@api-client/core 0.18.24 → 0.18.26

package/src/runtime/modeling/Semantics.ts

@@ -0,0 +1,196 @@
+import { Jexl } from '@pawel-up/jexl/Jexl.js'
+import type { DomainEntity } from '../../modeling/DomainEntity.js'
+import {
+  type AppliedDataSemantic,
+  DataSemantics,
+  type SemanticCondition,
+  SemanticOperation,
+  SemanticType,
+} from '../../modeling/Semantics.js'
+import type { TransformFunction } from '@pawel-up/jexl'
+
+/**
+ * Cache for JEXL instances to avoid recreation overhead
+ */
+const jexlCache = new Map<string, Jexl>()
+
+/**
+ * Get or create a JEXL instance with optional custom transforms
+ */
+export function getJexlInstance(transforms?: Record<string, TransformFunction>): Jexl {
+  const cacheKey = transforms ? JSON.stringify(Object.keys(transforms).sort()) : 'default'
+
+  if (!jexlCache.has(cacheKey)) {
+    const jexl = new Jexl()
+    if (transforms) {
+      Object.entries(transforms).forEach(([name, fn]) => {
+        jexl.addTransform(name, fn)
+      })
+    }
+    jexlCache.set(cacheKey, jexl)
+  }
+
+  return jexlCache.get(cacheKey) as Jexl
+}
+
+/**
+ * Context object passed to semantic condition evaluation
+ */
+export interface SemanticExecutionContext {
+  /**
+   * The entity data being processed
+   */
+  entity: Record<string, unknown>
+  /**
+   * Current user context (if authenticated)
+   */
+  user?: {
+    id?: string
+    authenticated?: boolean
+    roles?: string[]
+    [key: string]: unknown
+  }
+  /**
+   * The current database operation
+   */
+  operation: SemanticOperation
+  /**
+   * Applied semantics with their field mappings
+   */
+  appliedSemantics: AppliedDataSemantic[]
+  /**
+   * Configuration for the current semantic being evaluated
+   */
+  config?: Record<string, unknown>
+}
+
+/**
+ * Builds a semantics object for JEXL evaluation that maps semantic types to actual field names.
+ *
+ * The resulting map should be used in JEXL expressions to reference semantic fields.
+ *
+ * @returns A map where keys are semantic type identifiers and values are the field names.
+ *
+ * @example
+ * const semanticFieldMap = buildSemanticFieldMap(entity);
+ * const result = await jexl.eval("semantics.CreatedTimestamp == null", {
+ *  semantics: semanticFieldMap,
+ *  ...
+ * }
+ */
+export function buildSemanticFieldMap(entity: DomainEntity): Record<string, string> {
+  const semanticFieldMap: Record<string, string> = {}
+
+  for (const property of entity.properties) {
+    if (!property.info.name) {
+      continue // Skip properties without a name
+    }
+    for (const semantic of property.semantics) {
+      // We use the truncated `semantic.id` as the key, e.g. 'Password' so that it is possible to do something like:
+      // `entity[semantics.Password] != null && !entity[semantics.Password].startsWith('$')`
+      // Where the `semantics` object is the object returned by this function and
+      // passed to the JEXL context.
+      const semanticKey = semantic.id.replace('Semantic#', '')
+      semanticFieldMap[semanticKey] = property.info.name
+    }
+  }
+  return semanticFieldMap
+}
+
+/**
+ * Evaluates a semantic condition against the execution context
+ * In a real implementation, this would use JEXL to evaluate the expression
+ *
+ * @param condition The semantic condition to evaluate
+ * @param context The execution context containing entity data, user info, etc.
+ * @param semanticFieldMap A map of semantic field names to their actual field names.
+ *                         Use the `buildSemanticFieldMap()` function to create this map.
+ * @param jexl Optional JEXL instance to use for evaluation, defaults to a cached instance.
+ * @returns A promise that resolves to true if the condition is met, false otherwise
+ */
+export function evaluateSemanticCondition(
+  condition: SemanticCondition,
+  context: SemanticExecutionContext,
+  semanticFieldMap: Record<string, string>,
+  jexl: Jexl = getJexlInstance()
+): Promise<boolean> {
+  // Build the evaluation context
+  const evalContext = {
+    entity: context.entity,
+    user: context.user,
+    operation: context.operation,
+    config: context.config,
+    semantics: semanticFieldMap,
+  }
+  return jexl.eval(condition.expression, evalContext)
+}
+
+/**
+ * Check if semantic should execute based on all its conditions
+ *
+ * @param semantic The semantic to check
+ * @param context The execution context containing entity data, user info, etc.
+ * @param semanticFieldMap A map of semantic field names to their actual field names.
+ *                         Use the `buildSemanticFieldMap()` function to create this map.
+ * @return A promise that resolves to true if all conditions are met, false otherwise
+ */
+export async function shouldSemanticExecute(
+  semantic: AppliedDataSemantic,
+  context: SemanticExecutionContext,
+  semanticFieldMap: Record<string, string>
+): Promise<boolean> {
+  const definition = DataSemantics[semantic.id]
+  const conditions = definition?.runtime?.conditions
+
+  if (!conditions || conditions.length === 0) {
+    return true
+  }
+
+  const results = await Promise.all(
+    conditions.map((condition) => evaluateSemanticCondition(condition, context, semanticFieldMap))
+  )
+  // All conditions must evaluate to true
+  return results.every((result) => result === true)
+}
+
+/**
+ * Helper to get the actual field name for a semantic type
+ */
+export function getFieldNameForSemantic(
+  semanticType: SemanticType,
+  semanticFieldMap: Record<string, string>
+): string | undefined {
+  const semanticKey = semanticType.replace('Semantic#', '')
+  return semanticFieldMap[semanticKey]
+}
+
+/**
+ * Validates that all semantic references in conditions are available
+ */
+export function validateSemanticConditions(
+  semantic: AppliedDataSemantic,
+  semanticFieldMap: Record<string, string>
+): string[] {
+  const definition = DataSemantics[semantic.id]
+  const conditions = definition?.runtime?.conditions || []
+  const errors: string[] = []
+
+  conditions.forEach((condition, index) => {
+    // Extract semantic references from the condition expression
+    // Look for patterns like "semantics.CreatedTimestamp" or "entity[semantics.Password]"
+    const semanticMatches = condition.expression.match(/semantics\.(\w+)/g)
+
+    if (semanticMatches) {
+      semanticMatches.forEach((match) => {
+        const semanticKey = match.replace('semantics.', '')
+        if (!semanticFieldMap[semanticKey]) {
+          errors.push(
+            `Condition ${index + 1} references semantic "${semanticKey}" but no field with that semantic was found`
+          )
+        }
+      })
+    }
+  })
+
+  return errors
+}

package/tests/unit/modeling/client_ip_address_semantic.spec.ts

@@ -0,0 +1,71 @@
+import { test } from '@japa/runner'
+import {
+  SemanticType,
+  DataSemantics,
+  isPropertySemantic,
+  SemanticCategory,
+  SemanticScope,
+  SemanticTiming,
+  SemanticOperation,
+} from '../../../src/modeling/Semantics.js'
+
+test.group('ClientIPAddress Semantic', () => {
+  test('should exist in SemanticType enum', ({ assert }) => {
+    assert.equal(SemanticType.ClientIPAddress, 'Semantic#ClientIPAddress')
+  })
+
+  test('should exist in DataSemantics registry', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    assert.isDefined(semantic)
+    assert.equal(semantic.id, SemanticType.ClientIPAddress)
+  })
+
+  test('should be a property semantic', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    assert.isTrue(isPropertySemantic(semantic))
+    assert.equal(semantic.scope, SemanticScope.Property)
+  })
+
+  test('should have correct display name and description', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    assert.equal(semantic.displayName, 'Client IP Address')
+    assert.equal(semantic.description, 'Automatically populated client IP address')
+  })
+
+  test('should be in Contact category', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    assert.equal(semantic.category, SemanticCategory.Contact)
+  })
+
+  test('should only apply to string data types', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    if (isPropertySemantic(semantic)) {
+      assert.deepEqual(semantic.applicableDataTypes, ['string'])
+    }
+  })
+
+  test('should not have configuration', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    assert.isFalse(semantic.hasConfig)
+  })
+
+  test('should have correct runtime configuration', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    const runtime = semantic.runtime
+
+    assert.equal(runtime.timing, SemanticTiming.Before)
+    assert.deepEqual(runtime.operations, [SemanticOperation.Create, SemanticOperation.Update])
+    assert.equal(runtime.priority, 95) // Low priority, populate after other validations
+    assert.equal(runtime.timeoutMs, 100) // Very fast operation
+  })
+
+  test('should have correct execution conditions', ({ assert }) => {
+    const semantic = DataSemantics[SemanticType.ClientIPAddress]
+    const conditions = semantic.runtime.conditions
+
+    assert.isDefined(conditions)
+    assert.lengthOf(conditions!, 1)
+    assert.equal(conditions![0].expression, 'entity[semantics.ClientIPAddress] == null')
+    assert.equal(conditions![0].description, 'Only set IP address if not already provided')
+  })
+})

package/tests/unit/modeling/definitions/password.spec.ts

@@ -77,8 +77,6 @@ test.group('Password Semantic Configuration', () => {
     assert.equal(DEFAULT_PASSWORD_CONFIG.requireNumbers, true)
     assert.equal(DEFAULT_PASSWORD_CONFIG.requireUppercase, true)
     assert.equal(DEFAULT_PASSWORD_CONFIG.requireLowercase, true)
-    assert.equal(DEFAULT_PASSWORD_CONFIG.encryptionAlgorithm, PasswordEncryptionAlgorithm.Bcrypt)
-    assert.equal(DEFAULT_PASSWORD_CONFIG.saltRounds, 12)
     assert.equal(DEFAULT_PASSWORD_CONFIG.maxAge, undefined)
     assert.equal(DEFAULT_PASSWORD_CONFIG.preventReuse, false)
     assert.equal(DEFAULT_PASSWORD_CONFIG.preventReuseCount, 5)

package/tests/unit/modeling/domain_entity_parents.spec.ts

@@ -141,6 +141,101 @@ test.group('DomainEntity.addParent()', () => {
     assert.isTrue(dataDomain.graph.hasEdge(entity2.key, entity1.key))
     assert.deepEqual(dataDomain.graph.edge(entity2.key, entity1.key), { type: 'parent' })
   })
+
+  test('adds a foreign domain parent to the entity', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'parent-entity' })
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+
+    // Register foreign domain and add foreign parent
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent('parent-entity', 'external-domain')
+
+    // Verify it was added correctly
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, foreignKey))
+    assert.deepEqual(dataDomain.graph.edge(entity.key, foreignKey), {
+      type: 'parent',
+      domain: 'external-domain',
+      foreign: true,
+    })
+    const parents = [...entity.listParents()]
+    assert.lengthOf(parents, 1)
+    assert.deepEqual(parents[0], foreignEntity)
+  })
+
+  test('throws an error if foreign domain parent does not exist', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+
+    // Register foreign domain without the parent entity
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+
+    assert.throws(() => {
+      entity.addParent('non-existent-parent', 'external-domain')
+    }, 'Entity with key "non-existent-parent" not found in domain "external-domain"')
+  })
+
+  test('throws an error if foreign domain is not registered', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+
+    assert.throws(() => {
+      entity.addParent('parent-entity', 'non-existent-domain')
+    }, 'Foreign domain non-existent-domain not found')
+  })
+
+  test('can add both local and foreign parents', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const localParent = model.addEntity({ key: 'local-parent' })
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'foreign-parent' })
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+
+    // Register foreign domain and add both parents
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent(localParent.key)
+    entity.addParent('foreign-parent', 'external-domain')
+
+    // Verify both parents were added
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, localParent.key))
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, foreignKey))
+
+    const parents = [...entity.listParents()]
+    assert.lengthOf(parents, 2)
+    assert.deepInclude(parents, localParent)
+    assert.deepInclude(parents, foreignEntity)
+  })
+
+  test('throws an error if trying to add the same foreign parent twice', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    foreignModel.addEntity({ key: 'parent-entity' })
+
+    // Register foreign domain and add foreign parent
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent('parent-entity', 'external-domain')
+
+    assert.throws(() => {
+      entity.addParent('parent-entity', 'external-domain')
+    }, 'Parent parent-entity already exists')
+  })
 })
 
 test.group('DomainEntity.removeParent()', () => {
@@ -164,6 +259,121 @@ test.group('DomainEntity.removeParent()', () => {
     }, `Trying to remove a parent non-existent-entity from ${entity.key}, but it doesn't exist`)
   })
 
+  test('throws an error if foreign domain parent does not exist', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    assert.throws(() => {
+      entity.removeParent('non-existent-entity', 'external-domain')
+    }, `Foreign domain external-domain not found`)
+  })
+
+  test('throws an error if edge exists but is not a parent relationship', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const model = dataDomain.addModel()
+    const entity1 = model.addEntity({ key: 'entity1' })
+    const entity2 = model.addEntity({ key: 'entity2' })
+    // Create a non-parent edge
+    dataDomain.graph.setEdge(entity2.key, entity1.key, { type: 'association' })
+    assert.throws(() => {
+      entity2.removeParent(entity1.key)
+    }, `Edge between ${entity2.key} and entity1 exists but is not a parent relationship`)
+  })
+
+  test('throws an error if foreign domain edge exists but is not a parent relationship', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'parent-entity' })
+
+    // Register foreign domain and create a non-parent edge
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+    dataDomain.graph.setEdge(entity.key, foreignKey, { type: 'association' })
+
+    assert.throws(() => {
+      entity.removeParent('parent-entity', 'external-domain')
+    }, `Edge between child-entity and parent-entity in domain "external-domain" exists but is not a parent relationship`)
+  })
+
+  test('removes a foreign domain parent from the entity', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'parent-entity' })
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+
+    // Register foreign domain and add foreign parent
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent('parent-entity', 'external-domain')
+
+    // Verify it was added
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, foreignKey))
+    assert.deepEqual(dataDomain.graph.edge(entity.key, foreignKey), {
+      type: 'parent',
+      domain: 'external-domain',
+      foreign: true,
+    })
+
+    // Remove the foreign parent
+    entity.removeParent('parent-entity', 'external-domain')
+    assert.isFalse(dataDomain.graph.hasEdge(entity.key, foreignKey))
+  })
+
+  test('removes local parent while keeping foreign parent', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const localParent = model.addEntity({ key: 'local-parent' })
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'foreign-parent' })
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+
+    // Register foreign domain and add both parents
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent(localParent.key)
+    entity.addParent('foreign-parent', 'external-domain')
+
+    // Remove only the local parent
+    entity.removeParent(localParent.key)
+
+    // Verify local parent is removed but foreign remains
+    assert.isFalse(dataDomain.graph.hasEdge(entity.key, localParent.key))
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, foreignKey))
+  })
+
+  test('removes foreign parent while keeping local parent', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const localParent = model.addEntity({ key: 'local-parent' })
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    const foreignEntity = foreignModel.addEntity({ key: 'foreign-parent' })
+    const foreignKey = `${foreignDomain.key}:${foreignEntity.key}`
+
+    // Register foreign domain and add both parents
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent(localParent.key)
+    entity.addParent('foreign-parent', 'external-domain')
+
+    // Remove only the foreign parent
+    entity.removeParent('foreign-parent', 'external-domain')
+
+    // Verify foreign parent is removed but local remains
+    assert.isTrue(dataDomain.graph.hasEdge(entity.key, localParent.key))
+    assert.isFalse(dataDomain.graph.hasEdge(entity.key, foreignKey))
+  })
+
   test('notifies change', async ({ assert }) => {
     const dataDomain = new DataDomain()
     const model = dataDomain.addModel()
@@ -174,6 +384,22 @@ test.group('DomainEntity.removeParent()', () => {
     await assert.dispatches(dataDomain, 'change', { timeout: 20 })
   })
 
+  test('notifies change when removing foreign domain parent', async ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    foreignModel.addEntity({ key: 'parent-entity' })
+
+    // Register foreign domain and add foreign parent
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent('parent-entity', 'external-domain')
+    entity.removeParent('parent-entity', 'external-domain')
+    await assert.dispatches(dataDomain, 'change', { timeout: 20 })
+  })
+
   test('removes the graph edge', ({ assert }) => {
     const dataDomain = new DataDomain()
     const model = dataDomain.addModel()
@@ -183,6 +409,23 @@ test.group('DomainEntity.removeParent()', () => {
     entity2.removeParent(entity1.key)
     assert.isFalse(dataDomain.graph.hasEdge(entity2.key, entity1.key))
   })
+
+  test('removes the foreign domain graph edge', ({ assert }) => {
+    const dataDomain = new DataDomain()
+    const foreignDomain = new DataDomain({ key: 'external-domain' })
+    const model = dataDomain.addModel()
+    const entity = model.addEntity({ key: 'child-entity' })
+    const foreignModel = foreignDomain.addModel()
+    foreignModel.addEntity({ key: 'parent-entity' })
+    const foreignKey = `${foreignDomain.key}:parent-entity`
+
+    // Register foreign domain and add foreign parent
+    foreignDomain.info.version = '1.0.0'
+    dataDomain.registerForeignDomain(foreignDomain)
+    entity.addParent('parent-entity', 'external-domain')
+    entity.removeParent('parent-entity', 'external-domain')
+    assert.isFalse(dataDomain.graph.hasEdge(entity.key, foreignKey))
+  })
 })
 
 test.group('DomainEntity.hasCircularParent()', () => {

package/tests/unit/modeling/semantic_runtime.spec.ts

@@ -0,0 +1,113 @@
+import { test } from '@japa/runner'
+import {
+  SemanticType,
+  SemanticTiming,
+  SemanticOperation,
+  getSemanticsForOperation,
+  canSemanticBeDisabled,
+  type AppliedDataSemantic,
+} from '../../../src/modeling/Semantics.js'
+
+test.group('Semantic Runtime Control', () => {
+  test('getSemanticsForOperation should filter semantics by operation and timing', ({ assert }) => {
+    const semantics: AppliedDataSemantic[] = [
+      { id: SemanticType.Password },
+      { id: SemanticType.CreatedTimestamp },
+      { id: SemanticType.UpdatedTimestamp },
+      { id: SemanticType.Status },
+      { id: SemanticType.Title },
+    ]
+
+    // Test CREATE operation with BEFORE timing
+    const createBeforeSemantics = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.Before)
+    const createBeforeTypes = createBeforeSemantics.map((s) => s.id)
+
+    assert.includeMembers(createBeforeTypes, [SemanticType.Password, SemanticType.CreatedTimestamp])
+    assert.notInclude(createBeforeTypes, SemanticType.UpdatedTimestamp) // Only runs on UPDATE
+    assert.notInclude(createBeforeTypes, SemanticType.Title) // No runtime operations
+
+    // Test UPDATE operation with BEFORE timing
+    const updateBeforeSemantics = getSemanticsForOperation(semantics, SemanticOperation.Update, SemanticTiming.Before)
+    const updateBeforeTypes = updateBeforeSemantics.map((s) => s.id)
+
+    assert.includeMembers(updateBeforeTypes, [SemanticType.Password, SemanticType.UpdatedTimestamp])
+    assert.notInclude(updateBeforeTypes, SemanticType.CreatedTimestamp) // Only runs on CREATE
+
+    // Test Status semantic runs on both CREATE and UPDATE
+    assert.include(createBeforeTypes, SemanticType.Status)
+    assert.include(updateBeforeTypes, SemanticType.Status)
+  })
+
+  test('getSemanticsForOperation should sort semantics by priority', ({ assert }) => {
+    const semantics: AppliedDataSemantic[] = [
+      { id: SemanticType.Password }, // priority: 10
+      { id: SemanticType.ResourceOwnerIdentifier }, // priority: 5
+      { id: SemanticType.UserRole }, // priority: 20
+    ]
+
+    const createSemantics = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.Before)
+
+    // Should be sorted by priority: ResourceOwnerIdentifier (5), Password (10), UserRole (20)
+    assert.equal(createSemantics[0].id, SemanticType.ResourceOwnerIdentifier)
+    assert.equal(createSemantics[1].id, SemanticType.Password)
+    assert.equal(createSemantics[2].id, SemanticType.UserRole)
+  })
+
+  test('getSemanticsForOperation should handle BOTH timing correctly', ({ assert }) => {
+    const semantics: AppliedDataSemantic[] = [
+      { id: SemanticType.Status }, // timing: Both
+      { id: SemanticType.Password }, // timing: Before
+    ]
+
+    const beforeSemantics = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.Before)
+    const afterSemantics = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.After)
+
+    // Status should appear in both BEFORE and AFTER
+    assert.equal(beforeSemantics.length, 2) // Status and Password
+    assert.equal(afterSemantics.length, 1) // Only Status
+    assert.equal(afterSemantics[0].id, SemanticType.Status)
+  })
+
+  test('canSemanticBeDisabled should check if semantic can be disabled', ({ assert }) => {
+    // Security semantics cannot be disabled
+    assert.isFalse(canSemanticBeDisabled(SemanticType.Password))
+    assert.isFalse(canSemanticBeDisabled(SemanticType.ResourceOwnerIdentifier))
+
+    // Other semantics can be disabled (default)
+    assert.isTrue(canSemanticBeDisabled(SemanticType.CreatedTimestamp))
+    assert.isTrue(canSemanticBeDisabled(SemanticType.Email))
+    assert.isTrue(canSemanticBeDisabled(SemanticType.Status))
+  })
+
+  test('getSemanticsForOperation should return empty array for semantics with no runtime', ({ assert }) => {
+    const semantics: AppliedDataSemantic[] = [
+      { id: SemanticType.Title }, // No runtime operations
+      { id: SemanticType.Description }, // No runtime operations
+      { id: SemanticType.User }, // No runtime operations
+    ]
+
+    const result = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.Before)
+    assert.lengthOf(result, 0)
+  })
+
+  test('getSemanticsForOperation should filter by specific operations', ({ assert }) => {
+    const semantics: AppliedDataSemantic[] = [
+      { id: SemanticType.CreatedTimestamp }, // Only CREATE
+      { id: SemanticType.UpdatedTimestamp }, // Only UPDATE
+      { id: SemanticType.DeletedTimestamp }, // Only DELETE
+    ]
+
+    const createSemantics = getSemanticsForOperation(semantics, SemanticOperation.Create, SemanticTiming.Before)
+    const updateSemantics = getSemanticsForOperation(semantics, SemanticOperation.Update, SemanticTiming.Before)
+    const deleteSemantics = getSemanticsForOperation(semantics, SemanticOperation.Delete, SemanticTiming.Before)
+
+    assert.lengthOf(createSemantics, 1)
+    assert.equal(createSemantics[0].id, SemanticType.CreatedTimestamp)
+
+    assert.lengthOf(updateSemantics, 1)
+    assert.equal(updateSemantics[0].id, SemanticType.UpdatedTimestamp)
+
+    assert.lengthOf(deleteSemantics, 1)
+    assert.equal(deleteSemantics[0].id, SemanticType.DeletedTimestamp)
+  })
+})