create-mercato-app 0.4.9-develop-7afbe1e834 → 0.4.9-develop-94fb251ed3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-mercato-app",
-  "version": "0.4.9-develop-7afbe1e834",
+  "version": "0.4.9-develop-94fb251ed3",
   "type": "module",
   "description": "Create a new Open Mercato application",
   "main": "./dist/index.js",

package/template/.env.example

@@ -37,6 +37,27 @@ OM_ENABLE_ENTERPRISE_MODULES=false
 # Requires OM_ENABLE_ENTERPRISE_MODULES=true
 OM_ENABLE_ENTERPRISE_MODULES_SSO=false
 
+# Enterprise security module (MFA, passkeys, sudo)
+# Active when enterprise modules are enabled and the security module is installed.
+# Optional dedicated signing secret for MFA setup tokens.
+# Falls back to AUTH_JWT_SECRET, AUTH_SECRET, or JWT_SECRET when left blank.
+# Enable enterprise security module (default: false)
+# Requires OM_ENABLE_ENTERPRISE_MODULES=true
+OM_ENABLE_ENTERPRISE_MODULES_SECURITY=false
+
+# OM_SECURITY_MFA_SETUP_SECRET=change-me-mfa-setup-secret
+OM_SECURITY_TOTP_ISSUER=Open Mercato
+OM_SECURITY_TOTP_WINDOW=1
+OM_SECURITY_OTP_EXPIRY_SECONDS=600
+OM_SECURITY_OTP_MAX_ATTEMPTS=5
+OM_SECURITY_SUDO_DEFAULT_TTL=300
+OM_SECURITY_SUDO_MAX_TTL=1800
+OM_SECURITY_WEBAUTHN_RP_NAME=Open Mercato
+# Defaults to the hostname from APP_URL / NEXT_PUBLIC_APP_URL when left blank.
+OM_SECURITY_WEBAUTHN_RP_ID=
+OM_SECURITY_RECOVERY_CODE_COUNT=10
+OM_SECURITY_MFA_EMERGENCY_BYPASS=false
+
 # Admin email to notify about onboarding submissions
 ADMIN_EMAIL=ops@your-domain.com
 

package/template/src/app/(backend)/backend/[...slug]/page.tsx

@@ -4,6 +4,7 @@ import Link from 'next/link'
 import { findBackendMatch } from '@open-mercato/shared/modules/registry'
 import { modules } from '@/.mercato/generated/modules.generated'
 import { getAuthFromCookies } from '@open-mercato/shared/lib/auth/server'
+import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
 import { ApplyBreadcrumb } from '@open-mercato/ui/backend/AppShell'
 import { AccessDeniedMessage } from '@open-mercato/ui/backend/detail'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
@@ -13,6 +14,8 @@ import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacS
 import { ComponentReplacementHandles, resolveRegisteredComponent } from '@open-mercato/shared/modules/widgets/component-registry'
 import type { Metadata } from 'next'
 import { resolveLocalizedTitleMetadata } from '@/lib/metadata'
+import { resolvePageMiddlewareRedirect } from '@open-mercato/shared/lib/middleware/page-executor'
+import { backendMiddlewareEntries } from '@/.mercato/generated/backend-middleware.generated'
 
 type Awaitable<T> = T | Promise<T>
 
@@ -52,8 +55,16 @@ export default async function BackendCatchAll(props: BackendParams) {
   const pathname = '/backend/' + (params.slug?.join('/') ?? '')
   const match = findBackendMatch(modules, pathname)
   if (!match) return notFound()
+  let auth: AuthContext = null
+  let container: Awaited<ReturnType<typeof createRequestContainer>> | null = null
+  const ensureContainer = async () => {
+    if (!container) {
+      container = await createRequestContainer()
+    }
+    return container
+  }
   if (match.route.requireAuth) {
-    const auth = await getAuthFromCookies()
+    auth = await getAuthFromCookies()
     if (!auth) redirect('/api/auth/session/refresh?redirect=' + encodeURIComponent(pathname))
     const required = match.route.requireRoles || []
     if (required.length) {
@@ -84,6 +95,21 @@ export default async function BackendCatchAll(props: BackendParams) {
       if (!ok) return renderAccessDenied()
     }
   }
+  const middlewareRedirect = await resolvePageMiddlewareRedirect({
+    entries: backendMiddlewareEntries,
+    context: {
+      pathname,
+      mode: 'backend',
+      routeMeta: {
+        requireAuth: match.route.requireAuth,
+        requireRoles: match.route.requireRoles,
+        requireFeatures: match.route.requireFeatures,
+      },
+      auth,
+      ensureContainer,
+    },
+  })
+  if (middlewareRedirect) redirect(middlewareRedirect)
   const pageHandle = ComponentReplacementHandles.page(pathname)
   const Component = resolveRegisteredComponent(pageHandle, match.route.Component)
 

package/template/src/app/(backend)/backend/page.tsx

@@ -1,10 +1,31 @@
 import { getAuthFromCookies } from '@open-mercato/shared/lib/auth/server'
 import { redirect } from 'next/navigation'
 import { DashboardScreen } from '@open-mercato/ui/backend/dashboard'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { resolvePageMiddlewareRedirect } from '@open-mercato/shared/lib/middleware/page-executor'
+import { backendMiddlewareEntries } from '@/.mercato/generated/backend-middleware.generated'
 
 export default async function BackendIndex() {
   const auth = await getAuthFromCookies()
   if (!auth) redirect('/api/auth/session/refresh?redirect=/backend')
+  let container: Awaited<ReturnType<typeof createRequestContainer>> | null = null
+  const ensureContainer = async () => {
+    if (!container) {
+      container = await createRequestContainer()
+    }
+    return container
+  }
+  const middlewareRedirect = await resolvePageMiddlewareRedirect({
+    entries: backendMiddlewareEntries,
+    context: {
+      pathname: '/backend',
+      mode: 'backend',
+      routeMeta: { requireAuth: true },
+      auth,
+      ensureContainer,
+    },
+  })
+  if (middlewareRedirect) redirect(middlewareRedirect)
   return (
     <div className="p-6 space-y-6">
       <DashboardScreen />

package/template/src/app/(frontend)/[...slug]/page.tsx

@@ -4,12 +4,15 @@ import { findFrontendMatch } from '@open-mercato/shared/modules/registry'
 import { modules } from '@/.mercato/generated/modules.generated'
 import { getAuthFromCookies } from '@open-mercato/shared/lib/auth/server'
 import { AccessDeniedMessage } from '@open-mercato/ui/backend/detail'
+import type { AuthContext } from '@open-mercato/shared/lib/auth/server'
 import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 import { hasAllFeatures } from '@open-mercato/shared/lib/auth/featureMatch'
 import type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'
 import type { Metadata } from 'next'
 import { resolveLocalizedTitleMetadata } from '@/lib/metadata'
+import { resolvePageMiddlewareRedirect } from '@open-mercato/shared/lib/middleware/page-executor'
+import { frontendMiddlewareEntries } from '@/.mercato/generated/frontend-middleware.generated'
 
 type FrontendParams = { params: Promise<{ slug: string[] }> }
 
@@ -68,8 +71,16 @@ export default async function SiteCatchAll({ params }: FrontendParams) {
   }
 
   // Staff auth gate
+  let auth: AuthContext = null
+  let container: Awaited<ReturnType<typeof createRequestContainer>> | null = null
+  const ensureContainer = async () => {
+    if (!container) {
+      container = await createRequestContainer()
+    }
+    return container
+  }
   if (match.route.requireAuth) {
-    const auth = await getAuthFromCookies()
+    auth = await getAuthFromCookies()
     if (!auth) redirect('/api/auth/session/refresh?redirect=' + encodeURIComponent(pathname))
     const required = match.route.requireRoles || []
     if (required.length) {
@@ -85,6 +96,21 @@ export default async function SiteCatchAll({ params }: FrontendParams) {
       if (!ok) return renderAccessDenied()
     }
   }
+  const middlewareRedirect = await resolvePageMiddlewareRedirect({
+    entries: frontendMiddlewareEntries,
+    context: {
+      pathname,
+      mode: 'frontend',
+      routeMeta: {
+        requireAuth: match.route.requireAuth,
+        requireRoles: match.route.requireRoles,
+        requireFeatures: match.route.requireFeatures,
+      },
+      auth,
+      ensureContainer,
+    },
+  })
+  if (middlewareRedirect) redirect(middlewareRedirect)
   const Component = match.route.Component
   return <Component params={match.params} />
 }

package/template/src/app/api/[...slug]/route.ts

@@ -1,6 +1,6 @@
 import { NextResponse, type NextRequest } from 'next/server'
 import { findApi, type HttpMethod } from '@open-mercato/shared/modules/registry'
-import { CrudHttpError } from '@open-mercato/shared/lib/crud/errors'
+import { isCrudHttpError } from '@open-mercato/shared/lib/crud/errors'
 import { modules } from '@/.mercato/generated/modules.generated'
 import { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'
 import { bootstrap } from '@/bootstrap'
@@ -135,7 +135,7 @@ async function checkAuthorization(
             const guardContainer = await ensureContainer()
             await enforceTenantSelection({ auth, container: guardContainer }, tenantCandidate)
           } catch (error) {
-            if (error instanceof CrudHttpError) {
+            if (isCrudHttpError(error)) {
               return NextResponse.json(error.body ?? { error: t('api.errors.forbidden', 'Forbidden') }, { status: error.status })
             }
             throw error

package/template/src/bootstrap.ts

@@ -53,11 +53,13 @@ import { messageTypes } from '@/.mercato/generated/message-types.generated'
 import { messageObjectTypes } from '@/.mercato/generated/message-objects.generated'
 import { registerMessageTypes } from '@open-mercato/core/modules/messages/lib/message-types-registry'
 import { registerMessageObjectTypes } from '@open-mercato/core/modules/messages/lib/message-objects-registry'
+import { runBootstrapRegistrations } from '@/.mercato/generated/bootstrap-registrations.generated'
 
 // Register event configs globally (similar to search)
 registerEventModuleConfigs(eventModuleConfigs)
 registerMessageTypes(messageTypes, { replace: true })
 registerMessageObjectTypes(messageObjectTypes, { replace: true })
+runBootstrapRegistrations()
 
 // Bootstrap factory from shared package
 import { createBootstrap, isBootstrapped } from '@open-mercato/shared/lib/bootstrap'

package/template/src/modules/example/__integration__/TC-UMES-003.spec.ts

@@ -615,8 +615,9 @@ test.describe('TC-UMES-003: Events & DOM Bridge', () => {
       await page.getByTestId('phase-d-run-probe').click()
 
       await expect(page.getByTestId('phase-d-status')).toContainText('ok')
-      await expect(page.getByTestId('phase-d-result')).toContainText(personId)
       await expect(page.getByTestId('phase-d-result')).toContainText('_example')
+      await expect(page.getByTestId('phase-d-result')).toContainText('selectedRecord')
+      await expect(page.getByTestId('phase-d-result')).toContainText('inspectedCount')
       await expect(page.getByTestId('phase-d-result')).toContainText('example.customer-todo-count')
     } finally {
       await deleteEntityIfExists(request, adminToken, '/api/customers/people', personId)

package/template/src/modules/example/api/notifications/route.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod'
 import { resolveNotificationContext } from '@open-mercato/core/modules/notifications/lib/routeHelpers'
+import type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'
 import { resolveTranslations } from '@open-mercato/shared/lib/i18n/server'
 
 const emitNotificationSchema = z.object({
@@ -65,27 +66,23 @@ export async function POST(request: Request) {
   return Response.json({ id: notification.id }, { status: 201 })
 }
 
-export const openApi = {
-  POST: {
-    summary: 'Emit example actionable notification',
-    tags: ['Example'],
-    requestBody: {
-      required: false,
-      content: {
-        'application/json': {
-          schema: emitNotificationSchema,
-        },
+export const openApi: OpenApiRouteDoc = {
+  tag: 'Example',
+  methods: {
+    POST: {
+      summary: 'Emit example actionable notification',
+      tags: ['Example'],
+      requestBody: {
+        contentType: 'application/json',
+        schema: emitNotificationSchema.optional(),
       },
-    },
-    responses: {
-      201: {
-        description: 'Notification emitted',
-        content: {
-          'application/json': {
-            schema: z.object({ id: z.string().uuid() }),
-          },
+      responses: [
+        {
+          status: 201,
+          description: 'Notification emitted',
+          schema: z.object({ id: z.string().uuid() }),
         },
-      },
+      ],
     },
   },
 }