@objectstack/platform-objects 12.5.0 → 13.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -35,13 +35,14 @@ var SysUser = ObjectSchema.create({
35
35
  locations: ["list_toolbar"],
36
36
  type: "api",
37
37
  target: "/api/v1/auth/organization/invite-member",
38
- // Org invitations are a multi-org-only flow (the endpoint resolves
39
- // an active org that does not exist in single-org mode). Hide the
40
- // affordance unless multi-org is enabled matching the
41
- // `create_organization` gate on sys_organization. This action is the
42
- // most exposed of the set because the Users list is always reachable
43
- // in single-org, unlike the org/membership lists.
44
- visible: "features.multiOrgEnabled != false",
38
+ // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the
39
+ // better-auth organization plugin is always mounted, and single-org
40
+ // mode now bootstraps a Default Organization (plugin-auth) so the
41
+ // endpoint's active-org resolution works there too. This is THE
42
+ // "add a teammate" affordance the Users list is always reachable
43
+ // and every add flows through better-auth invitations, never bespoke
44
+ // sys_user CRUD.
45
+ visible: "features.organization != false",
45
46
  successMessage: "Invitation sent",
46
47
  refreshAfter: true,
47
48
  params: [
@@ -930,6 +931,12 @@ var SysVerification = ObjectSchema.create({
930
931
  icon: "shield-check",
931
932
  isSystem: true,
932
933
  managedBy: "better-auth",
934
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE one-time credentials
935
+ // (email/phone verification + password-reset tokens) — reading one is
936
+ // account takeover. Not covered by the wildcard `'*'` grant; admins retain
937
+ // access via the superuser bypass; better-auth reads via its adapter
938
+ // (system context), so verification flows are unaffected.
939
+ access: { default: "private" },
933
940
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
934
941
  // but may add overlay row-level config. Use `no-overlay` if you need to
935
942
  // forbid sys_metadata overlays entirely.
@@ -1263,11 +1270,11 @@ var SysMember = ObjectSchema.create({
1263
1270
  locations: ["list_toolbar"],
1264
1271
  type: "api",
1265
1272
  target: "/api/v1/auth/organization/add-member",
1266
- // Org-membership mutations are multi-org-only: the better-auth
1267
- // endpoints resolve an active org that does not exist in single-org
1268
- // mode, so these actions would fail at the API. Gate every one on
1269
- // the multi-org flag (mirrors sys_organization.create_organization).
1270
- visible: "features.multiOrgEnabled != false",
1273
+ // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the
1274
+ // better-auth endpoints resolve the session's active org, which
1275
+ // single-org mode now guarantees via plugin-auth's default-org
1276
+ // bootstrap. Same gate on every membership mutation below.
1277
+ visible: "features.organization != false",
1271
1278
  successMessage: "Member added",
1272
1279
  refreshAfter: true,
1273
1280
  params: [
@@ -1285,7 +1292,7 @@ var SysMember = ObjectSchema.create({
1285
1292
  type: "api",
1286
1293
  target: "/api/v1/auth/organization/update-member-role",
1287
1294
  recordIdParam: "memberId",
1288
- visible: "features.multiOrgEnabled != false",
1295
+ visible: "features.organization != false",
1289
1296
  successMessage: "Member role updated",
1290
1297
  refreshAfter: true,
1291
1298
  params: [
@@ -1302,7 +1309,7 @@ var SysMember = ObjectSchema.create({
1302
1309
  type: "api",
1303
1310
  target: "/api/v1/auth/organization/remove-member",
1304
1311
  recordIdParam: "memberIdOrEmail",
1305
- visible: "features.multiOrgEnabled != false",
1312
+ visible: "features.organization != false",
1306
1313
  confirmText: "Remove this member from the organization? They will lose access to all org resources.",
1307
1314
  successMessage: "Member removed",
1308
1315
  refreshAfter: true
@@ -1324,7 +1331,7 @@ var SysMember = ObjectSchema.create({
1324
1331
  target: "/api/v1/auth/organization/update-member-role",
1325
1332
  recordIdParam: "memberId",
1326
1333
  bodyExtra: { role: "owner" },
1327
- visible: "record.role != 'owner' && features.multiOrgEnabled != false",
1334
+ visible: "record.role != 'owner' && features.organization != false",
1328
1335
  confirmText: "Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.",
1329
1336
  successMessage: "Ownership transferred",
1330
1337
  refreshAfter: true
@@ -1432,7 +1439,7 @@ var SysInvitation = ObjectSchema.create({
1432
1439
  // sys_organization.create_organization). The recipient-side
1433
1440
  // accept/reject actions below stay record-gated — they are
1434
1441
  // unreachable in single-org anyway (no invitation rows exist).
1435
- visible: "features.multiOrgEnabled != false",
1442
+ visible: "features.organization != false",
1436
1443
  successMessage: "Invitation sent",
1437
1444
  refreshAfter: true,
1438
1445
  params: [
@@ -1450,7 +1457,7 @@ var SysInvitation = ObjectSchema.create({
1450
1457
  type: "api",
1451
1458
  target: "/api/v1/auth/organization/cancel-invitation",
1452
1459
  recordIdParam: "invitationId",
1453
- visible: "features.multiOrgEnabled != false",
1460
+ visible: "features.organization != false",
1454
1461
  confirmText: "Cancel this invitation? The recipient will no longer be able to accept it.",
1455
1462
  successMessage: "Invitation canceled",
1456
1463
  refreshAfter: true
@@ -1464,7 +1471,7 @@ var SysInvitation = ObjectSchema.create({
1464
1471
  type: "api",
1465
1472
  target: "/api/v1/auth/organization/invite-member",
1466
1473
  bodyExtra: { resend: true },
1467
- visible: "features.multiOrgEnabled != false",
1474
+ visible: "features.organization != false",
1468
1475
  successMessage: "Invitation resent",
1469
1476
  refreshAfter: true,
1470
1477
  params: [
@@ -1654,7 +1661,7 @@ var SysTeam = ObjectSchema.create({
1654
1661
  // Teams are nested inside organizations — a multi-org-only concept.
1655
1662
  // Gate every team mutation on the multi-org flag so the affordances
1656
1663
  // disappear in single-org (mirrors sys_organization.create_organization).
1657
- visible: "features.multiOrgEnabled != false",
1664
+ visible: "features.organization != false",
1658
1665
  successMessage: "Team created",
1659
1666
  refreshAfter: true,
1660
1667
  params: [
@@ -1675,7 +1682,7 @@ var SysTeam = ObjectSchema.create({
1675
1682
  target: "/api/v1/auth/organization/update-team",
1676
1683
  recordIdParam: "teamId",
1677
1684
  bodyShape: { wrap: "data" },
1678
- visible: "features.multiOrgEnabled != false",
1685
+ visible: "features.organization != false",
1679
1686
  successMessage: "Team updated",
1680
1687
  refreshAfter: true,
1681
1688
  params: [
@@ -1694,7 +1701,7 @@ var SysTeam = ObjectSchema.create({
1694
1701
  type: "api",
1695
1702
  target: "/api/v1/auth/organization/remove-team",
1696
1703
  recordIdParam: "teamId",
1697
- visible: "features.multiOrgEnabled != false",
1704
+ visible: "features.organization != false",
1698
1705
  confirmText: "Delete this team? Members will lose any team-scoped access. This cannot be undone.",
1699
1706
  successMessage: "Team deleted",
1700
1707
  refreshAfter: true
@@ -1808,7 +1815,7 @@ var SysTeamMember = ObjectSchema.create({
1808
1815
  // Team membership lives under organizations — multi-org-only. Gate
1809
1816
  // both mutations so they vanish in single-org (mirrors
1810
1817
  // sys_organization.create_organization).
1811
- visible: "features.multiOrgEnabled != false",
1818
+ visible: "features.organization != false",
1812
1819
  successMessage: "Team member added",
1813
1820
  refreshAfter: true,
1814
1821
  params: [
@@ -1829,7 +1836,7 @@ var SysTeamMember = ObjectSchema.create({
1829
1836
  locations: ["list_item"],
1830
1837
  type: "api",
1831
1838
  target: "/api/v1/auth/organization/remove-team-member",
1832
- visible: "features.multiOrgEnabled != false",
1839
+ visible: "features.organization != false",
1833
1840
  confirmText: "Remove this user from the team? They will lose any team-scoped access.",
1834
1841
  successMessage: "Team member removed",
1835
1842
  refreshAfter: true,
@@ -2067,7 +2074,7 @@ var SysBusinessUnitMember = ObjectSchema.create({
2067
2074
  managedBy: "platform",
2068
2075
  description: "User assignment to a business unit (matrix-org friendly, effective-dated).",
2069
2076
  titleFormat: "{user_id} in {business_unit_id}",
2070
- highlightFields: ["user_id", "business_unit_id", "role_in_business_unit", "is_primary"],
2077
+ highlightFields: ["user_id", "business_unit_id", "function_in_business_unit", "is_primary"],
2071
2078
  fields: {
2072
2079
  id: Field.text({
2073
2080
  label: "Member ID",
@@ -2085,10 +2092,10 @@ var SysBusinessUnitMember = ObjectSchema.create({
2085
2092
  required: true,
2086
2093
  group: "Assignment"
2087
2094
  }),
2088
- role_in_business_unit: Field.select(
2095
+ function_in_business_unit: Field.select(
2089
2096
  ["member", "lead", "deputy"],
2090
2097
  {
2091
- label: "Role in Business Unit",
2098
+ label: "Function in Business Unit",
2092
2099
  required: false,
2093
2100
  defaultValue: "member",
2094
2101
  description: "`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.",
@@ -2492,6 +2499,12 @@ var SysDeviceCode = ObjectSchema.create({
2492
2499
  icon: "key-round",
2493
2500
  isSystem: true,
2494
2501
  managedBy: "better-auth",
2502
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE pending device-grant
2503
+ // codes — reading `user_code`/`device_code` lets an attacker hijack a
2504
+ // pending CLI login. Not covered by the wildcard `'*'` grant; admins retain
2505
+ // access via the superuser bypass; better-auth reads via its adapter
2506
+ // (system context), so the device-grant flow is unaffected.
2507
+ access: { default: "private" },
2495
2508
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
2496
2509
  // but may add overlay row-level config. Use `no-overlay` if you need to
2497
2510
  // forbid sys_metadata overlays entirely.
@@ -3087,6 +3100,11 @@ var SysOauthAccessToken = ObjectSchema.create({
3087
3100
  icon: "ticket",
3088
3101
  isSystem: true,
3089
3102
  managedBy: "better-auth",
3103
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE bearer credentials —
3104
+ // reading one is session hijack. Not covered by the wildcard `'*'` grant;
3105
+ // admins retain access via the superuser bypass; better-auth reads via its
3106
+ // adapter (system context), so OAuth flows are unaffected.
3107
+ access: { default: "private" },
3090
3108
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3091
3109
  // but may add overlay row-level config. Use `no-overlay` if you need to
3092
3110
  // forbid sys_metadata overlays entirely.
@@ -3173,6 +3191,11 @@ var SysOauthRefreshToken = ObjectSchema.create({
3173
3191
  icon: "refresh-cw",
3174
3192
  isSystem: true,
3175
3193
  managedBy: "better-auth",
3194
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE long-lived credentials —
3195
+ // a refresh token mints new access tokens. Not covered by the wildcard `'*'`
3196
+ // grant; admins retain access via the superuser bypass; better-auth reads
3197
+ // via its adapter (system context), so OAuth flows are unaffected.
3198
+ access: { default: "private" },
3176
3199
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3177
3200
  // but may add overlay row-level config. Use `no-overlay` if you need to
3178
3201
  // forbid sys_metadata overlays entirely.
@@ -3331,6 +3354,13 @@ var SysJwks = ObjectSchema.create({
3331
3354
  icon: "key",
3332
3355
  isSystem: true,
3333
3356
  managedBy: "better-auth",
3357
+ // [ADR-0066 D2/④] Secure-by-default: rows are the environment's JWT SIGNING
3358
+ // KEYS (private key material). Not covered by the wildcard `'*'` grant — an
3359
+ // ordinary member gets 403 from the generic data layer. Platform admins
3360
+ // (viewAllRecords/modifyAllRecords) retain access via the posture-gated
3361
+ // superuser bypass; better-auth itself reads via its adapter (system
3362
+ // context), so token signing/verification is unaffected.
3363
+ access: { default: "private" },
3334
3364
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3335
3365
  // but may add overlay row-level config. Use `no-overlay` if you need to
3336
3366
  // forbid sys_metadata overlays entirely.
@@ -3644,6 +3674,14 @@ var SysScimProvider = ObjectSchema.create({
3644
3674
  icon: "users",
3645
3675
  isSystem: true,
3646
3676
  managedBy: "better-auth",
3677
+ // [ADR-0066 D3/④] Admin-only identity config carrying a live credential
3678
+ // (`scim_token` — the bearer external IdPs authenticate provisioning calls
3679
+ // with). Object-level capability gate, mirroring the sibling
3680
+ // `sys_sso_provider`: ordinary members are denied entirely (without it, the
3681
+ // `member_default` wildcard `'*': allowRead` would expose SCIM connections
3682
+ // to every authenticated user). better-auth's own endpoints read via a
3683
+ // system context, so SCIM provisioning is unaffected.
3684
+ requiredPermissions: ["manage_platform_settings"],
3647
3685
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.
3648
3686
  protection: {
3649
3687
  lock: "full",