@objectstack/objectql 7.5.0 → 7.6.0

package/dist/index.d.mts

@@ -419,6 +419,7 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
             graphql?: string | undefined;
             packages?: string | undefined;
             workflow?: string | undefined;
+            approvals?: string | undefined;
             realtime?: string | undefined;
             notifications?: string | undefined;
             ai?: string | undefined;
@@ -549,14 +550,14 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
                     provider: "api";
                     read?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
                     } | undefined;
                     write?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
@@ -1849,7 +1850,7 @@ declare class ObjectQL implements IDataEngine {
      * **fail-closed** — the write throws rather than persist cleartext.
      *
      * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-     * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+     * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
      * provider in production.
      */
     setCryptoProvider(provider: ICryptoProvider): void;
@@ -2379,7 +2380,7 @@ declare function wrapDeclarativeHook(meta: Hook, handler: HookHandler, opts?: Wr
 
 interface FieldValidationError {
     field: string;
-    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation';
+    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation' | 'invalid_format' | 'invalid_json' | 'json_schema_violation';
     message: string;
     /** Allowed values for select/multiselect, when applicable. */
     options?: string[];

package/dist/index.d.ts

@@ -419,6 +419,7 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
             graphql?: string | undefined;
             packages?: string | undefined;
             workflow?: string | undefined;
+            approvals?: string | undefined;
             realtime?: string | undefined;
             notifications?: string | undefined;
             ai?: string | undefined;
@@ -549,14 +550,14 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
                     provider: "api";
                     read?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
                     } | undefined;
                     write?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
@@ -1849,7 +1850,7 @@ declare class ObjectQL implements IDataEngine {
      * **fail-closed** — the write throws rather than persist cleartext.
      *
      * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-     * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+     * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
      * provider in production.
      */
     setCryptoProvider(provider: ICryptoProvider): void;
@@ -2379,7 +2380,7 @@ declare function wrapDeclarativeHook(meta: Hook, handler: HookHandler, opts?: Wr
 
 interface FieldValidationError {
     field: string;
-    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation';
+    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation' | 'invalid_format' | 'invalid_json' | 'json_schema_violation';
     message: string;
     /** Allowed values for select/multiselect, when applicable. */
     options?: string[];

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -5333,12 +5343,25 @@ function validateRecord(objectSchema, data, mode) {
 
 // src/validation/rule-validator.ts
 var import_formula2 = require("@objectstack/formula");
+var import_ajv = __toESM(require("ajv"));
+var ajv = new import_ajv.default({ allErrors: true, strict: false });
+var jsonSchemaCache = /* @__PURE__ */ new WeakMap();
 function needsPriorRecord(objectSchema) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return false;
-  return rules.some(
-    (r) => r != null && typeof r === "object" && (r.type === "state_machine" || r.type === "cross_field" || r.type === "script")
-  );
+  return rules.some((r) => ruleNeedsPrior(r));
+}
+function ruleNeedsPrior(r) {
+  if (r == null || typeof r !== "object") return false;
+  const type = r.type;
+  if (type === "state_machine" || type === "cross_field" || type === "script") {
+    return true;
+  }
+  if (type === "conditional") {
+    const c = r;
+    return ruleNeedsPrior(c.then) || ruleNeedsPrior(c.otherwise);
+  }
+  return false;
 }
 function toExpression(cond) {
   return typeof cond === "string" ? { dialect: "cel", source: cond } : cond;
@@ -5348,6 +5371,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   if (!Array.isArray(rules) || rules.length === 0 || !data) return;
   const previous = opts.previous ?? void 0;
   const merged = { ...previous ?? {}, ...data };
+  const ctx = { data, merged, previous, mode, logger: opts.logger };
   const errors = [];
   const ordered = rules.filter((r) => r != null && typeof r === "object").filter((r) => r.active !== false).filter((r) => {
     const events = r.events ?? ["insert", "update"];
@@ -5356,11 +5380,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   for (const rule of ordered) {
     let violation = null;
     try {
-      if (rule.type === "state_machine") {
-        violation = checkStateMachine(rule, mode, data, previous);
-      } else if (rule.type === "script" || rule.type === "cross_field") {
-        violation = checkPredicate(rule, merged, previous, opts.logger);
-      }
+      violation = evaluateRule(rule, ctx);
     } catch (err) {
       opts.logger?.warn?.(`Validation rule '${rule.name}' threw \u2014 skipped`, err);
       continue;
@@ -5377,6 +5397,23 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   }
   if (errors.length > 0) throw new ValidationError(errors);
 }
+function evaluateRule(rule, ctx) {
+  switch (rule.type) {
+    case "state_machine":
+      return checkStateMachine(rule, ctx.mode, ctx.data, ctx.previous);
+    case "script":
+    case "cross_field":
+      return checkPredicate(rule, ctx.merged, ctx.previous, ctx.logger);
+    case "format":
+      return checkFormat(rule, ctx.data, ctx.logger);
+    case "json_schema":
+      return checkJsonSchema(rule, ctx.data, ctx.logger);
+    case "conditional":
+      return checkConditional(rule, ctx);
+    default:
+      return null;
+  }
+}
 function checkStateMachine(rule, mode, data, previous) {
   if (mode === "insert" || !previous) return null;
   if (!(rule.field in data)) return null;
@@ -5416,6 +5453,99 @@ function checkPredicate(rule, record, previous, logger) {
   }
   return null;
 }
+var EMAIL_RE2 = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var PHONE_RE2 = /^\+?[\d\s().-]{7,20}$/;
+function checkFormat(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  const value = data[rule.field];
+  if (value === null || value === void 0 || value === "") return null;
+  const str = String(value);
+  if (rule.regex) {
+    let re;
+    try {
+      re = new RegExp(rule.regex);
+    } catch {
+      logger?.warn?.(`Validation rule '${rule.name}' has an invalid regex \u2014 skipped`);
+      return null;
+    }
+    if (!re.test(str)) return formatViolation(rule);
+  }
+  if (rule.format && !matchesNamedFormat(rule.format, str)) {
+    return formatViolation(rule);
+  }
+  return null;
+}
+function matchesNamedFormat(format, str) {
+  switch (format) {
+    case "email":
+      return EMAIL_RE2.test(str);
+    case "phone":
+      return PHONE_RE2.test(str);
+    case "url":
+      try {
+        new URL(str);
+        return true;
+      } catch {
+        return false;
+      }
+    case "json":
+      try {
+        JSON.parse(str);
+        return true;
+      } catch {
+        return false;
+      }
+    default:
+      return true;
+  }
+}
+function formatViolation(rule) {
+  return { field: rule.field, code: "invalid_format", message: rule.message };
+}
+function checkJsonSchema(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  let value = data[rule.field];
+  if (value === null || value === void 0) return null;
+  if (typeof value === "string") {
+    try {
+      value = JSON.parse(value);
+    } catch {
+      return { field: rule.field, code: "invalid_json", message: rule.message };
+    }
+  }
+  let validate = jsonSchemaCache.get(rule.schema);
+  if (!validate) {
+    try {
+      validate = ajv.compile(rule.schema);
+    } catch (err) {
+      logger?.warn?.(
+        `Validation rule '${rule.name}' has an uncompilable JSON Schema \u2014 skipped`,
+        err
+      );
+      return null;
+    }
+    jsonSchemaCache.set(rule.schema, validate);
+  }
+  if (!validate(value)) {
+    return { field: rule.field, code: "json_schema_violation", message: rule.message };
+  }
+  return null;
+}
+function checkConditional(rule, ctx) {
+  const result = import_formula2.ExpressionEngine.evaluate(toExpression(rule.when), {
+    record: ctx.merged,
+    previous: ctx.previous ?? void 0
+  });
+  if (!result.ok) {
+    ctx.logger?.warn?.(
+      `Validation rule '${rule.name}' when-predicate failed to evaluate (${result.error.kind}: ${result.error.message}) \u2014 skipped`
+    );
+    return null;
+  }
+  const branch = result.value === true ? rule.then : rule.otherwise;
+  if (!branch || branch.active === false) return null;
+  return evaluateRule(branch, ctx);
+}
 function legalNextStates(objectSchema, field, currentState) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return null;
@@ -6376,7 +6506,7 @@ var _ObjectQL = class _ObjectQL {
    * **fail-closed** — the write throws rather than persist cleartext.
    *
    * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-   * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+   * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
    * provider in production.
    */
   setCryptoProvider(provider) {
@@ -6414,7 +6544,7 @@ var _ObjectQL = class _ObjectQL {
       }
       if (!this.cryptoProvider) {
         throw new Error(
-          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. InMemoryCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
+          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. LocalCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
         );
       }
       const plain = typeof value === "string" ? value : JSON.stringify(value);