@open-mercato/shared 0.4.2-canary-c02407ff85

package/build.mjs

@@ -0,0 +1,101 @@
+import * as esbuild from 'esbuild'
+import { glob } from 'glob'
+import { readFileSync, writeFileSync, existsSync } from 'node:fs'
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+
+// Read the package version at build time for injection
+const packageJson = JSON.parse(readFileSync(join(__dirname, 'package.json'), 'utf-8'))
+const packageVersion = packageJson.version
+
+// Plugin to inject version at build time (replaces version.ts content)
+const injectVersion = {
+  name: 'inject-version',
+  setup(build) {
+    build.onLoad({ filter: /lib\/version\.ts$/ }, async () => {
+      return {
+        contents: `// Build-time generated version
+export const APP_VERSION = '${packageVersion}'
+export const appVersion = APP_VERSION
+`,
+        loader: 'ts'
+      }
+    })
+  }
+}
+
+const entryPoints = await glob(join(__dirname, 'src/**/*.{ts,tsx}'), {
+  ignore: ['**/__tests__/**', '**/*.test.ts', '**/*.test.tsx']
+})
+
+// Plugin to add .js extension to relative imports
+const addJsExtension = {
+  name: 'add-js-extension',
+  setup(build) {
+    build.onEnd(async (result) => {
+      if (result.errors.length > 0) return
+      const outputFiles = await glob(join(__dirname, 'dist/**/*.js'))
+      for (const file of outputFiles) {
+        const fileDir = dirname(file)
+        let content = readFileSync(file, 'utf-8')
+        // Add .js to relative imports that don't have an extension
+        content = content.replace(
+          /from\s+["'](\.[^"']+)["']/g,
+          (match, path) => {
+            if (path.endsWith('.js') || path.endsWith('.json')) return match
+            // Check if it's a directory with index.js
+            const resolvedPath = join(fileDir, path)
+            if (existsSync(resolvedPath) && existsSync(join(resolvedPath, 'index.js'))) {
+              return `from "${path}/index.js"`
+            }
+            return `from "${path}.js"`
+          }
+        )
+        content = content.replace(
+          /import\s*\(\s*["'](\.[^"']+)["']\s*\)/g,
+          (match, path) => {
+            if (path.endsWith('.js') || path.endsWith('.json')) return match
+            // Check if it's a directory with index.js
+            const resolvedPath = join(fileDir, path)
+            if (existsSync(resolvedPath) && existsSync(join(resolvedPath, 'index.js'))) {
+              return `import("${path}/index.js")`
+            }
+            return `import("${path}.js")`
+          }
+        )
+        // Handle side-effect imports: import "./path" (no from clause)
+        content = content.replace(
+          /import\s+["'](\.[^"']+)["'];/g,
+          (match, path) => {
+            if (path.endsWith('.js') || path.endsWith('.json')) return match
+            // Check if it's a directory with index.js
+            const resolvedPath = join(fileDir, path)
+            if (existsSync(resolvedPath) && existsSync(join(resolvedPath, 'index.js'))) {
+              return `import "${path}/index.js";`
+            }
+            return `import "${path}.js";`
+          }
+        )
+        writeFileSync(file, content)
+      }
+    })
+  }
+}
+
+const outdir = join(__dirname, 'dist')
+
+await esbuild.build({
+  entryPoints,
+  outdir,
+  outbase: join(__dirname, 'src'),
+  format: 'esm',
+  platform: 'node',
+  target: 'node18',
+  sourcemap: true,
+  jsx: 'automatic',
+  plugins: [injectVersion, addJsExtension],
+})
+
+console.log('shared built successfully')

package/dist/index.js

@@ -0,0 +1 @@
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": [],
+  "sourcesContent": [],
+  "mappings": "",
+  "names": []
+}

package/dist/lib/api/crud.js

@@ -0,0 +1,47 @@
+function buildScopedWhere(base, scope) {
+  const where = { ...base };
+  const orgField = scope.orgField === null ? null : scope.orgField || "organizationId";
+  const tenantField = scope.tenantField === null ? null : scope.tenantField || "tenantId";
+  const softField = scope.softDeleteField === null ? null : scope.softDeleteField || "deletedAt";
+  if (orgField) {
+    if (scope.organizationIds !== void 0) {
+      const ids = (scope.organizationIds ?? []).filter((id) => typeof id === "string" && id.length > 0);
+      if (ids.length === 0) {
+        where[orgField] = { $in: [] };
+      } else if (ids.length === 1) {
+        where[orgField] = ids[0];
+      } else {
+        where[orgField] = { $in: ids };
+      }
+    } else if (scope.organizationId !== void 0) {
+      where[orgField] = scope.organizationId;
+    }
+  }
+  if (tenantField && scope.tenantId !== void 0) where[tenantField] = scope.tenantId;
+  if (softField) where[softField] = null;
+  return where;
+}
+function extractScopeFromAuth(auth) {
+  if (!auth) return {};
+  return { organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null };
+}
+async function findOneScoped(em, entity, id, scope) {
+  const orgField = scope.orgField || "organizationId";
+  const tenantField = scope.tenantField || "tenantId";
+  const where = { id };
+  if (scope.organizationId != null) where[orgField] = scope.organizationId;
+  if (scope.tenantId != null) where[tenantField] = scope.tenantId;
+  return em.getRepository(entity).findOne(where);
+}
+async function softDelete(em, entity) {
+  ;
+  entity.deletedAt = /* @__PURE__ */ new Date();
+  await em.persistAndFlush(entity);
+}
+export {
+  buildScopedWhere,
+  extractScopeFromAuth,
+  findOneScoped,
+  softDelete
+};
+//# sourceMappingURL=crud.js.map

package/dist/lib/api/crud.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/api/crud.ts"],
+  "sourcesContent": ["import type { EntityManager } from '@mikro-orm/core'\n\ntype Scope = { organizationId?: string | null; organizationIds?: string[] | null; tenantId?: string | null }\n\nexport function buildScopedWhere(\n  base: Record<string, any>,\n  scope: Scope & { orgField?: string | null; tenantField?: string | null; softDeleteField?: string | null }\n): Record<string, any> {\n  const where: any = { ...base }\n  const orgField = scope.orgField === null ? null : (scope.orgField as string) || 'organizationId'\n  const tenantField = scope.tenantField === null ? null : (scope.tenantField as string) || 'tenantId'\n  const softField = scope.softDeleteField === null ? null : (scope.softDeleteField as string) || 'deletedAt'\n\n  if (orgField) {\n    if (scope.organizationIds !== undefined) {\n      const ids = (scope.organizationIds ?? []).filter((id): id is string => typeof id === 'string' && id.length > 0)\n      if (ids.length === 0) {\n        where[orgField] = { $in: [] }\n      } else if (ids.length === 1) {\n        where[orgField] = ids[0]\n      } else {\n        where[orgField] = { $in: ids }\n      }\n    } else if (scope.organizationId !== undefined) {\n      where[orgField] = scope.organizationId\n    }\n  }\n\n  if (tenantField && scope.tenantId !== undefined) where[tenantField] = scope.tenantId\n  if (softField) where[softField] = null\n  return where\n}\n\nexport function extractScopeFromAuth(auth: { orgId?: string | null; tenantId?: string | null } | null | undefined): { organizationId?: string | null; tenantId?: string | null } {\n  if (!auth) return {}\n  return { organizationId: auth.orgId ?? null, tenantId: auth.tenantId ?? null }\n}\n\nexport async function findOneScoped<T extends { id: string }>(\n  em: EntityManager,\n  entity: { new (): T },\n  id: string,\n  scope: Scope & { orgField?: keyof T; tenantField?: keyof T }\n): Promise<T | null> {\n  const orgField = (scope.orgField as string) || 'organizationId'\n  const tenantField = (scope.tenantField as string) || 'tenantId'\n  const where: any = { id }\n  if (scope.organizationId != null) where[orgField] = scope.organizationId\n  if (scope.tenantId != null) where[tenantField] = scope.tenantId\n  return em.getRepository(entity).findOne(where as any)\n}\n\nexport async function softDelete<T extends { deletedAt?: Date | null }>(\n  em: EntityManager,\n  entity: T\n): Promise<void> {\n  ;(entity as any).deletedAt = new Date()\n  await em.persistAndFlush(entity)\n}\n"],
+  "mappings": "AAIO,SAAS,iBACd,MACA,OACqB;AACrB,QAAM,QAAa,EAAE,GAAG,KAAK;AAC7B,QAAM,WAAW,MAAM,aAAa,OAAO,OAAQ,MAAM,YAAuB;AAChF,QAAM,cAAc,MAAM,gBAAgB,OAAO,OAAQ,MAAM,eAA0B;AACzF,QAAM,YAAY,MAAM,oBAAoB,OAAO,OAAQ,MAAM,mBAA8B;AAE/F,MAAI,UAAU;AACZ,QAAI,MAAM,oBAAoB,QAAW;AACvC,YAAM,OAAO,MAAM,mBAAmB,CAAC,GAAG,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAC9G,UAAI,IAAI,WAAW,GAAG;AACpB,cAAM,QAAQ,IAAI,EAAE,KAAK,CAAC,EAAE;AAAA,MAC9B,WAAW,IAAI,WAAW,GAAG;AAC3B,cAAM,QAAQ,IAAI,IAAI,CAAC;AAAA,MACzB,OAAO;AACL,cAAM,QAAQ,IAAI,EAAE,KAAK,IAAI;AAAA,MAC/B;AAAA,IACF,WAAW,MAAM,mBAAmB,QAAW;AAC7C,YAAM,QAAQ,IAAI,MAAM;AAAA,IAC1B;AAAA,EACF;AAEA,MAAI,eAAe,MAAM,aAAa,OAAW,OAAM,WAAW,IAAI,MAAM;AAC5E,MAAI,UAAW,OAAM,SAAS,IAAI;AAClC,SAAO;AACT;AAEO,SAAS,qBAAqB,MAA4I;AAC/K,MAAI,CAAC,KAAM,QAAO,CAAC;AACnB,SAAO,EAAE,gBAAgB,KAAK,SAAS,MAAM,UAAU,KAAK,YAAY,KAAK;AAC/E;AAEA,eAAsB,cACpB,IACA,QACA,IACA,OACmB;AACnB,QAAM,WAAY,MAAM,YAAuB;AAC/C,QAAM,cAAe,MAAM,eAA0B;AACrD,QAAM,QAAa,EAAE,GAAG;AACxB,MAAI,MAAM,kBAAkB,KAAM,OAAM,QAAQ,IAAI,MAAM;AAC1D,MAAI,MAAM,YAAY,KAAM,OAAM,WAAW,IAAI,MAAM;AACvD,SAAO,GAAG,cAAc,MAAM,EAAE,QAAQ,KAAY;AACtD;AAEA,eAAsB,WACpB,IACA,QACe;AACf;AAAC,EAAC,OAAe,YAAY,oBAAI,KAAK;AACtC,QAAM,GAAG,gBAAgB,MAAM;AACjC;",
+  "names": []
+}

package/dist/lib/api/scoped.js

@@ -0,0 +1,140 @@
+import { CrudHttpError } from "@open-mercato/shared/lib/crud/errors";
+import { splitCustomFieldPayload } from "@open-mercato/shared/lib/crud/custom-fields";
+const DEFAULT_MESSAGES = {
+  tenantRequired: { key: "errors.tenant_required", fallback: "Tenant context is required." },
+  organizationRequired: { key: "errors.organization_required", fallback: "Organization context is required." },
+  idRequired: { key: "errors.id_required", fallback: "Record identifier is required." },
+  tenantForbidden: { key: "errors.tenant_forbidden", fallback: "You are not allowed to target this tenant." }
+};
+function resolveMessage(messages, key) {
+  const override = messages?.[key];
+  if (override && typeof override.key === "string" && override.key.length > 0) {
+    return {
+      key: override.key,
+      fallback: override.fallback ?? DEFAULT_MESSAGES[key].fallback
+    };
+  }
+  return DEFAULT_MESSAGES[key];
+}
+function withScopedPayload(payload, ctx, translate, options = {}) {
+  const requireOrganization = options.requireOrganization !== false;
+  const hasGlobalOrgAccess = ctx.organizationScope?.allowedIds === null;
+  const source = payload ? { ...payload } : {};
+  const tenantId = source?.tenantId ?? ctx.auth?.tenantId ?? null;
+  if (!tenantId) {
+    const msg = resolveMessage(options.messages, "tenantRequired");
+    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) });
+  }
+  const resolvedOrg = source?.organizationId ?? ctx.selectedOrganizationId ?? ctx.auth?.orgId ?? null;
+  if (requireOrganization && !hasGlobalOrgAccess && !resolvedOrg) {
+    const msg = resolveMessage(options.messages, "organizationRequired");
+    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) });
+  }
+  const scoped = {
+    ...source,
+    tenantId
+  };
+  if (resolvedOrg) scoped.organizationId = resolvedOrg;
+  return scoped;
+}
+function parseScopedCommandInput(schema, payload, ctx, translate, options = {}) {
+  const scoped = withScopedPayload(
+    payload && typeof payload === "object" ? payload : {},
+    ctx,
+    translate,
+    options
+  );
+  const actorTenantId = normalizeTenant(ctx.auth?.tenantId);
+  const requestedTenantId = normalizeTenant(scoped.tenantId);
+  const isSuperAdmin = authIsSuperAdmin(ctx.auth);
+  if (!isSuperAdmin) {
+    if (actorTenantId) {
+      if (!requestedTenantId || requestedTenantId !== actorTenantId) {
+        const msg = resolveMessage(options.messages, "tenantForbidden");
+        throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) });
+      }
+    } else if (requestedTenantId) {
+      const msg = resolveMessage(options.messages, "tenantForbidden");
+      throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) });
+    }
+  }
+  const { base, custom } = splitCustomFieldPayload(scoped);
+  const hasCustomFields = custom && Object.keys(custom).length > 0;
+  const candidates = hasCustomFields ? [base, { ...base, customFields: custom }] : [base];
+  let parsed;
+  let lastError;
+  for (const candidate of candidates) {
+    try {
+      parsed = schema.parse(candidate);
+      break;
+    } catch (err) {
+      lastError = err;
+    }
+  }
+  if (!parsed) {
+    if (lastError instanceof Error) throw lastError;
+    throw new CrudHttpError(400, { error: translate("errors.invalid_input", "Invalid input") });
+  }
+  const parsedWithCustom = hasCustomFields ? Object.assign({}, parsed, { customFields: custom }) : parsed;
+  return parsedWithCustom;
+}
+function normalizeTenant(candidate) {
+  if (typeof candidate === "string" && candidate.trim().length > 0) return candidate.trim();
+  return null;
+}
+function authIsSuperAdmin(auth) {
+  if (!auth) return false;
+  return auth.isSuperAdmin === true;
+}
+function requireRecordId(candidate, ctx, translate, options = {}) {
+  const fieldName = "id";
+  const id = typeof candidate === "string" ? candidate.trim() : candidate && typeof candidate === "object" ? typeof candidate[fieldName] === "string" ? String(candidate[fieldName]) : null : null;
+  if (id && id.length > 0) return id;
+  const msg = resolveMessage(options.messages, "idRequired");
+  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) });
+}
+function resolveCrudRecordId(parsed, ctx, translate, options = {}) {
+  const fieldName = options.fieldName ?? "id";
+  const queryParam = options.queryParam ?? fieldName;
+  const tryRequire = (value) => {
+    try {
+      return requireRecordId(value, ctx, translate, options);
+    } catch {
+      return null;
+    }
+  };
+  if (parsed && typeof parsed === "object") {
+    const body = parsed.body;
+    const fromBody = body && typeof body === "object" ? tryRequire(body) : null;
+    if (fromBody) return fromBody;
+    const fallback = tryRequire(parsed);
+    if (fallback) return fallback;
+    const query = parsed.query;
+    if (query && typeof query === "object") {
+      const candidate = query[queryParam];
+      if (typeof candidate === "string" && candidate.trim().length > 0) return candidate.trim();
+    }
+  }
+  if (ctx.request instanceof Request) {
+    const value = new URL(ctx.request.url).searchParams.get(queryParam);
+    if (value && value.trim().length > 0) return value.trim();
+  }
+  const msg = resolveMessage(options.messages, "idRequired");
+  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) });
+}
+function createScopedApiHelpers(baseOptions) {
+  return {
+    withScopedPayload: (payload, ctx, translate, options = {}) => withScopedPayload(payload, ctx, translate, { ...baseOptions, ...options }),
+    parseScopedCommandInput: (schema, payload, ctx, translate, options = {}) => parseScopedCommandInput(schema, payload, ctx, translate, { ...baseOptions, ...options }),
+    requireRecordId: (candidate, ctx, translate, options = {}) => requireRecordId(candidate, ctx, translate, { ...baseOptions, ...options }),
+    resolveCrudRecordId: (parsed, ctx, translate, options = {}) => resolveCrudRecordId(parsed, ctx, translate, { ...baseOptions, ...options })
+  };
+}
+export {
+  createScopedApiHelpers,
+  parseScopedCommandInput,
+  requireRecordId,
+  resolveCrudRecordId,
+  withScopedPayload
+};
+//# sourceMappingURL=scoped.js.map

package/dist/lib/api/scoped.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/api/scoped.ts"],
+  "sourcesContent": ["import type { CrudCtx } from '@open-mercato/shared/lib/crud/factory'\nimport { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'\nimport { splitCustomFieldPayload } from '@open-mercato/shared/lib/crud/custom-fields'\nimport type { CommandRuntimeContext } from '@open-mercato/shared/lib/commands'\nimport type { z } from 'zod'\n\nexport type ScopedContext = (CommandRuntimeContext | CrudCtx) & {\n  auth: { tenantId?: string | null; orgId?: string | null } | null\n  selectedOrganizationId?: string | null\n}\n\nexport type TranslateFn = (key: string, fallback?: string) => string\n\nexport type ScopedMessage = {\n  key: string\n  fallback: string\n}\n\nexport type ScopedPayloadMessages = {\n  tenantRequired?: ScopedMessage\n  organizationRequired?: ScopedMessage\n  idRequired?: ScopedMessage\n  tenantForbidden?: ScopedMessage\n}\n\nexport type ScopedPayloadOptions = {\n  requireOrganization?: boolean\n  messages?: ScopedPayloadMessages\n}\n\nconst DEFAULT_MESSAGES: Required<ScopedPayloadMessages> = {\n  tenantRequired: { key: 'errors.tenant_required', fallback: 'Tenant context is required.' },\n  organizationRequired: { key: 'errors.organization_required', fallback: 'Organization context is required.' },\n  idRequired: { key: 'errors.id_required', fallback: 'Record identifier is required.' },\n  tenantForbidden: { key: 'errors.tenant_forbidden', fallback: 'You are not allowed to target this tenant.' },\n}\n\nfunction resolveMessage(messages: ScopedPayloadMessages | undefined, key: keyof ScopedPayloadMessages): ScopedMessage {\n  const override = messages?.[key]\n  if (override && typeof override.key === 'string' && override.key.length > 0) {\n    return {\n      key: override.key,\n      fallback: override.fallback ?? DEFAULT_MESSAGES[key]!.fallback,\n    }\n  }\n  return DEFAULT_MESSAGES[key]!\n}\n\nexport function withScopedPayload<T extends Record<string, unknown>>(\n  payload: T | null | undefined,\n  ctx: ScopedContext,\n  translate: TranslateFn,\n  options: ScopedPayloadOptions = {}\n): T & { tenantId: string; organizationId?: string } {\n  const requireOrganization = options.requireOrganization !== false\n  const hasGlobalOrgAccess = ctx.organizationScope?.allowedIds === null\n  const source = payload ? { ...payload } : {}\n  const tenantId = (source as { tenantId?: string })?.tenantId ?? ctx.auth?.tenantId ?? null\n  if (!tenantId) {\n    const msg = resolveMessage(options.messages, 'tenantRequired')\n    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })\n  }\n\n  const resolvedOrg =\n    (source as { organizationId?: string })?.organizationId ??\n    ctx.selectedOrganizationId ??\n    ctx.auth?.orgId ??\n    null\n\n  if (requireOrganization && !hasGlobalOrgAccess && !resolvedOrg) {\n    const msg = resolveMessage(options.messages, 'organizationRequired')\n    throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })\n  }\n\n  const scoped = {\n    ...source,\n    tenantId,\n  } as T & { tenantId: string; organizationId?: string }\n\n  if (resolvedOrg) scoped.organizationId = resolvedOrg\n\n  return scoped\n}\n\nexport function parseScopedCommandInput<TSchema extends z.ZodTypeAny>(\n  schema: TSchema,\n  payload: unknown,\n  ctx: ScopedContext,\n  translate: TranslateFn,\n  options: ScopedPayloadOptions = {}\n): z.infer<TSchema> & { customFields?: Record<string, unknown> } {\n  const scoped = withScopedPayload(\n    (payload && typeof payload === 'object' ? payload : {}) as Record<string, unknown>,\n    ctx,\n    translate,\n    options\n  )\n  const actorTenantId = normalizeTenant(ctx.auth?.tenantId)\n  const requestedTenantId = normalizeTenant(scoped.tenantId)\n  const isSuperAdmin = authIsSuperAdmin(ctx.auth)\n  if (!isSuperAdmin) {\n    if (actorTenantId) {\n      if (!requestedTenantId || requestedTenantId !== actorTenantId) {\n        const msg = resolveMessage(options.messages, 'tenantForbidden')\n        throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) })\n      }\n    } else if (requestedTenantId) {\n      const msg = resolveMessage(options.messages, 'tenantForbidden')\n      throw new CrudHttpError(403, { error: translate(msg.key, msg.fallback) })\n    }\n  }\n  const { base, custom } = splitCustomFieldPayload(scoped)\n  const hasCustomFields = custom && Object.keys(custom).length > 0\n  const candidates: Array<Record<string, unknown>> = hasCustomFields\n    ? [base, { ...base, customFields: custom }]\n    : [base]\n\n  let parsed: z.infer<TSchema> | undefined\n  let lastError: unknown\n  for (const candidate of candidates) {\n    try {\n      parsed = schema.parse(candidate) as z.infer<TSchema>\n      break\n    } catch (err) {\n      lastError = err\n    }\n  }\n  if (!parsed) {\n    if (lastError instanceof Error) throw lastError\n    throw new CrudHttpError(400, { error: translate('errors.invalid_input', 'Invalid input') })\n  }\n\n  const parsedWithCustom = hasCustomFields\n    ? Object.assign({}, parsed, { customFields: custom })\n    : parsed\n\n  return parsedWithCustom as z.infer<TSchema> & { customFields?: Record<string, unknown> }\n}\n\nfunction normalizeTenant(candidate: unknown): string | null {\n  if (typeof candidate === 'string' && candidate.trim().length > 0) return candidate.trim()\n  return null\n}\n\nfunction authIsSuperAdmin(auth: ScopedContext['auth']): boolean {\n  if (!auth) return false\n  return (auth as Record<string, unknown>).isSuperAdmin === true\n}\n\nexport function requireRecordId(\n  candidate: unknown,\n  ctx: ScopedContext,\n  translate: TranslateFn,\n  options: ScopedPayloadOptions = {}\n): string {\n  const fieldName = 'id'\n  const id =\n    typeof candidate === 'string'\n      ? candidate.trim()\n      : candidate && typeof candidate === 'object'\n        ? typeof (candidate as Record<string, unknown>)[fieldName] === 'string'\n          ? String((candidate as Record<string, unknown>)[fieldName])\n          : null\n        : null\n  if (id && id.length > 0) return id\n  const msg = resolveMessage(options.messages, 'idRequired')\n  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })\n}\n\nexport function resolveCrudRecordId(\n  parsed: unknown,\n  ctx: ScopedContext,\n  translate: TranslateFn,\n  options: ScopedPayloadOptions & { fieldName?: string; queryParam?: string } = {}\n): string {\n  const fieldName = options.fieldName ?? 'id'\n  const queryParam = options.queryParam ?? fieldName\n\n  const tryRequire = (value: unknown): string | null => {\n    try {\n      return requireRecordId(value, ctx, translate, options)\n    } catch {\n      return null\n    }\n  }\n\n  if (parsed && typeof parsed === 'object') {\n    const body = (parsed as Record<string, unknown>).body\n    const fromBody = body && typeof body === 'object' ? tryRequire(body) : null\n    if (fromBody) return fromBody\n\n    const fallback = tryRequire(parsed)\n    if (fallback) return fallback\n\n    const query = (parsed as Record<string, unknown>).query\n    if (query && typeof query === 'object') {\n      const candidate = (query as Record<string, unknown>)[queryParam]\n      if (typeof candidate === 'string' && candidate.trim().length > 0) return candidate.trim()\n    }\n  }\n\n  if (ctx.request instanceof Request) {\n    const value = new URL(ctx.request.url).searchParams.get(queryParam)\n    if (value && value.trim().length > 0) return value.trim()\n  }\n\n  const msg = resolveMessage(options.messages, 'idRequired')\n  throw new CrudHttpError(400, { error: translate(msg.key, msg.fallback) })\n}\n\nexport function createScopedApiHelpers(baseOptions?: ScopedPayloadOptions) {\n  return {\n    withScopedPayload: <T extends Record<string, unknown>>(\n      payload: T | null | undefined,\n      ctx: ScopedContext,\n      translate: TranslateFn,\n      options: ScopedPayloadOptions = {}\n    ) => withScopedPayload(payload, ctx, translate, { ...baseOptions, ...options }),\n    parseScopedCommandInput: <TSchema extends z.ZodTypeAny>(\n      schema: TSchema,\n      payload: unknown,\n      ctx: ScopedContext,\n      translate: TranslateFn,\n      options: ScopedPayloadOptions = {}\n    ) => parseScopedCommandInput(schema, payload, ctx, translate, { ...baseOptions, ...options }),\n    requireRecordId: (\n      candidate: unknown,\n      ctx: ScopedContext,\n      translate: TranslateFn,\n      options: ScopedPayloadOptions = {}\n    ) => requireRecordId(candidate, ctx, translate, { ...baseOptions, ...options }),\n    resolveCrudRecordId: (\n      parsed: unknown,\n      ctx: ScopedContext,\n      translate: TranslateFn,\n      options: ScopedPayloadOptions & { fieldName?: string; queryParam?: string } = {}\n    ) => resolveCrudRecordId(parsed, ctx, translate, { ...baseOptions, ...options }),\n  }\n}\n"],
+  "mappings": "AACA,SAAS,qBAAqB;AAC9B,SAAS,+BAA+B;AA4BxC,MAAM,mBAAoD;AAAA,EACxD,gBAAgB,EAAE,KAAK,0BAA0B,UAAU,8BAA8B;AAAA,EACzF,sBAAsB,EAAE,KAAK,gCAAgC,UAAU,oCAAoC;AAAA,EAC3G,YAAY,EAAE,KAAK,sBAAsB,UAAU,iCAAiC;AAAA,EACpF,iBAAiB,EAAE,KAAK,2BAA2B,UAAU,6CAA6C;AAC5G;AAEA,SAAS,eAAe,UAA6C,KAAiD;AACpH,QAAM,WAAW,WAAW,GAAG;AAC/B,MAAI,YAAY,OAAO,SAAS,QAAQ,YAAY,SAAS,IAAI,SAAS,GAAG;AAC3E,WAAO;AAAA,MACL,KAAK,SAAS;AAAA,MACd,UAAU,SAAS,YAAY,iBAAiB,GAAG,EAAG;AAAA,IACxD;AAAA,EACF;AACA,SAAO,iBAAiB,GAAG;AAC7B;AAEO,SAAS,kBACd,SACA,KACA,WACA,UAAgC,CAAC,GACkB;AACnD,QAAM,sBAAsB,QAAQ,wBAAwB;AAC5D,QAAM,qBAAqB,IAAI,mBAAmB,eAAe;AACjE,QAAM,SAAS,UAAU,EAAE,GAAG,QAAQ,IAAI,CAAC;AAC3C,QAAM,WAAY,QAAkC,YAAY,IAAI,MAAM,YAAY;AACtF,MAAI,CAAC,UAAU;AACb,UAAM,MAAM,eAAe,QAAQ,UAAU,gBAAgB;AAC7D,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAAA,EAC1E;AAEA,QAAM,cACH,QAAwC,kBACzC,IAAI,0BACJ,IAAI,MAAM,SACV;AAEF,MAAI,uBAAuB,CAAC,sBAAsB,CAAC,aAAa;AAC9D,UAAM,MAAM,eAAe,QAAQ,UAAU,sBAAsB;AACnE,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAAA,EAC1E;AAEA,QAAM,SAAS;AAAA,IACb,GAAG;AAAA,IACH;AAAA,EACF;AAEA,MAAI,YAAa,QAAO,iBAAiB;AAEzC,SAAO;AACT;AAEO,SAAS,wBACd,QACA,SACA,KACA,WACA,UAAgC,CAAC,GAC8B;AAC/D,QAAM,SAAS;AAAA,IACZ,WAAW,OAAO,YAAY,WAAW,UAAU,CAAC;AAAA,IACrD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,gBAAgB,gBAAgB,IAAI,MAAM,QAAQ;AACxD,QAAM,oBAAoB,gBAAgB,OAAO,QAAQ;AACzD,QAAM,eAAe,iBAAiB,IAAI,IAAI;AAC9C,MAAI,CAAC,cAAc;AACjB,QAAI,eAAe;AACjB,UAAI,CAAC,qBAAqB,sBAAsB,eAAe;AAC7D,cAAM,MAAM,eAAe,QAAQ,UAAU,iBAAiB;AAC9D,cAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAAA,MAC1E;AAAA,IACF,WAAW,mBAAmB;AAC5B,YAAM,MAAM,eAAe,QAAQ,UAAU,iBAAiB;AAC9D,YAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAAA,IAC1E;AAAA,EACF;AACA,QAAM,EAAE,MAAM,OAAO,IAAI,wBAAwB,MAAM;AACvD,QAAM,kBAAkB,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS;AAC/D,QAAM,aAA6C,kBAC/C,CAAC,MAAM,EAAE,GAAG,MAAM,cAAc,OAAO,CAAC,IACxC,CAAC,IAAI;AAET,MAAI;AACJ,MAAI;AACJ,aAAW,aAAa,YAAY;AAClC,QAAI;AACF,eAAS,OAAO,MAAM,SAAS;AAC/B;AAAA,IACF,SAAS,KAAK;AACZ,kBAAY;AAAA,IACd;AAAA,EACF;AACA,MAAI,CAAC,QAAQ;AACX,QAAI,qBAAqB,MAAO,OAAM;AACtC,UAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,wBAAwB,eAAe,EAAE,CAAC;AAAA,EAC5F;AAEA,QAAM,mBAAmB,kBACrB,OAAO,OAAO,CAAC,GAAG,QAAQ,EAAE,cAAc,OAAO,CAAC,IAClD;AAEJ,SAAO;AACT;AAEA,SAAS,gBAAgB,WAAmC;AAC1D,MAAI,OAAO,cAAc,YAAY,UAAU,KAAK,EAAE,SAAS,EAAG,QAAO,UAAU,KAAK;AACxF,SAAO;AACT;AAEA,SAAS,iBAAiB,MAAsC;AAC9D,MAAI,CAAC,KAAM,QAAO;AAClB,SAAQ,KAAiC,iBAAiB;AAC5D;AAEO,SAAS,gBACd,WACA,KACA,WACA,UAAgC,CAAC,GACzB;AACR,QAAM,YAAY;AAClB,QAAM,KACJ,OAAO,cAAc,WACjB,UAAU,KAAK,IACf,aAAa,OAAO,cAAc,WAChC,OAAQ,UAAsC,SAAS,MAAM,WAC3D,OAAQ,UAAsC,SAAS,CAAC,IACxD,OACF;AACR,MAAI,MAAM,GAAG,SAAS,EAAG,QAAO;AAChC,QAAM,MAAM,eAAe,QAAQ,UAAU,YAAY;AACzD,QAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAC1E;AAEO,SAAS,oBACd,QACA,KACA,WACA,UAA8E,CAAC,GACvE;AACR,QAAM,YAAY,QAAQ,aAAa;AACvC,QAAM,aAAa,QAAQ,cAAc;AAEzC,QAAM,aAAa,CAAC,UAAkC;AACpD,QAAI;AACF,aAAO,gBAAgB,OAAO,KAAK,WAAW,OAAO;AAAA,IACvD,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,MAAI,UAAU,OAAO,WAAW,UAAU;AACxC,UAAM,OAAQ,OAAmC;AACjD,UAAM,WAAW,QAAQ,OAAO,SAAS,WAAW,WAAW,IAAI,IAAI;AACvE,QAAI,SAAU,QAAO;AAErB,UAAM,WAAW,WAAW,MAAM;AAClC,QAAI,SAAU,QAAO;AAErB,UAAM,QAAS,OAAmC;AAClD,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,YAAM,YAAa,MAAkC,UAAU;AAC/D,UAAI,OAAO,cAAc,YAAY,UAAU,KAAK,EAAE,SAAS,EAAG,QAAO,UAAU,KAAK;AAAA,IAC1F;AAAA,EACF;AAEA,MAAI,IAAI,mBAAmB,SAAS;AAClC,UAAM,QAAQ,IAAI,IAAI,IAAI,QAAQ,GAAG,EAAE,aAAa,IAAI,UAAU;AAClE,QAAI,SAAS,MAAM,KAAK,EAAE,SAAS,EAAG,QAAO,MAAM,KAAK;AAAA,EAC1D;AAEA,QAAM,MAAM,eAAe,QAAQ,UAAU,YAAY;AACzD,QAAM,IAAI,cAAc,KAAK,EAAE,OAAO,UAAU,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;AAC1E;AAEO,SAAS,uBAAuB,aAAoC;AACzE,SAAO;AAAA,IACL,mBAAmB,CACjB,SACA,KACA,WACA,UAAgC,CAAC,MAC9B,kBAAkB,SAAS,KAAK,WAAW,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC;AAAA,IAC9E,yBAAyB,CACvB,QACA,SACA,KACA,WACA,UAAgC,CAAC,MAC9B,wBAAwB,QAAQ,SAAS,KAAK,WAAW,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC;AAAA,IAC5F,iBAAiB,CACf,WACA,KACA,WACA,UAAgC,CAAC,MAC9B,gBAAgB,WAAW,KAAK,WAAW,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC;AAAA,IAC9E,qBAAqB,CACnB,QACA,KACA,WACA,UAA8E,CAAC,MAC5E,oBAAoB,QAAQ,KAAK,WAAW,EAAE,GAAG,aAAa,GAAG,QAAQ,CAAC;AAAA,EACjF;AACF;",
+  "names": []
+}

package/dist/lib/auth/jwt.js

@@ -0,0 +1,34 @@
+import crypto from "node:crypto";
+function base64url(input) {
+  return (typeof input === "string" ? Buffer.from(input) : input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function signJwt(payload, secret = process.env.JWT_SECRET, expiresInSec = 60 * 60 * 8) {
+  if (!secret) throw new Error("JWT_SECRET is not set");
+  const header = { alg: "HS256", typ: "JWT" };
+  const now = Math.floor(Date.now() / 1e3);
+  const body = { iat: now, exp: now + expiresInSec, ...payload };
+  const encHeader = base64url(JSON.stringify(header));
+  const encBody = base64url(JSON.stringify(body));
+  const data = `${encHeader}.${encBody}`;
+  const sig = crypto.createHmac("sha256", secret).update(data).digest();
+  const encSig = base64url(sig);
+  return `${data}.${encSig}`;
+}
+function verifyJwt(token, secret = process.env.JWT_SECRET) {
+  if (!secret) throw new Error("JWT_SECRET is not set");
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [h, p, s] = parts;
+  const data = `${h}.${p}`;
+  const expected = base64url(crypto.createHmac("sha256", secret).update(data).digest());
+  if (!crypto.timingSafeEqual(Buffer.from(s), Buffer.from(expected))) return null;
+  const payload = JSON.parse(Buffer.from(p, "base64").toString("utf8"));
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp && now > payload.exp) return null;
+  return payload;
+}
+export {
+  signJwt,
+  verifyJwt
+};
+//# sourceMappingURL=jwt.js.map

package/dist/lib/auth/jwt.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/auth/jwt.ts"],
+  "sourcesContent": ["import crypto from 'node:crypto'\n\nfunction base64url(input: Buffer | string) {\n  return (typeof input === 'string' ? Buffer.from(input) : input)\n    .toString('base64')\n    .replace(/=/g, '')\n    .replace(/\\+/g, '-')\n    .replace(/\\//g, '_')\n}\n\nexport type JwtPayload = Record<string, any>\n\nexport function signJwt(payload: JwtPayload, secret = process.env.JWT_SECRET!, expiresInSec = 60 * 60 * 8) {\n  if (!secret) throw new Error('JWT_SECRET is not set')\n  const header = { alg: 'HS256', typ: 'JWT' }\n  const now = Math.floor(Date.now() / 1000)\n  const body = { iat: now, exp: now + expiresInSec, ...payload }\n  const encHeader = base64url(JSON.stringify(header))\n  const encBody = base64url(JSON.stringify(body))\n  const data = `${encHeader}.${encBody}`\n  const sig = crypto.createHmac('sha256', secret).update(data).digest()\n  const encSig = base64url(sig)\n  return `${data}.${encSig}`\n}\n\nexport function verifyJwt(token: string, secret = process.env.JWT_SECRET!) {\n  if (!secret) throw new Error('JWT_SECRET is not set')\n  const parts = token.split('.')\n  if (parts.length !== 3) return null\n  const [h, p, s] = parts\n  const data = `${h}.${p}`\n  const expected = base64url(crypto.createHmac('sha256', secret).update(data).digest())\n  if (!crypto.timingSafeEqual(Buffer.from(s), Buffer.from(expected))) return null\n  const payload = JSON.parse(Buffer.from(p, 'base64').toString('utf8'))\n  const now = Math.floor(Date.now() / 1000)\n  if (payload.exp && now > payload.exp) return null\n  return payload\n}\n\n"],
+  "mappings": "AAAA,OAAO,YAAY;AAEnB,SAAS,UAAU,OAAwB;AACzC,UAAQ,OAAO,UAAU,WAAW,OAAO,KAAK,KAAK,IAAI,OACtD,SAAS,QAAQ,EACjB,QAAQ,MAAM,EAAE,EAChB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG;AACvB;AAIO,SAAS,QAAQ,SAAqB,SAAS,QAAQ,IAAI,YAAa,eAAe,KAAK,KAAK,GAAG;AACzG,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,QAAM,SAAS,EAAE,KAAK,SAAS,KAAK,MAAM;AAC1C,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,OAAO,EAAE,KAAK,KAAK,KAAK,MAAM,cAAc,GAAG,QAAQ;AAC7D,QAAM,YAAY,UAAU,KAAK,UAAU,MAAM,CAAC;AAClD,QAAM,UAAU,UAAU,KAAK,UAAU,IAAI,CAAC;AAC9C,QAAM,OAAO,GAAG,SAAS,IAAI,OAAO;AACpC,QAAM,MAAM,OAAO,WAAW,UAAU,MAAM,EAAE,OAAO,IAAI,EAAE,OAAO;AACpE,QAAM,SAAS,UAAU,GAAG;AAC5B,SAAO,GAAG,IAAI,IAAI,MAAM;AAC1B;AAEO,SAAS,UAAU,OAAe,SAAS,QAAQ,IAAI,YAAa;AACzE,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,uBAAuB;AACpD,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,QAAM,CAAC,GAAG,GAAG,CAAC,IAAI;AAClB,QAAM,OAAO,GAAG,CAAC,IAAI,CAAC;AACtB,QAAM,WAAW,UAAU,OAAO,WAAW,UAAU,MAAM,EAAE,OAAO,IAAI,EAAE,OAAO,CAAC;AACpF,MAAI,CAAC,OAAO,gBAAgB,OAAO,KAAK,CAAC,GAAG,OAAO,KAAK,QAAQ,CAAC,EAAG,QAAO;AAC3E,QAAM,UAAU,KAAK,MAAM,OAAO,KAAK,GAAG,QAAQ,EAAE,SAAS,MAAM,CAAC;AACpE,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,MAAI,QAAQ,OAAO,MAAM,QAAQ,IAAK,QAAO;AAC7C,SAAO;AACT;",
+  "names": []
+}

package/dist/lib/auth/server.js

@@ -0,0 +1,157 @@
+import { cookies } from "next/headers";
+import { verifyJwt } from "./jwt.js";
+const TENANT_COOKIE_NAME = "om_selected_tenant";
+const ORGANIZATION_COOKIE_NAME = "om_selected_org";
+const ALL_ORGANIZATIONS_COOKIE_VALUE = "__all__";
+const SUPERADMIN_ROLE = "superadmin";
+function decodeCookieValue(raw) {
+  if (raw === void 0) return null;
+  try {
+    const decoded = decodeURIComponent(raw);
+    return decoded ?? null;
+  } catch {
+    return raw ?? null;
+  }
+}
+function readCookieFromHeader(header, name) {
+  if (!header) return void 0;
+  const parts = header.split(";");
+  for (const part of parts) {
+    const trimmed = part.trim();
+    if (trimmed.startsWith(`${name}=`)) {
+      return trimmed.slice(name.length + 1);
+    }
+  }
+  return void 0;
+}
+function resolveTenantOverride(raw) {
+  if (raw === void 0) return { applied: false, value: null };
+  const decoded = decodeCookieValue(raw);
+  if (!decoded) return { applied: true, value: null };
+  const trimmed = decoded.trim();
+  if (!trimmed) return { applied: true, value: null };
+  return { applied: true, value: trimmed };
+}
+function resolveOrganizationOverride(raw) {
+  if (raw === void 0) return { applied: false, value: null };
+  const decoded = decodeCookieValue(raw);
+  if (!decoded || decoded === ALL_ORGANIZATIONS_COOKIE_VALUE) {
+    return { applied: true, value: null };
+  }
+  const trimmed = decoded.trim();
+  if (!trimmed || trimmed === ALL_ORGANIZATIONS_COOKIE_VALUE) {
+    return { applied: true, value: null };
+  }
+  return { applied: true, value: trimmed };
+}
+function isSuperAdminAuth(auth) {
+  if (!auth) return false;
+  if (auth.isSuperAdmin === true) return true;
+  const roles = Array.isArray(auth?.roles) ? auth.roles : [];
+  return roles.some((role) => typeof role === "string" && role.trim().toLowerCase() === SUPERADMIN_ROLE);
+}
+function applySuperAdminScope(auth, tenantCookie, orgCookie) {
+  if (!auth || !isSuperAdminAuth(auth)) return auth;
+  const tenantOverride = resolveTenantOverride(tenantCookie);
+  const orgOverride = resolveOrganizationOverride(orgCookie);
+  if (!tenantOverride.applied && !orgOverride.applied) return auth;
+  const baseAuth = auth;
+  const next = { ...baseAuth };
+  if (tenantOverride.applied) {
+    if (!("actorTenantId" in next)) next.actorTenantId = auth?.tenantId ?? null;
+    next.tenantId = tenantOverride.value;
+  }
+  if (orgOverride.applied) {
+    if (!("actorOrgId" in next)) next.actorOrgId = auth?.orgId ?? null;
+    next.orgId = orgOverride.value;
+  }
+  next.isSuperAdmin = true;
+  const existingRoles = Array.isArray(next.roles) ? next.roles : [];
+  if (!existingRoles.some((role) => typeof role === "string" && role.trim().toLowerCase() === SUPERADMIN_ROLE)) {
+    next.roles = [...existingRoles, "superadmin"];
+  }
+  return next;
+}
+async function resolveApiKeyAuth(secret) {
+  if (!secret) return null;
+  try {
+    const { createRequestContainer } = await import("@open-mercato/shared/lib/di/container");
+    const container = await createRequestContainer();
+    const em = container.resolve("em");
+    const { findApiKeyBySecret } = await import("@open-mercato/core/modules/api_keys/services/apiKeyService");
+    const { Role } = await import("@open-mercato/core/modules/auth/data/entities");
+    const record = await findApiKeyBySecret(em, secret);
+    if (!record) return null;
+    const roleIds = Array.isArray(record.rolesJson) ? record.rolesJson.filter((value) => typeof value === "string" && value.length > 0) : [];
+    const roles = roleIds.length ? await em.find(Role, { id: { $in: roleIds } }) : [];
+    const roleNames = roles.map((role) => role.name).filter((name) => typeof name === "string" && name.length > 0);
+    try {
+      record.lastUsedAt = /* @__PURE__ */ new Date();
+      await em.persistAndFlush(record);
+    } catch {
+    }
+    return {
+      sub: `api_key:${record.id}`,
+      tenantId: record.tenantId ?? null,
+      orgId: record.organizationId ?? null,
+      roles: roleNames,
+      isApiKey: true,
+      keyId: record.id,
+      keyName: record.name
+    };
+  } catch {
+    return null;
+  }
+}
+function extractApiKey(req) {
+  const header = (req.headers.get("x-api-key") || "").trim();
+  if (header) return header;
+  const authHeader = (req.headers.get("authorization") || "").trim();
+  if (authHeader.toLowerCase().startsWith("apikey ")) {
+    return authHeader.slice(7).trim();
+  }
+  return null;
+}
+async function getAuthFromCookies() {
+  const cookieStore = await cookies();
+  const token = cookieStore.get("auth_token")?.value;
+  if (!token) return null;
+  try {
+    const payload = verifyJwt(token);
+    if (!payload) return null;
+    const tenantCookie = cookieStore.get(TENANT_COOKIE_NAME)?.value;
+    const orgCookie = cookieStore.get(ORGANIZATION_COOKIE_NAME)?.value;
+    return applySuperAdminScope(payload, tenantCookie, orgCookie);
+  } catch {
+    return null;
+  }
+}
+async function getAuthFromRequest(req) {
+  const cookieHeader = req.headers.get("cookie") || "";
+  const tenantCookie = readCookieFromHeader(cookieHeader, TENANT_COOKIE_NAME);
+  const orgCookie = readCookieFromHeader(cookieHeader, ORGANIZATION_COOKIE_NAME);
+  const authHeader = (req.headers.get("authorization") || "").trim();
+  let token;
+  if (authHeader.toLowerCase().startsWith("bearer ")) token = authHeader.slice(7).trim();
+  if (!token) {
+    const match = cookieHeader.match(/(?:^|;\s*)auth_token=([^;]+)/);
+    if (match) token = decodeURIComponent(match[1]);
+  }
+  if (token) {
+    try {
+      const payload = verifyJwt(token);
+      if (payload) return applySuperAdminScope(payload, tenantCookie, orgCookie);
+    } catch {
+    }
+  }
+  const apiKey = extractApiKey(req);
+  if (!apiKey) return null;
+  const apiAuth = await resolveApiKeyAuth(apiKey);
+  if (!apiAuth) return null;
+  return applySuperAdminScope(apiAuth, tenantCookie, orgCookie);
+}
+export {
+  getAuthFromCookies,
+  getAuthFromRequest
+};
+//# sourceMappingURL=server.js.map

package/dist/lib/auth/server.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/auth/server.ts"],
+  "sourcesContent": ["import { cookies } from 'next/headers'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { verifyJwt } from './jwt'\n\nconst TENANT_COOKIE_NAME = 'om_selected_tenant'\nconst ORGANIZATION_COOKIE_NAME = 'om_selected_org'\nconst ALL_ORGANIZATIONS_COOKIE_VALUE = '__all__'\nconst SUPERADMIN_ROLE = 'superadmin'\n\nexport type AuthContext = {\n  sub: string\n  tenantId: string | null\n  orgId: string | null\n  email?: string\n  roles?: string[]\n  isApiKey?: boolean\n  keyId?: string\n  keyName?: string\n  [k: string]: unknown\n} | null\n\ntype CookieOverride = { applied: boolean; value: string | null }\n\nfunction decodeCookieValue(raw: string | undefined): string | null {\n  if (raw === undefined) return null\n  try {\n    const decoded = decodeURIComponent(raw)\n    return decoded ?? null\n  } catch {\n    return raw ?? null\n  }\n}\n\nfunction readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {\n  if (!header) return undefined\n  const parts = header.split(';')\n  for (const part of parts) {\n    const trimmed = part.trim()\n    if (trimmed.startsWith(`${name}=`)) {\n      return trimmed.slice(name.length + 1)\n    }\n  }\n  return undefined\n}\n\nfunction resolveTenantOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded) return { applied: true, value: null }\n  const trimmed = decoded.trim()\n  if (!trimmed) return { applied: true, value: null }\n  return { applied: true, value: trimmed }\n}\n\nfunction resolveOrganizationOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded || decoded === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  const trimmed = decoded.trim()\n  if (!trimmed || trimmed === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  return { applied: true, value: trimmed }\n}\n\nfunction isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {\n  if (!auth) return false\n  if ((auth as Record<string, unknown>).isSuperAdmin === true) return true\n  const roles = Array.isArray(auth?.roles) ? auth.roles : []\n  return roles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)\n}\n\nfunction applySuperAdminScope(\n  auth: AuthContext,\n  tenantCookie: string | undefined,\n  orgCookie: string | undefined\n): AuthContext {\n  if (!auth || !isSuperAdminAuth(auth)) return auth\n\n  const tenantOverride = resolveTenantOverride(tenantCookie)\n  const orgOverride = resolveOrganizationOverride(orgCookie)\n  if (!tenantOverride.applied && !orgOverride.applied) return auth\n\n  type MutableAuthContext = Exclude<AuthContext, null> & {\n    actorTenantId?: string | null\n    actorOrgId?: string | null\n  }\n  const baseAuth = auth as Exclude<AuthContext, null>\n  const next: MutableAuthContext = { ...baseAuth }\n  if (tenantOverride.applied) {\n    if (!('actorTenantId' in next)) next.actorTenantId = auth?.tenantId ?? null\n    next.tenantId = tenantOverride.value\n  }\n  if (orgOverride.applied) {\n    if (!('actorOrgId' in next)) next.actorOrgId = auth?.orgId ?? null\n    next.orgId = orgOverride.value\n  }\n  next.isSuperAdmin = true\n  const existingRoles = Array.isArray(next.roles) ? next.roles : []\n  if (!existingRoles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)) {\n    next.roles = [...existingRoles, 'superadmin']\n  }\n  return next\n}\n\nasync function resolveApiKeyAuth(secret: string): Promise<AuthContext> {\n  if (!secret) return null\n  try {\n    const { createRequestContainer } = await import('@open-mercato/shared/lib/di/container')\n    const container = await createRequestContainer()\n    const em = (container.resolve('em') as EntityManager)\n    const { findApiKeyBySecret } = await import('@open-mercato/core/modules/api_keys/services/apiKeyService')\n    const { Role } = await import('@open-mercato/core/modules/auth/data/entities')\n\n    const record = await findApiKeyBySecret(em, secret)\n    if (!record) return null\n\n    const roleIds = Array.isArray(record.rolesJson)\n      ? record.rolesJson.filter((value): value is string => typeof value === 'string' && value.length > 0)\n      : []\n    const roles = roleIds.length\n      ? await em.find(Role, { id: { $in: roleIds } })\n      : []\n    const roleNames = roles.map((role) => role.name).filter((name): name is string => typeof name === 'string' && name.length > 0)\n\n    try {\n      record.lastUsedAt = new Date()\n      await em.persistAndFlush(record)\n    } catch {\n      // best-effort update; ignore write failures\n    }\n\n    return {\n      sub: `api_key:${record.id}`,\n      tenantId: record.tenantId ?? null,\n      orgId: record.organizationId ?? null,\n      roles: roleNames,\n      isApiKey: true,\n      keyId: record.id,\n      keyName: record.name,\n    }\n  } catch {\n    return null\n  }\n}\n\nfunction extractApiKey(req: Request): string | null {\n  const header = (req.headers.get('x-api-key') || '').trim()\n  if (header) return header\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  if (authHeader.toLowerCase().startsWith('apikey ')) {\n    return authHeader.slice(7).trim()\n  }\n  return null\n}\n\nexport async function getAuthFromCookies(): Promise<AuthContext> {\n  const cookieStore = await cookies()\n  const token = cookieStore.get('auth_token')?.value\n  if (!token) return null\n  try {\n    const payload = verifyJwt(token) as AuthContext\n    if (!payload) return null\n    const tenantCookie = cookieStore.get(TENANT_COOKIE_NAME)?.value\n    const orgCookie = cookieStore.get(ORGANIZATION_COOKIE_NAME)?.value\n    return applySuperAdminScope(payload, tenantCookie, orgCookie)\n  } catch {\n    return null\n  }\n}\n\nexport async function getAuthFromRequest(req: Request): Promise<AuthContext> {\n  const cookieHeader = req.headers.get('cookie') || ''\n  const tenantCookie = readCookieFromHeader(cookieHeader, TENANT_COOKIE_NAME)\n  const orgCookie = readCookieFromHeader(cookieHeader, ORGANIZATION_COOKIE_NAME)\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  let token: string | undefined\n  if (authHeader.toLowerCase().startsWith('bearer ')) token = authHeader.slice(7).trim()\n  if (!token) {\n    const match = cookieHeader.match(/(?:^|;\\s*)auth_token=([^;]+)/)\n    if (match) token = decodeURIComponent(match[1])\n  }\n  if (token) {\n    try {\n      const payload = verifyJwt(token) as AuthContext\n      if (payload) return applySuperAdminScope(payload, tenantCookie, orgCookie)\n    } catch {\n      // fall back to API key detection\n    }\n  }\n\n  const apiKey = extractApiKey(req)\n  if (!apiKey) return null\n  const apiAuth = await resolveApiKeyAuth(apiKey)\n  if (!apiAuth) return null\n  return applySuperAdminScope(apiAuth, tenantCookie, orgCookie)\n}\n"],
+  "mappings": "AAAA,SAAS,eAAe;AAExB,SAAS,iBAAiB;AAE1B,MAAM,qBAAqB;AAC3B,MAAM,2BAA2B;AACjC,MAAM,iCAAiC;AACvC,MAAM,kBAAkB;AAgBxB,SAAS,kBAAkB,KAAwC;AACjE,MAAI,QAAQ,OAAW,QAAO;AAC9B,MAAI;AACF,UAAM,UAAU,mBAAmB,GAAG;AACtC,WAAO,WAAW;AAAA,EACpB,QAAQ;AACN,WAAO,OAAO;AAAA,EAChB;AACF;AAEA,SAAS,qBAAqB,QAAmC,MAAkC;AACjG,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,QAAQ,OAAO,MAAM,GAAG;AAC9B,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,QAAQ,WAAW,GAAG,IAAI,GAAG,GAAG;AAClC,aAAO,QAAQ,MAAM,KAAK,SAAS,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,KAAyC;AACtE,MAAI,QAAQ,OAAW,QAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAC5D,QAAM,UAAU,kBAAkB,GAAG;AACrC,MAAI,CAAC,QAAS,QAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAClD,QAAM,UAAU,QAAQ,KAAK;AAC7B,MAAI,CAAC,QAAS,QAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAClD,SAAO,EAAE,SAAS,MAAM,OAAO,QAAQ;AACzC;AAEA,SAAS,4BAA4B,KAAyC;AAC5E,MAAI,QAAQ,OAAW,QAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAC5D,QAAM,UAAU,kBAAkB,GAAG;AACrC,MAAI,CAAC,WAAW,YAAY,gCAAgC;AAC1D,WAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAAA,EACtC;AACA,QAAM,UAAU,QAAQ,KAAK;AAC7B,MAAI,CAAC,WAAW,YAAY,gCAAgC;AAC1D,WAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAAA,EACtC;AACA,SAAO,EAAE,SAAS,MAAM,OAAO,QAAQ;AACzC;AAEA,SAAS,iBAAiB,MAA+C;AACvE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAK,KAAiC,iBAAiB,KAAM,QAAO;AACpE,QAAM,QAAQ,MAAM,QAAQ,MAAM,KAAK,IAAI,KAAK,QAAQ,CAAC;AACzD,SAAO,MAAM,KAAK,CAAC,SAAS,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,YAAY,MAAM,eAAe;AACvG;AAEA,SAAS,qBACP,MACA,cACA,WACa;AACb,MAAI,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAG,QAAO;AAE7C,QAAM,iBAAiB,sBAAsB,YAAY;AACzD,QAAM,cAAc,4BAA4B,SAAS;AACzD,MAAI,CAAC,eAAe,WAAW,CAAC,YAAY,QAAS,QAAO;AAM5D,QAAM,WAAW;AACjB,QAAM,OAA2B,EAAE,GAAG,SAAS;AAC/C,MAAI,eAAe,SAAS;AAC1B,QAAI,EAAE,mBAAmB,MAAO,MAAK,gBAAgB,MAAM,YAAY;AACvE,SAAK,WAAW,eAAe;AAAA,EACjC;AACA,MAAI,YAAY,SAAS;AACvB,QAAI,EAAE,gBAAgB,MAAO,MAAK,aAAa,MAAM,SAAS;AAC9D,SAAK,QAAQ,YAAY;AAAA,EAC3B;AACA,OAAK,eAAe;AACpB,QAAM,gBAAgB,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AAChE,MAAI,CAAC,cAAc,KAAK,CAAC,SAAS,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,YAAY,MAAM,eAAe,GAAG;AAC5G,SAAK,QAAQ,CAAC,GAAG,eAAe,YAAY;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,eAAe,kBAAkB,QAAsC;AACrE,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACF,UAAM,EAAE,uBAAuB,IAAI,MAAM,OAAO,uCAAuC;AACvF,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,UAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,4DAA4D;AACxG,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,+CAA+C;AAE7E,UAAM,SAAS,MAAM,mBAAmB,IAAI,MAAM;AAClD,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,UAAU,MAAM,QAAQ,OAAO,SAAS,IAC1C,OAAO,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,YAAY,MAAM,SAAS,CAAC,IACjG,CAAC;AACL,UAAM,QAAQ,QAAQ,SAClB,MAAM,GAAG,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC,IAC5C,CAAC;AACL,UAAM,YAAY,MAAM,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE,OAAO,CAAC,SAAyB,OAAO,SAAS,YAAY,KAAK,SAAS,CAAC;AAE7H,QAAI;AACF,aAAO,aAAa,oBAAI,KAAK;AAC7B,YAAM,GAAG,gBAAgB,MAAM;AAAA,IACjC,QAAQ;AAAA,IAER;AAEA,WAAO;AAAA,MACL,KAAK,WAAW,OAAO,EAAE;AAAA,MACzB,UAAU,OAAO,YAAY;AAAA,MAC7B,OAAO,OAAO,kBAAkB;AAAA,MAChC,OAAO;AAAA,MACP,UAAU;AAAA,MACV,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,IAClB;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,KAA6B;AAClD,QAAM,UAAU,IAAI,QAAQ,IAAI,WAAW,KAAK,IAAI,KAAK;AACzD,MAAI,OAAQ,QAAO;AACnB,QAAM,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,IAAI,KAAK;AACjE,MAAI,WAAW,YAAY,EAAE,WAAW,SAAS,GAAG;AAClD,WAAO,WAAW,MAAM,CAAC,EAAE,KAAK;AAAA,EAClC;AACA,SAAO;AACT;AAEA,eAAsB,qBAA2C;AAC/D,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,QAAQ,YAAY,IAAI,YAAY,GAAG;AAC7C,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI;AACF,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,QAAS,QAAO;AACrB,UAAM,eAAe,YAAY,IAAI,kBAAkB,GAAG;AAC1D,UAAM,YAAY,YAAY,IAAI,wBAAwB,GAAG;AAC7D,WAAO,qBAAqB,SAAS,cAAc,SAAS;AAAA,EAC9D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,mBAAmB,KAAoC;AAC3E,QAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAClD,QAAM,eAAe,qBAAqB,cAAc,kBAAkB;AAC1E,QAAM,YAAY,qBAAqB,cAAc,wBAAwB;AAC7E,QAAM,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,IAAI,KAAK;AACjE,MAAI;AACJ,MAAI,WAAW,YAAY,EAAE,WAAW,SAAS,EAAG,SAAQ,WAAW,MAAM,CAAC,EAAE,KAAK;AACrF,MAAI,CAAC,OAAO;AACV,UAAM,QAAQ,aAAa,MAAM,8BAA8B;AAC/D,QAAI,MAAO,SAAQ,mBAAmB,MAAM,CAAC,CAAC;AAAA,EAChD;AACA,MAAI,OAAO;AACT,QAAI;AACF,YAAM,UAAU,UAAU,KAAK;AAC/B,UAAI,QAAS,QAAO,qBAAqB,SAAS,cAAc,SAAS;AAAA,IAC3E,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,SAAS,cAAc,GAAG;AAChC,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,MAAM,kBAAkB,MAAM;AAC9C,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,qBAAqB,SAAS,cAAc,SAAS;AAC9D;",
+  "names": []
+}

package/dist/lib/boolean.js

@@ -0,0 +1,22 @@
+const TRUE_VALUES = /* @__PURE__ */ new Set(["1", "true", "yes", "y", "on", "enable", "enabled"]);
+const FALSE_VALUES = /* @__PURE__ */ new Set(["0", "false", "no", "n", "off", "disable", "disabled"]);
+function parseBooleanToken(raw) {
+  if (typeof raw !== "string") return null;
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  const normalized = trimmed.toLowerCase();
+  if (TRUE_VALUES.has(normalized)) return true;
+  if (FALSE_VALUES.has(normalized)) return false;
+  return null;
+}
+function parseBooleanWithDefault(raw, fallback) {
+  const parsed = parseBooleanToken(raw);
+  return parsed === null ? fallback : parsed;
+}
+export {
+  FALSE_VALUES,
+  TRUE_VALUES,
+  parseBooleanToken,
+  parseBooleanWithDefault
+};
+//# sourceMappingURL=boolean.js.map

package/dist/lib/boolean.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/lib/boolean.ts"],
+  "sourcesContent": ["export const TRUE_VALUES = new Set(['1', 'true', 'yes', 'y', 'on', 'enable', 'enabled'])\nexport const FALSE_VALUES = new Set(['0', 'false', 'no', 'n', 'off', 'disable', 'disabled'])\n\nexport function parseBooleanToken(raw: string | null | undefined): boolean | null {\n  if (typeof raw !== 'string') return null\n  const trimmed = raw.trim()\n  if (!trimmed) return null\n  const normalized = trimmed.toLowerCase()\n  if (TRUE_VALUES.has(normalized)) return true\n  if (FALSE_VALUES.has(normalized)) return false\n  return null\n}\n\nexport function parseBooleanWithDefault(raw: string | null | undefined, fallback: boolean): boolean {\n  const parsed = parseBooleanToken(raw)\n  return parsed === null ? fallback : parsed\n}\n"],
+  "mappings": "AAAO,MAAM,cAAc,oBAAI,IAAI,CAAC,KAAK,QAAQ,OAAO,KAAK,MAAM,UAAU,SAAS,CAAC;AAChF,MAAM,eAAe,oBAAI,IAAI,CAAC,KAAK,SAAS,MAAM,KAAK,OAAO,WAAW,UAAU,CAAC;AAEpF,SAAS,kBAAkB,KAAgD;AAChF,MAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,QAAM,UAAU,IAAI,KAAK;AACzB,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,aAAa,QAAQ,YAAY;AACvC,MAAI,YAAY,IAAI,UAAU,EAAG,QAAO;AACxC,MAAI,aAAa,IAAI,UAAU,EAAG,QAAO;AACzC,SAAO;AACT;AAEO,SAAS,wBAAwB,KAAgC,UAA4B;AAClG,QAAM,SAAS,kBAAkB,GAAG;AACpC,SAAO,WAAW,OAAO,WAAW;AACtC;",
+  "names": []
+}