@objectstack/platform-objects 6.8.1 → 7.0.0

package/dist/security/index.js

@@ -342,6 +342,24 @@ var SysPermissionSet = data.ObjectSchema.create({
       description: "JSON-serialized field-level read/write permissions",
       group: "Permissions"
     }),
+    system_permissions: data.Field.textarea({
+      label: "System Permissions",
+      required: false,
+      description: 'JSON-serialized array of system capability names (e.g. ["setup.access","studio.access","manage_users"])',
+      group: "Permissions"
+    }),
+    row_level_security: data.Field.textarea({
+      label: "Row-Level Security",
+      required: false,
+      description: "JSON-serialized array of row-level security policies (USING/CHECK clauses)",
+      group: "Permissions"
+    }),
+    tab_permissions: data.Field.textarea({
+      label: "Tab Permissions",
+      required: false,
+      description: "JSON-serialized map of app tab visibility (visible | hidden | default_on | default_off)",
+      group: "Permissions"
+    }),
     // ── Status ───────────────────────────────────────────────────
     active: data.Field.boolean({
       label: "Active",
@@ -827,6 +845,200 @@ var SysSharingRule = data.ObjectSchema.create({
     { fields: ["organization_id"] }
   ]
 });
+var SysShareLink = data.ObjectSchema.create({
+  name: "sys_share_link",
+  label: "Share Link",
+  pluralLabel: "Share Links",
+  icon: "link-2",
+  isSystem: true,
+  managedBy: "system",
+  description: "Opaque capability token granting access to a single record. Notion/Figma-style public link sharing.",
+  titleFormat: "{object_name}/{record_id} ({permission})",
+  compactLayout: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at"],
+  listViews: {
+    active_links: {
+      type: "grid",
+      name: "active_links",
+      label: "Active",
+      data: { provider: "object", object: "sys_share_link" },
+      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "use_count", "last_used_at"],
+      filter: [{ field: "revoked_at", operator: "isNull" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 100 }
+    },
+    by_me: {
+      type: "grid",
+      name: "by_me",
+      label: "Created by Me",
+      data: { provider: "object", object: "sys_share_link" },
+      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at"],
+      filter: [{ field: "created_by", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 100 }
+    },
+    revoked: {
+      type: "grid",
+      name: "revoked",
+      label: "Revoked",
+      data: { provider: "object", object: "sys_share_link" },
+      columns: ["object_name", "record_id", "revoked_at", "created_by"],
+      filter: [{ field: "revoked_at", operator: "isNotNull" }],
+      sort: [{ field: "revoked_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_links: {
+      type: "grid",
+      name: "all_links",
+      label: "All",
+      data: { provider: "object", object: "sys_share_link" },
+      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at", "created_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 200 }
+    }
+  },
+  fields: {
+    id: data.Field.text({
+      label: "Link ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    // ── Token (the secret) ───────────────────────────────────────
+    token: data.Field.text({
+      label: "Token",
+      required: true,
+      maxLength: 64,
+      description: "Opaque URL-safe random token (\u2265 22 chars). The only secret in this row.",
+      group: "Token"
+    }),
+    // ── Target ───────────────────────────────────────────────────
+    object_name: data.Field.text({
+      label: "Object",
+      required: true,
+      maxLength: 100,
+      description: "Short object name of the shared record (e.g. ai_conversation, contracts_contract)",
+      group: "Target"
+    }),
+    record_id: data.Field.text({
+      label: "Record",
+      required: true,
+      maxLength: 100,
+      description: "Primary key of the shared record within object_name",
+      group: "Target"
+    }),
+    // ── Access Policy ────────────────────────────────────────────
+    permission: data.Field.select(
+      [
+        { label: "View", value: "view" },
+        { label: "Comment", value: "comment" },
+        { label: "Edit", value: "edit" }
+      ],
+      {
+        label: "Permission",
+        required: true,
+        defaultValue: "view",
+        description: "What the link holder can do with the record",
+        group: "Access Policy"
+      }
+    ),
+    audience: data.Field.select(
+      [
+        { label: "Public (indexable)", value: "public" },
+        { label: "Anyone with the link", value: "link_only" },
+        { label: "Signed-in users", value: "signed_in" },
+        { label: "Specific emails", value: "email" }
+      ],
+      {
+        label: "Audience",
+        required: true,
+        defaultValue: "link_only",
+        description: "Gating layer applied on top of the token check",
+        group: "Access Policy"
+      }
+    ),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      description: "When set, resolveToken returns null after this timestamp",
+      group: "Access Policy"
+    }),
+    email_allowlist: data.Field.json({
+      label: "Email Allowlist",
+      description: "Lowercased addresses checked when audience=email",
+      group: "Access Policy"
+    }),
+    password_hash: data.Field.text({
+      label: "Password Hash",
+      maxLength: 256,
+      description: "Argon2/bcrypt hash. When set, the UI prompts for a password before rendering.",
+      group: "Access Policy"
+    }),
+    redact_fields: data.Field.json({
+      label: "Per-Link Redactions",
+      description: "Extra fields stripped from the response, on top of the object-default set",
+      group: "Access Policy"
+    }),
+    label: data.Field.text({
+      label: "Label",
+      maxLength: 200,
+      description: 'Free-text shown in the share dialog (e.g. "ACME Q3 contract")',
+      group: "Metadata"
+    }),
+    // ── Lifecycle ────────────────────────────────────────────────
+    revoked_at: data.Field.datetime({
+      label: "Revoked At",
+      readonly: true,
+      description: "When set, the link is permanently disabled",
+      group: "Lifecycle"
+    }),
+    created_by: data.Field.lookup("sys_user", {
+      label: "Created By",
+      readonly: true,
+      description: "Issuer of the link",
+      group: "Lifecycle"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "Lifecycle"
+    }),
+    last_used_at: data.Field.datetime({
+      label: "Last Used At",
+      readonly: true,
+      description: "Stamped by resolveToken; used by the dashboard to highlight active links",
+      group: "Lifecycle"
+    }),
+    use_count: data.Field.number({
+      label: "Use Count",
+      defaultValue: 0,
+      readonly: true,
+      description: "Incremented by resolveToken on every successful resolution",
+      group: "Lifecycle"
+    })
+  },
+  indexes: [
+    // Hot path: resolveToken — one row lookup per public request.
+    { fields: ["token"], unique: true },
+    // Management UI: "all links for this record".
+    { fields: ["object_name", "record_id"] },
+    // "Active links I issued".
+    { fields: ["created_by", "revoked_at"] },
+    // Reaper for expired rows (background sweep).
+    { fields: ["expires_at"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    // The /api/v1/share-links endpoints are the authoritative surface;
+    // the generic data API is exposed read-only for the admin grid.
+    apiMethods: ["get", "list"],
+    trash: false,
+    mru: false,
+    clone: false
+  }
+});
 var BETTER_AUTH_MANAGED_OBJECTS = [
   "sys_user",
   "sys_account",
@@ -867,7 +1079,176 @@ var defaultPermissionSets = [
         modifyAllRecords: true
       }
     },
-    systemPermissions: ["manage_users", "manage_metadata", "setup.access", "studio.access"]
+    systemPermissions: [
+      "manage_users",
+      "manage_metadata",
+      "manage_platform_settings",
+      "setup.access",
+      "studio.access"
+    ]
+  }),
+  // ── Organization Administrator ──────────────────────────────────────
+  //
+  // Third tier between platform admin (`admin_full_access`) and rank-and-file
+  // member. Lives at the *organization* scope: full CRUD on business
+  // objects within their org (governed by `tenant_isolation` RLS), plus
+  // `setup.access` so the Setup app shell is reachable.
+  //
+  // **Deliberately withheld** vs `admin_full_access`:
+  //   - `studio.access` — schema-design surfaces are platform-level (a
+  //     tenant cannot mutate the shared metadata) and Studio is hidden.
+  //   - `manage_metadata` — same reasoning.
+  //   - `manage_platform_settings` — global settings manifests
+  //     (mail / storage / AI / knowledge) and platform-only Setup pages
+  //     (sharing rules, audit logs, OAuth apps, JWKS, …) require this
+  //     and are hidden / 403'd for org admins. Tenant-scoped manifests
+  //     (`branding`, `feature_flags`) keep using `setup.access` so org
+  //     admins CAN configure their own org's branding.
+  //
+  // **Anti-escalation**: writes to the global RBAC tables
+  // (`sys_role`, `sys_permission_set`, `sys_role_permission_set`,
+  // `sys_user_permission_set`, `sys_user_role`) are denied. Allowing
+  // them would let an org admin bind `admin_full_access` (which has no
+  // RLS) to themselves and break out of tenant isolation. Reads are
+  // permitted so the Roles / Permission Sets nav entries still render.
+  //
+  // Auto-granted to every `sys_member` whose role contains `owner` or
+  // `admin` by `plugin-security/src/auto-org-admin-grant.ts`.
+  security.PermissionSetSchema.parse({
+    name: "organization_admin",
+    label: "Organization Administrator",
+    isProfile: true,
+    objects: {
+      "*": {
+        allowRead: true,
+        allowCreate: true,
+        allowEdit: true,
+        allowDelete: true,
+        viewAllRecords: true,
+        modifyAllRecords: true
+      },
+      // Identity tables — go through better-auth endpoints (invite,
+      // accept, remove-member, transfer, …) rather than raw CRUD.
+      ...denyWritesOnManagedObjects(),
+      // RBAC tables — read-only to prevent privilege escalation.
+      sys_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
+      sys_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
+      sys_role_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
+      sys_user_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
+      sys_user_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false }
+    },
+    systemPermissions: ["manage_org_users", "setup.access"],
+    rowLevelSecurity: [
+      {
+        name: "tenant_isolation",
+        object: "*",
+        operation: "all",
+        using: "organization_id = current_user.organization_id"
+      },
+      // ── better-auth system tables that lack `organization_id` and would
+      //    otherwise be denied by the wildcard policy. Same self-only
+      //    carve-outs as `member_default` — an org admin does not get to
+      //    inspect cross-tenant identity rows.
+      {
+        name: "sys_organization_self",
+        object: "sys_organization",
+        operation: "all",
+        using: "id = current_user.organization_id"
+      },
+      {
+        name: "sys_user_self",
+        object: "sys_user",
+        operation: "select",
+        using: "id = current_user.id"
+      },
+      {
+        name: "sys_user_org_members",
+        object: "sys_user",
+        operation: "select",
+        using: "id IN (current_user.org_user_ids)"
+      },
+      {
+        name: "sys_session_self",
+        object: "sys_session",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_account_self",
+        object: "sys_account",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_team_member_self",
+        object: "sys_team_member",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_two_factor_self",
+        object: "sys_two_factor",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_user_preference_self",
+        object: "sys_user_preference",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_api_key_self",
+        object: "sys_api_key",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_device_code_self",
+        object: "sys_device_code",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_access_token_self",
+        object: "sys_oauth_access_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_refresh_token_self",
+        object: "sys_oauth_refresh_token",
+        operation: "select",
+        using: "user_id = current_user.id"
+      },
+      {
+        name: "sys_oauth_consent_self",
+        object: "sys_oauth_consent",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
+      // Org-scoped visibility for organization-owned identity-adjacent
+      // tables. Org admins may inspect their own org's invitations and
+      // memberships (read; writes still flow through better-auth).
+      {
+        name: "sys_member_org",
+        object: "sys_member",
+        operation: "select",
+        using: "organization_id = current_user.organization_id"
+      },
+      {
+        name: "sys_invitation_org",
+        object: "sys_invitation",
+        operation: "select",
+        using: "organization_id = current_user.organization_id"
+      },
+      {
+        name: "sys_team_org",
+        object: "sys_team",
+        operation: "select",
+        using: "organization_id = current_user.organization_id"
+      }
+    ]
   }),
   security.PermissionSetSchema.parse({
     name: "member_default",
@@ -1112,6 +1493,7 @@ exports.SysPermissionSet = SysPermissionSet;
 exports.SysRecordShare = SysRecordShare;
 exports.SysRole = SysRole;
 exports.SysRolePermissionSet = SysRolePermissionSet;
+exports.SysShareLink = SysShareLink;
 exports.SysSharingRule = SysSharingRule;
 exports.SysUserPermissionSet = SysUserPermissionSet;
 exports.defaultPermissionSets = defaultPermissionSets;