@objectstack/objectql 7.1.0 → 7.2.0

package/dist/index.mjs

@@ -454,7 +454,9 @@ var SchemaRegistry = class {
     const direct = collection.get(name);
     if (direct) return direct;
     for (const [key, item] of collection) {
-      if (key.endsWith(`:${name}`)) return item;
+      if (key.endsWith(`:${name}`)) {
+        return item;
+      }
     }
     return void 0;
   }
@@ -1306,6 +1308,12 @@ import { parseFilterAST, isFilterAST } from "@objectstack/spec/data";
 import { PLURAL_TO_SINGULAR as PLURAL_TO_SINGULAR3, SINGULAR_TO_PLURAL as SINGULAR_TO_PLURAL2 } from "@objectstack/spec/shared";
 import { METADATA_FORM_REGISTRY } from "@objectstack/spec/system";
 import { DEFAULT_METADATA_TYPE_REGISTRY as DEFAULT_METADATA_TYPE_REGISTRY2, getMetadataTypeSchema as getMetadataTypeSchema2 } from "@objectstack/spec/kernel";
+import {
+  extractProtection,
+  evaluateLockForWrite,
+  evaluateLockForDelete,
+  resolveLockState
+} from "@objectstack/spec/kernel";
 import { z } from "zod";
 
 // src/metadata-diagnostics.ts
@@ -1553,6 +1561,19 @@ function resolveOverlaySchema(type, _item) {
   const singular = PLURAL_TO_SINGULAR3[type] ?? type;
   return getMetadataTypeSchema2(singular) ?? null;
 }
+function mergeArtifactProtection(item, artifactItem) {
+  if (item === void 0 || item === null) return item;
+  if (artifactItem === void 0 || artifactItem === null) return item;
+  const a = artifactItem;
+  if (typeof a !== "object") return item;
+  const out = { ...item };
+  if (a._lock !== void 0) out._lock = a._lock;
+  if (a._lockReason !== void 0) out._lockReason = a._lockReason;
+  if (a._packageId !== void 0) out._packageId = a._packageId;
+  if (a._packageVersion !== void 0) out._packageVersion = a._packageVersion;
+  if (a._provenance !== void 0) out._provenance = a._provenance;
+  return out;
+}
 function simpleHash(str) {
   let hash = 0;
   for (let i = 0; i < str.length; i++) {
@@ -2044,6 +2065,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
     const includeWarnings = request.severity === "warning";
     const targetTypes = request.type ? [request.type] : DEFAULT_METADATA_TYPE_REGISTRY2.filter((e) => getMetadataTypeSchema2(e.type)).map((e) => e.type);
     const entries = [];
+    const stats = {};
     let scannedItems = 0;
     for (const t of targetTypes) {
       let listed;
@@ -2057,8 +2079,11 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         continue;
       }
       const items = Array.isArray(listed?.items) ? listed.items : Array.isArray(listed) ? listed : [];
+      const pkgSet = /* @__PURE__ */ new Set();
       for (const item of items) {
         scannedItems += 1;
+        const pkg = item?._packageId ?? null;
+        if (pkg) pkgSet.add(pkg);
         const diag = item?._diagnostics ?? computeMetadataDiagnostics(t, item);
         if (!diag) continue;
         if (diag.valid && !includeWarnings) continue;
@@ -2069,12 +2094,14 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
           diagnostics: diag
         });
       }
+      stats[t] = { count: items.length, packages: [...pkgSet].sort() };
     }
     return {
       entries,
       total: entries.length,
       scannedTypes: targetTypes.length,
-      scannedItems
+      scannedItems,
+      stats
     };
   }
   async getMetaItems(request) {
@@ -2171,7 +2198,16 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
     }
     return {
       type: request.type,
-      items: decorateMetadataItems(request.type, items)
+      items: decorateMetadataItems(
+        request.type,
+        items.map((it) => {
+          const a = this.lookupArtifactItem(
+            request.type,
+            it?.name
+          );
+          return mergeArtifactProtection(it, a);
+        })
+      )
     };
   }
   async getMetaItem(request) {
@@ -2245,10 +2281,26 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         if (alt) item = this.engine.registry.getItem(alt, request.name);
       }
     }
+    const artifactItem = this.lookupArtifactItem(request.type, request.name);
+    const decorated = decorateMetadataItem(
+      request.type,
+      mergeArtifactProtection(item, artifactItem)
+    );
+    const artifactBacked = this.isArtifactBacked(request.type, request.name);
+    const lockState = resolveLockState(decorated, artifactBacked);
     return {
       type: request.type,
       name: request.name,
-      item: decorateMetadataItem(request.type, item)
+      item: decorated,
+      lock: lockState.lock,
+      ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
+      ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
+      ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
+      ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
+      editable: lockState.editable,
+      deletable: lockState.deletable,
+      resettable: lockState.resettable
     };
   }
   /**
@@ -2328,6 +2380,9 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
     }
     const effective = overlay ?? code;
     const _diagnostics = effective !== null && effective !== void 0 ? computeMetadataDiagnostics(request.type, effective) : void 0;
+    const artifactBacked = this.isArtifactBacked(request.type, request.name);
+    const lockSource = code ?? overlay ?? {};
+    const lockState = resolveLockState(lockSource, artifactBacked);
     return {
       type: request.type,
       name: request.name,
@@ -2335,9 +2390,69 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       overlay,
       overlayScope,
       effective,
-      ..._diagnostics ? { _diagnostics } : {}
+      ..._diagnostics ? { _diagnostics } : {},
+      lock: lockState.lock,
+      ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
+      ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
+      ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
+      ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
+      editable: lockState.editable,
+      deletable: lockState.deletable,
+      resettable: lockState.resettable
     };
   }
+  /**
+   * ADR-0010 §3.6 / Phase 4.1 — read the metadata-protection audit log
+   * for a single item. Returns the most-recent rows of
+   * `sys_metadata_audit` for this (type, name) tuple, sorted newest
+   * first. Refused (`denied`) and forced (`forced`) writes both appear
+   * here — they never reach the `history` endpoint, which only tracks
+   * successful body snapshots.
+   *
+   * The table is provisioned by `platform-objects` and is the
+   * compliance surface for the lock-enforcement story. When the
+   * environment has not yet provisioned the table (legacy install
+   * prior to ADR-0010) the call returns `{ events: [] }` instead of
+   * raising, keeping the Studio tab harmless.
+   */
+  async auditMetaItem(request) {
+    const singular = PLURAL_TO_SINGULAR3[request.type] ?? request.type;
+    const limit = Math.min(
+      Math.max(1, request.limit ?? 100),
+      500
+    );
+    try {
+      const where = {
+        type: singular,
+        name: request.name
+      };
+      const rows = await this.engine.find("sys_metadata_audit", {
+        where,
+        orderBy: [{ field: "occurred_at", direction: "desc" }],
+        limit
+      });
+      const events = (Array.isArray(rows) ? rows : []).map((r) => ({
+        id: r.id,
+        occurredAt: typeof r.occurred_at === "string" ? r.occurred_at : r.occurred_at instanceof Date ? r.occurred_at.toISOString() : String(r.occurred_at ?? ""),
+        actor: String(r.actor ?? "system"),
+        source: r.source ?? null,
+        operation: r.operation,
+        outcome: r.outcome,
+        code: String(r.code ?? ""),
+        lockState: r.lock_state ?? null,
+        lockOverridden: Boolean(r.lock_overridden),
+        requestId: r.request_id ?? null,
+        note: r.note ?? null
+      }));
+      return { events };
+    } catch (err) {
+      console.warn(
+        `[Protocol] auditMetaItem read failed for ${request.type}/${request.name}: ${err?.message ?? err}`
+      );
+      return { events: [] };
+    }
+  }
   async getUiView(request) {
     const schema = this.engine.registry.getObject(request.object);
     if (!schema) throw new Error(`Object ${request.object} not found`);
@@ -3273,6 +3388,158 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
     if (!item || !item._packageId) return false;
     return item._packageId !== "sys_metadata";
   }
+  // ───────────────────────────────────────────────────────────────────
+  // ADR-0010 — metadata protection (Phase 1: L3 item-level lock)
+  // ───────────────────────────────────────────────────────────────────
+  /**
+   * Look up an item from the artifact registry across both the requested
+   * type and its singular/plural twin. Returns `undefined` when the
+   * registry is unavailable or the item is not artifact-backed.
+   */
+  lookupArtifactItem(type, name) {
+    const registry = this.engine?.registry;
+    if (!registry || typeof registry.getItem !== "function") return void 0;
+    const singular = PLURAL_TO_SINGULAR3[type] ?? type;
+    return registry.getItem(singular, name) ?? registry.getItem(type, name);
+  }
+  /**
+   * Resolve the effective `_lock` for an item by consulting the
+   * artifact registry first, then the persisted overlay row. Artifact
+   * always wins — by design, an overlay cannot loosen a packaged
+   * lock (ADR-0010 §3.3).
+   *
+   * Returns `'none'` when nothing is locked, which is the common
+   * case. Safe to call when `environmentId` is undefined (control-
+   * plane bootstrap) — the lock check is only meaningful in tenant
+   * scope and the caller is expected to also gate on `environmentId`.
+   */
+  async getEffectiveLock(type, name, organizationId) {
+    const registry = this.engine?.registry;
+    const singular = PLURAL_TO_SINGULAR3[type] ?? type;
+    let artifactItem;
+    if (registry && typeof registry.getItem === "function") {
+      artifactItem = registry.getItem(singular, name) ?? registry.getItem(type, name);
+    }
+    if (artifactItem && artifactItem._packageId && artifactItem._packageId !== "sys_metadata") {
+      const p = extractProtection(artifactItem);
+      if (p.lock !== "none") {
+        return { lock: p.lock, lockReason: p.lockReason, lockSource: "artifact" };
+      }
+    }
+    try {
+      const where = {
+        type,
+        name,
+        state: "active",
+        organization_id: organizationId ?? null
+      };
+      const row = await this.engine.findOne("sys_metadata", { where });
+      if (row) {
+        const body = typeof row.metadata === "string" ? JSON.parse(row.metadata) : row.metadata;
+        const p = extractProtection(body);
+        if (p.lock !== "none") {
+          return { lock: p.lock, lockReason: p.lockReason, lockSource: "overlay" };
+        }
+      }
+    } catch {
+    }
+    return { lock: "none", lockReason: void 0, lockSource: void 0 };
+  }
+  /**
+   * Best-effort audit-row writer (ADR-0010 §3.6). Failures here are
+   * logged but never block the underlying decision: an environment
+   * without the audit table provisioned (legacy installs before this
+   * ADR landed) still answers normal API calls, just without the
+   * compliance trail. Phase 2 will make the audit table a hard
+   * dependency.
+   */
+  async recordMetadataAudit(entry) {
+    try {
+      await this.engine.insert("sys_metadata_audit", {
+        occurred_at: (/* @__PURE__ */ new Date()).toISOString(),
+        actor: entry.actor ?? "system",
+        source: entry.source ?? "protocol",
+        type: PLURAL_TO_SINGULAR3[entry.type] ?? entry.type,
+        name: entry.name,
+        organization_id: entry.organizationId ?? null,
+        operation: entry.operation,
+        outcome: entry.outcome,
+        code: entry.code,
+        lock_state: entry.lockState ?? "none",
+        lock_overridden: entry.lockOverridden ?? false,
+        request_id: entry.requestId ?? null,
+        note: entry.note ?? null
+      });
+    } catch (err) {
+      console.warn(
+        `[Protocol] sys_metadata_audit write failed for ${entry.type}/${entry.name}: ${err?.message ?? err}`
+      );
+    }
+  }
+  /**
+   * Phase 1 L3 enforcement for write operations (save / publish /
+   * rollback). Returns null on allow. Returns the structured `Error`
+   * the caller should `throw` on deny — also records the denial in
+   * the audit log so refused attempts are visible in compliance
+   * reports (refused writes never reach sys_metadata_history).
+   */
+  async assertLockAllowsWrite(args) {
+    if (this.environmentId === void 0) return null;
+    const state = await this.getEffectiveLock(args.type, args.name, args.organizationId ?? null);
+    const refusal = evaluateLockForWrite(state.lock);
+    if (!refusal) return null;
+    const reason = state.lockReason ?? refusal.reason;
+    const err = new Error(
+      `[item_locked] ${args.type}/${args.name} is locked (_lock=${state.lock}${state.lockSource ? `, source=${state.lockSource}` : ""}). ${reason} \u2014 See ADR-0010 \xA73.3.`
+    );
+    err.code = "item_locked";
+    err.status = 403;
+    err.lock = state.lock;
+    err.lockReason = reason;
+    await this.recordMetadataAudit({
+      type: args.type,
+      name: args.name,
+      organizationId: args.organizationId ?? null,
+      operation: args.operation,
+      outcome: "denied",
+      code: "item_locked",
+      lockState: state.lock,
+      actor: args.actor,
+      source: args.source ?? `protocol.${args.operation}MetaItem`,
+      requestId: args.requestId,
+      note: reason
+    });
+    return err;
+  }
+  /** Counterpart of {@link assertLockAllowsWrite} for delete. */
+  async assertLockAllowsDelete(args) {
+    if (this.environmentId === void 0) return null;
+    const state = await this.getEffectiveLock(args.type, args.name, args.organizationId ?? null);
+    const refusal = evaluateLockForDelete(state.lock);
+    if (!refusal) return null;
+    const reason = state.lockReason ?? refusal.reason;
+    const err = new Error(
+      `[item_locked] ${args.type}/${args.name} is locked (_lock=${state.lock}${state.lockSource ? `, source=${state.lockSource}` : ""}). ${reason} \u2014 See ADR-0010 \xA73.3.`
+    );
+    err.code = "item_locked";
+    err.status = 403;
+    err.lock = state.lock;
+    err.lockReason = reason;
+    await this.recordMetadataAudit({
+      type: args.type,
+      name: args.name,
+      organizationId: args.organizationId ?? null,
+      operation: "delete",
+      outcome: "denied",
+      code: "item_locked",
+      lockState: state.lock,
+      actor: args.actor,
+      source: args.source ?? "protocol.deleteMetaItem",
+      requestId: args.requestId,
+      note: reason
+    });
+    return err;
+  }
   /**
    * Mirror an object-type overlay write into the in-memory engine
    * registry so subsequent CRUD finds the new schema. Idempotent and
@@ -3319,6 +3586,15 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         err.status = 403;
         throw err;
       }
+      const lockErr = await this.assertLockAllowsWrite({
+        type: request.type,
+        name: request.name,
+        ...request.organizationId ? { organizationId: request.organizationId } : {},
+        operation: "save",
+        ...request.actor ? { actor: request.actor } : {},
+        source: "protocol.saveMetaItem"
+      });
+      if (lockErr) throw lockErr;
     }
     const singularType = PLURAL_TO_SINGULAR3[request.type] ?? request.type;
     if (!request.force && (singularType === "object" || singularType === "field")) {
@@ -3400,6 +3676,17 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         if (mode === "publish") {
           this.applyObjectRegistryMutation(request);
         }
+        await this.recordMetadataAudit({
+          type: request.type,
+          name: request.name,
+          organizationId: orgId,
+          operation: "save",
+          outcome: "allowed",
+          code: "ok",
+          ...request.actor ? { actor: request.actor } : {},
+          source: "protocol.saveMetaItem",
+          note: mode === "draft" ? "draft" : "active"
+        });
         return {
           success: true,
           version: result.version,
@@ -3522,6 +3809,15 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       err.status = 403;
       throw err;
     }
+    const _publishLockErr = await this.assertLockAllowsWrite({
+      type: request.type,
+      name: request.name,
+      ...request.organizationId ? { organizationId: request.organizationId } : {},
+      operation: "publish",
+      ...request.actor ? { actor: request.actor } : {},
+      source: "protocol.publishMetaItem"
+    });
+    if (_publishLockErr) throw _publishLockErr;
     await this.ensureOverlayIndex();
     const orgId = request.organizationId ?? null;
     const repo = this.getOverlayRepo(orgId);
@@ -3589,6 +3885,15 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       err.status = 403;
       throw err;
     }
+    const _rollbackLockErr = await this.assertLockAllowsWrite({
+      type: request.type,
+      name: request.name,
+      ...request.organizationId ? { organizationId: request.organizationId } : {},
+      operation: "rollback",
+      ...request.actor ? { actor: request.actor } : {},
+      source: "protocol.rollbackMetaItem"
+    });
+    if (_rollbackLockErr) throw _rollbackLockErr;
     await this.ensureOverlayIndex();
     const orgId = request.organizationId ?? null;
     const repo = this.getOverlayRepo(orgId);
@@ -3735,6 +4040,14 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         err.status = 403;
         throw err;
       }
+      const lockErr = await this.assertLockAllowsDelete({
+        type: request.type,
+        name: request.name,
+        ...request.organizationId ? { organizationId: request.organizationId } : {},
+        ...request.actor ? { actor: request.actor } : {},
+        source: "protocol.deleteMetaItem"
+      });
+      if (lockErr) throw lockErr;
     }
     const singularTypeForRepo = PLURAL_TO_SINGULAR3[request.type] ?? request.type;
     const overlayAllowedForRepoDel = _ObjectStackProtocolImplementation.isOverlayAllowed(singularTypeForRepo);
@@ -3779,6 +4092,17 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
           } catch {
           }
         }
+        await this.recordMetadataAudit({
+          type: request.type,
+          name: request.name,
+          organizationId: orgId,
+          operation: "delete",
+          outcome: "allowed",
+          code: "ok",
+          ...request.actor ? { actor: request.actor } : {},
+          source: "protocol.deleteMetaItem",
+          note: targetState
+        });
         return {
           success: true,
           reset: true,