@objectstack/objectql 7.5.0 → 7.7.0

package/dist/index.mjs

@@ -41,7 +41,7 @@ function applySystemFields(schema, opts) {
   if (schema.managedBy === "better-auth") return schema;
   const sf = typeof schema.systemFields === "object" && schema.systemFields !== null ? schema.systemFields : void 0;
   const tenancyDisabled = schema.tenancy?.enabled === false;
-  const wantTenant = opts.multiTenant && sf?.tenant !== false && !tenancyDisabled;
+  const wantTenant = sf?.tenant !== false && !tenancyDisabled;
   const wantAudit = sf?.audit !== false;
   const additions = {};
   if (wantTenant && !schema.fields?.organization_id) {
@@ -50,11 +50,11 @@ function applySystemFields(schema, opts) {
       reference: "sys_organization",
       label: "Organization",
       required: false,
-      indexed: true,
+      indexed: opts.multiTenant,
       hidden: true,
       readonly: true,
       system: true,
-      description: "Tenant scope (auto-populated by SecurityPlugin on insert)."
+      description: "Tenant scope (auto-populated by org-scoping on insert; NULL on single-tenant stacks)."
     };
   }
   if (wantAudit) {
@@ -5279,12 +5279,25 @@ function validateRecord(objectSchema, data, mode) {
 
 // src/validation/rule-validator.ts
 import { ExpressionEngine as ExpressionEngine2 } from "@objectstack/formula";
+import Ajv from "ajv";
+var ajv = new Ajv({ allErrors: true, strict: false });
+var jsonSchemaCache = /* @__PURE__ */ new WeakMap();
 function needsPriorRecord(objectSchema) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return false;
-  return rules.some(
-    (r) => r != null && typeof r === "object" && (r.type === "state_machine" || r.type === "cross_field" || r.type === "script")
-  );
+  return rules.some((r) => ruleNeedsPrior(r));
+}
+function ruleNeedsPrior(r) {
+  if (r == null || typeof r !== "object") return false;
+  const type = r.type;
+  if (type === "state_machine" || type === "cross_field" || type === "script") {
+    return true;
+  }
+  if (type === "conditional") {
+    const c = r;
+    return ruleNeedsPrior(c.then) || ruleNeedsPrior(c.otherwise);
+  }
+  return false;
 }
 function toExpression(cond) {
   return typeof cond === "string" ? { dialect: "cel", source: cond } : cond;
@@ -5294,6 +5307,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   if (!Array.isArray(rules) || rules.length === 0 || !data) return;
   const previous = opts.previous ?? void 0;
   const merged = { ...previous ?? {}, ...data };
+  const ctx = { data, merged, previous, mode, logger: opts.logger };
   const errors = [];
   const ordered = rules.filter((r) => r != null && typeof r === "object").filter((r) => r.active !== false).filter((r) => {
     const events = r.events ?? ["insert", "update"];
@@ -5302,11 +5316,7 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   for (const rule of ordered) {
     let violation = null;
     try {
-      if (rule.type === "state_machine") {
-        violation = checkStateMachine(rule, mode, data, previous);
-      } else if (rule.type === "script" || rule.type === "cross_field") {
-        violation = checkPredicate(rule, merged, previous, opts.logger);
-      }
+      violation = evaluateRule(rule, ctx);
     } catch (err) {
       opts.logger?.warn?.(`Validation rule '${rule.name}' threw \u2014 skipped`, err);
       continue;
@@ -5323,6 +5333,23 @@ function evaluateValidationRules(objectSchema, data, mode, opts = {}) {
   }
   if (errors.length > 0) throw new ValidationError(errors);
 }
+function evaluateRule(rule, ctx) {
+  switch (rule.type) {
+    case "state_machine":
+      return checkStateMachine(rule, ctx.mode, ctx.data, ctx.previous);
+    case "script":
+    case "cross_field":
+      return checkPredicate(rule, ctx.merged, ctx.previous, ctx.logger);
+    case "format":
+      return checkFormat(rule, ctx.data, ctx.logger);
+    case "json_schema":
+      return checkJsonSchema(rule, ctx.data, ctx.logger);
+    case "conditional":
+      return checkConditional(rule, ctx);
+    default:
+      return null;
+  }
+}
 function checkStateMachine(rule, mode, data, previous) {
   if (mode === "insert" || !previous) return null;
   if (!(rule.field in data)) return null;
@@ -5362,6 +5389,99 @@ function checkPredicate(rule, record, previous, logger) {
   }
   return null;
 }
+var EMAIL_RE2 = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var PHONE_RE2 = /^\+?[\d\s().-]{7,20}$/;
+function checkFormat(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  const value = data[rule.field];
+  if (value === null || value === void 0 || value === "") return null;
+  const str = String(value);
+  if (rule.regex) {
+    let re;
+    try {
+      re = new RegExp(rule.regex);
+    } catch {
+      logger?.warn?.(`Validation rule '${rule.name}' has an invalid regex \u2014 skipped`);
+      return null;
+    }
+    if (!re.test(str)) return formatViolation(rule);
+  }
+  if (rule.format && !matchesNamedFormat(rule.format, str)) {
+    return formatViolation(rule);
+  }
+  return null;
+}
+function matchesNamedFormat(format, str) {
+  switch (format) {
+    case "email":
+      return EMAIL_RE2.test(str);
+    case "phone":
+      return PHONE_RE2.test(str);
+    case "url":
+      try {
+        new URL(str);
+        return true;
+      } catch {
+        return false;
+      }
+    case "json":
+      try {
+        JSON.parse(str);
+        return true;
+      } catch {
+        return false;
+      }
+    default:
+      return true;
+  }
+}
+function formatViolation(rule) {
+  return { field: rule.field, code: "invalid_format", message: rule.message };
+}
+function checkJsonSchema(rule, data, logger) {
+  if (!(rule.field in data)) return null;
+  let value = data[rule.field];
+  if (value === null || value === void 0) return null;
+  if (typeof value === "string") {
+    try {
+      value = JSON.parse(value);
+    } catch {
+      return { field: rule.field, code: "invalid_json", message: rule.message };
+    }
+  }
+  let validate = jsonSchemaCache.get(rule.schema);
+  if (!validate) {
+    try {
+      validate = ajv.compile(rule.schema);
+    } catch (err) {
+      logger?.warn?.(
+        `Validation rule '${rule.name}' has an uncompilable JSON Schema \u2014 skipped`,
+        err
+      );
+      return null;
+    }
+    jsonSchemaCache.set(rule.schema, validate);
+  }
+  if (!validate(value)) {
+    return { field: rule.field, code: "json_schema_violation", message: rule.message };
+  }
+  return null;
+}
+function checkConditional(rule, ctx) {
+  const result = ExpressionEngine2.evaluate(toExpression(rule.when), {
+    record: ctx.merged,
+    previous: ctx.previous ?? void 0
+  });
+  if (!result.ok) {
+    ctx.logger?.warn?.(
+      `Validation rule '${rule.name}' when-predicate failed to evaluate (${result.error.kind}: ${result.error.message}) \u2014 skipped`
+    );
+    return null;
+  }
+  const branch = result.value === true ? rule.then : rule.otherwise;
+  if (!branch || branch.active === false) return null;
+  return evaluateRule(branch, ctx);
+}
 function legalNextStates(objectSchema, field, currentState) {
   const rules = objectSchema?.validations;
   if (!Array.isArray(rules)) return null;
@@ -6322,7 +6442,7 @@ var _ObjectQL = class _ObjectQL {
    * **fail-closed** — the write throws rather than persist cleartext.
    *
    * Mirrors the Settings subsystem's ICryptoProvider wiring; the host (e.g.
-   * `serve`) injects `InMemoryCryptoProvider` in dev and a KMS/Vault-backed
+   * `serve`) injects `LocalCryptoProvider` in dev and a KMS/Vault-backed
    * provider in production.
    */
   setCryptoProvider(provider) {
@@ -6360,7 +6480,7 @@ var _ObjectQL = class _ObjectQL {
       }
       if (!this.cryptoProvider) {
         throw new Error(
-          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. InMemoryCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
+          `Cannot persist secret field "${object}.${field}": no CryptoProvider is registered. Wire one via engine.setCryptoProvider(...) (e.g. LocalCryptoProvider in dev, a KMS/Vault provider in production). Refusing to store cleartext (fail-closed).`
         );
       }
       const plain = typeof value === "string" ? value : JSON.stringify(value);
@@ -6894,7 +7014,11 @@ var _ObjectQL = class _ObjectQL {
     const driver = this.getDriver(object);
     let id = data.id;
     if (!id && options?.where && typeof options.where === "object" && "id" in options.where) {
-      id = options.where.id;
+      const whereId = options.where.id;
+      const t = typeof whereId;
+      if (whereId !== null && (t === "string" || t === "number" || t === "bigint")) {
+        id = whereId;
+      }
     }
     const opCtx = {
       object,
@@ -7619,6 +7743,12 @@ var MetadataFacade = class {
 
 // src/plugin.ts
 import { StorageNameMapping as StorageNameMapping2 } from "@objectstack/spec/system";
+import {
+  SysMetadataObject,
+  SysMetadataHistoryObject,
+  SysMetadataAuditObject,
+  SysViewDefinitionObject
+} from "@objectstack/metadata-core";
 function hasLoadMetaFromDb(service) {
   return typeof service === "object" && service !== null && typeof service["loadMetaFromDb"] === "function";
 }
@@ -7655,6 +7785,21 @@ var ObjectQLPlugin = class {
       ctx.logger.info("ObjectQL engine registered", {
         services: ["objectql", "data", "manifest"]
       });
+      if (this.environmentId === void 0) {
+        this.ql.registerApp({
+          id: "com.objectstack.metadata-objects",
+          name: "Metadata Platform Objects",
+          version: "1.0.0",
+          type: "plugin",
+          scope: "system",
+          objects: [
+            SysMetadataObject,
+            SysMetadataHistoryObject,
+            SysMetadataAuditObject,
+            SysViewDefinitionObject
+          ]
+        });
+      }
       const protocolShim = new ObjectStackProtocolImplementation(
         this.ql,
         () => ctx.getServices ? ctx.getServices() : /* @__PURE__ */ new Map(),