piper-utils 1.1.65 → 1.1.67

package/bin/main.js

@@ -7,6 +7,35 @@
 /***/},
 /***/59(module){module.exports=require("dayjs/plugin/customParseFormat");
 /***/},
+/***/62(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.ensurePartnerScope=
+/**
+ * Lazy-load partner scope from Dynamo. Populates partnerBusinessId and
+ * businessIds on the access object, then caches for the request lifetime.
+ *
+ * No-op for non-partner access objects or if already loaded.
+ *
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps - Injected so piper-utils stays DB-agnostic.
+ * @returns {object} The same access object, now populated.
+ */
+async function ensurePartnerScope(access,{getPartnerById}){if(!access||"partner"!==access.level)return access;if(null!==access.businessIds&&void 0!==access.businessIds)return access;try{const partner=await getPartnerById(access.partnerId);access.businessIds=partner?.businessIds||[],access.partnerBusinessId=partner?.partnerBusinessId||null}catch(err){console.error("partnerAccess: failed to load partner for scoping:",err),access.businessIds=[],access.partnerBusinessId=null}return access}
+/***/,exports.resolveAccess=
+/**
+ * Resolve the caller's access level from the Lambda event.
+ * Synchronous — reads JWT claims only, no Dynamo lookups.
+ *
+ * Returns an access object:
+ *   { level: 'global' }                              — super user or local/test env
+ *   { level: 'partner', partnerId, partnerBusinessId: null, businessIds: null }
+ *   { level: 'standard', businessIds: string[] }
+ *
+ * Partner fields (partnerBusinessId, businessIds) start null and are
+ * lazy-loaded by ensurePartnerScope on first use.
+ *
+ * @param {object} event - Lambda event with Cognito authorizer claims.
+ * @returns {object} Access object.
+ */
+function resolveAccess(event){if((0,_accessRightsUtils.isSuperUser)(event))return{level:"global"};const env=process.env.BUILD_ENV;if("local"===env||"test"===env)return{level:"global"};const partnerId=(0,_accessRightsUtils.isPartnerUser)(event);if(partnerId)return{level:"partner",partnerId,partnerBusinessId:null,businessIds:null};const arBusinessIds=(0,_accessRightsUtils.getAccessRightsInfo)(event),businessIds=Object.keys(arBusinessIds);if(businessIds.length>0)return{level:"standard",businessIds};throw _errorCodes.errorList.unauthorized};var _accessRightsUtils=__webpack_require__(673),_errorCodes=__webpack_require__(953)},
 /***/64(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.default=void 0;var _libDynamodb=__webpack_require__(515),_clientDynamodb=__webpack_require__(929);const dynamoUtil={get:params=>
 /**
  * @param {{TableName:string, Key:{key:string}}} params
@@ -17,6 +46,307 @@ async function get(params){return _libDynamodb.DynamoDBDocument.from(new _client
 /***/,exports.handleEvents=function handleEvents(event,transformer,errorHandlerPerFile,shouldSkipFailedFolders=!1,userImportTypes){if(!event||!event.Records)return _bluebird.default.resolve();let hasErrors=!1;return _bluebird.default.map(event.Records,record=>{const snsInfo=JSON.parse(_lodash.default.get(record,"Sns.Message","{}")),s3Bucket=snsInfo.bucket,files=snsInfo.files||[];return _bluebird.default.map(files,file=>{let path=decodeURIComponent(file);if(path)return(0,_handleFile.handleFile)(path,s3Bucket,transformer,{shouldSkipFailedFolders,userImportTypes}).catch(err=>{errorHandlerPerFile&&!errorHandlerPerFile(err,path)&&(console.error("HANDLE-FILE-CATCH: ",err),hasErrors=!0)})})}).then(()=>{if(hasErrors)throw new Error("ERROR: HANDLE-FILE")})};var _handleFile=__webpack_require__(876),_lodash=_interopRequireDefault(__webpack_require__(825)),_bluebird=_interopRequireDefault(__webpack_require__(564));function _interopRequireDefault(e){return e&&e.__esModule?e:{default:e}}},
 /***/137(module){module.exports=require("dayjs/plugin/utc.js");
 /***/},
+/***/165(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.assertCanWriteBookBusiness=
+/**
+ * Assert the caller can write to a business in their portfolio.
+ * For partner: businessId must be in the businessIds array.
+ *
+ *   global   → allow
+ *   standard → allow (handled elsewhere via checkWriteAccess)
+ *   partner  → businessId must be in portfolio; throws if not
+ *
+ * @param {object} access     - Access object from resolveAccess.
+ * @param {string} businessId - The businessId being written to.
+ * @param {{ getPartnerById: Function }} deps
+ */
+async function assertCanWriteBookBusiness(access,businessId,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return;if("standard"===access.level)return;if("partner"===access.level){if(!businessId)throw{..._errorCodes.errorList.invalidRequest,message:"businessId is required"};if(await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById}),!(access.businessIds||[]).includes(businessId))throw _errorCodes.errorList.unauthorized;return}throw _errorCodes.errorList.unauthorized}
+/**
+ * Assert the caller can write to a business in the union of own + portfolio.
+ * For partner: businessId must be partnerBusinessId OR in businessIds[].
+ * Used by ticket write paths.
+ *
+ *   global   → allow
+ *   standard → allow (handled elsewhere via checkWriteAccess)
+ *   partner  → businessId must be in [partnerBusinessId, ...businessIds]
+ *
+ * @param {object} access     - Access object from resolveAccess.
+ * @param {string} businessId - The businessId being written to.
+ * @param {{ getPartnerById: Function }} deps
+ */,exports.assertCanWriteBookUnionOwn=async function assertCanWriteBookUnionOwn(access,businessId,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return;if("standard"===access.level)return;if("partner"===access.level){if(!businessId)throw{..._errorCodes.errorList.invalidRequest,message:"businessId is required"};await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById});if(!_lodash.default.uniq([access.partnerBusinessId,...access.businessIds||[]].filter(Boolean)).includes(businessId))throw _errorCodes.errorList.unauthorized;return}throw _errorCodes.errorList.unauthorized}
+/**
+ * Auto-stamp body.businessId from the partner's own business if missing.
+ * No-op for non-partner users or if body.businessId is already set.
+ *
+ * @param {object} access - Access object from resolveAccess.
+ * @param {object} body   - Request body to mutate.
+ * @param {{ getPartnerById: Function }} deps
+ */,exports.assertCanWriteOwnBusiness=
+/**
+ * Assert the caller can write to their own business.
+ * For partner: businessId must equal partnerBusinessId.
+ *
+ *   global   → allow
+ *   partner  → businessId must equal partnerBusinessId; throws if not
+ *   standard → throws (CRM routes gate standard users before reaching this)
+ *
+ * @param {object} access     - Access object from resolveAccess.
+ * @param {string} businessId - The businessId being written to.
+ * @param {{ getPartnerById: Function }} deps
+ */
+async function assertCanWriteOwnBusiness(access,businessId,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return;if("partner"===access.level){if(await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById}),!access.partnerBusinessId)throw{..._errorCodes.errorList.partnerNotConfigured};if(businessId!==access.partnerBusinessId)throw _errorCodes.errorList.unauthorized;return}throw _errorCodes.errorList.unauthorized},exports.stampOwnBusinessId=async function stampOwnBusinessId(access,body,{getPartnerById}={}){if(!access||"partner"!==access.level)return;if(body.businessId)return;await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById}),body.businessId=access.partnerBusinessId}
+/***/;var _lodash=function _interopRequireDefault(e){return e&&e.__esModule?e:{default:e}}(__webpack_require__(825)),_accessContext=__webpack_require__(62),_errorCodes=__webpack_require__(953)},
+/***/179(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.attachAudit=
+/**
+ * Define a sibling `<ModelName>Audit` table for the given Sequelize model and
+ * wire the four lifecycle hooks (`afterCreate`, `afterUpsert`, `afterUpdate`,
+ * `afterDestroy`) that record changes into it.
+ *
+ * Call this **once per model at boot time** from inside the model's
+ * `dbSetup()` function. It is idempotent — calling it again for a model that
+ * already has an audit table attached is a no-op.
+ *
+ * The audit table has no foreign key into any user table; the username of the
+ * person who made the change is stamped onto each row from the JWT (set by
+ * {@link bindAuditRequest}). This keeps the audit util portable across domain
+ * services that own different user models.
+ *
+ * @example
+ * // src/customer/customer.js
+ * Customer.dbSetup = async function () {
+ *     await attachAudit(Customer);
+ * };
+ *
+ * @param {import('sequelize').ModelStatic<any>} model the Sequelize model to audit
+ * @returns {Promise<void>} resolves when the audit table's `sync()` completes
+ * @see {@link bindAuditRequest} - per-request setup that turns audit on
+ * @see {@link getAuditModel} - retrieve the audit model from the parent
+ * @see {@link getAuditFilter} - build a filter for an audit history query
+ */
+async function attachAudit(model){if(auditModels[model.name])return;const auditModel=model.sequelize.define(model.name+"Audit",function getAuditSchema(model){const DataTypes=model.sequelize.Sequelize;return{field:{type:DataTypes.STRING,allowNull:!1},type:DataTypes.STRING,valueOld:DataTypes.STRING,valueNew:DataTypes.STRING,changedByUser:{type:DataTypes.STRING,allowNull:!1},businessId:{type:DataTypes.STRING,allowNull:!1}}}
+/**
+ * Internal hook factory. Returns the async function that Sequelize invokes on
+ * each create/upsert/update/destroy. Reads its per-request state from
+ * {@link modelOptions}; emits zero rows when audit is disabled for the model.
+ *
+ * Sensitive fields inside JSON values (token, password, secret, key,
+ * credential, auth, securityCode, cvv, pin, ssn) are masked as
+ * `***************` before being persisted. String values longer than 255
+ * characters are truncated.
+ *
+ * Exported only so tests can drive the hook directly. Application code should
+ * never call this — use {@link attachAudit}.
+ *
+ * @param {string} modelName name of the parent Sequelize model
+ * @returns {(modelInfo: any, options: { type?: string, transaction?: import('sequelize').Transaction }) => Promise<void>}
+ *   the hook function Sequelize will call on each lifecycle event
+ */(model),{updatedAt:!1,freezeTableName:!0});return auditModel.belongsTo(model,{foreignKey:{allowNull:!0},onDelete:"SET NULL"}),auditModels[model.name]=auditModel,model.addHook("afterCreate",auditMe(model.name)),model.addHook("afterUpsert",auditMe(model.name)),model.addHook("afterUpdate",auditMe(model.name)),model.addHook("afterDestroy",auditMe(model.name)),auditModel.sync()}
+/**
+ * Bind per-request audit context for one or more models. Call this **once at
+ * the top of each route handler** that mutates an audited model.
+ *
+ * Resolves the acting user from the JWT claims on the event
+ * (via {@link getCurrentUser}) and reads the company `auditEnabled` flag from
+ * the `custom:SET` claim (via {@link getCompanySettings}). If the company has
+ * `auditEnabled: false` then no rows will be written for the bound models on
+ * this request.
+ *
+ * Audit is **off by default** for any model that has not been bound this
+ * request — a route that omits this call writes no audit rows.
+ *
+ * @example
+ * // src/customer/customerRoutes.js
+ * export async function updateCustomer(event) {
+ *     checkModule('customer', event);
+ *     const businessId = checkWriteAccess(event);
+ *     bindAuditRequest(event, businessId, [Customer]);
+ *     // ...mutate Customer here; rows are written automatically by hooks
+ * }
+ *
+ * @example
+ * // Bind several models in one call when a handler touches more than one
+ * bindAuditRequest(event, businessId, [Order, Payment, Receivable]);
+ *
+ * @param {import('aws-lambda').APIGatewayProxyEvent} event API Gateway event
+ *   with `requestContext.authorizer.claims` (must include `email` and
+ *   optionally `custom:UID`, `custom:SET`)
+ * @param {string|number} businessId business id this request acts on; stamped
+ *   onto every audit row written for the bound models
+ * @param {Array<import('sequelize').ModelStatic<any>>} models Sequelize models
+ *   to enable audit on for the duration of this request
+ * @returns {void}
+ * @see {@link bindAuditRequestForUser} - the equivalent for non-JWT contexts
+ *   (webhooks, integration crons, Cognito triggers)
+ * @see {@link attachAudit} - one-time setup that creates the audit table
+ */,exports.auditMe=auditMe,exports.auditModels=void 0,exports.bindAuditRequest=function bindAuditRequest(event,businessId,models){const user=(0,_requestResponse.getCurrentUser)(event),auditEnabled=!!((0,_accessRightsUtils.getCompanySettings)(event)||{}).auditEnabled;_lodash.default.forEach(models,model=>{modelOptions[model.name]={user,businessId,auditEnabled}})}
+/**
+ * Bind per-request audit context for **system-driven flows** that do not carry
+ * an API Gateway JWT — for example, payment-gateway webhooks, integration
+ * crons (QuickBooks/Inbox/etc.), Cognito triggers, or batch jobs.
+ *
+ * Use {@link bindAuditRequest} instead whenever you have a JWT-authenticated
+ * API event; that path automatically resolves the user and the company's
+ * `auditEnabled` flag from claims.
+ *
+ * @example
+ * // payment webhook from the gateway — no JWT, but we still want audit
+ * import { systemUser } from '../user/user.js';
+ *
+ * export async function webhook(event) {
+ *     const businessId = event.queryStringParameters.businessId;
+ *     bindAuditRequestForUser(systemUser, businessId, [Order, Payment]);
+ *     // ...mutate Order/Payment; audit rows are written by hooks
+ * }
+ *
+ * @example
+ * // turn audit OFF explicitly for a system flow that should not be audited
+ * bindAuditRequestForUser(systemUser, businessId, [Order], { auditEnabled: false });
+ *
+ * @param {{ username: string, id?: number }} user identity stamped onto each
+ *   audit row's `changedByUser` field. Conventionally the `systemUser`
+ *   constant exported from your service's user model
+ * @param {string|number} businessId business id this flow is acting on
+ * @param {Array<import('sequelize').ModelStatic<any>>} models Sequelize models
+ *   to enable audit on
+ * @param {{ auditEnabled?: boolean }} [opts] when `auditEnabled` is `false`,
+ *   binds context but suppresses writes; defaults to `true`
+ * @returns {void}
+ * @see {@link bindAuditRequest} - the JWT-driven equivalent for API handlers
+ */,exports.bindAuditRequestForUser=function bindAuditRequestForUser(user,businessId,models,opts={}){const auditEnabled=!1!==opts.auditEnabled;_lodash.default.forEach(models,model=>{modelOptions[model.name]={user,businessId,auditEnabled}})}
+/**
+ * Get the `<ModelName>Audit` Sequelize model that {@link attachAudit} created
+ * for a parent model. Returns `undefined` if audit was never attached.
+ *
+ * @example
+ * const audits = await findAll(getAuditModel(Customer), filter);
+ *
+ * @param {import('sequelize').ModelStatic<any>} model parent Sequelize model
+ * @returns {import('sequelize').ModelStatic<any> | undefined} the audit model,
+ *   or `undefined` if {@link attachAudit} has not been called for this model
+ * @see {@link getAuditFilter} - companion filter builder for history queries
+ */,exports.decrementWithAudit=
+/**
+ * Decrement an integer field on a Sequelize instance and write a matching
+ * audit row in the same call. Useful for inventory adjustments and other
+ * counter-style fields where Sequelize's plain `model.decrement()` would
+ * bypass the `afterUpdate` hook.
+ *
+ * The acting user and businessId come from whatever
+ * {@link bindAuditRequest} / {@link bindAuditRequestForUser} was called for
+ * this request. If audit is disabled for the model, the decrement still
+ * happens but no audit row is written.
+ *
+ * @example
+ * // release inventory on order release
+ * await decrementWithAudit('inventory', inventoryEntry, 'quantity', {
+ *     by: item.quantity,
+ *     transaction: t
+ * });
+ *
+ * @param {string} modelName name of the parent model (e.g. `'inventory'`)
+ * @param {import('sequelize').Model} model the Sequelize instance to mutate
+ * @param {string} field the integer/decimal field to decrement
+ * @param {{ by?: number, transaction?: import('sequelize').Transaction }} args
+ *   passed straight through to Sequelize's `decrement()`; transaction is also
+ *   propagated to the audit write
+ * @returns {Promise<import('sequelize').Model>} the updated instance (with
+ *   `_changed` set on it so internal hooks can observe the change)
+ * @see {@link incrementWithAudit} - the +1 counterpart
+ */
+async function decrementWithAudit(modelName,model,field,args){const r=await model.decrement(field,args);r._changed=[field];const options={};args.transaction&&(options.transaction=args.transaction);return await auditMe(modelName)(r,options),r}
+/**
+ * Increment an integer field on a Sequelize instance and write a matching
+ * audit row in the same call. The mirror of {@link decrementWithAudit}.
+ *
+ * @example
+ * // restock from a receivable
+ * await incrementWithAudit('inventory', inventoryEntry, 'quantity', {
+ *     by: item.quantity,
+ *     transaction: t
+ * });
+ *
+ * @param {string} modelName name of the parent model (e.g. `'inventory'`)
+ * @param {import('sequelize').Model} model the Sequelize instance to mutate
+ * @param {string} field the integer/decimal field to increment
+ * @param {{ by?: number, transaction?: import('sequelize').Transaction }} args
+ *   passed straight through to Sequelize's `increment()`; transaction is also
+ *   propagated to the audit write
+ * @returns {Promise<import('sequelize').Model>} the updated instance
+ * @see {@link decrementWithAudit} - the -1 counterpart
+ */,exports.getAuditFilter=
+/**
+ * Build a Sequelize `findAll`-style filter for an audit-history query, scoped
+ * to the businesses the caller is allowed to read (resolved from
+ * {@link accessRightsUtils}).
+ *
+ * The returned filter joins the parent model so callers can render `oldValue`
+ * → `newValue` rows in the UI alongside the parent record.
+ *
+ * @example
+ * // GET /customer/{id}/audit
+ * export async function getCustomerAudit(event) {
+ *     bindAuditRequest(event, userDefaultBid(event), [Customer]);
+ *     const filter = getAuditFilter(Customer, event.pathParameters.id, {
+ *         event,
+ *         offset: 0,
+ *         limit: 10
+ *     });
+ *     const audits = await findAll(getAuditModel(Customer), filter);
+ *     return success(audits);
+ * }
+ *
+ * @param {import('sequelize').ModelStatic<any>} modelToFilter the parent model
+ *   whose history is being fetched
+ * @param {string|number} id parent record id
+ * @param {{ event: import('aws-lambda').APIGatewayProxyEvent, offset?: number, limit?: number }} options
+ *   `event` is required (drives business-id scoping); `offset` and `limit`
+ *   are pagination passthroughs
+ * @returns {{ where: Object, include: Array<{ model: Object }>, order: Array, offset?: number, limit?: number }}
+ *   a Sequelize `findAll`-compatible filter
+ * @see {@link getAuditModel} - call to get the audit model to query against
+ */
+function getAuditFilter(modelToFilter,id,options){const filter={where:{businessId:(0,_accessRightsUtils.accessRightsUtils)(options.event)},include:[{model:modelToFilter}],order:[["createdAt","DESC"]]};return filter.where[modelToFilter.name+"Id"]=id,{...filter,...options}},exports.getAuditModel=function getAuditModel(model){return auditModels[model.name]},exports.incrementWithAudit=async function incrementWithAudit(modelName,model,field,args){const r=await model.increment(field,args);r._changed=[field];const options={};args.transaction&&(options.transaction=args.transaction);return await auditMe(modelName)(r,options),r}
+/***/,exports.modelOptions=void 0;var _lodash=_interopRequireDefault(__webpack_require__(825)),_bluebird=_interopRequireDefault(__webpack_require__(564)),_requestResponse=__webpack_require__(859),_accessRightsUtils=__webpack_require__(673);function _interopRequireDefault(e){return e&&e.__esModule?e:{default:e}}
+/**
+ * @file Audit logging for Sequelize models. Each parent model gets a sibling
+ * `<ModelName>Audit` table that records every field-level change made through
+ * Sequelize hooks (afterCreate / afterUpsert / afterUpdate / afterDestroy).
+ *
+ * Typical wiring in a domain service:
+ *
+ * 1. At model `dbSetup` (one-time, at boot):
+ *    `await attachAudit(MyModel);`
+ *
+ * 2. At the top of each route handler that mutates the model:
+ *    `bindAuditRequest(event, businessId, [MyModel]);`
+ *
+ * 3. To list audit history for a record:
+ *    `const filter = getAuditFilter(MyModel, id, { event, offset, limit });`
+ *    `const audits = await findAll(getAuditModel(MyModel), filter);`
+ *
+ * Audit is **off by default** for any model whose request hasn't been bound —
+ * so cron lambdas, untouched endpoints, and unit tests will not write audit
+ * rows unless they explicitly opt in. The on/off switch comes from the
+ * `custom:SET.auditEnabled` JWT claim resolved by {@link getCompanySettings}.
+ *
+ * The user identity stamped on each row is read from the JWT via
+ * {@link getCurrentUser}; `changedByUser` stores `claims.email`. There is
+ * intentionally no foreign key back to a User table — domain services must
+ * not read across other services' databases.
+ */
+/**
+ * Registry of `<ModelName>Audit` Sequelize models, keyed by parent model name.
+ * Populated by {@link attachAudit}. Exported for tests; do not mutate from app code.
+ *
+ * @type {Object<string, import('sequelize').ModelStatic<any>>}
+ */const auditModels=exports.auditModels={},modelOptions=exports.modelOptions={},SENSITIVE_FIELDS_PATTERN=/"(token|password|secret|key|credential|auth|securityCode|cvv|pin|ssn)":\s*"[^"]*"/gi;
+/**
+ * Per-model per-request audit context, keyed by parent model name. Populated by
+ * {@link bindAuditRequest} or {@link bindAuditRequestForUser}. A model with no
+ * entry here (or with `auditEnabled === false`) will not write any audit rows.
+ * Exported for tests; do not mutate from app code.
+ *
+ * @type {Object<string, { user: { username: string, id?: number }, businessId: string|number, auditEnabled: boolean }>}
+ */function auditMe(modelName){return async(modelInfo,options)=>{_lodash.default.isArray(modelInfo)&&(modelInfo=modelInfo[0]);const opts=modelOptions[modelName];if(!opts||!opts.auditEnabled)return;const auditModel=auditModels[modelName],writeAuditRow=async(field,type,valueOld,valueNew)=>{const data={field,type,valueOld:String(valueOld).substring(0,255),valueNew:String(valueNew).substring(0,255),businessId:opts.businessId,changedByUser:opts.user.username};data[modelName+"Id"]=modelInfo.dataValues.id;const newOptions={};return options.transaction&&(newOptions.transaction=options.transaction),auditModel.create(data,newOptions)},checkAudit=async(field,type="INITIAL",valueOld,valueNew)=>{if(!_lodash.default.isEqual(valueOld,valueNew)){if(_lodash.default.isString(valueOld)&&_lodash.default.isString(valueNew)&&(type="INSERT"),_lodash.default.isArray(valueOld)||_lodash.default.isArray(valueNew)){let oldString=JSON.stringify(valueOld||[]),newString=JSON.stringify(valueNew||[]);return oldString=oldString.replace(SENSITIVE_FIELDS_PATTERN,'"$1":"***************"').substring(0,255),newString=newString.replace(SENSITIVE_FIELDS_PATTERN,'"$1":"***************"').substring(0,255),writeAuditRow(field,"UPDATE",oldString,newString)}return _lodash.default.isObject(valueOld)||_lodash.default.isObject(valueNew)?(_lodash.default.forEach(valueOld,(valueSub,keySub)=>{checkAudit(field+" "+keySub,"DELETED",valueSub||"",(valueNew||{})[keySub]||"")}),void _lodash.default.forEach(valueNew,(valueSub,keySub)=>{checkAudit(field+" "+keySub,"INSERT",(valueOld||{})[keySub]||"",valueSub||"")})):writeAuditRow(field,type,valueOld,valueNew)}};return _bluebird.default.map([...modelInfo._changed],async field=>{const valueOld=modelInfo._previousDataValues[field]||"",valueNew=modelInfo.dataValues[field]||"";await checkAudit(field,options.type,valueOld,valueNew)})}}},
 /***/183(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.watchBucket=
 /**
  * bucket watcher watches a s3 bucket and publishes events to a sns topic, this allows you to process files in s3 with a some transformer function
@@ -39,6 +369,22 @@ return(0,_publishEvents.publishEvents)(dynamoConfigTable,dynamoConfigKey,s3Bucke
 // this used to throw, but the throw raised useless alarms, I believed turing throw in to a return was ok
 return;if(startsWithDirect)return console.log("-------\x3eDIRECT WRITE FIRE"),(0,_handleEvents.handleDirectS3WriteEvent)(event,transformer,errorHandlerPerFile,shouldSkipFailedFolders,userImportTypes)}}
 /***/;var _publishEvents=__webpack_require__(864),_handleEvents=__webpack_require__(95),_lodash=function _interopRequireDefault(e){return e&&e.__esModule?e:{default:e}}(__webpack_require__(825))},
+/***/189(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.requireCrmAccess=
+/**
+ * Gate: CRM routes — rejects standard users. Super and partner pass.
+ * @param {object} access - Access object from resolveAccess.
+ */
+function requireCrmAccess(access){if(!access)throw _errorCodes.errorList.unauthorized;if("standard"===access.level)throw _errorCodes.errorList.unauthorized}
+/**
+ * Gate: Ticket routes — all three user types pass. Only rejects null access.
+ * @param {object} access - Access object from resolveAccess.
+ */,exports.requireSuper=
+/**
+ * Gate: Super-only routes — throws unless global.
+ * @param {object} access - Access object from resolveAccess.
+ */
+function requireSuper(access){if(!access||"global"!==access.level)throw _errorCodes.errorList.unauthorized}
+/***/,exports.requireTicketAccess=function requireTicketAccess(access){if(!access)throw _errorCodes.errorList.unauthorized};var _errorCodes=__webpack_require__(953)},
 /***/207(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.addFiltersFromSchema=addFiltersFromSchema,exports.defaultFilters=
 /**
  * Create an object with default filters for a given sequeliaze Schema Object, and set of sub schemas
@@ -156,8 +502,74 @@ let parsed;try{parsed=JSON.parse(query[qKey])}catch(e){return}if(parsed&&"object
 /***/},
 /***/394(module){module.exports=require("dayjs/plugin/isSameOrBefore");
 /***/},
+/***/513(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.scopeToBookUnionOwn=
+/**
+ * Scope to the union of partnerBusinessId + businessIds.
+ * Use for tickets — partner sees own tickets + portfolio merchants' tickets.
+ *
+ *   global   → deletes where.businessId
+ *   partner  → sets where.businessId = [partnerBusinessId, ...businessIds]
+ *   standard → sets where.businessId = access.businessIds
+ *              (explicitly handled here because ticket routes may not call
+ *               createFilters before scoping, e.g. delete/resolve handlers)
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */
+async function scopeToBookUnionOwn(where,access,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return void delete where.businessId;if("partner"===access.level){await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById});const ids=_lodash.default.uniq([access.partnerBusinessId,...access.businessIds||[]].filter(Boolean));return void(where.businessId=ids)}if("standard"===access.level)return void(where.businessId=access.businessIds)}
+/***/,exports.scopeToOwnBusiness=
+/**
+ * Scope a WHERE clause to the partner's own business (partnerBusinessId).
+ * Use for "mine" resources: deal, activity, application, template.
+ *
+ *   global   → deletes where.businessId (super sees everything)
+ *   partner  → sets where.businessId = partnerBusinessId
+ *              throws partnerNotConfigured if partnerBusinessId is missing
+ *   standard → no-op (createFilters already handled)
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */
+async function scopeToOwnBusiness(where,access,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return void delete where.businessId;if("partner"===access.level){if(await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById}),!access.partnerBusinessId)throw _errorCodes.errorList.partnerNotConfigured;return void(where.businessId=access.partnerBusinessId)}
+// standard → no-op (createFilters already injected from JWT)
+}
+/**
+ * Scope a WHERE clause to the partner's portfolio (businessIds array).
+ * Use for "book" resources (future transaction lists, merchant inbox views).
+ *
+ *   global   → deletes where.businessId
+ *   partner  → sets where.businessId = businessIds[]
+ *   standard → no-op
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */,exports.scopeToPartnerBook=async function scopeToPartnerBook(where,access,{getPartnerById}={}){if(!access)throw _errorCodes.errorList.unauthorized;if("global"===access.level)return void delete where.businessId;if("partner"===access.level)return await(0,_accessContext.ensurePartnerScope)(access,{getPartnerById}),void(where.businessId=access.businessIds||[]);
+// standard → no-op
+};var _lodash=function _interopRequireDefault(e){return e&&e.__esModule?e:{default:e}}(__webpack_require__(825)),_accessContext=__webpack_require__(62),_errorCodes=__webpack_require__(953)},
 /***/515(module){module.exports=require("@aws-sdk/lib-dynamodb");
 /***/},
+/***/539(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.createAccessHelpers=
+/**
+ * Factory that pre-binds getPartnerById into all scope/assert/stamp helpers.
+ * Bind once at module level, then call without repeating the injection:
+ *
+ *   import { createAccessHelpers } from 'piper-utils';
+ *   import { getPartnerById } from '../partner/partner.js';
+ *
+ *   const {
+ *       scopeToOwnBusiness,
+ *       stampOwnBusinessId,
+ *       assertCanWriteOwnBusiness
+ *   } = createAccessHelpers({ getPartnerById });
+ *
+ * @param {{ getPartnerById: Function }} deps
+ * @returns {object} Pre-bound helpers.
+ */
+function createAccessHelpers({getPartnerById}){const deps={getPartnerById};return{ensurePartnerScope:access=>(0,_accessContext.ensurePartnerScope)(access,deps),scopeToOwnBusiness:(where,access)=>(0,_accessScope.scopeToOwnBusiness)(where,access,deps),scopeToPartnerBook:(where,access)=>(0,_accessScope.scopeToPartnerBook)(where,access,deps),scopeToBookUnionOwn:(where,access)=>(0,_accessScope.scopeToBookUnionOwn)(where,access,deps),assertCanWriteOwnBusiness:(access,businessId)=>(0,_accessWrites.assertCanWriteOwnBusiness)(access,businessId,deps),assertCanWriteBookBusiness:(access,businessId)=>(0,_accessWrites.assertCanWriteBookBusiness)(access,businessId,deps),assertCanWriteBookUnionOwn:(access,businessId)=>(0,_accessWrites.assertCanWriteBookUnionOwn)(access,businessId,deps),stampOwnBusinessId:(access,body)=>(0,_accessWrites.stampOwnBusinessId)(access,body,deps)}}
+/***/;var _accessContext=__webpack_require__(62),_accessScope=__webpack_require__(513),_accessWrites=__webpack_require__(165)},
 /***/564(module){module.exports=require("bluebird");
 /***/},
 /***/673(__unused_webpack_module,exports,__webpack_require__){Object.defineProperty(exports,"__esModule",{value:!0}),exports.accessRightsUtils=accessRightsUtils,exports.checkIsSuper=
@@ -410,7 +822,7 @@ const usersImports=Object.values(userImportTypes),items=path.split("/"),fileName
 /***/},
 /***/929(module){module.exports=require("@aws-sdk/client-dynamodb");
 /***/},
-/***/953(__unused_webpack_module,exports){Object.defineProperty(exports,"__esModule",{value:!0}),exports.errorList=void 0;exports.errorList={invalidInventoryReleaseRequest:{message:"NOT ENOUGH INVENTORY TO FULFILL RELEASE",errorCode:"4010",statusCode:400},alreadyReleased:{message:"ALREADY RELEASED",errorCode:"4011",statusCode:400},alreadyReceived:{message:"RECEIVABLE ALREADY RECEIVED",errorCode:"4012",statusCode:400},invalidItemsRequest:{message:"VALID ITEMS MUST BE INCLUDED",errorCode:"4013",statusCode:400},invalidID:{message:"ID is invalid",errorCode:"4014",statusCode:400},invalidReceivable:{message:"MUST CONTAIN AT LEAST ONE RECEIVABLE",errorCode:"4015",statusCode:400},invalidRequest:{message:"INVALID REQUEST DATA",errorCode:"4016",statusCode:400},invalidAPIKey:{message:"INVALID REQUEST - API MAY KEY INVALID",errorCode:"4017",statusCode:400},qbCreationError:{message:"QUICKBOOKS ERROR - ERROR CREATING OBJECT IN QUICKBOOKS",errorCode:"4018",statusCode:400},cannotReopen:{message:"CANNOT REOPEN - THE ORDER HAS ALREADY BEEN OPENED",errorCode:"4018",statusCode:400},invalidDateFormat:{message:"INVALID DATE FORMAT",errorCode:"4019",statusCode:400},invalidStartDate:{message:"INVALID START DATE",errorCode:"4020",statusCode:400},invalidEndDate:{message:"INVALID END DATE",errorCode:"4021",statusCode:400},invalidOrderStatus:{message:"UNABLE TO EDIT ORDER ITEMS UNLESS THE ORDER IS IN ESTIMATE STATUS",errorCode:"4022",statusCode:400},invalidPaymentStatus:{message:"UNABLE TO UPDATE PAYMENT STATUS PAYMENT MUST BE OPEN",errorCode:"4023",statusCode:400},invalidReleaseStatus:{message:"UNABLE TO UPDATE RELEASE, STATUS RELEASE MUST BE OPEN",errorCode:"4024",statusCode:400},invalidReceivableStatus:{message:"UNABLE TO UPDATE RECEIVABLE, STATUS RECEIVABLE MUST BE OPEN",errorCode:"40025",statusCode:400},invalidJson:{message:"INVALID JSON",errorCode:"4005",statusCode:400},invalidFilter:{message:"INVALID FILTER",errorCode:"4026",statusCode:400},invalidUserNameUpdate:{message:"UNABLE TO UPDATE USERNAME",errorCode:"4027",statusCode:400},imageSizeLimit:{message:"IMAGE SIZE LIMIT 100KB EXCEEDED",errorCode:"4028",statusCode:400},unauthorized:{message:"UNAUTHORIZED",errorCode:"4111",statusCode:401},notFound:{message:"ITEM NOT FOUND",errorCode:"4004",statusCode:404},emailRequired:{message:"NO EMAIL PROVIDED, CHECK CUSTOMER EMAIL",errorCode:"4004",statusCode:404},mobilePhoneRequired:{message:"NO MOBILE PHONE PROVIDED, CHECK CUSTOMER CONTACTS",errorCode:"4004",statusCode:404},invalidCadenceType:{message:"INVALID CADENCE TYPE",errorCode:"5001",statusCode:500}};
+/***/953(__unused_webpack_module,exports){Object.defineProperty(exports,"__esModule",{value:!0}),exports.errorList=void 0;exports.errorList={invalidInventoryReleaseRequest:{message:"NOT ENOUGH INVENTORY TO FULFILL RELEASE",errorCode:"4010",statusCode:400},alreadyReleased:{message:"ALREADY RELEASED",errorCode:"4011",statusCode:400},alreadyReceived:{message:"RECEIVABLE ALREADY RECEIVED",errorCode:"4012",statusCode:400},invalidItemsRequest:{message:"VALID ITEMS MUST BE INCLUDED",errorCode:"4013",statusCode:400},invalidID:{message:"ID is invalid",errorCode:"4014",statusCode:400},invalidReceivable:{message:"MUST CONTAIN AT LEAST ONE RECEIVABLE",errorCode:"4015",statusCode:400},invalidRequest:{message:"INVALID REQUEST DATA",errorCode:"4016",statusCode:400},invalidAPIKey:{message:"INVALID REQUEST - API MAY KEY INVALID",errorCode:"4017",statusCode:400},qbCreationError:{message:"QUICKBOOKS ERROR - ERROR CREATING OBJECT IN QUICKBOOKS",errorCode:"4018",statusCode:400},cannotReopen:{message:"CANNOT REOPEN - THE ORDER HAS ALREADY BEEN OPENED",errorCode:"4018",statusCode:400},invalidDateFormat:{message:"INVALID DATE FORMAT",errorCode:"4019",statusCode:400},invalidStartDate:{message:"INVALID START DATE",errorCode:"4020",statusCode:400},invalidEndDate:{message:"INVALID END DATE",errorCode:"4021",statusCode:400},invalidOrderStatus:{message:"UNABLE TO EDIT ORDER ITEMS UNLESS THE ORDER IS IN ESTIMATE STATUS",errorCode:"4022",statusCode:400},invalidPaymentStatus:{message:"UNABLE TO UPDATE PAYMENT STATUS PAYMENT MUST BE OPEN",errorCode:"4023",statusCode:400},invalidReleaseStatus:{message:"UNABLE TO UPDATE RELEASE, STATUS RELEASE MUST BE OPEN",errorCode:"4024",statusCode:400},invalidReceivableStatus:{message:"UNABLE TO UPDATE RECEIVABLE, STATUS RECEIVABLE MUST BE OPEN",errorCode:"40025",statusCode:400},invalidJson:{message:"INVALID JSON",errorCode:"4005",statusCode:400},invalidFilter:{message:"INVALID FILTER",errorCode:"4026",statusCode:400},invalidUserNameUpdate:{message:"UNABLE TO UPDATE USERNAME",errorCode:"4027",statusCode:400},imageSizeLimit:{message:"IMAGE SIZE LIMIT 100KB EXCEEDED",errorCode:"4028",statusCode:400},unauthorized:{message:"UNAUTHORIZED",errorCode:"4111",statusCode:401},notFound:{message:"ITEM NOT FOUND",errorCode:"4004",statusCode:404},emailRequired:{message:"NO EMAIL PROVIDED, CHECK CUSTOMER EMAIL",errorCode:"4004",statusCode:404},mobilePhoneRequired:{message:"NO MOBILE PHONE PROVIDED, CHECK CUSTOMER CONTACTS",errorCode:"4004",statusCode:404},invalidCadenceType:{message:"INVALID CADENCE TYPE",errorCode:"5001",statusCode:500},partnerNotConfigured:{message:"Partner has no partnerBusinessId configured. Contact support.",errorCode:"4310",statusCode:400}};
 /***/},
 /***/981(__unused_webpack_module,exports){
 /**
@@ -464,6 +876,6 @@ function createIncludes(event,objectFilters){const query=_lodash.default.get(eve
 /******/
 /************************************************************************/var __webpack_exports__={};
 // This entry needs to be wrapped in an IIFE because it uses a non-standard name for the exports (exports).
-(()=>{var exports=__webpack_exports__;Object.defineProperty(exports,"__esModule",{value:!0}),exports.watchBucket=exports.userDefaultBid=exports.successHtml=exports.success=exports.runMigrations=exports.publishEvents=exports.parseEvent=exports.parseBody=exports.isSystemUser=exports.isSuperUser=exports.isPartnerUser=exports.handleFile=exports.getModuleInfo=exports.getEffectivePartnerId=exports.getDefaultBusinessIDInfo=exports.getCurrentUserNameFromCognitoEvent=exports.getCurrentUser=exports.getCompanySettings=exports.getBusinessesInfo=exports.getBelongsToPartnerId=exports.getAccessRightsInfo=exports.findAll=exports.failure=exports.enrichEventWithPartnerAccess=exports.defaultFilters=exports.createSort=exports.createIncludes=exports.createFilters=exports.checkWriteAccess=exports.checkModule=exports.checkIsSuper=exports.accessRightsUtils=void 0;var _handleFile=__webpack_require__(876),_watchBucket=__webpack_require__(183),_publishEvents=__webpack_require__(864),_createIncludes=__webpack_require__(982),_createFilters=__webpack_require__(288),_createSort=__webpack_require__(835),_findAll=__webpack_require__(981),_accessRightsUtils=__webpack_require__(673),_requestResponse=__webpack_require__(859),_migrations=__webpack_require__(871),_defaultFilters=__webpack_require__(207);exports.handleFile=_handleFile.handleFile,exports.watchBucket=_watchBucket.watchBucket,exports.publishEvents=_publishEvents.publishEvents,exports.createFilters=_createFilters.createFilters,exports.createIncludes=_createIncludes.createIncludes,exports.createSort=_createSort.createSort,exports.findAll=_findAll.findAll,exports.checkModule=_accessRightsUtils.checkModule,exports.checkIsSuper=_accessRightsUtils.checkIsSuper,exports.getAccessRightsInfo=_accessRightsUtils.getAccessRightsInfo,exports.getDefaultBusinessIDInfo=_accessRightsUtils.getDefaultBusinessIDInfo,exports.getModuleInfo=_accessRightsUtils.getModuleInfo,exports.failure=_requestResponse.failure,exports.success=_requestResponse.success,exports.runMigrations=_migrations.runMigrations,exports.getCurrentUser=_requestResponse.getCurrentUser,exports.successHtml=_requestResponse.successHtml,exports.getCurrentUserNameFromCognitoEvent=_requestResponse.getCurrentUserNameFromCognitoEvent,exports.defaultFilters=_defaultFilters.defaultFilters,exports.accessRightsUtils=_accessRightsUtils.accessRightsUtils,exports.parseBody=_requestResponse.parseBody,exports.parseEvent=_requestResponse.parseEvent,exports.getBusinessesInfo=_accessRightsUtils.getBusinessesInfo,exports.userDefaultBid=_accessRightsUtils.userDefaultBid,exports.checkWriteAccess=_accessRightsUtils.checkWriteAccess,exports.isSystemUser=_accessRightsUtils.isSystemUser,exports.isSuperUser=_accessRightsUtils.isSuperUser,exports.isPartnerUser=_accessRightsUtils.isPartnerUser,exports.getBelongsToPartnerId=_accessRightsUtils.getBelongsToPartnerId,exports.getEffectivePartnerId=_accessRightsUtils.getEffectivePartnerId,exports.enrichEventWithPartnerAccess=_accessRightsUtils.enrichEventWithPartnerAccess,exports.getCompanySettings=_accessRightsUtils.getCompanySettings})();var __webpack_export_target__=exports;for(var __webpack_i__ in __webpack_exports__)__webpack_export_target__[__webpack_i__]=__webpack_exports__[__webpack_i__];__webpack_exports__.__esModule&&Object.defineProperty(__webpack_export_target__,"__esModule",{value:!0})
+(()=>{var exports=__webpack_exports__;Object.defineProperty(exports,"__esModule",{value:!0}),exports.watchBucket=exports.userDefaultBid=exports.successHtml=exports.success=exports.stampOwnBusinessId=exports.scopeToPartnerBook=exports.scopeToOwnBusiness=exports.scopeToBookUnionOwn=exports.runMigrations=exports.resolveAccess=exports.requireTicketAccess=exports.requireSuper=exports.requireCrmAccess=exports.publishEvents=exports.parseEvent=exports.parseBody=exports.isSystemUser=exports.isSuperUser=exports.isPartnerUser=exports.incrementWithAudit=exports.handleFile=exports.getModuleInfo=exports.getEffectivePartnerId=exports.getDefaultBusinessIDInfo=exports.getCurrentUserNameFromCognitoEvent=exports.getCurrentUser=exports.getCompanySettings=exports.getBusinessesInfo=exports.getBelongsToPartnerId=exports.getAuditModel=exports.getAuditFilter=exports.getAccessRightsInfo=exports.findAll=exports.failure=exports.ensurePartnerScope=exports.enrichEventWithPartnerAccess=exports.defaultFilters=exports.decrementWithAudit=exports.createSort=exports.createIncludes=exports.createFilters=exports.createAccessHelpers=exports.checkWriteAccess=exports.checkModule=exports.checkIsSuper=exports.bindAuditRequestForUser=exports.bindAuditRequest=exports.attachAudit=exports.assertCanWriteOwnBusiness=exports.assertCanWriteBookUnionOwn=exports.assertCanWriteBookBusiness=exports.accessRightsUtils=void 0;var _handleFile=__webpack_require__(876),_watchBucket=__webpack_require__(183),_publishEvents=__webpack_require__(864),_createIncludes=__webpack_require__(982),_createFilters=__webpack_require__(288),_createSort=__webpack_require__(835),_findAll=__webpack_require__(981),_accessRightsUtils=__webpack_require__(673),_requestResponse=__webpack_require__(859),_migrations=__webpack_require__(871),_defaultFilters=__webpack_require__(207),_accessContext=__webpack_require__(62),_accessGates=__webpack_require__(189),_accessScope=__webpack_require__(513),_accessWrites=__webpack_require__(165),_createAccessHelpers=__webpack_require__(539),_audit=__webpack_require__(179);exports.handleFile=_handleFile.handleFile,exports.watchBucket=_watchBucket.watchBucket,exports.publishEvents=_publishEvents.publishEvents,exports.createFilters=_createFilters.createFilters,exports.createIncludes=_createIncludes.createIncludes,exports.createSort=_createSort.createSort,exports.findAll=_findAll.findAll,exports.checkModule=_accessRightsUtils.checkModule,exports.checkIsSuper=_accessRightsUtils.checkIsSuper,exports.getAccessRightsInfo=_accessRightsUtils.getAccessRightsInfo,exports.getDefaultBusinessIDInfo=_accessRightsUtils.getDefaultBusinessIDInfo,exports.getModuleInfo=_accessRightsUtils.getModuleInfo,exports.failure=_requestResponse.failure,exports.success=_requestResponse.success,exports.runMigrations=_migrations.runMigrations,exports.getCurrentUser=_requestResponse.getCurrentUser,exports.successHtml=_requestResponse.successHtml,exports.getCurrentUserNameFromCognitoEvent=_requestResponse.getCurrentUserNameFromCognitoEvent,exports.defaultFilters=_defaultFilters.defaultFilters,exports.accessRightsUtils=_accessRightsUtils.accessRightsUtils,exports.parseBody=_requestResponse.parseBody,exports.parseEvent=_requestResponse.parseEvent,exports.getBusinessesInfo=_accessRightsUtils.getBusinessesInfo,exports.userDefaultBid=_accessRightsUtils.userDefaultBid,exports.checkWriteAccess=_accessRightsUtils.checkWriteAccess,exports.isSystemUser=_accessRightsUtils.isSystemUser,exports.isSuperUser=_accessRightsUtils.isSuperUser,exports.isPartnerUser=_accessRightsUtils.isPartnerUser,exports.getBelongsToPartnerId=_accessRightsUtils.getBelongsToPartnerId,exports.getEffectivePartnerId=_accessRightsUtils.getEffectivePartnerId,exports.enrichEventWithPartnerAccess=_accessRightsUtils.enrichEventWithPartnerAccess,exports.getCompanySettings=_accessRightsUtils.getCompanySettings,exports.resolveAccess=_accessContext.resolveAccess,exports.ensurePartnerScope=_accessContext.ensurePartnerScope,exports.requireCrmAccess=_accessGates.requireCrmAccess,exports.requireTicketAccess=_accessGates.requireTicketAccess,exports.requireSuper=_accessGates.requireSuper,exports.scopeToOwnBusiness=_accessScope.scopeToOwnBusiness,exports.scopeToPartnerBook=_accessScope.scopeToPartnerBook,exports.scopeToBookUnionOwn=_accessScope.scopeToBookUnionOwn,exports.assertCanWriteOwnBusiness=_accessWrites.assertCanWriteOwnBusiness,exports.assertCanWriteBookBusiness=_accessWrites.assertCanWriteBookBusiness,exports.assertCanWriteBookUnionOwn=_accessWrites.assertCanWriteBookUnionOwn,exports.stampOwnBusinessId=_accessWrites.stampOwnBusinessId,exports.createAccessHelpers=_createAccessHelpers.createAccessHelpers,exports.attachAudit=_audit.attachAudit,exports.bindAuditRequest=_audit.bindAuditRequest,exports.bindAuditRequestForUser=_audit.bindAuditRequestForUser,exports.decrementWithAudit=_audit.decrementWithAudit,exports.getAuditFilter=_audit.getAuditFilter,exports.getAuditModel=_audit.getAuditModel,exports.incrementWithAudit=_audit.incrementWithAudit})();var __webpack_export_target__=exports;for(var __webpack_i__ in __webpack_exports__)__webpack_export_target__[__webpack_i__]=__webpack_exports__[__webpack_i__];__webpack_exports__.__esModule&&Object.defineProperty(__webpack_export_target__,"__esModule",{value:!0})
 /******/})();
 //# sourceMappingURL=main.js.map