@jskit-ai/crud-server-generator 0.1.30 → 0.1.32

package/templates/src/local-package/server/actions.js

@@ -1,8 +1,8 @@
 import {
-  cursorPaginationQueryValidator,
   recordIdParamsValidator
 } from "@jskit-ai/kernel/shared/validators";
 import {
+  createCrudCursorPaginationQueryValidator,
   listSearchQueryValidator,
   lookupIncludeQueryValidator,
   createCrudParentFilterQueryValidator
@@ -10,8 +10,17 @@ import {
 import { workspaceSlugParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 import { actionIds } from "./actionIds.js";
+import { LIST_CONFIG } from "./listConfig.js";
 
+const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
+const actionPermissions = Object.freeze({
+  list: "crud.${option:namespace|snake}.list",
+  view: "crud.${option:namespace|snake}.view",
+  create: "crud.${option:namespace|snake}.create",
+  update: "crud.${option:namespace|snake}.update",
+  delete: "crud.${option:namespace|snake}.delete"
+});
 
 function requireActionSurface(surface = "") {
   const normalizedSurface = String(surface || "").trim().toLowerCase();
@@ -33,11 +42,12 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.list]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
-        cursorPaginationQueryValidator,
+        listCursorPaginationQueryValidator,
         listSearchQueryValidator,
         listParentFilterQueryValidator,
         lookupIncludeQueryValidator
@@ -62,10 +72,11 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.view]
       },
       inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator, lookupIncludeQueryValidator],
-      outputValidator: ${option:namespace|singular|camel}Resource.operations.view.outputValidator,
+      outputValidator: resource.operations.view.outputValidator,
       idempotency: "none",
       audit: {
         actionName: actionIds.view
@@ -86,7 +97,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.create]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
@@ -114,7 +126,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.update]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
@@ -143,7 +156,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.delete]
       },
       inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator],
       outputValidator: resource.operations.delete.outputValidator,

package/templates/src/local-package/server/listConfig.js

@@ -0,0 +1,5 @@
+const LIST_CONFIG = Object.freeze({
+__JSKIT_CRUD_LIST_CONFIG_LINES__
+});
+
+export { LIST_CONFIG };

package/templates/src/local-package/server/registerRoutes.js

@@ -1,12 +1,12 @@
 import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
 import { normalizeSurfaceId } from "@jskit-ai/kernel/shared/surface/registry";
 import {
+  createCrudCursorPaginationQueryValidator,
   listSearchQueryValidator,
   lookupIncludeQueryValidator,
   createCrudParentFilterQueryValidator
 } from "@jskit-ai/crud-core/server/listQueryValidators";
 import {
-  cursorPaginationQueryValidator,
   recordIdParamsValidator
 } from "@jskit-ai/kernel/shared/validators";
 import { routeParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
@@ -15,7 +15,9 @@ import { buildWorkspaceInputFromRouteParams } from "@jskit-ai/users-core/server/
 import { resolveApiBasePath } from "@jskit-ai/users-core/shared/support/usersApiPaths";
 import { actionIds } from "./actionIds.js";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
+import { LIST_CONFIG } from "./listConfig.js";
 
+const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
 
 function registerRoutes(
@@ -47,7 +49,7 @@ function registerRoutes(
       },
       paramsValidator: routeParamsValidator,
       queryValidator: [
-        cursorPaginationQueryValidator,
+        listCursorPaginationQueryValidator,
         listSearchQueryValidator,
         listParentFilterQueryValidator,
         lookupIncludeQueryValidator

package/templates/src/local-package/server/repository.js

@@ -8,12 +8,7 @@ import {
   crudRepositoryDeleteById
 } from "@jskit-ai/crud-core/server/repositoryMethods";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
-
-const LIST_CONFIG = Object.freeze({
-  // defaultLimit: 20,
-  // maxLimit: 100,
-  // searchColumns: ["name"]
-});
+import { LIST_CONFIG } from "./listConfig.js";
 
 const repositoryRuntime = createCrudRepositoryRuntime(resource, {
   context: "${option:namespace|snake} repository",
@@ -21,10 +16,6 @@ const repositoryRuntime = createCrudRepositoryRuntime(resource, {
 });
 
 function createRepository(knex, options = {}) {
-  if (typeof knex !== "function") {
-    throw new TypeError("crudRepository requires knex.");
-  }
-
   async function list(query = {}, callOptions = {}) {
     return crudRepositoryList(repositoryRuntime, knex, query, options, callOptions);
   }

package/templates/src/local-package/server/service.js

@@ -1,12 +1,18 @@
-import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
 import { createCrudServiceEvents } from "@jskit-ai/crud-core/server/serviceEvents";
-import { createCrudFieldAccessRuntime } from "@jskit-ai/crud-core/server/fieldAccess";
+import {
+  createCrudServiceRuntime,
+  crudServiceListRecords,
+  crudServiceGetRecord,
+  crudServiceCreateRecord,
+  crudServiceUpdateRecord,
+  crudServiceDeleteRecord
+} from "@jskit-ai/crud-core/server/serviceMethods";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 
-const baseServiceEvents = createCrudServiceEvents(resource, {
+const serviceRuntime = createCrudServiceRuntime(resource, {
   context: "${option:namespace|camel}Service"
 });
-const fieldAccessRuntime = createCrudFieldAccessRuntime(resource, {
+const baseServiceEvents = createCrudServiceEvents(resource, {
   context: "${option:namespace|camel}Service"
 });
 
@@ -37,77 +43,24 @@ const DEFAULT_FIELD_ACCESS = Object.freeze({
 });
 
 function createService({ ${option:namespace|camel}Repository, fieldAccess = DEFAULT_FIELD_ACCESS } = {}) {
-  if (!${option:namespace|camel}Repository) {
-    throw new Error("${option:namespace|camel}Service requires ${option:namespace|camel}Repository.");
-  }
-
   async function listRecords(query = {}, options = {}) {
-    const result = await ${option:namespace|camel}Repository.list(query, options);
-    return fieldAccessRuntime.filterReadableListResult(result, fieldAccess, {
-      action: "list",
-      query,
-      options,
-      context: options?.context
-    });
+    return crudServiceListRecords(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, query, options);
   }
 
   async function getRecord(recordId, options = {}) {
-    const record = await ${option:namespace|camel}Repository.findById(recordId, options);
-    if (!record) {
-      throw new AppError(404, "Record not found.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "view",
-      recordId,
-      options,
-      context: options?.context
-    });
+    return crudServiceGetRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, options);
   }
 
   async function createRecord(payload = {}, options = {}) {
-    const writablePayload = await fieldAccessRuntime.enforceWritablePayload(payload, fieldAccess, {
-      action: "create",
-      payload,
-      options,
-      context: options?.context
-    });
-    const record = await ${option:namespace|camel}Repository.create(writablePayload, options);
-    if (!record) {
-      throw new Error("${option:namespace|camel}Service could not load the created record.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "create",
-      options,
-      context: options?.context
-    });
+    return crudServiceCreateRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, payload, options);
   }
 
   async function updateRecord(recordId, payload = {}, options = {}) {
-    const writablePayload = await fieldAccessRuntime.enforceWritablePayload(payload, fieldAccess, {
-      action: "update",
-      recordId,
-      payload,
-      options,
-      context: options?.context
-    });
-    const record = await ${option:namespace|camel}Repository.updateById(recordId, writablePayload, options);
-    if (!record) {
-      throw new AppError(404, "Record not found.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "update",
-      recordId,
-      options,
-      context: options?.context
-    });
+    return crudServiceUpdateRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, payload, options);
   }
 
   async function deleteRecord(recordId, options = {}) {
-    const deleted = await ${option:namespace|camel}Repository.deleteById(recordId, options);
-    if (!deleted) {
-      throw new AppError(404, "Record not found.");
-    }
-    return deleted;
+    return crudServiceDeleteRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, options);
   }
 
   return Object.freeze({

package/templates/src/local-package/shared/crudResource.js

@@ -1,9 +1,6 @@
 import { Type } from "typebox";
 __JSKIT_CRUD_RESOURCE_DATABASE_RUNTIME_IMPORT__
-import {
-  normalizeObjectInput,
-  createCursorListValidator
-} from "@jskit-ai/kernel/shared/validators";
+__JSKIT_CRUD_RESOURCE_VALIDATORS_IMPORT__
 __JSKIT_CRUD_RESOURCE_NORMALIZE_SUPPORT_IMPORT__
 __JSKIT_CRUD_RESOURCE_JSON_IMPORT__
 
@@ -138,4 +135,21 @@ export { resource };
 // @jskit-contract crud.resource.field-meta.${option:namespace|snake}.v1
 void RESOURCE_FIELD_META;
 
+// Example 1:n collection hydration:
+// RESOURCE_FIELD_META.push({
+//   key: "pets",
+//   relation: {
+//     kind: "collection",
+//     namespace: "pets",
+//     foreignKey: "customerId",
+//     parentValueKey: "id",
+//     hydrateOnList: false, // list: opt-in with include=pets
+//     hydrateOnView: true // view: hydrated by default
+//   }
+// });
+//
+// To hydrate child lookups too, request nested include paths:
+// - include=pets
+// - include=pets,pets.breedId
+
 __JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__

package/templates/src/local-package/shared/index.js

@@ -1,3 +1,3 @@
 export {
-  ${option:namespace|singular|camel}Resource
+  resource
 } from "./${option:namespace|singular|camel}Resource.js";

package/test/addFieldSubcommand.test.js

@@ -86,7 +86,7 @@ export { resource };
 `;
 
 async function withTempApp(run) {
-  const appRoot = await mkdtemp(path.join(tmpdir(), "crud-server-add-field-"));
+  const appRoot = await mkdtemp(path.join(tmpdir(), "crud-server-scaffold-field-"));
   try {
     await run(appRoot);
   } finally {
@@ -129,14 +129,14 @@ function createSnapshot() {
   };
 }
 
-test("add-field patches CRUD resource file using DB snapshot metadata", async () => {
+test("scaffold-field patches CRUD resource file using DB snapshot metadata", async () => {
   await withTempApp(async (appRoot) => {
     const resourceFile = "packages/contacts/src/shared/contactResource.js";
     await writeAppFile(appRoot, resourceFile, RESOURCE_SOURCE);
 
     const result = await runGeneratorSubcommand({
       appRoot,
-      subcommand: "add-field",
+      subcommand: "scaffold-field",
       args: ["categoryId", resourceFile],
       options: {},
       resolveSnapshot: async () => createSnapshot()
@@ -157,7 +157,7 @@ test("add-field patches CRUD resource file using DB snapshot metadata", async ()
 
     const secondRun = await runGeneratorSubcommand({
       appRoot,
-      subcommand: "add-field",
+      subcommand: "scaffold-field",
       args: ["categoryId", resourceFile],
       options: {},
       resolveSnapshot: async () => createSnapshot()

package/test/buildTemplateContext.test.js

@@ -9,8 +9,30 @@ import { buildTemplateContext, __testables } from "../src/server/buildTemplateCo
 function createSnapshot({
   tableName = "contacts",
   hasWorkspaceOwnerColumn = true,
-  hasUserOwnerColumn = true
+  hasUserOwnerColumn = true,
+  hasCreatedAtColumn = true
 } = {}) {
+  const createdAtColumn = hasCreatedAtColumn
+    ? [
+        Object.freeze({
+          name: "created_at",
+          key: "createdAt",
+          dataType: "datetime",
+          columnType: "datetime",
+          typeKind: "datetime",
+          nullable: false,
+          hasDefault: true,
+          defaultValue: "CURRENT_TIMESTAMP",
+          autoIncrement: false,
+          unsigned: false,
+          extra: "",
+          maxLength: null,
+          numericPrecision: null,
+          numericScale: null,
+          enumValues: Object.freeze([])
+        })
+      ]
+    : [];
   return Object.freeze({
     tableName,
     idColumn: "id",
@@ -86,6 +108,7 @@ function createSnapshot({
         numericScale: null,
         enumValues: Object.freeze([])
       }),
+      ...createdAtColumn,
       Object.freeze({
         name: "updated_at",
         key: "updatedAt",
@@ -223,6 +246,14 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
     replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_NORMALIZATION_LINES__,
     /firstName: normalizeIfPresent\(source\.firstName, normalizeText\),/
   );
+  assert.match(
+    replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__,
+    /orderBy: \[\s+{\s+column: "created_at",\s+direction: "desc"\s+}\s+\]/s
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__,
+    /\/\/ searchColumns: \["name"\],\s+orderBy:/s
+  );
   assert.doesNotMatch(
     replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_NORMALIZATION_LINES__,
     /== null \?/
@@ -231,6 +262,20 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
   assert.equal(replacements.__JSKIT_CRUD_MIGRATION_FOREIGN_KEY_LINES__, "");
 });
 
+test("buildReplacementsFromSnapshot omits default list ordering when created_at is absent", () => {
+  const snapshot = createSnapshot({
+    hasCreatedAtColumn: false
+  });
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "contacts",
+    snapshot,
+    resolvedOwnershipFilter: "workspace_user"
+  });
+
+  assert.doesNotMatch(replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__, /orderBy/);
+  assert.match(replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__, /searchColumns/);
+});
+
 test("buildReplacementsFromSnapshot renders append-only field meta entries from foreign keys", () => {
   const snapshot = {
     ...createSnapshot(),
@@ -285,6 +330,47 @@ test("buildReplacementsFromSnapshot renders append-only field meta entries from
   assert.match(replacements.__JSKIT_CRUD_MIGRATION_FOREIGN_KEY_LINES__, /table\.foreign\(\["vet_id"\]/);
 });
 
+test("buildReplacementsFromSnapshot renders enum field meta options as select controls", () => {
+  const baseSnapshot = createSnapshot({
+    hasWorkspaceOwnerColumn: false,
+    hasUserOwnerColumn: false
+  });
+  const snapshot = {
+    ...baseSnapshot,
+    columns: Object.freeze([
+      ...baseSnapshot.columns,
+      Object.freeze({
+        name: "temperament",
+        key: "temperament",
+        dataType: "enum",
+        columnType: "enum('relaxed','friendly_excitable','unknown')",
+        typeKind: "string",
+        nullable: false,
+        hasDefault: false,
+        defaultValue: null,
+        autoIncrement: false,
+        unsigned: false,
+        extra: "",
+        maxLength: null,
+        numericPrecision: null,
+        numericScale: null,
+        enumValues: Object.freeze(["relaxed", "friendly_excitable", "unknown"])
+      })
+    ])
+  };
+
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    snapshot,
+    resolvedOwnershipFilter: "public"
+  });
+
+  assert.match(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, /key: "temperament"/);
+  assert.match(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, /formControl: "select"/);
+  assert.match(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, /options: \[/);
+  assert.match(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, /"value": "friendly_excitable"/);
+  assert.match(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, /"label": "Friendly Excitable"/);
+});
+
 test("renderMigrationColumnLine ignores SQL NULL string defaults", () => {
   const line = __testables.renderMigrationColumnLine(
     {
@@ -403,6 +489,7 @@ test("crud repository template defines explicit one-line CRUD methods over repos
     templateSource,
     /from "@jskit-ai\/crud-core\/server\/repositoryMethods";/
   );
+  assert.match(templateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
   assert.match(templateSource, /const repositoryRuntime = createCrudRepositoryRuntime\(/);
   assert.match(templateSource, /return crudRepositoryList\(repositoryRuntime, knex, query, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryFindById\(repositoryRuntime, knex, recordId, options, callOptions\);/);
@@ -410,9 +497,31 @@ test("crud repository template defines explicit one-line CRUD methods over repos
   assert.match(templateSource, /return crudRepositoryCreate\(repositoryRuntime, knex, payload, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryUpdateById\(repositoryRuntime, knex, recordId, patch, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryDeleteById\(repositoryRuntime, knex, recordId, options, callOptions\);/);
+  assert.doesNotMatch(templateSource, /listByForeignIds/);
+  assert.doesNotMatch(templateSource, /crudRepository requires knex/);
 });
 
-test("crud service template defines explicit service methods and semi-explicit default events", async () => {
+test("crud actions and routes templates share LIST_CONFIG for cursor validation", async () => {
+  const testDirectory = path.dirname(fileURLToPath(import.meta.url));
+  const actionsTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "actions.js");
+  const registerRoutesTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "registerRoutes.js");
+  const listConfigTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "listConfig.js");
+
+  const actionsTemplateSource = await readFile(actionsTemplatePath, "utf8");
+  const registerRoutesTemplateSource = await readFile(registerRoutesTemplatePath, "utf8");
+  const listConfigTemplateSource = await readFile(listConfigTemplatePath, "utf8");
+
+  assert.match(actionsTemplateSource, /createCrudCursorPaginationQueryValidator/);
+  assert.match(actionsTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
+  assert.match(actionsTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
+  assert.match(registerRoutesTemplateSource, /createCrudCursorPaginationQueryValidator/);
+  assert.match(registerRoutesTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
+  assert.match(registerRoutesTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
+  assert.match(listConfigTemplateSource, /const LIST_CONFIG = Object\.freeze\(\{/);
+  assert.match(listConfigTemplateSource, /__JSKIT_CRUD_LIST_CONFIG_LINES__/);
+});
+
+test("crud service template defines explicit service methods over shared service primitives and preserves overridable default events", async () => {
   const testDirectory = path.dirname(fileURLToPath(import.meta.url));
   const templatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "service.js");
   const templateSource = await readFile(templatePath, "utf8");
@@ -423,16 +532,81 @@ test("crud service template defines explicit service methods and semi-explicit d
   );
   assert.match(
     templateSource,
-    /from "@jskit-ai\/crud-core\/server\/fieldAccess";/
+    /from "@jskit-ai\/crud-core\/server\/serviceMethods";/
   );
-  assert.match(templateSource, /const baseServiceEvents = createCrudServiceEvents\(/);
-  assert.match(templateSource, /const fieldAccessRuntime = createCrudFieldAccessRuntime\(/);
+  assert.match(templateSource, /const serviceRuntime = createCrudServiceRuntime\(resource,/);
+  assert.match(templateSource, /const baseServiceEvents = createCrudServiceEvents\(resource,/);
   assert.match(templateSource, /const serviceEvents = Object\.freeze\(\{/);
   assert.match(templateSource, /createRecord: \[\.\.\.baseServiceEvents\.createRecord\],/);
+  assert.match(templateSource, /function createService\(\{ \$\{option:namespace\|camel\}Repository, fieldAccess = DEFAULT_FIELD_ACCESS \} = \{\}\)/);
   assert.match(templateSource, /async function listRecords\(query = \{\}, options = \{\}\)/);
-  assert.match(templateSource, /return fieldAccessRuntime\.filterReadableListResult\(result, fieldAccess, \{/);
-  assert.match(templateSource, /const writablePayload = await fieldAccessRuntime\.enforceWritablePayload\(payload, fieldAccess, \{/);
-  assert.match(templateSource, /throw new AppError\(404, "Record not found\."\);/);
+  assert.match(templateSource, /return crudServiceListRecords\(serviceRuntime, \$\{option:namespace\|camel\}Repository, fieldAccess, query, options\);/);
+  assert.match(templateSource, /async function updateRecord\(recordId, payload = \{\}, options = \{\}\)/);
+  assert.match(templateSource, /return crudServiceUpdateRecord\(serviceRuntime, \$\{option:namespace\|camel\}Repository, fieldAccess, recordId, payload, options\);/);
+  assert.match(templateSource, /return Object\.freeze\(\{/);
+});
+
+test("crud generator renders time columns with html-time-compatible schemas", async () => {
+  const testDirectory = path.dirname(fileURLToPath(import.meta.url));
+  const templatePath = path.resolve(testDirectory, "..", "src", "server", "buildTemplateContext.js");
+  const templateSource = await readFile(templatePath, "utf8");
+
+  assert.match(
+    templateSource,
+    /NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    templateSource,
+    /HTML_TIME_STRING_SCHEMA/
+  );
+  assert.doesNotMatch(templateSource, /format: "time"/);
+});
+
+test("buildReplacementsFromSnapshot uses shared framework time schemas in generated resources", () => {
+  const snapshot = createSnapshot({
+    tableName: "opening_hours"
+  });
+  const timeColumn = Object.freeze({
+    name: "from_time",
+    key: "fromTime",
+    dataType: "time",
+    columnType: "time",
+    typeKind: "time",
+    nullable: true,
+    hasDefault: false,
+    defaultValue: null,
+    autoIncrement: false,
+    unsigned: false,
+    extra: "",
+    maxLength: null,
+    numericPrecision: null,
+    numericScale: null,
+    enumValues: Object.freeze([])
+  });
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    snapshot: {
+      ...snapshot,
+      columns: Object.freeze([...snapshot.columns, timeColumn])
+    },
+    resolvedOwnershipFilter: "workspace_user"
+  });
+
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_VALIDATORS_IMPORT__,
+    /NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_SCHEMA_PROPERTIES__,
+    /fromTime: NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_CREATE_SCHEMA_PROPERTIES__,
+    /fromTime: NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.doesNotMatch(
+    replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_SCHEMA_PROPERTIES__,
+    /Type\.String\(\{ pattern:/
+  );
 });
 
 test("crud provider template uses shared lookup provider helpers instead of inline wiring", async () => {
@@ -445,6 +619,9 @@ test("crud provider template uses shared lookup provider helpers instead of inli
     /from "@jskit-ai\/crud-core\/server\/lookupProviders";/
   );
   assert.match(templateSource, /resolveLookupProvider: createCrudLookupProviderResolver\(scope\)/);
-  assert.match(templateSource, /return createCrudLookupProvider\(scope\.make\("repository\.\$\{option:namespace\|snake\}"\)\);/);
+  assert.match(
+    templateSource,
+    /return createCrudLookupProvider\(scope\.make\("repository\.\$\{option:namespace\|snake\}"\), \{\s*ownershipFilter: crudPolicy\.ownershipFilter\s*\}\);/
+  );
   assert.doesNotMatch(templateSource, /normalizePathname\(relation\.apiPath\)/);
 });

package/test/crudServerGuards.test.js

@@ -1,6 +1,7 @@
 import test, { after } from "node:test";
 import assert from "node:assert/strict";
 import { createTemplateServerFixture } from "../test-support/templateServerFixture.js";
+import descriptor from "../package.descriptor.mjs";
 
 const fixture = await createTemplateServerFixture();
 const { createActions } = await fixture.importServerModule("actions.js");
@@ -53,3 +54,37 @@ test("template createActions requires explicit surface", () => {
     /requires a non-empty surface/
   );
 });
+
+test("template createActions requires namespaced CRUD permissions by default", () => {
+  const actions = createActions({ surface: "admin" });
+
+  assert.deepEqual(
+    actions.map((action) => action.permission),
+    [
+      { require: "all", permissions: ["crud.customers.list"] },
+      { require: "all", permissions: ["crud.customers.view"] },
+      { require: "all", permissions: ["crud.customers.create"] },
+      { require: "all", permissions: ["crud.customers.update"] },
+      { require: "all", permissions: ["crud.customers.delete"] }
+    ]
+  );
+});
+
+test("crud generator appends member role grants for generated CRUD permissions", () => {
+  assert.deepEqual(
+    descriptor.mutations.text,
+    [
+      {
+        op: "append-text",
+        file: "config/roles.js",
+        position: "bottom",
+        skipIfContains: "\"crud.${option:namespace|snake}.list\"",
+        value:
+          "\nroleCatalog.roles.member.permissions.push(\n  \"crud.${option:namespace|snake}.list\",\n  \"crud.${option:namespace|snake}.view\",\n  \"crud.${option:namespace|snake}.create\",\n  \"crud.${option:namespace|snake}.update\",\n  \"crud.${option:namespace|snake}.delete\"\n);\n",
+        reason: "Grant generated CRUD action permissions to the default member role in the app-owned role catalog.",
+        category: "crud",
+        id: "crud-role-catalog-permissions-${option:namespace|snake}"
+      }
+    ]
+  );
+});