@objectstack/platform-objects 7.0.0 → 7.2.0

package/dist/index.d.mts

@@ -2,7 +2,7 @@ export { SysAccount, SysApiKey, SysDepartment, SysDepartmentMember, SysDeviceCod
 export { SysPermissionSet, SysRecordShare, SysRole, SysRolePermissionSet, SysShareLink, SysSharingRule, SysUserPermissionSet, defaultPermissionSets } from './security/index.mjs';
 export { SysActivity, SysApprovalAction, SysApprovalProcess, SysApprovalRequest, SysAttachment, SysAuditLog, SysComment, SysEmail, SysEmailTemplate, SysJob, SysJobQueue, SysJobRun, SysNotification, SysPresence, SysReportSchedule, SysSavedReport } from './audit/index.mjs';
 export { SysWebhook } from './integration/index.mjs';
-export { SysMetadata, SysMetadataHistoryObject, SysMetadata as SysMetadataObject } from './metadata/index.mjs';
+export { SysMetadata, SysMetadataAuditObject, SysMetadataHistoryObject, SysMetadata as SysMetadataObject } from './metadata/index.mjs';
 export { SysSecret, SysSetting, SysSettingAudit } from './system/index.mjs';
 export { ACCOUNT_APP, SETUP_APP, STUDIO_APP, SetupAppTranslations, SystemOverviewDashboard, en, esES, jaJP, zhCN } from './apps/index.mjs';
 export { SysOrganizationDetailPage, SysUserDetailPage } from './pages/index.mjs';

package/dist/index.d.ts

@@ -2,7 +2,7 @@ export { SysAccount, SysApiKey, SysDepartment, SysDepartmentMember, SysDeviceCod
 export { SysPermissionSet, SysRecordShare, SysRole, SysRolePermissionSet, SysShareLink, SysSharingRule, SysUserPermissionSet, defaultPermissionSets } from './security/index.js';
 export { SysActivity, SysApprovalAction, SysApprovalProcess, SysApprovalRequest, SysAttachment, SysAuditLog, SysComment, SysEmail, SysEmailTemplate, SysJob, SysJobQueue, SysJobRun, SysNotification, SysPresence, SysReportSchedule, SysSavedReport } from './audit/index.js';
 export { SysWebhook } from './integration/index.js';
-export { SysMetadata, SysMetadataHistoryObject, SysMetadata as SysMetadataObject } from './metadata/index.js';
+export { SysMetadata, SysMetadataAuditObject, SysMetadataHistoryObject, SysMetadata as SysMetadataObject } from './metadata/index.js';
 export { SysSecret, SysSetting, SysSettingAudit } from './system/index.js';
 export { ACCOUNT_APP, SETUP_APP, STUDIO_APP, SetupAppTranslations, SystemOverviewDashboard, en, esES, jaJP, zhCN } from './apps/index.js';
 export { SysOrganizationDetailPage, SysUserDetailPage } from './pages/index.js';

package/dist/index.js

@@ -12,6 +12,9 @@ var SysUser = data.ObjectSchema.create({
   icon: "user",
   isSystem: true,
   managedBy: "better-auth",
+  // ADR-0010 — identity table is managed by better-auth, schema must not drift.
+  _lock: "full",
+  _lockReason: "Identity table managed by better-auth \u2014 see ADR-0010.",
   description: "User accounts for authentication",
   displayNameField: "name",
   titleFormat: "{name}",
@@ -603,7 +606,7 @@ var SysAccount = data.ObjectSchema.create({
       mode: "create",
       locations: ["list_toolbar"],
       type: "url",
-      target: "/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/apps/account/sys_account",
+      target: "/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/_console/apps/account/sys_account",
       params: [
         {
           name: "provider",
@@ -2397,7 +2400,7 @@ var SysOauthApplication = data.ObjectSchema.create({
       locations: ["list_toolbar"],
       type: "api",
       method: "POST",
-      target: "/api/v1/auth/oauth2/register",
+      target: "/api/v1/auth/sys-oauth-application/register",
       refreshAfter: true,
       params: [
         { name: "name", label: "Application Name", type: "text", required: true },
@@ -4206,6 +4209,16 @@ var defaultPermissionSets = [
         operation: "all",
         using: "user_id = current_user.id"
       },
+      // OAuth applications a user has registered themselves (self-service
+      // developer flow exposed in the Account app's Developer section).
+      // `sys_oauth_application` has no `organization_id` so the wildcard
+      // `tenant_isolation` policy would otherwise deny every row.
+      {
+        name: "sys_oauth_application_self",
+        object: "sys_oauth_application",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
       // Org-scoped visibility for organization-owned identity-adjacent
       // tables. Org admins may inspect their own org's invitations and
       // memberships (read; writes still flow through better-auth).
@@ -4358,6 +4371,16 @@ var defaultPermissionSets = [
         object: "sys_oauth_consent",
         operation: "all",
         using: "user_id = current_user.id"
+      },
+      // OAuth applications a user has registered themselves (Account →
+      // Developer → OAuth Applications). `sys_oauth_application` has no
+      // `organization_id`, so without this carve-out the wildcard
+      // `tenant_isolation` policy returns zero rows even for the owner.
+      {
+        name: "sys_oauth_application_self",
+        object: "sys_oauth_application",
+        operation: "all",
+        using: "user_id = current_user.id"
       }
     ]
   }),
@@ -6904,6 +6927,135 @@ var SysMetadataHistoryObject = data.ObjectSchema.create({
     trash: false
   }
 });
+var SysMetadataAuditObject = data.ObjectSchema.create({
+  name: "sys_metadata_audit",
+  label: "Metadata Audit",
+  pluralLabel: "Metadata Audit",
+  icon: "shield-check",
+  isSystem: true,
+  managedBy: "append-only",
+  description: "Append-only audit trail of metadata write decisions (ADR-0010).",
+  fields: {
+    /** Primary Key (UUID) */
+    id: data.Field.text({
+      label: "ID",
+      required: true,
+      readonly: true
+    }),
+    /** When the decision was made (ISO-8601 UTC). */
+    occurred_at: data.Field.datetime({
+      label: "Occurred At",
+      required: true,
+      readonly: true
+    }),
+    /** Acting principal (user id, system id, or 'system'). */
+    actor: data.Field.text({
+      label: "Actor",
+      required: true,
+      readonly: true,
+      maxLength: 255,
+      description: 'Acting principal \u2014 user id, system id, or "system".'
+    }),
+    /** Code path that produced the decision (e.g. `protocol.saveMetaItem`). */
+    source: data.Field.text({
+      label: "Source",
+      required: false,
+      readonly: true,
+      maxLength: 128
+    }),
+    /** Metadata type (singular, e.g. `app`, `object`, `view`). */
+    type: data.Field.text({
+      label: "Metadata Type",
+      required: true,
+      readonly: true,
+      searchable: true,
+      maxLength: 100
+    }),
+    /** Item machine name. */
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      readonly: true,
+      searchable: true,
+      maxLength: 255
+    }),
+    /** Organization for multi-tenant filtering. NULL for env-wide writes. */
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: false,
+      readonly: true
+    }),
+    /** Operation kind. */
+    operation: data.Field.select(["save", "publish", "rollback", "delete", "reset"], {
+      label: "Operation",
+      required: true,
+      readonly: true
+    }),
+    /** Decision outcome — allowed, denied (refused), or forced (bypassed via override). */
+    outcome: data.Field.select(["allowed", "denied", "forced"], {
+      label: "Outcome",
+      required: true,
+      readonly: true
+    }),
+    /**
+     * Machine-readable code for the decision:
+     *  - on `allowed`: `'ok'`
+     *  - on `denied`: `'not_overridable'` | `'not_creatable'` |
+     *    `'item_locked'` | `'invalid_metadata'` | `'destructive_change'` |
+     *    `'metadata_conflict'`
+     *  - on `forced`: `'lock_override'` (Phase 3)
+     */
+    code: data.Field.text({
+      label: "Code",
+      required: true,
+      readonly: true,
+      maxLength: 64
+    }),
+    /**
+     * Lock state observed at the time of the decision (`none` if the
+     * item carried no `_lock`). Captured even on `allowed` rows so
+     * later compliance queries can see "what was the lock state when
+     * this write succeeded".
+     */
+    lock_state: data.Field.select(["none", "no-overlay", "no-delete", "full"], {
+      label: "Lock State",
+      required: false,
+      readonly: true
+    }),
+    /** True when the write succeeded by bypassing a lock (Phase 3). */
+    lock_overridden: data.Field.boolean({
+      label: "Lock Overridden",
+      required: false,
+      readonly: true
+    }),
+    /** Optional request correlation id for tracing. */
+    request_id: data.Field.text({
+      label: "Request ID",
+      required: false,
+      readonly: true,
+      maxLength: 128
+    }),
+    /** Optional free-form context (e.g. brief diff summary). */
+    note: data.Field.textarea({
+      label: "Note",
+      required: false,
+      readonly: true
+    })
+  },
+  indexes: [
+    { fields: ["organization_id", "occurred_at"] },
+    { fields: ["type", "name", "occurred_at"] },
+    { fields: ["actor", "occurred_at"] },
+    { fields: ["outcome"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list"],
+    trash: false
+  }
+});
 var SysSetting = data.ObjectSchema.create({
   name: "sys_setting",
   label: "Setting",
@@ -7297,6 +7449,9 @@ var SETUP_APP = {
   icon: "settings",
   active: true,
   isDefault: false,
+  // ADR-0010 — core admin UI must not be overlay-edited or deleted.
+  _lock: "full",
+  _lockReason: "Core admin UI shipped by @objectstack/platform-objects \u2014 see ADR-0010.",
   branding: {
     primaryColor: "#475569"
     // Slate-600 — neutral admin palette
@@ -7787,21 +7942,20 @@ var ACCOUNT_APP = {
   // manage their own 2FA / linked accounts / personal OAuth apps. RLS on
   // each object scopes rows to the caller.
   navigation: [
-    // Profile is the canonical landing — name, email, avatar, verification
-    // status. Uses `type: 'object' + recordId: '{current_user_id}'` so it
-    // resolves to the sys_user record page; the slotted SysUserDetailPage
-    // (kind: 'slotted', isDefault: true) tailors that page into a proper
-    // self-service profile (highlight chips, grouped detail sections, no
-    // Discussion thread) without losing the record-context features
-    // (related lists, header actions, RLS-aware edit).
+    // Profile is the canonical landing — a hand-written React settings card
+    // (Vercel/Linear style) registered in the Console SPA as
+    // `account:profile_card`. The renderer reads the current user via
+    // `useAuth()` and writes via `client.auth.updateUser`, so there is no
+    // sys_user record context here — this is intentional. The admin-facing
+    // sys_user record page (see `pages/sys-user.page.ts`) stays focused on
+    // record browsing (Identity/Audit fields, related lists, admin actions)
+    // and is reached through Setup, never from the Account App.
     {
       id: "nav_account_profile",
-      type: "object",
+      type: "component",
       label: "Profile",
-      objectName: "sys_user",
-      recordId: "{current_user_id}",
-      icon: "user-circle",
-      requiresObject: "sys_user"
+      componentRef: "account:profile_card",
+      icon: "user-circle"
     },
     // --- Inbox & work assigned to me -----------------------------------
     // Notifications, approvals waiting on me, and the orgs I belong to.
@@ -7905,16 +8059,14 @@ var ACCOUNT_APP = {
           requiresObject: "sys_oauth_application"
         }
       ]
-    },
-    {
-      id: "nav_account_preferences",
-      type: "object",
-      label: "Preferences",
-      objectName: "sys_user_preference",
-      viewName: "mine",
-      icon: "sliders-horizontal",
-      requiresObject: "sys_user_preference"
     }
+    // Note: `sys_user_preference` is intentionally NOT exposed in the
+    // Account App. It's an internal key-value store the UI uses for state
+    // like `ui.recent`, `ui.favorites`, theme, sidebar collapse — not
+    // a user-curatable settings surface. A future
+    // `account:preferences_card` React component should provide the
+    // curated theme / locale / timezone / notifications toggles when we
+    // need them; until then there is no nav entry.
   ]
 };
 var SystemOverviewDashboard = ui.Dashboard.create({
@@ -11133,8 +11285,7 @@ var en = {
         nav_account_linked: { label: "Linked Accounts" },
         nav_account_sessions: { label: "Active Sessions" },
         nav_account_api_keys: { label: "API Keys" },
-        nav_account_oauth_apps: { label: "OAuth Applications" },
-        nav_account_preferences: { label: "Preferences" }
+        nav_account_oauth_apps: { label: "OAuth Applications" }
       }
     },
     setup: {
@@ -14345,8 +14496,7 @@ var zhCN = {
         nav_account_linked: { label: "\u5DF2\u5173\u8054\u8D26\u6237" },
         nav_account_sessions: { label: "\u6D3B\u52A8\u4F1A\u8BDD" },
         nav_account_api_keys: { label: "API \u5BC6\u94A5" },
-        nav_account_oauth_apps: { label: "OAuth \u5E94\u7528" },
-        nav_account_preferences: { label: "\u504F\u597D\u8BBE\u7F6E" }
+        nav_account_oauth_apps: { label: "OAuth \u5E94\u7528" }
       }
     },
     setup: {
@@ -17518,8 +17668,7 @@ var jaJP = {
         nav_account_linked: { label: "\u9023\u643A\u30A2\u30AB\u30A6\u30F3\u30C8" },
         nav_account_sessions: { label: "\u30A2\u30AF\u30C6\u30A3\u30D6\u30BB\u30C3\u30B7\u30E7\u30F3" },
         nav_account_api_keys: { label: "API \u30AD\u30FC" },
-        nav_account_oauth_apps: { label: "OAuth \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3" },
-        nav_account_preferences: { label: "\u74B0\u5883\u8A2D\u5B9A" }
+        nav_account_oauth_apps: { label: "OAuth \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3" }
       }
     },
     setup: {
@@ -20691,8 +20840,7 @@ var esES = {
         nav_account_linked: { label: "Cuentas vinculadas" },
         nav_account_sessions: { label: "Sesiones activas" },
         nav_account_api_keys: { label: "Claves API" },
-        nav_account_oauth_apps: { label: "Aplicaciones OAuth" },
-        nav_account_preferences: { label: "Preferencias" }
+        nav_account_oauth_apps: { label: "Aplicaciones OAuth" }
       }
     },
     setup: {
@@ -26016,6 +26164,7 @@ exports.SysJobRun = SysJobRun;
 exports.SysJwks = SysJwks;
 exports.SysMember = SysMember;
 exports.SysMetadata = SysMetadataObject;
+exports.SysMetadataAuditObject = SysMetadataAuditObject;
 exports.SysMetadataHistoryObject = SysMetadataHistoryObject;
 exports.SysMetadataObject = SysMetadataObject;
 exports.SysNotification = SysNotification;