@open-mercato/shared 0.5.1-develop.2953.6647bb2c43 → 0.5.1-develop.2964.d5ac4a6ebb

package/dist/lib/version.js

@@ -1,4 +1,4 @@
-const APP_VERSION = "0.5.1-develop.2953.6647bb2c43";
+const APP_VERSION = "0.5.1-develop.2964.d5ac4a6ebb";
 const appVersion = APP_VERSION;
 export {
   APP_VERSION,

package/dist/lib/version.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/lib/version.ts"],
-  "sourcesContent": ["// Build-time generated version\nexport const APP_VERSION = '0.5.1-develop.2953.6647bb2c43'\nexport const appVersion = APP_VERSION\n"],
+  "sourcesContent": ["// Build-time generated version\nexport const APP_VERSION = '0.5.1-develop.2964.d5ac4a6ebb'\nexport const appVersion = APP_VERSION\n"],
   "mappings": "AACO,MAAM,cAAc;AACpB,MAAM,aAAa;",
   "names": []
 }

package/dist/security/enabledModulesRegistry.js

@@ -1,29 +1,73 @@
 import { getModules } from "../lib/modules/registry.js";
-function getOwningModuleId(featureId) {
-  const dot = featureId.indexOf(".");
-  return dot === -1 ? featureId : featureId.slice(0, dot);
+let cachedRegistry = null;
+let cachedModulesRef = null;
+function buildRegistry(modules) {
+  const enabledModuleIds = modules.map((mod) => mod.id);
+  const enabledModuleSet = new Set(enabledModuleIds);
+  const featureToModule = /* @__PURE__ */ new Map();
+  const prefixToModule = /* @__PURE__ */ new Map();
+  for (const mod of modules) {
+    const features = mod.features;
+    if (!Array.isArray(features)) continue;
+    for (const feature of features) {
+      if (!feature || typeof feature.id !== "string" || !feature.id) continue;
+      const declared = typeof feature.module === "string" && feature.module.length > 0 ? feature.module : mod.id;
+      featureToModule.set(feature.id, declared);
+      const dot = feature.id.indexOf(".");
+      if (dot > 0) {
+        const prefix = feature.id.slice(0, dot);
+        if (!prefixToModule.has(prefix)) prefixToModule.set(prefix, declared);
+      }
+    }
+  }
+  return { enabledModuleIds, enabledModuleSet, featureToModule, prefixToModule };
 }
-function safeGetEnabledModuleIds() {
+function getRegistry() {
   try {
-    return getModules().map((mod) => mod.id);
+    const modules = getModules();
+    if (cachedRegistry && cachedModulesRef === modules) return cachedRegistry;
+    cachedModulesRef = modules;
+    cachedRegistry = buildRegistry(modules);
+    return cachedRegistry;
   } catch {
     return null;
   }
 }
+function getOwningModuleId(featureId) {
+  const registry = getRegistry();
+  if (registry) {
+    const direct = registry.featureToModule.get(featureId);
+    if (direct) return direct;
+    if (featureId.endsWith(".*")) {
+      const prefix = featureId.slice(0, -2);
+      const fromPrefix = registry.prefixToModule.get(prefix);
+      if (fromPrefix) return fromPrefix;
+      return prefix;
+    }
+  }
+  const dot = featureId.indexOf(".");
+  return dot === -1 ? featureId : featureId.slice(0, dot);
+}
 function getEnabledModuleIds() {
-  return safeGetEnabledModuleIds() ?? [];
+  const registry = getRegistry();
+  return registry ? [...registry.enabledModuleIds] : [];
 }
 function filterGrantsByEnabledModules(granted) {
-  const enabledIds = safeGetEnabledModuleIds();
-  if (enabledIds === null) return [...granted];
-  const enabledSet = new Set(enabledIds);
+  const registry = getRegistry();
+  if (!registry) return [...granted];
+  const { enabledModuleIds, enabledModuleSet, prefixToModule } = registry;
   const result = [];
   for (const grant of granted) {
     if (grant === "*") {
-      for (const id of enabledIds) result.push(`${id}.*`);
+      for (const id of enabledModuleIds) result.push(`${id}.*`);
+      for (const [prefix, owningModule] of prefixToModule) {
+        if (!enabledModuleSet.has(prefix) && enabledModuleSet.has(owningModule)) {
+          result.push(`${prefix}.*`);
+        }
+      }
       continue;
     }
-    if (enabledSet.has(getOwningModuleId(grant))) result.push(grant);
+    if (enabledModuleSet.has(getOwningModuleId(grant))) result.push(grant);
   }
   return result;
 }

package/dist/security/enabledModulesRegistry.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/security/enabledModulesRegistry.ts"],
-  "sourcesContent": ["/**\n * Module-aware grant filtering.\n *\n * Features live under `<module>.<action>` (see AGENTS.md naming convention).\n * When a module is disabled in `modules.ts`, its routes/UI are absent but\n * roles may still carry the feature string. Anywhere we turn raw ACL\n * grants into \"what the user can currently act on\", we must drop grants\n * whose owning module is not enabled \u2014 otherwise stale grants re-open the\n * 404-class bug PR #1567 only partially fixed.\n *\n * This helper is server-only: it reads the enabled module set from the\n * bootstrapped module registry. The browser never imports it; instead,\n * server code pre-filters `BackendChromePayload.grantedFeatures` so\n * client-side `hasFeature` can stay a pure grant check.\n */\n\nimport { getModules } from '../lib/modules/registry'\n\nexport function getOwningModuleId(featureId: string): string {\n  const dot = featureId.indexOf('.')\n  return dot === -1 ? featureId : featureId.slice(0, dot)\n}\n\nfunction safeGetEnabledModuleIds(): string[] | null {\n  try {\n    return getModules().map((mod) => mod.id)\n  } catch {\n    return null\n  }\n}\n\nexport function getEnabledModuleIds(): string[] {\n  return safeGetEnabledModuleIds() ?? []\n}\n\n/**\n * Filters a raw granted-features list down to the grants whose owning\n * module is currently enabled. Expands `*` (superadmin) into one wildcard\n * per enabled module so the result is still safe to feed into a pure\n * `matchFeature` check. If the module registry is not populated (tests,\n * CLI), returns the input unchanged \u2014 preserves legacy behavior.\n */\nexport function filterGrantsByEnabledModules(granted: readonly string[]): string[] {\n  const enabledIds = safeGetEnabledModuleIds()\n  if (enabledIds === null) return [...granted]\n  const enabledSet = new Set(enabledIds)\n  const result: string[] = []\n  for (const grant of granted) {\n    if (grant === '*') {\n      for (const id of enabledIds) result.push(`${id}.*`)\n      continue\n    }\n    if (enabledSet.has(getOwningModuleId(grant))) result.push(grant)\n  }\n  return result\n}\n"],
-  "mappings": "AAgBA,SAAS,kBAAkB;AAEpB,SAAS,kBAAkB,WAA2B;AAC3D,QAAM,MAAM,UAAU,QAAQ,GAAG;AACjC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,GAAG,GAAG;AACxD;AAEA,SAAS,0BAA2C;AAClD,MAAI;AACF,WAAO,WAAW,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,EACzC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAAgC;AAC9C,SAAO,wBAAwB,KAAK,CAAC;AACvC;AASO,SAAS,6BAA6B,SAAsC;AACjF,QAAM,aAAa,wBAAwB;AAC3C,MAAI,eAAe,KAAM,QAAO,CAAC,GAAG,OAAO;AAC3C,QAAM,aAAa,IAAI,IAAI,UAAU;AACrC,QAAM,SAAmB,CAAC;AAC1B,aAAW,SAAS,SAAS;AAC3B,QAAI,UAAU,KAAK;AACjB,iBAAW,MAAM,WAAY,QAAO,KAAK,GAAG,EAAE,IAAI;AAClD;AAAA,IACF;AACA,QAAI,WAAW,IAAI,kBAAkB,KAAK,CAAC,EAAG,QAAO,KAAK,KAAK;AAAA,EACjE;AACA,SAAO;AACT;",
+  "sourcesContent": ["/**\n * Module-aware grant filtering.\n *\n * Features live under `<module>.<action>` (see AGENTS.md naming convention).\n * When a module is disabled in `modules.ts`, its routes/UI are absent but\n * roles may still carry the feature string. Anywhere we turn raw ACL\n * grants into \"what the user can currently act on\", we must drop grants\n * whose owning module is not enabled \u2014 otherwise stale grants re-open the\n * 404-class bug PR #1567 only partially fixed.\n *\n * Owning-module resolution:\n * - Most features follow the convention so `id.split('.')[0]` matches the\n *   module id. For those, the prefix is correct.\n * - A few features (e.g. `analytics.view`) deliberately use a different\n *   namespace from their owning module. For those, the registry's declared\n *   `module` field on the `Module.features` entry is authoritative. We\n *   consult it first and fall back to the prefix only when the feature is\n *   unknown to the registry.\n *\n * This helper is server-only: it reads the enabled module set from the\n * bootstrapped module registry. The browser never imports it; instead,\n * server code pre-filters `BackendChromePayload.grantedFeatures` so\n * client-side `hasFeature` can stay a pure grant check.\n */\n\nimport { getModules } from '../lib/modules/registry'\nimport type { Module } from '../modules/registry'\n\ntype FeatureRegistry = {\n  enabledModuleIds: string[]\n  enabledModuleSet: Set<string>\n  featureToModule: Map<string, string>\n  prefixToModule: Map<string, string>\n}\n\nlet cachedRegistry: FeatureRegistry | null = null\nlet cachedModulesRef: readonly Module[] | null = null\n\nfunction buildRegistry(modules: readonly Module[]): FeatureRegistry {\n  const enabledModuleIds = modules.map((mod) => mod.id)\n  const enabledModuleSet = new Set(enabledModuleIds)\n  const featureToModule = new Map<string, string>()\n  const prefixToModule = new Map<string, string>()\n  for (const mod of modules) {\n    const features = mod.features\n    if (!Array.isArray(features)) continue\n    for (const feature of features) {\n      if (!feature || typeof feature.id !== 'string' || !feature.id) continue\n      const declared = typeof feature.module === 'string' && feature.module.length > 0\n        ? feature.module\n        : mod.id\n      featureToModule.set(feature.id, declared)\n      const dot = feature.id.indexOf('.')\n      if (dot > 0) {\n        const prefix = feature.id.slice(0, dot)\n        if (!prefixToModule.has(prefix)) prefixToModule.set(prefix, declared)\n      }\n    }\n  }\n  return { enabledModuleIds, enabledModuleSet, featureToModule, prefixToModule }\n}\n\nfunction getRegistry(): FeatureRegistry | null {\n  try {\n    const modules = getModules() as readonly Module[]\n    if (cachedRegistry && cachedModulesRef === modules) return cachedRegistry\n    cachedModulesRef = modules\n    cachedRegistry = buildRegistry(modules)\n    return cachedRegistry\n  } catch {\n    return null\n  }\n}\n\nexport function getOwningModuleId(featureId: string): string {\n  const registry = getRegistry()\n  if (registry) {\n    const direct = registry.featureToModule.get(featureId)\n    if (direct) return direct\n    if (featureId.endsWith('.*')) {\n      const prefix = featureId.slice(0, -2)\n      const fromPrefix = registry.prefixToModule.get(prefix)\n      if (fromPrefix) return fromPrefix\n      return prefix\n    }\n  }\n  const dot = featureId.indexOf('.')\n  return dot === -1 ? featureId : featureId.slice(0, dot)\n}\n\nexport function getEnabledModuleIds(): string[] {\n  const registry = getRegistry()\n  return registry ? [...registry.enabledModuleIds] : []\n}\n\n/**\n * Filters a raw granted-features list down to the grants whose owning\n * module is currently enabled. Expands `*` (superadmin) into one wildcard\n * per enabled module so the result is still safe to feed into a pure\n * `matchFeature` check, plus one wildcard per off-convention feature\n * prefix (e.g. `analytics.*`) whose declared owning module is enabled.\n * If the module registry is not populated (tests, CLI), returns the input\n * unchanged \u2014 preserves legacy behavior.\n */\nexport function filterGrantsByEnabledModules(granted: readonly string[]): string[] {\n  const registry = getRegistry()\n  if (!registry) return [...granted]\n  const { enabledModuleIds, enabledModuleSet, prefixToModule } = registry\n  const result: string[] = []\n  for (const grant of granted) {\n    if (grant === '*') {\n      for (const id of enabledModuleIds) result.push(`${id}.*`)\n      for (const [prefix, owningModule] of prefixToModule) {\n        if (!enabledModuleSet.has(prefix) && enabledModuleSet.has(owningModule)) {\n          result.push(`${prefix}.*`)\n        }\n      }\n      continue\n    }\n    if (enabledModuleSet.has(getOwningModuleId(grant))) result.push(grant)\n  }\n  return result\n}\n"],
+  "mappings": "AAyBA,SAAS,kBAAkB;AAU3B,IAAI,iBAAyC;AAC7C,IAAI,mBAA6C;AAEjD,SAAS,cAAc,SAA6C;AAClE,QAAM,mBAAmB,QAAQ,IAAI,CAAC,QAAQ,IAAI,EAAE;AACpD,QAAM,mBAAmB,IAAI,IAAI,gBAAgB;AACjD,QAAM,kBAAkB,oBAAI,IAAoB;AAChD,QAAM,iBAAiB,oBAAI,IAAoB;AAC/C,aAAW,OAAO,SAAS;AACzB,UAAM,WAAW,IAAI;AACrB,QAAI,CAAC,MAAM,QAAQ,QAAQ,EAAG;AAC9B,eAAW,WAAW,UAAU;AAC9B,UAAI,CAAC,WAAW,OAAO,QAAQ,OAAO,YAAY,CAAC,QAAQ,GAAI;AAC/D,YAAM,WAAW,OAAO,QAAQ,WAAW,YAAY,QAAQ,OAAO,SAAS,IAC3E,QAAQ,SACR,IAAI;AACR,sBAAgB,IAAI,QAAQ,IAAI,QAAQ;AACxC,YAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG;AAClC,UAAI,MAAM,GAAG;AACX,cAAM,SAAS,QAAQ,GAAG,MAAM,GAAG,GAAG;AACtC,YAAI,CAAC,eAAe,IAAI,MAAM,EAAG,gBAAe,IAAI,QAAQ,QAAQ;AAAA,MACtE;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,kBAAkB,kBAAkB,iBAAiB,eAAe;AAC/E;AAEA,SAAS,cAAsC;AAC7C,MAAI;AACF,UAAM,UAAU,WAAW;AAC3B,QAAI,kBAAkB,qBAAqB,QAAS,QAAO;AAC3D,uBAAmB;AACnB,qBAAiB,cAAc,OAAO;AACtC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,kBAAkB,WAA2B;AAC3D,QAAM,WAAW,YAAY;AAC7B,MAAI,UAAU;AACZ,UAAM,SAAS,SAAS,gBAAgB,IAAI,SAAS;AACrD,QAAI,OAAQ,QAAO;AACnB,QAAI,UAAU,SAAS,IAAI,GAAG;AAC5B,YAAM,SAAS,UAAU,MAAM,GAAG,EAAE;AACpC,YAAM,aAAa,SAAS,eAAe,IAAI,MAAM;AACrD,UAAI,WAAY,QAAO;AACvB,aAAO;AAAA,IACT;AAAA,EACF;AACA,QAAM,MAAM,UAAU,QAAQ,GAAG;AACjC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,GAAG,GAAG;AACxD;AAEO,SAAS,sBAAgC;AAC9C,QAAM,WAAW,YAAY;AAC7B,SAAO,WAAW,CAAC,GAAG,SAAS,gBAAgB,IAAI,CAAC;AACtD;AAWO,SAAS,6BAA6B,SAAsC;AACjF,QAAM,WAAW,YAAY;AAC7B,MAAI,CAAC,SAAU,QAAO,CAAC,GAAG,OAAO;AACjC,QAAM,EAAE,kBAAkB,kBAAkB,eAAe,IAAI;AAC/D,QAAM,SAAmB,CAAC;AAC1B,aAAW,SAAS,SAAS;AAC3B,QAAI,UAAU,KAAK;AACjB,iBAAW,MAAM,iBAAkB,QAAO,KAAK,GAAG,EAAE,IAAI;AACxD,iBAAW,CAAC,QAAQ,YAAY,KAAK,gBAAgB;AACnD,YAAI,CAAC,iBAAiB,IAAI,MAAM,KAAK,iBAAiB,IAAI,YAAY,GAAG;AACvE,iBAAO,KAAK,GAAG,MAAM,IAAI;AAAA,QAC3B;AAAA,MACF;AACA;AAAA,IACF;AACA,QAAI,iBAAiB,IAAI,kBAAkB,KAAK,CAAC,EAAG,QAAO,KAAK,KAAK;AAAA,EACvE;AACA,SAAO;AACT;",
   "names": []
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/shared",
-  "version": "0.5.1-develop.2953.6647bb2c43",
+  "version": "0.5.1-develop.2964.d5ac4a6ebb",
   "type": "module",
   "main": "./dist/index.js",
   "scripts": {
@@ -92,7 +92,7 @@
     "@mikro-orm/core": "^7.0.10",
     "@mikro-orm/decorators": "^7.0.10",
     "@mikro-orm/postgresql": "^7.0.10",
-    "@open-mercato/cache": "0.5.1-develop.2953.6647bb2c43",
+    "@open-mercato/cache": "0.5.1-develop.2964.d5ac4a6ebb",
     "dotenv": "^17.4.2",
     "rate-limiter-flexible": "^11.0.1",
     "reflect-metadata": "^0.2.2",

package/src/security/__tests__/enabledModulesRegistry.test.ts

@@ -17,11 +17,28 @@ describe('enabledModulesRegistry', () => {
     jest.resetAllMocks()
   })
 
-  it('derives the owning module from the feature id prefix', () => {
+  it('derives the owning module from the feature id prefix when the registry has no declarations', () => {
+    mockGetModules.mockReturnValue([{ id: 'auth' } as Module])
     expect(getOwningModuleId('ai_assistant.view')).toBe('ai_assistant')
     expect(getOwningModuleId('plain-feature')).toBe('plain-feature')
   })
 
+  it('uses the declared module from the registry for off-convention feature ids (e.g. analytics.view)', () => {
+    mockGetModules.mockReturnValue([
+      {
+        id: 'dashboards',
+        features: [
+          { id: 'dashboards.view', title: 'View dashboard', module: 'dashboards' },
+          { id: 'analytics.view', title: 'View analytics widgets', module: 'dashboards' },
+        ],
+      } as Module,
+      { id: 'auth' } as Module,
+    ])
+
+    expect(getOwningModuleId('analytics.view')).toBe('dashboards')
+    expect(getOwningModuleId('dashboards.view')).toBe('dashboards')
+  })
+
   it('reads enabled module ids from the registered module list', () => {
     mockGetModules.mockReturnValue([
       { id: 'auth' } as Module,
@@ -46,6 +63,28 @@ describe('enabledModulesRegistry', () => {
     ).toEqual(['auth.*', 'customer_accounts.view'])
   })
 
+  it('keeps an off-convention grant when its declared owning module is enabled', () => {
+    mockGetModules.mockReturnValue([
+      {
+        id: 'dashboards',
+        features: [
+          { id: 'analytics.view', title: 'View analytics widgets', module: 'dashboards' },
+        ],
+      } as Module,
+      { id: 'auth' } as Module,
+    ])
+
+    expect(
+      filterGrantsByEnabledModules(['analytics.view', 'auth.users.view', 'unknown.feature']),
+    ).toEqual(['analytics.view', 'auth.users.view'])
+  })
+
+  it('drops an off-convention grant when its declared owning module is disabled', () => {
+    mockGetModules.mockReturnValue([{ id: 'auth' } as Module])
+
+    expect(filterGrantsByEnabledModules(['analytics.view'])).toEqual([])
+  })
+
   it('expands the superadmin wildcard into enabled-module wildcards', () => {
     mockGetModules.mockReturnValue([
       { id: 'auth' } as Module,
@@ -55,6 +94,25 @@ describe('enabledModulesRegistry', () => {
     expect(filterGrantsByEnabledModules(['*'])).toEqual(['auth.*', 'customer_accounts.*'])
   })
 
+  it('also expands the superadmin wildcard to off-convention prefixes whose owning module is enabled', () => {
+    mockGetModules.mockReturnValue([
+      {
+        id: 'dashboards',
+        features: [
+          { id: 'dashboards.view', title: 'View dashboard', module: 'dashboards' },
+          { id: 'analytics.view', title: 'View analytics widgets', module: 'dashboards' },
+        ],
+      } as Module,
+      { id: 'auth' } as Module,
+    ])
+
+    expect(filterGrantsByEnabledModules(['*'])).toEqual([
+      'dashboards.*',
+      'auth.*',
+      'analytics.*',
+    ])
+  })
+
   it('falls back to the raw grant list when the module registry is unavailable', () => {
     mockGetModules.mockImplementation(() => {
       throw new Error('registry not initialized')

package/src/security/enabledModulesRegistry.ts

@@ -8,6 +8,15 @@
  * whose owning module is not enabled — otherwise stale grants re-open the
  * 404-class bug PR #1567 only partially fixed.
  *
+ * Owning-module resolution:
+ * - Most features follow the convention so `id.split('.')[0]` matches the
+ *   module id. For those, the prefix is correct.
+ * - A few features (e.g. `analytics.view`) deliberately use a different
+ *   namespace from their owning module. For those, the registry's declared
+ *   `module` field on the `Module.features` entry is authoritative. We
+ *   consult it first and fall back to the prefix only when the feature is
+ *   unknown to the registry.
+ *
  * This helper is server-only: it reads the enabled module set from the
  * bootstrapped module registry. The browser never imports it; instead,
  * server code pre-filters `BackendChromePayload.grantedFeatures` so
@@ -15,42 +24,100 @@
  */
 
 import { getModules } from '../lib/modules/registry'
+import type { Module } from '../modules/registry'
 
-export function getOwningModuleId(featureId: string): string {
-  const dot = featureId.indexOf('.')
-  return dot === -1 ? featureId : featureId.slice(0, dot)
+type FeatureRegistry = {
+  enabledModuleIds: string[]
+  enabledModuleSet: Set<string>
+  featureToModule: Map<string, string>
+  prefixToModule: Map<string, string>
+}
+
+let cachedRegistry: FeatureRegistry | null = null
+let cachedModulesRef: readonly Module[] | null = null
+
+function buildRegistry(modules: readonly Module[]): FeatureRegistry {
+  const enabledModuleIds = modules.map((mod) => mod.id)
+  const enabledModuleSet = new Set(enabledModuleIds)
+  const featureToModule = new Map<string, string>()
+  const prefixToModule = new Map<string, string>()
+  for (const mod of modules) {
+    const features = mod.features
+    if (!Array.isArray(features)) continue
+    for (const feature of features) {
+      if (!feature || typeof feature.id !== 'string' || !feature.id) continue
+      const declared = typeof feature.module === 'string' && feature.module.length > 0
+        ? feature.module
+        : mod.id
+      featureToModule.set(feature.id, declared)
+      const dot = feature.id.indexOf('.')
+      if (dot > 0) {
+        const prefix = feature.id.slice(0, dot)
+        if (!prefixToModule.has(prefix)) prefixToModule.set(prefix, declared)
+      }
+    }
+  }
+  return { enabledModuleIds, enabledModuleSet, featureToModule, prefixToModule }
 }
 
-function safeGetEnabledModuleIds(): string[] | null {
+function getRegistry(): FeatureRegistry | null {
   try {
-    return getModules().map((mod) => mod.id)
+    const modules = getModules() as readonly Module[]
+    if (cachedRegistry && cachedModulesRef === modules) return cachedRegistry
+    cachedModulesRef = modules
+    cachedRegistry = buildRegistry(modules)
+    return cachedRegistry
   } catch {
     return null
   }
 }
 
+export function getOwningModuleId(featureId: string): string {
+  const registry = getRegistry()
+  if (registry) {
+    const direct = registry.featureToModule.get(featureId)
+    if (direct) return direct
+    if (featureId.endsWith('.*')) {
+      const prefix = featureId.slice(0, -2)
+      const fromPrefix = registry.prefixToModule.get(prefix)
+      if (fromPrefix) return fromPrefix
+      return prefix
+    }
+  }
+  const dot = featureId.indexOf('.')
+  return dot === -1 ? featureId : featureId.slice(0, dot)
+}
+
 export function getEnabledModuleIds(): string[] {
-  return safeGetEnabledModuleIds() ?? []
+  const registry = getRegistry()
+  return registry ? [...registry.enabledModuleIds] : []
 }
 
 /**
  * Filters a raw granted-features list down to the grants whose owning
  * module is currently enabled. Expands `*` (superadmin) into one wildcard
  * per enabled module so the result is still safe to feed into a pure
- * `matchFeature` check. If the module registry is not populated (tests,
- * CLI), returns the input unchanged — preserves legacy behavior.
+ * `matchFeature` check, plus one wildcard per off-convention feature
+ * prefix (e.g. `analytics.*`) whose declared owning module is enabled.
+ * If the module registry is not populated (tests, CLI), returns the input
+ * unchanged — preserves legacy behavior.
  */
 export function filterGrantsByEnabledModules(granted: readonly string[]): string[] {
-  const enabledIds = safeGetEnabledModuleIds()
-  if (enabledIds === null) return [...granted]
-  const enabledSet = new Set(enabledIds)
+  const registry = getRegistry()
+  if (!registry) return [...granted]
+  const { enabledModuleIds, enabledModuleSet, prefixToModule } = registry
   const result: string[] = []
   for (const grant of granted) {
     if (grant === '*') {
-      for (const id of enabledIds) result.push(`${id}.*`)
+      for (const id of enabledModuleIds) result.push(`${id}.*`)
+      for (const [prefix, owningModule] of prefixToModule) {
+        if (!enabledModuleSet.has(prefix) && enabledModuleSet.has(owningModule)) {
+          result.push(`${prefix}.*`)
+        }
+      }
       continue
     }
-    if (enabledSet.has(getOwningModuleId(grant))) result.push(grant)
+    if (enabledModuleSet.has(getOwningModuleId(grant))) result.push(grant)
   }
   return result
 }