@objectstack/objectql 7.5.0 → 7.7.0

package/dist/index.d.mts

@@ -81,11 +81,13 @@ type RegistryLogLevel = 'debug' | 'info' | 'warn' | 'error' | 'silent';
  */
 interface SchemaRegistryOptions {
     /**
-     * Whether the host kernel runs in multi-tenant mode. When `true`, the
-     * registry auto-injects `organization_id` (lookup → sys_organization)
-     * into every registered user object that doesn't already declare it and
-     * isn't `managedBy` an external subsystem or explicitly opted-out via
-     * `systemFields: false`.
+     * Whether the host kernel runs in multi-tenant mode. The `organization_id`
+     * column itself is auto-injected regardless of this flag (lookup →
+     * sys_organization, on every registered object that doesn't already declare
+     * it, isn't `managedBy` an external subsystem, and hasn't opted out via
+     * `systemFields`/`tenancy.enabled:false`). When `true` the injected column
+     * is additionally INDEXED — single-tenant stacks skip the index since
+     * nothing ever filters by organization.
      *
      * Sourced from the `OS_MULTI_TENANT` env var when not explicitly set —
      * matches how the SecurityPlugin and CLI startup banner pick the mode.
@@ -107,9 +109,12 @@ interface SchemaRegistryOptions {
  * via the natural `{ ...sys, ...authored }` merge.
  *
  * Currently injects:
- *   - `organization_id` — multi-tenant deployments. Required-false (the
- *     SecurityPlugin populates it on insert; nullable rows are still
- *     filtered out by the `tenant_isolation` RLS USING clause).
+ *   - `organization_id` — always provisioned (unless the object opts out via
+ *     `systemFields`/`tenancy.enabled:false` or is `better-auth` managed) so
+ *     the column never depends on the global multi-tenant flag. Required-false;
+ *     org-scoping populates it on insert in multi-tenant mode, and it stays
+ *     NULL on single-tenant stacks. Only the column's INDEX is gated on
+ *     `multiTenant` (no per-tenant filtering exists single-tenant).
  *   - `created_at` / `created_by` / `updated_at` / `updated_by` — audit
  *     fields. Marked `system: true, readonly: true` so detail views can
  *     surface them in a dedicated "System Information" section while
@@ -419,6 +424,7 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
             graphql?: string | undefined;
             packages?: string | undefined;
             workflow?: string | undefined;
+            approvals?: string | undefined;
             realtime?: string | undefined;
             notifications?: string | undefined;
             ai?: string | undefined;
@@ -549,14 +555,14 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
                     provider: "api";
                     read?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
                     } | undefined;
                     write?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
@@ -1849,7 +1855,7 @@ declare class ObjectQL implements IDataEngine {
      * **fail-closed** — the write throws rather than persist cleartext.
      *
      * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-     * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+     * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
      * provider in production.
      */
     setCryptoProvider(provider: ICryptoProvider): void;
@@ -2379,7 +2385,7 @@ declare function wrapDeclarativeHook(meta: Hook, handler: HookHandler, opts?: Wr
 
 interface FieldValidationError {
     field: string;
-    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation';
+    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation' | 'invalid_format' | 'invalid_json' | 'json_schema_violation';
     message: string;
     /** Allowed values for select/multiselect, when applicable. */
     options?: string[];

package/dist/index.d.ts

@@ -81,11 +81,13 @@ type RegistryLogLevel = 'debug' | 'info' | 'warn' | 'error' | 'silent';
  */
 interface SchemaRegistryOptions {
     /**
-     * Whether the host kernel runs in multi-tenant mode. When `true`, the
-     * registry auto-injects `organization_id` (lookup → sys_organization)
-     * into every registered user object that doesn't already declare it and
-     * isn't `managedBy` an external subsystem or explicitly opted-out via
-     * `systemFields: false`.
+     * Whether the host kernel runs in multi-tenant mode. The `organization_id`
+     * column itself is auto-injected regardless of this flag (lookup →
+     * sys_organization, on every registered object that doesn't already declare
+     * it, isn't `managedBy` an external subsystem, and hasn't opted out via
+     * `systemFields`/`tenancy.enabled:false`). When `true` the injected column
+     * is additionally INDEXED — single-tenant stacks skip the index since
+     * nothing ever filters by organization.
      *
      * Sourced from the `OS_MULTI_TENANT` env var when not explicitly set —
      * matches how the SecurityPlugin and CLI startup banner pick the mode.
@@ -107,9 +109,12 @@ interface SchemaRegistryOptions {
  * via the natural `{ ...sys, ...authored }` merge.
  *
  * Currently injects:
- *   - `organization_id` — multi-tenant deployments. Required-false (the
- *     SecurityPlugin populates it on insert; nullable rows are still
- *     filtered out by the `tenant_isolation` RLS USING clause).
+ *   - `organization_id` — always provisioned (unless the object opts out via
+ *     `systemFields`/`tenancy.enabled:false` or is `better-auth` managed) so
+ *     the column never depends on the global multi-tenant flag. Required-false;
+ *     org-scoping populates it on insert in multi-tenant mode, and it stays
+ *     NULL on single-tenant stacks. Only the column's INDEX is gated on
+ *     `multiTenant` (no per-tenant filtering exists single-tenant).
  *   - `created_at` / `created_by` / `updated_at` / `updated_by` — audit
  *     fields. Marked `system: true, readonly: true` so detail views can
  *     surface them in a dedicated "System Information" section while
@@ -419,6 +424,7 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
             graphql?: string | undefined;
             packages?: string | undefined;
             workflow?: string | undefined;
+            approvals?: string | undefined;
             realtime?: string | undefined;
             notifications?: string | undefined;
             ai?: string | undefined;
@@ -549,14 +555,14 @@ declare class ObjectStackProtocolImplementation implements ObjectStackProtocol {
                     provider: "api";
                     read?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
                     } | undefined;
                     write?: {
                         url: string;
-                        method: "GET" | "POST" | "PATCH" | "PUT" | "DELETE";
+                        method: "POST" | "PATCH" | "PUT" | "DELETE" | "GET";
                         headers?: Record<string, string> | undefined;
                         params?: Record<string, unknown> | undefined;
                         body?: unknown;
@@ -1849,7 +1855,7 @@ declare class ObjectQL implements IDataEngine {
      * **fail-closed** — the write throws rather than persist cleartext.
      *
      * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-     * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+     * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
      * provider in production.
      */
     setCryptoProvider(provider: ICryptoProvider): void;
@@ -2379,7 +2385,7 @@ declare function wrapDeclarativeHook(meta: Hook, handler: HookHandler, opts?: Wr
 
 interface FieldValidationError {
     field: string;
-    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation';
+    code: 'required' | 'min_length' | 'max_length' | 'min_value' | 'max_value' | 'invalid_email' | 'invalid_url' | 'invalid_phone' | 'invalid_number' | 'invalid_boolean' | 'invalid_date' | 'invalid_option' | 'invalid_transition' | 'rule_violation' | 'invalid_format' | 'invalid_json' | 'json_schema_violation';
     message: string;
     /** Allowed values for select/multiselect, when applicable. */
     options?: string[];

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -100,7 +110,7 @@ function applySystemFields(schema, opts) {
   if (schema.managedBy === "better-auth") return schema;
   const sf = typeof schema.systemFields === "object" && schema.systemFields !== null ? schema.systemFields : void 0;
   const tenancyDisabled = schema.tenancy?.enabled === false;
-  const wantTenant = opts.multiTenant && sf?.tenant !== false && !tenancyDisabled;
+  const wantTenant = sf?.tenant !== false && !tenancyDisabled;
   const wantAudit = sf?.audit !== false;
   const additions = {};
   if (wantTenant && !schema.fields?.organization_id) {
@@ -109,11 +119,11 @@ function applySystemFields(schema, opts) {
       reference: "sys_organization",
       label: "Organization",
       required: false,
-      indexed: true,
+      indexed: opts.multiTenant,
       hidden: true,
       readonly: true,
       system: true,
-      description: "Tenant scope (auto-populated by SecurityPlugin on insert)."
+      description: "Tenant scope (auto-populated by org-scoping on insert; NULL on single-tenant stacks)."
     };
   }
   if (wantAudit) {
@@ -5333,12 +5343,25 @@ function validateRecord(objectSchema, data, mode) {
 
 // src/validation/rule-validator.ts
 var import_formula2 = require("@objectstack/formula");
+var import_ajv = __toESM(require("ajv"));
+var ajv = new import_ajv.default({ allErrors: true, strict: false });
+var jsonSchemaCache = /* @__PURE__ */ new WeakMap();
 function needsPriorRecord(objectSchema) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return false;
-  return rules.some(
-    (r) => r != null && typeof r === "object" && (r.type === "state_machine" || r.type === "cross_field" || r.type === "script")
-  );
+  return rules.some((r) => ruleNeedsPrior(r));
+}
+function ruleNeedsPrior(r) {
+  if (r == null || typeof r !== "object") return false;
+  const type = r.type;
+  if (type === "state_machine" || type === "cross_field" || type === "script") {
+    return true;
+  }
+  if (type === "conditional") {
+    const c = r;
+    return ruleNeedsPrior(c.then) || ruleNeedsPrior(c.otherwise);
+  }
+  return false;
 }
 function toExpression(cond) {
   return typeof cond === "string" ? { dialect: "cel", source: cond } : cond;
@@ -5348,6 +5371,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   if (!Array.isArray(rules) || rules.length === 0 || !data) return;
   const previous = opts.previous ?? void 0;
   const merged = { ...previous ?? {}, ...data };
+  const ctx = { data, merged, previous, mode, logger: opts.logger };
   const errors = [];
   const ordered = rules.filter((r) => r != null && typeof r === "object").filter((r) => r.active !== false).filter((r) => {
     const events = r.events ?? ["insert", "update"];
@@ -5356,11 +5380,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   for (const rule of ordered) {
     let violation = null;
     try {
-      if (rule.type === "state_machine") {
-        violation = checkStateMachine(rule, mode, data, previous);
-      } else if (rule.type === "script" || rule.type === "cross_field") {
-        violation = checkPredicate(rule, merged, previous, opts.logger);
-      }
+      violation = evaluateRule(rule, ctx);
     } catch (err) {
       opts.logger?.warn?.(`Validation rule '${rule.name}' threw \u2014 skipped`, err);
       continue;
@@ -5377,6 +5397,23 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   }
   if (errors.length > 0) throw new ValidationError(errors);
 }
+function evaluateRule(rule, ctx) {
+  switch (rule.type) {
+    case "state_machine":
+      return checkStateMachine(rule, ctx.mode, ctx.data, ctx.previous);
+    case "script":
+    case "cross_field":
+      return checkPredicate(rule, ctx.merged, ctx.previous, ctx.logger);
+    case "format":
+      return checkFormat(rule, ctx.data, ctx.logger);
+    case "json_schema":
+      return checkJsonSchema(rule, ctx.data, ctx.logger);
+    case "conditional":
+      return checkConditional(rule, ctx);
+    default:
+      return null;
+  }
+}
 function checkStateMachine(rule, mode, data, previous) {
   if (mode === "insert" || !previous) return null;
   if (!(rule.field in data)) return null;
@@ -5416,6 +5453,99 @@ function checkPredicate(rule, record, previous, logger) {
   }
   return null;
 }
+var EMAIL_RE2 = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var PHONE_RE2 = /^\+?[\d\s().-]{7,20}$/;
+function checkFormat(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  const value = data[rule.field];
+  if (value === null || value === void 0 || value === "") return null;
+  const str = String(value);
+  if (rule.regex) {
+    let re;
+    try {
+      re = new RegExp(rule.regex);
+    } catch {
+      logger?.warn?.(`Validation rule '${rule.name}' has an invalid regex \u2014 skipped`);
+      return null;
+    }
+    if (!re.test(str)) return formatViolation(rule);
+  }
+  if (rule.format && !matchesNamedFormat(rule.format, str)) {
+    return formatViolation(rule);
+  }
+  return null;
+}
+function matchesNamedFormat(format, str) {
+  switch (format) {
+    case "email":
+      return EMAIL_RE2.test(str);
+    case "phone":
+      return PHONE_RE2.test(str);
+    case "url":
+      try {
+        new URL(str);
+        return true;
+      } catch {
+        return false;
+      }
+    case "json":
+      try {
+        JSON.parse(str);
+        return true;
+      } catch {
+        return false;
+      }
+    default:
+      return true;
+  }
+}
+function formatViolation(rule) {
+  return { field: rule.field, code: "invalid_format", message: rule.message };
+}
+function checkJsonSchema(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  let value = data[rule.field];
+  if (value === null || value === void 0) return null;
+  if (typeof value === "string") {
+    try {
+      value = JSON.parse(value);
+    } catch {
+      return { field: rule.field, code: "invalid_json", message: rule.message };
+    }
+  }
+  let validate = jsonSchemaCache.get(rule.schema);
+  if (!validate) {
+    try {
+      validate = ajv.compile(rule.schema);
+    } catch (err) {
+      logger?.warn?.(
+        `Validation rule '${rule.name}' has an uncompilable JSON Schema \u2014 skipped`,
+        err
+      );
+      return null;
+    }
+    jsonSchemaCache.set(rule.schema, validate);
+  }
+  if (!validate(value)) {
+    return { field: rule.field, code: "json_schema_violation", message: rule.message };
+  }
+  return null;
+}
+function checkConditional(rule, ctx) {
+  const result = import_formula2.ExpressionEngine.evaluate(toExpression(rule.when), {
+    record: ctx.merged,
+    previous: ctx.previous ?? void 0
+  });
+  if (!result.ok) {
+    ctx.logger?.warn?.(
+      `Validation rule '${rule.name}' when-predicate failed to evaluate (${result.error.kind}: ${result.error.message}) \u2014 skipped`
+    );
+    return null;
+  }
+  const branch = result.value === true ? rule.then : rule.otherwise;
+  if (!branch || branch.active === false) return null;
+  return evaluateRule(branch, ctx);
+}
 function legalNextStates(objectSchema, field, currentState) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return null;
@@ -6376,7 +6506,7 @@ var _ObjectQL = class _ObjectQL {
    * **fail-closed** — the write throws rather than persist cleartext.
    *
    * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-   * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+   * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
    * provider in production.
    */
   setCryptoProvider(provider) {
@@ -6414,7 +6544,7 @@ var _ObjectQL = class _ObjectQL {
       }
       if (!this.cryptoProvider) {
         throw new Error(
-          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. InMemoryCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
+          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. LocalCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
         );
       }
       const plain = typeof value === "string" ? value : JSON.stringify(value);
@@ -6948,7 +7078,11 @@ var _ObjectQL = class _ObjectQL {
     const driver = this.getDriver(object);
     let id = data.id;
     if (!id && options?.where && typeof options.where === "object" && "id" in options.where) {
-      id = options.where.id;
+      const whereId = options.where.id;
+      const t = typeof whereId;
+      if (whereId !== null && (t === "string" || t === "number" || t === "bigint")) {
+        id = whereId;
+      }
     }
     const opCtx = {
       object,
@@ -7673,6 +7807,7 @@ var MetadataFacade = class {
 
 // src/plugin.ts
 var import_system3 = require("@objectstack/spec/system");
+var import_metadata_core3 = require("@objectstack/metadata-core");
 function hasLoadMetaFromDb(service) {
   return typeof service === "object" && service !== null && typeof service["loadMetaFromDb"] === "function";
 }
@@ -7709,6 +7844,21 @@ var ObjectQLPlugin = class {
       ctx.logger.info("ObjectQL engine registered", {
         services: ["objectql", "data", "manifest"]
       });
+      if (this.environmentId === void 0) {
+        this.ql.registerApp({
+          id: "com.objectstack.metadata-objects",
+          name: "Metadata Platform Objects",
+          version: "1.0.0",
+          type: "plugin",
+          scope: "system",
+          objects: [
+            import_metadata_core3.SysMetadataObject,
+            import_metadata_core3.SysMetadataHistoryObject,
+            import_metadata_core3.SysMetadataAuditObject,
+            import_metadata_core3.SysViewDefinitionObject
+          ]
+        });
+      }
       const protocolShim = new ObjectStackProtocolImplementation(
         this.ql,
         () => ctx.getServices ? ctx.getServices() : /* @__PURE__ */ new Map(),