@jskit-ai/crud-server-generator 0.1.41 → 0.1.43

package/templates/src/local-package/server/actions.js

@@ -7,20 +7,14 @@ import {
   lookupIncludeQueryValidator,
   createCrudParentFilterQueryValidator
 } from "@jskit-ai/crud-core/server/listQueryValidators";
-import { workspaceSlugParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 import { actionIds } from "./actionIds.js";
 import { LIST_CONFIG } from "./listConfig.js";
+__JSKIT_CRUD_ACTION_WORKSPACE_VALIDATOR_IMPORT__
 
 const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
-const actionPermissions = Object.freeze({
-  list: "crud.${option:namespace|snake}.list",
-  view: "crud.${option:namespace|snake}.view",
-  create: "crud.${option:namespace|snake}.create",
-  update: "crud.${option:namespace|snake}.update",
-  delete: "crud.${option:namespace|snake}.delete"
-});
+__JSKIT_CRUD_ACTION_PERMISSION_SUPPORT__
 
 function requireActionSurface(surface = "") {
   const normalizedSurface = String(surface || "").trim().toLowerCase();
@@ -41,17 +35,8 @@ function createActions({ surface = "" } = {}) {
       kind: "query",
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
-      permission: {
-        require: "all",
-        permissions: [actionPermissions.list]
-      },
-      inputValidator: [
-        workspaceSlugParamsValidator,
-        listCursorPaginationQueryValidator,
-        listSearchQueryValidator,
-        listParentFilterQueryValidator,
-        lookupIncludeQueryValidator
-      ],
+      permission: __JSKIT_CRUD_LIST_ACTION_PERMISSION__,
+      inputValidator: __JSKIT_CRUD_LIST_ACTION_INPUT_VALIDATOR__,
       outputValidator: resource.operations.list.outputValidator,
       idempotency: "none",
       audit: {
@@ -71,11 +56,8 @@ function createActions({ surface = "" } = {}) {
       kind: "query",
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
-      permission: {
-        require: "all",
-        permissions: [actionPermissions.view]
-      },
-      inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator, lookupIncludeQueryValidator],
+      permission: __JSKIT_CRUD_VIEW_ACTION_PERMISSION__,
+      inputValidator: __JSKIT_CRUD_VIEW_ACTION_INPUT_VALIDATOR__,
       outputValidator: resource.operations.view.outputValidator,
       idempotency: "none",
       audit: {
@@ -96,16 +78,8 @@ function createActions({ surface = "" } = {}) {
       kind: "command",
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
-      permission: {
-        require: "all",
-        permissions: [actionPermissions.create]
-      },
-      inputValidator: [
-        workspaceSlugParamsValidator,
-        {
-          payload: resource.operations.create.bodyValidator
-        }
-      ],
+      permission: __JSKIT_CRUD_CREATE_ACTION_PERMISSION__,
+      inputValidator: __JSKIT_CRUD_CREATE_ACTION_INPUT_VALIDATOR__,
       outputValidator: resource.operations.create.outputValidator,
       idempotency: "optional",
       audit: {
@@ -125,17 +99,8 @@ function createActions({ surface = "" } = {}) {
       kind: "command",
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
-      permission: {
-        require: "all",
-        permissions: [actionPermissions.update]
-      },
-      inputValidator: [
-        workspaceSlugParamsValidator,
-        recordIdParamsValidator,
-        {
-          patch: resource.operations.patch.bodyValidator
-        }
-      ],
+      permission: __JSKIT_CRUD_UPDATE_ACTION_PERMISSION__,
+      inputValidator: __JSKIT_CRUD_UPDATE_ACTION_INPUT_VALIDATOR__,
       outputValidator: resource.operations.patch.outputValidator,
       idempotency: "optional",
       audit: {
@@ -155,11 +120,8 @@ function createActions({ surface = "" } = {}) {
       kind: "command",
       channels: ["api", "automation", "internal"],
       surfaces: [actionSurface],
-      permission: {
-        require: "all",
-        permissions: [actionPermissions.delete]
-      },
-      inputValidator: [workspaceSlugParamsValidator, recordIdParamsValidator],
+      permission: __JSKIT_CRUD_DELETE_ACTION_PERMISSION__,
+      inputValidator: __JSKIT_CRUD_DELETE_ACTION_INPUT_VALIDATOR__,
       outputValidator: resource.operations.delete.outputValidator,
       idempotency: "optional",
       audit: {

package/templates/src/local-package/server/registerRoutes.js

@@ -9,13 +9,12 @@ import {
 import {
   recordIdParamsValidator
 } from "@jskit-ai/kernel/shared/validators";
-import { routeParamsValidator } from "@jskit-ai/users-core/server/validators/routeParamsValidator";
 import { checkRouteVisibility } from "@jskit-ai/users-core/shared/support/usersVisibility";
-import { buildWorkspaceInputFromRouteParams } from "@jskit-ai/users-core/server/support/workspaceRouteInput";
 import { resolveApiBasePath } from "@jskit-ai/users-core/shared/support/usersApiPaths";
 import { actionIds } from "./actionIds.js";
 import { resource } from "../shared/${option:namespace|singular|camel}Resource.js";
 import { LIST_CONFIG } from "./listConfig.js";
+__JSKIT_CRUD_ROUTE_WORKSPACE_SUPPORT_IMPORTS__
 
 const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator(LIST_CONFIG);
 const listParentFilterQueryValidator = createCrudParentFilterQueryValidator(resource);
@@ -25,14 +24,13 @@ function registerRoutes(
   {
     routeOwnershipFilter = "public",
     routeSurface = "",
-    routeSurfaceRequiresWorkspace = false,
     routeRelativePath = ""
   } = {}
 ) {
   const router = app.make("jskit.http.router");
   const normalizedRouteSurface = normalizeSurfaceId(routeSurface);
   const routeBase = resolveApiBasePath({
-    surfaceRequiresWorkspace: routeSurfaceRequiresWorkspace === true,
+    surfaceRequiresWorkspace: __JSKIT_CRUD_ROUTE_SURFACE_REQUIRES_WORKSPACE__,
     relativePath: routeRelativePath
   });
 
@@ -47,7 +45,7 @@ function registerRoutes(
         tags: ["crud"],
         summary: "List records."
       },
-      paramsValidator: routeParamsValidator,
+__JSKIT_CRUD_LIST_ROUTE_PARAMS_VALIDATOR_LINE__
       queryValidator: [
         listCursorPaginationQueryValidator,
         listSearchQueryValidator,
@@ -60,8 +58,7 @@ function registerRoutes(
     },
     async function (request, reply) {
       const listInput = {
-        ...buildWorkspaceInputFromRouteParams(request.input.params),
-        ...(request.input.query || {})
+__JSKIT_CRUD_LIST_ROUTE_INPUT_LINES__
       };
       const response = await request.executeAction({
         actionId: actionIds.list,
@@ -82,7 +79,7 @@ function registerRoutes(
         tags: ["crud"],
         summary: "View a record."
       },
-      paramsValidator: [routeParamsValidator, recordIdParamsValidator],
+__JSKIT_CRUD_VIEW_ROUTE_PARAMS_VALIDATOR_LINE__
       queryValidator: [lookupIncludeQueryValidator],
       responseValidators: withStandardErrorResponses({
         200: resource.operations.view.outputValidator
@@ -92,9 +89,7 @@ function registerRoutes(
       const response = await request.executeAction({
         actionId: actionIds.view,
         input: {
-          ...buildWorkspaceInputFromRouteParams(request.input.params),
-          recordId: request.input.params.recordId,
-          ...(request.input.query || {})
+__JSKIT_CRUD_VIEW_ROUTE_INPUT_LINES__
         }
       });
       reply.code(200).send(response);
@@ -112,7 +107,7 @@ function registerRoutes(
         tags: ["crud"],
         summary: "Create a record."
       },
-      paramsValidator: routeParamsValidator,
+__JSKIT_CRUD_CREATE_ROUTE_PARAMS_VALIDATOR_LINE__
       bodyValidator: resource.operations.create.bodyValidator,
       responseValidators: withStandardErrorResponses(
         {
@@ -125,8 +120,7 @@ function registerRoutes(
       const response = await request.executeAction({
         actionId: actionIds.create,
         input: {
-          ...buildWorkspaceInputFromRouteParams(request.input.params),
-          payload: request.input.body
+__JSKIT_CRUD_CREATE_ROUTE_INPUT_LINES__
         }
       });
       reply.code(201).send(response);
@@ -144,7 +138,7 @@ function registerRoutes(
         tags: ["crud"],
         summary: "Update a record."
       },
-      paramsValidator: [routeParamsValidator, recordIdParamsValidator],
+__JSKIT_CRUD_UPDATE_ROUTE_PARAMS_VALIDATOR_LINE__
       bodyValidator: resource.operations.patch.bodyValidator,
       responseValidators: withStandardErrorResponses(
         {
@@ -157,9 +151,7 @@ function registerRoutes(
       const response = await request.executeAction({
         actionId: actionIds.update,
         input: {
-          ...buildWorkspaceInputFromRouteParams(request.input.params),
-          recordId: request.input.params.recordId,
-          patch: request.input.body
+__JSKIT_CRUD_UPDATE_ROUTE_INPUT_LINES__
         }
       });
       reply.code(200).send(response);
@@ -177,7 +169,7 @@ function registerRoutes(
         tags: ["crud"],
         summary: "Delete a record."
       },
-      paramsValidator: [routeParamsValidator, recordIdParamsValidator],
+__JSKIT_CRUD_DELETE_ROUTE_PARAMS_VALIDATOR_LINE__
       responseValidators: withStandardErrorResponses({
         200: resource.operations.delete.outputValidator
       })
@@ -186,8 +178,7 @@ function registerRoutes(
       const response = await request.executeAction({
         actionId: actionIds.delete,
         input: {
-          ...buildWorkspaceInputFromRouteParams(request.input.params),
-          recordId: request.input.params.recordId
+__JSKIT_CRUD_DELETE_ROUTE_INPUT_LINES__
         }
       });
       reply.code(200).send(response);

package/test/buildTemplateContext.test.js

@@ -1,10 +1,11 @@
 import assert from "node:assert/strict";
-import { readFile } from "node:fs/promises";
+import { mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
 import path from "node:path";
 import test from "node:test";
 import { fileURLToPath } from "node:url";
 
-import { buildTemplateContext, __testables } from "../src/server/buildTemplateContext.js";
+import { __testables } from "../src/server/buildTemplateContext.js";
 
 function createSnapshot({
   tableName = "contacts",
@@ -152,6 +153,22 @@ function createSnapshot({
   });
 }
 
+async function withTempApp(run, publicConfigSource) {
+  const appRoot = await mkdtemp(path.join(tmpdir(), "crud-server-generator-"));
+  try {
+    await mkdir(path.join(appRoot, "config"), { recursive: true });
+    await writeFile(
+      path.join(appRoot, "package.json"),
+      `${JSON.stringify({ name: "crud-server-generator-test-app", private: true, type: "module" }, null, 2)}\n`,
+      "utf8"
+    );
+    await writeFile(path.join(appRoot, "config", "public.js"), publicConfigSource, "utf8");
+    return await run(appRoot);
+  } finally {
+    await rm(appRoot, { recursive: true, force: true });
+  }
+}
+
 test("resolveOwnershipFilterForGeneration infers ownership filter for table introspection mode", () => {
   const snapshotBoth = createSnapshot({
     hasWorkspaceIdColumn: true,
@@ -218,15 +235,19 @@ test("resolveOwnershipFilterForGeneration rejects explicit ownership filters whe
   );
 });
 
-test("buildTemplateContext requires table-name", async () => {
-  await assert.rejects(
-    buildTemplateContext({
-      appRoot: process.cwd(),
-      options: {
-        namespace: "contacts"
-      }
+test("resolveCrudGenerationTableName defaults table-name from namespace", () => {
+  assert.equal(
+    __testables.resolveCrudGenerationTableName({
+      namespace: "contacts"
     }),
-    /requires option "table-name"/
+    "contacts"
+  );
+  assert.equal(
+    __testables.resolveCrudGenerationTableName({
+      namespace: "contacts",
+      "table-name": "customer_contacts"
+    }),
+    "customer_contacts"
   );
 });
 
@@ -235,12 +256,51 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
   const replacements = __testables.buildReplacementsFromSnapshot({
     namespace: "contacts",
     snapshot,
-    resolvedOwnershipFilter: "workspace_user"
+    resolvedOwnershipFilter: "workspace_user",
+    surfaceRequiresWorkspace: true
   });
 
   assert.equal(replacements.__JSKIT_CRUD_TABLE_NAME__, "\"contacts\"");
   assert.equal(replacements.__JSKIT_CRUD_ID_COLUMN__, "\"id\"");
+  assert.equal(replacements.__JSKIT_CRUD_SURFACE_ID__, "\"\"");
   assert.equal(replacements.__JSKIT_CRUD_RESOLVED_OWNERSHIP_FILTER__, "workspace_user");
+  assert.match(
+    replacements.__JSKIT_CRUD_ACTION_PERMISSION_SUPPORT__,
+    /const actionPermissions = Object\.freeze\(\{/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_ACTION_PERMISSION_SUPPORT__,
+    /"crud\.contacts\.delete"/
+  );
+  assert.equal(
+    replacements.__JSKIT_CRUD_LIST_ACTION_PERMISSION__,
+    '{ require: "all", permissions: [actionPermissions.list] }'
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_ACTION_WORKSPACE_VALIDATOR_IMPORT__,
+    /workspaceSlugParamsValidator/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_ROUTE_WORKSPACE_SUPPORT_IMPORTS__,
+    /buildWorkspaceInputFromRouteParams/
+  );
+  assert.equal(replacements.__JSKIT_CRUD_ROUTE_SURFACE_REQUIRES_WORKSPACE__, "true");
+  assert.equal(
+    replacements.__JSKIT_CRUD_LIST_ACTION_INPUT_VALIDATOR__,
+    "[workspaceSlugParamsValidator, listCursorPaginationQueryValidator, listSearchQueryValidator, listParentFilterQueryValidator, lookupIncludeQueryValidator]"
+  );
+  assert.equal(
+    replacements.__JSKIT_CRUD_VIEW_ROUTE_PARAMS_VALIDATOR_LINE__,
+    "      paramsValidator: [routeParamsValidator, recordIdParamsValidator],"
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_ROLE_CATALOG_PERMISSION_GRANTS__,
+    /roleCatalog\.roles\.member\.permissions\.push\(/
+  );
+  assert.match(
+    replacements.__JSKIT_CRUD_ROLE_CATALOG_PERMISSION_GRANTS__,
+    /"crud\.contacts\.delete"/
+  );
   assert.match(replacements.__JSKIT_CRUD_MIGRATION_COLUMN_LINES__, /table\.bigIncrements\("id"\)/);
   assert.match(replacements.__JSKIT_CRUD_MIGRATION_COLUMN_LINES__, /table\.string\("first_name", 160\)/);
   assert.equal(replacements.__JSKIT_CRUD_RESOURCE_FIELD_META_PUSH_LINES__, "");
@@ -282,6 +342,129 @@ test("buildReplacementsFromSnapshot builds deterministic template replacement pa
   assert.equal(replacements.__JSKIT_CRUD_MIGRATION_FOREIGN_KEY_LINES__, "");
 });
 
+test("buildReplacementsFromSnapshot omits named permissions and role grants when disabled", () => {
+  const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "contacts",
+    snapshot: createSnapshot({
+      hasWorkspaceIdColumn: false,
+      hasUserIdColumn: false
+    }),
+    resolvedOwnershipFilter: "public",
+    surfaceRequiresWorkspace: false
+  });
+
+  assert.match(
+    replacements.__JSKIT_CRUD_ACTION_PERMISSION_SUPPORT__,
+    /const authenticatedPermission = Object\.freeze\(\{/
+  );
+  assert.equal(replacements.__JSKIT_CRUD_SURFACE_ID__, "\"\"");
+  assert.equal(replacements.__JSKIT_CRUD_LIST_ACTION_PERMISSION__, "authenticatedPermission");
+  assert.equal(replacements.__JSKIT_CRUD_DELETE_ACTION_PERMISSION__, "authenticatedPermission");
+  assert.equal(replacements.__JSKIT_CRUD_ROLE_CATALOG_PERMISSION_GRANTS__, "");
+  assert.equal(replacements.__JSKIT_CRUD_ACTION_WORKSPACE_VALIDATOR_IMPORT__, "");
+  assert.equal(replacements.__JSKIT_CRUD_ROUTE_WORKSPACE_SUPPORT_IMPORTS__, "");
+  assert.equal(replacements.__JSKIT_CRUD_ROUTE_SURFACE_REQUIRES_WORKSPACE__, "false");
+  assert.equal(
+    replacements.__JSKIT_CRUD_CREATE_ACTION_INPUT_VALIDATOR__,
+    "{ payload: resource.operations.create.bodyValidator }"
+  );
+  assert.equal(replacements.__JSKIT_CRUD_LIST_ROUTE_PARAMS_VALIDATOR_LINE__, "");
+  assert.equal(
+    replacements.__JSKIT_CRUD_VIEW_ROUTE_PARAMS_VALIDATOR_LINE__,
+    "      paramsValidator: recordIdParamsValidator,"
+  );
+  assert.equal(
+    replacements.__JSKIT_CRUD_VIEW_ROUTE_INPUT_LINES__,
+    [
+      "          recordId: request.input.params.recordId,",
+      "          ...(request.input.query || {})"
+    ].join("\n")
+  );
+});
+
+test("resolveCrudSurfaceRequiresWorkspace follows surface workspace requirements from app config", async () => {
+  await withTempApp(
+    async (appRoot) => {
+      assert.equal(
+        await __testables.resolveCrudSurfaceRequiresWorkspace({
+          appRoot,
+          options: {
+            namespace: "contacts",
+            surface: "home",
+            "ownership-filter": "auto"
+          }
+        }),
+        false
+      );
+
+      assert.equal(
+        await __testables.resolveCrudSurfaceRequiresWorkspace({
+          appRoot,
+          options: {
+            namespace: "contacts",
+            surface: "admin",
+            "ownership-filter": "auto"
+          }
+        }),
+        true
+      );
+    },
+    `export const config = {
+  surfaceDefinitions: {
+    home: { id: "home", enabled: true, requiresAuth: true, requiresWorkspace: false },
+    admin: { id: "admin", enabled: true, requiresAuth: true, requiresWorkspace: true }
+  }
+};
+`
+  );
+});
+
+test("resolveCrudGenerationSurfaceId defaults home for non-workspace apps", async () => {
+  await withTempApp(
+    async (appRoot) => {
+      assert.equal(
+        await __testables.resolveCrudGenerationSurfaceId({
+          appRoot,
+          options: {
+            namespace: "contacts"
+          }
+        }),
+        "home"
+      );
+    },
+    `export const config = {
+  surfaceDefinitions: {
+    home: { id: "home", enabled: true, requiresAuth: false, requiresWorkspace: false },
+    console: { id: "console", enabled: true, requiresAuth: true, requiresWorkspace: false }
+  }
+};
+`
+  );
+});
+
+test("resolveCrudGenerationSurfaceId requires explicit surface for workspace-capable apps", async () => {
+  await withTempApp(
+    async (appRoot) => {
+      await assert.rejects(
+        __testables.resolveCrudGenerationSurfaceId({
+          appRoot,
+          options: {
+            namespace: "contacts"
+          }
+        }),
+        /requires option "surface"/
+      );
+    },
+    `export const config = {
+  surfaceDefinitions: {
+    home: { id: "home", enabled: true, requiresAuth: false, requiresWorkspace: false },
+    admin: { id: "admin", enabled: true, requiresAuth: true, requiresWorkspace: true }
+  }
+};
+`
+  );
+});
+
 test("buildReplacementsFromSnapshot omits default list ordering when created_at is absent", () => {
   const snapshot = createSnapshot({
     hasCreatedAtColumn: false
@@ -336,6 +519,7 @@ test("buildReplacementsFromSnapshot renders append-only field meta entries from
   };
 
   const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "contacts",
     snapshot,
     resolvedOwnershipFilter: "workspace_user"
   });
@@ -380,6 +564,7 @@ test("buildReplacementsFromSnapshot renders enum field meta options as select co
   };
 
   const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "contacts",
     snapshot,
     resolvedOwnershipFilter: "public"
   });
@@ -493,6 +678,7 @@ test("buildReplacementsFromSnapshot preserves custom collations, hash unique ind
     hasUserIdColumn: false
   });
   const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "services",
     snapshot: {
       ...snapshot,
       columns: Object.freeze([
@@ -668,6 +854,10 @@ test("crud actions and routes templates share LIST_CONFIG for cursor validation"
   assert.match(actionsTemplateSource, /createCrudCursorPaginationQueryValidator/);
   assert.match(actionsTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
   assert.match(actionsTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
+  assert.match(actionsTemplateSource, /__JSKIT_CRUD_ACTION_PERMISSION_SUPPORT__/);
+  assert.match(actionsTemplateSource, /__JSKIT_CRUD_LIST_ACTION_PERMISSION__/);
+  assert.doesNotMatch(actionsTemplateSource, /ACTIONS_REQUIRE_NAMED_PERMISSIONS/);
+  assert.doesNotMatch(actionsTemplateSource, /createActionPermission/);
   assert.match(registerRoutesTemplateSource, /createCrudCursorPaginationQueryValidator/);
   assert.match(registerRoutesTemplateSource, /import \{ LIST_CONFIG \} from "\.\/listConfig\.js";/);
   assert.match(registerRoutesTemplateSource, /const listCursorPaginationQueryValidator = createCrudCursorPaginationQueryValidator\(LIST_CONFIG\);/);
@@ -738,6 +928,7 @@ test("buildReplacementsFromSnapshot uses shared framework time schemas in genera
     enumValues: Object.freeze([])
   });
   const replacements = __testables.buildReplacementsFromSnapshot({
+    namespace: "opening-hours",
     snapshot: {
       ...snapshot,
       columns: Object.freeze([...snapshot.columns, timeColumn])

package/test/crudServerGuards.test.js

@@ -1,14 +1,20 @@
 import test, { after } from "node:test";
 import assert from "node:assert/strict";
+import { recordIdParamsValidator } from "@jskit-ai/kernel/shared/validators";
 import { createTemplateServerFixture } from "../test-support/templateServerFixture.js";
-import descriptor from "../package.descriptor.mjs";
 
 const fixture = await createTemplateServerFixture();
+const nonWorkspaceFixture = await createTemplateServerFixture({
+  surfaceRequiresWorkspace: false,
+  requiresNamedPermissions: false
+});
 const { createActions } = await fixture.importServerModule("actions.js");
 const { createRepository } = await fixture.importServerModule("repository.js");
+const { createActions: createNonWorkspaceActions } = await nonWorkspaceFixture.importServerModule("actions.js");
 
 after(async () => {
   await fixture.cleanup();
+  await nonWorkspaceFixture.cleanup();
 });
 
 test("template createRepository defaults tableName from resource metadata", () => {
@@ -70,21 +76,18 @@ test("template createActions requires namespaced CRUD permissions by default", (
   );
 });
 
-test("crud generator appends member role grants for generated CRUD permissions", () => {
-  assert.deepEqual(
-    descriptor.mutations.text,
-    [
-      {
-        op: "append-text",
-        file: "config/roles.js",
-        position: "bottom",
-        skipIfContains: "\"crud.${option:namespace|snake}.list\"",
-        value:
-          "\nroleCatalog.roles.member.permissions.push(\n  \"crud.${option:namespace|snake}.list\",\n  \"crud.${option:namespace|snake}.view\",\n  \"crud.${option:namespace|snake}.create\",\n  \"crud.${option:namespace|snake}.update\",\n  \"crud.${option:namespace|snake}.delete\"\n);\n",
-        reason: "Grant generated CRUD action permissions to the default member role in the app-owned role catalog.",
-        category: "crud",
-        id: "crud-role-catalog-permissions-${option:namespace|snake}"
-      }
-    ]
-  );
+test("template createActions omits workspace validators for non-workspace generation", () => {
+  const actions = createNonWorkspaceActions({ surface: "home" });
+
+  assert.equal(Array.isArray(actions[0].inputValidator), true);
+  assert.equal(actions[0].inputValidator.length, 4);
+  assert.equal(Array.isArray(actions[1].inputValidator), true);
+  assert.equal(actions[1].inputValidator.length, 2);
+  assert.equal(actions[1].inputValidator[0], recordIdParamsValidator);
+  assert.deepEqual(Object.keys(actions[2].inputValidator), ["payload"]);
+  assert.equal(Array.isArray(actions[3].inputValidator), true);
+  assert.equal(actions[3].inputValidator.length, 2);
+  assert.equal(actions[3].inputValidator[0], recordIdParamsValidator);
+  assert.equal(actions[4].inputValidator, recordIdParamsValidator);
+  assert.equal(actions[0].permission.require, "authenticated");
 });

package/test/packageDescriptor.test.js

@@ -5,6 +5,17 @@ import descriptor from "../package.descriptor.mjs";
 test("crud-server-generator surface option validates against enabled surface ids", () => {
   assert.equal(descriptor.kind, "generator");
   assert.equal(descriptor.options?.surface?.validationType, "enabled-surface-id");
+  assert.equal(descriptor.options?.surface?.required, false);
+  assert.equal(descriptor.options?.["ownership-filter"]?.validationType, "enum");
+  assert.deepEqual(
+    descriptor.options?.["ownership-filter"]?.allowedValues,
+    ["auto", "public", "user", "workspace", "workspace_user"]
+  );
+  assert.equal(descriptor.options?.["table-name"]?.required, false);
+  assert.equal(
+    descriptor.options?.["table-name"]?.defaultFromOptionTemplate,
+    "${option:namespace}"
+  );
   assert.equal(descriptor.metadata?.generatorSubcommands?.scaffold?.optionNames?.includes("surface"), true);
   assert.equal(descriptor.metadata?.generatorSubcommands?.scaffold?.optionNames?.includes("force"), true);
   assert.equal(descriptor.metadata?.generatorSubcommands?.scaffold?.createTarget?.pathTemplate, "packages/${option:namespace|kebab}");
@@ -24,3 +35,29 @@ test("crud-server-generator installs listConfig alongside server templates", ()
     export: "buildTemplateContext"
   });
 });
+
+test("crud-server-generator wires action and role mutations through template context", () => {
+  const files = descriptor.mutations?.files || [];
+  const actionsTemplate = files.find((entry) => entry.from === "templates/src/local-package/server/actions.js");
+  const routesTemplate = files.find((entry) => entry.from === "templates/src/local-package/server/registerRoutes.js");
+  const roleGrantMutation = (descriptor.mutations?.text || []).find((entry) => entry.file === "config/roles.js");
+
+  assert.ok(actionsTemplate);
+  assert.deepEqual(actionsTemplate.templateContext, {
+    entrypoint: "src/server/buildTemplateContext.js",
+    export: "buildTemplateContext"
+  });
+
+  assert.ok(routesTemplate);
+  assert.deepEqual(routesTemplate.templateContext, {
+    entrypoint: "src/server/buildTemplateContext.js",
+    export: "buildTemplateContext"
+  });
+
+  assert.ok(roleGrantMutation);
+  assert.equal(roleGrantMutation.value, "__JSKIT_CRUD_ROLE_CATALOG_PERMISSION_GRANTS__");
+  assert.deepEqual(roleGrantMutation.templateContext, {
+    entrypoint: "src/server/buildTemplateContext.js",
+    export: "buildTemplateContext"
+  });
+});