@objectstack/platform-objects 7.0.0 → 7.2.0

package/dist/index.mjs

@@ -10,6 +10,9 @@ var SysUser = ObjectSchema.create({
   icon: "user",
   isSystem: true,
   managedBy: "better-auth",
+  // ADR-0010 — identity table is managed by better-auth, schema must not drift.
+  _lock: "full",
+  _lockReason: "Identity table managed by better-auth \u2014 see ADR-0010.",
   description: "User accounts for authentication",
   displayNameField: "name",
   titleFormat: "{name}",
@@ -601,7 +604,7 @@ var SysAccount = ObjectSchema.create({
       mode: "create",
       locations: ["list_toolbar"],
       type: "url",
-      target: "/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/apps/account/sys_account",
+      target: "/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/_console/apps/account/sys_account",
       params: [
         {
           name: "provider",
@@ -2395,7 +2398,7 @@ var SysOauthApplication = ObjectSchema.create({
       locations: ["list_toolbar"],
       type: "api",
       method: "POST",
-      target: "/api/v1/auth/oauth2/register",
+      target: "/api/v1/auth/sys-oauth-application/register",
       refreshAfter: true,
       params: [
         { name: "name", label: "Application Name", type: "text", required: true },
@@ -4204,6 +4207,16 @@ var defaultPermissionSets = [
         operation: "all",
         using: "user_id = current_user.id"
       },
+      // OAuth applications a user has registered themselves (self-service
+      // developer flow exposed in the Account app's Developer section).
+      // `sys_oauth_application` has no `organization_id` so the wildcard
+      // `tenant_isolation` policy would otherwise deny every row.
+      {
+        name: "sys_oauth_application_self",
+        object: "sys_oauth_application",
+        operation: "all",
+        using: "user_id = current_user.id"
+      },
       // Org-scoped visibility for organization-owned identity-adjacent
       // tables. Org admins may inspect their own org's invitations and
       // memberships (read; writes still flow through better-auth).
@@ -4356,6 +4369,16 @@ var defaultPermissionSets = [
         object: "sys_oauth_consent",
         operation: "all",
         using: "user_id = current_user.id"
+      },
+      // OAuth applications a user has registered themselves (Account →
+      // Developer → OAuth Applications). `sys_oauth_application` has no
+      // `organization_id`, so without this carve-out the wildcard
+      // `tenant_isolation` policy returns zero rows even for the owner.
+      {
+        name: "sys_oauth_application_self",
+        object: "sys_oauth_application",
+        operation: "all",
+        using: "user_id = current_user.id"
       }
     ]
   }),
@@ -6902,6 +6925,135 @@ var SysMetadataHistoryObject = ObjectSchema.create({
     trash: false
   }
 });
+var SysMetadataAuditObject = ObjectSchema.create({
+  name: "sys_metadata_audit",
+  label: "Metadata Audit",
+  pluralLabel: "Metadata Audit",
+  icon: "shield-check",
+  isSystem: true,
+  managedBy: "append-only",
+  description: "Append-only audit trail of metadata write decisions (ADR-0010).",
+  fields: {
+    /** Primary Key (UUID) */
+    id: Field.text({
+      label: "ID",
+      required: true,
+      readonly: true
+    }),
+    /** When the decision was made (ISO-8601 UTC). */
+    occurred_at: Field.datetime({
+      label: "Occurred At",
+      required: true,
+      readonly: true
+    }),
+    /** Acting principal (user id, system id, or 'system'). */
+    actor: Field.text({
+      label: "Actor",
+      required: true,
+      readonly: true,
+      maxLength: 255,
+      description: 'Acting principal \u2014 user id, system id, or "system".'
+    }),
+    /** Code path that produced the decision (e.g. `protocol.saveMetaItem`). */
+    source: Field.text({
+      label: "Source",
+      required: false,
+      readonly: true,
+      maxLength: 128
+    }),
+    /** Metadata type (singular, e.g. `app`, `object`, `view`). */
+    type: Field.text({
+      label: "Metadata Type",
+      required: true,
+      readonly: true,
+      searchable: true,
+      maxLength: 100
+    }),
+    /** Item machine name. */
+    name: Field.text({
+      label: "Name",
+      required: true,
+      readonly: true,
+      searchable: true,
+      maxLength: 255
+    }),
+    /** Organization for multi-tenant filtering. NULL for env-wide writes. */
+    organization_id: Field.lookup("sys_organization", {
+      label: "Organization",
+      required: false,
+      readonly: true
+    }),
+    /** Operation kind. */
+    operation: Field.select(["save", "publish", "rollback", "delete", "reset"], {
+      label: "Operation",
+      required: true,
+      readonly: true
+    }),
+    /** Decision outcome — allowed, denied (refused), or forced (bypassed via override). */
+    outcome: Field.select(["allowed", "denied", "forced"], {
+      label: "Outcome",
+      required: true,
+      readonly: true
+    }),
+    /**
+     * Machine-readable code for the decision:
+     *  - on `allowed`: `'ok'`
+     *  - on `denied`: `'not_overridable'` | `'not_creatable'` |
+     *    `'item_locked'` | `'invalid_metadata'` | `'destructive_change'` |
+     *    `'metadata_conflict'`
+     *  - on `forced`: `'lock_override'` (Phase 3)
+     */
+    code: Field.text({
+      label: "Code",
+      required: true,
+      readonly: true,
+      maxLength: 64
+    }),
+    /**
+     * Lock state observed at the time of the decision (`none` if the
+     * item carried no `_lock`). Captured even on `allowed` rows so
+     * later compliance queries can see "what was the lock state when
+     * this write succeeded".
+     */
+    lock_state: Field.select(["none", "no-overlay", "no-delete", "full"], {
+      label: "Lock State",
+      required: false,
+      readonly: true
+    }),
+    /** True when the write succeeded by bypassing a lock (Phase 3). */
+    lock_overridden: Field.boolean({
+      label: "Lock Overridden",
+      required: false,
+      readonly: true
+    }),
+    /** Optional request correlation id for tracing. */
+    request_id: Field.text({
+      label: "Request ID",
+      required: false,
+      readonly: true,
+      maxLength: 128
+    }),
+    /** Optional free-form context (e.g. brief diff summary). */
+    note: Field.textarea({
+      label: "Note",
+      required: false,
+      readonly: true
+    })
+  },
+  indexes: [
+    { fields: ["organization_id", "occurred_at"] },
+    { fields: ["type", "name", "occurred_at"] },
+    { fields: ["actor", "occurred_at"] },
+    { fields: ["outcome"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list"],
+    trash: false
+  }
+});
 var SysSetting = ObjectSchema.create({
   name: "sys_setting",
   label: "Setting",
@@ -7295,6 +7447,9 @@ var SETUP_APP = {
   icon: "settings",
   active: true,
   isDefault: false,
+  // ADR-0010 — core admin UI must not be overlay-edited or deleted.
+  _lock: "full",
+  _lockReason: "Core admin UI shipped by @objectstack/platform-objects \u2014 see ADR-0010.",
   branding: {
     primaryColor: "#475569"
     // Slate-600 — neutral admin palette
@@ -7785,21 +7940,20 @@ var ACCOUNT_APP = {
   // manage their own 2FA / linked accounts / personal OAuth apps. RLS on
   // each object scopes rows to the caller.
   navigation: [
-    // Profile is the canonical landing — name, email, avatar, verification
-    // status. Uses `type: 'object' + recordId: '{current_user_id}'` so it
-    // resolves to the sys_user record page; the slotted SysUserDetailPage
-    // (kind: 'slotted', isDefault: true) tailors that page into a proper
-    // self-service profile (highlight chips, grouped detail sections, no
-    // Discussion thread) without losing the record-context features
-    // (related lists, header actions, RLS-aware edit).
+    // Profile is the canonical landing — a hand-written React settings card
+    // (Vercel/Linear style) registered in the Console SPA as
+    // `account:profile_card`. The renderer reads the current user via
+    // `useAuth()` and writes via `client.auth.updateUser`, so there is no
+    // sys_user record context here — this is intentional. The admin-facing
+    // sys_user record page (see `pages/sys-user.page.ts`) stays focused on
+    // record browsing (Identity/Audit fields, related lists, admin actions)
+    // and is reached through Setup, never from the Account App.
     {
       id: "nav_account_profile",
-      type: "object",
+      type: "component",
       label: "Profile",
-      objectName: "sys_user",
-      recordId: "{current_user_id}",
-      icon: "user-circle",
-      requiresObject: "sys_user"
+      componentRef: "account:profile_card",
+      icon: "user-circle"
     },
     // --- Inbox & work assigned to me -----------------------------------
     // Notifications, approvals waiting on me, and the orgs I belong to.
@@ -7903,16 +8057,14 @@ var ACCOUNT_APP = {
           requiresObject: "sys_oauth_application"
         }
       ]
-    },
-    {
-      id: "nav_account_preferences",
-      type: "object",
-      label: "Preferences",
-      objectName: "sys_user_preference",
-      viewName: "mine",
-      icon: "sliders-horizontal",
-      requiresObject: "sys_user_preference"
     }
+    // Note: `sys_user_preference` is intentionally NOT exposed in the
+    // Account App. It's an internal key-value store the UI uses for state
+    // like `ui.recent`, `ui.favorites`, theme, sidebar collapse — not
+    // a user-curatable settings surface. A future
+    // `account:preferences_card` React component should provide the
+    // curated theme / locale / timezone / notifications toggles when we
+    // need them; until then there is no nav entry.
   ]
 };
 var SystemOverviewDashboard = Dashboard.create({
@@ -11131,8 +11283,7 @@ var en = {
         nav_account_linked: { label: "Linked Accounts" },
         nav_account_sessions: { label: "Active Sessions" },
         nav_account_api_keys: { label: "API Keys" },
-        nav_account_oauth_apps: { label: "OAuth Applications" },
-        nav_account_preferences: { label: "Preferences" }
+        nav_account_oauth_apps: { label: "OAuth Applications" }
       }
     },
     setup: {
@@ -14343,8 +14494,7 @@ var zhCN = {
         nav_account_linked: { label: "\u5DF2\u5173\u8054\u8D26\u6237" },
         nav_account_sessions: { label: "\u6D3B\u52A8\u4F1A\u8BDD" },
         nav_account_api_keys: { label: "API \u5BC6\u94A5" },
-        nav_account_oauth_apps: { label: "OAuth \u5E94\u7528" },
-        nav_account_preferences: { label: "\u504F\u597D\u8BBE\u7F6E" }
+        nav_account_oauth_apps: { label: "OAuth \u5E94\u7528" }
       }
     },
     setup: {
@@ -17516,8 +17666,7 @@ var jaJP = {
         nav_account_linked: { label: "\u9023\u643A\u30A2\u30AB\u30A6\u30F3\u30C8" },
         nav_account_sessions: { label: "\u30A2\u30AF\u30C6\u30A3\u30D6\u30BB\u30C3\u30B7\u30E7\u30F3" },
         nav_account_api_keys: { label: "API \u30AD\u30FC" },
-        nav_account_oauth_apps: { label: "OAuth \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3" },
-        nav_account_preferences: { label: "\u74B0\u5883\u8A2D\u5B9A" }
+        nav_account_oauth_apps: { label: "OAuth \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3" }
       }
     },
     setup: {
@@ -20689,8 +20838,7 @@ var esES = {
         nav_account_linked: { label: "Cuentas vinculadas" },
         nav_account_sessions: { label: "Sesiones activas" },
         nav_account_api_keys: { label: "Claves API" },
-        nav_account_oauth_apps: { label: "Aplicaciones OAuth" },
-        nav_account_preferences: { label: "Preferencias" }
+        nav_account_oauth_apps: { label: "Aplicaciones OAuth" }
       }
     },
     setup: {
@@ -25987,6 +26135,6 @@ function createPlatformObjectsPlugin() {
   return new PlatformObjectsPlugin();
 }
 
-export { ACCOUNT_APP, MetadataFormsTranslations, PlatformObjectsPlugin, SETUP_APP, STUDIO_APP, SetupAppTranslations, SysAccount, SysActivity, SysApiKey, SysApprovalAction, SysApprovalProcess, SysApprovalRequest, SysAttachment, SysAuditLog, SysComment, SysDepartment, SysDepartmentMember, SysDeviceCode, SysEmail, SysEmailTemplate, SysInvitation, SysJob, SysJobQueue, SysJobRun, SysJwks, SysMember, SysMetadataObject as SysMetadata, SysMetadataHistoryObject, SysMetadataObject, SysNotification, SysOauthAccessToken, SysOauthApplication, SysOauthConsent, SysOauthRefreshToken, SysOrganization, SysOrganizationDetailPage, SysPermissionSet, SysPresence, SysRecordShare, SysReportSchedule, SysRole, SysRolePermissionSet, SysSavedReport, SysSecret, SysSession, SysSetting, SysSettingAudit, SysShareLink, SysSharingRule, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserDetailPage, SysUserPermissionSet, SysUserPreference, SysVerification, SysWebhook, SystemOverviewDashboard, createPlatformObjectsPlugin, defaultPermissionSets, en, esES, jaJP, zhCN };
+export { ACCOUNT_APP, MetadataFormsTranslations, PlatformObjectsPlugin, SETUP_APP, STUDIO_APP, SetupAppTranslations, SysAccount, SysActivity, SysApiKey, SysApprovalAction, SysApprovalProcess, SysApprovalRequest, SysAttachment, SysAuditLog, SysComment, SysDepartment, SysDepartmentMember, SysDeviceCode, SysEmail, SysEmailTemplate, SysInvitation, SysJob, SysJobQueue, SysJobRun, SysJwks, SysMember, SysMetadataObject as SysMetadata, SysMetadataAuditObject, SysMetadataHistoryObject, SysMetadataObject, SysNotification, SysOauthAccessToken, SysOauthApplication, SysOauthConsent, SysOauthRefreshToken, SysOrganization, SysOrganizationDetailPage, SysPermissionSet, SysPresence, SysRecordShare, SysReportSchedule, SysRole, SysRolePermissionSet, SysSavedReport, SysSecret, SysSession, SysSetting, SysSettingAudit, SysShareLink, SysSharingRule, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserDetailPage, SysUserPermissionSet, SysUserPreference, SysVerification, SysWebhook, SystemOverviewDashboard, createPlatformObjectsPlugin, defaultPermissionSets, en, esES, jaJP, zhCN };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map