@objectstack/objectql 7.2.0 → 7.2.1

package/dist/index.mjs

@@ -1,7 +1,9 @@
 // src/registry.ts
 import { ObjectSchema } from "@objectstack/spec/data";
+import { readEnvWithDeprecation } from "@objectstack/types";
 import { ManifestSchema, InstalledPackageSchema } from "@objectstack/spec/kernel";
 import { AppSchema } from "@objectstack/spec/ui";
+import { applyProtection } from "@objectstack/spec/shared";
 var RESERVED_NAMESPACES = /* @__PURE__ */ new Set(["base", "system"]);
 var DEFAULT_OWNER_PRIORITY = 100;
 var DEFAULT_EXTENDER_PRIORITY = 200;
@@ -129,7 +131,7 @@ var SchemaRegistry = class {
     if (options.multiTenant !== void 0) {
       this.multiTenant = options.multiTenant;
     } else {
-      this.multiTenant = String(process.env.OS_MULTI_TENANT ?? "false").toLowerCase() !== "false";
+      this.multiTenant = String(readEnvWithDeprecation("OS_MULTI_ORG_ENABLED", "OS_MULTI_TENANT") ?? "false").toLowerCase() !== "false";
     }
   }
   get logLevel() {
@@ -231,6 +233,7 @@ var SchemaRegistry = class {
         contributors.splice(idx, 1);
       }
     }
+    applyProtection(schema, { packageId });
     const contributor = {
       packageId,
       namespace: namespace || "",
@@ -378,9 +381,7 @@ var SchemaRegistry = class {
     }
     const collection = this.metadata.get(type);
     const baseName = String(item[keyField]);
-    if (packageId) {
-      item._packageId = packageId;
-    }
+    applyProtection(item, { packageId });
     try {
       this.validate(type, item);
     } catch (e) {
@@ -629,8 +630,12 @@ var SchemaRegistry = class {
   }
 };
 
+// src/protocol.ts
+import { readEnvWithDeprecation as readEnvWithDeprecation3 } from "@objectstack/types";
+
 // src/sys-metadata-repository.ts
 import { hashSpec, ConflictError } from "@objectstack/metadata-core";
+import { readEnvWithDeprecation as readEnvWithDeprecation2 } from "@objectstack/types";
 import { DEFAULT_METADATA_TYPE_REGISTRY } from "@objectstack/spec/kernel";
 import { PLURAL_TO_SINGULAR, SINGULAR_TO_PLURAL } from "@objectstack/spec/shared";
 var OVERLAY_ALLOWED_TYPES = new Set(
@@ -645,7 +650,7 @@ var RUNTIME_CREATE_ALLOWED_TYPES = new Set(
 var _envWritableMetadataTypes = null;
 function envWritableMetadataTypes() {
   if (_envWritableMetadataTypes !== null) return _envWritableMetadataTypes;
-  const raw = typeof process !== "undefined" && process?.env?.OBJECTSTACK_METADATA_WRITABLE || "";
+  const raw = readEnvWithDeprecation2("OS_METADATA_WRITABLE", "OBJECTSTACK_METADATA_WRITABLE") || "";
   const set = /* @__PURE__ */ new Set();
   for (const tok of raw.split(",")) {
     const t = tok.trim();
@@ -1172,7 +1177,7 @@ var SysMetadataRepository = class {
    * at `(type, name)`. In that case we accept types with
    * `allowRuntimeCreate: true`, even when `allowOrgOverride` is false.
    *
-   * The env-var escape hatch (`OBJECTSTACK_METADATA_WRITABLE`) still
+   * The env-var escape hatch (`OS_METADATA_WRITABLE`) still
    * applies to BOTH intents, so operators can opt into artifact
    * overrides at runtime for emergency fixes.
    */
@@ -1197,7 +1202,7 @@ var SysMetadataRepository = class {
     const code = intent === "runtime-only" ? "not_creatable" : "not_overridable";
     const detail = intent === "runtime-only" ? `'${type}' has neither allowOrgOverride nor allowRuntimeCreate in the registry. ` : `'${type}' is not allowOrgOverride in the registry. `;
     const err = new Error(
-      `[${code}] ${detail}Overlay-allowed: ${Array.from(new Set(allowed)).join(", ") || "(none)"}. Set OBJECTSTACK_METADATA_WRITABLE to enable additional types at runtime.`
+      `[${code}] ${detail}Overlay-allowed: ${Array.from(new Set(allowed)).join(", ") || "(none)"}. Set OS_METADATA_WRITABLE to enable additional types at runtime.`
     );
     err.code = code;
     err.status = 403;
@@ -1569,6 +1574,8 @@ function mergeArtifactProtection(item, artifactItem) {
   const out = { ...item };
   if (a._lock !== void 0) out._lock = a._lock;
   if (a._lockReason !== void 0) out._lockReason = a._lockReason;
+  if (a._lockDocsUrl !== void 0) out._lockDocsUrl = a._lockDocsUrl;
+  if (a._lockSource !== void 0) out._lockSource = a._lockSource;
   if (a._packageId !== void 0) out._packageId = a._packageId;
   if (a._packageVersion !== void 0) out._packageVersion = a._packageVersion;
   if (a._provenance !== void 0) out._provenance = a._provenance;
@@ -2080,10 +2087,13 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       }
       const items = Array.isArray(listed?.items) ? listed.items : Array.isArray(listed) ? listed : [];
       const pkgSet = /* @__PURE__ */ new Set();
+      let lockedCount = 0;
       for (const item of items) {
         scannedItems += 1;
         const pkg = item?._packageId ?? null;
         if (pkg) pkgSet.add(pkg);
+        const lock = item?._lock;
+        if (lock && lock !== "none") lockedCount += 1;
         const diag = item?._diagnostics ?? computeMetadataDiagnostics(t, item);
         if (!diag) continue;
         if (diag.valid && !includeWarnings) continue;
@@ -2094,7 +2104,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
           diagnostics: diag
         });
       }
-      stats[t] = { count: items.length, packages: [...pkgSet].sort() };
+      stats[t] = { count: items.length, locked: lockedCount, packages: [...pkgSet].sort() };
     }
     return {
       entries,
@@ -2295,6 +2305,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       lock: lockState.lock,
       ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
       ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.lockDocsUrl !== void 0 ? { lockDocsUrl: lockState.lockDocsUrl } : {},
       ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
       ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
       ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
@@ -2394,6 +2405,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       lock: lockState.lock,
       ...lockState.lockReason !== void 0 ? { lockReason: lockState.lockReason } : {},
       ...lockState.lockSource !== void 0 ? { lockSource: lockState.lockSource } : {},
+      ...lockState.lockDocsUrl !== void 0 ? { lockDocsUrl: lockState.lockDocsUrl } : {},
       ...lockState.provenance !== void 0 ? { provenance: lockState.provenance } : {},
       ...lockState.packageId !== void 0 ? { packageId: lockState.packageId } : {},
       ...lockState.packageVersion !== void 0 ? { packageVersion: lockState.packageVersion } : {},
@@ -3326,7 +3338,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
   }
   static envWritableTypes() {
     if (this._envWritableTypes !== null) return this._envWritableTypes;
-    const raw = typeof process !== "undefined" && process?.env?.OBJECTSTACK_METADATA_WRITABLE || "";
+    const raw = readEnvWithDeprecation3("OS_METADATA_WRITABLE", "OBJECTSTACK_METADATA_WRITABLE") || "";
     const set = /* @__PURE__ */ new Set();
     for (const tok of raw.split(",")) {
       const t = tok.trim();
@@ -3572,7 +3584,7 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
       const artifactBacked = this.isArtifactBacked(request.type, request.name);
       if (artifactBacked && !overlayAllowed) {
         const err = new Error(
-          `[not_overridable] Metadata item '${request.type}/${request.name}' is provided by a code package and the type has not opted into per-org overlay writes (allowOrgOverride=false). Edit the source artifact and redeploy, or set OBJECTSTACK_METADATA_WRITABLE to grant a runtime escape hatch. See docs/adr/0005-metadata-customization-overlay.md.`
+          `[not_overridable] Metadata item '${request.type}/${request.name}' is provided by a code package and the type has not opted into per-org overlay writes (allowOrgOverride=false). Edit the source artifact and redeploy, or set OS_METADATA_WRITABLE to grant a runtime escape hatch. See docs/adr/0005-metadata-customization-overlay.md.`
         );
         err.code = "not_overridable";
         err.status = 403;
@@ -3622,6 +3634,18 @@ var _ObjectStackProtocolImplementation = class _ObjectStackProtocolImplementatio
         if (err?.code === "destructive_change") throw err;
       }
     }
+    {
+      const it = request.item;
+      const looksLikeLayeredEnvelope = it && typeof it === "object" && !Array.isArray(it) && "code" in it && "overlay" in it && "overlayScope" in it && "effective" in it;
+      if (looksLikeLayeredEnvelope) {
+        const err = new Error(
+          `[invalid_metadata] ${request.type}/${request.name}: the request body is a layered read envelope ({ code, overlay, overlayScope, effective }), not a metadata body. Unwrap and send the effective/overlay document instead \u2014 the layered shape is read-only (GET ?layers=true) and must never be persisted.`
+        );
+        err.code = "invalid_metadata";
+        err.status = 422;
+        throw err;
+      }
+    }
     {
       const schema = resolveOverlaySchema(request.type, request.item);
       if (schema) {
@@ -4419,7 +4443,7 @@ _ObjectStackProtocolImplementation.OVERLAY_ALLOWED_TYPES = (() => {
   return out;
 })();
 /**
- * Phase 3a-env-writable: parse `OBJECTSTACK_METADATA_WRITABLE` once.
+ * Phase 3a-env-writable: parse `OS_METADATA_WRITABLE` once.
  * Comma-separated singular type names. When the env var is set, the
  * listed types get treated as `allowOrgOverride: true` regardless of
  * their static registry entry. This is the runtime escape hatch admins