
+  const organizations = normalizeOrganizationList(acl?.organizations)
+  if (organizations === null || organizations.includes('__all__')) return
+  if (!organizations.includes(organizationId)) {
+    throw forbidden('Not authorized to target this organization.')
+  }
+}
+
+export async function assertActorOwnsEnforcementScope(
+  ctx: EnforcementRequestContext,
+  scope: EnforcementScope,
+  scopeId: string | null | undefined,
+): Promise<void> {
+  if (scope === EnforcementScope.PLATFORM) {
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+    if (!isSuperAdmin) {
+      throw forbidden('Platform scope requires platform administrator privileges.')
+    }
+    return
+  }
+
+  if (scope === EnforcementScope.TENANT) {
+    await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, scopeId)
+    return
+  }
+
+  const normalizedScopeId = normalizeNullableString(scopeId)
+  if (!normalizedScopeId) {
+    throw new CrudHttpError(400, { error: "organisation scopeId must use '<tenantId>:<organizationId>' format" })
+  }
+  const [tenantId, organizationId] = normalizedScopeId.split(':')
+  if (!tenantId || !organizationId) {
+    throw new CrudHttpError(400, { error: "organisation scopeId must use '<tenantId>:<organizationId>' format" })
+  }
+
+  await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, tenantId)
+
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  if (isSuperAdmin) return
+  await assertActorOwnsOrganization(ctx, organizationId)
+}
+
 export async function mapEnforcementError(error: unknown): Promise<NextResponse> {
   if (error instanceof CrudHttpError) {
     return NextResponse.json(await localizeSecurityApiBody(error.body), { status: error.status })

package/src/modules/security/api/enforcement/compliance/route.ts

@@ -3,7 +3,12 @@ import { z } from 'zod'
 import { EnforcementScope } from '../../../data/entities'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../openapi'
 import { securityApiError } from '../../i18n'
-import { mapEnforcementError, resolveEnforcementContext } from '../_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  mapEnforcementError,
+  resolveActorContext,
+  resolveEnforcementContext,
+} from '../_shared'
 
 const complianceQuerySchema = z.object({
   scope: z.nativeEnum(EnforcementScope).default(EnforcementScope.PLATFORM),
@@ -37,9 +42,12 @@ export async function GET(req: Request) {
   }
 
   try {
+    await assertActorOwnsEnforcementScope(context, parsedQuery.data.scope, parsedQuery.data.scopeId)
+    const actor = await resolveActorContext(context)
     const report = await context.enforcementService.getComplianceReport(
       parsedQuery.data.scope,
       parsedQuery.data.scopeId,
+      actor,
     )
     return NextResponse.json({
       scope: parsedQuery.data.scope,
@@ -63,6 +71,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid query parameters', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
       ],
     },
   },

package/src/modules/security/api/enforcement/route.ts

@@ -5,7 +5,13 @@ import { enforcementPolicySchema } from '../../data/validators'
 import { EnforcementScope } from '../../data/entities'
 import { buildSecurityOpenApi, securityErrorSchema } from '../openapi'
 import { securityApiError } from '../i18n'
-import { attachPolicyScopeNames, mapEnforcementError, resolveEnforcementContext } from './_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  attachPolicyScopeNames,
+  mapEnforcementError,
+  resolveActorContext,
+  resolveEnforcementContext,
+} from './_shared'
 
 const enforcementPolicyResponseSchema = z.object({
   id: z.string().uuid(),
@@ -52,7 +58,8 @@ export async function GET(req: Request) {
       return securityApiError(400, 'Invalid query parameters', { issues: parsedQuery.error.issues })
     }
 
-    const policies = await context.enforcementService.listPolicies(parsedQuery.data)
+    const actor = await resolveActorContext(context)
+    const policies = await context.enforcementService.listPolicies(parsedQuery.data, actor)
     return NextResponse.json({
       items: await attachPolicyScopeNames(context.container, policies),
     })
@@ -78,6 +85,11 @@ export async function POST(req: Request) {
   }
 
   try {
+    await assertActorOwnsEnforcementScope(
+      context,
+      parsedBody.data.scope,
+      scopeIdFromPolicyInput(parsedBody.data),
+    )
     const commandBus = context.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.create', {
       input: parsedBody.data,
@@ -89,6 +101,21 @@ export async function POST(req: Request) {
   }
 }
 
+function scopeIdFromPolicyInput(data: {
+  scope: EnforcementScope
+  tenantId?: string | null
+  organizationId?: string | null
+}): string | null {
+  if (data.scope === EnforcementScope.TENANT) {
+    return data.tenantId ?? null
+  }
+  if (data.scope === EnforcementScope.ORGANISATION) {
+    if (!data.tenantId || !data.organizationId) return null
+    return `${data.tenantId}:${data.organizationId}`
+  }
+  return null
+}
+
 export const openApi = buildSecurityOpenApi({
   summary: 'Enforcement policy routes',
   methods: {
@@ -115,6 +142,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid payload', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 409, description: 'Conflict', schema: securityErrorSchema },
       ],
     },

package/src/modules/security/api/mfa/prepare/route.ts

@@ -15,7 +15,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 20, duration: 60, keyPrefix: 'security_mfa_prepare' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/mfa/recovery/route.ts

@@ -15,7 +15,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 10, duration: 60, keyPrefix: 'security_mfa_recovery' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/mfa/verify/route.ts

@@ -17,7 +17,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 10, duration: 60, keyPrefix: 'security_mfa_verify' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/users/[id]/mfa/reset/route.ts

@@ -3,7 +3,11 @@ import { z } from 'zod'
 import type { CommandBus } from '@open-mercato/shared/lib/commands'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../../openapi'
 import { securityApiError } from '../../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../../_shared'
+import {
+  assertActorCanAccessSecurityUserTarget,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../../_shared'
 import { requireSudo } from '../../../../../lib/sudo-middleware'
 
 const paramsSchema = z.object({
@@ -44,6 +48,7 @@ export async function POST(req: Request, routeContext: { params: Promise<{ id: s
   }
 
   try {
+    await assertActorCanAccessSecurityUserTarget(context, parsedParams.data.id)
     await requireSudo(req, 'security.admin.mfa.reset')
     const commandBus = context.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.admin.mfa.reset', {

package/src/modules/security/api/users/[id]/mfa/status/route.ts

@@ -2,7 +2,12 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../../openapi'
 import { securityApiError } from '../../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../../_shared'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import {
+  assertActorCanAccessSecurityUserTarget,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../../_shared'
 
 const paramsSchema = z.object({
   id: z.string().uuid(),
@@ -35,7 +40,12 @@ export async function GET(req: Request, routeContext: { params: Promise<{ id: st
   }
 
   try {
-    const status = await context.mfaAdminService.getUserMfaStatus(parsedParams.data.id)
+    await assertActorCanAccessSecurityUserTarget(context, parsedParams.data.id)
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: context.auth, container: context.container })
+    const status = await context.mfaAdminService.getUserMfaStatus(parsedParams.data.id, {
+      tenantId: context.auth.tenantId ?? null,
+      isSuperAdmin,
+    })
     return NextResponse.json({
       ...status,
       methods: status.methods.map((method) => ({
@@ -60,6 +70,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid user id', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized to access this user', schema: securityErrorSchema },
         { status: 404, description: 'User not found', schema: securityErrorSchema },
       ],
     },