@objectstack/platform-objects 5.0.0 → 5.2.0

@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/metadata/sys-metadata.object.ts","../../src/metadata/sys-metadata-history.object.ts"],"names":["ObjectSchema","Field"],"mappings":";;;AAgBO,IAAM,iBAAA,GAAoB,aAAa,MAAA,CAAO;AAAA,EACnD,IAAA,EAAM,cAAA;AAAA,EACN,KAAA,EAAO,iBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,+EAAA;AAAA,EAEb,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,SAAA,EAAW,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,SAAA;AAAA,MACd,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,kBAAA,EAAoB,KAAA,CAAM,MAAA,CAAO,qBAAA,EAAuB;AAAA,MACtD,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EACE;AAAA,KACH,CAAA;AAAA;AAAA,IAGD,YAAY,KAAA,CAAM,MAAA,CAAO,CAAC,SAAA,EAAW,UAAA,EAAY,MAAM,CAAA,EAAG;AAAA,MACxD,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,OAAO,KAAA,CAAM,MAAA,CAAO,CAAC,QAAA,EAAU,UAAA,EAAY,MAAM,CAAA,EAAG;AAAA,MAClD,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,QAAA,EAAU,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAAS,MAAM,IAAA,CAAK;AAAA,MAClB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,UAAU,KAAA,CAAM,MAAA,CAAO,CAAC,OAAA,EAAS,SAAS,CAAA,EAAG;AAAA,MAC3C,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU
,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,MAAA,CAAO,CAAC,SAAS,QAAA,EAAU,UAAA,EAAY,YAAY,CAAA,EAAG;AAAA,MACjE,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiB,KAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,sBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAAS,MAAM,MAAA,CAAO;AAAA,MACpB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,QAAA,EAAU,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQ,MAAM,MAAA,CAAO,CAAC,cAAc,UAAA,EAAY,KAAA,EAAO,WAAW,CAAA,EAAG;AAAA,MACnE,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,QAAA,CAAS;AAAA,MACnB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOP;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,CAAC,MAAA,EAAQ,MAAA,EAAQ,iBAAiB,CAAA;AAAA,MAC1C,MAAA,EAAQ,IAAA;AAAA,MACR,OAAA,EAAS;AAAA,KACX;AAAA,IACA,EAAE,IAAA,EAAM,2BAAA,EAA6B,QAAQ,CAAC,iBAAA,EAAmB,MAAM,CAAA,EAAE;AAAA,IACzE,EAAE,MAAA,EAAQ,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAE;AAAA,IAC5B,EAAE,MAAA,EAA
Q,CAAC,oBAAoB,CAAA,EAAE;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAE;AAAA,IACpB,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA;AAAE,GAC1B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO;AAAA;AAEX,CAAC;ACxLM,IAAM,wBAAA,GAA2BA,aAAa,MAAA,CAAO;AAAA,EAC1D,IAAA,EAAM,sBAAA;AAAA,EACN,KAAA,EAAO,kBAAA;AAAA,EACP,WAAA,EAAa,kBAAA;AAAA,EACb,IAAA,EAAM,SAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,sEAAA;AAAA,EAEb,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,MAAA,CAAO;AAAA,MACtB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQD,WAAA,EAAaA,MAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,MAAM,MAAA,CAAO;AAAA,MACpB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,cAAA,EAAgBA,MAAM,MAAA,CAAO,CAAC,UAAU,QAAA,EAAU,SAAA,EAAW,QAAA,EAAU,QAAQ,CAAA,EAAG;AAAA,MAChF,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;A
AAA,IAGD,iBAAA,EAAmBA,MAAM,IAAA,CAAK;AAAA,MAC5B,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACpC,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,mBAAmB,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,QAAQ,CAAC,iBAAA,EAAmB,QAAQ,MAAA,EAAQ,SAAS,CAAA,EAAG,MAAA,EAAQ,IAAA,EAAK;AAAA,IACvE,EAAE,MAAA,EAAQ,CAAC,mBAAmB,MAAA,EAAQ,MAAA,EAAQ,aAAa,CAAA,EAAE;AAAA,IAC7D,EAAE,MAAA,EAAQ,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAE;AAAA,IAC3B,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAE;AAAA,IAC1B,EAAE,MAAA,EAAQ,CAAC,gBAAgB,CAAA;AAAE,GAC/B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO;AAAA;AAEX,CAAC","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_metadata — System Metadata Object\n *\n * Canonical ObjectStack object definition for the metadata persistence table.\n * Stores all platform-scope and user-scope metadata records (Objects, Views,\n * Flows, etc.) 
using the MetadataRecordSchema envelope.\n *\n * This is a system object (isSystem: true) — protected from deletion and\n * automatically provisioned by the DatabaseLoader on first use.\n *\n * @see MetadataRecordSchema in metadata-persistence.zod.ts\n */\nexport const SysMetadataObject = ObjectSchema.create({\n name: 'sys_metadata',\n label: 'System Metadata',\n pluralLabel: 'System Metadata',\n icon: 'settings',\n isSystem: true,\n // managedBy: 'system' — the metadata table backs every other config\n // object. Writing rows directly here bypasses the typed Zod APIs and\n // would let an admin inject malformed payloads. The \"All Metadata\"\n // menu is therefore a read-only debug surface (Export only); typed\n // edits flow through the dedicated per-type pages (Approval Process,\n // Sharing Rule, etc.).\n managedBy: 'system',\n description: 'Stores platform and user-scope metadata records (objects, views, flows, etc.)',\n\n fields: {\n /** Primary Key (UUID) */\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n /** Machine name — unique identifier used in code references */\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n }),\n\n /** Metadata type (e.g. \"object\", \"view\", \"flow\") */\n type: Field.text({\n label: 'Metadata Type',\n required: true,\n searchable: true,\n maxLength: 100,\n }),\n\n /** Namespace / module grouping (e.g. \"crm\", \"core\") */\n namespace: Field.text({\n label: 'Namespace',\n required: false,\n defaultValue: 'default',\n maxLength: 100,\n }),\n\n /** Package that owns/delivered this metadata (legacy string identifier, kept for compat) */\n package_id: Field.text({\n label: 'Package ID',\n required: false,\n maxLength: 255,\n description: 'Legacy package manifest ID string. Use package_version_id for new records.',\n }),\n\n /**\n * FK → sys_package_version (UUID). Set for metadata that belongs to a specific\n * package release snapshot. 
NULL = platform-built-in or environment override.\n */\n package_version_id: Field.lookup('sys_package_version', {\n label: 'Package Version',\n required: false,\n description:\n 'Foreign key to sys_package_version (UUID). Null = platform-built-in or env-level override.',\n }),\n\n /** Who manages this record: package, platform, or user */\n managed_by: Field.select(['package', 'platform', 'user'], {\n label: 'Managed By',\n required: false,\n }),\n\n /** Scope: system (code), platform (admin DB), user (personal DB) */\n scope: Field.select(['system', 'platform', 'user'], {\n label: 'Scope',\n required: true,\n defaultValue: 'platform',\n }),\n\n /** JSON payload — the actual metadata configuration */\n metadata: Field.textarea({\n label: 'Metadata',\n required: true,\n description: 'JSON-serialized metadata payload',\n }),\n\n /** Parent metadata name for extension/override */\n extends: Field.text({\n label: 'Extends',\n required: false,\n maxLength: 255,\n }),\n\n /** Merge strategy when extending parent metadata */\n strategy: Field.select(['merge', 'replace'], {\n label: 'Strategy',\n required: false,\n defaultValue: 'merge',\n }),\n\n /** Owner user ID (for user-scope items) */\n owner: Field.text({\n label: 'Owner',\n required: false,\n maxLength: 255,\n }),\n\n /** Lifecycle state */\n state: Field.select(['draft', 'active', 'archived', 'deprecated'], {\n label: 'State',\n required: false,\n defaultValue: 'active',\n }),\n\n /** Organization ID for multi-tenant isolation */\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Organization for multi-tenant isolation.',\n }),\n\n /**\n * @deprecated ADR-0005 (revised 2026-05): per-env DBs replace per-project\n * isolation. `project_id` is no longer written by saveMetaItem and not\n * consulted by overlay reads. Kept for legacy rows; new writes leave it\n * NULL. 
Will be dropped in a future schema migration.\n */\n project_id: Field.lookup('sys_project', {\n label: 'Project (deprecated)',\n required: false,\n description: 'DEPRECATED. Use organization_id for tenant isolation.',\n }),\n\n /** Version number for optimistic concurrency */\n version: Field.number({\n label: 'Version',\n required: false,\n defaultValue: 1,\n }),\n\n /** Content checksum for change detection (e.g. `sha256:<64 hex>` = 71 chars) */\n checksum: Field.text({\n label: 'Checksum',\n required: false,\n maxLength: 71,\n }),\n\n /** Origin of this metadata record */\n source: Field.select(['filesystem', 'database', 'api', 'migration'], {\n label: 'Source',\n required: false,\n }),\n\n /** Classification tags (JSON array) */\n tags: Field.textarea({\n label: 'Tags',\n required: false,\n description: 'JSON-serialized array of classification tags',\n }),\n\n /** Audit fields */\n created_by: Field.lookup('sys_user', {\n label: 'Created By',\n required: false,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: false,\n readonly: true,\n }),\n\n updated_by: Field.lookup('sys_user', {\n label: 'Updated By',\n required: false,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n }),\n },\n\n indexes: [\n // ADR-0005 (revised 2026-05): overlay uniqueness is scoped by\n // (type, name, organization_id), restricted to active rows so resets\n // / archived versions don't collide. project_id is deprecated and\n // not part of the discriminator. 
The runtime layer (protocol.ts\n // ensureOverlayIndex) issues a DROP-then-CREATE migration to\n // replace any pre-existing legacy composite index in-place.\n {\n name: 'idx_sys_metadata_overlay_active',\n fields: ['type', 'name', 'organization_id'],\n unique: true,\n partial: \"state = 'active'\",\n },\n { name: 'idx_sys_metadata_org_type', fields: ['organization_id', 'type'] },\n { fields: ['type', 'scope'] },\n { fields: ['package_version_id'] },\n { fields: ['state'] },\n { fields: ['namespace'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_metadata_history — Metadata Version History / Event Log\n *\n * Append-only durable log of every overlay change made through\n * `SysMetadataRepository.put` / `delete` (ADR-0008 §10 M1). Each row is a\n * single event in the per-organisation event log; rows are NEVER\n * mutated after insertion. The legacy `DatabaseLoader` writes the same\n * shape from its own put/restore code paths.\n *\n * ─────────────────────────────────────────────────────────────────────\n * Key design points (ADR-0008 §0 amendment + M1):\n *\n * • Keyed by `(organization_id, type, name)` only — `project_id` was\n * removed in the branch/project-removal amendment.\n *\n * • `event_seq` is the per-org monotonic event-log cursor. Producers\n * compute `MAX(event_seq) + 1 WHERE organization_id = X` inside the\n * same transaction as the parent `sys_metadata` write.\n *\n * • `version` is the per-(org,type,name) lineage counter. 
Producers\n * compute `MAX(version) + 1 WHERE organization_id = X AND type = T\n * AND name = N` so delete + recreate continues incrementing instead\n * of restarting at 1.\n *\n * • `metadata_id` is plain `text` (not a `lookup`) so DELETE rows can\n * keep the now-orphaned parent id for forensic auditing without a\n * foreign-key constraint blocking the hard delete.\n *\n * • `metadata` / `checksum` are nullable — DELETE rows have no body or\n * hash. Readers must tolerate null on both columns.\n *\n * • `source` records the producer ('sys-metadata-repo', 'fs',\n * 'studio', …) and feeds MetadataEvent.source on history() reads.\n *\n * Indexes are purpose-built for the two dominant read patterns:\n * 1. per-item history view → `(organization_id, type, name, version)`\n * 2. org-wide event replay → `(organization_id, event_seq)`\n * ─────────────────────────────────────────────────────────────────────\n */\nexport const SysMetadataHistoryObject = ObjectSchema.create({\n name: 'sys_metadata_history',\n label: 'Metadata History',\n pluralLabel: 'Metadata History',\n icon: 'history',\n isSystem: true,\n managedBy: 'system',\n description: 'Durable event log of metadata overlay changes (per-org, append-only)',\n\n fields: {\n /** Primary Key (UUID) */\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n /** Per-org monotonic event sequence (durable cursor for replay). */\n event_seq: Field.number({\n label: 'Event Seq',\n required: true,\n readonly: true,\n description: 'Per-organization monotonic event log cursor.',\n }),\n\n /**\n * Parent `sys_metadata.id` at insertion time (plain text, no FK).\n * Null for events whose parent row no longer exists (e.g. some\n * delete records). 
Forensic only — joins should go through\n * `(organization_id, type, name)`.\n */\n metadata_id: Field.text({\n label: 'Metadata ID',\n required: false,\n readonly: true,\n maxLength: 64,\n }),\n\n /** Machine name (denormalized for easier querying) */\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n readonly: true,\n maxLength: 255,\n }),\n\n /** Metadata type (denormalized for easier querying) */\n type: Field.text({\n label: 'Metadata Type',\n required: true,\n searchable: true,\n readonly: true,\n maxLength: 100,\n }),\n\n /** Per-(org,type,name) lineage counter at this snapshot. */\n version: Field.number({\n label: 'Version',\n required: true,\n readonly: true,\n }),\n\n /** Type of operation that created this history entry */\n operation_type: Field.select(['create', 'update', 'publish', 'revert', 'delete'], {\n label: 'Operation Type',\n required: true,\n readonly: true,\n }),\n\n /**\n * Historical metadata snapshot (JSON payload).\n * Null for `operation_type = 'delete'` — the row carries no body.\n */\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n readonly: true,\n description: 'JSON-serialized metadata snapshot at this version (null for deletes).',\n }),\n\n /** SHA-256 checksum of metadata content (null for deletes). */\n checksum: Field.text({\n label: 'Checksum',\n required: false,\n readonly: true,\n maxLength: 80,\n }),\n\n /** Checksum of the previous version (null for the first event). */\n previous_checksum: Field.text({\n label: 'Previous Checksum',\n required: false,\n readonly: true,\n maxLength: 80,\n }),\n\n /** Human-readable description of changes (= MetadataEvent.message). */\n change_note: Field.textarea({\n label: 'Change Note',\n required: false,\n readonly: true,\n description: 'Description of what changed in this version.',\n }),\n\n /**\n * Producer of the event ('sys-metadata-repo', 'fs', 'studio',\n * 'api', …). 
Defaults to 'sys-metadata-repo' on the canonical\n * write path; preserved on history() reads as MetadataEvent.source.\n */\n source: Field.text({\n label: 'Source',\n required: false,\n readonly: true,\n maxLength: 64,\n }),\n\n /** Organization ID for multi-tenant isolation */\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n readonly: true,\n description: 'Organization for multi-tenant isolation.',\n }),\n\n /** User who made this change (= MetadataEvent.actor). */\n recorded_by: Field.lookup('sys_user', {\n label: 'Recorded By',\n required: false,\n readonly: true,\n }),\n\n /** When was this version recorded */\n recorded_at: Field.datetime({\n label: 'Recorded At',\n required: true,\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['organization_id', 'event_seq'], unique: true },\n { fields: ['organization_id', 'type', 'name', 'version'], unique: true },\n { fields: ['organization_id', 'type', 'name', 'recorded_at'] },\n { fields: ['type', 'name'] },\n { fields: ['recorded_at'] },\n { fields: ['operation_type'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list'],\n trash: false,\n },\n});\n"]}
1
+ {"version":3,"sources":["../../src/metadata/sys-metadata.object.ts","../../src/metadata/sys-metadata-history.object.ts"],"names":["ObjectSchema","Field"],"mappings":";;;AAgBO,IAAM,iBAAA,GAAoB,aAAa,MAAA,CAAO;AAAA,EACnD,IAAA,EAAM,cAAA;AAAA,EACN,KAAA,EAAO,iBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,UAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,+EAAA;AAAA,EAEb,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAI,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,SAAA,EAAW,MAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,SAAA;AAAA,MACd,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,MAAM,IAAA,CAAK;AAAA,MACrB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,kBAAA,EAAoB,KAAA,CAAM,MAAA,CAAO,qBAAA,EAAuB;AAAA,MACtD,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EACE;AAAA,KACH,CAAA;AAAA;AAAA,IAGD,YAAY,KAAA,CAAM,MAAA,CAAO,CAAC,SAAA,EAAW,UAAA,EAAY,MAAM,CAAA,EAAG;AAAA,MACxD,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,OAAO,KAAA,CAAM,MAAA,CAAO,CAAC,QAAA,EAAU,UAAA,EAAY,MAAM,CAAA,EAAG;AAAA,MAClD,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,QAAA,EAAU,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAAS,MAAM,IAAA,CAAK;AAAA,MAClB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,UAAU,KAAA,CAAM,MAAA,CAAO,CAAC,OAAA,EAAS,SAAS,CAAA,EAAG;AAAA,MAC3C,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU
,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,KAAA,EAAO,MAAM,MAAA,CAAO,CAAC,SAAS,QAAA,EAAU,UAAA,EAAY,YAAY,CAAA,EAAG;AAAA,MACjE,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiB,KAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,aAAA,EAAe;AAAA,MACtC,KAAA,EAAO,sBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,OAAA,EAAS,MAAM,MAAA,CAAO;AAAA,MACpB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc;AAAA,KACf,CAAA;AAAA;AAAA,IAGD,QAAA,EAAU,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQ,MAAM,MAAA,CAAO,CAAC,cAAc,UAAA,EAAY,KAAA,EAAO,WAAW,CAAA,EAAG;AAAA,MACnE,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,IAAA,EAAM,MAAM,QAAA,CAAS;AAAA,MACnB,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,KAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAY,MAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOP;AAAA,MACE,IAAA,EAAM,iCAAA;AAAA,MACN,MAAA,EAAQ,CAAC,MAAA,EAAQ,MAAA,EAAQ,iBAAiB,CAAA;AAAA,MAC1C,MAAA,EAAQ,IAAA;AAAA,MACR,OAAA,EAAS;AAAA,KACX;AAAA,IACA,EAAE,IAAA,EAAM,2BAAA,EAA6B,QAAQ,CAAC,iBAAA,EAAmB,MAAM,CAAA,EAAE;AAAA,IACzE,EAAE,MAAA,EAAQ,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAE;AAAA,IAC5B,EAAE,MAAA,EAA
Q,CAAC,oBAAoB,CAAA,EAAE;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAE;AAAA,IACpB,EAAE,MAAA,EAAQ,CAAC,WAAW,CAAA;AAAE,GAC1B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO;AAAA;AAEX,CAAC;ACzLM,IAAM,wBAAA,GAA2BA,aAAa,MAAA,CAAO;AAAA,EAC1D,IAAA,EAAM,sBAAA;AAAA,EACN,KAAA,EAAO,kBAAA;AAAA,EACP,WAAA,EAAa,kBAAA;AAAA,EACb,IAAA,EAAM,SAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,sEAAA;AAAA,EAEb,MAAA,EAAQ;AAAA;AAAA,IAEN,EAAA,EAAIC,MAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,SAAA,EAAWA,MAAM,MAAA,CAAO;AAAA,MACtB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,IAAA,EAAMA,MAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,OAAA,EAASA,MAAM,MAAA,CAAO;AAAA,MACpB,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,cAAA,EAAgBA,MAAM,MAAA,CAAO,CAAC,UAAU,QAAA,EAAU,SAAA,EAAW,QAAA,EAAU,QAAQ,CAAA,EAAG;AAAA,MAChF,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMD,QAAA,EAAUA,MAAM,QAAA,CAAS;AAAA,MACvB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,QAAA,EAAUA,MAAM,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,iBAAA,EAAmBA,MAAM,IAAA,CAAK;AAAA,MAC5B,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MA
AM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOD,MAAA,EAAQA,MAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW;AAAA,KACZ,CAAA;AAAA;AAAA,IAGD,eAAA,EAAiBA,KAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,KAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACpC,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,MAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,mBAAmB,WAAW,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,QAAQ,CAAC,iBAAA,EAAmB,QAAQ,MAAA,EAAQ,SAAS,CAAA,EAAG,MAAA,EAAQ,IAAA,EAAK;AAAA,IACvE,EAAE,MAAA,EAAQ,CAAC,mBAAmB,MAAA,EAAQ,MAAA,EAAQ,aAAa,CAAA,EAAE;AAAA;AAAA;AAAA,IAG7D,EAAE,MAAA,EAAQ,CAAC,mBAAmB,MAAA,EAAQ,MAAA,EAAQ,UAAU,CAAA,EAAE;AAAA,IAC1D,EAAE,MAAA,EAAQ,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAE;AAAA,IAC3B,EAAE,MAAA,EAAQ,CAAC,aAAa,CAAA,EAAE;AAAA,IAC1B,EAAE,MAAA,EAAQ,CAAC,gBAAgB,CAAA;AAAE,GAC/B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO;AAAA;AAEX,CAAC","file":"index.mjs","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_metadata — System Metadata Object\n *\n * Canonical ObjectStack object definition for the metadata persistence table.\n * Stores all platform-scope and user-scope metadata records (Objects, Views,\n * Flows, etc.) 
using the MetadataRecordSchema envelope.\n *\n * This is a system object (isSystem: true) — protected from deletion and\n * automatically provisioned by the DatabaseLoader on first use.\n *\n * @see MetadataRecordSchema in metadata-persistence.zod.ts\n */\nexport const SysMetadataObject = ObjectSchema.create({\n name: 'sys_metadata',\n label: 'System Metadata',\n pluralLabel: 'System Metadata',\n icon: 'settings',\n isSystem: true,\n // managedBy: 'system' — the metadata table backs every other config\n // object. Writing rows directly here bypasses the typed Zod APIs and\n // would let an admin inject malformed payloads. The \"All Metadata\"\n // menu is therefore a read-only debug surface (Export only); typed\n // edits flow through the dedicated per-type pages (Approval Process,\n // Sharing Rule, etc.).\n managedBy: 'system',\n description: 'Stores platform and user-scope metadata records (objects, views, flows, etc.)',\n\n fields: {\n /** Primary Key (UUID) */\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n /** Machine name — unique identifier used in code references */\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n maxLength: 255,\n }),\n\n /** Metadata type (e.g. \"object\", \"view\", \"flow\") */\n type: Field.text({\n label: 'Metadata Type',\n required: true,\n searchable: true,\n maxLength: 100,\n }),\n\n /** Namespace / module grouping (e.g. \"crm\", \"core\") */\n namespace: Field.text({\n label: 'Namespace',\n required: false,\n defaultValue: 'default',\n maxLength: 100,\n }),\n\n /** Package that owns/delivered this metadata (legacy string identifier, kept for compat) */\n package_id: Field.text({\n label: 'Package ID',\n required: false,\n maxLength: 255,\n description: 'Legacy package manifest ID string. Use package_version_id for new records.',\n }),\n\n /**\n * FK → sys_package_version (UUID). Set for metadata that belongs to a specific\n * package release snapshot. 
NULL = platform-built-in or environment override.\n */\n package_version_id: Field.lookup('sys_package_version', {\n label: 'Package Version',\n required: false,\n description:\n 'Foreign key to sys_package_version (UUID). Null = platform-built-in or env-level override.',\n }),\n\n /** Who manages this record: package, platform, or user */\n managed_by: Field.select(['package', 'platform', 'user'], {\n label: 'Managed By',\n required: false,\n }),\n\n /** Scope: system (code), platform (admin DB), user (personal DB) */\n scope: Field.select(['system', 'platform', 'user'], {\n label: 'Scope',\n required: true,\n defaultValue: 'platform',\n }),\n\n /** JSON payload — the actual metadata configuration */\n metadata: Field.textarea({\n label: 'Metadata',\n required: true,\n description: 'JSON-serialized metadata payload',\n }),\n\n /** Parent metadata name for extension/override */\n extends: Field.text({\n label: 'Extends',\n required: false,\n maxLength: 255,\n }),\n\n /** Merge strategy when extending parent metadata */\n strategy: Field.select(['merge', 'replace'], {\n label: 'Strategy',\n required: false,\n defaultValue: 'merge',\n }),\n\n /** Owner user ID (for user-scope items) */\n owner: Field.text({\n label: 'Owner',\n required: false,\n maxLength: 255,\n }),\n\n /** Lifecycle state */\n state: Field.select(['draft', 'active', 'archived', 'deprecated'], {\n label: 'State',\n required: false,\n defaultValue: 'active',\n }),\n\n /** Organization ID for multi-tenant isolation */\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Organization for multi-tenant isolation.',\n }),\n\n /**\n * @deprecated ADR-0005 (revised 2026-05): per-env DBs replace per-project\n * isolation. `project_id` is no longer written by saveMetaItem and not\n * consulted by overlay reads. Kept for legacy rows; new writes leave it\n * NULL. 
Will be dropped in a future schema migration.\n */\n project_id: Field.lookup('sys_project', {\n label: 'Project (deprecated)',\n required: false,\n description: 'DEPRECATED. Use organization_id for tenant isolation.',\n }),\n\n /** Version number for optimistic concurrency */\n version: Field.number({\n label: 'Version',\n required: false,\n defaultValue: 1,\n }),\n\n /** Content checksum for change detection (e.g. `sha256:<64 hex>` = 71 chars) */\n checksum: Field.text({\n label: 'Checksum',\n required: false,\n maxLength: 71,\n }),\n\n /** Origin of this metadata record */\n source: Field.select(['filesystem', 'database', 'api', 'migration'], {\n label: 'Source',\n required: false,\n }),\n\n /** Classification tags (JSON array) */\n tags: Field.textarea({\n label: 'Tags',\n required: false,\n description: 'JSON-serialized array of classification tags',\n }),\n\n /** Audit fields */\n created_by: Field.lookup('sys_user', {\n label: 'Created By',\n required: false,\n readonly: true,\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: false,\n readonly: true,\n }),\n\n updated_by: Field.lookup('sys_user', {\n label: 'Updated By',\n required: false,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n }),\n },\n\n indexes: [\n // ADR-0005 (revised 2026-05): overlay uniqueness is scoped by\n // (type, name, organization_id), restricted to active rows so resets\n // / archived versions don't collide. project_id is deprecated and\n // not part of the discriminator. 
The runtime layer (protocol.ts\n // ensureOverlayIndex) issues a DROP-then-CREATE migration to\n // replace any pre-existing legacy composite index in-place.\n {\n name: 'idx_sys_metadata_overlay_active',\n fields: ['type', 'name', 'organization_id'],\n unique: true,\n partial: \"state = 'active'\",\n },\n { name: 'idx_sys_metadata_org_type', fields: ['organization_id', 'type'] },\n { fields: ['type', 'scope'] },\n { fields: ['package_version_id'] },\n { fields: ['state'] },\n { fields: ['namespace'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_metadata_history — Metadata Version History / Event Log\n *\n * Append-only durable log of every overlay change made through\n * `SysMetadataRepository.put` / `delete` (ADR-0008 §10 M1). Each row is a\n * single event in the per-organisation event log; rows are NEVER\n * mutated after insertion. The legacy `DatabaseLoader` writes the same\n * shape from its own put/restore code paths.\n *\n * ─────────────────────────────────────────────────────────────────────\n * Key design points (ADR-0008 §0 amendment + M1):\n *\n * • Keyed by `(organization_id, type, name)` only — `project_id` was\n * removed in the branch/project-removal amendment. The original\n * `metadata_id` column (a downgraded plain-text version of the old\n * `sys_metadata.id` FK) was removed in the M1 follow-up — joins go\n * through `(organization_id, type, name, version)` exclusively.\n *\n * • `event_seq` is the per-org monotonic event-log cursor. Producers\n * compute `MAX(event_seq) + 1 WHERE organization_id = X` inside the\n * same transaction as the parent `sys_metadata` write.\n *\n * • `version` is the per-(org,type,name) lineage counter. 
Producers\n * compute `MAX(version) + 1 WHERE organization_id = X AND type = T\n * AND name = N` so delete + recreate continues incrementing instead\n * of restarting at 1.\n *\n * • `metadata` / `checksum` are nullable — DELETE rows have no body or\n * hash. Readers must tolerate null on both columns.\n *\n * • `source` records the producer ('sys-metadata-repo', 'fs',\n * 'studio', …) and feeds MetadataEvent.source on history() reads.\n *\n * Indexes are purpose-built for the two dominant read patterns:\n * 1. per-item history view → `(organization_id, type, name, version)`\n * 2. org-wide event replay → `(organization_id, event_seq)`\n * ─────────────────────────────────────────────────────────────────────\n */\nexport const SysMetadataHistoryObject = ObjectSchema.create({\n name: 'sys_metadata_history',\n label: 'Metadata History',\n pluralLabel: 'Metadata History',\n icon: 'history',\n isSystem: true,\n managedBy: 'system',\n description: 'Durable event log of metadata overlay changes (per-org, append-only)',\n\n fields: {\n /** Primary Key (UUID) */\n id: Field.text({\n label: 'ID',\n required: true,\n readonly: true,\n }),\n\n /** Per-org monotonic event sequence (durable cursor for replay). */\n event_seq: Field.number({\n label: 'Event Seq',\n required: true,\n readonly: true,\n description: 'Per-organization monotonic event log cursor.',\n }),\n\n /** Machine name (denormalized for easier querying) */\n name: Field.text({\n label: 'Name',\n required: true,\n searchable: true,\n readonly: true,\n maxLength: 255,\n }),\n\n /** Metadata type (denormalized for easier querying) */\n type: Field.text({\n label: 'Metadata Type',\n required: true,\n searchable: true,\n readonly: true,\n maxLength: 100,\n }),\n\n /** Per-(org,type,name) lineage counter at this snapshot. 
*/\n version: Field.number({\n label: 'Version',\n required: true,\n readonly: true,\n }),\n\n /** Type of operation that created this history entry */\n operation_type: Field.select(['create', 'update', 'publish', 'revert', 'delete'], {\n label: 'Operation Type',\n required: true,\n readonly: true,\n }),\n\n /**\n * Historical metadata snapshot (JSON payload).\n * Null for `operation_type = 'delete'` — the row carries no body.\n */\n metadata: Field.textarea({\n label: 'Metadata',\n required: false,\n readonly: true,\n description: 'JSON-serialized metadata snapshot at this version (null for deletes).',\n }),\n\n /** SHA-256 checksum of metadata content (null for deletes). */\n checksum: Field.text({\n label: 'Checksum',\n required: false,\n readonly: true,\n maxLength: 80,\n }),\n\n /** Checksum of the previous version (null for the first event). */\n previous_checksum: Field.text({\n label: 'Previous Checksum',\n required: false,\n readonly: true,\n maxLength: 80,\n }),\n\n /** Human-readable description of changes (= MetadataEvent.message). */\n change_note: Field.textarea({\n label: 'Change Note',\n required: false,\n readonly: true,\n description: 'Description of what changed in this version.',\n }),\n\n /**\n * Producer of the event ('sys-metadata-repo', 'fs', 'studio',\n * 'api', …). Defaults to 'sys-metadata-repo' on the canonical\n * write path; preserved on history() reads as MetadataEvent.source.\n */\n source: Field.text({\n label: 'Source',\n required: false,\n readonly: true,\n maxLength: 64,\n }),\n\n /** Organization ID for multi-tenant isolation */\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n readonly: true,\n description: 'Organization for multi-tenant isolation.',\n }),\n\n /** User who made this change (= MetadataEvent.actor). 
*/\n recorded_by: Field.lookup('sys_user', {\n label: 'Recorded By',\n required: false,\n readonly: true,\n }),\n\n /** When was this version recorded */\n recorded_at: Field.datetime({\n label: 'Recorded At',\n required: true,\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['organization_id', 'event_seq'], unique: true },\n { fields: ['organization_id', 'type', 'name', 'version'], unique: true },\n { fields: ['organization_id', 'type', 'name', 'recorded_at'] },\n // ADR-0009: getByHash() lookup — execution-pinned types resolve a\n // historical body by content hash via this index.\n { fields: ['organization_id', 'type', 'name', 'checksum'] },\n { fields: ['type', 'name'] },\n { fields: ['recorded_at'] },\n { fields: ['operation_type'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n apiMethods: ['get', 'list'],\n trash: false,\n },\n});\n"]}
@@ -790,6 +790,20 @@ var defaultPermissionSets = [
790
790
  operation: "select",
791
791
  using: "id = current_user.id"
792
792
  },
793
+ // Org collaborators: members can see other users in the same
794
+ // organization. Without this, owner/assignee lookups, @-mention
795
+ // suggestions, reviewer pickers and team-roster surfaces all
796
+ // collapse to just the current user. `org_user_ids` is
797
+ // pre-resolved by runtime/resolve-execution-context from
798
+ // `sys_member` for the active organization. Sensitive credential
799
+ // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep
800
+ // their stricter self-only carve-outs above.
801
+ {
802
+ name: "sys_user_org_members",
803
+ object: "sys_user",
804
+ operation: "select",
805
+ using: "id IN (current_user.org_user_ids)"
806
+ },
793
807
  {
794
808
  name: "sys_session_self",
795
809
  object: "sys_session",
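Review bot: The new `sys_user_org_members` policy widens `select` on `sys_user` from the caller's own row to every id in `current_user.org_user_ids`, and nothing in the hunk says what `id IN (current_user.org_user_ids)` evaluates to when that list is empty or was never resolved, for instance when there is no active organization. I would state the expectation next to the policy, e.g. `// An empty or unresolved org_user_ids must match no rows (fail closed).`, and pin it with a test on the resolver the comment names. The policy is row-level only, so which `sys_user` columns a fellow member may read has to be limited by field permissions elsewhere, which is not visible here. The comment also places the credential-table carve-outs "above", while `sys_session_self` follows below the new entry in this hunk. The same policy is added again in the second hunk, and the array continues outside both hunks.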
@@ -887,8 +901,14 @@ var defaultPermissionSets = [
887
901
  operation: "select",
888
902
  using: "id = current_user.id"
889
903
  },
890
- // ── Per-user visibility on better-auth tables that lack
891
- // `organization_id` (matches the `member_default` carve-outs).
904
+ // Org collaborators (read-only): see `sys_user_org_members` in
905
+ // `member_default` for rationale.
906
+ {
907
+ name: "sys_user_org_members",
908
+ object: "sys_user",
909
+ operation: "select",
910
+ using: "id IN (current_user.org_user_ids)"
911
+ },
892
912
  {
893
913
  name: "sys_session_self",
894
914
  object: "sys_session",
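Review bot: The two removed comment lines were the heading for the per-user policies on better-auth tables that lack `organization_id`, and the new `sys_user_org_members` comment replaces them instead of sitting beside them, so `sys_session_self` and the entries after it lose their explanation. I would re-insert those two lines unchanged between the new entry's closing `},` and the `sys_session_self` entry. The policy object is also a verbatim copy of the one the comment attributes to `member_default`; defining it once and referencing it from both permission sets would keep the two predicates from drifting apart if one is tightened later. The array continues outside the hunk.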
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field","PermissionSetSchema"],"mappings":";;;;;;AAYO,IAAM,OAAA,GAAUA,kBAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,EAEvD,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;
AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAA
A,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACxIM,IAAM,gBAAA,GAAmBD,kBAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA,EAEzC,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,
MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,WAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzHM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV
,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QA
AA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAm
B;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA
,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,UAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,WAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAA
A,EAAkB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAAkB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,
KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,UAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CA
AC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACvKD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpDC,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB,CAAC,cAAA,EAAgB,iBAAA,EAAmB,cAAc;AAAA,GACtE,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;A
AA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAA
A,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.js","sourcesContent":["// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n 
label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n 
description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. 
The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. 
NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. 
At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. 
Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' 
}],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 
'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 
'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". 
Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. 
Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n 
description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. 
`department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). 
Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * `viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by 
`RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: ['manage_users', 'manage_metadata', 'setup.access'],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. 
Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n 
},\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // ── Per-user visibility on better-auth tables that lack\n // `organization_id` (matches the `member_default` carve-outs).\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n 
object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
1
+ {"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field","PermissionSetSchema"],"mappings":";;;;;;AAYO,IAAM,OAAA,GAAUA,kBAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,EAEvD,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;
AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAA
A,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACxIM,IAAM,gBAAA,GAAmBD,kBAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA,EAEzC,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,
MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,WAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzHM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV
,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QA
AA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAm
B;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA
,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,UAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,WAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAA
A,EAAkB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAAkB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,
KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,UAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CA
AC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACvKD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpDC,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB,CAAC,cAAA,EAAgB,iBAAA,EAAmB,cAAc;AAAA,GACtE,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;A
AA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GAC
D,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.
js","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── 
Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n 
description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. 
The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. 
NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. 
At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. 
Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' 
}],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 
'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 
'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". 
Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. 
Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n 
description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. 
`department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). 
Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * `viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by 
`RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: ['manage_users', 'manage_metadata', 'setup.access'],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. 
Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators: members can see other users in the same\n // organization. Without this, owner/assignee lookups, @-mention\n // suggestions, reviewer pickers and team-roster surfaces all\n // collapse to just the current user. `org_user_ids` is\n // pre-resolved by runtime/resolve-execution-context from\n // `sys_member` for the active organization. Sensitive credential\n // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep\n // their stricter self-only carve-outs above.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 
'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n },\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators (read-only): see `sys_user_org_members` in\n // `member_default` for rationale.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = 
current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
@@ -788,6 +788,20 @@ var defaultPermissionSets = [
788
788
  operation: "select",
789
789
  using: "id = current_user.id"
790
790
  },
791
+ // Org collaborators: members can see other users in the same
792
+ // organization. Without this, owner/assignee lookups, @-mention
793
+ // suggestions, reviewer pickers and team-roster surfaces all
794
+ // collapse to just the current user. `org_user_ids` is
795
+ // pre-resolved by runtime/resolve-execution-context from
796
+ // `sys_member` for the active organization. Sensitive credential
797
+ // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep
798
+ // their stricter self-only carve-outs above.
799
+ {
800
+ name: "sys_user_org_members",
801
+ object: "sys_user",
802
+ operation: "select",
803
+ using: "id IN (current_user.org_user_ids)"
804
+ },
791
805
  {
792
806
  name: "sys_session_self",
793
807
  object: "sys_session",
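Review bot: The new `sys_user_org_members` policy widens `sys_user` reads from the caller's own row to every member of the active organization, but nothing in the hunk says what `id IN (current_user.org_user_ids)` evaluates to when that list is empty or was not resolved for the request. It should fail closed, and the comment is the place to record that, e.g. `// An empty or unresolved org_user_ids must match no rows; sys_user_self still returns the caller's own row.` This needs confirming against the RLS compiler, which is not visible here. The policy is row-level only, so any sensitive column on `sys_user` presumably becomes readable org-wide unless field permissions restrict it. The comment also says the self-only carve-outs are "above", while `sys_session_self` follows this entry in the array, so "below" would be accurate. The same policy is added to the viewer set in the second hunk (new lines 904–909), and the array literal starts and ends outside both hunks.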
@@ -885,8 +899,14 @@ var defaultPermissionSets = [
885
899
  operation: "select",
886
900
  using: "id = current_user.id"
887
901
  },
888
- // ── Per-user visibility on better-auth tables that lack
889
- // `organization_id` (matches the `member_default` carve-outs).
902
+ // Org collaborators (read-only): see `sys_user_org_members` in
903
+ // `member_default` for rationale.
904
+ {
905
+ name: "sys_user_org_members",
906
+ object: "sys_user",
907
+ operation: "select",
908
+ using: "id IN (current_user.org_user_ids)"
909
+ },
890
910
  {
891
911
  name: "sys_session_self",
892
912
  object: "sys_session",