@jskit-ai/crud-server-generator 0.1.31 → 0.1.33

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   packageVersion: 1,
   packageId: "@jskit-ai/crud-server-generator",
-  version: "0.1.31",
+  version: "0.1.33",
   kind: "generator",
   description: "CRUD server generator with routes, actions, and persistence scaffolding.",
   options: {
@@ -134,13 +134,13 @@ export default Object.freeze({
   mutations: {
     dependencies: {
       runtime: {
-        "@jskit-ai/auth-core": "0.1.22",
-        "@jskit-ai/crud-core": "0.1.31",
-        "@jskit-ai/database-runtime": "0.1.23",
-        "@jskit-ai/http-runtime": "0.1.22",
-        "@jskit-ai/kernel": "0.1.23",
-        "@jskit-ai/realtime": "0.1.22",
-        "@jskit-ai/users-core": "0.1.32",
+        "@jskit-ai/auth-core": "0.1.24",
+        "@jskit-ai/crud-core": "0.1.33",
+        "@jskit-ai/database-runtime": "0.1.25",
+        "@jskit-ai/http-runtime": "0.1.24",
+        "@jskit-ai/kernel": "0.1.25",
+        "@jskit-ai/realtime": "0.1.24",
+        "@jskit-ai/users-core": "0.1.35",
         "@local/${option:namespace|kebab}": "file:packages/${option:namespace|kebab}",
         "typebox": "^1.0.81"
       },
@@ -247,6 +247,18 @@ export default Object.freeze({
         }
       }
     ],
-    text: []
+    text: [
+      {
+        op: "append-text",
+        file: "config/roles.js",
+        position: "bottom",
+        skipIfContains: "\"crud.${option:namespace|snake}.list\"",
+        value:
+          "\nroleCatalog.roles.member.permissions.push(\n  \"crud.${option:namespace|snake}.list\",\n  \"crud.${option:namespace|snake}.view\",\n  \"crud.${option:namespace|snake}.create\",\n  \"crud.${option:namespace|snake}.update\",\n  \"crud.${option:namespace|snake}.delete\"\n);\n",
+        reason: "Grant generated CRUD action permissions to the default member role in the app-owned role catalog.",
+        category: "crud",
+        id: "crud-role-catalog-permissions-${option:namespace|snake}"
+      }
+    ]
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/crud-server-generator",
-  "version": "0.1.31",
+  "version": "0.1.33",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -13,11 +13,11 @@
   },
   "dependencies": {
     "@babel/parser": "^7.29.2",
-    "@jskit-ai/crud-core": "0.1.31",
-    "@jskit-ai/database-runtime": "0.1.23",
-    "@jskit-ai/http-runtime": "0.1.22",
-    "@jskit-ai/kernel": "0.1.23",
-    "@jskit-ai/users-core": "0.1.32",
+    "@jskit-ai/crud-core": "0.1.33",
+    "@jskit-ai/database-runtime": "0.1.25",
+    "@jskit-ai/http-runtime": "0.1.24",
+    "@jskit-ai/kernel": "0.1.25",
+    "@jskit-ai/users-core": "0.1.35",
     "recast": "^0.23.11",
     "typebox": "^1.0.81"
   }

package/src/server/buildTemplateContext.js

@@ -369,7 +369,9 @@ function renderResourceFieldSchema(column, { forOutput = false } = {}) {
   } else if (typeKind === "date") {
     schemaExpression = 'Type.String({ format: "date", minLength: 1 })';
   } else if (typeKind === "time") {
-    schemaExpression = 'Type.String({ format: "time", minLength: 1 })';
+    return column.nullable === true
+      ? "NULLABLE_HTML_TIME_STRING_SCHEMA"
+      : "HTML_TIME_STRING_SCHEMA";
   } else if (typeKind === "json") {
     schemaExpression = "Type.Any()";
   }
@@ -380,6 +382,17 @@ function renderResourceFieldSchema(column, { forOutput = false } = {}) {
   return schemaExpression;
 }
 
+function renderResourceValidatorsImport({ needsHtmlTimeSchemas = false } = {}) {
+  const imports = [
+    "normalizeObjectInput",
+    "createCursorListValidator"
+  ];
+  if (needsHtmlTimeSchemas) {
+    imports.push("HTML_TIME_STRING_SCHEMA", "NULLABLE_HTML_TIME_STRING_SCHEMA");
+  }
+  return `import {\n  ${imports.join(",\n  ")}\n} from "@jskit-ai/kernel/shared/validators";`;
+}
+
 function renderInputNormalizer(column) {
   const typeKind = String(column.typeKind || "");
   const nullable = column?.nullable === true;
@@ -1064,6 +1077,29 @@ function renderResourceFieldMetaPushLines(entries = []) {
   return sourceEntries.map((entry) => renderFieldMetaEntryLines(entry)).join("\n\n");
 }
 
+function renderRepositoryListConfigLines(snapshot = {}) {
+  const commentLines = [
+    "  // defaultLimit: 20,",
+    "  // maxLimit: 100,",
+    "  // searchColumns: [\"name\"],"
+  ];
+  const sourceColumns = Array.isArray(snapshot?.columns) ? snapshot.columns : [];
+  const hasCreatedAtColumn = sourceColumns.some((column = {}) => normalizeText(column?.name) === "created_at");
+  if (!hasCreatedAtColumn) {
+    return commentLines.join("\n");
+  }
+
+  return [
+    ...commentLines,
+    "  orderBy: [",
+    "    {",
+    "      column: \"created_at\",",
+    "      direction: \"desc\"",
+    "    }",
+    "  ]"
+  ].join("\n");
+}
+
 function buildReplacementsFromSnapshot({
   snapshot,
   resolvedOwnershipFilter
@@ -1090,6 +1126,7 @@ function buildReplacementsFromSnapshot({
   const needsNullableDateInput = writableColumns.some(
     (column) => column.typeKind === "date" && column.nullable === true
   );
+  const needsHtmlTimeSchemas = resourceColumns.some((column) => column.typeKind === "time");
   const needsDate = resourceColumns.some((column) => column.typeKind === "date");
   const needsJson = resourceColumns.some((column) => column.typeKind === "json");
   const needsNormalizeText = resourceColumns.some((column) =>
@@ -1107,6 +1144,9 @@ function buildReplacementsFromSnapshot({
     __JSKIT_CRUD_TABLE_NAME__: JSON.stringify(snapshot.tableName),
     __JSKIT_CRUD_ID_COLUMN__: JSON.stringify(snapshot.idColumn || DEFAULT_ID_COLUMN),
     __JSKIT_CRUD_RESOLVED_OWNERSHIP_FILTER__: resolvedOwnershipFilter,
+    __JSKIT_CRUD_RESOURCE_VALIDATORS_IMPORT__: renderResourceValidatorsImport({
+      needsHtmlTimeSchemas
+    }),
     __JSKIT_CRUD_RESOURCE_DATABASE_RUNTIME_IMPORT__: renderResourceDatabaseRuntimeImport({
       needsToIsoString: needsDateTimeOutput || needsDate,
       needsToDatabaseDateTimeUtc: needsDateTimeInput
@@ -1133,6 +1173,7 @@ function buildReplacementsFromSnapshot({
     __JSKIT_CRUD_RESOURCE_OUTPUT_NORMALIZATION_LINES__: renderResourceOutputNormalizationLines(outputColumns),
     __JSKIT_CRUD_RESOURCE_CREATE_REQUIRED_FIELDS__: JSON.stringify(createRequiredFieldKeys),
     __JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__: renderResourceFieldMetaPushLines(fieldMetaEntries),
+    __JSKIT_CRUD_LIST_CONFIG_LINES__: renderRepositoryListConfigLines(snapshot),
     __JSKIT_CRUD_MIGRATION_COLUMN_LINES__: renderMigrationColumnLines(snapshot),
     __JSKIT_CRUD_MIGRATION_INDEX_LINES__: renderMigrationIndexLines(snapshot),
     __JSKIT_CRUD_MIGRATION_FOREIGN_KEY_LINES__: renderMigrationForeignKeyLines(snapshot)

package/templates/src/local-package/server/actions.js

@@ -1,8 +1,8 @@
 import {
-  cursorPaginationQueryValidator,
   recordIdParamsValidator
 } from "@jskit-ai/kernel/shared/validators";
 import {
+  createCrudCursorPaginationQueryValidator,
   listSearchQueryValidator,
   lookupIncludeQueryValidator,
   createCrudParentFilterQueryValidator
@@ -10,8 +10,17 @@ import {
 import { workspaceSlugParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 import { actionIds } from "./actionIds.js";
+import { LIST_CONFIG } from "./listConfig.js";
 
+const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
+const actionPermissions = Object.freeze({
+  list: "crud.${option:namespace|snake}.list",
+  view: "crud.${option:namespace|snake}.view",
+  create: "crud.${option:namespace|snake}.create",
+  update: "crud.${option:namespace|snake}.update",
+  delete: "crud.${option:namespace|snake}.delete"
+});
 
 function requireActionSurface(surface = "") {
   const normalizedSurface = String(surface || "").trim().toLowerCase();
@@ -33,11 +42,12 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.list]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
-        cursorPaginationQueryValidator,
+        listCursorPaginationQueryValidator,
         listSearchQueryValidator,
         listParentFilterQueryValidator,
         lookupIncludeQueryValidator
@@ -62,7 +72,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.view]
       },
       inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator, lookupIncludeQueryValidator],
       outputValidator: resource.operations.view.outputValidator,
@@ -86,7 +97,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.create]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
@@ -114,7 +126,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.update]
       },
       inputValidator: [
         workspaceSlugParamsValidator,
@@ -143,7 +156,8 @@ function createActions({ surface = "" } = {}) {
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
       permission: {
-        require: "authenticated"
+        require: "all",
+        permissions: [actionPermissions.delete]
       },
       inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator],
       outputValidator: resource.operations.delete.outputValidator,

package/templates/src/local-package/server/listConfig.js

@@ -0,0 +1,5 @@
+const LIST_CONFIG = Object.freeze({
+__JSKIT_CRUD_LIST_CONFIG_LINES__
+});
+
+export { LIST_CONFIG };

package/templates/src/local-package/server/registerRoutes.js

@@ -1,12 +1,12 @@
 import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
 import { normalizeSurfaceId } from "@jskit-ai/kernel/shared/surface/registry";
 import {
+  createCrudCursorPaginationQueryValidator,
   listSearchQueryValidator,
   lookupIncludeQueryValidator,
   createCrudParentFilterQueryValidator
 } from "@jskit-ai/crud-core/server/listQueryValidators";
 import {
-  cursorPaginationQueryValidator,
   recordIdParamsValidator
 } from "@jskit-ai/kernel/shared/validators";
 import { routeParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
@@ -15,7 +15,9 @@ import { buildWorkspaceInputFromRouteParams } from "@jskit-ai/users-core/server/
 import { resolveApiBasePath } from "@jskit-ai/users-core/shared/support/usersApiPaths";
 import { actionIds } from "./actionIds.js";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
+import { LIST_CONFIG } from "./listConfig.js";
 
+const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
 
 function registerRoutes(
@@ -47,7 +49,7 @@ function registerRoutes(
       },
       paramsValidator: routeParamsValidator,
       queryValidator: [
-        cursorPaginationQueryValidator,
+        listCursorPaginationQueryValidator,
         listSearchQueryValidator,
         listParentFilterQueryValidator,
         lookupIncludeQueryValidator

package/templates/src/local-package/server/repository.js

@@ -3,18 +3,12 @@ import {
   crudRepositoryList,
   crudRepositoryFindById,
   crudRepositoryListByIds,
-  crudRepositoryListByForeignIds,
   crudRepositoryCreate,
   crudRepositoryUpdateById,
   crudRepositoryDeleteById
 } from "@jskit-ai/crud-core/server/repositoryMethods";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
-
-const LIST_CONFIG = Object.freeze({
-  // defaultLimit: 20,
-  // maxLimit: 100,
-  // searchColumns: ["name"]
-});
+import { LIST_CONFIG } from "./listConfig.js";
 
 const repositoryRuntime = createCrudRepositoryRuntime(resource, {
   context: "${option:namespace|snake} repository",
@@ -22,10 +16,6 @@ const repositoryRuntime = createCrudRepositoryRuntime(resource, {
 });
 
 function createRepository(knex, options = {}) {
-  if (typeof knex !== "function") {
-    throw new TypeError("crudRepository requires knex.");
-  }
-
   async function list(query = {}, callOptions = {}) {
     return crudRepositoryList(repositoryRuntime, knex, query, options, callOptions);
   }
@@ -38,17 +28,6 @@ function createRepository(knex, options = {}) {
     return crudRepositoryListByIds(repositoryRuntime, knex, ids, options, callOptions);
   }
 
-  async function listByForeignIds(ids = [], foreignKey = "", callOptions = {}) {
-    return crudRepositoryListByForeignIds(
-      repositoryRuntime,
-      knex,
-      ids,
-      foreignKey,
-      options,
-      callOptions
-    );
-  }
-
   async function create(payload = {}, callOptions = {}) {
     return crudRepositoryCreate(repositoryRuntime, knex, payload, options, callOptions);
   }
@@ -65,7 +44,6 @@ function createRepository(knex, options = {}) {
     list,
     findById,
     listByIds,
-    listByForeignIds,
     create,
     updateById,
     deleteById

package/templates/src/local-package/server/service.js

@@ -1,12 +1,18 @@
-import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
 import { createCrudServiceEvents } from "@jskit-ai/crud-core/server/serviceEvents";
-import { createCrudFieldAccessRuntime } from "@jskit-ai/crud-core/server/fieldAccess";
+import {
+  createCrudServiceRuntime,
+  crudServiceListRecords,
+  crudServiceGetRecord,
+  crudServiceCreateRecord,
+  crudServiceUpdateRecord,
+  crudServiceDeleteRecord
+} from "@jskit-ai/crud-core/server/serviceMethods";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 
-const baseServiceEvents = createCrudServiceEvents(resource, {
+const serviceRuntime = createCrudServiceRuntime(resource, {
   context: "${option:namespace|camel}Service"
 });
-const fieldAccessRuntime = createCrudFieldAccessRuntime(resource, {
+const baseServiceEvents = createCrudServiceEvents(resource, {
   context: "${option:namespace|camel}Service"
 });
 
@@ -37,77 +43,24 @@ const DEFAULT_FIELD_ACCESS = Object.freeze({
 });
 
 function createService({ ${option:namespace|camel}Repository, fieldAccess = DEFAULT_FIELD_ACCESS } = {}) {
-  if (!${option:namespace|camel}Repository) {
-    throw new Error("${option:namespace|camel}Service requires ${option:namespace|camel}Repository.");
-  }
-
   async function listRecords(query = {}, options = {}) {
-    const result = await ${option:namespace|camel}Repository.list(query, options);
-    return fieldAccessRuntime.filterReadableListResult(result, fieldAccess, {
-      action: "list",
-      query,
-      options,
-      context: options?.context
-    });
+    return crudServiceListRecords(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, query, options);
   }
 
   async function getRecord(recordId, options = {}) {
-    const record = await ${option:namespace|camel}Repository.findById(recordId, options);
-    if (!record) {
-      throw new AppError(404, "Record not found.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "view",
-      recordId,
-      options,
-      context: options?.context
-    });
+    return crudServiceGetRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, options);
   }
 
   async function createRecord(payload = {}, options = {}) {
-    const writablePayload = await fieldAccessRuntime.enforceWritablePayload(payload, fieldAccess, {
-      action: "create",
-      payload,
-      options,
-      context: options?.context
-    });
-    const record = await ${option:namespace|camel}Repository.create(writablePayload, options);
-    if (!record) {
-      throw new Error("${option:namespace|camel}Service could not load the created record.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "create",
-      options,
-      context: options?.context
-    });
+    return crudServiceCreateRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, payload, options);
   }
 
   async function updateRecord(recordId, payload = {}, options = {}) {
-    const writablePayload = await fieldAccessRuntime.enforceWritablePayload(payload, fieldAccess, {
-      action: "update",
-      recordId,
-      payload,
-      options,
-      context: options?.context
-    });
-    const record = await ${option:namespace|camel}Repository.updateById(recordId, writablePayload, options);
-    if (!record) {
-      throw new AppError(404, "Record not found.");
-    }
-    return fieldAccessRuntime.filterReadableRecord(record, fieldAccess, {
-      action: "update",
-      recordId,
-      options,
-      context: options?.context
-    });
+    return crudServiceUpdateRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, payload, options);
   }
 
   async function deleteRecord(recordId, options = {}) {
-    const deleted = await ${option:namespace|camel}Repository.deleteById(recordId, options);
-    if (!deleted) {
-      throw new AppError(404, "Record not found.");
-    }
-    return deleted;
+    return crudServiceDeleteRecord(serviceRuntime, ${option:namespace|camel}Repository, fieldAccess, recordId, options);
   }
 
   return Object.freeze({

package/templates/src/local-package/shared/crudResource.js

@@ -1,9 +1,6 @@
 import { Type } from "typebox";
 __JSKIT_CRUD_RESOURCE_DATABASE_RUNTIME_IMPORT__
-import {
-  normalizeObjectInput,
-  createCursorListValidator
-} from "@jskit-ai/kernel/shared/validators";
+__JSKIT_CRUD_RESOURCE_VALIDATORS_IMPORT__
 __JSKIT_CRUD_RESOURCE_NORMALIZE_SUPPORT_IMPORT__
 __JSKIT_CRUD_RESOURCE_JSON_IMPORT__
 

package/test/buildTemplateContext.test.js

@@ -9,8 +9,30 @@ import { buildTemplateContext, __testables } from "../src/server/buildTemplateCo
 function createSnapshot({
   tableName = "contacts",
   hasWorkspaceOwnerColumn = true,
-  hasUserOwnerColumn = true
+  hasUserOwnerColumn = true,
+  hasCreatedAtColumn = true
 } = {}) {
+  const createdAtColumn = hasCreatedAtColumn
+    ? [
+        Object.freeze({
+          name: "created_at",
+          key: "createdAt",
+          dataType: "datetime",
+          columnType: "datetime",
+          typeKind: "datetime",
+          nullable: false,
+          hasDefault: true,
+          defaultValue: "CURRENT_TIMESTAMP",
+          autoIncrement: false,
+          unsigned: false,
+          extra: "",
+          maxLength: null,
+          numericPrecision: null,
+          numericScale: null,
+          enumValues: Object.freeze([])
+        })
+      ]
+    : [];
   return Object.freeze({
     tableName,
     idColumn: "id",
@@ -86,6 +108,7 @@ function createSnapshot({
         numericScale: null,
         enumValues: Object.freeze([])
       }),
+      ...createdAtColumn,
       Object.freeze({
         name: "updated_at",
         key: "updatedAt",
@@ -223,6 +246,14 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
     replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_NORMALIZATION_LINES__,
     /firstName: normalizeIfPresent\(source\.firstName, normalizeText\),/
   );
+  assert.match(
+    replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__,
+    /orderBy: \[\s+{\s+column: "created_at",\s+direction: "desc"\s+}\s+\]/s
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__,
+    /\/\/ searchColumns: \["name"\],\s+orderBy:/s
+  );
   assert.doesNotMatch(
     replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_NORMALIZATION_LINES__,
     /== null \?/
@@ -231,6 +262,20 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
   assert.equal(replacements.__JSKIT_CRUD_MIGRATION_FOREIGN_KEY_LINES__, "");
 });
 
+test("buildReplacementsFromSnapshot omits default list ordering when created_at is absent", () => {
+  const snapshot = createSnapshot({
+    hasCreatedAtColumn: false
+  });
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "contacts",
+    snapshot,
+    resolvedOwnershipFilter: "workspace_user"
+  });
+
+  assert.doesNotMatch(replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__, /orderBy/);
+  assert.match(replacements.__JSKIT_CRUD_LIST_CONFIG_LINES__, /searchColumns/);
+});
+
 test("buildReplacementsFromSnapshot renders append-only field meta entries from foreign keys", () => {
   const snapshot = {
     ...createSnapshot(),
@@ -444,6 +489,7 @@ test("crud repository template defines explicit one-line CRUD methods over repos
     templateSource,
     /from "@jskit-ai\/crud-core\/server\/repositoryMethods";/
   );
+  assert.match(templateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
   assert.match(templateSource, /const repositoryRuntime = createCrudRepositoryRuntime\(/);
   assert.match(templateSource, /return crudRepositoryList\(repositoryRuntime, knex, query, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryFindById\(repositoryRuntime, knex, recordId, options, callOptions\);/);
@@ -451,9 +497,31 @@ test("crud repository template defines explicit one-line CRUD methods over repos
   assert.match(templateSource, /return crudRepositoryCreate\(repositoryRuntime, knex, payload, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryUpdateById\(repositoryRuntime, knex, recordId, patch, options, callOptions\);/);
   assert.match(templateSource, /return crudRepositoryDeleteById\(repositoryRuntime, knex, recordId, options, callOptions\);/);
+  assert.doesNotMatch(templateSource, /listByForeignIds/);
+  assert.doesNotMatch(templateSource, /crudRepository requires knex/);
 });
 
-test("crud service template defines explicit service methods and semi-explicit default events", async () => {
+test("crud actions and routes templates share LIST_CONFIG for cursor validation", async () => {
+  const testDirectory = path.dirname(fileURLToPath(import.meta.url));
+  const actionsTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "actions.js");
+  const registerRoutesTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "registerRoutes.js");
+  const listConfigTemplatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "listConfig.js");
+
+  const actionsTemplateSource = await readFile(actionsTemplatePath, "utf8");
+  const registerRoutesTemplateSource = await readFile(registerRoutesTemplatePath, "utf8");
+  const listConfigTemplateSource = await readFile(listConfigTemplatePath, "utf8");
+
+  assert.match(actionsTemplateSource, /createCrudCursorPaginationQueryValidator/);
+  assert.match(actionsTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
+  assert.match(actionsTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
+  assert.match(registerRoutesTemplateSource, /createCrudCursorPaginationQueryValidator/);
+  assert.match(registerRoutesTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
+  assert.match(registerRoutesTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
+  assert.match(listConfigTemplateSource, /const LIST_CONFIG = Object\.freeze\(\{/);
+  assert.match(listConfigTemplateSource, /__JSKIT_CRUD_LIST_CONFIG_LINES__/);
+});
+
+test("crud service template defines explicit service methods over shared service primitives and preserves overridable default events", async () => {
   const testDirectory = path.dirname(fileURLToPath(import.meta.url));
   const templatePath = path.resolve(testDirectory, "..", "templates", "src", "local-package", "server", "service.js");
   const templateSource = await readFile(templatePath, "utf8");
@@ -464,16 +532,81 @@ test("crud service template defines explicit service methods and semi-explicit d
   );
   assert.match(
     templateSource,
-    /from "@jskit-ai\/crud-core\/server\/fieldAccess";/
+    /from "@jskit-ai\/crud-core\/server\/serviceMethods";/
   );
-  assert.match(templateSource, /const baseServiceEvents = createCrudServiceEvents\(/);
-  assert.match(templateSource, /const fieldAccessRuntime = createCrudFieldAccessRuntime\(/);
+  assert.match(templateSource, /const serviceRuntime = createCrudServiceRuntime\(resource,/);
+  assert.match(templateSource, /const baseServiceEvents = createCrudServiceEvents\(resource,/);
   assert.match(templateSource, /const serviceEvents = Object\.freeze\(\{/);
   assert.match(templateSource, /createRecord: \[\.\.\.baseServiceEvents\.createRecord\],/);
+  assert.match(templateSource, /function createService\(\{ \$\{option:namespace\|camel\}Repository, fieldAccess = DEFAULT_FIELD_ACCESS \} = \{\}\)/);
   assert.match(templateSource, /async function listRecords\(query = \{\}, options = \{\}\)/);
-  assert.match(templateSource, /return fieldAccessRuntime\.filterReadableListResult\(result, fieldAccess, \{/);
-  assert.match(templateSource, /const writablePayload = await fieldAccessRuntime\.enforceWritablePayload\(payload, fieldAccess, \{/);
-  assert.match(templateSource, /throw new AppError\(404, "Record not found\."\);/);
+  assert.match(templateSource, /return crudServiceListRecords\(serviceRuntime, \$\{option:namespace\|camel\}Repository, fieldAccess, query, options\);/);
+  assert.match(templateSource, /async function updateRecord\(recordId, payload = \{\}, options = \{\}\)/);
+  assert.match(templateSource, /return crudServiceUpdateRecord\(serviceRuntime, \$\{option:namespace\|camel\}Repository, fieldAccess, recordId, payload, options\);/);
+  assert.match(templateSource, /return Object\.freeze\(\{/);
+});
+
+test("crud generator renders time columns with html-time-compatible schemas", async () => {
+  const testDirectory = path.dirname(fileURLToPath(import.meta.url));
+  const templatePath = path.resolve(testDirectory, "..", "src", "server", "buildTemplateContext.js");
+  const templateSource = await readFile(templatePath, "utf8");
+
+  assert.match(
+    templateSource,
+    /NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    templateSource,
+    /HTML_TIME_STRING_SCHEMA/
+  );
+  assert.doesNotMatch(templateSource, /format: "time"/);
+});
+
+test("buildReplacementsFromSnapshot uses shared framework time schemas in generated resources", () => {
+  const snapshot = createSnapshot({
+    tableName: "opening_hours"
+  });
+  const timeColumn = Object.freeze({
+    name: "from_time",
+    key: "fromTime",
+    dataType: "time",
+    columnType: "time",
+    typeKind: "time",
+    nullable: true,
+    hasDefault: false,
+    defaultValue: null,
+    autoIncrement: false,
+    unsigned: false,
+    extra: "",
+    maxLength: null,
+    numericPrecision: null,
+    numericScale: null,
+    enumValues: Object.freeze([])
+  });
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    snapshot: {
+      ...snapshot,
+      columns: Object.freeze([...snapshot.columns, timeColumn])
+    },
+    resolvedOwnershipFilter: "workspace_user"
+  });
+
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_VALIDATORS_IMPORT__,
+    /NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_SCHEMA_PROPERTIES__,
+    /fromTime: NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_RESOURCE_CREATE_SCHEMA_PROPERTIES__,
+    /fromTime: NULLABLE_HTML_TIME_STRING_SCHEMA/
+  );
+  assert.doesNotMatch(
+    replacements.__JSKIT_CRUD_RESOURCE_OUTPUT_SCHEMA_PROPERTIES__,
+    /Type\.String\(\{ pattern:/
+  );
 });
 
 test("crud provider template uses shared lookup provider helpers instead of inline wiring", async () => {

package/test/crudServerGuards.test.js

@@ -1,6 +1,7 @@
 import test, { after } from "node:test";
 import assert from "node:assert/strict";
 import { createTemplateServerFixture } from "../test-support/templateServerFixture.js";
+import descriptor from "../package.descriptor.mjs";
 
 const fixture = await createTemplateServerFixture();
 const { createActions } = await fixture.importServerModule("actions.js");
@@ -53,3 +54,37 @@ test("template createActions requires explicit surface", () => {
     /requires a non-empty surface/
   );
 });
+
+test("template createActions requires namespaced CRUD permissions by default", () => {
+  const actions = createActions({ surface: "admin" });
+
+  assert.deepEqual(
+    actions.map((action) => action.permission),
+    [
+      { require: "all", permissions: ["crud.customers.list"] },
+      { require: "all", permissions: ["crud.customers.view"] },
+      { require: "all", permissions: ["crud.customers.create"] },
+      { require: "all", permissions: ["crud.customers.update"] },
+      { require: "all", permissions: ["crud.customers.delete"] }
+    ]
+  );
+});
+
+test("crud generator appends member role grants for generated CRUD permissions", () => {
+  assert.deepEqual(
+    descriptor.mutations.text,
+    [
+      {
+        op: "append-text",
+        file: "config/roles.js",
+        position: "bottom",
+        skipIfContains: "\"crud.${option:namespace|snake}.list\"",
+        value:
+          "\nroleCatalog.roles.member.permissions.push(\n  \"crud.${option:namespace|snake}.list\",\n  \"crud.${option:namespace|snake}.view\",\n  \"crud.${option:namespace|snake}.create\",\n  \"crud.${option:namespace|snake}.update\",\n  \"crud.${option:namespace|snake}.delete\"\n);\n",
+        reason: "Grant generated CRUD action permissions to the default member role in the app-owned role catalog.",
+        category: "crud",
+        id: "crud-role-catalog-permissions-${option:namespace|snake}"
+      }
+    ]
+  );
+});

package/test/crudService.test.js

@@ -47,6 +47,7 @@ test("crudService delegates CRUD operations to the repository", async () => {
     ["list", { limit: 10 }],
     ["findById", 3],
     ["create", { textField: "Example", dateField: "2026-03-11", numberField: 3 }],
+    ["findById", 4],
     ["updateById", 4, { textField: "Changed" }],
     ["deleteById", 5]
   ]);
@@ -95,6 +96,48 @@ test("crudService exports default realtime events for create/update/delete", ()
   assert.equal(serviceEvents.deleteRecord[0].realtime.event, "customers.record.changed");
 });
 
+test("crudService passes existing records into patch normalization via the shared CRUD service", async () => {
+  const calls = [];
+  const service = createService({
+    customersRepository: {
+      async list() {
+        return { items: [], nextCursor: null };
+      },
+      async findById(recordId) {
+        calls.push(["findById", recordId]);
+        return {
+          id: recordId,
+          textField: "Existing",
+          dateField: "2026-03-11T00:00:00.000Z",
+          numberField: 3
+        };
+      },
+      async create(payload) {
+        return { id: 1, ...payload };
+      },
+      async updateById(recordId, payload) {
+        calls.push(["updateById", recordId, payload]);
+        return {
+          id: recordId,
+          textField: payload.textField || "",
+          dateField: "2026-03-11T00:00:00.000Z",
+          numberField: payload.numberField ?? 0
+        };
+      },
+      async deleteById(recordId) {
+        return { id: recordId, deleted: true };
+      }
+    }
+  });
+
+  await service.updateRecord(4, { textField: "Changed" }, {});
+
+  assert.deepEqual(calls, [
+    ["findById", 4],
+    ["updateById", 4, { textField: "Changed" }]
+  ]);
+});
+
 test("crudService supports optional fieldAccess hooks for writable filtering", async () => {
   const calls = [];
   const service = createService({

package/test-support/templateServerFixture.js

@@ -18,7 +18,15 @@ const TEMPLATE_REPLACEMENTS = Object.freeze([
   ["${option:namespace|camel}", CRUD_NAMESPACE.camel],
   ["${option:namespace|singular|camel}", CRUD_NAMESPACE.singularCamel],
   ["${option:namespace|pascal}", CRUD_NAMESPACE.pascal],
-  ["__JSKIT_CRUD_ID_COLUMN__", JSON.stringify("id")]
+  ["__JSKIT_CRUD_ID_COLUMN__", JSON.stringify("id")],
+  [
+    "__JSKIT_CRUD_LIST_CONFIG_LINES__",
+    [
+      "  // defaultLimit: 20,",
+      "  // maxLimit: 100,",
+      "  // searchColumns: [\"name\"],"
+    ].join("\n")
+  ]
 ]);
 
 function applyTemplateReplacements(sourceText = "") {
@@ -145,7 +153,7 @@ async function createTemplateServerFixture() {
   );
   await writeFile(path.join(sharedRoot, "customerResource.js"), buildResourceStubSource(), "utf8");
 
-  for (const fileName of ["actionIds.js", "actions.js", "registerRoutes.js", "repository.js", "service.js"]) {
+  for (const fileName of ["actionIds.js", "actions.js", "listConfig.js", "registerRoutes.js", "repository.js", "service.js"]) {
     await renderServerTemplateFile(serverRoot, fileName);
   }