@open-mercato/storage-s3 0.6.2-canary.3404.1.2312fbb315

package/.turbo/turbo-build.log

@@ -0,0 +1,2 @@
+Found 16 entry points
+storage-s3 built successfully

package/build.mjs

@@ -0,0 +1,70 @@
+import * as esbuild from 'esbuild'
+import { glob } from 'glob'
+import { readFileSync, writeFileSync, existsSync } from 'node:fs'
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+
+const entryPoints = await glob('src/**/*.{ts,tsx}', {
+  cwd: __dirname,
+  ignore: ['**/__tests__/**', '**/*.test.ts', '**/*.test.tsx'],
+  absolute: true,
+})
+
+if (entryPoints.length === 0) {
+  console.error('No entry points found!')
+  process.exit(1)
+}
+
+console.log(`Found ${entryPoints.length} entry points`)
+
+const addJsExtension = {
+  name: 'add-js-extension',
+  setup(build) {
+    build.onEnd(async (result) => {
+      if (result.errors.length > 0) return
+      const outputFiles = await glob('dist/**/*.js', { cwd: __dirname, absolute: true })
+      for (const file of outputFiles) {
+        const fileDir = dirname(file)
+        let content = readFileSync(file, 'utf-8')
+        content = content.replace(
+          /from\s+["'](\.[^"']+)["']/g,
+          (match, path) => {
+            if (path.endsWith('.js') || path.endsWith('.json')) return match
+            const resolvedPath = join(fileDir, path)
+            if (existsSync(resolvedPath) && existsSync(join(resolvedPath, 'index.js'))) {
+              return `from "${path}/index.js"`
+            }
+            return `from "${path}.js"`
+          }
+        )
+        content = content.replace(
+          /import\s*\(\s*["'](\.[^"']+)["']\s*\)/g,
+          (match, path) => {
+            if (path.endsWith('.js') || path.endsWith('.json')) return match
+            const resolvedPath = join(fileDir, path)
+            if (existsSync(resolvedPath) && existsSync(join(resolvedPath, 'index.js'))) {
+              return `import("${path}/index.js")`
+            }
+            return `import("${path}.js")`
+          }
+        )
+        writeFileSync(file, content)
+      }
+    })
+  }
+}
+
+await esbuild.build({
+  entryPoints,
+  outdir: 'dist',
+  format: 'esm',
+  platform: 'node',
+  target: 'node18',
+  sourcemap: true,
+  jsx: 'automatic',
+  plugins: [addJsExtension],
+})
+
+console.log('storage-s3 built successfully')

package/dist/index.js

@@ -0,0 +1,2 @@
+export * from "./modules/storage_s3/integration.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/index.ts"],
+  "sourcesContent": ["export * from './modules/storage_s3/integration'\n"],
+  "mappings": "AAAA,cAAc;",
+  "names": []
+}

package/dist/modules/storage_s3/acl.js

@@ -0,0 +1,13 @@
+const features = [
+  {
+    id: "storage_providers.manage",
+    title: "Manage storage providers",
+    module: "storage_s3"
+  }
+];
+var acl_default = features;
+export {
+  acl_default as default,
+  features
+};
+//# sourceMappingURL=acl.js.map

package/dist/modules/storage_s3/acl.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/modules/storage_s3/acl.ts"],
+  "sourcesContent": ["export const features = [\n  {\n    id: 'storage_providers.manage',\n    title: 'Manage storage providers',\n    module: 'storage_s3',\n  },\n]\n\nexport default features\n"],
+  "mappings": "AAAO,MAAM,WAAW;AAAA,EACtB;AAAA,IACE,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,QAAQ;AAAA,EACV;AACF;AAEA,IAAO,cAAQ;",
+  "names": []
+}

package/dist/modules/storage_s3/api/delete/storage-providers/s3/delete.js

@@ -0,0 +1,68 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { S3StorageDriver } from "../../../../lib/s3-driver.js";
+const metadata = {
+  path: "/storage-providers/s3/delete",
+  DELETE: { requireAuth: true, requireFeatures: ["storage_providers.manage"] }
+};
+const requestSchema = z.object({
+  key: z.string().min(1)
+});
+async function resolveDriver(tenantId, orgId) {
+  const { resolve } = await createRequestContainer();
+  const credentialsService = resolve("integrationCredentialsService");
+  const creds = await credentialsService.resolve("storage_s3", { tenantId, organizationId: orgId });
+  if (!creds) return null;
+  return new S3StorageDriver(creds);
+}
+function isKeyScoped(key, orgId, tenantId) {
+  const parts = key.split("/");
+  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`;
+}
+async function DELETE(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId || !auth.orgId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const json = await req.json().catch(() => null);
+  const parsed = requestSchema.safeParse(json);
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid payload" }, { status: 400 });
+  }
+  if (!isKeyScoped(parsed.data.key, auth.orgId, auth.tenantId)) {
+    return NextResponse.json({ error: "Access denied: key is not scoped to this tenant." }, { status: 403 });
+  }
+  const driver = await resolveDriver(auth.tenantId, auth.orgId);
+  if (!driver) {
+    return NextResponse.json({ error: "S3 integration is not configured." }, { status: 400 });
+  }
+  await driver.delete("", parsed.data.key);
+  return new NextResponse(null, { status: 204 });
+}
+var delete_default = DELETE;
+const openApi = {
+  tag: "Storage",
+  summary: "Delete file from S3",
+  methods: {
+    DELETE: {
+      summary: "Delete a file from S3 by key",
+      description: "Permanently removes the object at the given key from the configured S3 bucket.",
+      requestBody: { contentType: "application/json", schema: requestSchema },
+      responses: [{ status: 204, description: "File deleted", schema: z.null() }],
+      errors: [
+        { status: 400, description: "Invalid payload or S3 not configured", schema: z.object({ error: z.string() }) },
+        { status: 401, description: "Unauthorized", schema: z.object({ error: z.string() }) },
+        { status: 403, description: "Key not scoped to this tenant", schema: z.object({ error: z.string() }) }
+      ]
+    }
+  }
+};
+export {
+  DELETE,
+  delete_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=delete.js.map

package/dist/modules/storage_s3/api/delete/storage-providers/s3/delete.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/storage_s3/api/delete/storage-providers/s3/delete.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { S3StorageDriver } from '../../../../lib/s3-driver'\n\nexport const metadata = {\n  path: '/storage-providers/s3/delete',\n  DELETE: { requireAuth: true, requireFeatures: ['storage_providers.manage'] },\n}\n\nconst requestSchema = z.object({\n  key: z.string().min(1),\n})\n\nasync function resolveDriver(tenantId: string, orgId: string): Promise<S3StorageDriver | null> {\n  const { resolve } = await createRequestContainer()\n  const credentialsService = resolve('integrationCredentialsService') as {\n    resolve(integrationId: string, scope: { tenantId: string; organizationId: string }): Promise<Record<string, unknown> | null>\n  }\n  const creds = await credentialsService.resolve('storage_s3', { tenantId, organizationId: orgId })\n  if (!creds) return null\n  return new S3StorageDriver(creds)\n}\n\nfunction isKeyScoped(key: string, orgId: string, tenantId: string): boolean {\n  const parts = key.split('/')\n  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`\n}\n\nexport async function DELETE(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const json = await req.json().catch(() => null)\n  const parsed = requestSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n\n  if (!isKeyScoped(parsed.data.key, auth.orgId, auth.tenantId)) {\n    return NextResponse.json({ error: 'Access denied: key is not scoped to this tenant.' }, { status: 403 })\n  }\n\n  const driver = await resolveDriver(auth.tenantId, auth.orgId)\n  if (!driver) {\n    return NextResponse.json({ error: 'S3 integration is not configured.' }, { status: 400 })\n  }\n\n  await driver.delete('', parsed.data.key)\n  return new NextResponse(null, { status: 204 })\n}\n\nexport default DELETE\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Storage',\n  summary: 'Delete file from S3',\n  methods: {\n    DELETE: {\n      summary: 'Delete a file from S3 by key',\n      description: 'Permanently removes the object at the given key from the configured S3 bucket.',\n      requestBody: { contentType: 'application/json', schema: requestSchema },\n      responses: [{ status: 204, description: 'File deleted', schema: z.null() }],\n      errors: [\n        { status: 400, description: 'Invalid payload or S3 not configured', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n        { status: 403, description: 'Key not scoped to this tenant', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAEzB,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,0BAA0B,EAAE;AAC7E;AAEA,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC;AACvB,CAAC;AAED,eAAe,cAAc,UAAkB,OAAgD;AAC7F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,qBAAqB,QAAQ,+BAA+B;AAGlE,QAAM,QAAQ,MAAM,mBAAmB,QAAQ,cAAc,EAAE,UAAU,gBAAgB,MAAM,CAAC;AAChG,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,IAAI,gBAAgB,KAAK;AAClC;AAEA,SAAS,YAAY,KAAa,OAAe,UAA2B;AAC1E,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,SAAO,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,OAAO,KAAK,MAAM,MAAM,CAAC,MAAM,UAAU,QAAQ;AAC5F;AAEA,eAAsB,OAAO,KAAc;AACzC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,YAAY,CAAC,KAAK,OAAO;AAClC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,QAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,MAAI,CAAC,YAAY,OAAO,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,GAAG;AAC5D,WAAO,aAAa,KAAK,EAAE,OAAO,mDAAmD,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,SAAS,MAAM,cAAc,KAAK,UAAU,KAAK,KAAK;AAC5D,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AAEA,QAAM,OAAO,OAAO,IAAI,OAAO,KAAK,GAAG;AACvC,SAAO,IAAI,aAAa,MAAM,EAAE,QAAQ,IAAI,CAAC;AAC/C;AAEA,IAAO,iBAAQ;AAER,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa,EAAE,aAAa,oBAAoB,QAAQ,cAAc;AAAA,MACtE,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,KAAK,EAAE,CAAC;AAAA,MAC1E,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QAC5G,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACvG;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/storage_s3/api/get/storage-providers/s3/download.js

@@ -0,0 +1,79 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { S3StorageDriver } from "../../../../lib/s3-driver.js";
+const metadata = {
+  path: "/storage-providers/s3/download",
+  GET: { requireAuth: true, requireFeatures: ["storage_providers.manage"] }
+};
+async function resolveDriver(tenantId, orgId) {
+  const { resolve } = await createRequestContainer();
+  const credentialsService = resolve("integrationCredentialsService");
+  const creds = await credentialsService.resolve("storage_s3", { tenantId, organizationId: orgId });
+  if (!creds) return null;
+  return new S3StorageDriver(creds);
+}
+function isKeyScoped(key, orgId, tenantId) {
+  const parts = key.split("/");
+  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`;
+}
+async function GET(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId || !auth.orgId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const key = new URL(req.url).searchParams.get("key");
+  if (!key) {
+    return NextResponse.json({ error: "key query param is required" }, { status: 400 });
+  }
+  if (!isKeyScoped(key, auth.orgId, auth.tenantId)) {
+    return NextResponse.json({ error: "Access denied: key is not scoped to this tenant." }, { status: 403 });
+  }
+  const driver = await resolveDriver(auth.tenantId, auth.orgId);
+  if (!driver) {
+    return NextResponse.json({ error: "S3 integration is not configured." }, { status: 400 });
+  }
+  let buffer;
+  let contentType;
+  try {
+    const result = await driver.read("", key);
+    buffer = result.buffer;
+    contentType = result.contentType;
+  } catch {
+    return NextResponse.json({ error: "File not found" }, { status: 404 });
+  }
+  return new NextResponse(new Uint8Array(buffer), {
+    status: 200,
+    headers: {
+      "Content-Type": contentType ?? "application/octet-stream",
+      "Content-Length": String(buffer.length)
+    }
+  });
+}
+var download_default = GET;
+const openApi = {
+  tag: "Storage",
+  summary: "Download file from S3",
+  methods: {
+    GET: {
+      summary: "Download a file from S3 by key",
+      description: "Streams the file content for the given S3 key. Requires storage_providers.manage feature.",
+      query: z.object({ key: z.string().describe("S3 object key") }),
+      responses: [{ status: 200, description: "File content stream", schema: z.any() }],
+      errors: [
+        { status: 400, description: "Missing key or S3 not configured", schema: z.object({ error: z.string() }) },
+        { status: 401, description: "Unauthorized", schema: z.object({ error: z.string() }) },
+        { status: 403, description: "Key not scoped to this tenant", schema: z.object({ error: z.string() }) },
+        { status: 404, description: "File not found", schema: z.object({ error: z.string() }) }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  download_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=download.js.map

package/dist/modules/storage_s3/api/get/storage-providers/s3/download.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/storage_s3/api/get/storage-providers/s3/download.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { S3StorageDriver } from '../../../../lib/s3-driver'\n\nexport const metadata = {\n  path: '/storage-providers/s3/download',\n  GET: { requireAuth: true, requireFeatures: ['storage_providers.manage'] },\n}\n\nasync function resolveDriver(tenantId: string, orgId: string): Promise<S3StorageDriver | null> {\n  const { resolve } = await createRequestContainer()\n  const credentialsService = resolve('integrationCredentialsService') as {\n    resolve(integrationId: string, scope: { tenantId: string; organizationId: string }): Promise<Record<string, unknown> | null>\n  }\n  const creds = await credentialsService.resolve('storage_s3', { tenantId, organizationId: orgId })\n  if (!creds) return null\n  return new S3StorageDriver(creds)\n}\n\nfunction isKeyScoped(key: string, orgId: string, tenantId: string): boolean {\n  const parts = key.split('/')\n  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const key = new URL(req.url).searchParams.get('key')\n  if (!key) {\n    return NextResponse.json({ error: 'key query param is required' }, { status: 400 })\n  }\n\n  if (!isKeyScoped(key, auth.orgId, auth.tenantId)) {\n    return NextResponse.json({ error: 'Access denied: key is not scoped to this tenant.' }, { status: 403 })\n  }\n\n  const driver = await resolveDriver(auth.tenantId, auth.orgId)\n  if (!driver) {\n    return NextResponse.json({ error: 'S3 integration is not configured.' }, { status: 400 })\n  }\n\n  let buffer: Buffer\n  let contentType: string | undefined\n  try {\n    const result = await driver.read('', key)\n    buffer = result.buffer\n    contentType = result.contentType\n  } catch {\n    return NextResponse.json({ error: 'File not found' }, { status: 404 })\n  }\n\n  return new NextResponse(new Uint8Array(buffer), {\n    status: 200,\n    headers: {\n      'Content-Type': contentType ?? 'application/octet-stream',\n      'Content-Length': String(buffer.length),\n    },\n  })\n}\n\nexport default GET\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Storage',\n  summary: 'Download file from S3',\n  methods: {\n    GET: {\n      summary: 'Download a file from S3 by key',\n      description: 'Streams the file content for the given S3 key. Requires storage_providers.manage feature.',\n      query: z.object({ key: z.string().describe('S3 object key') }),\n      responses: [{ status: 200, description: 'File content stream', schema: z.any() }],\n      errors: [\n        { status: 400, description: 'Missing key or S3 not configured', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n        { status: 403, description: 'Key not scoped to this tenant', schema: z.object({ error: z.string() }) },\n        { status: 404, description: 'File not found', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAEzB,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,0BAA0B,EAAE;AAC1E;AAEA,eAAe,cAAc,UAAkB,OAAgD;AAC7F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,qBAAqB,QAAQ,+BAA+B;AAGlE,QAAM,QAAQ,MAAM,mBAAmB,QAAQ,cAAc,EAAE,UAAU,gBAAgB,MAAM,CAAC;AAChG,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,IAAI,gBAAgB,KAAK;AAClC;AAEA,SAAS,YAAY,KAAa,OAAe,UAA2B;AAC1E,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,SAAO,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,OAAO,KAAK,MAAM,MAAM,CAAC,MAAM,UAAU,QAAQ;AAC5F;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,YAAY,CAAC,KAAK,OAAO;AAClC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,IAAI,KAAK;AACnD,MAAI,CAAC,KAAK;AACR,WAAO,aAAa,KAAK,EAAE,OAAO,8BAA8B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpF;AAEA,MAAI,CAAC,YAAY,KAAK,KAAK,OAAO,KAAK,QAAQ,GAAG;AAChD,WAAO,aAAa,KAAK,EAAE,OAAO,mDAAmD,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,SAAS,MAAM,cAAc,KAAK,UAAU,KAAK,KAAK;AAC5D,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI;AACF,UAAM,SAAS,MAAM,OAAO,KAAK,IAAI,GAAG;AACxC,aAAS,OAAO;AAChB,kBAAc,OAAO;AAAA,EACvB,QAAQ;AACN,WAAO,aAAa,KAAK,EAAE,OAAO,iBAAiB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACvE;AAEA,SAAO,IAAI,aAAa,IAAI,WAAW,MAAM,GAAG;AAAA,IAC9C,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB,eAAe;AAAA,MAC/B,kBAAkB,OAAO,OAAO,MAAM;AAAA,IACxC;AAAA,EACF,CAAC;AACH;AAEA,IAAO,mBAAQ;AAER,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,eAAe,EAAE,CAAC;AAAA,MAC7D,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,uBAAuB,QAAQ,EAAE,IAAI,EAAE,CAAC;AAAA,MAChF,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oCAAoC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACxG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACrG,EAAE,QAAQ,KAAK,aAAa,kBAAkB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACxF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/storage_s3/api/get/storage-providers/s3/list.js

@@ -0,0 +1,87 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { S3StorageDriver } from "../../../../lib/s3-driver.js";
+const metadata = {
+  path: "/storage-providers/s3/list",
+  GET: { requireAuth: true, requireFeatures: ["storage_providers.manage"] }
+};
+const querySchema = z.object({
+  prefix: z.string().optional().default(""),
+  maxKeys: z.coerce.number().int().min(1).max(1e3).optional().default(100),
+  continuationToken: z.string().optional()
+});
+const fileSchema = z.object({
+  key: z.string(),
+  size: z.number().int(),
+  lastModified: z.string()
+});
+const responseSchema = z.object({
+  files: z.array(fileSchema),
+  truncated: z.boolean(),
+  nextContinuationToken: z.string().optional()
+});
+async function resolveDriver(tenantId, orgId) {
+  const { resolve } = await createRequestContainer();
+  const credentialsService = resolve("integrationCredentialsService");
+  const creds = await credentialsService.resolve("storage_s3", { tenantId, organizationId: orgId });
+  if (!creds) return null;
+  return new S3StorageDriver(creds);
+}
+async function GET(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId || !auth.orgId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const params = Object.fromEntries(new URL(req.url).searchParams.entries());
+  const parsed = querySchema.safeParse(params);
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid query parameters" }, { status: 400 });
+  }
+  const tenantPrefix = `org_${auth.orgId}/tenant_${auth.tenantId}/`;
+  const userPrefix = parsed.data.prefix;
+  const effectivePrefix = userPrefix.includes(`org_${auth.orgId}/tenant_${auth.tenantId}`) ? userPrefix : tenantPrefix + userPrefix.replace(/^\//, "");
+  const driver = await resolveDriver(auth.tenantId, auth.orgId);
+  if (!driver) {
+    return NextResponse.json({ error: "S3 integration is not configured." }, { status: 400 });
+  }
+  const result = await driver.listObjects(
+    effectivePrefix,
+    parsed.data.maxKeys,
+    parsed.data.continuationToken
+  );
+  return NextResponse.json({
+    files: result.files.map((f) => ({
+      key: f.key,
+      size: f.size,
+      lastModified: f.lastModified.toISOString()
+    })),
+    truncated: result.truncated,
+    nextContinuationToken: result.nextContinuationToken
+  });
+}
+var list_default = GET;
+const openApi = {
+  tag: "Storage",
+  summary: "List S3 objects",
+  methods: {
+    GET: {
+      summary: "List files in S3 by prefix",
+      description: "Returns a paginated list of S3 objects scoped to the authenticated tenant namespace.",
+      query: querySchema,
+      responses: [{ status: 200, description: "File listing", schema: responseSchema }],
+      errors: [
+        { status: 400, description: "Invalid params or S3 not configured", schema: z.object({ error: z.string() }) },
+        { status: 401, description: "Unauthorized", schema: z.object({ error: z.string() }) }
+      ]
+    }
+  }
+};
+export {
+  GET,
+  list_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=list.js.map

package/dist/modules/storage_s3/api/get/storage-providers/s3/list.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/storage_s3/api/get/storage-providers/s3/list.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { S3StorageDriver } from '../../../../lib/s3-driver'\n\nexport const metadata = {\n  path: '/storage-providers/s3/list',\n  GET: { requireAuth: true, requireFeatures: ['storage_providers.manage'] },\n}\n\nconst querySchema = z.object({\n  prefix: z.string().optional().default(''),\n  maxKeys: z.coerce.number().int().min(1).max(1000).optional().default(100),\n  continuationToken: z.string().optional(),\n})\n\nconst fileSchema = z.object({\n  key: z.string(),\n  size: z.number().int(),\n  lastModified: z.string(),\n})\n\nconst responseSchema = z.object({\n  files: z.array(fileSchema),\n  truncated: z.boolean(),\n  nextContinuationToken: z.string().optional(),\n})\n\nasync function resolveDriver(tenantId: string, orgId: string): Promise<S3StorageDriver | null> {\n  const { resolve } = await createRequestContainer()\n  const credentialsService = resolve('integrationCredentialsService') as {\n    resolve(integrationId: string, scope: { tenantId: string; organizationId: string }): Promise<Record<string, unknown> | null>\n  }\n  const creds = await credentialsService.resolve('storage_s3', { tenantId, organizationId: orgId })\n  if (!creds) return null\n  return new S3StorageDriver(creds)\n}\n\nexport async function GET(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const params = Object.fromEntries(new URL(req.url).searchParams.entries())\n  const parsed = querySchema.safeParse(params)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid query parameters' }, { status: 400 })\n  }\n\n  // Always scope list operations to the tenant namespace to prevent cross-tenant enumeration.\n  const tenantPrefix = `org_${auth.orgId}/tenant_${auth.tenantId}/`\n  const userPrefix = parsed.data.prefix\n  const effectivePrefix = userPrefix.includes(`org_${auth.orgId}/tenant_${auth.tenantId}`)\n    ? userPrefix\n    : tenantPrefix + userPrefix.replace(/^\\//, '')\n\n  const driver = await resolveDriver(auth.tenantId, auth.orgId)\n  if (!driver) {\n    return NextResponse.json({ error: 'S3 integration is not configured.' }, { status: 400 })\n  }\n\n  const result = await driver.listObjects(\n    effectivePrefix,\n    parsed.data.maxKeys,\n    parsed.data.continuationToken,\n  )\n\n  return NextResponse.json({\n    files: result.files.map((f) => ({\n      key: f.key,\n      size: f.size,\n      lastModified: f.lastModified.toISOString(),\n    })),\n    truncated: result.truncated,\n    nextContinuationToken: result.nextContinuationToken,\n  })\n}\n\nexport default GET\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Storage',\n  summary: 'List S3 objects',\n  methods: {\n    GET: {\n      summary: 'List files in S3 by prefix',\n      description: 'Returns a paginated list of S3 objects scoped to the authenticated tenant namespace.',\n      query: querySchema,\n      responses: [{ status: 200, description: 'File listing', schema: responseSchema }],\n      errors: [\n        { status: 400, description: 'Invalid params or S3 not configured', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAEzB,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,0BAA0B,EAAE;AAC1E;AAEA,MAAM,cAAc,EAAE,OAAO;AAAA,EAC3B,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EACxC,SAAS,EAAE,OAAO,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAI,EAAE,SAAS,EAAE,QAAQ,GAAG;AAAA,EACxE,mBAAmB,EAAE,OAAO,EAAE,SAAS;AACzC,CAAC;AAED,MAAM,aAAa,EAAE,OAAO;AAAA,EAC1B,KAAK,EAAE,OAAO;AAAA,EACd,MAAM,EAAE,OAAO,EAAE,IAAI;AAAA,EACrB,cAAc,EAAE,OAAO;AACzB,CAAC;AAED,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,OAAO,EAAE,MAAM,UAAU;AAAA,EACzB,WAAW,EAAE,QAAQ;AAAA,EACrB,uBAAuB,EAAE,OAAO,EAAE,SAAS;AAC7C,CAAC;AAED,eAAe,cAAc,UAAkB,OAAgD;AAC7F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,qBAAqB,QAAQ,+BAA+B;AAGlE,QAAM,QAAQ,MAAM,mBAAmB,QAAQ,cAAc,EAAE,UAAU,gBAAgB,MAAM,CAAC;AAChG,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,IAAI,gBAAgB,KAAK;AAClC;AAEA,eAAsB,IAAI,KAAc;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,YAAY,CAAC,KAAK,OAAO;AAClC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,SAAS,OAAO,YAAY,IAAI,IAAI,IAAI,GAAG,EAAE,aAAa,QAAQ,CAAC;AACzE,QAAM,SAAS,YAAY,UAAU,MAAM;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,2BAA2B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjF;AAGA,QAAM,eAAe,OAAO,KAAK,KAAK,WAAW,KAAK,QAAQ;AAC9D,QAAM,aAAa,OAAO,KAAK;AAC/B,QAAM,kBAAkB,WAAW,SAAS,OAAO,KAAK,KAAK,WAAW,KAAK,QAAQ,EAAE,IACnF,aACA,eAAe,WAAW,QAAQ,OAAO,EAAE;AAE/C,QAAM,SAAS,MAAM,cAAc,KAAK,UAAU,KAAK,KAAK;AAC5D,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AAEA,QAAM,SAAS,MAAM,OAAO;AAAA,IAC1B;AAAA,IACA,OAAO,KAAK;AAAA,IACZ,OAAO,KAAK;AAAA,EACd;AAEA,SAAO,aAAa,KAAK;AAAA,IACvB,OAAO,OAAO,MAAM,IAAI,CAAC,OAAO;AAAA,MAC9B,KAAK,EAAE;AAAA,MACP,MAAM,EAAE;AAAA,MACR,cAAc,EAAE,aAAa,YAAY;AAAA,IAC3C,EAAE;AAAA,IACF,WAAW,OAAO;AAAA,IAClB,uBAAuB,OAAO;AAAA,EAChC,CAAC;AACH;AAEA,IAAO,eAAQ;AAER,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,SAAS;AAAA,MACT,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,eAAe,CAAC;AAAA,MAChF,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,uCAAuC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QAC3G,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACtF;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/storage_s3/api/post/storage-providers/s3/signed-url.js

@@ -0,0 +1,77 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { S3StorageDriver } from "../../../../lib/s3-driver.js";
+const metadata = {
+  path: "/storage-providers/s3/signed-url",
+  POST: { requireAuth: true, requireFeatures: ["storage_providers.manage"] }
+};
+const requestSchema = z.object({
+  key: z.string().min(1),
+  operation: z.enum(["upload", "download"]),
+  expiresIn: z.number().int().min(60).max(604800).optional().default(3600),
+  contentType: z.string().optional()
+});
+const responseSchema = z.object({
+  url: z.string(),
+  expiresAt: z.string()
+});
+async function resolveDriver(tenantId, orgId) {
+  const { resolve } = await createRequestContainer();
+  const credentialsService = resolve("integrationCredentialsService");
+  const creds = await credentialsService.resolve("storage_s3", { tenantId, organizationId: orgId });
+  if (!creds) return null;
+  return new S3StorageDriver(creds);
+}
+function isKeyScoped(key, orgId, tenantId) {
+  const parts = key.split("/");
+  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`;
+}
+async function POST(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId || !auth.orgId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const json = await req.json().catch(() => null);
+  const parsed = requestSchema.safeParse(json);
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid payload" }, { status: 400 });
+  }
+  if (!isKeyScoped(parsed.data.key, auth.orgId, auth.tenantId)) {
+    return NextResponse.json({ error: "Access denied: key is not scoped to this tenant." }, { status: 403 });
+  }
+  const driver = await resolveDriver(auth.tenantId, auth.orgId);
+  if (!driver) {
+    return NextResponse.json({ error: "S3 integration is not configured." }, { status: 400 });
+  }
+  const { key, operation, expiresIn, contentType } = parsed.data;
+  const url = await driver.getSignedUrl(key, operation, expiresIn, contentType);
+  const expiresAt = new Date(Date.now() + expiresIn * 1e3).toISOString();
+  return NextResponse.json({ url, expiresAt });
+}
+var signed_url_default = POST;
+const openApi = {
+  tag: "Storage",
+  summary: "Generate S3 pre-signed URL",
+  methods: {
+    POST: {
+      summary: "Generate a pre-signed URL for direct browser upload or download",
+      description: "Returns a time-limited URL that allows a browser to directly upload or download a file from S3.",
+      requestBody: { contentType: "application/json", schema: requestSchema },
+      responses: [{ status: 200, description: "Pre-signed URL and expiry", schema: responseSchema }],
+      errors: [
+        { status: 400, description: "Invalid payload or S3 not configured", schema: z.object({ error: z.string() }) },
+        { status: 401, description: "Unauthorized", schema: z.object({ error: z.string() }) },
+        { status: 403, description: "Key not scoped to this tenant", schema: z.object({ error: z.string() }) }
+      ]
+    }
+  }
+};
+export {
+  POST,
+  signed_url_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=signed-url.js.map

package/dist/modules/storage_s3/api/post/storage-providers/s3/signed-url.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/storage_s3/api/post/storage-providers/s3/signed-url.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { S3StorageDriver } from '../../../../lib/s3-driver'\n\nexport const metadata = {\n  path: '/storage-providers/s3/signed-url',\n  POST: { requireAuth: true, requireFeatures: ['storage_providers.manage'] },\n}\n\nconst requestSchema = z.object({\n  key: z.string().min(1),\n  operation: z.enum(['upload', 'download']),\n  expiresIn: z.number().int().min(60).max(604800).optional().default(3600),\n  contentType: z.string().optional(),\n})\n\nconst responseSchema = z.object({\n  url: z.string(),\n  expiresAt: z.string(),\n})\n\nasync function resolveDriver(tenantId: string, orgId: string): Promise<S3StorageDriver | null> {\n  const { resolve } = await createRequestContainer()\n  const credentialsService = resolve('integrationCredentialsService') as {\n    resolve(integrationId: string, scope: { tenantId: string; organizationId: string }): Promise<Record<string, unknown> | null>\n  }\n  const creds = await credentialsService.resolve('storage_s3', { tenantId, organizationId: orgId })\n  if (!creds) return null\n  return new S3StorageDriver(creds)\n}\n\nfunction isKeyScoped(key: string, orgId: string, tenantId: string): boolean {\n  const parts = key.split('/')\n  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const json = await req.json().catch(() => null)\n  const parsed = requestSchema.safeParse(json)\n  if (!parsed.success) {\n    return NextResponse.json({ error: 'Invalid payload' }, { status: 400 })\n  }\n\n  if (!isKeyScoped(parsed.data.key, auth.orgId, auth.tenantId)) {\n    return NextResponse.json({ error: 'Access denied: key is not scoped to this tenant.' }, { status: 403 })\n  }\n\n  const driver = await resolveDriver(auth.tenantId, auth.orgId)\n  if (!driver) {\n    return NextResponse.json({ error: 'S3 integration is not configured.' }, { status: 400 })\n  }\n\n  const { key, operation, expiresIn, contentType } = parsed.data\n  const url = await driver.getSignedUrl(key, operation, expiresIn, contentType)\n  const expiresAt = new Date(Date.now() + expiresIn * 1000).toISOString()\n\n  return NextResponse.json({ url, expiresAt })\n}\n\nexport default POST\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Storage',\n  summary: 'Generate S3 pre-signed URL',\n  methods: {\n    POST: {\n      summary: 'Generate a pre-signed URL for direct browser upload or download',\n      description: 'Returns a time-limited URL that allows a browser to directly upload or download a file from S3.',\n      requestBody: { contentType: 'application/json', schema: requestSchema },\n      responses: [{ status: 200, description: 'Pre-signed URL and expiry', schema: responseSchema }],\n      errors: [\n        { status: 400, description: 'Invalid payload or S3 not configured', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n        { status: 403, description: 'Key not scoped to this tenant', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAEzB,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,0BAA0B,EAAE;AAC3E;AAEA,MAAM,gBAAgB,EAAE,OAAO;AAAA,EAC7B,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACrB,WAAW,EAAE,KAAK,CAAC,UAAU,UAAU,CAAC;AAAA,EACxC,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,MAAM,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EACvE,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAED,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,KAAK,EAAE,OAAO;AAAA,EACd,WAAW,EAAE,OAAO;AACtB,CAAC;AAED,eAAe,cAAc,UAAkB,OAAgD;AAC7F,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,qBAAqB,QAAQ,+BAA+B;AAGlE,QAAM,QAAQ,MAAM,mBAAmB,QAAQ,cAAc,EAAE,UAAU,gBAAgB,MAAM,CAAC;AAChG,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,IAAI,gBAAgB,KAAK;AAClC;AAEA,SAAS,YAAY,KAAa,OAAe,UAA2B;AAC1E,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,SAAO,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,OAAO,KAAK,MAAM,MAAM,CAAC,MAAM,UAAU,QAAQ;AAC5F;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,YAAY,CAAC,KAAK,OAAO;AAClC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,IAAI;AAC9C,QAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO,aAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,MAAI,CAAC,YAAY,OAAO,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,GAAG;AAC5D,WAAO,aAAa,KAAK,EAAE,OAAO,mDAAmD,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzG;AAEA,QAAM,SAAS,MAAM,cAAc,KAAK,UAAU,KAAK,KAAK;AAC5D,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AAEA,QAAM,EAAE,KAAK,WAAW,WAAW,YAAY,IAAI,OAAO;AAC1D,QAAM,MAAM,MAAM,OAAO,aAAa,KAAK,WAAW,WAAW,WAAW;AAC5E,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,YAAY,GAAI,EAAE,YAAY;AAEtE,SAAO,aAAa,KAAK,EAAE,KAAK,UAAU,CAAC;AAC7C;AAEA,IAAO,qBAAQ;AAER,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa,EAAE,aAAa,oBAAoB,QAAQ,cAAc;AAAA,MACtE,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,6BAA6B,QAAQ,eAAe,CAAC;AAAA,MAC7F,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,wCAAwC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QAC5G,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,iCAAiC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MACvG;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/storage_s3/api/post/storage-providers/s3/upload.js

@@ -0,0 +1,99 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { S3StorageDriver } from "../../../../lib/s3-driver.js";
+import { randomUUID } from "crypto";
+const metadata = {
+  path: "/storage-providers/s3/upload",
+  POST: { requireAuth: true, requireFeatures: ["storage_providers.manage"] }
+};
+const responseSchema = z.object({
+  key: z.string(),
+  bucket: z.string(),
+  size: z.number().int(),
+  contentType: z.string().optional()
+});
+function sanitizeFileName(name) {
+  return name.replace(/[^a-zA-Z0-9._-]/g, "_") || "upload";
+}
+function isKeyScoped(key, orgId, tenantId) {
+  const parts = key.split("/");
+  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`;
+}
+async function resolveDriver(tenantId, orgId) {
+  const { resolve } = await createRequestContainer();
+  const credentialsService = resolve("integrationCredentialsService");
+  const creds = await credentialsService.resolve("storage_s3", { tenantId, organizationId: orgId });
+  if (!creds) return null;
+  return new S3StorageDriver(creds);
+}
+async function POST(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth?.tenantId || !auth.orgId) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  const contentType = req.headers.get("content-type") ?? "";
+  if (!contentType.includes("multipart/form-data")) {
+    return NextResponse.json({ error: "Expected multipart/form-data" }, { status: 400 });
+  }
+  const form = await req.formData();
+  const file = form.get("file");
+  if (!file) {
+    return NextResponse.json({ error: "file field is required" }, { status: 400 });
+  }
+  const keyOverride = form.get("key") ? String(form.get("key")) : null;
+  const contentTypeHeader = form.get("contentType") ? String(form.get("contentType")) : file.type || void 0;
+  if (keyOverride !== null && !isKeyScoped(keyOverride, auth.orgId, auth.tenantId)) {
+    return NextResponse.json(
+      { error: "Access denied: key override is not scoped to this tenant." },
+      { status: 403 }
+    );
+  }
+  const driver = await resolveDriver(auth.tenantId, auth.orgId);
+  if (!driver) {
+    return NextResponse.json({ error: "S3 integration is not configured." }, { status: 400 });
+  }
+  const buffer = Buffer.from(await file.arrayBuffer());
+  const safeName = sanitizeFileName(file.name);
+  const key = keyOverride ?? `uploads/org_${auth.orgId}/tenant_${auth.tenantId}/${Date.now()}_${randomUUID().slice(0, 8)}_${safeName}`;
+  await driver.putObject(key, buffer, contentTypeHeader);
+  return NextResponse.json({
+    key,
+    bucket: driver.getBucket(),
+    size: buffer.length,
+    contentType: contentTypeHeader
+  });
+}
+var upload_default = POST;
+const openApi = {
+  tag: "Storage",
+  summary: "Upload file to S3",
+  methods: {
+    POST: {
+      summary: "Upload a file directly to S3",
+      description: "Uploads a file to the configured S3 bucket. Requires storage_providers.manage feature.",
+      requestBody: {
+        contentType: "multipart/form-data",
+        schema: z.object({
+          file: z.any().describe("File to upload"),
+          key: z.string().optional().describe("Optional S3 key override (must be scoped to org/tenant)"),
+          contentType: z.string().optional().describe("Optional content-type override")
+        })
+      },
+      responses: [{ status: 200, description: "Upload result", schema: responseSchema }],
+      errors: [
+        { status: 400, description: "Missing file or S3 not configured", schema: z.object({ error: z.string() }) },
+        { status: 401, description: "Unauthorized", schema: z.object({ error: z.string() }) },
+        { status: 403, description: "Key override not scoped to this tenant", schema: z.object({ error: z.string() }) }
+      ]
+    }
+  }
+};
+export {
+  POST,
+  upload_default as default,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=upload.js.map

package/dist/modules/storage_s3/api/post/storage-providers/s3/upload.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../src/modules/storage_s3/api/post/storage-providers/s3/upload.ts"],
+  "sourcesContent": ["import { NextResponse } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport { S3StorageDriver } from '../../../../lib/s3-driver'\nimport { randomUUID } from 'crypto'\n\nexport const metadata = {\n  path: '/storage-providers/s3/upload',\n  POST: { requireAuth: true, requireFeatures: ['storage_providers.manage'] },\n}\n\nconst responseSchema = z.object({\n  key: z.string(),\n  bucket: z.string(),\n  size: z.number().int(),\n  contentType: z.string().optional(),\n})\n\nfunction sanitizeFileName(name: string): string {\n  return name.replace(/[^a-zA-Z0-9._-]/g, '_') || 'upload'\n}\n\nfunction isKeyScoped(key: string, orgId: string, tenantId: string): boolean {\n  const parts = key.split('/')\n  return parts.length >= 3 && parts[1] === `org_${orgId}` && parts[2] === `tenant_${tenantId}`\n}\n\nasync function resolveDriver(\n  tenantId: string,\n  orgId: string,\n): Promise<S3StorageDriver | null> {\n  const { resolve } = await createRequestContainer()\n  const credentialsService = resolve('integrationCredentialsService') as {\n    resolve(integrationId: string, scope: { tenantId: string; organizationId: string }): Promise<Record<string, unknown> | null>\n  }\n  const creds = await credentialsService.resolve('storage_s3', { tenantId, organizationId: orgId })\n  if (!creds) return null\n  return new S3StorageDriver(creds)\n}\n\nexport async function POST(req: Request) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth?.tenantId || !auth.orgId) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  const contentType = req.headers.get('content-type') ?? ''\n  if (!contentType.includes('multipart/form-data')) {\n    return NextResponse.json({ error: 'Expected multipart/form-data' }, { status: 400 })\n  }\n\n  const form = await req.formData()\n  const file = form.get('file') as File | null\n  if (!file) {\n    return NextResponse.json({ error: 'file field is required' }, { status: 400 })\n  }\n\n  const keyOverride = form.get('key') ? String(form.get('key')) : null\n  const contentTypeHeader = form.get('contentType') ? String(form.get('contentType')) : file.type || undefined\n\n  if (keyOverride !== null && !isKeyScoped(keyOverride, auth.orgId, auth.tenantId)) {\n    return NextResponse.json(\n      { error: 'Access denied: key override is not scoped to this tenant.' },\n      { status: 403 },\n    )\n  }\n\n  const driver = await resolveDriver(auth.tenantId, auth.orgId)\n  if (!driver) {\n    return NextResponse.json({ error: 'S3 integration is not configured.' }, { status: 400 })\n  }\n\n  const buffer = Buffer.from(await file.arrayBuffer())\n  const safeName = sanitizeFileName(file.name)\n  const key =\n    keyOverride ??\n    `uploads/org_${auth.orgId}/tenant_${auth.tenantId}/${Date.now()}_${randomUUID().slice(0, 8)}_${safeName}`\n\n  await driver.putObject(key, buffer, contentTypeHeader)\n\n  return NextResponse.json({\n    key,\n    bucket: driver.getBucket(),\n    size: buffer.length,\n    contentType: contentTypeHeader,\n  })\n}\n\nexport default POST\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'Storage',\n  summary: 'Upload file to S3',\n  methods: {\n    POST: {\n      summary: 'Upload a file directly to S3',\n      description: 'Uploads a file to the configured S3 bucket. Requires storage_providers.manage feature.',\n      requestBody: {\n        contentType: 'multipart/form-data',\n        schema: z.object({\n          file: z.any().describe('File to upload'),\n          key: z.string().optional().describe('Optional S3 key override (must be scoped to org/tenant)'),\n          contentType: z.string().optional().describe('Optional content-type override'),\n        }),\n      },\n      responses: [{ status: 200, description: 'Upload result', schema: responseSchema }],\n      errors: [\n        { status: 400, description: 'Missing file or S3 not configured', schema: z.object({ error: z.string() }) },\n        { status: 401, description: 'Unauthorized', schema: z.object({ error: z.string() }) },\n        { status: 403, description: 'Key override not scoped to this tenant', schema: z.object({ error: z.string() }) },\n      ],\n    },\n  },\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAoB;AAC7B,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AACvC,SAAS,uBAAuB;AAChC,SAAS,kBAAkB;AAEpB,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,0BAA0B,EAAE;AAC3E;AAEA,MAAM,iBAAiB,EAAE,OAAO;AAAA,EAC9B,KAAK,EAAE,OAAO;AAAA,EACd,QAAQ,EAAE,OAAO;AAAA,EACjB,MAAM,EAAE,OAAO,EAAE,IAAI;AAAA,EACrB,aAAa,EAAE,OAAO,EAAE,SAAS;AACnC,CAAC;AAED,SAAS,iBAAiB,MAAsB;AAC9C,SAAO,KAAK,QAAQ,oBAAoB,GAAG,KAAK;AAClD;AAEA,SAAS,YAAY,KAAa,OAAe,UAA2B;AAC1E,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,SAAO,MAAM,UAAU,KAAK,MAAM,CAAC,MAAM,OAAO,KAAK,MAAM,MAAM,CAAC,MAAM,UAAU,QAAQ;AAC5F;AAEA,eAAe,cACb,UACA,OACiC;AACjC,QAAM,EAAE,QAAQ,IAAI,MAAM,uBAAuB;AACjD,QAAM,qBAAqB,QAAQ,+BAA+B;AAGlE,QAAM,QAAQ,MAAM,mBAAmB,QAAQ,cAAc,EAAE,UAAU,gBAAgB,MAAM,CAAC;AAChG,MAAI,CAAC,MAAO,QAAO;AACnB,SAAO,IAAI,gBAAgB,KAAK;AAClC;AAEA,eAAsB,KAAK,KAAc;AACvC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM,YAAY,CAAC,KAAK,OAAO;AAClC,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,QAAM,cAAc,IAAI,QAAQ,IAAI,cAAc,KAAK;AACvD,MAAI,CAAC,YAAY,SAAS,qBAAqB,GAAG;AAChD,WAAO,aAAa,KAAK,EAAE,OAAO,+BAA+B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrF;AAEA,QAAM,OAAO,MAAM,IAAI,SAAS;AAChC,QAAM,OAAO,KAAK,IAAI,MAAM;AAC5B,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,yBAAyB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC/E;AAEA,QAAM,cAAc,KAAK,IAAI,KAAK,IAAI,OAAO,KAAK,IAAI,KAAK,CAAC,IAAI;AAChE,QAAM,oBAAoB,KAAK,IAAI,aAAa,IAAI,OAAO,KAAK,IAAI,aAAa,CAAC,IAAI,KAAK,QAAQ;AAEnG,MAAI,gBAAgB,QAAQ,CAAC,YAAY,aAAa,KAAK,OAAO,KAAK,QAAQ,GAAG;AAChF,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,4DAA4D;AAAA,MACrE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,cAAc,KAAK,UAAU,KAAK,KAAK;AAC5D,MAAI,CAAC,QAAQ;AACX,WAAO,aAAa,KAAK,EAAE,OAAO,oCAAoC,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC1F;AAEA,QAAM,SAAS,OAAO,KAAK,MAAM,KAAK,YAAY,CAAC;AACnD,QAAM,WAAW,iBAAiB,KAAK,IAAI;AAC3C,QAAM,MACJ,eACA,eAAe,KAAK,KAAK,WAAW,KAAK,QAAQ,IAAI,KAAK,IAAI,CAAC,IAAI,WAAW,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,QAAQ;AAEzG,QAAM,OAAO,UAAU,KAAK,QAAQ,iBAAiB;AAErD,SAAO,aAAa,KAAK;AAAA,IACvB;AAAA,IACA,QAAQ,OAAO,UAAU;AAAA,IACzB,MAAM,OAAO;AAAA,IACb,aAAa;AAAA,EACf,CAAC;AACH;AAEA,IAAO,iBAAQ;AAER,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,SAAS;AAAA,MACT,aAAa;AAAA,MACb,aAAa;AAAA,QACX,aAAa;AAAA,QACb,QAAQ,EAAE,OAAO;AAAA,UACf,MAAM,EAAE,IAAI,EAAE,SAAS,gBAAgB;AAAA,UACvC,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,yDAAyD;AAAA,UAC7F,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,gCAAgC;AAAA,QAC9E,CAAC;AAAA,MACH;AAAA,MACA,WAAW,CAAC,EAAE,QAAQ,KAAK,aAAa,iBAAiB,QAAQ,eAAe,CAAC;AAAA,MACjF,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,qCAAqC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACzG,EAAE,QAAQ,KAAK,aAAa,gBAAgB,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,QACpF,EAAE,QAAQ,KAAK,aAAa,0CAA0C,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE;AAAA,MAChH;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}