@open-mercato/enterprise 0.6.5-develop.4882.1.901c3aa813 → 0.6.5-develop.5033.1.c970204a3f

package/src/modules/security/api/enforcement/[id]/route.ts

@@ -2,14 +2,48 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import type { CommandBus } from '@open-mercato/shared/lib/commands'
 import { updateEnforcementPolicySchema } from '../../../data/validators'
+import { EnforcementScope } from '../../../data/entities'
+import type { MfaEnforcementPolicy } from '../../../data/entities'
+import type { UpdateEnforcementPolicyInput } from '../../../data/validators'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../openapi'
 import { securityApiError } from '../../i18n'
-import { mapEnforcementError, resolveEnforcementContext } from '../_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  mapEnforcementError,
+  resolveEnforcementContext,
+  type EnforcementRequestContext,
+} from '../_shared'
 
 const paramsSchema = z.object({
   id: z.string().uuid(),
 })
 
+function scopeIdFromPolicy(policy: {
+  scope: EnforcementScope
+  tenantId?: string | null
+  organizationId?: string | null
+}): string | null {
+  if (policy.scope === EnforcementScope.TENANT) {
+    return policy.tenantId ?? null
+  }
+  if (policy.scope === EnforcementScope.ORGANISATION) {
+    if (!policy.tenantId || !policy.organizationId) return null
+    return `${policy.tenantId}:${policy.organizationId}`
+  }
+  return null
+}
+
+async function assertActorOwnsRequestedPolicyScope(
+  context: EnforcementRequestContext,
+  current: MfaEnforcementPolicy,
+  data: UpdateEnforcementPolicyInput,
+): Promise<void> {
+  const scope = data.scope ?? current.scope
+  const tenantId = data.tenantId ?? current.tenantId ?? null
+  const organizationId = data.organizationId ?? current.organizationId ?? null
+  await assertActorOwnsEnforcementScope(context, scope, scopeIdFromPolicy({ scope, tenantId, organizationId }))
+}
+
 const okResponseSchema = z.object({
   ok: z.literal(true),
 })
@@ -41,6 +75,13 @@ export async function PUT(req: Request, context: { params: Promise<{ id: string
   }
 
   try {
+    const policy = await requestContext.enforcementService.getPolicyById(params.data.id)
+    if (!policy) {
+      return securityApiError(404, 'Enforcement policy not found')
+    }
+    await assertActorOwnsEnforcementScope(requestContext, policy.scope, scopeIdFromPolicy(policy))
+    await assertActorOwnsRequestedPolicyScope(requestContext, policy, parsedBody.data)
+
     const commandBus = requestContext.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.update', {
       input: {
@@ -65,6 +106,12 @@ export async function DELETE(req: Request, context: { params: Promise<{ id: stri
   }
 
   try {
+    const policy = await requestContext.enforcementService.getPolicyById(params.data.id)
+    if (!policy) {
+      return securityApiError(404, 'Enforcement policy not found')
+    }
+    await assertActorOwnsEnforcementScope(requestContext, policy.scope, scopeIdFromPolicy(policy))
+
     const commandBus = requestContext.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.delete', {
       input: { id: params.data.id },
@@ -92,6 +139,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid input', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 404, description: 'Policy not found', schema: securityErrorSchema },
         { status: 409, description: 'Conflict', schema: securityErrorSchema },
       ],
@@ -105,6 +153,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid policy id', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 404, description: 'Policy not found', schema: securityErrorSchema },
       ],
     },

package/src/modules/security/api/enforcement/_shared.ts

@@ -2,16 +2,23 @@ import { NextResponse } from 'next/server'
 import type { EntityManager } from '@mikro-orm/postgresql'
 import type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
 import { Organization, Tenant } from '@open-mercato/core/modules/directory/data/entities'
-import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
-import type { MfaEnforcementPolicy } from '../../data/entities'
+import { enforceTenantSelection, resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
+import { EnforcementScope, type MfaEnforcementPolicy } from '../../data/entities'
 import type { MfaEnforcementServiceError, MfaEnforcementService } from '../../services/MfaEnforcementService'
 import { localizeSecurityApiBody, securityApiError } from '../i18n'
 
 type RequestContainer = Awaited<ReturnType<typeof createRequestContainer>>
 type Auth = NonNullable<Awaited<ReturnType<typeof getAuthFromRequest>>>
 
+export type EnforcementActorContext = {
+  tenantId: string | null
+  isSuperAdmin: boolean
+}
+
 export type EnforcementRequestContext = {
   auth: Auth
   container: RequestContainer
@@ -41,6 +48,80 @@ export async function resolveEnforcementContext(req: Request): Promise<Enforceme
   }
 }
 
+function normalizeNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null
+}
+
+function normalizeOrganizationList(values: unknown): string[] | null {
+  if (values === null || values === undefined) return null
+  if (!Array.isArray(values)) return null
+  const result: string[] = []
+  for (const value of values) {
+    if (typeof value !== 'string') continue
+    const trimmed = value.trim()
+    if (trimmed) result.push(trimmed)
+  }
+  return result
+}
+
+export async function resolveActorContext(ctx: EnforcementRequestContext): Promise<EnforcementActorContext> {
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  return {
+    tenantId: normalizeNullableString(ctx.auth.tenantId),
+    isSuperAdmin,
+  }
+}
+
+async function assertActorOwnsOrganization(
+  ctx: EnforcementRequestContext,
+  organizationId: string,
+): Promise<void> {
+  const rbacService = ctx.container.resolve<RbacService>('rbacService')
+  const acl = await rbacService.loadAcl(ctx.auth.sub, {
+    tenantId: normalizeNullableString(ctx.auth.tenantId),
+    organizationId: normalizeNullableString(ctx.auth.orgId),
+  })
+  const organizations = normalizeOrganizationList(acl?.organizations)
+  if (organizations === null || organizations.includes('__all__')) return
+  if (!organizations.includes(organizationId)) {
+    throw forbidden('Not authorized to target this organization.')
+  }
+}
+
+export async function assertActorOwnsEnforcementScope(
+  ctx: EnforcementRequestContext,
+  scope: EnforcementScope,
+  scopeId: string | null | undefined,
+): Promise<void> {
+  if (scope === EnforcementScope.PLATFORM) {
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+    if (!isSuperAdmin) {
+      throw forbidden('Platform scope requires platform administrator privileges.')
+    }
+    return
+  }
+
+  if (scope === EnforcementScope.TENANT) {
+    await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, scopeId)
+    return
+  }
+
+  const normalizedScopeId = normalizeNullableString(scopeId)
+  if (!normalizedScopeId) {
+    throw new CrudHttpError(400, { error: "organisation scopeId must use '<tenantId>:<organizationId>' format" })
+  }
+  const [tenantId, organizationId] = normalizedScopeId.split(':')
+  if (!tenantId || !organizationId) {
+    throw new CrudHttpError(400, { error: "organisation scopeId must use '<tenantId>:<organizationId>' format" })
+  }
+
+  await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, tenantId)
+
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  if (isSuperAdmin) return
+  await assertActorOwnsOrganization(ctx, organizationId)
+}
+
 export async function mapEnforcementError(error: unknown): Promise<NextResponse> {
   if (error instanceof CrudHttpError) {
     return NextResponse.json(await localizeSecurityApiBody(error.body), { status: error.status })

package/src/modules/security/api/enforcement/compliance/route.ts

@@ -3,7 +3,12 @@ import { z } from 'zod'
 import { EnforcementScope } from '../../../data/entities'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../openapi'
 import { securityApiError } from '../../i18n'
-import { mapEnforcementError, resolveEnforcementContext } from '../_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  mapEnforcementError,
+  resolveActorContext,
+  resolveEnforcementContext,
+} from '../_shared'
 
 const complianceQuerySchema = z.object({
   scope: z.nativeEnum(EnforcementScope).default(EnforcementScope.PLATFORM),
@@ -37,9 +42,12 @@ export async function GET(req: Request) {
   }
 
   try {
+    await assertActorOwnsEnforcementScope(context, parsedQuery.data.scope, parsedQuery.data.scopeId)
+    const actor = await resolveActorContext(context)
     const report = await context.enforcementService.getComplianceReport(
       parsedQuery.data.scope,
       parsedQuery.data.scopeId,
+      actor,
     )
     return NextResponse.json({
       scope: parsedQuery.data.scope,
@@ -63,6 +71,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid query parameters', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
       ],
     },
   },

package/src/modules/security/api/enforcement/route.ts

@@ -5,7 +5,13 @@ import { enforcementPolicySchema } from '../../data/validators'
 import { EnforcementScope } from '../../data/entities'
 import { buildSecurityOpenApi, securityErrorSchema } from '../openapi'
 import { securityApiError } from '../i18n'
-import { attachPolicyScopeNames, mapEnforcementError, resolveEnforcementContext } from './_shared'
+import {
+  assertActorOwnsEnforcementScope,
+  attachPolicyScopeNames,
+  mapEnforcementError,
+  resolveActorContext,
+  resolveEnforcementContext,
+} from './_shared'
 
 const enforcementPolicyResponseSchema = z.object({
   id: z.string().uuid(),
@@ -52,7 +58,8 @@ export async function GET(req: Request) {
       return securityApiError(400, 'Invalid query parameters', { issues: parsedQuery.error.issues })
     }
 
-    const policies = await context.enforcementService.listPolicies(parsedQuery.data)
+    const actor = await resolveActorContext(context)
+    const policies = await context.enforcementService.listPolicies(parsedQuery.data, actor)
     return NextResponse.json({
       items: await attachPolicyScopeNames(context.container, policies),
     })
@@ -78,6 +85,11 @@ export async function POST(req: Request) {
   }
 
   try {
+    await assertActorOwnsEnforcementScope(
+      context,
+      parsedBody.data.scope,
+      scopeIdFromPolicyInput(parsedBody.data),
+    )
     const commandBus = context.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.enforcement.create', {
       input: parsedBody.data,
@@ -89,6 +101,21 @@ export async function POST(req: Request) {
   }
 }
 
+function scopeIdFromPolicyInput(data: {
+  scope: EnforcementScope
+  tenantId?: string | null
+  organizationId?: string | null
+}): string | null {
+  if (data.scope === EnforcementScope.TENANT) {
+    return data.tenantId ?? null
+  }
+  if (data.scope === EnforcementScope.ORGANISATION) {
+    if (!data.tenantId || !data.organizationId) return null
+    return `${data.tenantId}:${data.organizationId}`
+  }
+  return null
+}
+
 export const openApi = buildSecurityOpenApi({
   summary: 'Enforcement policy routes',
   methods: {
@@ -115,6 +142,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid payload', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested scope', schema: securityErrorSchema },
         { status: 409, description: 'Conflict', schema: securityErrorSchema },
       ],
     },

package/src/modules/security/api/mfa/prepare/route.ts

@@ -15,7 +15,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 20, duration: 60, keyPrefix: 'security_mfa_prepare' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/mfa/recovery/route.ts

@@ -15,7 +15,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 10, duration: 60, keyPrefix: 'security_mfa_recovery' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/mfa/verify/route.ts

@@ -17,7 +17,7 @@ const responseSchema = z.object({
 })
 
 export const metadata = {
-  POST: { requireAuth: true },
+  POST: { requireAuth: true, rateLimit: { points: 10, duration: 60, keyPrefix: 'security_mfa_verify' } },
 }
 
 export async function POST(req: Request) {

package/src/modules/security/api/users/[id]/mfa/reset/route.ts

@@ -3,7 +3,11 @@ import { z } from 'zod'
 import type { CommandBus } from '@open-mercato/shared/lib/commands'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../../openapi'
 import { securityApiError } from '../../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../../_shared'
+import {
+  assertActorCanAccessSecurityUserTarget,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../../_shared'
 import { requireSudo } from '../../../../../lib/sudo-middleware'
 
 const paramsSchema = z.object({
@@ -44,6 +48,7 @@ export async function POST(req: Request, routeContext: { params: Promise<{ id: s
   }
 
   try {
+    await assertActorCanAccessSecurityUserTarget(context, parsedParams.data.id)
     await requireSudo(req, 'security.admin.mfa.reset')
     const commandBus = context.container.resolve<CommandBus>('commandBus')
     const { result } = await commandBus.execute('security.admin.mfa.reset', {

package/src/modules/security/api/users/[id]/mfa/status/route.ts

@@ -2,7 +2,12 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../../openapi'
 import { securityApiError } from '../../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../../_shared'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import {
+  assertActorCanAccessSecurityUserTarget,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../../_shared'
 
 const paramsSchema = z.object({
   id: z.string().uuid(),
@@ -35,7 +40,12 @@ export async function GET(req: Request, routeContext: { params: Promise<{ id: st
   }
 
   try {
-    const status = await context.mfaAdminService.getUserMfaStatus(parsedParams.data.id)
+    await assertActorCanAccessSecurityUserTarget(context, parsedParams.data.id)
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: context.auth, container: context.container })
+    const status = await context.mfaAdminService.getUserMfaStatus(parsedParams.data.id, {
+      tenantId: context.auth.tenantId ?? null,
+      isSuperAdmin,
+    })
     return NextResponse.json({
       ...status,
       methods: status.methods.map((method) => ({
@@ -60,6 +70,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid user id', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized to access this user', schema: securityErrorSchema },
         { status: 404, description: 'User not found', schema: securityErrorSchema },
       ],
     },

package/src/modules/security/api/users/_shared.ts

@@ -1,8 +1,13 @@
 import { NextResponse } from 'next/server'
-import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import type { EntityManager, FilterQuery } from '@mikro-orm/postgresql'
+import { CrudHttpError, forbidden } from '@open-mercato/shared/lib/crud/errors'
 import type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
+import { findOneWithDecryption } from '@open-mercato/shared/lib/encryption/find'
+import { enforceTenantSelection, resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import { User } from '@open-mercato/core/modules/auth/data/entities'
+import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import { isSudoRequiredError } from '../../lib/sudo-middleware'
 import type { MfaAdminService, MfaAdminServiceError } from '../../services/MfaAdminService'
 import { localizeSecurityApiBody, securityApiError } from '../i18n'
@@ -41,6 +46,69 @@ export async function resolveSecurityUsersContext(
   }
 }
 
+function normalizeNullableString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null
+}
+
+function normalizeOrganizationList(values: unknown): string[] | null {
+  if (values === null || values === undefined) return null
+  if (!Array.isArray(values)) return null
+  const result: string[] = []
+  for (const value of values) {
+    if (typeof value !== 'string') continue
+    const trimmed = value.trim()
+    if (trimmed) result.push(trimmed)
+  }
+  return result
+}
+
+export async function assertActorCanAccessSecurityUserTarget(
+  ctx: SecurityUsersRequestContext,
+  targetUserId: string,
+): Promise<void> {
+  const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
+  if (isSuperAdmin) return
+
+  const em = ctx.container.resolve<EntityManager>('em')
+  const target = await findOneWithDecryption(
+    em,
+    User,
+    { id: targetUserId, deletedAt: null } as FilterQuery<User>,
+    {},
+    { tenantId: null, organizationId: null },
+  )
+  if (!target) {
+    throw new CrudHttpError(404, { error: 'User not found' })
+  }
+
+  const actorTenantId = normalizeNullableString(ctx.auth.tenantId)
+  const targetTenantId = normalizeNullableString((target as { tenantId?: string | null }).tenantId)
+  if (!targetTenantId || targetTenantId !== actorTenantId) {
+    throw new CrudHttpError(404, { error: 'User not found' })
+  }
+
+  const rbacService = ctx.container.resolve<RbacService>('rbacService')
+  const acl = await rbacService.loadAcl(ctx.auth.sub, {
+    tenantId: actorTenantId,
+    organizationId: normalizeNullableString(ctx.auth.orgId),
+  })
+  const organizations = normalizeOrganizationList(acl?.organizations)
+  if (organizations !== null && !organizations.includes('__all__')) {
+    const targetOrganizationId = normalizeNullableString((target as { organizationId?: string | null }).organizationId)
+    if (!targetOrganizationId || !organizations.includes(targetOrganizationId)) {
+      throw forbidden('Not authorized to access this user.')
+    }
+  }
+}
+
+export async function assertActorOwnsTenantScope(
+  ctx: SecurityUsersRequestContext,
+  requestedTenantId: string | null | undefined,
+): Promise<string | null> {
+  const resolved = await enforceTenantSelection({ auth: ctx.auth, container: ctx.container }, requestedTenantId)
+  return resolved ?? ctx.auth.tenantId ?? null
+}
+
 export async function mapSecurityUsersError(error: unknown): Promise<NextResponse> {
   if (error instanceof CrudHttpError) {
     return NextResponse.json(await localizeSecurityApiBody(error.body), { status: error.status })

package/src/modules/security/api/users/mfa/compliance/route.ts

@@ -2,7 +2,12 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { buildSecurityOpenApi, securityErrorSchema } from '../../../openapi'
 import { securityApiError } from '../../../i18n'
-import { mapSecurityUsersError, resolveSecurityUsersContext } from '../../_shared'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
+import {
+  assertActorOwnsTenantScope,
+  mapSecurityUsersError,
+  resolveSecurityUsersContext,
+} from '../../_shared'
 
 const querySchema = z.object({
   tenantId: z.string().uuid().optional(),
@@ -37,13 +42,16 @@ export async function GET(req: Request) {
     return securityApiError(400, 'Invalid query parameters', { issues: parsedQuery.error.issues })
   }
 
-  const tenantId = parsedQuery.data.tenantId ?? context.auth.tenantId ?? null
-  if (!tenantId) {
-    return securityApiError(400, 'Tenant context is required.')
-  }
-
   try {
-    const items = await context.mfaAdminService.bulkComplianceCheck(tenantId)
+    const tenantId = await assertActorOwnsTenantScope(context, parsedQuery.data.tenantId)
+    if (!tenantId) {
+      return securityApiError(400, 'Tenant context is required.')
+    }
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: context.auth, container: context.container })
+    const items = await context.mfaAdminService.bulkComplianceCheck(tenantId, {
+      tenantId: context.auth.tenantId ?? null,
+      isSuperAdmin,
+    })
     return NextResponse.json({ items })
   } catch (error) {
     return await mapSecurityUsersError(error)
@@ -62,6 +70,7 @@ export const openApi = buildSecurityOpenApi({
       errors: [
         { status: 400, description: 'Invalid query or missing tenant context', schema: securityErrorSchema },
         { status: 401, description: 'Unauthorized', schema: securityErrorSchema },
+        { status: 403, description: 'Not authorized for the requested tenant scope', schema: securityErrorSchema },
       ],
     },
   },

package/src/modules/security/commands/createEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { enforcementPolicySchema } from '../data/validators'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
@@ -34,8 +35,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      const policy = await enforcementService.createPolicy(parsed.data, ctx.auth.sub)
+      const policy = await enforcementService.createPolicy(parsed.data, ctx.auth.sub, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { id: policy.id }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/commands/deleteEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
 export const commandId = 'security.enforcement.delete'
@@ -35,8 +36,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.deletePolicy(parsed.data.id)
+      await enforcementService.deletePolicy(parsed.data.id, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {

package/src/modules/security/commands/resetUserMfa.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import type { MfaAdminService } from '../services/MfaAdminService'
 
 export const commandId = 'security.admin.mfa.reset'
@@ -36,8 +37,12 @@ registerCommand({
     }
 
     const mfaAdminService = ctx.container.resolve<MfaAdminService>('mfaAdminService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason)
+      await mfaAdminService.resetUserMfa(ctx.auth.sub, parsed.data.userId, parsed.data.reason, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isMfaAdminServiceError(error)) {

package/src/modules/security/commands/updateEnforcementPolicy.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 import { registerCommand } from '@open-mercato/shared/lib/commands'
 import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
+import { resolveIsSuperAdmin } from '@open-mercato/core/modules/auth/lib/tenantAccess'
 import { updateEnforcementPolicySchema } from '../data/validators'
 import type { MfaEnforcementService } from '../services/MfaEnforcementService'
 
@@ -37,8 +38,12 @@ registerCommand({
     }
 
     const enforcementService = ctx.container.resolve<MfaEnforcementService>('mfaEnforcementService')
+    const isSuperAdmin = await resolveIsSuperAdmin({ auth: ctx.auth, container: ctx.container })
     try {
-      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub)
+      await enforcementService.updatePolicy(parsed.data.id, parsed.data.data, ctx.auth.sub, {
+        tenantId: ctx.auth.tenantId ?? null,
+        isSuperAdmin,
+      })
       return { ok: true as const }
     } catch (error) {
       if (isEnforcementServiceError(error)) {