@objectstack/platform-objects 4.0.5 → 4.1.0

package/dist/security/index.js

@@ -10,10 +10,52 @@ var SysRole = data.ObjectSchema.create({
   pluralLabel: "Roles",
   icon: "shield",
   isSystem: true,
+  managedBy: "config",
   description: "Role definitions for RBAC access control",
   displayNameField: "label",
   titleFormat: "{label}",
   compactLayout: ["label", "name", "active", "is_default"],
+  listViews: {
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_role" },
+      columns: ["label", "name", "is_default", "updated_at"],
+      filter: [{ field: "active", operator: "equals", value: true }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    default_roles: {
+      type: "grid",
+      name: "default_roles",
+      label: "Default",
+      data: { provider: "object", object: "sys_role" },
+      columns: ["label", "name", "description", "active"],
+      filter: [{ field: "is_default", operator: "equals", value: true }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    custom: {
+      type: "grid",
+      name: "custom",
+      label: "Custom",
+      data: { provider: "object", object: "sys_role" },
+      columns: ["label", "name", "active", "updated_at"],
+      filter: [{ field: "is_default", operator: "equals", value: false }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_roles: {
+      type: "grid",
+      name: "all_roles",
+      label: "All",
+      data: { provider: "object", object: "sys_role" },
+      columns: ["label", "name", "active", "is_default", "updated_at"],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     label: data.Field.text({
@@ -94,10 +136,42 @@ var SysPermissionSet = data.ObjectSchema.create({
   pluralLabel: "Permission Sets",
   icon: "lock",
   isSystem: true,
+  managedBy: "config",
   description: "Named permission groupings for fine-grained access control",
   displayNameField: "label",
   titleFormat: "{label}",
   compactLayout: ["label", "name", "active"],
+  listViews: {
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_permission_set" },
+      columns: ["label", "name", "description", "updated_at"],
+      filter: [{ field: "active", operator: "equals", value: true }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    inactive: {
+      type: "grid",
+      name: "inactive",
+      label: "Inactive",
+      data: { provider: "object", object: "sys_permission_set" },
+      columns: ["label", "name", "updated_at"],
+      filter: [{ field: "active", operator: "equals", value: false }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_permsets: {
+      type: "grid",
+      name: "all_permsets",
+      label: "All",
+      data: { provider: "object", object: "sys_permission_set" },
+      columns: ["label", "name", "active", "updated_at"],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     label: data.Field.text({
@@ -178,6 +252,7 @@ var SysUserPermissionSet = data.ObjectSchema.create({
   pluralLabel: "User Permission Sets",
   icon: "user-check",
   isSystem: true,
+  managedBy: "system",
   description: "Direct assignment of a permission set to a user (optionally scoped to an organization).",
   titleFormat: "{user_id} \u2192 {permission_set_id}",
   compactLayout: ["user_id", "permission_set_id", "organization_id"],
@@ -240,6 +315,7 @@ var SysRolePermissionSet = data.ObjectSchema.create({
   pluralLabel: "Role Permission Sets",
   icon: "shield-plus",
   isSystem: true,
+  managedBy: "system",
   description: "Binds a permission set to a role.",
   titleFormat: "{role_id} \u2192 {permission_set_id}",
   compactLayout: ["role_id", "permission_set_id"],
@@ -285,6 +361,337 @@ var SysRolePermissionSet = data.ObjectSchema.create({
     mru: false
   }
 });
+var SysRecordShare = data.ObjectSchema.create({
+  name: "sys_record_share",
+  label: "Record Share",
+  pluralLabel: "Record Shares",
+  icon: "share",
+  isSystem: true,
+  managedBy: "system",
+  description: "Per-record sharing grant \u2014 extends OWD with explicit access",
+  titleFormat: "{object_name}/{record_id} \u2192 {recipient_id} ({access_level})",
+  compactLayout: ["object_name", "record_id", "recipient_id", "access_level", "source"],
+  listViews: {
+    granted_to_me: {
+      type: "grid",
+      name: "granted_to_me",
+      label: "Granted to Me",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "access_level", "source", "granted_by", "created_at"],
+      filter: [
+        { field: "recipient_type", operator: "equals", value: "user" },
+        { field: "recipient_id", operator: "equals", value: "{current_user_id}" }
+      ],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    granted_by_me: {
+      type: "grid",
+      name: "granted_by_me",
+      label: "Granted by Me",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
+      filter: [
+        { field: "granted_by", operator: "equals", value: "{current_user_id}" }
+      ],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    by_object: {
+      type: "grid",
+      name: "by_object",
+      label: "By Object",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
+      sort: [{ field: "object_name", order: "asc" }, { field: "created_at", order: "desc" }],
+      grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
+      pagination: { pageSize: 100 }
+    },
+    manual_grants: {
+      type: "grid",
+      name: "manual_grants",
+      label: "Manual Grants",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "recipient_id", "access_level", "granted_by", "reason", "created_at"],
+      filter: [{ field: "source", operator: "equals", value: "manual" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    rule_grants: {
+      type: "grid",
+      name: "rule_grants",
+      label: "Rule Grants",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "recipient_id", "access_level", "source_id", "created_at"],
+      filter: [{ field: "source", operator: "in", value: ["rule", "team", "inherited"] }],
+      sort: [{ field: "source_id", order: "asc" }, { field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_shares: {
+      type: "grid",
+      name: "all_shares",
+      label: "All",
+      data: { provider: "object", object: "sys_record_share" },
+      columns: ["object_name", "record_id", "recipient_type", "recipient_id", "access_level", "source", "created_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 100 }
+    }
+  },
+  fields: {
+    id: data.Field.text({
+      label: "Share ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    // ── Target (which record is being shared) ────────────────────
+    object_name: data.Field.text({
+      label: "Object",
+      required: true,
+      maxLength: 100,
+      description: "Short object name of the shared record",
+      group: "Target"
+    }),
+    record_id: data.Field.text({
+      label: "Record",
+      required: true,
+      maxLength: 100,
+      description: "Primary key of the shared record within object_name",
+      group: "Target"
+    }),
+    // ── Recipient (who receives access) ──────────────────────────
+    recipient_type: data.Field.select(
+      ["user", "group", "role", "role_and_subordinates", "guest"],
+      {
+        label: "Recipient Type",
+        required: true,
+        defaultValue: "user",
+        description: "Kind of principal that holds the grant",
+        group: "Recipient"
+      }
+    ),
+    recipient_id: data.Field.text({
+      label: "Recipient",
+      required: true,
+      maxLength: 100,
+      description: "ID of the user/group/role that receives access",
+      group: "Recipient"
+    }),
+    access_level: data.Field.select(
+      ["read", "edit", "full"],
+      {
+        label: "Access Level",
+        required: true,
+        defaultValue: "read",
+        description: "What the recipient can do \u2014 read | edit | full (transfer/share/delete)",
+        group: "Recipient"
+      }
+    ),
+    // ── Provenance ───────────────────────────────────────────────
+    source: data.Field.select(
+      ["manual", "rule", "team", "inherited"],
+      {
+        label: "Source",
+        required: true,
+        defaultValue: "manual",
+        description: "Why this grant exists \u2014 used by the rule evaluator to reconcile",
+        group: "Provenance"
+      }
+    ),
+    source_id: data.Field.text({
+      label: "Source ID",
+      required: false,
+      maxLength: 200,
+      description: "Rule name / team id when source != manual",
+      group: "Provenance"
+    }),
+    granted_by: data.Field.lookup("sys_user", {
+      label: "Granted By",
+      required: false,
+      description: "User that created the grant (manual only)",
+      group: "Provenance"
+    }),
+    reason: data.Field.text({
+      label: "Reason",
+      required: false,
+      maxLength: 500,
+      description: "Optional free-text explanation surfaced to the recipient",
+      group: "Provenance"
+    }),
+    // ── Lifecycle ────────────────────────────────────────────────
+    created_at: data.Field.datetime({
+      label: "Created At",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      required: false,
+      group: "System"
+    })
+  },
+  indexes: [
+    // Hot path: "all records visible to user U on object O" — the
+    // middleware reads (object_name, recipient_type, recipient_id) to
+    // build the `id IN (...)` predicate on every find.
+    { fields: ["object_name", "recipient_type", "recipient_id"] },
+    // "all grants on this record" — used by the share-management UI
+    // and by canEdit() to look up explicit grants.
+    { fields: ["object_name", "record_id"] },
+    // Reconciliation key for rule-driven shares.
+    { fields: ["source", "source_id"] }
+  ]
+});
+var SysSharingRule = data.ObjectSchema.create({
+  name: "sys_sharing_rule",
+  label: "Sharing Rule",
+  pluralLabel: "Sharing Rules",
+  icon: "shield-check",
+  isSystem: true,
+  managedBy: "config",
+  // Sharing rules can now be authored visually via the Studio criteria
+  // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).
+  // We still recommend `defineSharingRule({...})` for repo-controlled
+  // baselines, but admins can safely create/edit/delete from the UI.
+  userActions: { create: true, edit: true, delete: true, import: false },
+  description: "Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.",
+  displayNameField: "name",
+  titleFormat: "{label}",
+  compactLayout: ["name", "object_name", "recipient_type", "recipient_id", "access_level", "active"],
+  listViews: {
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_sharing_rule" },
+      columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "updated_at"],
+      filter: [{ field: "active", operator: "equals", value: true }],
+      sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    inactive: {
+      type: "grid",
+      name: "inactive",
+      label: "Inactive",
+      data: { provider: "object", object: "sys_sharing_rule" },
+      columns: ["label", "object_name", "recipient_type", "recipient_id", "updated_at"],
+      filter: [{ field: "active", operator: "equals", value: false }],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    by_object: {
+      type: "grid",
+      name: "by_object",
+      label: "By Object",
+      data: { provider: "object", object: "sys_sharing_rule" },
+      columns: ["object_name", "label", "recipient_type", "access_level", "active"],
+      sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
+      grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
+      pagination: { pageSize: 100 }
+    },
+    all_rules: {
+      type: "grid",
+      name: "all_rules",
+      label: "All",
+      data: { provider: "object", object: "sys_sharing_rule" },
+      columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "active", "updated_at"],
+      sort: [{ field: "label", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
+  fields: {
+    id: data.Field.text({ label: "Rule ID", required: true, readonly: true, group: "System" }),
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: false,
+      group: "System",
+      description: "Tenant that owns this rule; null = global"
+    }),
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      maxLength: 100,
+      description: "Unique snake_case rule name",
+      group: "Identity"
+    }),
+    label: data.Field.text({
+      label: "Display Label",
+      required: true,
+      maxLength: 200,
+      group: "Identity"
+    }),
+    description: data.Field.textarea({
+      label: "Description",
+      required: false,
+      group: "Identity"
+    }),
+    object_name: data.Field.text({
+      label: "Object",
+      required: true,
+      maxLength: 100,
+      description: "Short object name (e.g. opportunity, account)",
+      group: "Target"
+    }),
+    criteria_json: data.Field.textarea({
+      label: "Criteria (FilterCondition JSON)",
+      required: false,
+      description: "JSON FilterCondition matched against records of object_name. Empty = match all.",
+      group: "Target"
+    }),
+    recipient_type: data.Field.select(
+      ["user", "team", "department", "role", "queue"],
+      {
+        label: "Recipient Type",
+        required: true,
+        defaultValue: "department",
+        description: "Kind of principal that receives access \u2014 expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).",
+        group: "Recipient"
+      }
+    ),
+    recipient_id: data.Field.text({
+      label: "Recipient",
+      required: true,
+      maxLength: 200,
+      description: "department id / team id / role name / queue name / user id depending on recipient_type",
+      group: "Recipient"
+    }),
+    access_level: data.Field.select(
+      ["read", "edit", "full"],
+      {
+        label: "Access Level",
+        required: true,
+        defaultValue: "read",
+        group: "Recipient"
+      }
+    ),
+    active: data.Field.boolean({
+      label: "Active",
+      required: false,
+      defaultValue: true,
+      description: "Only active rules participate in lifecycle evaluation",
+      group: "Lifecycle"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      required: false,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["object_name", "active"] },
+    { fields: ["name"], unique: true },
+    { fields: ["organization_id"] }
+  ]
+});
 var BETTER_AUTH_MANAGED_OBJECTS = [
   "sys_user",
   "sys_account",
@@ -362,6 +769,15 @@ var defaultPermissionSets = [
       },
       // ── better-auth system tables that lack `organization_id` and would
       //    otherwise be left unprotected by the wildcard rule above. ────
+      //
+      // The security plugin's RLS injector treats wildcard policies that
+      // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a
+      // per-object policy contributes an alternate match. Each `*_self`
+      // policy below restores per-user visibility on a better-auth table
+      // that has `user_id` but no `organization_id`. Tables without
+      // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)
+      // stay DENY for non-admins by design — only platform admins (via
+      // `admin_full_access`, which has no RLS) should inspect them.
       {
         name: "sys_organization_self",
         object: "sys_organization",
@@ -373,6 +789,66 @@ var defaultPermissionSets = [
         object: "sys_user",
         operation: "select",
         using: "id = current_user.id"
+      },
+      {
+        name: "sys_session_self",
+        object: "sys_session",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_account_self",
+        object: "sys_account",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_team_member_self",
+        object: "sys_team_member",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_two_factor_self",
+        object: "sys_two_factor",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_user_preference_self",
+        object: "sys_user_preference",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_api_key_self",
+        object: "sys_api_key",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_device_code_self",
+        object: "sys_device_code",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_access_token_self",
+        object: "sys_oauth_access_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_refresh_token_self",
+        object: "sys_oauth_refresh_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_consent_self",
+        object: "sys_oauth_consent",
+        operation: "all",
+        using: "user_id = current_user.id"
       }
     ]
   }),
@@ -410,14 +886,78 @@ var defaultPermissionSets = [
         object: "sys_user",
         operation: "select",
         using: "id = current_user.id"
+      },
+      // ── Per-user visibility on better-auth tables that lack
+      //    `organization_id` (matches the `member_default` carve-outs).
+      {
+        name: "sys_session_self",
+        object: "sys_session",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_account_self",
+        object: "sys_account",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_team_member_self",
+        object: "sys_team_member",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_two_factor_self",
+        object: "sys_two_factor",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_user_preference_self",
+        object: "sys_user_preference",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_api_key_self",
+        object: "sys_api_key",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_device_code_self",
+        object: "sys_device_code",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_access_token_self",
+        object: "sys_oauth_access_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_refresh_token_self",
+        object: "sys_oauth_refresh_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_consent_self",
+        object: "sys_oauth_consent",
+        operation: "select",
+        using: "user_id = current_user.id"
       }
     ]
   })
 ];
 
 exports.SysPermissionSet = SysPermissionSet;
+exports.SysRecordShare = SysRecordShare;
 exports.SysRole = SysRole;
 exports.SysRolePermissionSet = SysRolePermissionSet;
+exports.SysSharingRule = SysSharingRule;
 exports.SysUserPermissionSet = SysUserPermissionSet;
 exports.defaultPermissionSets = defaultPermissionSets;
 //# sourceMappingURL=index.js.map