@open-mercato/shared 0.4.2-canary-c02407ff85

package/src/lib/encryption/tenantDataEncryptionService.ts

@@ -0,0 +1,313 @@
+import type { EntityManager } from '@mikro-orm/postgresql'
+import type { CacheStrategy } from '@open-mercato/cache'
+import { decryptWithAesGcm, encryptWithAesGcm, hashForLookup } from './aes'
+import { createKmsService, type KmsService, type TenantDek } from './kms'
+import { isTenantDataEncryptionEnabled, isEncryptionDebugEnabled } from './toggles'
+import { EncryptionMap } from '@open-mercato/core/modules/entities/data/entities'
+
+export type EncryptedFieldRule = {
+  field: string
+  hashField?: string | null
+}
+
+export type EncryptionMapRecord = {
+  entityId: string
+  fields: EncryptedFieldRule[]
+}
+
+type MapCacheKey = {
+  entityId: string
+  tenantId: string | null
+  organizationId: string | null
+}
+
+const MAP_MISS_TTL_MS = 5 * 60 * 1000
+
+function cacheKey(key: MapCacheKey): string {
+  return [
+    'encmap',
+    key.entityId.toLowerCase(),
+    key.tenantId ?? 'null',
+    key.organizationId ?? 'null',
+  ].join(':')
+}
+
+function debug(event: string, payload: Record<string, unknown>) {
+  if (!isEncryptionDebugEnabled()) return
+  try {
+    // eslint-disable-next-line no-console
+    console.debug(`${event} [tenant-encryption]`, payload)
+  } catch {
+    // ignore
+  }
+}
+
+const toSnakeCase = (value: string): string =>
+  value.replace(/([A-Z])/g, '_$1').replace(/__/g, '_').toLowerCase()
+
+const toCamelCase = (value: string): string =>
+  value.replace(/_([a-z])/g, (_, c) => c.toUpperCase())
+
+function findKey(obj: Record<string, unknown>, key: string): string | null {
+  const candidates = [key, toSnakeCase(key), toCamelCase(key)]
+  for (const candidate of candidates) {
+    if (Object.prototype.hasOwnProperty.call(obj, candidate)) return candidate
+  }
+  return null
+}
+
+function isEncryptedPayload(value: unknown): boolean {
+  if (typeof value !== 'string') return false
+  const parts = value.split(':')
+  return parts.length === 4 && parts[3] === 'v1'
+}
+
+export class TenantDataEncryptionService {
+  private static globalMemoryCache = new Map<string, EncryptionMapRecord>()
+  private static globalInflightMaps = new Map<string, Promise<EncryptionMapRecord | null>>()
+  private static globalDekCache = new Map<string, TenantDek>()
+  private static globalMissCache = new Map<string, number>()
+  private readonly kms: KmsService
+  private readonly cache?: CacheStrategy
+  private readonly memoryCache = TenantDataEncryptionService.globalMemoryCache
+  private readonly dekCache = TenantDataEncryptionService.globalDekCache
+  private readonly inflightMaps = TenantDataEncryptionService.globalInflightMaps
+  private readonly missCache = TenantDataEncryptionService.globalMissCache
+
+  constructor(
+    private em: EntityManager,
+    opts?: { cache?: CacheStrategy; kms?: KmsService }
+  ) {
+    this.cache = opts?.cache
+    this.kms = opts?.kms ?? createKmsService()
+  }
+
+  isEnabled(): boolean {
+    return isTenantDataEncryptionEnabled() && this.kms.isHealthy()
+  }
+
+  async getDek(tenantId: string | null | undefined): Promise<TenantDek | null> {
+    if (!tenantId) return null
+    const cached = this.dekCache.get(tenantId)
+    if (cached) return cached
+    const dek = await this.kms.getTenantDek(tenantId)
+    if (!dek) {
+      debug('🔎 dek.miss', { tenantId })
+    } else {
+      debug('✅ dek.hit', { tenantId })
+    }
+    if (dek) this.dekCache.set(tenantId, dek)
+    return dek
+  }
+
+  private async resolveDekForEncrypt(tenantId: string | null): Promise<TenantDek | null> {
+    const existing = await this.getDek(tenantId)
+    if (existing || !tenantId) return existing ?? null
+    if (typeof this.kms.createTenantDek !== 'function') return existing ?? null
+    const created = await this.kms.createTenantDek(tenantId)
+    if (created) this.dekCache.set(tenantId, created)
+    return created ?? null
+  }
+
+  async createDek(tenantId: string): Promise<TenantDek | null> {
+    const dek = await this.kms.createTenantDek(tenantId)
+    if (dek) this.dekCache.set(tenantId, dek)
+    return dek
+  }
+
+  private async fetchMap(key: MapCacheKey): Promise<EncryptionMapRecord | null> {
+    // Bypass ORM lifecycle hooks to avoid recursive decrypt loops by querying directly.
+    const conn: any = (this.em as any)?.getConnection?.()
+    if (!conn || typeof conn.execute !== 'function') return null
+    const sql = `
+      select entity_id, fields_json
+      from encryption_maps
+      where entity_id = ?
+        and tenant_id is not distinct from ?
+        and organization_id is not distinct from ?
+        and is_active = true
+        and deleted_at is null
+      limit 1
+    `
+    const rows = await conn.execute(sql, [key.entityId, key.tenantId ?? null, key.organizationId ?? null])
+    const row = Array.isArray(rows) && rows.length ? rows[0] : null
+    if (!row) return null
+    return {
+      entityId: row.entity_id || row.entityId || key.entityId,
+      fields: Array.isArray(row.fields_json)
+        ? (row.fields_json as EncryptedFieldRule[])
+        : Array.isArray(row.fieldsJson)
+          ? (row.fieldsJson as EncryptedFieldRule[])
+          : [],
+    }
+  }
+
+  private async getMap(key: MapCacheKey): Promise<EncryptionMapRecord | null> {
+    const shouldSkipLookup = (tag: string) => {
+      const expiresAt = this.missCache.get(tag)
+      if (!expiresAt) return false
+      if (expiresAt > Date.now()) return true
+      this.missCache.delete(tag)
+      return false
+    }
+    const recordMiss = (tag: string) => {
+      this.missCache.set(tag, Date.now() + MAP_MISS_TTL_MS)
+    }
+
+    const candidates: MapCacheKey[] = [
+      key,
+      { entityId: key.entityId, tenantId: key.tenantId ?? null, organizationId: null },
+      { entityId: key.entityId, tenantId: null, organizationId: null },
+    ]
+    for (const candidate of candidates) {
+      const tag = cacheKey(candidate)
+      if (shouldSkipLookup(tag)) continue
+      if (this.inflightMaps.has(tag)) {
+        const pending = this.inflightMaps.get(tag)!
+        const resolved = await pending
+        if (resolved) return resolved
+      }
+      const mem = this.memoryCache.get(tag)
+      if (mem) return mem
+      if (this.cache && typeof this.cache.get === 'function') {
+        const cached = await this.cache.get(tag)
+        if (cached) return cached as EncryptionMapRecord
+      }
+      const pending = this.fetchMap(candidate)
+      this.inflightMaps.set(tag, pending)
+      const loaded = await pending
+      this.inflightMaps.delete(tag)
+      if (!loaded) {
+        recordMiss(tag)
+        debug('🔍 encmap.miss', {
+          entityId: candidate.entityId,
+          tenantId: candidate.tenantId,
+          organizationId: candidate.organizationId,
+        })
+        continue
+      }
+      this.missCache.delete(tag)
+      this.memoryCache.set(tag, loaded)
+      if (this.cache && typeof this.cache.set === 'function') {
+        await this.cache.set(tag, loaded, { ttl: 300 })
+      }
+      return loaded
+    }
+    return null
+  }
+
+  async invalidateMap(entityId: string, tenantId: string | null, organizationId: string | null): Promise<void> {
+    const tag = cacheKey({ entityId, tenantId, organizationId })
+    this.memoryCache.delete(tag)
+    this.inflightMaps.delete(tag)
+    this.missCache.delete(tag)
+    if (this.cache && typeof (this.cache as any).delete === 'function') {
+      await (this.cache as any).delete(tag)
+    }
+  }
+
+  private encryptFields(
+    obj: Record<string, unknown>,
+    fields: EncryptedFieldRule[],
+    dek: TenantDek
+  ): Record<string, unknown> {
+    const clone: Record<string, unknown> = { ...obj }
+    for (const rule of fields) {
+      const key = findKey(clone, rule.field)
+      if (!key) continue
+      const value = clone[key]
+      if (value === null || value === undefined) continue
+       // Avoid double-encrypting already encrypted payloads
+      if (isEncryptedPayload(value)) continue
+      const serialized = typeof value === 'string' ? value : JSON.stringify(value)
+      const payload = encryptWithAesGcm(serialized, dek.key)
+      clone[key] = payload.value
+      if (rule.hashField) {
+        const hashKey = findKey(clone, rule.hashField) ?? rule.hashField
+        clone[hashKey] = hashForLookup(serialized)
+      }
+    }
+    return clone
+  }
+
+  private decryptFields(
+    obj: Record<string, unknown>,
+    fields: EncryptedFieldRule[],
+    dek: TenantDek
+  ): Record<string, unknown> {
+    const clone: Record<string, unknown> = { ...obj }
+    const maybeDecrypt = (payload: string): string | null => {
+      const first = decryptWithAesGcm(payload, dek.key)
+      if (first === null) return null
+      // Handle accidental double-encryption: if the first pass still looks like a v1 payload, try once more.
+      const parts = first.split(':')
+      if (parts.length === 4 && parts[3] === 'v1') {
+        const second = decryptWithAesGcm(first, dek.key)
+        return second ?? first
+      }
+      return first
+    }
+    for (const rule of fields) {
+      const key = findKey(clone, rule.field)
+      if (!key) continue
+      const value = clone[key]
+      if (typeof value !== 'string') continue
+      const decrypted = maybeDecrypt(value)
+      if (decrypted === null) continue
+      try {
+        clone[key] = JSON.parse(decrypted)
+      } catch {
+        clone[key] = decrypted
+      }
+    }
+    return clone
+  }
+
+  async encryptEntityPayload(
+    entityId: string,
+    payload: Record<string, unknown>,
+    tenantId: string | null | undefined,
+    organizationId?: string | null
+  ): Promise<Record<string, unknown>> {
+    if (!this.isEnabled()) {
+      debug('⚪️ encrypt.skip.disabled', { entityId, tenantId })
+      return payload
+    }
+    const dek = await this.resolveDekForEncrypt(tenantId ?? null)
+    if (!dek) {
+      debug('⚠️ encrypt.skip.no-dek', { entityId, tenantId })
+      return payload
+    }
+    const map = await this.getMap({ entityId, tenantId: tenantId ?? null, organizationId: organizationId ?? null })
+    if (!map || !map.fields?.length) {
+      debug('⚪️ encrypt.skip.no-map', { entityId, tenantId })
+      return payload
+    }
+    debug('🔒 encrypt_entity', { entityId, tenantId, organizationId, fields: map.fields.length })
+    return this.encryptFields(payload, map.fields, dek)
+  }
+
+  async decryptEntityPayload(
+    entityId: string,
+    payload: Record<string, unknown>,
+    tenantId: string | null | undefined,
+    organizationId?: string | null
+  ): Promise<Record<string, unknown>> {
+    if (!isTenantDataEncryptionEnabled()) {
+      debug('⚪️ decrypt.skip.disabled', { entityId, tenantId })
+      return payload
+    }
+    const dek = await this.getDek(tenantId ?? null)
+    if (!dek) {
+      debug('⚠️ decrypt.skip.no-dek', { entityId, tenantId })
+      return payload
+    }
+    const map = await this.getMap({ entityId, tenantId: tenantId ?? null, organizationId: organizationId ?? null })
+    if (!map || !map.fields?.length) {
+      debug('⚪️ decrypt.skip.no-map', { entityId, tenantId })
+      return payload
+    }
+    debug('🔓 decrypt_entity', { entityId, tenantId, organizationId, fields: map.fields.length })
+    return this.decryptFields(payload, map.fields, dek)
+  }
+}

package/src/lib/encryption/toggles.ts

@@ -0,0 +1,15 @@
+import { parseBooleanToken } from '../boolean'
+
+export function isTenantDataEncryptionEnabled(): boolean {
+  const rawEnv = process.env.TENANT_DATA_ENCRYPTION
+  if (rawEnv === undefined) return true
+  const trimmed = rawEnv.trim()
+  if (!trimmed) return true
+  const parsed = parseBooleanToken(trimmed)
+  return parsed === null ? true : parsed
+}
+
+export function isEncryptionDebugEnabled(): boolean {
+  const parsed = parseBooleanToken(process.env.TENANT_DATA_ENCRYPTION_DEBUG ?? '')
+  return parsed === true
+}

package/src/lib/entities/naming.ts

@@ -0,0 +1,6 @@
+export function tableNameFromEntityId(entityId: string): string {
+  const [, name] = entityId.split(':')
+  if (!name) return ''
+  return name.endsWith('s') ? name : `${name}s`
+}
+

package/src/lib/entities/system-entities.ts

@@ -0,0 +1,43 @@
+const RESERVED_SYSTEM_ENTITY_TYPES = new Set<string>([
+  'entities:custom_entity',
+  'entities:custom_entity_storage',
+  'entities:custom_field_def',
+  'entities:custom_field_value',
+  'query_index:entity_index_row',
+  'query_index:entity_index_coverage',
+  'query_index:search_token',
+])
+
+export function isSystemEntitySelectable(entityId: string): boolean {
+  if (!entityId) return false
+  return !RESERVED_SYSTEM_ENTITY_TYPES.has(entityId)
+}
+
+export function flattenSystemEntityIds(
+  allEntities: Record<string, Record<string, string>>,
+  options?: { predicate?: (entityType: string) => boolean },
+): string[] {
+  if (!allEntities) return []
+  const predicate = options?.predicate || isSystemEntitySelectable
+  const seen = new Set<string>()
+  for (const bucket of Object.values(allEntities)) {
+    for (const id of Object.values(bucket ?? {})) {
+      if (typeof id !== 'string' || id.length === 0) continue
+      if (!predicate(id)) continue
+      seen.add(id)
+    }
+  }
+  return Array.from(seen).sort()
+}
+
+export function filterSelectableSystemEntityIds(entityIds: Iterable<string>): string[] {
+  const selected: string[] = []
+  for (const id of entityIds) {
+    if (isSystemEntitySelectable(id)) selected.push(id)
+  }
+  return selected
+}
+
+export function isReservedSystemEntityType(entityId: string): boolean {
+  return RESERVED_SYSTEM_ENTITY_TYPES.has(entityId)
+}

package/src/lib/frontend/organizationEvents.ts

@@ -0,0 +1,55 @@
+export const ORGANIZATION_SCOPE_CHANGED_EVENT = 'om:organization-scope-changed'
+
+export type OrganizationScopeChangedDetail = {
+  organizationId: string | null
+  tenantId: string | null
+}
+
+// Module-level state to track current scope and version
+let currentScope: OrganizationScopeChangedDetail = { 
+  organizationId: null, 
+  tenantId: null 
+}
+let currentVersion = 0
+
+export function getCurrentOrganizationScope(): OrganizationScopeChangedDetail {
+  return { ...currentScope }
+}
+
+export function getCurrentOrganizationScopeVersion(): number {
+  return currentVersion
+}
+
+export function emitOrganizationScopeChanged(detail: OrganizationScopeChangedDetail): void {
+  if (typeof window === 'undefined' || typeof CustomEvent === 'undefined') return
+  
+  // Detect actual changes
+  const hasChanged = 
+    currentScope.organizationId !== detail.organizationId ||
+    currentScope.tenantId !== detail.tenantId
+  
+  // Update module-level state
+  currentScope = { ...detail }
+  
+  // Increment version only if actual change detected
+  if (hasChanged) {
+    currentVersion++
+  }
+  
+  // Emit event
+  window.dispatchEvent(new CustomEvent<OrganizationScopeChangedDetail>(ORGANIZATION_SCOPE_CHANGED_EVENT, { detail }))
+}
+
+export function subscribeOrganizationScopeChanged(
+  handler: (detail: OrganizationScopeChangedDetail) => void
+): () => void {
+  if (typeof window === 'undefined') return () => {}
+  const listener = (event: Event) => {
+    const detail = (event as CustomEvent<OrganizationScopeChangedDetail>).detail ?? { organizationId: null, tenantId: null }
+    handler(detail)
+  }
+  window.addEventListener(ORGANIZATION_SCOPE_CHANGED_EVENT, listener as EventListener)
+  return () => {
+    window.removeEventListener(ORGANIZATION_SCOPE_CHANGED_EVENT, listener as EventListener)
+  }
+}

package/src/lib/frontend/useOrganizationScope.ts

@@ -0,0 +1,30 @@
+"use client"
+import * as React from 'react'
+import { 
+  subscribeOrganizationScopeChanged, 
+  getCurrentOrganizationScope,
+  getCurrentOrganizationScopeVersion,
+  type OrganizationScopeChangedDetail 
+} from './organizationEvents'
+
+export function useOrganizationScopeVersion(): number {
+  const [version, setVersion] = React.useState(getCurrentOrganizationScopeVersion)
+  React.useEffect(() => {
+    return subscribeOrganizationScopeChanged(() => {
+      setVersion(getCurrentOrganizationScopeVersion())
+    })
+  }, [])
+  return version
+}
+
+export function useOrganizationScopeDetail(): OrganizationScopeChangedDetail {
+  const [detail, setDetail] = React.useState<OrganizationScopeChangedDetail>(
+    getCurrentOrganizationScope
+  )
+  React.useEffect(() => {
+    return subscribeOrganizationScopeChanged((next) => {
+      setDetail(next)
+    })
+  }, [])
+  return detail
+}

package/src/lib/hotkeys/index.ts

@@ -0,0 +1,168 @@
+"use client"
+
+type HotkeyRegistration = {
+  combos: Set<string>
+  callback: (event: KeyboardEvent) => void
+  debounce: number
+  lastTriggered: number
+}
+
+const scopes = new Map<string, Set<HotkeyRegistration>>()
+
+const MODIFIER_SYNONYMS: Record<string, string> = {
+  cmd: 'meta',
+  command: 'meta',
+  option: 'alt',
+  opt: 'alt',
+  control: 'ctrl',
+  ctrl: 'ctrl',
+  shift: 'shift',
+  meta: 'meta',
+  alt: 'alt',
+}
+
+let listenersAttached = false
+
+const THIRTY_FPS_INTERVAL = 1000 / 30
+
+function normalizeToken(token: string): string {
+  const trimmed = token.trim().toLowerCase()
+  if (!trimmed) return ''
+  if (trimmed in MODIFIER_SYNONYMS) return MODIFIER_SYNONYMS[trimmed]
+  if (trimmed === 'return') return 'enter'
+  if (trimmed === 'space') return ' '
+  return trimmed
+}
+
+function serializeCombination(tokens: string[]): string {
+  const filtered = tokens.filter(Boolean)
+  filtered.sort()
+  return filtered.join('+')
+}
+
+function parseHotkeys(hotkeys: string): Set<string> {
+  return new Set(
+    hotkeys
+      .split(/\s+/)
+      .map((combo) =>
+        serializeCombination(
+          combo
+            .split('+')
+            .map(normalizeToken)
+            .filter(Boolean),
+        ),
+      )
+      .filter(Boolean),
+  )
+}
+
+function createRegistration(
+  hotkeys: string,
+  callback: (event: KeyboardEvent) => void,
+  debounce: number,
+): HotkeyRegistration {
+  const combos = parseHotkeys(hotkeys)
+  return {
+    combos,
+    callback,
+    debounce: Math.max(debounce, THIRTY_FPS_INTERVAL),
+    lastTriggered: 0,
+  }
+}
+
+function activeCombination(event: KeyboardEvent): string | null {
+  const keys: string[] = []
+  if (event.metaKey) keys.push('meta')
+  if (event.ctrlKey) keys.push('ctrl')
+  if (event.altKey) keys.push('alt')
+  if (event.shiftKey) keys.push('shift')
+
+  const key = normalizeToken(event.key)
+  if (key && !(key in MODIFIER_SYNONYMS)) {
+    keys.push(key.length === 1 ? key : normalizeToken(key))
+  } else if (keys.length === 0) {
+    // Ignore pure modifier presses
+    return null
+  }
+
+  return serializeCombination(keys)
+}
+
+function handleKeydown(event: KeyboardEvent) {
+  if (event.defaultPrevented) return
+  const combo = activeCombination(event)
+  if (!combo) return
+
+  const now = Date.now()
+  scopes.forEach((registrations) => {
+    registrations.forEach((registration) => {
+      if (!registration.combos.has(combo)) return
+      if (event.repeat && now - registration.lastTriggered < registration.debounce) return
+      if (now - registration.lastTriggered < registration.debounce) return
+      registration.lastTriggered = now
+      registration.callback(event)
+    })
+  })
+}
+
+function handleKeyup() {
+  // No-op placeholder for future extensibility (mirrors API pattern from article reference)
+}
+
+function ensureListeners() {
+  if (listenersAttached) return
+  if (typeof document === 'undefined') return
+  document.addEventListener('keydown', handleKeydown)
+  document.addEventListener('keyup', handleKeyup)
+  listenersAttached = true
+}
+
+function detachListenersIfIdle() {
+  if (!listenersAttached) return
+  if (scopes.size > 0) return
+  if (typeof document === 'undefined') return
+  document.removeEventListener('keydown', handleKeydown)
+  document.removeEventListener('keyup', handleKeyup)
+  listenersAttached = false
+}
+
+export function registerHotkey(
+  hotkeys: string,
+  scopeName: string,
+  callback: (event: KeyboardEvent) => void,
+  debounceTimeInMilliseconds = 150,
+) {
+  if (typeof document === 'undefined') {
+    return {
+      bind() {},
+      unbind() {},
+    }
+  }
+
+  const registration = createRegistration(hotkeys, callback, debounceTimeInMilliseconds)
+  let scope = scopes.get(scopeName)
+
+  const bind = () => {
+    if (!scope) {
+      scope = new Set()
+      scopes.set(scopeName, scope)
+    }
+    scope.add(registration)
+    ensureListeners()
+  }
+
+  const unbind = () => {
+    const existingScope = scopes.get(scopeName)
+    if (existingScope) {
+      existingScope.delete(registration)
+      if (existingScope.size === 0) {
+        scopes.delete(scopeName)
+      }
+    }
+    detachListenersIfIdle()
+  }
+
+  bind()
+
+  return { bind, unbind }
+}

package/src/lib/i18n/app-dictionaries.ts

@@ -0,0 +1,18 @@
+import type { Locale } from './config'
+
+type DictionaryLoader = (locale: Locale) => Promise<Record<string, unknown>>
+
+let _appDictionaryLoader: DictionaryLoader | null = null
+
+export function registerAppDictionaryLoader(loader: DictionaryLoader): void {
+  _appDictionaryLoader = loader
+}
+
+export async function loadAppDictionary(locale: Locale): Promise<Record<string, unknown>> {
+  if (!_appDictionaryLoader) return {}
+  try {
+    return await _appDictionaryLoader(locale)
+  } catch {
+    return {}
+  }
+}

package/src/lib/i18n/config.ts

@@ -0,0 +1,4 @@
+export type Locale = 'en' | 'pl' | 'es' | 'de'
+
+export const locales: Locale[] = ['en', 'pl', 'es', 'de']
+export const defaultLocale: Locale = 'en'