@open-mercato/shared 0.6.4-develop.4371.1.8f3030407e → 0.6.4

package/dist/lib/crud/optimistic-lock-command.js

@@ -0,0 +1,109 @@
+import { CrudHttpError } from "./errors.js";
+import {
+  OPTIMISTIC_LOCK_CONFLICT_CODE,
+  OPTIMISTIC_LOCK_CONFLICT_ERROR,
+  OPTIMISTIC_LOCK_ENV_VAR,
+  OPTIMISTIC_LOCK_HEADER_NAME
+} from "./optimistic-lock-headers.js";
+import {
+  normalizeIsoToken,
+  parseOptimisticLockEnv
+} from "./optimistic-lock.js";
+function toIsoOrNull(value) {
+  if (value == null) return null;
+  if (value instanceof Date) {
+    const ms = value.getTime();
+    return Number.isFinite(ms) ? new Date(ms).toISOString() : null;
+  }
+  const trimmed = String(value).trim();
+  if (!trimmed) return null;
+  return normalizeIsoToken(trimmed);
+}
+function resolveConfig(envValue) {
+  return parseOptimisticLockEnv(envValue !== void 0 ? envValue : process.env[OPTIMISTIC_LOCK_ENV_VAR]);
+}
+function isResourceLockEnabled(config, resourceKind) {
+  if (config.mode === "off") return false;
+  if (config.mode === "all") return true;
+  return config.entities.has(resourceKind.toLowerCase());
+}
+function readOptimisticLockExpected(source) {
+  if (!source) return null;
+  const headers = source instanceof Headers ? source : source.headers instanceof Headers ? source.headers : null;
+  if (!headers) return null;
+  const direct = headers.get(OPTIMISTIC_LOCK_HEADER_NAME);
+  if (typeof direct === "string" && direct.trim().length > 0) return direct.trim();
+  return null;
+}
+function buildOptimisticLockConflictBody(currentIso, expectedIso) {
+  return {
+    error: OPTIMISTIC_LOCK_CONFLICT_ERROR,
+    code: OPTIMISTIC_LOCK_CONFLICT_CODE,
+    currentUpdatedAt: currentIso,
+    expectedUpdatedAt: expectedIso
+  };
+}
+function assertOptimisticLock(input) {
+  const config = resolveConfig(input.envValue);
+  if (!isResourceLockEnabled(config, input.resourceKind)) return;
+  const expectedIso = toIsoOrNull(input.expected);
+  if (expectedIso == null) return;
+  const currentIso = toIsoOrNull(input.current);
+  if (currentIso == null) return;
+  if (currentIso === expectedIso) return;
+  throw new CrudHttpError(409, buildOptimisticLockConflictBody(currentIso, expectedIso));
+}
+function enforceCommandOptimisticLock(input) {
+  const expected = input.expected !== void 0 && input.expected !== null ? input.expected : readOptimisticLockExpected(input.request ?? null);
+  assertOptimisticLock({
+    resourceKind: input.resourceKind,
+    resourceId: input.resourceId,
+    expected,
+    current: input.current,
+    envValue: input.envValue
+  });
+}
+function enforceRecordGoneIsConflict(input) {
+  const config = resolveConfig(input.envValue);
+  if (!isResourceLockEnabled(config, input.resourceKind)) return;
+  const clientSupplied = input.expected !== void 0 && input.expected !== null ? input.expected : readOptimisticLockExpected(input.request ?? null);
+  const expectedIso = toIsoOrNull(clientSupplied);
+  if (expectedIso == null) return;
+  throw new CrudHttpError(409, buildOptimisticLockConflictBody(expectedIso, expectedIso));
+}
+function createCommandOptimisticLockGuardService(options = {}) {
+  const resolveExpected = options.resolveExpected ?? null;
+  return {
+    async enforce(input) {
+      const config = resolveConfig(input.envValue);
+      if (!isResourceLockEnabled(config, input.resourceKind)) return;
+      const clientSupplied = input.expected !== void 0 && input.expected !== null ? input.expected : readOptimisticLockExpected(input.request ?? null);
+      const expectedFromHeader = toIsoOrNull(clientSupplied);
+      let expected = expectedFromHeader;
+      if (resolveExpected) {
+        const resolverInput = {
+          expectedFromHeader,
+          resourceKind: input.resourceKind,
+          resourceId: input.resourceId
+        };
+        expected = await resolveExpected(resolverInput);
+      }
+      assertOptimisticLock({
+        resourceKind: input.resourceKind,
+        resourceId: input.resourceId,
+        expected,
+        current: input.current,
+        envValue: input.envValue
+      });
+    }
+  };
+}
+export {
+  assertOptimisticLock,
+  buildOptimisticLockConflictBody,
+  createCommandOptimisticLockGuardService,
+  enforceCommandOptimisticLock,
+  enforceRecordGoneIsConflict,
+  readOptimisticLockExpected
+};
+//# sourceMappingURL=optimistic-lock-command.js.map

package/dist/lib/crud/optimistic-lock-command.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/crud/optimistic-lock-command.ts"],
+  "sourcesContent": ["/**\n * Generalist command-level OSS optimistic-locking helper.\n *\n * The CRUD guard (`optimistic-lock.ts` + `makeCrudRoute`) only protects\n * mutations that flow through the CRUD factory. Domain writes implemented via\n * the Command pattern \u2014 sales document sub-resources (lines, adjustments,\n * shipments, payments, returns), status transitions, quote\u2192order conversion,\n * etc. \u2014 run their own logic inside a command handler and never reach the CRUD\n * guard for the **aggregate** they mutate. This helper lets any command enforce\n * the same `updated_at` version check against an arbitrary target record\n * (typically the aggregate root, e.g. the parent order/quote) and fail with the\n * identical structured 409 the CRUD path returns.\n *\n * Contract (mirrors the CRUD guard so clients see one behavior):\n *   - The client sends the expected version via the\n *     `x-om-ext-optimistic-lock-expected-updated-at` header (or a command\n *     accepts it as a typed input field and passes it as `expected`).\n *   - The command loads the current record (it usually already does) and passes\n *     its `updated_at` as `current`.\n *   - On mismatch the helper throws `CrudHttpError(409, OptimisticLockConflictBody)`.\n *\n * Strictly additive: when no expected token is present (no header, no input\n * field) the helper is a no-op, so existing API consumers that don't send the\n * header keep working. Respects the same `OM_OPTIMISTIC_LOCK` env contract\n * (default ON; `off` disables; allow-list scopes by `resourceKind`).\n *\n * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md (\u00A7 command-level checks)\n *       .ai/specs/2026-05-28-optimistic-locking-coverage-completion.md (Phase 4)\n */\nimport { CrudHttpError } from './errors'\nimport {\n  OPTIMISTIC_LOCK_CONFLICT_CODE,\n  OPTIMISTIC_LOCK_CONFLICT_ERROR,\n  OPTIMISTIC_LOCK_ENV_VAR,\n  OPTIMISTIC_LOCK_HEADER_NAME,\n  type OptimisticLockConflictBody,\n} from './optimistic-lock-headers'\nimport {\n  normalizeIsoToken,\n  parseOptimisticLockEnv,\n  type OptimisticLockConfig,\n  type OptimisticLockResolverInput,\n  type ResolveExpectedUpdatedAt,\n} from './optimistic-lock'\n\nfunction toIsoOrNull(value: string | Date | null | undefined): string | null {\n  if (value == null) return null\n  if (value instanceof Date) {\n    const ms = value.getTime()\n    return Number.isFinite(ms) ? new Date(ms).toISOString() : null\n  }\n  const trimmed = String(value).trim()\n  if (!trimmed) return null\n  return normalizeIsoToken(trimmed)\n}\n\nfunction resolveConfig(envValue: string | null | undefined): OptimisticLockConfig {\n  return parseOptimisticLockEnv(envValue !== undefined ? envValue : process.env[OPTIMISTIC_LOCK_ENV_VAR])\n}\n\nfunction isResourceLockEnabled(config: OptimisticLockConfig, resourceKind: string): boolean {\n  if (config.mode === 'off') return false\n  if (config.mode === 'all') return true\n  return config.entities.has(resourceKind.toLowerCase())\n}\n\n/**\n * Extract the expected `updated_at` token from a request's headers (or a bare\n * `Headers` object). Returns the trimmed header value, or `null` when absent /\n * empty. Does NOT normalize \u2014 `assertOptimisticLock` normalizes both sides.\n */\nexport function readOptimisticLockExpected(\n  source: Request | Headers | null | undefined,\n): string | null {\n  if (!source) return null\n  const headers = source instanceof Headers\n    ? source\n    : (source as Request).headers instanceof Headers\n      ? (source as Request).headers\n      : null\n  if (!headers) return null\n  const direct = headers.get(OPTIMISTIC_LOCK_HEADER_NAME)\n  if (typeof direct === 'string' && direct.trim().length > 0) return direct.trim()\n  return null\n}\n\nexport function buildOptimisticLockConflictBody(\n  currentIso: string,\n  expectedIso: string,\n): OptimisticLockConflictBody {\n  return {\n    error: OPTIMISTIC_LOCK_CONFLICT_ERROR,\n    code: OPTIMISTIC_LOCK_CONFLICT_CODE,\n    currentUpdatedAt: currentIso,\n    expectedUpdatedAt: expectedIso,\n  }\n}\n\nexport type AssertOptimisticLockInput = {\n  resourceKind: string\n  resourceId: string\n  /** Client-provided expected version (header value or typed input field). */\n  expected: string | Date | null | undefined\n  /** Current version loaded from the DB (typically the aggregate root's `updatedAt`). */\n  current: string | Date | null | undefined\n  /** Override `OM_OPTIMISTIC_LOCK` (mostly for tests). */\n  envValue?: string | null\n}\n\n/**\n * Pure version assertion. Throws `CrudHttpError(409, OptimisticLockConflictBody)`\n * when the expected and current versions disagree.\n *\n * No-op (returns silently) when:\n *   - the env disables the guard for this `resourceKind`,\n *   - `expected` is missing / unparseable (strictly additive \u2014 clients that\n *     don't send the token are never blocked),\n *   - `current` is missing / unparseable (let the command's own 404 fire).\n */\nexport function assertOptimisticLock(input: AssertOptimisticLockInput): void {\n  const config = resolveConfig(input.envValue)\n  if (!isResourceLockEnabled(config, input.resourceKind)) return\n\n  const expectedIso = toIsoOrNull(input.expected)\n  if (expectedIso == null) return\n\n  const currentIso = toIsoOrNull(input.current)\n  if (currentIso == null) return\n\n  if (currentIso === expectedIso) return\n\n  throw new CrudHttpError(409, buildOptimisticLockConflictBody(currentIso, expectedIso))\n}\n\nexport type EnforceCommandOptimisticLockInput = {\n  resourceKind: string\n  resourceId: string\n  /** Current version loaded from the DB (the aggregate root's `updatedAt`). */\n  current: string | Date | null | undefined\n  /**\n   * Explicit expected version \u2014 wins over the request header. Use when the\n   * command accepts the token as a typed input field instead of (or in addition\n   * to) the extension header.\n   */\n  expected?: string | Date | null\n  /** Request whose headers carry the expected token (e.g. `ctx.request`). */\n  request?: Request | Headers | null\n  /** Override `OM_OPTIMISTIC_LOCK` (mostly for tests). */\n  envValue?: string | null\n}\n\n/**\n * Command-handler convenience: resolves the expected version from an explicit\n * override or the request header, then delegates to `assertOptimisticLock`.\n *\n * ```ts\n * enforceCommandOptimisticLock({\n *   resourceKind: 'sales.order',\n *   resourceId: order.id,\n *   current: order.updatedAt,\n *   request: ctx.request,\n * })\n * ```\n */\nexport function enforceCommandOptimisticLock(input: EnforceCommandOptimisticLockInput): void {\n  const expected = input.expected !== undefined && input.expected !== null\n    ? input.expected\n    : readOptimisticLockExpected(input.request ?? null)\n  assertOptimisticLock({\n    resourceKind: input.resourceKind,\n    resourceId: input.resourceId,\n    expected,\n    current: input.current,\n    envValue: input.envValue,\n  })\n}\n\nexport type EnforceRecordGoneIsConflictInput = {\n  resourceKind: string\n  resourceId: string\n  /** Explicit expected version \u2014 wins over the request header. */\n  expected?: string | Date | null\n  /** Request whose headers carry the expected token (e.g. `ctx.request`). */\n  request?: Request | Headers | null\n  /** Override `OM_OPTIMISTIC_LOCK` (mostly for tests). */\n  envValue?: string | null\n}\n\n/**\n * Command-handler convenience for the *concurrent-delete* race: when a command\n * cannot find its target record (it was deleted in another tab) AND the client\n * opted into optimistic locking (sent the expected-version header / token),\n * throw the SAME structured `CrudHttpError(409, OptimisticLockConflictBody)`\n * the version-mismatch path returns \u2014 so a stale modal save surfaces the unified\n * \"Record changed\" conflict bar instead of a bare, generic 404.\n *\n * Strictly additive and fail-open: a no-op (returns silently) when the env\n * disables the guard for `resourceKind`, or when no expected token is present\n * (plain API consumers that never sent the header keep their existing 404).\n * The caller MUST still throw its own 404 afterwards for that no-token path:\n *\n * ```ts\n * if (!interaction) {\n *   enforceRecordGoneIsConflict({ resourceKind: 'customers.interaction', resourceId: id, request: ctx.request })\n *   throw new CrudHttpError(404, { error: 'Interaction not found' })\n * }\n * ```\n *\n * The gone record has no current version, so `currentUpdatedAt` echoes the\n * expected token (the body is used only for the conflict-bar copy + diagnostics;\n * the client keys off `code`, not the timestamps).\n */\nexport function enforceRecordGoneIsConflict(input: EnforceRecordGoneIsConflictInput): void {\n  const config = resolveConfig(input.envValue)\n  if (!isResourceLockEnabled(config, input.resourceKind)) return\n  const clientSupplied = input.expected !== undefined && input.expected !== null\n    ? input.expected\n    : readOptimisticLockExpected(input.request ?? null)\n  const expectedIso = toIsoOrNull(clientSupplied)\n  if (expectedIso == null) return\n  throw new CrudHttpError(409, buildOptimisticLockConflictBody(expectedIso, expectedIso))\n}\n\n/**\n * DI-resolvable command-level optimistic-lock guard. This is the framework\n * seam that lets BOTH layers protect Command-pattern writes through one\n * contract:\n *\n *   - **OSS** registers the default service (header/explicit token compare \u2014\n *     identical to calling `enforceCommandOptimisticLock` directly).\n *   - **Enterprise** (`record_locks`) re-registers the same DI key with a\n *     `resolveExpected` that reads the held pessimistic lock's version, so a\n *     stale command write fails with the same structured 409 WITHOUT any\n *     command handler changing. Mirrors how enterprise already replaces the\n *     CRUD-path `crudMutationGuardService` (see `optimistic-lock.ts`).\n *\n * Command handlers depend only on this interface (resolved from the container),\n * never on a concrete implementation \u2014 that is what makes the next-PR\n * enterprise extension a pure DI swap.\n */\nexport type CommandOptimisticLockGuardService = {\n  /**\n   * Enforce the version check for a command-level mutation against an\n   * aggregate/record. Async because an enterprise resolver may load the\n   * expected token from a lock record. No-op (resolves silently) when the env\n   * disables the guard for `resourceKind` or when no expected token is\n   * resolved \u2014 strictly additive, exactly like {@link enforceCommandOptimisticLock}.\n   * Throws `CrudHttpError(409, OptimisticLockConflictBody)` on mismatch.\n   */\n  enforce: (input: EnforceCommandOptimisticLockInput) => Promise<void>\n}\n\nexport type CreateCommandOptimisticLockGuardServiceOptions = {\n  /**\n   * Override how the expected version is derived. Receives\n   * `{ expectedFromHeader, resourceKind, resourceId }` (where\n   * `expectedFromHeader` is the normalized client-supplied token \u2014 explicit\n   * input or request header) and returns the expected token (or `null` to\n   * skip). Defaults to \"use the client-supplied token\", which is the OSS\n   * behavior. The enterprise `record_locks` module plugs a lock-backed\n   * resolver here. Mirrors the CRUD guard's `resolveExpected`.\n   */\n  resolveExpected?: ResolveExpectedUpdatedAt\n}\n\n/**\n * Build a {@link CommandOptimisticLockGuardService}. With no options it is\n * behaviourally identical to {@link enforceCommandOptimisticLock} (header/\n * explicit compare), so the OSS default is a thin wrapper. Pass\n * `resolveExpected` to override token resolution (enterprise extension point).\n */\nexport function createCommandOptimisticLockGuardService(\n  options: CreateCommandOptimisticLockGuardServiceOptions = {},\n): CommandOptimisticLockGuardService {\n  const resolveExpected: ResolveExpectedUpdatedAt | null = options.resolveExpected ?? null\n  return {\n    async enforce(input: EnforceCommandOptimisticLockInput): Promise<void> {\n      const config = resolveConfig(input.envValue)\n      if (!isResourceLockEnabled(config, input.resourceKind)) return\n\n      const clientSupplied = input.expected !== undefined && input.expected !== null\n        ? input.expected\n        : readOptimisticLockExpected(input.request ?? null)\n      const expectedFromHeader = toIsoOrNull(clientSupplied)\n\n      let expected: string | null = expectedFromHeader\n      if (resolveExpected) {\n        const resolverInput: OptimisticLockResolverInput = {\n          expectedFromHeader,\n          resourceKind: input.resourceKind,\n          resourceId: input.resourceId,\n        }\n        expected = await resolveExpected(resolverInput)\n      }\n\n      assertOptimisticLock({\n        resourceKind: input.resourceKind,\n        resourceId: input.resourceId,\n        expected,\n        current: input.current,\n        envValue: input.envValue,\n      })\n    },\n  }\n}\n"],
+  "mappings": "AA6BA,SAAS,qBAAqB;AAC9B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAEP,SAAS,YAAY,OAAwD;AAC3E,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,MAAM;AACzB,UAAM,KAAK,MAAM,QAAQ;AACzB,WAAO,OAAO,SAAS,EAAE,IAAI,IAAI,KAAK,EAAE,EAAE,YAAY,IAAI;AAAA,EAC5D;AACA,QAAM,UAAU,OAAO,KAAK,EAAE,KAAK;AACnC,MAAI,CAAC,QAAS,QAAO;AACrB,SAAO,kBAAkB,OAAO;AAClC;AAEA,SAAS,cAAc,UAA2D;AAChF,SAAO,uBAAuB,aAAa,SAAY,WAAW,QAAQ,IAAI,uBAAuB,CAAC;AACxG;AAEA,SAAS,sBAAsB,QAA8B,cAA+B;AAC1F,MAAI,OAAO,SAAS,MAAO,QAAO;AAClC,MAAI,OAAO,SAAS,MAAO,QAAO;AAClC,SAAO,OAAO,SAAS,IAAI,aAAa,YAAY,CAAC;AACvD;AAOO,SAAS,2BACd,QACe;AACf,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,kBAAkB,UAC9B,SACC,OAAmB,mBAAmB,UACpC,OAAmB,UACpB;AACN,MAAI,CAAC,QAAS,QAAO;AACrB,QAAM,SAAS,QAAQ,IAAI,2BAA2B;AACtD,MAAI,OAAO,WAAW,YAAY,OAAO,KAAK,EAAE,SAAS,EAAG,QAAO,OAAO,KAAK;AAC/E,SAAO;AACT;AAEO,SAAS,gCACd,YACA,aAC4B;AAC5B,SAAO;AAAA,IACL,OAAO;AAAA,IACP,MAAM;AAAA,IACN,kBAAkB;AAAA,IAClB,mBAAmB;AAAA,EACrB;AACF;AAuBO,SAAS,qBAAqB,OAAwC;AAC3E,QAAM,SAAS,cAAc,MAAM,QAAQ;AAC3C,MAAI,CAAC,sBAAsB,QAAQ,MAAM,YAAY,EAAG;AAExD,QAAM,cAAc,YAAY,MAAM,QAAQ;AAC9C,MAAI,eAAe,KAAM;AAEzB,QAAM,aAAa,YAAY,MAAM,OAAO;AAC5C,MAAI,cAAc,KAAM;AAExB,MAAI,eAAe,YAAa;AAEhC,QAAM,IAAI,cAAc,KAAK,gCAAgC,YAAY,WAAW,CAAC;AACvF;AAgCO,SAAS,6BAA6B,OAAgD;AAC3F,QAAM,WAAW,MAAM,aAAa,UAAa,MAAM,aAAa,OAChE,MAAM,WACN,2BAA2B,MAAM,WAAW,IAAI;AACpD,uBAAqB;AAAA,IACnB,cAAc,MAAM;AAAA,IACpB,YAAY,MAAM;AAAA,IAClB;AAAA,IACA,SAAS,MAAM;AAAA,IACf,UAAU,MAAM;AAAA,EAClB,CAAC;AACH;AAqCO,SAAS,4BAA4B,OAA+C;AACzF,QAAM,SAAS,cAAc,MAAM,QAAQ;AAC3C,MAAI,CAAC,sBAAsB,QAAQ,MAAM,YAAY,EAAG;AACxD,QAAM,iBAAiB,MAAM,aAAa,UAAa,MAAM,aAAa,OACtE,MAAM,WACN,2BAA2B,MAAM,WAAW,IAAI;AACpD,QAAM,cAAc,YAAY,cAAc;AAC9C,MAAI,eAAe,KAAM;AACzB,QAAM,IAAI,cAAc,KAAK,gCAAgC,aAAa,WAAW,CAAC;AACxF;AAkDO,SAAS,wCACd,UAA0D,CAAC,GACxB;AACnC,QAAM,kBAAmD,QAAQ,mBAAmB;AACpF,SAAO;AAAA,IACL,MAAM,QAAQ,OAAyD;AACrE,YAAM,SAAS,cAAc,MAAM,QAAQ;AAC3C,UAAI,CAAC,sBAAsB,QAAQ,MAAM,YAAY,EAAG;AAExD,YAAM,iBAAiB,MAAM,aAAa,UAAa,MAAM,aAAa,OACtE,MAAM,WACN,2BAA2B,MAAM,WAAW,IAAI;AACpD,YAAM,qBAAqB,YAAY,cAAc;AAErD,UAAI,WAA0B;AAC9B,UAAI,iBAAiB;AACnB,cAAM,gBAA6C;AAAA,UACjD;AAAA,UACA,cAAc,MAAM;AAAA,UACpB,YAAY,MAAM;AAAA,QACpB;AACA,mBAAW,MAAM,gBAAgB,aAAa;AAAA,MAChD;AAEA,2BAAqB;AAAA,QACnB,cAAc,MAAM;AAAA,QACpB,YAAY,MAAM;AAAA,QAClB;AAAA,QACA,SAAS,MAAM;AAAA,QACf,UAAU,MAAM;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/lib/crud/optimistic-lock-headers.js

@@ -0,0 +1,15 @@
+const OPTIMISTIC_LOCK_MODULE_ID = "optimistic_lock";
+const OPTIMISTIC_LOCK_HEADER_NAME = "x-om-ext-optimistic-lock-expected-updated-at";
+const OPTIMISTIC_LOCK_CONFLICT_CODE = "optimistic_lock_conflict";
+const OPTIMISTIC_LOCK_CONFLICT_ERROR = "record_modified";
+const OPTIMISTIC_LOCK_ENV_VAR = "OM_OPTIMISTIC_LOCK";
+const OPTIMISTIC_LOCK_DEFAULT_PRIORITY = 50;
+export {
+  OPTIMISTIC_LOCK_CONFLICT_CODE,
+  OPTIMISTIC_LOCK_CONFLICT_ERROR,
+  OPTIMISTIC_LOCK_DEFAULT_PRIORITY,
+  OPTIMISTIC_LOCK_ENV_VAR,
+  OPTIMISTIC_LOCK_HEADER_NAME,
+  OPTIMISTIC_LOCK_MODULE_ID
+};
+//# sourceMappingURL=optimistic-lock-headers.js.map

package/dist/lib/crud/optimistic-lock-headers.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/crud/optimistic-lock-headers.ts"],
+  "sourcesContent": ["/**\n * Wire constants for the OSS opt-in optimistic-locking guard.\n *\n * The header name follows the project's extension-header convention\n * (`x-om-ext-<moduleId>-<key>`, see `umes/extension-headers.ts`). The\n * module id used by env opt-in is `optimistic_lock` (snake_case), but\n * the HTTP header itself uses dash-separated `optimistic-lock` because\n * many HTTP intermediaries (nginx, some fetch implementations) strip\n * underscored header names \u2014 see RFC 7230 \u00A73.2.6.\n *\n * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md \u00A73.2\n */\nexport const OPTIMISTIC_LOCK_MODULE_ID = 'optimistic_lock'\n\nexport const OPTIMISTIC_LOCK_HEADER_NAME = 'x-om-ext-optimistic-lock-expected-updated-at'\n\nexport const OPTIMISTIC_LOCK_CONFLICT_CODE = 'optimistic_lock_conflict'\n\nexport const OPTIMISTIC_LOCK_CONFLICT_ERROR = 'record_modified'\n\nexport const OPTIMISTIC_LOCK_ENV_VAR = 'OM_OPTIMISTIC_LOCK'\n\nexport const OPTIMISTIC_LOCK_DEFAULT_PRIORITY = 50\n\nexport type OptimisticLockConflictBody = {\n  error: typeof OPTIMISTIC_LOCK_CONFLICT_ERROR\n  code: typeof OPTIMISTIC_LOCK_CONFLICT_CODE\n  currentUpdatedAt: string\n  expectedUpdatedAt: string\n}\n"],
+  "mappings": "AAYO,MAAM,4BAA4B;AAElC,MAAM,8BAA8B;AAEpC,MAAM,gCAAgC;AAEtC,MAAM,iCAAiC;AAEvC,MAAM,0BAA0B;AAEhC,MAAM,mCAAmC;",
+  "names": []
+}

package/dist/lib/crud/optimistic-lock-store.js

@@ -0,0 +1,52 @@
+const GLOBAL_KEY = "__openMercatoOptimisticLockReaders__";
+function readGlobal() {
+  try {
+    const value = globalThis[GLOBAL_KEY];
+    if (value && typeof value === "object") {
+      return value;
+    }
+    return {};
+  } catch {
+    return {};
+  }
+}
+function writeGlobal(value) {
+  try {
+    ;
+    globalThis[GLOBAL_KEY] = value;
+  } catch {
+  }
+}
+function registerOptimisticLockReaders(readers) {
+  const existing = readGlobal();
+  writeGlobal({ ...existing, ...readers });
+}
+function registerOptimisticLockReaderIfAbsent(readers) {
+  const existing = readGlobal();
+  const next = { ...existing };
+  const written = [];
+  for (const [key, reader] of Object.entries(readers)) {
+    if (!(key in existing)) {
+      next[key] = reader;
+      written.push(key);
+    }
+  }
+  if (written.length > 0) writeGlobal(next);
+  return written;
+}
+function getAllOptimisticLockReaders() {
+  return readGlobal();
+}
+function clearOptimisticLockReadersForTests() {
+  try {
+    delete globalThis[GLOBAL_KEY];
+  } catch {
+  }
+}
+export {
+  clearOptimisticLockReadersForTests,
+  getAllOptimisticLockReaders,
+  registerOptimisticLockReaderIfAbsent,
+  registerOptimisticLockReaders
+};
+//# sourceMappingURL=optimistic-lock-store.js.map

package/dist/lib/crud/optimistic-lock-store.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/crud/optimistic-lock-store.ts"],
+  "sourcesContent": ["/**\n * Global registry of OSS optimistic-lock readers keyed by `resourceKind`.\n *\n * Multiple modules can contribute readers without conflicting on the\n * single Awilix `crudMutationGuardService` slot: each module calls\n * `registerOptimisticLockReaders({...})` from its `di.ts` at module-load\n * time, and any one of them can register the\n * `crudMutationGuardService` Awilix binding (Awilix replaces same-key\n * registrations, so the *last loaded* wins \u2014 but every binding points\n * to the same store-backed factory, so the resulting guard set is\n * identical regardless of order).\n *\n * Mirrors the `mutation-guard-store.ts` HMR-safe globalThis pattern.\n *\n * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md\n */\nimport type { OptimisticLockCurrentReader } from './optimistic-lock'\n\nconst GLOBAL_KEY = '__openMercatoOptimisticLockReaders__'\n\nfunction readGlobal(): Record<string, OptimisticLockCurrentReader> {\n  try {\n    const value = (globalThis as Record<string, unknown>)[GLOBAL_KEY]\n    if (value && typeof value === 'object') {\n      return value as Record<string, OptimisticLockCurrentReader>\n    }\n    return {}\n  } catch {\n    return {}\n  }\n}\n\nfunction writeGlobal(value: Record<string, OptimisticLockCurrentReader>): void {\n  try {\n    ;(globalThis as Record<string, unknown>)[GLOBAL_KEY] = value\n  } catch {\n    // ignore global assignment failures in restricted runtimes\n  }\n}\n\n/**\n * Register optimistic-lock readers for one or more `resourceKind` values.\n * Idempotent for same-key calls (later registration overrides earlier).\n */\nexport function registerOptimisticLockReaders(\n  readers: Record<string, OptimisticLockCurrentReader>,\n): void {\n  const existing = readGlobal()\n  writeGlobal({ ...existing, ...readers })\n}\n\n/**\n * Register optimistic-lock readers only for keys that have no reader yet.\n * Use this for fallback / generic registrations (e.g. the auto-registration\n * driven by `makeCrudRoute`) so module-level hand-wired readers \u2014 which\n * register first via `di.ts` \u2014 always win.\n *\n * Returns the set of keys that were actually written, which makes the helper\n * easy to assert on in tests and useful for diagnostics in callers.\n */\nexport function registerOptimisticLockReaderIfAbsent(\n  readers: Record<string, OptimisticLockCurrentReader>,\n): string[] {\n  const existing = readGlobal()\n  const next: Record<string, OptimisticLockCurrentReader> = { ...existing }\n  const written: string[] = []\n  for (const [key, reader] of Object.entries(readers)) {\n    if (!(key in existing)) {\n      next[key] = reader\n      written.push(key)\n    }\n  }\n  if (written.length > 0) writeGlobal(next)\n  return written\n}\n\nexport function getAllOptimisticLockReaders(): Record<string, OptimisticLockCurrentReader> {\n  return readGlobal()\n}\n\nexport function clearOptimisticLockReadersForTests(): void {\n  try {\n    delete (globalThis as Record<string, unknown>)[GLOBAL_KEY]\n  } catch {\n    // ignore\n  }\n}\n"],
+  "mappings": "AAkBA,MAAM,aAAa;AAEnB,SAAS,aAA0D;AACjE,MAAI;AACF,UAAM,QAAS,WAAuC,UAAU;AAChE,QAAI,SAAS,OAAO,UAAU,UAAU;AACtC,aAAO;AAAA,IACT;AACA,WAAO,CAAC;AAAA,EACV,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,YAAY,OAA0D;AAC7E,MAAI;AACF;AAAC,IAAC,WAAuC,UAAU,IAAI;AAAA,EACzD,QAAQ;AAAA,EAER;AACF;AAMO,SAAS,8BACd,SACM;AACN,QAAM,WAAW,WAAW;AAC5B,cAAY,EAAE,GAAG,UAAU,GAAG,QAAQ,CAAC;AACzC;AAWO,SAAS,qCACd,SACU;AACV,QAAM,WAAW,WAAW;AAC5B,QAAM,OAAoD,EAAE,GAAG,SAAS;AACxE,QAAM,UAAoB,CAAC;AAC3B,aAAW,CAAC,KAAK,MAAM,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,QAAI,EAAE,OAAO,WAAW;AACtB,WAAK,GAAG,IAAI;AACZ,cAAQ,KAAK,GAAG;AAAA,IAClB;AAAA,EACF;AACA,MAAI,QAAQ,SAAS,EAAG,aAAY,IAAI;AACxC,SAAO;AACT;AAEO,SAAS,8BAA2E;AACzF,SAAO,WAAW;AACpB;AAEO,SAAS,qCAA2C;AACzD,MAAI;AACF,WAAQ,WAAuC,UAAU;AAAA,EAC3D,QAAQ;AAAA,EAER;AACF;",
+  "names": []
+}

package/dist/lib/crud/optimistic-lock.js

@@ -0,0 +1,172 @@
+import {
+  OPTIMISTIC_LOCK_CONFLICT_CODE,
+  OPTIMISTIC_LOCK_CONFLICT_ERROR,
+  OPTIMISTIC_LOCK_ENV_VAR,
+  OPTIMISTIC_LOCK_HEADER_NAME
+} from "./optimistic-lock-headers.js";
+import { getAllOptimisticLockReaders } from "./optimistic-lock-store.js";
+const OPTIMISTIC_LOCK_OFF_TOKENS = /* @__PURE__ */ new Set([
+  "off",
+  "false",
+  "0",
+  "no",
+  "disabled",
+  "none"
+]);
+function parseOptimisticLockEnv(raw) {
+  if (raw == null) return { mode: "all" };
+  const trimmed = String(raw).trim();
+  if (trimmed === "") return { mode: "all" };
+  const tokens = trimmed.split(",").map((token) => token.trim().toLowerCase()).filter((token) => token.length > 0);
+  if (tokens.length === 0) return { mode: "all" };
+  if (tokens.some((token) => OPTIMISTIC_LOCK_OFF_TOKENS.has(token))) return { mode: "off" };
+  if (tokens.includes("all")) return { mode: "all" };
+  return { mode: "allowlist", entities: new Set(tokens) };
+}
+const defaultResolveExpectedUpdatedAt = ({ expectedFromHeader }) => expectedFromHeader;
+function createGenericOptimisticLockReader(opts) {
+  const idField = opts.idField ?? "id";
+  const tenantField = opts.tenantField === null ? null : opts.tenantField ?? "tenantId";
+  const orgField = opts.orgField === null ? null : opts.orgField ?? "organizationId";
+  const softDeleteField = opts.softDeleteField === null ? null : opts.softDeleteField ?? "deletedAt";
+  const updatedAtField = opts.updatedAtField ?? "updatedAt";
+  const extraFilter = opts.extraFilter ?? {};
+  return async (em, { resourceId, tenantId, organizationId }) => {
+    const filter = { [idField]: resourceId };
+    if (tenantField) filter[tenantField] = tenantId;
+    if (orgField && organizationId) filter[orgField] = organizationId;
+    if (softDeleteField) filter[softDeleteField] = null;
+    for (const [key, value] of Object.entries(extraFilter)) filter[key] = value;
+    try {
+      const row = await em.findOne(opts.entity, filter, {
+        fields: [updatedAtField]
+      });
+      if (!row || typeof row !== "object") return null;
+      const value = row[updatedAtField];
+      if (value instanceof Date) return value.toISOString();
+      if (typeof value === "string" && value.length > 0) return value;
+      return null;
+    } catch {
+      return null;
+    }
+  };
+}
+function readHeader(headers, name) {
+  const direct = headers.get(name);
+  if (typeof direct === "string" && direct.trim().length > 0) return direct.trim();
+  return null;
+}
+function normalizeIsoToken(raw) {
+  const ms = Date.parse(raw);
+  if (!Number.isFinite(ms)) return null;
+  return new Date(ms).toISOString();
+}
+function buildConflictBody(currentIso, expectedIso) {
+  return {
+    error: OPTIMISTIC_LOCK_CONFLICT_ERROR,
+    code: OPTIMISTIC_LOCK_CONFLICT_CODE,
+    currentUpdatedAt: currentIso,
+    expectedUpdatedAt: expectedIso
+  };
+}
+function createOptimisticLockGuardService(opts) {
+  const envValue = opts.envValue !== void 0 ? opts.envValue : process.env[OPTIMISTIC_LOCK_ENV_VAR];
+  const config = parseOptimisticLockEnv(envValue);
+  const resolveExpected = opts.resolveExpected ?? defaultResolveExpectedUpdatedAt;
+  const debugEnabled = process.env.OM_OPTIMISTIC_LOCK_DEBUG === "1";
+  function isEntityEnabled(resourceKind) {
+    if (config.mode === "off") return false;
+    if (config.mode === "all") return true;
+    return config.entities.has(resourceKind.toLowerCase());
+  }
+  async function validateMutation(input) {
+    if (config.mode === "off") {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    if (input.operation !== "update" && input.operation !== "delete") {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    if (!isEntityEnabled(input.resourceKind)) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    const readers = opts.readers ?? getAllOptimisticLockReaders();
+    const reader = readers[input.resourceKind];
+    if (!reader) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    const expectedRaw = readHeader(input.requestHeaders, OPTIMISTIC_LOCK_HEADER_NAME);
+    const resolvedExpected = await resolveExpected({
+      expectedFromHeader: expectedRaw,
+      resourceKind: input.resourceKind,
+      resourceId: input.resourceId
+    });
+    if (resolvedExpected == null) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    const expectedIso = normalizeIsoToken(resolvedExpected);
+    if (expectedIso == null) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    const em = opts.getEm();
+    const currentRaw = await reader(em, {
+      resourceKind: input.resourceKind,
+      resourceId: input.resourceId,
+      tenantId: input.tenantId,
+      organizationId: input.organizationId ?? null
+    });
+    if (currentRaw == null) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    const currentIso = normalizeIsoToken(currentRaw);
+    if (currentIso == null) {
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    if (currentIso === expectedIso) {
+      if (debugEnabled) {
+        console.log("[optimistic-lock] match", {
+          resourceKind: input.resourceKind,
+          resourceId: input.resourceId,
+          operation: input.operation,
+          currentIso,
+          expectedIso
+        });
+      }
+      return { ok: true, shouldRunAfterSuccess: false };
+    }
+    if (debugEnabled) {
+      console.log("[optimistic-lock] CONFLICT", {
+        resourceKind: input.resourceKind,
+        resourceId: input.resourceId,
+        operation: input.operation,
+        tenantId: input.tenantId,
+        organizationId: input.organizationId ?? null,
+        expectedRaw: resolvedExpected,
+        expectedIso,
+        currentRaw,
+        currentIso
+      });
+    }
+    return {
+      ok: false,
+      status: 409,
+      body: buildConflictBody(currentIso, expectedIso)
+    };
+  }
+  async function afterMutationSuccess(_input) {
+  }
+  function getConfig() {
+    return config;
+  }
+  return {
+    validateMutation,
+    afterMutationSuccess,
+    getConfig
+  };
+}
+export {
+  createGenericOptimisticLockReader,
+  createOptimisticLockGuardService,
+  normalizeIsoToken,
+  parseOptimisticLockEnv
+};
+//# sourceMappingURL=optimistic-lock.js.map

package/dist/lib/crud/optimistic-lock.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/lib/crud/optimistic-lock.ts"],
+  "sourcesContent": ["/**\n * OSS optimistic-locking guard service.\n *\n * Registered as `crudMutationGuardService` (by the platform DI bootstrap and\n * by hand-wiring modules that override the default reader). Compares the\n * client-sent expected `updated_at` (carried via the extension header\n * defined in `optimistic-lock-headers.ts`) against the current DB\n * `updated_at` for the target entity; on mismatch returns HTTP 409 with the\n * structured `OptimisticLockConflictBody`.\n *\n * **Default ON** (Phase 14, 2026-05-27). Activate / scope / disable via\n * `OM_OPTIMISTIC_LOCK`:\n *   - unset / empty / whitespace    \u2192 ON for every CRUD entity (`{ mode: 'all' }`)\n *   - `all`                         \u2192 all entities (explicit form of the default)\n *   - `customers.company,sales.order` \u2192 allow-list (lowercased, trimmed, deduped)\n *   - `off` / `false` / `0` / `no` / `disabled` / `none` \u2192 fully disabled\n *\n * The guard is still strictly additive at runtime: clients that do not send\n * the `x-om-ext-optimistic-lock-expected-updated-at` header pass through\n * unchanged, so flipping the default to ON cannot introduce new 409s on\n * existing API consumers. Pages that opt into the round-trip (via\n * `CrudForm`'s `optimisticLockUpdatedAt` prop or by calling\n * `buildOptimisticLockHeader`) gain protection without any per-deployment\n * env change.\n *\n * Cannot be registered as a static `data/guards.ts` `MutationGuard` because\n * the static `validate(input)` receives only `MutationGuardInput` \u2014 no\n * container / em access. Stateful checks that need to read current DB state\n * MUST go through the DI service path (this file).\n *\n * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md\n */\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport type {\n  CrudMutationGuardValidateInput,\n  CrudMutationGuardValidationResult,\n  CrudMutationGuardAfterSuccessInput,\n} from './mutation-guard'\nimport {\n  OPTIMISTIC_LOCK_CONFLICT_CODE,\n  OPTIMISTIC_LOCK_CONFLICT_ERROR,\n  OPTIMISTIC_LOCK_ENV_VAR,\n  OPTIMISTIC_LOCK_HEADER_NAME,\n  type OptimisticLockConflictBody,\n} from './optimistic-lock-headers'\nimport { getAllOptimisticLockReaders } from './optimistic-lock-store'\n\nexport type OptimisticLockConfig =\n  | { mode: 'off' }\n  | { mode: 'all' }\n  | { mode: 'allowlist'; entities: ReadonlySet<string> }\n\n/**\n * Tokens (case-insensitive, single-token-only) that explicitly disable the\n * guard. Spelled out as a fixed set so tests can pin them; deliberately the\n * same shape `parseBooleanToken` recognises so operators can mirror existing\n * habit. Mixing an off-token with other entities is invalid input \u2014 we treat\n * any presence of an off-token in the comma list as a request to disable.\n */\nconst OPTIMISTIC_LOCK_OFF_TOKENS: ReadonlySet<string> = new Set([\n  'off',\n  'false',\n  '0',\n  'no',\n  'disabled',\n  'none',\n])\n\n/**\n * Pure parser for `OM_OPTIMISTIC_LOCK`. Exported separately so tests can\n * exercise the grammar without spinning up the full service.\n *\n * Default is **ON** (`{ mode: 'all' }`) \u2014 unset / empty / whitespace input\n * activates the guard for every CRUD entity. Operators opt out via\n * `OM_OPTIMISTIC_LOCK=off` (or `false` / `0` / `no` / `disabled` / `none`).\n */\nexport function parseOptimisticLockEnv(raw: string | undefined | null): OptimisticLockConfig {\n  if (raw == null) return { mode: 'all' }\n  const trimmed = String(raw).trim()\n  if (trimmed === '') return { mode: 'all' }\n\n  const tokens = trimmed\n    .split(',')\n    .map((token) => token.trim().toLowerCase())\n    .filter((token) => token.length > 0)\n\n  if (tokens.length === 0) return { mode: 'all' }\n  if (tokens.some((token) => OPTIMISTIC_LOCK_OFF_TOKENS.has(token))) return { mode: 'off' }\n  if (tokens.includes('all')) return { mode: 'all' }\n\n  return { mode: 'allowlist', entities: new Set(tokens) }\n}\n\nexport type OptimisticLockResolverInput = {\n  expectedFromHeader: string | null\n  resourceKind: string\n  resourceId: string\n}\n\n/**\n * Hook reserved for the enterprise `record_locks` module to override token\n * resolution (e.g. read the expected token from a lock record instead of\n * the request header). OSS keeps the default = \"what the client sent\".\n *\n * Documented as part of the enterprise extension contract; not used in OSS\n * itself.\n */\nexport type ResolveExpectedUpdatedAt = (\n  input: OptimisticLockResolverInput,\n) => Promise<string | null> | string | null\n\nconst defaultResolveExpectedUpdatedAt: ResolveExpectedUpdatedAt = ({ expectedFromHeader }) =>\n  expectedFromHeader\n\nexport type OptimisticLockCurrentReader = (\n  em: EntityManager,\n  input: { resourceKind: string; resourceId: string; tenantId: string; organizationId: string | null },\n) => Promise<string | null>\n\nexport type GenericOptimisticLockReaderOptions = {\n  /** MikroORM entity class. */\n  entity: unknown\n  /** Primary key field. Defaults to `id`. */\n  idField?: string\n  /** Tenant scope field. Defaults to `tenantId`. Pass `null` to skip tenant scoping (rare \u2014 only when the entity itself has no `tenantId` column). */\n  tenantField?: string | null\n  /** Organization scope field. Defaults to `organizationId`. Pass `null` to skip organization scoping. */\n  orgField?: string | null\n  /** Soft-delete column. Defaults to `deletedAt`. Pass `null` to skip the implicit not-deleted filter. */\n  softDeleteField?: string | null\n  /** Optional fixed filter merged into every query (e.g. `{ kind: 'company' }` for a discriminated table). */\n  extraFilter?: Record<string, unknown>\n  /** Optional ORM field name carrying the timestamp. Defaults to `updatedAt`. */\n  updatedAtField?: string\n}\n\n/**\n * Build a generic optimistic-lock reader for any ORM entity that follows the\n * platform conventions (`id` + `tenantId` + `organizationId` + `deletedAt` +\n * `updatedAt`). The reader projects only the timestamp column so PII never\n * materializes.\n *\n * Used by `makeCrudRoute` to auto-register one reader per CRUD route at\n * module-load time (see Phase 13 of the OSS optimistic-locking spec).\n * Module authors who need bespoke filtering (e.g. discriminator on a shared\n * table) keep registering their own reader via `registerOptimisticLockReaders`\n * \u2014 those hand-wired registrations win because they land first.\n *\n * Fail-open contract: if the underlying `findOne` throws (missing column,\n * schema drift, mid-migration) the reader returns `null`, which the guard\n * treats as \"entity already gone\" and lets the CRUD path's own 404 fire.\n * We MUST NOT throw out of the reader \u2014 that would 500 every mutation on\n * the affected entity instead of opting it out of the optimistic check.\n */\nexport function createGenericOptimisticLockReader(\n  opts: GenericOptimisticLockReaderOptions,\n): OptimisticLockCurrentReader {\n  const idField = opts.idField ?? 'id'\n  const tenantField = opts.tenantField === null ? null : opts.tenantField ?? 'tenantId'\n  const orgField = opts.orgField === null ? null : opts.orgField ?? 'organizationId'\n  const softDeleteField = opts.softDeleteField === null ? null : opts.softDeleteField ?? 'deletedAt'\n  const updatedAtField = opts.updatedAtField ?? 'updatedAt'\n  const extraFilter = opts.extraFilter ?? {}\n\n  return async (em, { resourceId, tenantId, organizationId }) => {\n    const filter: Record<string, unknown> = { [idField]: resourceId }\n    if (tenantField) filter[tenantField] = tenantId\n    if (orgField && organizationId) filter[orgField] = organizationId\n    if (softDeleteField) filter[softDeleteField] = null\n    for (const [key, value] of Object.entries(extraFilter)) filter[key] = value\n\n    try {\n      const row = await em.findOne(opts.entity as never, filter as never, {\n        fields: [updatedAtField] as never,\n      })\n      if (!row || typeof row !== 'object') return null\n      const value = (row as Record<string, unknown>)[updatedAtField]\n      if (value instanceof Date) return value.toISOString()\n      if (typeof value === 'string' && value.length > 0) return value\n      return null\n    } catch {\n      return null\n    }\n  }\n}\n\nexport type OptimisticLockGuardOptions = {\n  /** EntityManager resolver. Container-bound via DI in real usage. */\n  getEm: () => EntityManager\n  /**\n   * Maps `resourceKind` \u2192 reader that returns the current\n   * `updated_at` as an ISO string (or null when not found).\n   *\n   * The reader receives the EM so module authors can choose the\n   * right `findOne` shape for their entity (`findOneWithDecryption`\n   * when sensitive, plain `findOne` otherwise \u2014 but only requesting\n   * `updated_at` so no PII materializes).\n   *\n   * When omitted, the service pulls readers from the shared\n   * `optimistic-lock-store` (the recommended pattern for multi-module\n   * deployments \u2014 each module registers its own readers via\n   * `registerOptimisticLockReaders(...)` at module-load time).\n   */\n  readers?: Record<string, OptimisticLockCurrentReader>\n  /** Override env source (mostly for tests). Defaults to `process.env`. */\n  envValue?: string | null\n  /** Override the token resolver. Defaults to \"use the header value\". */\n  resolveExpected?: ResolveExpectedUpdatedAt\n}\n\nexport type OptimisticLockGuardService = {\n  validateMutation: (input: CrudMutationGuardValidateInput) => Promise<CrudMutationGuardValidationResult>\n  afterMutationSuccess: (input: CrudMutationGuardAfterSuccessInput) => Promise<void>\n  /** Exposed for tests / introspection. */\n  getConfig: () => OptimisticLockConfig\n}\n\nfunction readHeader(headers: Headers, name: string): string | null {\n  const direct = headers.get(name)\n  if (typeof direct === 'string' && direct.trim().length > 0) return direct.trim()\n  return null\n}\n\n/**\n * Normalize an `updated_at` token to a canonical ISO-8601 string, or `null`\n * when the input cannot be parsed. Exported so the command-level helper\n * (`optimistic-lock-command.ts`) compares timestamps with the EXACT same\n * normalization as the CRUD guard \u2014 otherwise the same instant could compare\n * unequal across the two paths.\n */\nexport function normalizeIsoToken(raw: string): string | null {\n  const ms = Date.parse(raw)\n  if (!Number.isFinite(ms)) return null\n  return new Date(ms).toISOString()\n}\n\nfunction buildConflictBody(currentIso: string, expectedIso: string): OptimisticLockConflictBody {\n  return {\n    error: OPTIMISTIC_LOCK_CONFLICT_ERROR,\n    code: OPTIMISTIC_LOCK_CONFLICT_CODE,\n    currentUpdatedAt: currentIso,\n    expectedUpdatedAt: expectedIso,\n  }\n}\n\n/**\n * Factory for the optimistic-lock guard service.\n *\n * Usage from a module's `di.ts`:\n *\n * ```ts\n * import { asFunction } from 'awilix'\n * import { createOptimisticLockGuardService } from '@open-mercato/shared/lib/crud/optimistic-lock'\n *\n * container.register({\n *   crudMutationGuardService: asFunction((cradle) => createOptimisticLockGuardService({\n *     getEm: () => cradle.em,\n *     readers: {\n *       'customers.company': async (em, { resourceId, tenantId }) => {\n *         const row = await em.findOne(Company, { id: resourceId, tenantId }, { fields: ['updatedAt'] })\n *         return row?.updatedAt ? row.updatedAt.toISOString() : null\n *       },\n *     },\n *   })).singleton(),\n * })\n * ```\n */\nexport function createOptimisticLockGuardService(\n  opts: OptimisticLockGuardOptions,\n): OptimisticLockGuardService {\n  const envValue = opts.envValue !== undefined ? opts.envValue : process.env[OPTIMISTIC_LOCK_ENV_VAR]\n  const config = parseOptimisticLockEnv(envValue)\n  const resolveExpected = opts.resolveExpected ?? defaultResolveExpectedUpdatedAt\n  const debugEnabled = process.env.OM_OPTIMISTIC_LOCK_DEBUG === '1'\n\n  function isEntityEnabled(resourceKind: string): boolean {\n    if (config.mode === 'off') return false\n    if (config.mode === 'all') return true\n    return config.entities.has(resourceKind.toLowerCase())\n  }\n\n  async function validateMutation(\n    input: CrudMutationGuardValidateInput,\n  ): Promise<CrudMutationGuardValidationResult> {\n    if (config.mode === 'off') {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n    if (input.operation !== 'update' && input.operation !== 'delete') {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n    if (!isEntityEnabled(input.resourceKind)) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n    const readers = opts.readers ?? getAllOptimisticLockReaders()\n    const reader = readers[input.resourceKind]\n    if (!reader) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n\n    const expectedRaw = readHeader(input.requestHeaders, OPTIMISTIC_LOCK_HEADER_NAME)\n    const resolvedExpected = await resolveExpected({\n      expectedFromHeader: expectedRaw,\n      resourceKind: input.resourceKind,\n      resourceId: input.resourceId,\n    })\n    if (resolvedExpected == null) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n\n    const expectedIso = normalizeIsoToken(resolvedExpected)\n    if (expectedIso == null) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n\n    const em = opts.getEm()\n    const currentRaw = await reader(em, {\n      resourceKind: input.resourceKind,\n      resourceId: input.resourceId,\n      tenantId: input.tenantId,\n      organizationId: input.organizationId ?? null,\n    })\n    if (currentRaw == null) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n    const currentIso = normalizeIsoToken(currentRaw)\n    if (currentIso == null) {\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n\n    if (currentIso === expectedIso) {\n      if (debugEnabled) {\n        // eslint-disable-next-line no-console\n        console.log('[optimistic-lock] match', {\n          resourceKind: input.resourceKind,\n          resourceId: input.resourceId,\n          operation: input.operation,\n          currentIso,\n          expectedIso,\n        })\n      }\n      return { ok: true, shouldRunAfterSuccess: false }\n    }\n\n    if (debugEnabled) {\n      // eslint-disable-next-line no-console\n      console.log('[optimistic-lock] CONFLICT', {\n        resourceKind: input.resourceKind,\n        resourceId: input.resourceId,\n        operation: input.operation,\n        tenantId: input.tenantId,\n        organizationId: input.organizationId ?? null,\n        expectedRaw: resolvedExpected,\n        expectedIso,\n        currentRaw,\n        currentIso,\n      })\n    }\n\n    return {\n      ok: false,\n      status: 409,\n      body: buildConflictBody(currentIso, expectedIso),\n    }\n  }\n\n  async function afterMutationSuccess(_input: CrudMutationGuardAfterSuccessInput): Promise<void> {\n    // no-op: optimistic check has no post-success cleanup\n  }\n\n  function getConfig(): OptimisticLockConfig {\n    return config\n  }\n\n  return {\n    validateMutation,\n    afterMutationSuccess,\n    getConfig,\n  }\n}\n"],
+  "mappings": "AAsCA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP,SAAS,mCAAmC;AAc5C,MAAM,6BAAkD,oBAAI,IAAI;AAAA,EAC9D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAUM,SAAS,uBAAuB,KAAsD;AAC3F,MAAI,OAAO,KAAM,QAAO,EAAE,MAAM,MAAM;AACtC,QAAM,UAAU,OAAO,GAAG,EAAE,KAAK;AACjC,MAAI,YAAY,GAAI,QAAO,EAAE,MAAM,MAAM;AAEzC,QAAM,SAAS,QACZ,MAAM,GAAG,EACT,IAAI,CAAC,UAAU,MAAM,KAAK,EAAE,YAAY,CAAC,EACzC,OAAO,CAAC,UAAU,MAAM,SAAS,CAAC;AAErC,MAAI,OAAO,WAAW,EAAG,QAAO,EAAE,MAAM,MAAM;AAC9C,MAAI,OAAO,KAAK,CAAC,UAAU,2BAA2B,IAAI,KAAK,CAAC,EAAG,QAAO,EAAE,MAAM,MAAM;AACxF,MAAI,OAAO,SAAS,KAAK,EAAG,QAAO,EAAE,MAAM,MAAM;AAEjD,SAAO,EAAE,MAAM,aAAa,UAAU,IAAI,IAAI,MAAM,EAAE;AACxD;AAoBA,MAAM,kCAA4D,CAAC,EAAE,mBAAmB,MACtF;AA0CK,SAAS,kCACd,MAC6B;AAC7B,QAAM,UAAU,KAAK,WAAW;AAChC,QAAM,cAAc,KAAK,gBAAgB,OAAO,OAAO,KAAK,eAAe;AAC3E,QAAM,WAAW,KAAK,aAAa,OAAO,OAAO,KAAK,YAAY;AAClE,QAAM,kBAAkB,KAAK,oBAAoB,OAAO,OAAO,KAAK,mBAAmB;AACvF,QAAM,iBAAiB,KAAK,kBAAkB;AAC9C,QAAM,cAAc,KAAK,eAAe,CAAC;AAEzC,SAAO,OAAO,IAAI,EAAE,YAAY,UAAU,eAAe,MAAM;AAC7D,UAAM,SAAkC,EAAE,CAAC,OAAO,GAAG,WAAW;AAChE,QAAI,YAAa,QAAO,WAAW,IAAI;AACvC,QAAI,YAAY,eAAgB,QAAO,QAAQ,IAAI;AACnD,QAAI,gBAAiB,QAAO,eAAe,IAAI;AAC/C,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,WAAW,EAAG,QAAO,GAAG,IAAI;AAEtE,QAAI;AACF,YAAM,MAAM,MAAM,GAAG,QAAQ,KAAK,QAAiB,QAAiB;AAAA,QAClE,QAAQ,CAAC,cAAc;AAAA,MACzB,CAAC;AACD,UAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,YAAM,QAAS,IAAgC,cAAc;AAC7D,UAAI,iBAAiB,KAAM,QAAO,MAAM,YAAY;AACpD,UAAI,OAAO,UAAU,YAAY,MAAM,SAAS,EAAG,QAAO;AAC1D,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAiCA,SAAS,WAAW,SAAkB,MAA6B;AACjE,QAAM,SAAS,QAAQ,IAAI,IAAI;AAC/B,MAAI,OAAO,WAAW,YAAY,OAAO,KAAK,EAAE,SAAS,EAAG,QAAO,OAAO,KAAK;AAC/E,SAAO;AACT;AASO,SAAS,kBAAkB,KAA4B;AAC5D,QAAM,KAAK,KAAK,MAAM,GAAG;AACzB,MAAI,CAAC,OAAO,SAAS,EAAE,EAAG,QAAO;AACjC,SAAO,IAAI,KAAK,EAAE,EAAE,YAAY;AAClC;AAEA,SAAS,kBAAkB,YAAoB,aAAiD;AAC9F,SAAO;AAAA,IACL,OAAO;AAAA,IACP,MAAM;AAAA,IACN,kBAAkB;AAAA,IAClB,mBAAmB;AAAA,EACrB;AACF;AAwBO,SAAS,iCACd,MAC4B;AAC5B,QAAM,WAAW,KAAK,aAAa,SAAY,KAAK,WAAW,QAAQ,IAAI,uBAAuB;AAClG,QAAM,SAAS,uBAAuB,QAAQ;AAC9C,QAAM,kBAAkB,KAAK,mBAAmB;AAChD,QAAM,eAAe,QAAQ,IAAI,6BAA6B;AAE9D,WAAS,gBAAgB,cAA+B;AACtD,QAAI,OAAO,SAAS,MAAO,QAAO;AAClC,QAAI,OAAO,SAAS,MAAO,QAAO;AAClC,WAAO,OAAO,SAAS,IAAI,aAAa,YAAY,CAAC;AAAA,EACvD;AAEA,iBAAe,iBACb,OAC4C;AAC5C,QAAI,OAAO,SAAS,OAAO;AACzB,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AACA,QAAI,MAAM,cAAc,YAAY,MAAM,cAAc,UAAU;AAChE,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AACA,QAAI,CAAC,gBAAgB,MAAM,YAAY,GAAG;AACxC,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AACA,UAAM,UAAU,KAAK,WAAW,4BAA4B;AAC5D,UAAM,SAAS,QAAQ,MAAM,YAAY;AACzC,QAAI,CAAC,QAAQ;AACX,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AAEA,UAAM,cAAc,WAAW,MAAM,gBAAgB,2BAA2B;AAChF,UAAM,mBAAmB,MAAM,gBAAgB;AAAA,MAC7C,oBAAoB;AAAA,MACpB,cAAc,MAAM;AAAA,MACpB,YAAY,MAAM;AAAA,IACpB,CAAC;AACD,QAAI,oBAAoB,MAAM;AAC5B,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AAEA,UAAM,cAAc,kBAAkB,gBAAgB;AACtD,QAAI,eAAe,MAAM;AACvB,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AAEA,UAAM,KAAK,KAAK,MAAM;AACtB,UAAM,aAAa,MAAM,OAAO,IAAI;AAAA,MAClC,cAAc,MAAM;AAAA,MACpB,YAAY,MAAM;AAAA,MAClB,UAAU,MAAM;AAAA,MAChB,gBAAgB,MAAM,kBAAkB;AAAA,IAC1C,CAAC;AACD,QAAI,cAAc,MAAM;AACtB,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AACA,UAAM,aAAa,kBAAkB,UAAU;AAC/C,QAAI,cAAc,MAAM;AACtB,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AAEA,QAAI,eAAe,aAAa;AAC9B,UAAI,cAAc;AAEhB,gBAAQ,IAAI,2BAA2B;AAAA,UACrC,cAAc,MAAM;AAAA,UACpB,YAAY,MAAM;AAAA,UAClB,WAAW,MAAM;AAAA,UACjB;AAAA,UACA;AAAA,QACF,CAAC;AAAA,MACH;AACA,aAAO,EAAE,IAAI,MAAM,uBAAuB,MAAM;AAAA,IAClD;AAEA,QAAI,cAAc;AAEhB,cAAQ,IAAI,8BAA8B;AAAA,QACxC,cAAc,MAAM;AAAA,QACpB,YAAY,MAAM;AAAA,QAClB,WAAW,MAAM;AAAA,QACjB,UAAU,MAAM;AAAA,QAChB,gBAAgB,MAAM,kBAAkB;AAAA,QACxC,aAAa;AAAA,QACb;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,MAAM,kBAAkB,YAAY,WAAW;AAAA,IACjD;AAAA,EACF;AAEA,iBAAe,qBAAqB,QAA2D;AAAA,EAE/F;AAEA,WAAS,YAAkC;AACzC,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/lib/data/engine.js

@@ -389,7 +389,7 @@ class DefaultDataEngine {
         enrichedPayload.crudAction = action;
         if (coverageBaseDelta !== void 0) enrichedPayload.coverageBaseDelta = coverageBaseDelta;
         if (ctx.syncOrigin) enrichedPayload.syncOrigin = ctx.syncOrigin;
-        void bus.emitEvent("query_index.delete_one", enrichedPayload).catch((err) => {
+        await bus.emitEvent("query_index.delete_one", enrichedPayload).catch((err) => {
           console.error("[data-engine] query_index.delete_one emit failed", err);
         });
       } else {
@@ -403,7 +403,7 @@ class DefaultDataEngine {
         enrichedPayload.crudAction = action;
         if (coverageBaseDelta !== void 0) enrichedPayload.coverageBaseDelta = coverageBaseDelta;
         if (ctx.syncOrigin) enrichedPayload.syncOrigin = ctx.syncOrigin;
-        void bus.emitEvent("query_index.upsert_one", enrichedPayload).catch((err) => {
+        await bus.emitEvent("query_index.upsert_one", enrichedPayload).catch((err) => {
           console.error("[data-engine] query_index.upsert_one emit failed", err);
         });
       }