@open-mercato/shared 0.4.9-develop-fefbbe0979 → 0.4.9-develop-db9ecc46fc

package/dist/lib/auth/server.js

@@ -1,4 +1,4 @@
-import { cookies } from "next/headers";
+import { cookies } from "next/headers.js";
 import { verifyJwt } from "./jwt.js";
 const TENANT_COOKIE_NAME = "om_selected_tenant";
 const ORGANIZATION_COOKIE_NAME = "om_selected_org";

package/dist/lib/auth/server.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/lib/auth/server.ts"],
-  "sourcesContent": ["import { cookies } from 'next/headers'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { verifyJwt } from './jwt'\n\nconst TENANT_COOKIE_NAME = 'om_selected_tenant'\nconst ORGANIZATION_COOKIE_NAME = 'om_selected_org'\nconst ALL_ORGANIZATIONS_COOKIE_VALUE = '__all__'\nconst SUPERADMIN_ROLE = 'superadmin'\n\nexport type AuthContext = {\n  sub: string\n  tenantId: string | null\n  orgId: string | null\n  email?: string\n  roles?: string[]\n  isApiKey?: boolean\n  userId?: string\n  keyId?: string\n  keyName?: string\n  [k: string]: unknown\n} | null\n\ntype CookieOverride = { applied: boolean; value: string | null }\n\nfunction decodeCookieValue(raw: string | undefined): string | null {\n  if (raw === undefined) return null\n  try {\n    const decoded = decodeURIComponent(raw)\n    return decoded ?? null\n  } catch {\n    return raw ?? null\n  }\n}\n\nfunction readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {\n  if (!header) return undefined\n  const parts = header.split(';')\n  for (const part of parts) {\n    const trimmed = part.trim()\n    if (trimmed.startsWith(`${name}=`)) {\n      return trimmed.slice(name.length + 1)\n    }\n  }\n  return undefined\n}\n\nfunction resolveTenantOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded) return { applied: true, value: null }\n  const trimmed = decoded.trim()\n  if (!trimmed) return { applied: true, value: null }\n  return { applied: true, value: trimmed }\n}\n\nfunction resolveOrganizationOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded || decoded === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  const trimmed = decoded.trim()\n  if (!trimmed || trimmed === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  return { applied: true, value: trimmed }\n}\n\nfunction isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {\n  if (!auth) return false\n  if ((auth as Record<string, unknown>).isSuperAdmin === true) return true\n  const roles = Array.isArray(auth?.roles) ? auth.roles : []\n  return roles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)\n}\n\nfunction applySuperAdminScope(\n  auth: AuthContext,\n  tenantCookie: string | undefined,\n  orgCookie: string | undefined\n): AuthContext {\n  if (!auth || !isSuperAdminAuth(auth)) return auth\n\n  const tenantOverride = resolveTenantOverride(tenantCookie)\n  const orgOverride = resolveOrganizationOverride(orgCookie)\n  if (!tenantOverride.applied && !orgOverride.applied) return auth\n\n  type MutableAuthContext = Exclude<AuthContext, null> & {\n    actorTenantId?: string | null\n    actorOrgId?: string | null\n  }\n  const baseAuth = auth as Exclude<AuthContext, null>\n  const next: MutableAuthContext = { ...baseAuth }\n  if (tenantOverride.applied) {\n    if (!('actorTenantId' in next)) next.actorTenantId = auth?.tenantId ?? null\n    next.tenantId = tenantOverride.value\n  }\n  if (orgOverride.applied) {\n    if (!('actorOrgId' in next)) next.actorOrgId = auth?.orgId ?? null\n    next.orgId = orgOverride.value\n  }\n  next.isSuperAdmin = true\n  const existingRoles = Array.isArray(next.roles) ? next.roles : []\n  if (!existingRoles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)) {\n    next.roles = [...existingRoles, 'superadmin']\n  }\n  return next\n}\n\nasync function resolveApiKeyAuth(secret: string): Promise<AuthContext> {\n  if (!secret) return null\n  try {\n    const { createRequestContainer } = await import('@open-mercato/shared/lib/di/container')\n    const container = await createRequestContainer()\n    const em = (container.resolve('em') as EntityManager)\n    const { findApiKeyBySecret } = await import('@open-mercato/core/modules/api_keys/services/apiKeyService')\n    const { Role } = await import('@open-mercato/core/modules/auth/data/entities')\n\n    const record = await findApiKeyBySecret(em, secret)\n    if (!record) return null\n\n    const roleIds = Array.isArray(record.rolesJson)\n      ? record.rolesJson.filter((value): value is string => typeof value === 'string' && value.length > 0)\n      : []\n    const roles = roleIds.length\n      ? await em.find(Role, { id: { $in: roleIds } })\n      : []\n    const roleNames = roles.map((role) => role.name).filter((name): name is string => typeof name === 'string' && name.length > 0)\n\n    try {\n      record.lastUsedAt = new Date()\n      await em.persistAndFlush(record)\n    } catch {\n      // best-effort update; ignore write failures\n    }\n\n    // For session keys, use sessionUserId; for regular keys, use createdBy\n    const actualUserId = record.sessionUserId ?? record.createdBy ?? null\n\n    return {\n      sub: `api_key:${record.id}`,\n      tenantId: record.tenantId ?? null,\n      orgId: record.organizationId ?? null,\n      roles: roleNames,\n      isApiKey: true,\n      keyId: record.id,\n      keyName: record.name,\n      ...(actualUserId ? { userId: actualUserId } : {}),\n    }\n  } catch {\n    return null\n  }\n}\n\nfunction extractApiKey(req: Request): string | null {\n  const header = (req.headers.get('x-api-key') || '').trim()\n  if (header) return header\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  if (authHeader.toLowerCase().startsWith('apikey ')) {\n    return authHeader.slice(7).trim()\n  }\n  return null\n}\n\nexport async function getAuthFromCookies(): Promise<AuthContext> {\n  const cookieStore = await cookies()\n  const token = cookieStore.get('auth_token')?.value\n  if (!token) return null\n  try {\n    const payload = verifyJwt(token) as AuthContext\n    if (!payload) return null\n    if ((payload as any).type === 'customer') return null\n    const tenantCookie = cookieStore.get(TENANT_COOKIE_NAME)?.value\n    const orgCookie = cookieStore.get(ORGANIZATION_COOKIE_NAME)?.value\n    return applySuperAdminScope(payload, tenantCookie, orgCookie)\n  } catch {\n    return null\n  }\n}\n\nexport async function getAuthFromRequest(req: Request): Promise<AuthContext> {\n  const cookieHeader = req.headers.get('cookie') || ''\n  const tenantCookie = readCookieFromHeader(cookieHeader, TENANT_COOKIE_NAME)\n  const orgCookie = readCookieFromHeader(cookieHeader, ORGANIZATION_COOKIE_NAME)\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  let token: string | undefined\n  if (authHeader.toLowerCase().startsWith('bearer ')) token = authHeader.slice(7).trim()\n  if (!token) {\n    const match = cookieHeader.match(/(?:^|;\\s*)auth_token=([^;]+)/)\n    if (match) token = decodeURIComponent(match[1])\n  }\n  if (token) {\n    try {\n      const payload = verifyJwt(token) as AuthContext\n      if (payload && (payload as any).type === 'customer') return null\n      if (payload) return applySuperAdminScope(payload, tenantCookie, orgCookie)\n    } catch {\n      // fall back to API key detection\n    }\n  }\n\n  const apiKey = extractApiKey(req)\n  if (!apiKey) return null\n  const apiAuth = await resolveApiKeyAuth(apiKey)\n  if (!apiAuth) return null\n  return applySuperAdminScope(apiAuth, tenantCookie, orgCookie)\n}\n"],
+  "sourcesContent": ["import { cookies } from 'next/headers.js'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { verifyJwt } from './jwt'\n\nconst TENANT_COOKIE_NAME = 'om_selected_tenant'\nconst ORGANIZATION_COOKIE_NAME = 'om_selected_org'\nconst ALL_ORGANIZATIONS_COOKIE_VALUE = '__all__'\nconst SUPERADMIN_ROLE = 'superadmin'\n\nexport type AuthContext = {\n  sub: string\n  tenantId: string | null\n  orgId: string | null\n  email?: string\n  roles?: string[]\n  isApiKey?: boolean\n  userId?: string\n  keyId?: string\n  keyName?: string\n  [k: string]: unknown\n} | null\n\ntype CookieOverride = { applied: boolean; value: string | null }\n\nfunction decodeCookieValue(raw: string | undefined): string | null {\n  if (raw === undefined) return null\n  try {\n    const decoded = decodeURIComponent(raw)\n    return decoded ?? null\n  } catch {\n    return raw ?? null\n  }\n}\n\nfunction readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {\n  if (!header) return undefined\n  const parts = header.split(';')\n  for (const part of parts) {\n    const trimmed = part.trim()\n    if (trimmed.startsWith(`${name}=`)) {\n      return trimmed.slice(name.length + 1)\n    }\n  }\n  return undefined\n}\n\nfunction resolveTenantOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded) return { applied: true, value: null }\n  const trimmed = decoded.trim()\n  if (!trimmed) return { applied: true, value: null }\n  return { applied: true, value: trimmed }\n}\n\nfunction resolveOrganizationOverride(raw: string | undefined): CookieOverride {\n  if (raw === undefined) return { applied: false, value: null }\n  const decoded = decodeCookieValue(raw)\n  if (!decoded || decoded === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  const trimmed = decoded.trim()\n  if (!trimmed || trimmed === ALL_ORGANIZATIONS_COOKIE_VALUE) {\n    return { applied: true, value: null }\n  }\n  return { applied: true, value: trimmed }\n}\n\nfunction isSuperAdminAuth(auth: AuthContext | null | undefined): boolean {\n  if (!auth) return false\n  if ((auth as Record<string, unknown>).isSuperAdmin === true) return true\n  const roles = Array.isArray(auth?.roles) ? auth.roles : []\n  return roles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)\n}\n\nfunction applySuperAdminScope(\n  auth: AuthContext,\n  tenantCookie: string | undefined,\n  orgCookie: string | undefined\n): AuthContext {\n  if (!auth || !isSuperAdminAuth(auth)) return auth\n\n  const tenantOverride = resolveTenantOverride(tenantCookie)\n  const orgOverride = resolveOrganizationOverride(orgCookie)\n  if (!tenantOverride.applied && !orgOverride.applied) return auth\n\n  type MutableAuthContext = Exclude<AuthContext, null> & {\n    actorTenantId?: string | null\n    actorOrgId?: string | null\n  }\n  const baseAuth = auth as Exclude<AuthContext, null>\n  const next: MutableAuthContext = { ...baseAuth }\n  if (tenantOverride.applied) {\n    if (!('actorTenantId' in next)) next.actorTenantId = auth?.tenantId ?? null\n    next.tenantId = tenantOverride.value\n  }\n  if (orgOverride.applied) {\n    if (!('actorOrgId' in next)) next.actorOrgId = auth?.orgId ?? null\n    next.orgId = orgOverride.value\n  }\n  next.isSuperAdmin = true\n  const existingRoles = Array.isArray(next.roles) ? next.roles : []\n  if (!existingRoles.some((role) => typeof role === 'string' && role.trim().toLowerCase() === SUPERADMIN_ROLE)) {\n    next.roles = [...existingRoles, 'superadmin']\n  }\n  return next\n}\n\nasync function resolveApiKeyAuth(secret: string): Promise<AuthContext> {\n  if (!secret) return null\n  try {\n    const { createRequestContainer } = await import('@open-mercato/shared/lib/di/container')\n    const container = await createRequestContainer()\n    const em = (container.resolve('em') as EntityManager)\n    const { findApiKeyBySecret } = await import('@open-mercato/core/modules/api_keys/services/apiKeyService')\n    const { Role } = await import('@open-mercato/core/modules/auth/data/entities')\n\n    const record = await findApiKeyBySecret(em, secret)\n    if (!record) return null\n\n    const roleIds = Array.isArray(record.rolesJson)\n      ? record.rolesJson.filter((value): value is string => typeof value === 'string' && value.length > 0)\n      : []\n    const roles = roleIds.length\n      ? await em.find(Role, { id: { $in: roleIds } })\n      : []\n    const roleNames = roles.map((role) => role.name).filter((name): name is string => typeof name === 'string' && name.length > 0)\n\n    try {\n      record.lastUsedAt = new Date()\n      await em.persistAndFlush(record)\n    } catch {\n      // best-effort update; ignore write failures\n    }\n\n    // For session keys, use sessionUserId; for regular keys, use createdBy\n    const actualUserId = record.sessionUserId ?? record.createdBy ?? null\n\n    return {\n      sub: `api_key:${record.id}`,\n      tenantId: record.tenantId ?? null,\n      orgId: record.organizationId ?? null,\n      roles: roleNames,\n      isApiKey: true,\n      keyId: record.id,\n      keyName: record.name,\n      ...(actualUserId ? { userId: actualUserId } : {}),\n    }\n  } catch {\n    return null\n  }\n}\n\nfunction extractApiKey(req: Request): string | null {\n  const header = (req.headers.get('x-api-key') || '').trim()\n  if (header) return header\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  if (authHeader.toLowerCase().startsWith('apikey ')) {\n    return authHeader.slice(7).trim()\n  }\n  return null\n}\n\nexport async function getAuthFromCookies(): Promise<AuthContext> {\n  const cookieStore = await cookies()\n  const token = cookieStore.get('auth_token')?.value\n  if (!token) return null\n  try {\n    const payload = verifyJwt(token) as AuthContext\n    if (!payload) return null\n    if ((payload as any).type === 'customer') return null\n    const tenantCookie = cookieStore.get(TENANT_COOKIE_NAME)?.value\n    const orgCookie = cookieStore.get(ORGANIZATION_COOKIE_NAME)?.value\n    return applySuperAdminScope(payload, tenantCookie, orgCookie)\n  } catch {\n    return null\n  }\n}\n\nexport async function getAuthFromRequest(req: Request): Promise<AuthContext> {\n  const cookieHeader = req.headers.get('cookie') || ''\n  const tenantCookie = readCookieFromHeader(cookieHeader, TENANT_COOKIE_NAME)\n  const orgCookie = readCookieFromHeader(cookieHeader, ORGANIZATION_COOKIE_NAME)\n  const authHeader = (req.headers.get('authorization') || '').trim()\n  let token: string | undefined\n  if (authHeader.toLowerCase().startsWith('bearer ')) token = authHeader.slice(7).trim()\n  if (!token) {\n    const match = cookieHeader.match(/(?:^|;\\s*)auth_token=([^;]+)/)\n    if (match) token = decodeURIComponent(match[1])\n  }\n  if (token) {\n    try {\n      const payload = verifyJwt(token) as AuthContext\n      if (payload && (payload as any).type === 'customer') return null\n      if (payload) return applySuperAdminScope(payload, tenantCookie, orgCookie)\n    } catch {\n      // fall back to API key detection\n    }\n  }\n\n  const apiKey = extractApiKey(req)\n  if (!apiKey) return null\n  const apiAuth = await resolveApiKeyAuth(apiKey)\n  if (!apiAuth) return null\n  return applySuperAdminScope(apiAuth, tenantCookie, orgCookie)\n}\n"],
   "mappings": "AAAA,SAAS,eAAe;AAExB,SAAS,iBAAiB;AAE1B,MAAM,qBAAqB;AAC3B,MAAM,2BAA2B;AACjC,MAAM,iCAAiC;AACvC,MAAM,kBAAkB;AAiBxB,SAAS,kBAAkB,KAAwC;AACjE,MAAI,QAAQ,OAAW,QAAO;AAC9B,MAAI;AACF,UAAM,UAAU,mBAAmB,GAAG;AACtC,WAAO,WAAW;AAAA,EACpB,QAAQ;AACN,WAAO,OAAO;AAAA,EAChB;AACF;AAEA,SAAS,qBAAqB,QAAmC,MAAkC;AACjG,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,QAAQ,OAAO,MAAM,GAAG;AAC9B,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,QAAQ,WAAW,GAAG,IAAI,GAAG,GAAG;AAClC,aAAO,QAAQ,MAAM,KAAK,SAAS,CAAC;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,KAAyC;AACtE,MAAI,QAAQ,OAAW,QAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAC5D,QAAM,UAAU,kBAAkB,GAAG;AACrC,MAAI,CAAC,QAAS,QAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAClD,QAAM,UAAU,QAAQ,KAAK;AAC7B,MAAI,CAAC,QAAS,QAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAClD,SAAO,EAAE,SAAS,MAAM,OAAO,QAAQ;AACzC;AAEA,SAAS,4BAA4B,KAAyC;AAC5E,MAAI,QAAQ,OAAW,QAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAC5D,QAAM,UAAU,kBAAkB,GAAG;AACrC,MAAI,CAAC,WAAW,YAAY,gCAAgC;AAC1D,WAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAAA,EACtC;AACA,QAAM,UAAU,QAAQ,KAAK;AAC7B,MAAI,CAAC,WAAW,YAAY,gCAAgC;AAC1D,WAAO,EAAE,SAAS,MAAM,OAAO,KAAK;AAAA,EACtC;AACA,SAAO,EAAE,SAAS,MAAM,OAAO,QAAQ;AACzC;AAEA,SAAS,iBAAiB,MAA+C;AACvE,MAAI,CAAC,KAAM,QAAO;AAClB,MAAK,KAAiC,iBAAiB,KAAM,QAAO;AACpE,QAAM,QAAQ,MAAM,QAAQ,MAAM,KAAK,IAAI,KAAK,QAAQ,CAAC;AACzD,SAAO,MAAM,KAAK,CAAC,SAAS,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,YAAY,MAAM,eAAe;AACvG;AAEA,SAAS,qBACP,MACA,cACA,WACa;AACb,MAAI,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAG,QAAO;AAE7C,QAAM,iBAAiB,sBAAsB,YAAY;AACzD,QAAM,cAAc,4BAA4B,SAAS;AACzD,MAAI,CAAC,eAAe,WAAW,CAAC,YAAY,QAAS,QAAO;AAM5D,QAAM,WAAW;AACjB,QAAM,OAA2B,EAAE,GAAG,SAAS;AAC/C,MAAI,eAAe,SAAS;AAC1B,QAAI,EAAE,mBAAmB,MAAO,MAAK,gBAAgB,MAAM,YAAY;AACvE,SAAK,WAAW,eAAe;AAAA,EACjC;AACA,MAAI,YAAY,SAAS;AACvB,QAAI,EAAE,gBAAgB,MAAO,MAAK,aAAa,MAAM,SAAS;AAC9D,SAAK,QAAQ,YAAY;AAAA,EAC3B;AACA,OAAK,eAAe;AACpB,QAAM,gBAAgB,MAAM,QAAQ,KAAK,KAAK,IAAI,KAAK,QAAQ,CAAC;AAChE,MAAI,CAAC,cAAc,KAAK,CAAC,SAAS,OAAO,SAAS,YAAY,KAAK,KAAK,EAAE,YAAY,MAAM,eAAe,GAAG;AAC5G,SAAK,QAAQ,CAAC,GAAG,eAAe,YAAY;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,eAAe,kBAAkB,QAAsC;AACrE,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI;AACF,UAAM,EAAE,uBAAuB,IAAI,MAAM,OAAO,uCAAuC;AACvF,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,KAAM,UAAU,QAAQ,IAAI;AAClC,UAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,4DAA4D;AACxG,UAAM,EAAE,KAAK,IAAI,MAAM,OAAO,+CAA+C;AAE7E,UAAM,SAAS,MAAM,mBAAmB,IAAI,MAAM;AAClD,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,UAAU,MAAM,QAAQ,OAAO,SAAS,IAC1C,OAAO,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,YAAY,MAAM,SAAS,CAAC,IACjG,CAAC;AACL,UAAM,QAAQ,QAAQ,SAClB,MAAM,GAAG,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC,IAC5C,CAAC;AACL,UAAM,YAAY,MAAM,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE,OAAO,CAAC,SAAyB,OAAO,SAAS,YAAY,KAAK,SAAS,CAAC;AAE7H,QAAI;AACF,aAAO,aAAa,oBAAI,KAAK;AAC7B,YAAM,GAAG,gBAAgB,MAAM;AAAA,IACjC,QAAQ;AAAA,IAER;AAGA,UAAM,eAAe,OAAO,iBAAiB,OAAO,aAAa;AAEjE,WAAO;AAAA,MACL,KAAK,WAAW,OAAO,EAAE;AAAA,MACzB,UAAU,OAAO,YAAY;AAAA,MAC7B,OAAO,OAAO,kBAAkB;AAAA,MAChC,OAAO;AAAA,MACP,UAAU;AAAA,MACV,OAAO,OAAO;AAAA,MACd,SAAS,OAAO;AAAA,MAChB,GAAI,eAAe,EAAE,QAAQ,aAAa,IAAI,CAAC;AAAA,IACjD;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,cAAc,KAA6B;AAClD,QAAM,UAAU,IAAI,QAAQ,IAAI,WAAW,KAAK,IAAI,KAAK;AACzD,MAAI,OAAQ,QAAO;AACnB,QAAM,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,IAAI,KAAK;AACjE,MAAI,WAAW,YAAY,EAAE,WAAW,SAAS,GAAG;AAClD,WAAO,WAAW,MAAM,CAAC,EAAE,KAAK;AAAA,EAClC;AACA,SAAO;AACT;AAEA,eAAsB,qBAA2C;AAC/D,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,QAAQ,YAAY,IAAI,YAAY,GAAG;AAC7C,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI;AACF,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,QAAS,QAAO;AACrB,QAAK,QAAgB,SAAS,WAAY,QAAO;AACjD,UAAM,eAAe,YAAY,IAAI,kBAAkB,GAAG;AAC1D,UAAM,YAAY,YAAY,IAAI,wBAAwB,GAAG;AAC7D,WAAO,qBAAqB,SAAS,cAAc,SAAS;AAAA,EAC9D,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,mBAAmB,KAAoC;AAC3E,QAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAClD,QAAM,eAAe,qBAAqB,cAAc,kBAAkB;AAC1E,QAAM,YAAY,qBAAqB,cAAc,wBAAwB;AAC7E,QAAM,cAAc,IAAI,QAAQ,IAAI,eAAe,KAAK,IAAI,KAAK;AACjE,MAAI;AACJ,MAAI,WAAW,YAAY,EAAE,WAAW,SAAS,EAAG,SAAQ,WAAW,MAAM,CAAC,EAAE,KAAK;AACrF,MAAI,CAAC,OAAO;AACV,UAAM,QAAQ,aAAa,MAAM,8BAA8B;AAC/D,QAAI,MAAO,SAAQ,mBAAmB,MAAM,CAAC,CAAC;AAAA,EAChD;AACA,MAAI,OAAO;AACT,QAAI;AACF,YAAM,UAAU,UAAU,KAAK;AAC/B,UAAI,WAAY,QAAgB,SAAS,WAAY,QAAO;AAC5D,UAAI,QAAS,QAAO,qBAAqB,SAAS,cAAc,SAAS;AAAA,IAC3E,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,SAAS,cAAc,GAAG;AAChC,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,MAAM,kBAAkB,MAAM;AAC9C,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,qBAAqB,SAAS,cAAc,SAAS;AAC9D;",
   "names": []
 }

package/dist/lib/crud/custom-route-interceptor.js

@@ -0,0 +1,27 @@
+import { runApiInterceptorsAfter } from "./interceptor-runner.js";
+function normalizeIdentity(value) {
+  if (!value) return "";
+  return value;
+}
+async function runCustomRouteAfterInterceptors(args) {
+  return runApiInterceptorsAfter({
+    routePath: args.routePath,
+    method: args.method,
+    request: args.request,
+    response: args.response,
+    context: {
+      em: args.context.em,
+      container: args.context.container,
+      userId: normalizeIdentity(args.context.userId),
+      organizationId: normalizeIdentity(args.context.organizationId),
+      tenantId: normalizeIdentity(args.context.tenantId),
+      userFeatures: args.context.userFeatures ?? [],
+      extensionHeaders: args.context.extensionHeaders
+    },
+    metadataByInterceptor: args.metadataByInterceptor
+  });
+}
+export {
+  runCustomRouteAfterInterceptors
+};
+//# sourceMappingURL=custom-route-interceptor.js.map

package/dist/lib/crud/custom-route-interceptor.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/crud/custom-route-interceptor.ts"],
+  "sourcesContent": ["import type { InterceptorContext, InterceptorRequest, InterceptorResponse, ApiInterceptorMethod } from './api-interceptor'\nimport { runApiInterceptorsAfter, type RunInterceptorsAfterResult } from './interceptor-runner'\n\nexport type CustomRouteAfterInterceptorContext = {\n  em: InterceptorContext['em']\n  container: InterceptorContext['container']\n  userId?: string | null\n  organizationId?: string | null\n  tenantId?: string | null\n  userFeatures?: string[]\n  extensionHeaders?: InterceptorContext['extensionHeaders']\n}\n\ntype RunCustomRouteAfterInterceptorsArgs = {\n  routePath: string\n  method: ApiInterceptorMethod\n  request: InterceptorRequest\n  response: InterceptorResponse\n  context: CustomRouteAfterInterceptorContext\n  metadataByInterceptor?: Record<string, Record<string, unknown> | undefined>\n}\n\nfunction normalizeIdentity(value: string | null | undefined): string {\n  if (!value) return ''\n  return value\n}\n\nexport async function runCustomRouteAfterInterceptors(\n  args: RunCustomRouteAfterInterceptorsArgs,\n): Promise<RunInterceptorsAfterResult> {\n  return runApiInterceptorsAfter({\n    routePath: args.routePath,\n    method: args.method,\n    request: args.request,\n    response: args.response,\n    context: {\n      em: args.context.em,\n      container: args.context.container,\n      userId: normalizeIdentity(args.context.userId),\n      organizationId: normalizeIdentity(args.context.organizationId),\n      tenantId: normalizeIdentity(args.context.tenantId),\n      userFeatures: args.context.userFeatures ?? [],\n      extensionHeaders: args.context.extensionHeaders,\n    },\n    metadataByInterceptor: args.metadataByInterceptor,\n  })\n}\n"],
+  "mappings": "AACA,SAAS,+BAAgE;AAqBzE,SAAS,kBAAkB,OAA0C;AACnE,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO;AACT;AAEA,eAAsB,gCACpB,MACqC;AACrC,SAAO,wBAAwB;AAAA,IAC7B,WAAW,KAAK;AAAA,IAChB,QAAQ,KAAK;AAAA,IACb,SAAS,KAAK;AAAA,IACd,UAAU,KAAK;AAAA,IACf,SAAS;AAAA,MACP,IAAI,KAAK,QAAQ;AAAA,MACjB,WAAW,KAAK,QAAQ;AAAA,MACxB,QAAQ,kBAAkB,KAAK,QAAQ,MAAM;AAAA,MAC7C,gBAAgB,kBAAkB,KAAK,QAAQ,cAAc;AAAA,MAC7D,UAAU,kBAAkB,KAAK,QAAQ,QAAQ;AAAA,MACjD,cAAc,KAAK,QAAQ,gBAAgB,CAAC;AAAA,MAC5C,kBAAkB,KAAK,QAAQ;AAAA,IACjC;AAAA,IACA,uBAAuB,KAAK;AAAA,EAC9B,CAAC;AACH;",
+  "names": []
+}

package/dist/lib/crud/errors.js

@@ -1,11 +1,17 @@
-class CrudHttpError extends Error {
+var _a, _b;
+const CRUD_HTTP_ERROR_MARKER = Symbol.for("@open-mercato/CrudHttpError");
+class CrudHttpError extends (_b = Error, _a = CRUD_HTTP_ERROR_MARKER, _b) {
   constructor(status, body) {
     const normalizedBody = typeof body === "string" ? { error: body } : body ?? {};
     super(typeof body === "string" ? body : normalizedBody.error ?? "Request failed");
+    this[_a] = true;
     this.status = status;
     this.body = normalizedBody;
   }
 }
+function isCrudHttpError(err) {
+  return !!err && typeof err === "object" && err[CRUD_HTTP_ERROR_MARKER] === true;
+}
 function badRequest(message) {
   return new CrudHttpError(400, { error: message });
 }
@@ -24,6 +30,7 @@ export {
   assertFound,
   badRequest,
   forbidden,
+  isCrudHttpError,
   notFound
 };
 //# sourceMappingURL=errors.js.map

package/dist/lib/crud/errors.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/lib/crud/errors.ts"],
-  "sourcesContent": ["export class CrudHttpError extends Error {\n  status: number\n  body: Record<string, any>\n\n  constructor(status: number, body?: Record<string, any> | string) {\n    const normalizedBody = typeof body === 'string' ? { error: body } : body ?? {}\n    super(typeof body === 'string' ? body : normalizedBody.error ?? 'Request failed')\n    this.status = status\n    this.body = normalizedBody\n  }\n}\n\nexport function badRequest(message: string): CrudHttpError {\n  return new CrudHttpError(400, { error: message })\n}\n\nexport function forbidden(message = 'Forbidden'): CrudHttpError {\n  return new CrudHttpError(403, { error: message })\n}\n\nexport function notFound(message = 'Not found'): CrudHttpError {\n  return new CrudHttpError(404, { error: message })\n}\n\nexport function assertFound<T>(value: T | null | undefined, message: string): T {\n  if (!value) throw notFound(message)\n  return value\n}\n"],
-  "mappings": "AAAO,MAAM,sBAAsB,MAAM;AAAA,EAIvC,YAAY,QAAgB,MAAqC;AAC/D,UAAM,iBAAiB,OAAO,SAAS,WAAW,EAAE,OAAO,KAAK,IAAI,QAAQ,CAAC;AAC7E,UAAM,OAAO,SAAS,WAAW,OAAO,eAAe,SAAS,gBAAgB;AAChF,SAAK,SAAS;AACd,SAAK,OAAO;AAAA,EACd;AACF;AAEO,SAAS,WAAW,SAAgC;AACzD,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,UAAU,UAAU,aAA4B;AAC9D,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,SAAS,UAAU,aAA4B;AAC7D,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,YAAe,OAA6B,SAAoB;AAC9E,MAAI,CAAC,MAAO,OAAM,SAAS,OAAO;AAClC,SAAO;AACT;",
+  "sourcesContent": ["// Use Symbol.for so the marker survives module duplication across bundle boundaries\n// (same behaviour as globalThis-based registries used for DI registrars)\nconst CRUD_HTTP_ERROR_MARKER = Symbol.for('@open-mercato/CrudHttpError')\n\nexport class CrudHttpError extends Error {\n  readonly [CRUD_HTTP_ERROR_MARKER] = true\n  status: number\n  body: Record<string, any>\n\n  constructor(status: number, body?: Record<string, any> | string) {\n    const normalizedBody = typeof body === 'string' ? { error: body } : body ?? {}\n    super(typeof body === 'string' ? body : normalizedBody.error ?? 'Request failed')\n    this.status = status\n    this.body = normalizedBody\n  }\n}\n\n/**\n * Type-safe check for CrudHttpError that works across module/bundle boundaries.\n * Prefer this over `instanceof CrudHttpError` whenever the error may originate\n * from a different module bundle (e.g. enterprise packages, dynamic imports).\n */\nexport function isCrudHttpError(err: unknown): err is CrudHttpError {\n  return !!err && typeof err === 'object' && (err as Record<symbol, unknown>)[CRUD_HTTP_ERROR_MARKER] === true\n}\n\nexport function badRequest(message: string): CrudHttpError {\n  return new CrudHttpError(400, { error: message })\n}\n\nexport function forbidden(message = 'Forbidden'): CrudHttpError {\n  return new CrudHttpError(403, { error: message })\n}\n\nexport function notFound(message = 'Not found'): CrudHttpError {\n  return new CrudHttpError(404, { error: message })\n}\n\nexport function assertFound<T>(value: T | null | undefined, message: string): T {\n  if (!value) throw notFound(message)\n  return value\n}\n"],
+  "mappings": "AAAA;AAEA,MAAM,yBAAyB,OAAO,IAAI,6BAA6B;AAEhE,MAAM,uBAAsB,YACvB,6BADuB,IAAM;AAAA,EAKvC,YAAY,QAAgB,MAAqC;AAC/D,UAAM,iBAAiB,OAAO,SAAS,WAAW,EAAE,OAAO,KAAK,IAAI,QAAQ,CAAC;AAC7E,UAAM,OAAO,SAAS,WAAW,OAAO,eAAe,SAAS,gBAAgB;AANlF,SAAU,MAA0B;AAOlC,SAAK,SAAS;AACd,SAAK,OAAO;AAAA,EACd;AACF;AAOO,SAAS,gBAAgB,KAAoC;AAClE,SAAO,CAAC,CAAC,OAAO,OAAO,QAAQ,YAAa,IAAgC,sBAAsB,MAAM;AAC1G;AAEO,SAAS,WAAW,SAAgC;AACzD,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,UAAU,UAAU,aAA4B;AAC9D,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,SAAS,UAAU,aAA4B;AAC7D,SAAO,IAAI,cAAc,KAAK,EAAE,OAAO,QAAQ,CAAC;AAClD;AAEO,SAAS,YAAe,OAA6B,SAAoB;AAC9E,MAAI,CAAC,MAAO,OAAM,SAAS,OAAO;AAClC,SAAO;AACT;",
   "names": []
 }

package/dist/lib/crud/factory.js

@@ -20,7 +20,7 @@ import {
   loadCustomFieldDefinitionIndex
 } from "./custom-fields.js";
 import { serializeExport, normalizeExportFormat, defaultExportFilename, ensureColumns } from "./exporters.js";
-import { CrudHttpError } from "./errors.js";
+import { isCrudHttpError } from "./errors.js";
 import {
   buildCollectionTags,
   buildRecordTag,
@@ -243,7 +243,7 @@ function attachOperationHeader(res, logEntry) {
 }
 function handleError(err) {
   if (err instanceof Response) return err;
-  if (err instanceof CrudHttpError) return json(err.body, { status: err.status });
+  if (isCrudHttpError(err)) return json(err.body, { status: err.status });
   if (err instanceof z.ZodError) return json({ error: "Invalid input", details: err.issues }, { status: 400 });
   const message = err instanceof Error ? err.message : void 0;
   const stack = err instanceof Error ? err.stack : void 0;