@byline/admin 3.10.1 → 3.11.1

package/dist/abilities.js

@@ -1,3 +1,4 @@
+import { registerAdminActivityAbilities } from "./modules/admin-activity/abilities.js";
 import { registerAdminPermissionsAbilities } from "./modules/admin-permissions/abilities.js";
 import { registerAdminRolesAbilities } from "./modules/admin-roles/abilities.js";
 import { registerAdminUsersAbilities } from "./modules/admin-users/abilities.js";
@@ -5,5 +6,6 @@ function registerAdminAbilities(registry) {
     registerAdminUsersAbilities(registry);
     registerAdminRolesAbilities(registry);
     registerAdminPermissionsAbilities(registry);
+    registerAdminActivityAbilities(registry);
 }
 export { registerAdminAbilities };

package/dist/exports-parity.test.node.d.ts

@@ -0,0 +1,8 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export {};

package/dist/index.d.ts

@@ -24,6 +24,7 @@ export { registerAdminAbilities } from './abilities.js';
 export { assertAdminActor, requireAdminActor } from './lib/assert-admin-actor.js';
 export { type Command, type CreateCommandAuthSpec, type CreateCommandHandlerArgs, type CreateCommandSpec, createCommand, } from './lib/create-command.js';
 export * from './modules/admin-account/index.js';
+export * from './modules/admin-activity/index.js';
 export * from './modules/admin-permissions/index.js';
 export * from './modules/admin-roles/index.js';
 export * from './modules/admin-users/index.js';

package/dist/index.js

@@ -1,4 +1,5 @@
 export * from "./modules/admin-account/index.js";
+export * from "./modules/admin-activity/index.js";
 export * from "./modules/admin-permissions/index.js";
 export * from "./modules/admin-roles/index.js";
 export * from "./modules/admin-users/index.js";

package/dist/modules/admin-activity/abilities.d.ts

@@ -0,0 +1,31 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityRegistry } from '@byline/auth';
+/**
+ * Ability keys for the admin-activity module (docs/AUDIT.md — Workstream 4).
+ *
+ * `read` gates the system-wide activity area — the `/admin/activity` report
+ * over the version-stream + audit-log union. It is deliberately a **separate**
+ * ability from any collection's `collections.<path>.read`: the activity feed is
+ * not reachable transitively from a content ability, so an auditor role can be
+ * granted visibility into who-changed-what without being granted read (let
+ * alone write) access to the documents themselves.
+ *
+ * Read-only by design — there is no write counterpart. The audit log is
+ * append-only and is written by the lifecycle write-points, never edited.
+ */
+export declare const ADMIN_ACTIVITY_ABILITIES: {
+    readonly read: "admin.activity.read";
+};
+export type AdminActivityAbilityKey = (typeof ADMIN_ACTIVITY_ABILITIES)[keyof typeof ADMIN_ACTIVITY_ABILITIES];
+/**
+ * Called from `registerAdminAbilities(registry)` at package level, which
+ * fans out to every admin module's registrar so the webapp wiring stays a
+ * single line.
+ */
+export declare function registerAdminActivityAbilities(registry: AbilityRegistry): void;

package/dist/modules/admin-activity/abilities.js

@@ -0,0 +1,13 @@
+const ADMIN_ACTIVITY_ABILITIES = {
+    read: 'admin.activity.read'
+};
+function registerAdminActivityAbilities(registry) {
+    registry.register({
+        key: ADMIN_ACTIVITY_ABILITIES.read,
+        label: 'Read system activity',
+        description: "View the system-wide activity report — content saves and audit-log events (status / path / locale changes, deletions) across all collections.",
+        group: 'admin.activity',
+        source: 'admin'
+    });
+}
+export { ADMIN_ACTIVITY_ABILITIES, registerAdminActivityAbilities };

package/dist/modules/admin-activity/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/admin-activity` — the system-wide activity area
+ * (docs/AUDIT.md — Workstream 4).
+ *
+ * Unlike the other admin modules this one owns no table and no AdminStore
+ * repository: the activity feed is a read over the document db adapter's
+ * version stream + audit log (`IAuditQueries.findAuditLog`), assembled at the
+ * host transport layer. This module contributes only the `admin.activity.read`
+ * ability — registered at `initBylineCore()` time through the `AbilityRegistry`
+ * — so the feed is grantable independently of any content ability.
+ */
+export { ADMIN_ACTIVITY_ABILITIES, type AdminActivityAbilityKey, registerAdminActivityAbilities, } from './abilities.js';

package/dist/modules/admin-activity/index.js

@@ -0,0 +1 @@
+export { ADMIN_ACTIVITY_ABILITIES, registerAdminActivityAbilities } from "./abilities.js";

package/package.json

@@ -2,7 +2,7 @@
   "name": "@byline/admin",
   "private": false,
   "license": "MPL-2.0",
-  "version": "3.10.1",
+  "version": "3.11.1",
   "engines": {
     "node": ">=20.9.0"
   },
@@ -47,6 +47,11 @@
       "import": "./dist/modules/auth/index.js",
       "require": "./dist/modules/auth/index.js"
     },
+    "./admin-activity": {
+      "types": "./dist/modules/admin-activity/index.d.ts",
+      "import": "./dist/modules/admin-activity/index.js",
+      "require": "./dist/modules/admin-activity/index.js"
+    },
     "./admin-users": {
       "types": "./dist/modules/admin-users/index.d.ts",
       "import": "./dist/modules/admin-users/index.js",
@@ -146,10 +151,10 @@
     "uuid": "^14.0.0",
     "zod": "^4.4.3",
     "zod-form-data": "^3.0.1",
-    "@byline/auth": "3.10.1",
-    "@byline/core": "3.10.1",
-    "@byline/i18n": "3.10.1",
-    "@byline/ui": "3.10.1"
+    "@byline/auth": "3.11.1",
+    "@byline/ui": "3.11.1",
+    "@byline/core": "3.11.1",
+    "@byline/i18n": "3.11.1"
   },
   "peerDependencies": {
     "react": "^19.0.0",

package/src/abilities.ts

@@ -8,6 +8,7 @@
 
 import type { AbilityRegistry } from '@byline/auth'
 
+import { registerAdminActivityAbilities } from './modules/admin-activity/abilities.js'
 import { registerAdminPermissionsAbilities } from './modules/admin-permissions/abilities.js'
 import { registerAdminRolesAbilities } from './modules/admin-roles/abilities.js'
 import { registerAdminUsersAbilities } from './modules/admin-users/abilities.js'
@@ -28,5 +29,6 @@ export function registerAdminAbilities(registry: AbilityRegistry): void {
   registerAdminUsersAbilities(registry)
   registerAdminRolesAbilities(registry)
   registerAdminPermissionsAbilities(registry)
+  registerAdminActivityAbilities(registry)
   // registerAccountAbilities(registry) — added when that module lands
 }

package/src/exports-parity.test.node.ts

@@ -0,0 +1,50 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+
+/**
+ * Guard against `publishConfig.exports` drift.
+ *
+ * `@byline/admin` carries a `publishConfig.exports` block that npm uses to
+ * **override** the top-level `exports` at publish time. The workspace and dev
+ * builds resolve through the top-level `exports` (or source), so a subpath
+ * added there but forgotten in `publishConfig.exports` typechecks and builds
+ * locally yet is **missing from the published package** — surfacing only as a
+ * downstream consumer's build error ("X is not exported …"). That is exactly
+ * how `./admin-activity` slipped through in v3.11.0.
+ *
+ * This test fails the moment the two blocks drift, so the gap is caught in
+ * `pnpm test` / CI rather than in a production Docker build.
+ */
+
+import { readFileSync } from 'node:fs'
+import { dirname, resolve } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import { describe, expect, it } from 'vitest'
+
+const pkgPath = resolve(dirname(fileURLToPath(import.meta.url)), '../package.json')
+const pkg = JSON.parse(readFileSync(pkgPath, 'utf8')) as {
+  exports: Record<string, unknown>
+  publishConfig?: { exports?: Record<string, unknown> }
+}
+
+describe('package.json export parity', () => {
+  it('every top-level export subpath is also declared in publishConfig.exports', () => {
+    const publishExports = pkg.publishConfig?.exports
+    // If there is no override, the top-level exports ship as-is — nothing to check.
+    if (publishExports == null) return
+
+    const missing = Object.keys(pkg.exports).filter((key) => !(key in publishExports))
+    expect(
+      missing,
+      `publishConfig.exports is missing subpath(s) present in the top-level exports: ${missing.join(
+        ', '
+      )}. The published package would not expose them — add them to BOTH blocks.`
+    ).toEqual([])
+  })
+})

package/src/index.ts

@@ -32,6 +32,7 @@ export {
   createCommand,
 } from './lib/create-command.js'
 export * from './modules/admin-account/index.js'
+export * from './modules/admin-activity/index.js'
 export * from './modules/admin-permissions/index.js'
 export * from './modules/admin-roles/index.js'
 export * from './modules/admin-users/index.js'

package/src/modules/admin-activity/abilities.ts

@@ -0,0 +1,46 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+
+import type { AbilityRegistry } from '@byline/auth'
+
+/**
+ * Ability keys for the admin-activity module (docs/AUDIT.md — Workstream 4).
+ *
+ * `read` gates the system-wide activity area — the `/admin/activity` report
+ * over the version-stream + audit-log union. It is deliberately a **separate**
+ * ability from any collection's `collections.<path>.read`: the activity feed is
+ * not reachable transitively from a content ability, so an auditor role can be
+ * granted visibility into who-changed-what without being granted read (let
+ * alone write) access to the documents themselves.
+ *
+ * Read-only by design — there is no write counterpart. The audit log is
+ * append-only and is written by the lifecycle write-points, never edited.
+ */
+export const ADMIN_ACTIVITY_ABILITIES = {
+  read: 'admin.activity.read',
+} as const
+
+export type AdminActivityAbilityKey =
+  (typeof ADMIN_ACTIVITY_ABILITIES)[keyof typeof ADMIN_ACTIVITY_ABILITIES]
+
+/**
+ * Called from `registerAdminAbilities(registry)` at package level, which
+ * fans out to every admin module's registrar so the webapp wiring stays a
+ * single line.
+ */
+export function registerAdminActivityAbilities(registry: AbilityRegistry): void {
+  registry.register({
+    key: ADMIN_ACTIVITY_ABILITIES.read,
+    label: 'Read system activity',
+    description:
+      'View the system-wide activity report — content saves and audit-log ' +
+      'events (status / path / locale changes, deletions) across all collections.',
+    group: 'admin.activity',
+    source: 'admin',
+  })
+}

package/src/modules/admin-activity/index.ts

@@ -0,0 +1,25 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+
+/**
+ * `@byline/admin/admin-activity` — the system-wide activity area
+ * (docs/AUDIT.md — Workstream 4).
+ *
+ * Unlike the other admin modules this one owns no table and no AdminStore
+ * repository: the activity feed is a read over the document db adapter's
+ * version stream + audit log (`IAuditQueries.findAuditLog`), assembled at the
+ * host transport layer. This module contributes only the `admin.activity.read`
+ * ability — registered at `initBylineCore()` time through the `AbilityRegistry`
+ * — so the feed is grantable independently of any content ability.
+ */
+
+export {
+  ADMIN_ACTIVITY_ABILITIES,
+  type AdminActivityAbilityKey,
+  registerAdminActivityAbilities,
+} from './abilities.js'