npm - @intranefr/superbackend - Versions diffs - 1.5.0 → 1.5.2 - Mend

@intranefr/superbackend 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/.env.example +15 -0
package/README.md +11 -0
package/analysis-only.skill +0 -0
package/index.js +23 -0
package/package.json +8 -2
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +90 -6
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminExperiments.controller.js +200 -0
package/src/controllers/adminHeadless.controller.js +9 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +126 -4
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/experiments.controller.js +85 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/internalExperiments.controller.js +17 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +80 -0
package/src/helpers/mongooseHelper.js +258 -0
package/src/helpers/scriptBase.js +230 -0
package/src/helpers/scriptRunner.js +335 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +810 -48
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/Experiment.js +75 -0
package/src/models/ExperimentAssignment.js +23 -0
package/src/models/ExperimentEvent.js +26 -0
package/src/models/ExperimentMetricBucket.js +30 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/GlobalSetting.js +1 -2
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/models/ScriptDefinition.js +1 -0
package/src/models/Webhook.js +2 -0
package/src/routes/admin.routes.js +2 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminExperiments.routes.js +29 -0
package/src/routes/adminHeadless.routes.js +2 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminUiComponents.routes.js +2 -1
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/experiments.routes.js +30 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/internalExperiments.routes.js +15 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +1 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +185 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +738 -0
package/src/services/consoleOverride.service.js +7 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/experiments.service.js +273 -0
package/src/services/experimentsAggregation.service.js +308 -0
package/src/services/experimentsCronsBootstrap.service.js +118 -0
package/src/services/experimentsRetention.service.js +43 -0
package/src/services/experimentsWs.service.js +134 -0
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/globalSettings.service.js +15 -0
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/jsonConfigs.service.js +2 -2
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +215 -15
package/src/services/uiComponentsAi.service.js +6 -19
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +33 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-dashboard.ejs +28 -8
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-experiments.ejs +91 -0
package/views/admin-file-manager.ejs +942 -0
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +163 -1
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +597 -3
package/views/admin-seo-config.ejs +61 -7
package/views/admin-ui-components.ejs +57 -25
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +12 -0
package/views/partials/dashboard/palette.ejs +5 -3
package/views/partials/llm-provider-model-picker.ejs +183 -0
package/src/routes/llmUi.routes.js +0 -26

package/src/services/rbac.service.js ADDED Viewed

@@ -0,0 +1,212 @@
+const mongoose = require('mongoose');
+const OrganizationMember = require('../models/OrganizationMember');
+const RbacUserRole = require('../models/RbacUserRole');
+const RbacGroup = require('../models/RbacGroup');
+const RbacGroupMember = require('../models/RbacGroupMember');
+const RbacGroupRole = require('../models/RbacGroupRole');
+const RbacGrant = require('../models/RbacGrant');
+const { matches } = require('../utils/rbac/engine');
+function normalizeId(input) {
+  if (!input) return null;
+  const str = String(input);
+  if (!mongoose.Types.ObjectId.isValid(str)) return null;
+  return new mongoose.Types.ObjectId(str);
+}
+function normalizeRight(input) {
+  return String(input || '').trim();
+}
+function buildExplainItem(grant, source) {
+  if (!grant) return null;
+  return {
+    source,
+    effect: grant.effect,
+    right: grant.right,
+    subjectType: grant.subjectType,
+    subjectId: String(grant.subjectId),
+    scopeType: grant.scopeType,
+    scopeId: grant.scopeId ? String(grant.scopeId) : null,
+    id: String(grant._id),
+  };
+}
+function extractMatches(grants, requiredRight) {
+  const denies = [];
+  const allows = [];
+  for (const g of grants || []) {
+    if (!g) continue;
+    if (!matches(requiredRight, g.right)) continue;
+    if (g.effect === 'deny') {
+      denies.push(g);
+    } else {
+      allows.push(g);
+    }
+  }
+  return { denies, allows };
+}
+async function getUserOrgIds(userId) {
+  const uid = normalizeId(userId);
+  if (!uid) return [];
+  const rows = await OrganizationMember.find({ userId: uid, status: 'active' }).select('orgId').lean();
+  return rows.map((r) => String(r.orgId));
+}
+async function getEffectiveGrants({ userId, orgId }) {
+  const uid = normalizeId(userId);
+  const oid = normalizeId(orgId);
+  if (!uid || !oid) {
+    return {
+      grants: [],
+      layers: { org: [], group: [], role: [], user: [] },
+      explain: [],
+      context: { roles: [], groups: [] },
+      orgMember: null,
+    };
+  }
+  const orgMember = await OrganizationMember.findOne({ userId: uid, orgId: oid, status: 'active' }).lean();
+  if (!orgMember) {
+    return {
+      grants: [],
+      layers: { org: [], group: [], role: [], user: [] },
+      explain: [],
+      context: { roles: [], groups: [] },
+      orgMember: null,
+    };
+  }
+  const [userRoleLinks, groupLinks, orgGrantsGlobal, orgGrantsOrg] = await Promise.all([
+    RbacUserRole.find({ userId: uid }).select('roleId').lean(),
+    RbacGroupMember.find({ userId: uid }).select('groupId').lean(),
+    RbacGrant.find({ subjectType: 'org', subjectId: oid, scopeType: 'global' }).lean(),
+    RbacGrant.find({ subjectType: 'org', subjectId: oid, scopeType: 'org', scopeId: oid }).lean(),
+  ]);
+  const directRoleIds = userRoleLinks.map((r) => r.roleId).filter(Boolean);
+  const groupIds = groupLinks.map((g) => g.groupId).filter(Boolean);
+  const groups = groupIds.length
+    ? await RbacGroup.find({ _id: { $in: groupIds }, status: 'active' }).select('_id isGlobal orgId').lean()
+    : [];
+  const allowedGroupIds = [];
+  for (const g of groups) {
+    if (g.isGlobal) {
+      allowedGroupIds.push(g._id);
+      continue;
+    }
+    if (g.orgId && String(g.orgId) === String(oid)) {
+      allowedGroupIds.push(g._id);
+    }
+  }
+  const groupRoleLinks = allowedGroupIds.length
+    ? await RbacGroupRole.find({ groupId: { $in: allowedGroupIds } }).select('groupId roleId').lean()
+    : [];
+  const groupRoleIds = groupRoleLinks.map((l) => l.roleId).filter(Boolean);
+  const effectiveRoleIds = Array.from(new Set([...directRoleIds, ...groupRoleIds]));
+  const [userGrantsGlobal, userGrantsOrg, roleGrantsGlobal, roleGrantsOrg, groupGrantsGlobal, groupGrantsOrg] = await Promise.all([
+    RbacGrant.find({ subjectType: 'user', subjectId: uid, scopeType: 'global' }).lean(),
+    RbacGrant.find({ subjectType: 'user', subjectId: uid, scopeType: 'org', scopeId: oid }).lean(),
+    effectiveRoleIds.length ? RbacGrant.find({ subjectType: 'role', subjectId: { $in: effectiveRoleIds }, scopeType: 'global' }).lean() : [],
+    effectiveRoleIds.length ? RbacGrant.find({ subjectType: 'role', subjectId: { $in: effectiveRoleIds }, scopeType: 'org', scopeId: oid }).lean() : [],
+    allowedGroupIds.length ? RbacGrant.find({ subjectType: 'group', subjectId: { $in: allowedGroupIds }, scopeType: 'global' }).lean() : [],
+    allowedGroupIds.length ? RbacGrant.find({ subjectType: 'group', subjectId: { $in: allowedGroupIds }, scopeType: 'org', scopeId: oid }).lean() : [],
+  ]);
+  const layers = {
+    org: [...orgGrantsGlobal, ...orgGrantsOrg],
+    group: [...groupGrantsGlobal, ...groupGrantsOrg],
+    role: [...roleGrantsGlobal, ...roleGrantsOrg],
+    user: [...userGrantsGlobal, ...userGrantsOrg],
+  };
+  const all = [...layers.org, ...layers.group, ...layers.role, ...layers.user];
+  const explain = [];
+  for (const g of userGrantsGlobal) explain.push(buildExplainItem(g, 'user:global'));
+  for (const g of userGrantsOrg) explain.push(buildExplainItem(g, 'user:org'));
+  for (const g of roleGrantsGlobal) explain.push(buildExplainItem(g, 'role:global'));
+  for (const g of roleGrantsOrg) explain.push(buildExplainItem(g, 'role:org'));
+  for (const g of groupGrantsGlobal) explain.push(buildExplainItem(g, 'group:global'));
+  for (const g of groupGrantsOrg) explain.push(buildExplainItem(g, 'group:org'));
+  for (const g of orgGrantsGlobal) explain.push(buildExplainItem(g, 'org:global'));
+  for (const g of orgGrantsOrg) explain.push(buildExplainItem(g, 'org:org'));
+  const context = {
+    groups: groups.map((g) => ({
+      id: String(g._id),
+      isGlobal: !!g.isGlobal,
+      orgId: g.orgId ? String(g.orgId) : null,
+    })),
+    roles: [
+      ...directRoleIds.map((rid) => ({ roleId: String(rid), source: 'user' })),
+      ...groupRoleLinks.map((l) => ({ roleId: String(l.roleId), source: 'group', groupId: String(l.groupId) })),
+    ],
+  };
+  return { grants: all, layers, explain: explain.filter(Boolean), context, orgMember };
+}
+async function checkRight({ userId, orgId, right }) {
+  const r = normalizeRight(right);
+  if (!r) {
+    return { allowed: false, reason: 'invalid_right', explain: [], context: null, decisionLayer: null };
+  }
+  const { layers, explain, context, orgMember } = await getEffectiveGrants({ userId, orgId });
+  if (!orgMember) {
+    return { allowed: false, reason: 'not_org_member', explain: [], context: null, decisionLayer: null };
+  }
+  const denyMatches = [];
+  for (const [layerName, grants] of Object.entries(layers || {})) {
+    const { denies } = extractMatches(grants, r);
+    for (const d of denies) denyMatches.push({ layerName, grant: d });
+  }
+  if (denyMatches.length) {
+    const matchedIds = new Set(denyMatches.map((m) => String(m.grant._id)));
+    const filteredExplain = explain.filter((e) => matchedIds.has(String(e.id)));
+    return {
+      allowed: false,
+      reason: 'denied',
+      decisionLayer: 'deny',
+      explain: filteredExplain,
+      context,
+    };
+  }
+  const allowPriority = ['org', 'group', 'role', 'user'];
+  for (const layer of allowPriority) {
+    const { allows } = extractMatches(layers?.[layer] || [], r);
+    if (!allows.length) continue;
+    const matchedIds = new Set(allows.map((a) => String(a._id)));
+    const filteredExplain = explain.filter((e) => matchedIds.has(String(e.id)));
+    return {
+      allowed: true,
+      reason: 'allowed',
+      decisionLayer: layer,
+      explain: filteredExplain,
+      context,
+    };
+  }
+  return { allowed: false, reason: 'no_match', explain: [], context, decisionLayer: null };
+}
+module.exports = {
+  getUserOrgIds,
+  getEffectiveGrants,
+  checkRight,
+};

package/src/services/scriptsRunner.service.js CHANGED Viewed

@@ -1,11 +1,76 @@
 const { EventEmitter } = require('events');
 const { spawn } = require('child_process');
 const { NodeVM } = require('vm2');
+const mongoose = require('mongoose');
 const ScriptRun = require('../models/ScriptRun');
+const { mongooseHelper } = require('../helpers/mongooseHelper');
 const MAX_TAIL_BYTES = 64 * 1024;
+ function isTruthyEnv(v) {
+   const s = String(v || '').trim().toLowerCase();
+   return s === '1' || s === 'true' || s === 'yes' || s === 'y' || s === 'on';
+ }
+ function shouldAutoWrapAsyncScripts() {
+   if (process.env.SCRIPT_AUTO_ASYNC_WRAP === undefined) return true;
+   return isTruthyEnv(process.env.SCRIPT_AUTO_ASYNC_WRAP);
+ }
+ function detectTopLevelAwait(code) {
+   const s = String(code || '');
+   if (!/\bawait\b/.test(s)) return false;
+   if (/^\s*\(\s*async\s*\(/.test(s)) return false;
+   if (/^\s*async\s+function\b/.test(s)) return false;
+   if (/\bmodule\.exports\b/.test(s) || /\bexports\./.test(s)) return false;
+   return true;
+ }
+ function wrapInAsyncIife(code) {
+   const body = String(code || '');
+   return [
+     '(async () => {',
+     body,
+     '})().catch((err) => {',
+     '  try { console.error(err && err.stack ? err.stack : err); } catch {}',
+     '});',
+     '',
+   ].join('\n');
+ }
+ function prepareVmCodeForExecution(code) {
+   const raw = String(code || '');
+   if (!shouldAutoWrapAsyncScripts()) return { code: raw, wrapped: false };
+   if (!detectTopLevelAwait(raw)) return { code: raw, wrapped: false };
+   return { code: wrapInAsyncIife(raw), wrapped: true };
+ }
+ function buildAwaitSyntaxHelpMessage() {
+   return [
+     'Your script uses `await` at top-level.',
+     'Wrap it in an async IIFE, or rely on auto-wrapping:',
+     '',
+     '(async () => {',
+     '  const count = await countCollectionDocuments("users");',
+     '  console.log("count:", count);',
+     '})();',
+     '',
+   ].join('\n');
+ }
+// Helper function to decode script content
+function decodeScriptContent(script, format) {
+  if (format === 'base64') {
+    try {
+      return Buffer.from(script, 'base64').toString('utf8');
+    } catch (err) {
+      throw new Error('Failed to decode base64 script content');
+    }
+  }
+  return script;
+}
 function nowIso() {
   return new Date().toISOString();
 }
@@ -114,24 +179,16 @@ async function startRun(scriptDef, options) {
           runId: runDoc._id,
           bus,
           command: 'bash',
-          args: ['-lc', scriptDef.script],
+          args: ['-lc', decodeScriptContent(scriptDef.script, scriptDef.scriptFormat)],
           env,
           cwd,
           timeoutMs,
         });
       } else if (scriptDef.type === 'node') {
         if (scriptDef.runner === 'vm2') {
-          exitCode = await runVm2({ runId: runDoc._id, bus, code: scriptDef.script, timeoutMs });
+          exitCode = await runVm2({ runId: runDoc._id, bus, code: decodeScriptContent(scriptDef.script, scriptDef.scriptFormat), timeoutMs });
         } else if (scriptDef.runner === 'host') {
-          exitCode = await runSpawned({
-            runId: runDoc._id,
-            bus,
-            command: 'node',
-            args: ['-e', scriptDef.script],
-            env,
-            cwd,
-            timeoutMs,
-          });
+          exitCode = await runHostWithDatabase({ runId: runDoc._id, bus, code: decodeScriptContent(scriptDef.script, scriptDef.scriptFormat), env, cwd, timeoutMs });
         } else {
           throw Object.assign(new Error('Invalid runner for node script'), { code: 'VALIDATION' });
         }
@@ -171,7 +228,7 @@ async function startRun(scriptDef, options) {
     }
   });
-  return { runId: String(runDoc._id) };
+  return runDoc;
 }
 async function runSpawned({ runId, bus, command, args, env, cwd, timeoutMs }) {
@@ -213,6 +270,144 @@ async function runSpawned({ runId, bus, command, args, env, cwd, timeoutMs }) {
   });
 }
+async function runHostWithDatabase({ runId, bus, code, env, cwd, timeoutMs }) {
+  let tail = '';
+  function pushLog(stream, line) {
+    const s = String(line || '');
+    tail = appendTail(tail, s);
+    bus.push({ type: 'log', ts: nowIso(), stream, line: s });
+    return ScriptRun.updateOne({ _id: runId }, { $set: { outputTail: tail } });
+  }
+  try {
+    // Use existing app connection if available, otherwise create new one
+    if (mongoose.connection.readyState !== 1) {
+      await pushLog('stdout', 'No existing connection found, establishing new connection...\n');
+      await mongooseHelper.connect();
+      // Wait for connection to be fully ready
+      await mongooseHelper.waitForConnection(5000);
+    } else {
+      await pushLog('stdout', 'Using existing app database connection\n');
+    }
+    // Validate connection is ready
+    if (mongoose.connection.readyState !== 1) {
+      throw new Error('Database connection is not ready');
+    }
+    const prepared = prepareVmCodeForExecution(code);
+    if (prepared.wrapped) {
+      await pushLog('stdout', 'Auto-wrapping script in async function (detected top-level await)\n');
+    }
+    // Create a VM with database context
+    const vm = new NodeVM({
+      console: 'inherit',
+      sandbox: {
+        // Expose pre-connected mongoose instance
+        mongoose: mongoose,
+        db: mongoose.connection.db,
+        // Expose helper functions
+        countCollectionDocuments: async (collectionName, query = {}) => {
+          try {
+            // Ensure connection is still valid
+            if (mongoose.connection.readyState !== 1) {
+              throw new Error('Database connection lost during operation');
+            }
+            const db = mongoose.connection.db;
+            if (!db) {
+              throw new Error('Database instance not available');
+            }
+            const collection = db.collection(collectionName);
+            const count = await collection.countDocuments(query);
+            return count;
+          } catch (error) {
+            throw new Error(`Failed to count documents in ${collectionName}: ${error.message}`);
+          }
+        },
+        // Expose connection status helper
+        getConnectionStatus: () => {
+          const readyStateMap = {
+            0: 'disconnected',
+            1: 'connected',
+            2: 'connecting',
+            3: 'disconnecting'
+          };
+          return {
+            readyState: mongoose.connection.readyState,
+            readyStateText: readyStateMap[mongoose.connection.readyState] || 'unknown',
+            host: mongoose.connection.host,
+            name: mongoose.connection.name,
+            hasActiveConnection: mongoose.connection.readyState === 1
+          };
+        },
+        // Expose models if available
+        models: mongoose.models || {},
+        // Global objects
+        JSON,
+        Date,
+        Math,
+        parseInt,
+        parseFloat,
+        String,
+        Number,
+        Object,
+        Array,
+        // Process environment
+        process: {
+          env: { ...process.env, ...env }
+        }
+      },
+      require: {
+        external: false,
+        builtin: ['util', 'path', 'os'], // Allow some basic built-ins
+      },
+      timeout: timeoutMs,
+      eval: false,
+      wasm: false,
+    });
+    // Set up console redirection
+    vm.on('console.log', (...args) => {
+      pushLog('stdout', args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
+    });
+    vm.on('console.error', (...args) => {
+      pushLog('stderr', args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ') + '\n');
+    });
+    // Run the script code with better error handling
+    try {
+      vm.run(prepared.code, 'script.host.js');
+    } catch (vmError) {
+      const baseMsg = vmError?.message || 'Unknown VM error';
+      const help = baseMsg.includes('await is only valid in async functions') ? `\n\n${buildAwaitSyntaxHelpMessage()}` : '';
+      const errorMsg = `VM execution error: ${baseMsg}${help}`;
+      await pushLog('stderr', errorMsg + '\n');
+      return 1;
+    }
+    return 0;
+  } catch (err) {
+    const msg = err?.message || 'Host script error';
+    await pushLog('stderr', msg + '\n');
+    return 1;
+  } finally {
+    // Don't disconnect here - let mongooseHelper manage connection pooling
+    // The connection will be cleaned up when the helper decides
+  }
+}
 async function runVm2({ runId, bus, code, timeoutMs }) {
   let tail = '';
@@ -243,11 +438,16 @@ async function runVm2({ runId, bus, code, timeoutMs }) {
   });
   try {
-    vm.run(code, 'script.vm2.js');
+    const prepared = prepareVmCodeForExecution(code);
+    if (prepared.wrapped) {
+      await pushLog('stdout', 'Auto-wrapping script in async function (detected top-level await)\n');
+    }
+    vm.run(prepared.code, 'script.vm2.js');
     return 0;
   } catch (err) {
-    const msg = err?.message || 'vm2 error';
-    await pushLog('stderr', msg + '\n');
+    const baseMsg = err?.message || 'vm2 error';
+    const help = baseMsg.includes('await is only valid in async functions') ? `\n\n${buildAwaitSyntaxHelpMessage()}` : '';
+    await pushLog('stderr', baseMsg + help + '\n');
     return 1;
   }
 }

package/src/services/uiComponentsAi.service.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const UiComponent = require('../models/UiComponent');
-const { getSettingValue } = require('./globalSettings.service');
 const llmService = require('./llm.service');
+const { resolveLlmProviderModel } = require('./llmDefaults.service');
 const { createAuditEvent } = require('./audit.service');
 const ALLOWED_FIELDS = new Set(['html', 'css', 'js', 'usageMarkdown']);
@@ -94,24 +94,11 @@ function computeWarnings(nextFields) {
 }
 async function resolveLlmDefaults({ providerKey, model }) {
-  const uiProvider = String(providerKey || '').trim();
-  const uiModel = String(model || '').trim();
-  const settingProvider = String(await getSettingValue('uiComponents.ai.providerKey', '') || '').trim();
-  const settingModel = String(await getSettingValue('uiComponents.ai.model', '') || '').trim();
-  const envProvider = String(process.env.DEFAULT_LLM_PROVIDER_KEY || '').trim();
-  const envModel = String(process.env.DEFAULT_LLM_MODEL || '').trim();
-  const resolvedProviderKey = uiProvider || settingProvider || envProvider;
-  if (!resolvedProviderKey) {
-    const err = new Error('Missing LLM providerKey (configure uiComponents.ai.providerKey or DEFAULT_LLM_PROVIDER_KEY, or send from UI)');
-    err.code = 'VALIDATION';
-    throw err;
-  }
-  const resolvedModel = uiModel || settingModel || envModel || 'x-ai/grok-code-fast-1';
-  return { providerKey: resolvedProviderKey, model: resolvedModel };
+  return resolveLlmProviderModel({
+    systemKey: 'uiComponents.proposeEdit',
+    providerKey,
+    model,
+  });
 }
 function buildSystemPrompt({ targets }) {

package/src/services/workflow.service.js CHANGED Viewed

@@ -1,7 +1,8 @@
 const Workflow = require('../models/Workflow');
 const WorkflowExecution = require('../models/WorkflowExecution');
-const llmService = require('./llm.service');
 const { NodeVM } = require('vm2');
+const llmService = require('./llm.service');
+const { resolveLlmProviderModel } = require('./llmDefaults.service');
 /**
  * Workflow Service
@@ -163,13 +164,27 @@ class WorkflowService {
   async handleLLM(node) {
     const prompt = this.interpolate(node.prompt);
-    const response = await llmService.callAdhoc({
-      providerKey: node.provider || 'openrouter',
-      messages: [{ role: 'user', content: prompt }]
-    }, {
-      model: node.model || 'minimax/minimax-m2.1',
-      temperature: node.temperature !== undefined ? parseFloat(node.temperature) : 0.7
-    });
+    const providerKeyRaw = node.provider;
+    const modelRaw = node.model;
+    const resolved = (!providerKeyRaw || !String(providerKeyRaw).trim() || !modelRaw || !String(modelRaw).trim())
+      ? await resolveLlmProviderModel({
+        systemKey: 'workflow.node.llm',
+        providerKey: providerKeyRaw,
+        model: modelRaw,
+      })
+      : { providerKey: String(providerKeyRaw).trim(), model: String(modelRaw || '').trim() };
+    const response = await llmService.callAdhoc(
+      {
+        providerKey: resolved.providerKey,
+        messages: [{ role: 'user', content: prompt }],
+      },
+      {
+        model: resolved.model || undefined,
+        temperature: node.temperature !== undefined ? parseFloat(node.temperature) : 0.7,
+      },
+    );
     return response.content;
   }

package/src/utils/orgRoles.js CHANGED Viewed

@@ -142,6 +142,18 @@ async function getOrgRoleLevel(role) {
   return hierarchy[r] || 0;
 }
+async function isRoleAtLeast(role, requiredRole) {
+  const level = await getOrgRoleLevel(role);
+  const requiredLevel = await getOrgRoleLevel(requiredRole);
+  return level >= requiredLevel;
+}
+async function isRoleHigherThan(role, otherRole) {
+  const level = await getOrgRoleLevel(role);
+  const otherLevel = await getOrgRoleLevel(otherRole);
+  return level > otherLevel;
+}
 function clearOrgRolesCache() {
   cached = null;
 }
@@ -152,5 +164,7 @@ module.exports = {
   getDefaultOrgRole,
   isValidOrgRole,
   getOrgRoleLevel,
+  isRoleAtLeast,
+  isRoleHigherThan,
   clearOrgRolesCache,
 };

package/src/utils/rbac/engine.js ADDED Viewed

@@ -0,0 +1,60 @@
+function normalizeRight(input) {
+  return String(input || '').trim();
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function patternToRegex(pattern) {
+  const parts = normalizeRight(pattern).split('*').map(escapeRegex);
+  return new RegExp('^' + parts.join('.*') + '$');
+}
+function matches(requiredRight, grantedPattern) {
+  const required = normalizeRight(requiredRight);
+  const pattern = normalizeRight(grantedPattern);
+  if (!required || !pattern) return false;
+  if (pattern === required) return true;
+  if (!pattern.includes('*')) return false;
+  return patternToRegex(pattern).test(required);
+}
+function evaluateEffects(entries, requiredRight) {
+  const required = normalizeRight(requiredRight);
+  if (!required) {
+    return { allowed: false, reason: 'invalid_required_right' };
+  }
+  const denies = [];
+  const allows = [];
+  for (const e of entries || []) {
+    if (!e) continue;
+    const right = normalizeRight(e.right);
+    const effect = normalizeRight(e.effect || 'allow');
+    if (!right) continue;
+    if (!matches(required, right)) continue;
+    if (effect === 'deny') {
+      denies.push(e);
+    } else {
+      allows.push(e);
+    }
+  }
+  if (denies.length) {
+    return { allowed: false, reason: 'denied', matched: denies };
+  }
+  if (allows.length) {
+    return { allowed: true, reason: 'allowed', matched: allows };
+  }
+  return { allowed: false, reason: 'no_match' };
+}
+module.exports = {
+  matches,
+  evaluateEffects,
+};

package/src/utils/rbac/rightsRegistry.js ADDED Viewed

@@ -0,0 +1,33 @@
+const DEFAULT_RIGHTS = [
+  'rbac:roles:read',
+  'rbac:roles:write',
+  'rbac:groups:read',
+  'rbac:groups:write',
+  'rbac:grants:read',
+  'rbac:grants:write',
+  'rbac:test',
+  'experiments:*',
+  'experiments:read',
+  'experiments:events:write',
+  'experiments:admin',
+  'file_manager:*',
+  'file_manager:access',
+  'file_manager:drives:read',
+  'file_manager:files:read',
+  'file_manager:files:upload',
+  'file_manager:files:download',
+  'file_manager:files:update',
+  'file_manager:files:delete',
+  'file_manager:files:share',
+  'backoffice:*',
+  'backoffice:dashboard:access',
+  '*',
+];
+function listRights() {
+  return Array.from(new Set(DEFAULT_RIGHTS)).sort();
+}
+module.exports = {
+  listRights,
+};