@objectstack/platform-objects 12.6.0 → 14.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/apps/index.d.mts +1 -1
  2. package/dist/apps/index.d.ts +1 -1
  3. package/dist/apps/index.js +38 -17
  4. package/dist/apps/index.js.map +1 -1
  5. package/dist/apps/index.mjs +38 -17
  6. package/dist/apps/index.mjs.map +1 -1
  7. package/dist/audit/index.d.mts +90 -30
  8. package/dist/audit/index.d.ts +90 -30
  9. package/dist/identity/index.d.mts +1057 -280
  10. package/dist/identity/index.d.ts +1057 -280
  11. package/dist/identity/index.js +184 -29
  12. package/dist/identity/index.js.map +1 -1
  13. package/dist/identity/index.mjs +184 -29
  14. package/dist/identity/index.mjs.map +1 -1
  15. package/dist/index.d.mts +1 -1
  16. package/dist/index.d.ts +1 -1
  17. package/dist/index.js +362 -335
  18. package/dist/index.js.map +1 -1
  19. package/dist/index.mjs +362 -336
  20. package/dist/index.mjs.map +1 -1
  21. package/dist/metadata-translations/index.js +20 -288
  22. package/dist/metadata-translations/index.js.map +1 -1
  23. package/dist/metadata-translations/index.mjs +20 -288
  24. package/dist/metadata-translations/index.mjs.map +1 -1
  25. package/dist/pages/index.d.mts +35 -4
  26. package/dist/pages/index.d.ts +35 -4
  27. package/dist/pages/index.js +112 -1
  28. package/dist/pages/index.js.map +1 -1
  29. package/dist/pages/index.mjs +112 -2
  30. package/dist/pages/index.mjs.map +1 -1
  31. package/dist/plugin.js +37 -300
  32. package/dist/plugin.js.map +1 -1
  33. package/dist/plugin.mjs +37 -300
  34. package/dist/plugin.mjs.map +1 -1
  35. package/dist/system/index.d.mts +30 -9
  36. package/dist/system/index.d.ts +30 -9
  37. package/dist/system/index.js +8 -0
  38. package/dist/system/index.js.map +1 -1
  39. package/dist/system/index.mjs +8 -0
  40. package/dist/system/index.mjs.map +1 -1
  41. package/package.json +3 -3
package/dist/index.mjs CHANGED
@@ -37,13 +37,14 @@ var SysUser = ObjectSchema.create({
37
37
  locations: ["list_toolbar"],
38
38
  type: "api",
39
39
  target: "/api/v1/auth/organization/invite-member",
40
- // Org invitations are a multi-org-only flow (the endpoint resolves
41
- // an active org that does not exist in single-org mode). Hide the
42
- // affordance unless multi-org is enabled matching the
43
- // `create_organization` gate on sys_organization. This action is the
44
- // most exposed of the set because the Users list is always reachable
45
- // in single-org, unlike the org/membership lists.
46
- visible: "features.multiOrgEnabled != false",
40
+ // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the
41
+ // better-auth organization plugin is always mounted, and single-org
42
+ // mode now bootstraps a Default Organization (plugin-auth) so the
43
+ // endpoint's active-org resolution works there too. This is THE
44
+ // "add a teammate" affordance the Users list is always reachable
45
+ // and every add flows through better-auth invitations, never bespoke
46
+ // sys_user CRUD.
47
+ visible: "features.organization != false",
47
48
  successMessage: "Invitation sent",
48
49
  refreshAfter: true,
49
50
  params: [
@@ -102,6 +103,62 @@ var SysUser = ObjectSchema.create({
102
103
  successMessage: "Account unlocked",
103
104
  refreshAfter: true
104
105
  },
106
+ {
107
+ // #2766 V1 — a platform admin can add a login-capable teammate without
108
+ // the email-dependent invite flow. Hits the plugin-auth wrapper route
109
+ // (NOT better-auth's stock /admin/create-user): the wrapper runs the
110
+ // ADR-0068 admin gate, drives the better-auth pipeline (scrypt hash +
111
+ // credential sys_account), stamps must_change_password, and — when
112
+ // "Generate temporary password" is picked — returns the password ONCE
113
+ // in the response for the result dialog. It is never persisted or logged.
114
+ name: "create_user",
115
+ label: "Create User",
116
+ icon: "user-plus",
117
+ variant: "secondary",
118
+ locations: ["list_toolbar"],
119
+ type: "api",
120
+ target: "/api/v1/auth/admin/create-user",
121
+ visible: "features.admin == true",
122
+ successMessage: "User created",
123
+ refreshAfter: true,
124
+ params: [
125
+ // The endpoint requires email OR phone (phone-only users get a
126
+ // placeholder address; requires auth.plugins.phoneNumber).
127
+ { field: "email", required: false },
128
+ {
129
+ name: "phoneNumber",
130
+ label: "Phone Number",
131
+ type: "text",
132
+ required: false,
133
+ helpText: "Sign-in phone number (E.164, e.g. +8613800000000). Required when no email is given."
134
+ },
135
+ { field: "name", required: false },
136
+ {
137
+ name: "generatePassword",
138
+ label: "Generate Temporary Password",
139
+ type: "boolean",
140
+ required: false,
141
+ defaultValue: true
142
+ },
143
+ { name: "password", label: "Password (leave empty to generate)", type: "text", required: false },
144
+ {
145
+ name: "mustChangePassword",
146
+ label: "Require Password Change On First Login",
147
+ type: "boolean",
148
+ required: false,
149
+ defaultValue: true
150
+ }
151
+ ],
152
+ resultDialog: {
153
+ title: "User Created",
154
+ description: "Copy the temporary password now \u2014 it is shown only once and never stored.",
155
+ acknowledge: "I have saved this password",
156
+ fields: [
157
+ { path: "user.email", label: "Email", format: "text" },
158
+ { path: "temporaryPassword", label: "Temporary Password", format: "secret" }
159
+ ]
160
+ }
161
+ },
105
162
  {
106
163
  name: "set_user_password",
107
164
  label: "Set Password",
@@ -109,13 +166,40 @@ var SysUser = ObjectSchema.create({
109
166
  variant: "secondary",
110
167
  locations: ["list_item"],
111
168
  type: "api",
169
+ // #2766 V1 — same path as better-auth's stock route, but served by the
170
+ // plugin-auth wrapper registered ahead of the catch-all: it accepts the
171
+ // ADR-0068 platform-admin signals (the stock handler only honors the
172
+ // legacy role scalar), can mint a temporary password, and stamps
173
+ // must_change_password.
112
174
  target: "/api/v1/auth/admin/set-user-password",
113
175
  recordIdParam: "userId",
114
176
  successMessage: "Password updated",
115
177
  refreshAfter: false,
116
178
  params: [
117
- { name: "newPassword", label: "New Password", type: "text", required: true }
118
- ]
179
+ {
180
+ name: "generatePassword",
181
+ label: "Generate Temporary Password",
182
+ type: "boolean",
183
+ required: false,
184
+ defaultValue: false
185
+ },
186
+ { name: "newPassword", label: "New Password (leave empty to generate)", type: "text", required: false },
187
+ {
188
+ name: "mustChangePassword",
189
+ label: "Require Password Change On Next Login",
190
+ type: "boolean",
191
+ required: false,
192
+ defaultValue: true
193
+ }
194
+ ],
195
+ resultDialog: {
196
+ title: "Password Updated",
197
+ description: "If a temporary password was generated, copy it now \u2014 it is shown only once and never stored.",
198
+ acknowledge: "Done",
199
+ fields: [
200
+ { path: "temporaryPassword", label: "Temporary Password", format: "secret" }
201
+ ]
202
+ }
119
203
  },
120
204
  {
121
205
  name: "set_user_role",
@@ -434,6 +518,37 @@ var SysUser = ObjectSchema.create({
434
518
  group: "Admin",
435
519
  description: "Timestamp of the last password change. Backs password_expiry_days; system-managed."
436
520
  }),
521
+ // #2766 V1.5 — phone-number sign-in identifier (better-auth phoneNumber
522
+ // plugin, mapped via buildPhoneNumberPluginSchema). Unique when present;
523
+ // null for email-only accounts. Written through better-auth, not CRUD.
524
+ phone_number: Field.text({
525
+ label: "Phone Number",
526
+ required: false,
527
+ readonly: true,
528
+ searchable: true,
529
+ maxLength: 32,
530
+ group: "Account",
531
+ description: "Sign-in phone number (E.164 recommended). Unique per user; managed by better-auth when the phoneNumber plugin is enabled."
532
+ }),
533
+ phone_number_verified: Field.boolean({
534
+ label: "Phone Verified",
535
+ defaultValue: false,
536
+ readonly: true,
537
+ group: "Account",
538
+ description: "Whether the phone number has been verified (OTP verification requires SMS infrastructure; false until that ships). System-managed."
539
+ }),
540
+ // #2766 V1 — admin-issued "must change password on next sign-in" flag.
541
+ // Set by the /admin/create-user and /admin/set-user-password routes when
542
+ // a temporary password is issued; enforced through the ADR-0069 authGate
543
+ // (surfaces as PASSWORD_EXPIRED); cleared by stampPasswordChangedAt once
544
+ // the user completes a password change.
545
+ must_change_password: Field.boolean({
546
+ label: "Must Change Password",
547
+ defaultValue: false,
548
+ readonly: true,
549
+ group: "Admin",
550
+ description: "When true, the user is blocked (403 PASSWORD_EXPIRED) until they change their password. Stamped by the admin user-management routes; system-managed."
551
+ }),
437
552
  // ADR-0069 D3 — when enforced MFA first applied to this user; starts the
438
553
  // grace clock. Stamped lazily at session validation; system-managed.
439
554
  mfa_required_at: Field.datetime({
@@ -531,7 +646,10 @@ var SysUser = ObjectSchema.create({
531
646
  },
532
647
  indexes: [
533
648
  { fields: ["email"], unique: true },
534
- { fields: ["created_at"], unique: false }
649
+ { fields: ["created_at"], unique: false },
650
+ // #2766 V1.5 — phone sign-in identifier; unique when present (null for
651
+ // email-only accounts), also the upsert match key for identity import.
652
+ { fields: ["phone_number"], unique: true }
535
653
  ],
536
654
  enable: {
537
655
  trackHistory: true,
@@ -932,6 +1050,12 @@ var SysVerification = ObjectSchema.create({
932
1050
  icon: "shield-check",
933
1051
  isSystem: true,
934
1052
  managedBy: "better-auth",
1053
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE one-time credentials
1054
+ // (email/phone verification + password-reset tokens) — reading one is
1055
+ // account takeover. Not covered by the wildcard `'*'` grant; admins retain
1056
+ // access via the superuser bypass; better-auth reads via its adapter
1057
+ // (system context), so verification flows are unaffected.
1058
+ access: { default: "private" },
935
1059
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
936
1060
  // but may add overlay row-level config. Use `no-overlay` if you need to
937
1061
  // forbid sys_metadata overlays entirely.
@@ -1265,11 +1389,11 @@ var SysMember = ObjectSchema.create({
1265
1389
  locations: ["list_toolbar"],
1266
1390
  type: "api",
1267
1391
  target: "/api/v1/auth/organization/add-member",
1268
- // Org-membership mutations are multi-org-only: the better-auth
1269
- // endpoints resolve an active org that does not exist in single-org
1270
- // mode, so these actions would fail at the API. Gate every one on
1271
- // the multi-org flag (mirrors sys_organization.create_organization).
1272
- visible: "features.multiOrgEnabled != false",
1392
+ // Gated on the org CAPABILITY, not multi-org (ADR-0081 D1): the
1393
+ // better-auth endpoints resolve the session's active org, which
1394
+ // single-org mode now guarantees via plugin-auth's default-org
1395
+ // bootstrap. Same gate on every membership mutation below.
1396
+ visible: "features.organization != false",
1273
1397
  successMessage: "Member added",
1274
1398
  refreshAfter: true,
1275
1399
  params: [
@@ -1287,7 +1411,7 @@ var SysMember = ObjectSchema.create({
1287
1411
  type: "api",
1288
1412
  target: "/api/v1/auth/organization/update-member-role",
1289
1413
  recordIdParam: "memberId",
1290
- visible: "features.multiOrgEnabled != false",
1414
+ visible: "features.organization != false",
1291
1415
  successMessage: "Member role updated",
1292
1416
  refreshAfter: true,
1293
1417
  params: [
@@ -1304,7 +1428,7 @@ var SysMember = ObjectSchema.create({
1304
1428
  type: "api",
1305
1429
  target: "/api/v1/auth/organization/remove-member",
1306
1430
  recordIdParam: "memberIdOrEmail",
1307
- visible: "features.multiOrgEnabled != false",
1431
+ visible: "features.organization != false",
1308
1432
  confirmText: "Remove this member from the organization? They will lose access to all org resources.",
1309
1433
  successMessage: "Member removed",
1310
1434
  refreshAfter: true
@@ -1326,7 +1450,7 @@ var SysMember = ObjectSchema.create({
1326
1450
  target: "/api/v1/auth/organization/update-member-role",
1327
1451
  recordIdParam: "memberId",
1328
1452
  bodyExtra: { role: "owner" },
1329
- visible: "record.role != 'owner' && features.multiOrgEnabled != false",
1453
+ visible: "record.role != 'owner' && features.organization != false",
1330
1454
  confirmText: "Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.",
1331
1455
  successMessage: "Ownership transferred",
1332
1456
  refreshAfter: true
@@ -1434,7 +1558,7 @@ var SysInvitation = ObjectSchema.create({
1434
1558
  // sys_organization.create_organization). The recipient-side
1435
1559
  // accept/reject actions below stay record-gated — they are
1436
1560
  // unreachable in single-org anyway (no invitation rows exist).
1437
- visible: "features.multiOrgEnabled != false",
1561
+ visible: "features.organization != false",
1438
1562
  successMessage: "Invitation sent",
1439
1563
  refreshAfter: true,
1440
1564
  params: [
@@ -1452,7 +1576,7 @@ var SysInvitation = ObjectSchema.create({
1452
1576
  type: "api",
1453
1577
  target: "/api/v1/auth/organization/cancel-invitation",
1454
1578
  recordIdParam: "invitationId",
1455
- visible: "features.multiOrgEnabled != false",
1579
+ visible: "features.organization != false",
1456
1580
  confirmText: "Cancel this invitation? The recipient will no longer be able to accept it.",
1457
1581
  successMessage: "Invitation canceled",
1458
1582
  refreshAfter: true
@@ -1466,7 +1590,7 @@ var SysInvitation = ObjectSchema.create({
1466
1590
  type: "api",
1467
1591
  target: "/api/v1/auth/organization/invite-member",
1468
1592
  bodyExtra: { resend: true },
1469
- visible: "features.multiOrgEnabled != false",
1593
+ visible: "features.organization != false",
1470
1594
  successMessage: "Invitation resent",
1471
1595
  refreshAfter: true,
1472
1596
  params: [
@@ -1656,7 +1780,7 @@ var SysTeam = ObjectSchema.create({
1656
1780
  // Teams are nested inside organizations — a multi-org-only concept.
1657
1781
  // Gate every team mutation on the multi-org flag so the affordances
1658
1782
  // disappear in single-org (mirrors sys_organization.create_organization).
1659
- visible: "features.multiOrgEnabled != false",
1783
+ visible: "features.organization != false",
1660
1784
  successMessage: "Team created",
1661
1785
  refreshAfter: true,
1662
1786
  params: [
@@ -1677,7 +1801,7 @@ var SysTeam = ObjectSchema.create({
1677
1801
  target: "/api/v1/auth/organization/update-team",
1678
1802
  recordIdParam: "teamId",
1679
1803
  bodyShape: { wrap: "data" },
1680
- visible: "features.multiOrgEnabled != false",
1804
+ visible: "features.organization != false",
1681
1805
  successMessage: "Team updated",
1682
1806
  refreshAfter: true,
1683
1807
  params: [
@@ -1696,7 +1820,7 @@ var SysTeam = ObjectSchema.create({
1696
1820
  type: "api",
1697
1821
  target: "/api/v1/auth/organization/remove-team",
1698
1822
  recordIdParam: "teamId",
1699
- visible: "features.multiOrgEnabled != false",
1823
+ visible: "features.organization != false",
1700
1824
  confirmText: "Delete this team? Members will lose any team-scoped access. This cannot be undone.",
1701
1825
  successMessage: "Team deleted",
1702
1826
  refreshAfter: true
@@ -1810,7 +1934,7 @@ var SysTeamMember = ObjectSchema.create({
1810
1934
  // Team membership lives under organizations — multi-org-only. Gate
1811
1935
  // both mutations so they vanish in single-org (mirrors
1812
1936
  // sys_organization.create_organization).
1813
- visible: "features.multiOrgEnabled != false",
1937
+ visible: "features.organization != false",
1814
1938
  successMessage: "Team member added",
1815
1939
  refreshAfter: true,
1816
1940
  params: [
@@ -1831,7 +1955,7 @@ var SysTeamMember = ObjectSchema.create({
1831
1955
  locations: ["list_item"],
1832
1956
  type: "api",
1833
1957
  target: "/api/v1/auth/organization/remove-team-member",
1834
- visible: "features.multiOrgEnabled != false",
1958
+ visible: "features.organization != false",
1835
1959
  confirmText: "Remove this user from the team? They will lose any team-scoped access.",
1836
1960
  successMessage: "Team member removed",
1837
1961
  refreshAfter: true,
@@ -2069,7 +2193,7 @@ var SysBusinessUnitMember = ObjectSchema.create({
2069
2193
  managedBy: "platform",
2070
2194
  description: "User assignment to a business unit (matrix-org friendly, effective-dated).",
2071
2195
  titleFormat: "{user_id} in {business_unit_id}",
2072
- highlightFields: ["user_id", "business_unit_id", "role_in_business_unit", "is_primary"],
2196
+ highlightFields: ["user_id", "business_unit_id", "function_in_business_unit", "is_primary"],
2073
2197
  fields: {
2074
2198
  id: Field.text({
2075
2199
  label: "Member ID",
@@ -2087,10 +2211,10 @@ var SysBusinessUnitMember = ObjectSchema.create({
2087
2211
  required: true,
2088
2212
  group: "Assignment"
2089
2213
  }),
2090
- role_in_business_unit: Field.select(
2214
+ function_in_business_unit: Field.select(
2091
2215
  ["member", "lead", "deputy"],
2092
2216
  {
2093
- label: "Role in Business Unit",
2217
+ label: "Function in Business Unit",
2094
2218
  required: false,
2095
2219
  defaultValue: "member",
2096
2220
  description: "`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.",
@@ -2494,6 +2618,12 @@ var SysDeviceCode = ObjectSchema.create({
2494
2618
  icon: "key-round",
2495
2619
  isSystem: true,
2496
2620
  managedBy: "better-auth",
2621
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE pending device-grant
2622
+ // codes — reading `user_code`/`device_code` lets an attacker hijack a
2623
+ // pending CLI login. Not covered by the wildcard `'*'` grant; admins retain
2624
+ // access via the superuser bypass; better-auth reads via its adapter
2625
+ // (system context), so the device-grant flow is unaffected.
2626
+ access: { default: "private" },
2497
2627
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
2498
2628
  // but may add overlay row-level config. Use `no-overlay` if you need to
2499
2629
  // forbid sys_metadata overlays entirely.
@@ -3089,6 +3219,11 @@ var SysOauthAccessToken = ObjectSchema.create({
3089
3219
  icon: "ticket",
3090
3220
  isSystem: true,
3091
3221
  managedBy: "better-auth",
3222
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE bearer credentials —
3223
+ // reading one is session hijack. Not covered by the wildcard `'*'` grant;
3224
+ // admins retain access via the superuser bypass; better-auth reads via its
3225
+ // adapter (system context), so OAuth flows are unaffected.
3226
+ access: { default: "private" },
3092
3227
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3093
3228
  // but may add overlay row-level config. Use `no-overlay` if you need to
3094
3229
  // forbid sys_metadata overlays entirely.
@@ -3175,6 +3310,11 @@ var SysOauthRefreshToken = ObjectSchema.create({
3175
3310
  icon: "refresh-cw",
3176
3311
  isSystem: true,
3177
3312
  managedBy: "better-auth",
3313
+ // [ADR-0066 D2/④] Secure-by-default: rows are LIVE long-lived credentials —
3314
+ // a refresh token mints new access tokens. Not covered by the wildcard `'*'`
3315
+ // grant; admins retain access via the superuser bypass; better-auth reads
3316
+ // via its adapter (system context), so OAuth flows are unaffected.
3317
+ access: { default: "private" },
3178
3318
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3179
3319
  // but may add overlay row-level config. Use `no-overlay` if you need to
3180
3320
  // forbid sys_metadata overlays entirely.
@@ -3333,6 +3473,13 @@ var SysJwks = ObjectSchema.create({
3333
3473
  icon: "key",
3334
3474
  isSystem: true,
3335
3475
  managedBy: "better-auth",
3476
+ // [ADR-0066 D2/④] Secure-by-default: rows are the environment's JWT SIGNING
3477
+ // KEYS (private key material). Not covered by the wildcard `'*'` grant — an
3478
+ // ordinary member gets 403 from the generic data layer. Platform admins
3479
+ // (viewAllRecords/modifyAllRecords) retain access via the posture-gated
3480
+ // superuser bypass; better-auth itself reads via its adapter (system
3481
+ // context), so token signing/verification is unaffected.
3482
+ access: { default: "private" },
3336
3483
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3337
3484
  // but may add overlay row-level config. Use `no-overlay` if you need to
3338
3485
  // forbid sys_metadata overlays entirely.
@@ -3646,6 +3793,14 @@ var SysScimProvider = ObjectSchema.create({
3646
3793
  icon: "users",
3647
3794
  isSystem: true,
3648
3795
  managedBy: "better-auth",
3796
+ // [ADR-0066 D3/④] Admin-only identity config carrying a live credential
3797
+ // (`scim_token` — the bearer external IdPs authenticate provisioning calls
3798
+ // with). Object-level capability gate, mirroring the sibling
3799
+ // `sys_sso_provider`: ordinary members are denied entirely (without it, the
3800
+ // `member_default` wildcard `'*': allowRead` would expose SCIM connections
3801
+ // to every authenticated user). better-auth's own endpoints read via a
3802
+ // system context, so SCIM provisioning is unaffected.
3803
+ requiredPermissions: ["manage_platform_settings"],
3649
3804
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.
3650
3805
  protection: {
3651
3806
  lock: "full",
@@ -4934,6 +5089,14 @@ var SysSecret = ObjectSchema.create({
4934
5089
  icon: "key",
4935
5090
  isSystem: true,
4936
5091
  managedBy: "system",
5092
+ // [ADR-0066 D2/④] Secure-by-default: the environment's encrypted-secrets
5093
+ // store (settings/datasource credentials). Not covered by the wildcard `'*'`
5094
+ // grant — ordinary members get 403 from the generic data layer. Platform
5095
+ // admins retain access via the posture-gated superuser bypass. Internal
5096
+ // readers are unaffected: `engine.resolveSecret` reads at DRIVER level,
5097
+ // SettingsService / the datasource secret-binder read with no principal
5098
+ // (middleware falls open for principal-less internal calls).
5099
+ access: { default: "private" },
4937
5100
  description: "Cipher store referenced by sys_setting handles. Never holds plaintext.",
4938
5101
  highlightFields: ["namespace", "key", "kms_key_id", "version", "rotated_at"],
4939
5102
  listViews: {
@@ -5281,21 +5444,33 @@ var SETUP_NAV_CONTRIBUTIONS = [
5281
5444
  priority: BASE_PRIORITY,
5282
5445
  items: [
5283
5446
  { id: "nav_users", type: "object", label: "Users", objectName: "sys_user", icon: "user" },
5447
+ // The ACTIVE organization's record page (Members / Invitations / Teams
5448
+ // tabs with the better-auth row actions), rendered inside the app shell
5449
+ // (ADR-0081). `{current_org_id}` resolves from the session's active
5450
+ // organization; unresolved (e.g. org-less admin before bootstrap) it
5451
+ // falls back to the sys_organization list — one row in single-org.
5452
+ { id: "nav_organization", type: "object", label: "Organization", objectName: "sys_organization", recordId: "{current_org_id}", icon: "building-2" },
5284
5453
  { id: "nav_business_units", type: "object", label: "Business Units", objectName: "sys_business_unit", icon: "building", requiresObject: "sys_business_unit" },
5285
- { id: "nav_teams", type: "object", label: "Teams", objectName: "sys_team", icon: "users-round", requiresService: "org-scoping" },
5454
+ // Teams / Invitations no longer gate on `org-scoping` (ADR-0081 D1):
5455
+ // the better-auth organization capability is always mounted, and
5456
+ // plugin-auth's single-org default-org bootstrap guarantees an org to
5457
+ // invite into — these are the OPEN member-management basics. Only the
5458
+ // org LIST below keeps the gate: browsing organizations is meaningful
5459
+ // only when more than one can exist (enterprise multi-org).
5460
+ { id: "nav_teams", type: "object", label: "Teams", objectName: "sys_team", icon: "users-round" },
5286
5461
  { id: "nav_organizations", type: "object", label: "Organizations", objectName: "sys_organization", icon: "building-2", requiresService: "org-scoping" },
5287
- { id: "nav_invitations", type: "object", label: "Invitations", objectName: "sys_invitation", icon: "mail", requiresService: "org-scoping" }
5462
+ { id: "nav_invitations", type: "object", label: "Invitations", objectName: "sys_invitation", icon: "mail" }
5288
5463
  ]
5289
5464
  },
5290
5465
  {
5291
5466
  app: "setup",
5292
5467
  group: "group_access_control",
5293
- // Priority 300 keeps API Keys after plugin-security's Roles / Permission
5468
+ // Priority 300 keeps API Keys after plugin-security's Positions / Permission
5294
5469
  // Sets (100) and plugin-sharing's Sharing Rules / Record Shares (200),
5295
5470
  // preserving the original menu order.
5296
5471
  priority: 300,
5297
5472
  items: [
5298
- // Roles / Permission Sets are contributed by @objectstack/plugin-security
5473
+ // Positions / Permission Sets are contributed by @objectstack/plugin-security
5299
5474
  // and Sharing Rules / Record Shares by @objectstack/plugin-sharing
5300
5475
  // (ADR-0029 K2). Only API Keys (sys_api_key, an identity object owned by
5301
5476
  // plugin-auth) remains a platform-objects base entry here.
@@ -5346,7 +5521,11 @@ var SETUP_NAV_CONTRIBUTIONS = [
5346
5521
  priority: BASE_PRIORITY,
5347
5522
  items: [
5348
5523
  { id: "nav_oauth_apps", type: "object", label: "OAuth Applications", objectName: "sys_oauth_application", icon: "app-window" },
5349
- { id: "nav_jwks", type: "object", label: "Signing Keys (JWKS)", objectName: "sys_jwks", icon: "key-round" },
5524
+ // nav_jwks is capability-gated (like nav_api_keys): sys_jwks is
5525
+ // `access.default:'private'` (ADR-0066 ④ — signing keys), so a
5526
+ // non-admin's list request 403s server-side; gating the nav item keeps
5527
+ // the menu honest instead of showing an entry that can only error.
5528
+ { id: "nav_jwks", type: "object", label: "Signing Keys (JWKS)", objectName: "sys_jwks", icon: "key-round", requiredPermissions: ["manage_platform_settings"] },
5350
5529
  // `sys_verification` (email/phone tokens) and `sys_device_code` (OAuth
5351
5530
  // device-grant codes) deliberately omit `list` from their `apiMethods`
5352
5531
  // (sensitive, ephemeral secrets — not browsable), so an object/list-view
@@ -6685,8 +6864,8 @@ var enObjects = {
6685
6864
  user_id: {
6686
6865
  label: "User"
6687
6866
  },
6688
- role_in_business_unit: {
6689
- label: "Role in Business Unit",
6867
+ function_in_business_unit: {
6868
+ label: "Function in Business Unit",
6690
6869
  help: "`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.",
6691
6870
  options: {
6692
6871
  member: "member",
@@ -8638,12 +8817,13 @@ var en = {
8638
8817
  nav_marketplace_installed: { label: "Installed Apps" },
8639
8818
  // People & Organization
8640
8819
  nav_users: { label: "Users" },
8820
+ nav_organization: { label: "Organization" },
8641
8821
  nav_business_units: { label: "Business Units" },
8642
8822
  nav_teams: { label: "Teams" },
8643
8823
  nav_organizations: { label: "Organizations" },
8644
8824
  nav_invitations: { label: "Invitations" },
8645
8825
  // Access Control
8646
- nav_roles: { label: "Roles" },
8826
+ nav_positions: { label: "Positions" },
8647
8827
  nav_permission_sets: { label: "Permission Sets" },
8648
8828
  nav_sharing_rules: { label: "Sharing Rules" },
8649
8829
  nav_record_shares: { label: "Record Shares" },
@@ -9431,8 +9611,8 @@ var zhCNObjects = {
9431
9611
  user_id: {
9432
9612
  label: "\u7528\u6237"
9433
9613
  },
9434
- role_in_business_unit: {
9435
- label: "\u4E1A\u52A1\u5355\u5143\u5185\u89D2\u8272",
9614
+ function_in_business_unit: {
9615
+ label: "\u4E1A\u52A1\u5355\u5143\u5185\u804C\u80FD",
9436
9616
  help: "`lead` \u8868\u793A\u65E5\u5E38\u8D1F\u8D23\u4EBA\uFF1B`deputy` \u53EF\u5728\u5BA1\u6279\u8DEF\u7531\u4E2D\u4EE3\u66FF\u8D1F\u8D23\u4EBA\u3002",
9437
9617
  options: {
9438
9618
  member: "\u6210\u5458",
@@ -11381,16 +11561,18 @@ var zhCN = {
11381
11561
  group_advanced: { label: "\u9AD8\u7EA7" },
11382
11562
  nav_system_overview: { label: "\u7CFB\u7EDF\u6982\u89C8" },
11383
11563
  nav_users: { label: "\u7528\u6237" },
11564
+ nav_organization: { label: "\u7EC4\u7EC7" },
11384
11565
  nav_business_units: { label: "\u4E1A\u52A1\u5355\u5143" },
11385
11566
  nav_teams: { label: "\u56E2\u961F" },
11386
11567
  nav_organizations: { label: "\u7EC4\u7EC7" },
11387
11568
  nav_invitations: { label: "\u9080\u8BF7" },
11388
- nav_roles: { label: "\u89D2\u8272" },
11569
+ nav_positions: { label: "\u5C97\u4F4D" },
11389
11570
  nav_capabilities: { label: "\u80FD\u529B" },
11390
11571
  nav_permission_sets: { label: "\u6743\u9650\u96C6" },
11391
11572
  nav_sharing_rules: { label: "\u5171\u4EAB\u89C4\u5219" },
11392
11573
  nav_record_shares: { label: "\u8BB0\u5F55\u5171\u4EAB" },
11393
11574
  nav_api_keys: { label: "API \u5BC6\u94A5" },
11575
+ nav_connect_agent: { label: "\u8FDE\u63A5\u667A\u80FD\u4F53" },
11394
11576
  nav_approval_processes: { label: "\u5BA1\u6279\u6D41\u7A0B" },
11395
11577
  nav_approval_requests: { label: "\u5BA1\u6279\u7533\u8BF7" },
11396
11578
  nav_approval_actions: { label: "\u5BA1\u6279\u5386\u53F2" },
@@ -12140,8 +12322,8 @@ var jaJPObjects = {
12140
12322
  user_id: {
12141
12323
  label: "\u30E6\u30FC\u30B6\u30FC"
12142
12324
  },
12143
- role_in_business_unit: {
12144
- label: "\u30D3\u30B8\u30CD\u30B9\u30E6\u30CB\u30C3\u30C8\u5185\u30ED\u30FC\u30EB",
12325
+ function_in_business_unit: {
12326
+ label: "\u30D3\u30B8\u30CD\u30B9\u30E6\u30CB\u30C3\u30C8\u5185\u306E\u8077\u80FD",
12145
12327
  help: "`lead` \u306F\u65E5\u5E38\u306E\u8CAC\u4EFB\u8005\u3001`deputy` \u306F\u627F\u8A8D\u30EB\u30FC\u30C6\u30A3\u30F3\u30B0\u3067\u30EA\u30FC\u30C9\u306E\u4EE3\u7406\u3092\u52D9\u3081\u308B\u5834\u5408\u304C\u3042\u308A\u307E\u3059\u3002",
12146
12328
  options: {
12147
12329
  member: "\u30E1\u30F3\u30D0\u30FC",
@@ -14089,11 +14271,12 @@ var jaJP = {
14089
14271
  group_advanced: { label: "\u8A73\u7D30" },
14090
14272
  nav_system_overview: { label: "\u30B7\u30B9\u30C6\u30E0\u6982\u8981" },
14091
14273
  nav_users: { label: "\u30E6\u30FC\u30B6\u30FC" },
14274
+ nav_organization: { label: "\u7D44\u7E54" },
14092
14275
  nav_business_units: { label: "\u30D3\u30B8\u30CD\u30B9\u30E6\u30CB\u30C3\u30C8" },
14093
14276
  nav_teams: { label: "\u30C1\u30FC\u30E0" },
14094
14277
  nav_organizations: { label: "\u7D44\u7E54" },
14095
14278
  nav_invitations: { label: "\u62DB\u5F85" },
14096
- nav_roles: { label: "\u30ED\u30FC\u30EB" },
14279
+ nav_positions: { label: "\u30DD\u30B8\u30B7\u30E7\u30F3" },
14097
14280
  nav_permission_sets: { label: "\u6A29\u9650\u30BB\u30C3\u30C8" },
14098
14281
  nav_sharing_rules: { label: "\u5171\u6709\u30EB\u30FC\u30EB" },
14099
14282
  nav_record_shares: { label: "\u30EC\u30B3\u30FC\u30C9\u5171\u6709" },
@@ -14846,8 +15029,8 @@ var esESObjects = {
14846
15029
  user_id: {
14847
15030
  label: "Usuario"
14848
15031
  },
14849
- role_in_business_unit: {
14850
- label: "Rol en el departamento",
15032
+ function_in_business_unit: {
15033
+ label: "Funci\xF3n en la unidad de negocio",
14851
15034
  help: "`lead` es el responsable del d\xEDa a d\xEDa; `deputy` puede sustituir al responsable en el enrutamiento de aprobaciones.",
14852
15035
  options: {
14853
15036
  member: "Miembro",
@@ -16795,11 +16978,12 @@ var esES = {
16795
16978
  group_advanced: { label: "Avanzado" },
16796
16979
  nav_system_overview: { label: "Resumen del Sistema" },
16797
16980
  nav_users: { label: "Usuarios" },
16981
+ nav_organization: { label: "Organizaci\xF3n" },
16798
16982
  nav_business_units: { label: "Unidades de negocio" },
16799
16983
  nav_teams: { label: "Equipos" },
16800
16984
  nav_organizations: { label: "Organizaciones" },
16801
16985
  nav_invitations: { label: "Invitaciones" },
16802
- nav_roles: { label: "Roles" },
16986
+ nav_positions: { label: "Posiciones" },
16803
16987
  nav_permission_sets: { label: "Conjuntos de Permisos" },
16804
16988
  nav_sharing_rules: { label: "Reglas de Compartici\xF3n" },
16805
16989
  nav_record_shares: { label: "Registros Compartidos" },
@@ -17044,7 +17228,7 @@ var SysUserDetailPage = {
17044
17228
  },
17045
17229
  // ── Tabs: curated related lists ───────────────────────────────
17046
17230
  // Only the 4 lists that are semantically about THIS user account.
17047
- // Everything else (sys_role created_by, sys_email_template
17231
+ // Everything else (sys_position created_by, sys_email_template
17048
17232
  // updated_by, …) is incidental authorship metadata and would only
17049
17233
  // create noise.
17050
17234
  tabs: {
@@ -17053,6 +17237,38 @@ var SysUserDetailPage = {
17053
17237
  type: "line",
17054
17238
  position: "top",
17055
17239
  items: [
17240
+ {
17241
+ label: "Positions",
17242
+ icon: "shield-check",
17243
+ children: [
17244
+ {
17245
+ // [ADR-0090 D3] Position assignments (岗位分派) — pure SDUI:
17246
+ // the Add picker creates sys_user_position rows storing the
17247
+ // position's MACHINE NAME (valueField: 'name'), and every
17248
+ // server-side rule (the D12 delegated-admin gate, audience-
17249
+ // anchor rejection) surfaces its error in the dialog.
17250
+ type: "record:related_list",
17251
+ properties: {
17252
+ objectName: "sys_user_position",
17253
+ relationshipField: "user_id",
17254
+ columns: ["position", "business_unit_id", "granted_by", "created_at"],
17255
+ sort: [{ field: "created_at", order: "desc" }],
17256
+ limit: 25,
17257
+ showViewAll: true,
17258
+ title: "Positions",
17259
+ add: {
17260
+ picker: {
17261
+ object: "sys_position",
17262
+ valueField: "name",
17263
+ labelField: "label"
17264
+ },
17265
+ linkField: "position",
17266
+ label: "Assign position"
17267
+ }
17268
+ }
17269
+ }
17270
+ ]
17271
+ },
17056
17272
  {
17057
17273
  label: "Sessions",
17058
17274
  icon: "monitor",
@@ -17259,6 +17475,84 @@ var SysUserDetailPage = {
17259
17475
  }
17260
17476
  };
17261
17477
 
17478
+ // src/pages/sys-position.page.ts
17479
+ var SysPositionDetailPage = {
17480
+ name: "sys_position_detail",
17481
+ label: "Position",
17482
+ type: "record",
17483
+ object: "sys_position",
17484
+ template: "default",
17485
+ kind: "slotted",
17486
+ isDefault: true,
17487
+ regions: [],
17488
+ slots: {
17489
+ tabs: {
17490
+ type: "page:tabs",
17491
+ properties: {
17492
+ type: "line",
17493
+ position: "top",
17494
+ items: [
17495
+ {
17496
+ label: "Holders",
17497
+ icon: "users",
17498
+ children: [
17499
+ {
17500
+ type: "record:related_list",
17501
+ properties: {
17502
+ objectName: "sys_user_position",
17503
+ relationshipField: "position",
17504
+ relationshipValueField: "name",
17505
+ columns: ["user_id", "business_unit_id", "granted_by", "created_at"],
17506
+ sort: [{ field: "created_at", order: "desc" }],
17507
+ limit: 25,
17508
+ showViewAll: true,
17509
+ title: "Holders",
17510
+ add: {
17511
+ picker: {
17512
+ object: "sys_user",
17513
+ labelField: "name"
17514
+ },
17515
+ linkField: "user_id",
17516
+ label: "Assign user"
17517
+ }
17518
+ }
17519
+ }
17520
+ ]
17521
+ },
17522
+ {
17523
+ label: "Permission Sets",
17524
+ icon: "lock",
17525
+ children: [
17526
+ {
17527
+ type: "record:related_list",
17528
+ properties: {
17529
+ objectName: "sys_position_permission_set",
17530
+ relationshipField: "position_id",
17531
+ columns: ["permission_set_id", "created_at"],
17532
+ sort: [{ field: "created_at", order: "desc" }],
17533
+ limit: 25,
17534
+ showViewAll: true,
17535
+ title: "Permission Sets",
17536
+ add: {
17537
+ picker: {
17538
+ object: "sys_permission_set",
17539
+ labelField: "label"
17540
+ },
17541
+ linkField: "permission_set_id",
17542
+ label: "Bind permission set"
17543
+ }
17544
+ }
17545
+ }
17546
+ ]
17547
+ }
17548
+ ]
17549
+ }
17550
+ },
17551
+ // No Chatter feed on an RBAC primitive.
17552
+ discussion: []
17553
+ }
17554
+ };
17555
+
17262
17556
  // src/apps/translations/en.metadata-forms.generated.ts
17263
17557
  var enMetadataForms = {
17264
17558
  object: {
@@ -18564,69 +18858,6 @@ var enMetadataForms = {
18564
18858
  label: "Label",
18565
18859
  helpText: "Display label for admins"
18566
18860
  },
18567
- isProfile: {
18568
- label: "Is Profile",
18569
- helpText: "Profile = base set assigned to users. Permission Set = additive grant."
18570
- },
18571
- systemPermissions: {
18572
- label: "System Permissions",
18573
- helpText: "List of system capability keys"
18574
- },
18575
- objects: {
18576
- label: "Objects",
18577
- helpText: '{ "account": { allowRead: true, allowEdit: true, ... } }'
18578
- },
18579
- fields: {
18580
- label: "Fields",
18581
- helpText: '{ "account.amount": { readable: true, editable: false } }'
18582
- },
18583
- tabPermissions: {
18584
- label: "Tab Permissions",
18585
- helpText: '{ "app_crm": "visible", "app_admin": "hidden" }'
18586
- },
18587
- rowLevelSecurity: {
18588
- label: "Row Level Security",
18589
- helpText: "Array of RLS policies (see rls.zod.ts)"
18590
- },
18591
- contextVariables: {
18592
- label: "Context Variables",
18593
- helpText: "Custom variables referenced in RLS predicates"
18594
- }
18595
- }
18596
- },
18597
- profile: {
18598
- label: "Profile",
18599
- sections: {
18600
- identity: {
18601
- label: "Identity",
18602
- description: "Permission Sets stack on top of a Profile to grant additional access. Profiles are the base set assigned 1:1 to each user."
18603
- },
18604
- system_permissions: {
18605
- label: "System Permissions",
18606
- description: "High-level capabilities not tied to a specific object \u2014 e.g. manage_users, view_audit_logs."
18607
- },
18608
- object_and_field_permissions: {
18609
- label: "Object & Field Permissions",
18610
- description: "Per-object CRUD + per-field FLS. Edit via the matrix editor or paste JSON here."
18611
- },
18612
- tab_and_row_level_security: {
18613
- label: "Tab & Row-Level Security",
18614
- description: "Tab visibility, RLS policies, and custom context variables for predicate evaluation."
18615
- }
18616
- },
18617
- fields: {
18618
- name: {
18619
- label: "Name",
18620
- helpText: "Machine name (snake_case)"
18621
- },
18622
- label: {
18623
- label: "Label",
18624
- helpText: "Display label for admins"
18625
- },
18626
- isProfile: {
18627
- label: "Is Profile",
18628
- helpText: "Profile = base set assigned to users. Permission Set = additive grant."
18629
- },
18630
18861
  systemPermissions: {
18631
18862
  label: "System Permissions",
18632
18863
  helpText: "List of system capability keys"
@@ -18653,12 +18884,12 @@ var enMetadataForms = {
18653
18884
  }
18654
18885
  }
18655
18886
  },
18656
- role: {
18657
- label: "Role",
18887
+ position: {
18888
+ label: "Position",
18658
18889
  sections: {
18659
- role: {
18660
- label: "Role",
18661
- description: "Roles compose a hierarchy used for record sharing (sales VP \u2192 sales mgr \u2192 sales rep). Permissions themselves live on Permission Sets and Profiles."
18890
+ position: {
18891
+ label: "Position",
18892
+ description: "A position is a flat, assignable bundle of permission sets (e.g. sales_rep, sales_manager). Capability lives on permission sets; visibility depth lives on the business-unit tree."
18662
18893
  }
18663
18894
  },
18664
18895
  fields: {
@@ -18669,10 +18900,6 @@ var enMetadataForms = {
18669
18900
  label: {
18670
18901
  label: "Label"
18671
18902
  },
18672
- parent: {
18673
- label: "Parent",
18674
- helpText: "Parent role machine name (Reports To)"
18675
- },
18676
18903
  description: {
18677
18904
  label: "Description"
18678
18905
  }
@@ -20202,10 +20429,6 @@ var zhCNMetadataForms = {
20202
20429
  label: "\u663E\u793A\u540D\u79F0",
20203
20430
  helpText: "\u9762\u5411\u7BA1\u7406\u5458\u7684\u663E\u793A\u6807\u7B7E"
20204
20431
  },
20205
- isProfile: {
20206
- label: "\u662F\u5426\u914D\u7F6E\u6587\u4EF6",
20207
- helpText: "\u52FE\u9009\u540E\u4F5C\u4E3A\u5B8C\u6574\u914D\u7F6E\u6587\u4EF6\uFF08\u800C\u975E\u9644\u52A0\u6743\u9650\u96C6\uFF09"
20208
- },
20209
20432
  systemPermissions: {
20210
20433
  label: "\u7CFB\u7EDF\u6743\u9650",
20211
20434
  helpText: "\u5E94\u7528\u8BBF\u95EE\u3001API\u3001\u7BA1\u7406\u64CD\u4F5C"
@@ -20232,71 +20455,12 @@ var zhCNMetadataForms = {
20232
20455
  }
20233
20456
  }
20234
20457
  },
20235
- profile: {
20236
- label: "\u914D\u7F6E\u6587\u4EF6",
20458
+ position: {
20459
+ label: "\u5C97\u4F4D",
20237
20460
  sections: {
20238
- identity: {
20239
- label: "\u6807\u8BC6",
20240
- description: "\u6743\u9650\u96C6\u53E0\u52A0\u5728\u914D\u7F6E\u6587\u4EF6\u4E4B\u4E0A\u4EE5\u6388\u4E88\u989D\u5916\u7684\u8BBF\u95EE\u6743\u9650\u3002\u914D\u7F6E\u6587\u4EF6\u662F\u6309 1:1 \u5206\u914D\u7ED9\u6BCF\u4E2A\u7528\u6237\u7684\u57FA\u7840\u96C6\u5408\u3002"
20241
- },
20242
- system_permissions: {
20243
- label: "\u7CFB\u7EDF\u6743\u9650",
20244
- description: "\u4E0E\u7279\u5B9A\u5BF9\u8C61\u65E0\u5173\u7684\u9AD8\u7EA7\u80FD\u529B\u2014\u2014\u4F8B\u5982 manage_users\u3001view_audit_logs\u3002"
20245
- },
20246
- object_and_field_permissions: {
20247
- label: "\u5BF9\u8C61\u4E0E\u5B57\u6BB5\u6743\u9650",
20248
- description: "\u6309\u5BF9\u8C61\u7684\u589E\u5220\u6539\u67E5 + \u6309\u5B57\u6BB5\u7684\u5B57\u6BB5\u7EA7\u5B89\u5168\uFF08FLS\uFF09\u3002\u53EF\u901A\u8FC7\u77E9\u9635\u7F16\u8F91\u5668\u7F16\u8F91\uFF0C\u6216\u5728\u6B64\u5904\u7C98\u8D34 JSON\u3002"
20249
- },
20250
- tab_and_row_level_security: {
20251
- label: "\u6807\u7B7E\u9875\u4E0E\u884C\u7EA7\u5B89\u5168",
20252
- description: "\u6807\u7B7E\u9875\u53EF\u89C1\u6027\u3001RLS \u7B56\u7565\uFF0C\u4EE5\u53CA\u7528\u4E8E\u8C13\u8BCD\u6C42\u503C\u7684\u81EA\u5B9A\u4E49\u4E0A\u4E0B\u6587\u53D8\u91CF\u3002"
20253
- }
20254
- },
20255
- fields: {
20256
- name: {
20257
- label: "\u540D\u79F0",
20258
- helpText: "\u673A\u5668\u540D\uFF08snake_case\uFF09"
20259
- },
20260
- label: {
20261
- label: "\u663E\u793A\u540D\u79F0",
20262
- helpText: "\u9762\u5411\u7BA1\u7406\u5458\u663E\u793A\u7684\u6807\u7B7E"
20263
- },
20264
- isProfile: {
20265
- label: "\u662F\u5426\u914D\u7F6E\u6587\u4EF6",
20266
- helpText: "\u914D\u7F6E\u6587\u4EF6 = \u5206\u914D\u7ED9\u7528\u6237\u7684\u57FA\u7840\u96C6\u5408\u3002\u6743\u9650\u96C6 = \u9644\u52A0\u6388\u4E88\u3002"
20267
- },
20268
- systemPermissions: {
20269
- label: "\u7CFB\u7EDF\u6743\u9650",
20270
- helpText: "\u7CFB\u7EDF\u80FD\u529B\u952E\u5217\u8868"
20271
- },
20272
- objects: {
20273
- label: "\u5BF9\u8C61\u6743\u9650",
20274
- helpText: '\u793A\u4F8B\uFF1A{ "account": { allowRead: true, allowEdit: true, ... } }'
20275
- },
20276
- fields: {
20277
- label: "\u5B57\u6BB5",
20278
- helpText: '\u793A\u4F8B\uFF1A{ "account.amount": { readable: true, editable: false } }'
20279
- },
20280
- tabPermissions: {
20281
- label: "\u6807\u7B7E\u9875\u6743\u9650",
20282
- helpText: '\u793A\u4F8B\uFF1A{ "app_crm": "visible", "app_admin": "hidden" }'
20283
- },
20284
- rowLevelSecurity: {
20285
- label: "\u884C\u7EA7\u5B89\u5168",
20286
- helpText: "RLS \u7B56\u7565\u6570\u7EC4\uFF08\u53C2\u89C1 rls.zod.ts\uFF09"
20287
- },
20288
- contextVariables: {
20289
- label: "\u4E0A\u4E0B\u6587\u53D8\u91CF",
20290
- helpText: "RLS \u8C13\u8BCD\u4E2D\u5F15\u7528\u7684\u81EA\u5B9A\u4E49\u53D8\u91CF"
20291
- }
20292
- }
20293
- },
20294
- role: {
20295
- label: "\u89D2\u8272",
20296
- sections: {
20297
- role: {
20298
- label: "\u89D2\u8272\u5B9A\u4E49",
20299
- description: "\u89D2\u8272\u540D\u79F0\u4E0E\u7EE7\u627F\u5173\u7CFB"
20461
+ position: {
20462
+ label: "\u5C97\u4F4D",
20463
+ description: "\u5C97\u4F4D\u662F\u6241\u5E73\u7684\u3001\u53EF\u5206\u914D\u7684\u6743\u9650\u96C6\u7EC4\u5408(\u5982 sales_rep\u3001sales_manager)\u3002\u80FD\u529B\u5728\u6743\u9650\u96C6\u4E0A;\u53EF\u89C1\u8303\u56F4\u6DF1\u5EA6\u5728\u4E1A\u52A1\u5355\u5143\u6811\u4E0A\u3002"
20300
20464
  }
20301
20465
  },
20302
20466
  fields: {
@@ -20307,10 +20471,6 @@ var zhCNMetadataForms = {
20307
20471
  label: {
20308
20472
  label: "\u663E\u793A\u540D\u79F0"
20309
20473
  },
20310
- parent: {
20311
- label: "\u7236\u7EA7",
20312
- helpText: "\u7EE7\u627F\u7236\u89D2\u8272\u7684\u6743\u9650"
20313
- },
20314
20474
  description: {
20315
20475
  label: "\u63CF\u8FF0"
20316
20476
  }
@@ -21840,10 +22000,6 @@ var jaJPMetadataForms = {
21840
22000
  label: "\u8868\u793A\u540D",
21841
22001
  helpText: "\u7BA1\u7406\u8005\u5411\u3051\u8868\u793A\u30E9\u30D9\u30EB"
21842
22002
  },
21843
- isProfile: {
21844
- label: "\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u304B",
21845
- helpText: "Profile = \u30E6\u30FC\u30B6\u30FC\u306B\u5272\u308A\u5F53\u3066\u308B\u57FA\u672C\u30BB\u30C3\u30C8\u3002Permission Set = \u8FFD\u52A0\u6A29\u9650\u3002"
21846
- },
21847
22003
  systemPermissions: {
21848
22004
  label: "\u30B7\u30B9\u30C6\u30E0\u6A29\u9650",
21849
22005
  helpText: "\u30B7\u30B9\u30C6\u30E0\u6A5F\u80FD\u30AD\u30FC\u306E\u30EA\u30B9\u30C8"
@@ -21870,71 +22026,12 @@ var jaJPMetadataForms = {
21870
22026
  }
21871
22027
  }
21872
22028
  },
21873
- profile: {
21874
- label: "\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB",
22029
+ position: {
22030
+ label: "\u30DD\u30B8\u30B7\u30E7\u30F3",
21875
22031
  sections: {
21876
- identity: {
21877
- label: "ID",
21878
- description: "\u6A29\u9650\u30BB\u30C3\u30C8\u306F\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u306B\u8FFD\u52A0\u30A2\u30AF\u30BB\u30B9\u6A29\u3092\u91CD\u306D\u308B\u3002\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u306F\u5404\u30E6\u30FC\u30B6\u30FC\u306B 1:1 \u3067\u5272\u308A\u5F53\u3066\u308B\u57FA\u672C\u30BB\u30C3\u30C8\u3002"
21879
- },
21880
- system_permissions: {
21881
- label: "\u30B7\u30B9\u30C6\u30E0\u6A29\u9650",
21882
- description: "\u7279\u5B9A\u30AA\u30D6\u30B8\u30A7\u30AF\u30C8\u306B\u7D10\u3065\u304B\u306A\u3044\u9AD8\u30EC\u30D9\u30EB\u6A5F\u80FD \u2014 \u4F8B: manage_users, view_audit_logs\u3002"
21883
- },
21884
- object_and_field_permissions: {
21885
- label: "\u30AA\u30D6\u30B8\u30A7\u30AF\u30C8\u3068\u30D5\u30A3\u30FC\u30EB\u30C9\u6A29\u9650",
21886
- description: "\u30AA\u30D6\u30B8\u30A7\u30AF\u30C8\u5358\u4F4D\u306E CRUD + \u30D5\u30A3\u30FC\u30EB\u30C9\u5358\u4F4D\u306E FLS\u3002\u30DE\u30C8\u30EA\u30C3\u30AF\u30B9\u30A8\u30C7\u30A3\u30BF\u30FC\u3067\u7DE8\u96C6\u3001\u307E\u305F\u306F\u3053\u3053\u306B JSON \u3092\u8CBC\u308A\u4ED8\u3051\u3002"
21887
- },
21888
- tab_and_row_level_security: {
21889
- label: "\u30BF\u30D6\u3068\u884C\u30EC\u30D9\u30EB\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3",
21890
- description: "\u30BF\u30D6\u8868\u793A\u3001RLS \u30DD\u30EA\u30B7\u30FC\u3001\u8FF0\u8A9E\u8A55\u4FA1\u7528\u30AB\u30B9\u30BF\u30E0\u30B3\u30F3\u30C6\u30AD\u30B9\u30C8\u5909\u6570\u3002"
21891
- }
21892
- },
21893
- fields: {
21894
- name: {
21895
- label: "\u540D\u524D",
21896
- helpText: "\u30DE\u30B7\u30F3\u540D\uFF08snake_case\uFF09"
21897
- },
21898
- label: {
21899
- label: "\u8868\u793A\u540D",
21900
- helpText: "\u7BA1\u7406\u8005\u5411\u3051\u8868\u793A\u30E9\u30D9\u30EB"
21901
- },
21902
- isProfile: {
21903
- label: "\u30D7\u30ED\u30D5\u30A1\u30A4\u30EB\u304B",
21904
- helpText: "Profile = \u30E6\u30FC\u30B6\u30FC\u306B\u5272\u308A\u5F53\u3066\u308B\u57FA\u672C\u30BB\u30C3\u30C8\u3002Permission Set = \u8FFD\u52A0\u6A29\u9650\u3002"
21905
- },
21906
- systemPermissions: {
21907
- label: "\u30B7\u30B9\u30C6\u30E0\u6A29\u9650",
21908
- helpText: "\u30B7\u30B9\u30C6\u30E0\u6A5F\u80FD\u30AD\u30FC\u306E\u30EA\u30B9\u30C8"
21909
- },
21910
- objects: {
21911
- label: "\u30AA\u30D6\u30B8\u30A7\u30AF\u30C8\u6A29\u9650",
21912
- helpText: '\u4F8B: { "account": { allowRead: true, allowEdit: true, ... } }'
21913
- },
21914
- fields: {
21915
- label: "\u30D5\u30A3\u30FC\u30EB\u30C9",
21916
- helpText: '\u4F8B: { "account.amount": { readable: true, editable: false } }'
21917
- },
21918
- tabPermissions: {
21919
- label: "\u30BF\u30D6\u6A29\u9650",
21920
- helpText: '\u4F8B: { "app_crm": "visible", "app_admin": "hidden" }'
21921
- },
21922
- rowLevelSecurity: {
21923
- label: "\u884C\u30EC\u30D9\u30EB\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3",
21924
- helpText: "RLS \u30DD\u30EA\u30B7\u30FC\u306E\u914D\u5217\uFF08rls.zod.ts \u53C2\u7167\uFF09"
21925
- },
21926
- contextVariables: {
21927
- label: "\u30B3\u30F3\u30C6\u30AD\u30B9\u30C8\u5909\u6570",
21928
- helpText: "RLS \u8FF0\u8A9E\u3067\u53C2\u7167\u3059\u308B\u30AB\u30B9\u30BF\u30E0\u5909\u6570"
21929
- }
21930
- }
21931
- },
21932
- role: {
21933
- label: "\u30ED\u30FC\u30EB",
21934
- sections: {
21935
- role: {
21936
- label: "\u30ED\u30FC\u30EB",
21937
- description: "\u30ED\u30FC\u30EB\u306F\u30EC\u30B3\u30FC\u30C9\u5171\u6709\u306B\u4F7F\u3046\u968E\u5C64\u3092\u69CB\u6210\uFF08sales VP \u2192 sales mgr \u2192 sales rep\uFF09\u3002\u6A29\u9650\u81EA\u4F53\u306F Permission Sets \u3068 Profiles \u306B\u5B58\u5728\u3002"
22032
+ position: {
22033
+ label: "\u30DD\u30B8\u30B7\u30E7\u30F3",
22034
+ description: "\u30DD\u30B8\u30B7\u30E7\u30F3\u306F\u6A29\u9650\u30BB\u30C3\u30C8\u3092\u307E\u3068\u3081\u3066\u5272\u308A\u5F53\u3066\u308B\u30D5\u30E9\u30C3\u30C8\u306A\u5358\u4F4D(\u4F8B: sales_rep\u3001sales_manager)\u3002\u80FD\u529B\u306F\u6A29\u9650\u30BB\u30C3\u30C8\u306B\u3001\u53EF\u8996\u7BC4\u56F2\u306E\u6DF1\u3055\u306F\u30D3\u30B8\u30CD\u30B9\u30E6\u30CB\u30C3\u30C8\u30C4\u30EA\u30FC\u306B\u3042\u308A\u307E\u3059\u3002"
21938
22035
  }
21939
22036
  },
21940
22037
  fields: {
@@ -21945,10 +22042,6 @@ var jaJPMetadataForms = {
21945
22042
  label: {
21946
22043
  label: "\u8868\u793A\u540D"
21947
22044
  },
21948
- parent: {
21949
- label: "\u89AA",
21950
- helpText: "\u89AA\u30ED\u30FC\u30EB\u306E\u30DE\u30B7\u30F3\u540D\uFF08Reports To\uFF09"
21951
- },
21952
22045
  description: {
21953
22046
  label: "\u8AAC\u660E"
21954
22047
  }
@@ -23478,69 +23571,6 @@ var esESMetadataForms = {
23478
23571
  label: "Etiqueta",
23479
23572
  helpText: "Etiqueta mostrada para administradores"
23480
23573
  },
23481
- isProfile: {
23482
- label: "Es perfil",
23483
- helpText: "Profile = conjunto base asignado a usuarios. Permission Set = concesi\xF3n adicional."
23484
- },
23485
- systemPermissions: {
23486
- label: "Permisos del sistema",
23487
- helpText: "Lista de claves de capacidades del sistema"
23488
- },
23489
- objects: {
23490
- label: "Permisos de objeto",
23491
- helpText: 'Ejemplo: { "account": { allowRead: true, allowEdit: true, ... } }'
23492
- },
23493
- fields: {
23494
- label: "Campos",
23495
- helpText: 'Ejemplo: { "account.amount": { readable: true, editable: false } }'
23496
- },
23497
- tabPermissions: {
23498
- label: "Permisos de pesta\xF1a",
23499
- helpText: 'Ejemplo: { "app_crm": "visible", "app_admin": "hidden" }'
23500
- },
23501
- rowLevelSecurity: {
23502
- label: "Seguridad a nivel de fila",
23503
- helpText: "Array de pol\xEDticas RLS (ver rls.zod.ts)"
23504
- },
23505
- contextVariables: {
23506
- label: "Variables de contexto",
23507
- helpText: "Variables personalizadas referenciadas en predicados RLS"
23508
- }
23509
- }
23510
- },
23511
- profile: {
23512
- label: "Perfil",
23513
- sections: {
23514
- identity: {
23515
- label: "Identidad",
23516
- description: "Los conjuntos de permisos se apilan sobre un perfil para conceder acceso adicional. Los perfiles son el conjunto base asignado 1:1 a cada usuario."
23517
- },
23518
- system_permissions: {
23519
- label: "Permisos del sistema",
23520
- description: "Capacidades de alto nivel no vinculadas a un objeto espec\xEDfico \u2014 p. ej. manage_users, view_audit_logs."
23521
- },
23522
- object_and_field_permissions: {
23523
- label: "Permisos de objeto y campo",
23524
- description: "CRUD por objeto + FLS por campo. Edita mediante el editor matricial o pega JSON aqu\xED."
23525
- },
23526
- tab_and_row_level_security: {
23527
- label: "Pesta\xF1a y seguridad a nivel de fila",
23528
- description: "Visibilidad de pesta\xF1as, pol\xEDticas RLS y variables de contexto personalizadas para evaluar predicados."
23529
- }
23530
- },
23531
- fields: {
23532
- name: {
23533
- label: "Nombre",
23534
- helpText: "Nombre de m\xE1quina (snake_case)"
23535
- },
23536
- label: {
23537
- label: "Etiqueta",
23538
- helpText: "Etiqueta mostrada para administradores"
23539
- },
23540
- isProfile: {
23541
- label: "Es perfil",
23542
- helpText: "Profile = conjunto base asignado a usuarios. Permission Set = concesi\xF3n adicional."
23543
- },
23544
23574
  systemPermissions: {
23545
23575
  label: "Permisos del sistema",
23546
23576
  helpText: "Lista de claves de capacidades del sistema"
@@ -23567,12 +23597,12 @@ var esESMetadataForms = {
23567
23597
  }
23568
23598
  }
23569
23599
  },
23570
- role: {
23571
- label: "Rol",
23600
+ position: {
23601
+ label: "Posici\xF3n",
23572
23602
  sections: {
23573
- role: {
23574
- label: "Rol",
23575
- description: "Los roles componen una jerarqu\xEDa usada para compartir registros (sales VP \u2192 sales mgr \u2192 sales rep). Los permisos en s\xED residen en Permission Sets y Profiles."
23603
+ position: {
23604
+ label: "Posici\xF3n",
23605
+ description: "Una posici\xF3n es un conjunto plano y asignable de permission sets (p. ej. sales_rep, sales_manager). La capacidad reside en los permission sets; la profundidad de visibilidad en el \xE1rbol de unidades de negocio."
23576
23606
  }
23577
23607
  },
23578
23608
  fields: {
@@ -23583,10 +23613,6 @@ var esESMetadataForms = {
23583
23613
  label: {
23584
23614
  label: "Etiqueta"
23585
23615
  },
23586
- parent: {
23587
- label: "Padre",
23588
- helpText: "Nombre de m\xE1quina del rol padre (Reports To)"
23589
- },
23590
23616
  description: {
23591
23617
  label: "Descripci\xF3n"
23592
23618
  }
@@ -23868,6 +23894,6 @@ function createPlatformObjectsPlugin() {
23868
23894
  return new PlatformObjectsPlugin();
23869
23895
  }
23870
23896
 
23871
- export { ACCOUNT_APP, MetadataFormsTranslations, PlatformObjectsPlugin, SETUP_APP, SETUP_NAV_CONTRIBUTIONS, STUDIO_APP, SetupAppTranslations, SysAccount, SysApiKey, SysAttachment, SysBusinessUnit, SysBusinessUnitMember, SysDeviceCode, SysEmail, SysEmailTemplate, SysImportJob, SysInvitation, SysJob, SysJobQueue, SysJobRun, SysJwks, SysMember, SysNotification, SysOauthAccessToken, SysOauthApplication, SysOauthConsent, SysOauthRefreshToken, SysOrganization, SysOrganizationDetailPage, SysReportSchedule, SysSavedReport, SysScimProvider, SysSecret, SysSession, SysSetting, SysSettingAudit, SysSsoProvider, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserDetailPage, SysUserPreference, SysVerification, SystemOverviewDashboard, SystemOverviewDatasets, createPlatformObjectsPlugin, en, esES, jaJP, zhCN };
23897
+ export { ACCOUNT_APP, MetadataFormsTranslations, PlatformObjectsPlugin, SETUP_APP, SETUP_NAV_CONTRIBUTIONS, STUDIO_APP, SetupAppTranslations, SysAccount, SysApiKey, SysAttachment, SysBusinessUnit, SysBusinessUnitMember, SysDeviceCode, SysEmail, SysEmailTemplate, SysImportJob, SysInvitation, SysJob, SysJobQueue, SysJobRun, SysJwks, SysMember, SysNotification, SysOauthAccessToken, SysOauthApplication, SysOauthConsent, SysOauthRefreshToken, SysOrganization, SysOrganizationDetailPage, SysPositionDetailPage, SysReportSchedule, SysSavedReport, SysScimProvider, SysSecret, SysSession, SysSetting, SysSettingAudit, SysSsoProvider, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserDetailPage, SysUserPreference, SysVerification, SystemOverviewDashboard, SystemOverviewDatasets, createPlatformObjectsPlugin, en, esES, jaJP, zhCN };
23872
23898
  //# sourceMappingURL=index.mjs.map
23873
23899
  //# sourceMappingURL=index.mjs.map