@objectstack/platform-objects 7.1.0 → 7.2.1
- package/dist/apps/index.d.mts +12 -0
- package/dist/apps/index.d.ts +12 -0
- package/dist/apps/index.js +48 -16
- package/dist/apps/index.js.map +1 -1
- package/dist/apps/index.mjs +48 -16
- package/dist/apps/index.mjs.map +1 -1
- package/dist/audit/index.d.mts +240 -48
- package/dist/audit/index.d.ts +240 -48
- package/dist/identity/index.d.mts +386 -61
- package/dist/identity/index.d.ts +386 -61
- package/dist/identity/index.js +135 -1
- package/dist/identity/index.js.map +1 -1
- package/dist/identity/index.mjs +135 -1
- package/dist/identity/index.mjs.map +1 -1
- package/dist/index.d.mts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +327 -17
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +327 -18
- package/dist/index.mjs.map +1 -1
- package/dist/integration/index.d.mts +15 -3
- package/dist/integration/index.d.ts +15 -3
- package/dist/metadata/index.d.mts +3264 -7
- package/dist/metadata/index.d.ts +3264 -7
- package/dist/metadata/index.js +130 -0
- package/dist/metadata/index.js.map +1 -1
- package/dist/metadata/index.mjs +130 -1
- package/dist/metadata/index.mjs.map +1 -1
- package/dist/security/index.d.mts +115 -21
- package/dist/security/index.d.ts +115 -21
- package/dist/security/index.js +14 -0
- package/dist/security/index.js.map +1 -1
- package/dist/security/index.mjs +14 -0
- package/dist/security/index.mjs.map +1 -1
- package/dist/system/index.d.mts +45 -9
- package/dist/system/index.d.ts +45 -9
- package/package.json +2 -2
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/sys-share-link.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field","PermissionSetSchema"],"mappings":";;;;;;AAYO,IAAM,OAAA,GAAUA,kBAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,6HAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,IAAA,EAAK;AAAA,MAC9B,WAAA,EAAa,0EAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAA
c;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,uBAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,KAAA,EAAO,QAAQ,IAAA,EAAK;AAAA,MAC7C,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA;AAAK;AAC/C;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EA
AE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,Y
AAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACtNM,IAAM,gBAAA,GAAmBD,kBAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,0BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,iHAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,iCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,oBAAA,EAAsB,cAAA,EAAgB,IAAA,EAAK;AAAA,QACpD,EAAE,KAAA,EAAO,mBAAA,EAAqB,cAAA,EAAgB,IAAA;AAAK;AACrD;
AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,WAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MA
Cb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yGAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,4EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,WAAM,QAAA,CAAS;AAAA,MAC9B,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzMM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA
,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EA
AU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAA
A,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa
,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,UAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,WAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAAA,EAA
kB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAAkB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,
EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,UAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MA
AA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACnJM,IAAM,YAAA,GAAeD,kBAAa,MAAA,CAAO;AAAA,EAC9C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,aAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,qGAAA;AAAA,EACb,WAAA,EAAa,0CAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY,cAAc,YAAY,CAAA;AAAA,EAEhG,SAAA,EAAW;AAAA,IACT,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,aAAa,cAAc,CAAA;AAAA,MACzG,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,UAAU,CAAA;AAAA,MACpD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAChF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;
AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,YAAY,CAAA;AAAA,MAChE,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,aAAa,CAAA;AAAA,MACvD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MACxG,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,8EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,mFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,YAAYA,UAAAA,CAAM,MAAA;AAAA,MAChB;AAAA,QACE,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA,EAAO;AAAA,QAClC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,SAAA,EAAU;AAAA,QACrC,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA;AAAO,OACpC;AAAA,MACA;AAAA,QACE,KAAA,EAAO,YAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6CAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAUA,UAAAA,CAAM,MAAA;AAAA,MACd;AAAA,QACE,EAAE,KAAA,EAAO,oBAAA,EAAsB,KAAA,EAAO,QAAA,EAAS;AAAA,QAC/C,EAAE,KAAA,EAAO,sBAAA,EAAwB,KAAA,EAAO,WAAA,EAAY;AAAA,QACpD,EAAE,KAAA,EAAO,iB
AAA,EAAmB,KAAA,EAAO,WAAA,EAAY;AAAA,QAC/C,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,OAAA;AAAQ,OAC7C;AAAA,MACA;AAAA,QACE,KAAA,EAAO,UAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,WAAA;AAAA,QACd,WAAA,EAAa,gDAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,WAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,iBAAA;AAAA,MACP,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,qBAAA;AAAA,MACP,WAAA,EAAa,2EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,oBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,WAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,0EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,MAAA,CAAO;AAAA,MACtB,KAAA,EAAO,WAAA;AAAA,MACP,YAAA,EAAc,CAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA,IAEP,EAAE,MAAA,EAAQ,CAAC,OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA;AAAA,IAElC,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAA,EAAc,YAAY,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAA
A,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA,IAGZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK,KAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX,CAAC;ACxOD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpDC,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB;AAAA,MACjB,cAAA;AAAA,MACA,iBAAA;AAAA,MACA,0BAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA;AACF,GACD,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,oBAAA;AAAA,IACN,KAAA,EAAO,4BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA,OACpB;AAAA;AAAA;AAAA,MAGA,GAAG,0BAAA,EAA2B;AAAA;AAAA,MAE9B,QAAA,EAAU,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACtF,kBAAA,EAAoB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MAChG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAA
A,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,aAAA,EAAe,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA;AAAM,KAC7F;AAAA,IACA,iBAAA,EAAmB,CAAC,kBAAA,EAAoB,cAAc,CAAA;AAAA,IACtD,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,4BAAA;AAAA,QACN,MAAA,EAAQ,uBAAA;AAAA,QACR,SAAA,EAAW,KAAA;
AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA,MAIA;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,MAAA,EAAQ,YAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,cAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAA
A,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,4BAAA;AAAA,QACN,MAAA,EAAQ,uBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,
EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.js","sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n // Custom actions — system roles drive RBAC and are edited rarely but\n // require the four high-frequency sysadmin affordances every IdP\n // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle\n // without losing assignments), mark default (auto-assign to new users),\n // and clone (template for new roles). 
All operations hit the generic\n // data CRUD endpoint exposed by `apiEnabled` — no custom server route\n // required because `managedBy: 'config'` allows direct mutation.\n actions: [\n {\n name: 'activate_role',\n label: 'Activate Role',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: true },\n successMessage: 'Role activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_role',\n label: 'Deactivate Role',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.',\n successMessage: 'Role deactivated',\n refreshAfter: true,\n },\n {\n name: 'set_default_role',\n label: 'Set as Default',\n icon: 'star',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { is_default: true },\n confirmText: 'Make this the default role for new users? Existing users are unaffected.',\n successMessage: 'Default role updated',\n refreshAfter: true,\n },\n {\n // Clone — POST a new sys_role row pre-filled from the source. 
The\n // dialog asks only for the new API name / label so the operator\n // can rename atomically; permissions JSON is copied wholesale via\n // defaultFromRow.\n name: 'clone_role',\n label: 'Clone Role',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_role',\n bodyExtra: { is_default: false, active: true },\n successMessage: 'Role cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: 
[{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n // Custom actions — permission sets are templates assigned to roles or\n // users (via sys_role_permission_set / sys_user_permission_set). The\n // sysadmin operations that don't live on the parent-detail tabs are\n // lifecycle (activate/deactivate without losing assignments) and\n // clone (build a new permset by tweaking an existing one). Both hit\n // the generic data CRUD endpoint — managedBy: 'config' permits it.\n actions: [\n {\n name: 'activate_permission_set',\n label: 'Activate',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: true },\n successMessage: 'Permission set activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_permission_set',\n label: 'Deactivate',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this permission set? 
Existing assignments stay in place but stop granting access until re-activated.',\n successMessage: 'Permission set deactivated',\n refreshAfter: true,\n },\n {\n name: 'clone_permission_set',\n label: 'Clone',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_permission_set',\n bodyExtra: { active: true },\n successMessage: 'Permission set cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'object_permissions', defaultFromRow: true },\n { field: 'field_permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n 
maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n system_permissions: Field.textarea({\n label: 'System Permissions',\n required: false,\n description: 'JSON-serialized array of system capability names (e.g. [\"setup.access\",\"studio.access\",\"manage_users\"])',\n group: 'Permissions',\n }),\n\n row_level_security: Field.textarea({\n label: 'Row-Level Security',\n required: false,\n description: 'JSON-serialized array of row-level security policies (USING/CHECK clauses)',\n group: 'Permissions',\n }),\n\n tab_permissions: Field.textarea({\n label: 'Tab Permissions',\n required: false,\n description: 'JSON-serialized map of app tab visibility (visible | hidden | default_on | default_off)',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 
'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: 
Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. 
At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. 
Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' 
}],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 
'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 
'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". 
Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. 
Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n 
description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. 
`department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_share_link — Capability-Token Public Share Links\n *\n * Each row authorises read (or write) access to ONE record of ONE\n * object via an opaque URL-safe token. Complements `sys_record_share`,\n * which models principal-based grants (share with a specific user /\n * team / role). A single record may have rows in both tables; the\n * union determines effective access.\n *\n * Lifecycle:\n *\n * 1. `IShareLinkService.createLink` validates the request against the\n * target object's `publicSharing` whitelist and inserts a row.\n * Token is a 24-char URL-safe random string.\n *\n * 2. 
`IShareLinkService.resolveToken` (called from the public\n * `/api/v1/share-links/:token` middleware on every request)\n * verifies the row is not revoked / not expired, applies audience\n * / password gates, increments `use_count` + `last_used_at`, and\n * returns the effective redaction set.\n *\n * 3. `IShareLinkService.revokeLink` stamps `revoked_at`. Rows are\n * preserved for audit; resolveToken returns null after revocation.\n *\n * Conventions:\n * - `object_name` is the short object name (`account`, `ai_conversation`, …)\n * - `record_id` is the primary key of the target record within object_name\n * - `audience` mirrors `ShareLinkAudience` in spec/contracts; the\n * middleware enforces additional gating per audience\n * - `redact_fields` overlays on top of the schema-default redaction\n * set declared on `object.publicSharing.redactFields`\n *\n * managedBy: 'system' — admins inspect via the audit grid but all\n * writes flow through `IShareLinkService` so the per-object opt-in,\n * expiry caps, and audit hooks fire.\n *\n * @namespace sys\n */\nexport const SysShareLink = ObjectSchema.create({\n name: 'sys_share_link',\n label: 'Share Link',\n pluralLabel: 'Share Links',\n icon: 'link-2',\n isSystem: true,\n managedBy: 'system',\n description: 'Opaque capability token granting access to a single record. 
Notion/Figma-style public link sharing.',\n titleFormat: '{object_name}/{record_id} ({permission})',\n compactLayout: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n\n listViews: {\n active_links: {\n type: 'grid',\n name: 'active_links',\n label: 'Active',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'use_count', 'last_used_at'],\n filter: [{ field: 'revoked_at', operator: 'isNull' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n by_me: {\n type: 'grid',\n name: 'by_me',\n label: 'Created by Me',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n filter: [{ field: 'created_by', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n revoked: {\n type: 'grid',\n name: 'revoked',\n label: 'Revoked',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'revoked_at', 'created_by'],\n filter: [{ field: 'revoked_at', operator: 'isNotNull' }],\n sort: [{ field: 'revoked_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_links: {\n type: 'grid',\n name: 'all_links',\n label: 'All',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 200 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Link ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Token (the secret) ───────────────────────────────────────\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 64,\n description: 'Opaque URL-safe random token (≥ 22 chars). 
The only secret in this row.',\n group: 'Token',\n }),\n\n // ── Target ───────────────────────────────────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record (e.g. ai_conversation, contracts_contract)',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Access Policy ────────────────────────────────────────────\n permission: Field.select(\n [\n { label: 'View', value: 'view' },\n { label: 'Comment', value: 'comment' },\n { label: 'Edit', value: 'edit' },\n ],\n {\n label: 'Permission',\n required: true,\n defaultValue: 'view',\n description: 'What the link holder can do with the record',\n group: 'Access Policy',\n },\n ),\n\n audience: Field.select(\n [\n { label: 'Public (indexable)', value: 'public' },\n { label: 'Anyone with the link', value: 'link_only' },\n { label: 'Signed-in users', value: 'signed_in' },\n { label: 'Specific emails', value: 'email' },\n ],\n {\n label: 'Audience',\n required: true,\n defaultValue: 'link_only',\n description: 'Gating layer applied on top of the token check',\n group: 'Access Policy',\n },\n ),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n description: 'When set, resolveToken returns null after this timestamp',\n group: 'Access Policy',\n }),\n\n email_allowlist: Field.json({\n label: 'Email Allowlist',\n description: 'Lowercased addresses checked when audience=email',\n group: 'Access Policy',\n }),\n\n password_hash: Field.text({\n label: 'Password Hash',\n maxLength: 256,\n description: 'Argon2/bcrypt hash. 
When set, the UI prompts for a password before rendering.',\n group: 'Access Policy',\n }),\n\n redact_fields: Field.json({\n label: 'Per-Link Redactions',\n description: 'Extra fields stripped from the response, on top of the object-default set',\n group: 'Access Policy',\n }),\n\n label: Field.text({\n label: 'Label',\n maxLength: 200,\n description: 'Free-text shown in the share dialog (e.g. \"ACME Q3 contract\")',\n group: 'Metadata',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n revoked_at: Field.datetime({\n label: 'Revoked At',\n readonly: true,\n description: 'When set, the link is permanently disabled',\n group: 'Lifecycle',\n }),\n\n created_by: Field.lookup('sys_user', {\n label: 'Created By',\n readonly: true,\n description: 'Issuer of the link',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'Lifecycle',\n }),\n\n last_used_at: Field.datetime({\n label: 'Last Used At',\n readonly: true,\n description: 'Stamped by resolveToken; used by the dashboard to highlight active links',\n group: 'Lifecycle',\n }),\n\n use_count: Field.number({\n label: 'Use Count',\n defaultValue: 0,\n readonly: true,\n description: 'Incremented by resolveToken on every successful resolution',\n group: 'Lifecycle',\n }),\n },\n\n indexes: [\n // Hot path: resolveToken — one row lookup per public request.\n { fields: ['token'], unique: true },\n // Management UI: \"all links for this record\".\n { fields: ['object_name', 'record_id'] },\n // \"Active links I issued\".\n { fields: ['created_by', 'revoked_at'] },\n // Reaper for expired rows (background sweep).\n { fields: ['expires_at'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n // The /api/v1/share-links endpoints are the authoritative surface;\n // the generic data API is exposed read-only for the admin grid.\n apiMethods: ['get', 'list'],\n trash: 
false,\n mru: false,\n clone: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * 
`viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by `RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: [\n 'manage_users',\n 'manage_metadata',\n 'manage_platform_settings',\n 'setup.access',\n 'studio.access',\n ],\n }),\n // ── Organization Administrator ──────────────────────────────────────\n //\n // Third tier between platform admin (`admin_full_access`) and rank-and-file\n // member. 
Lives at the *organization* scope: full CRUD on business\n // objects within their org (governed by `tenant_isolation` RLS), plus\n // `setup.access` so the Setup app shell is reachable.\n //\n // **Deliberately withheld** vs `admin_full_access`:\n // - `studio.access` — schema-design surfaces are platform-level (a\n // tenant cannot mutate the shared metadata) and Studio is hidden.\n // - `manage_metadata` — same reasoning.\n // - `manage_platform_settings` — global settings manifests\n // (mail / storage / AI / knowledge) and platform-only Setup pages\n // (sharing rules, audit logs, OAuth apps, JWKS, …) require this\n // and are hidden / 403'd for org admins. Tenant-scoped manifests\n // (`branding`, `feature_flags`) keep using `setup.access` so org\n // admins CAN configure their own org's branding.\n //\n // **Anti-escalation**: writes to the global RBAC tables\n // (`sys_role`, `sys_permission_set`, `sys_role_permission_set`,\n // `sys_user_permission_set`, `sys_user_role`) are denied. Allowing\n // them would let an org admin bind `admin_full_access` (which has no\n // RLS) to themselves and break out of tenant isolation. 
Reads are\n // permitted so the Roles / Permission Sets nav entries still render.\n //\n // Auto-granted to every `sys_member` whose role contains `owner` or\n // `admin` by `plugin-security/src/auto-org-admin-grant.ts`.\n PermissionSetSchema.parse({\n name: 'organization_admin',\n label: 'Organization Administrator',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n // Identity tables — go through better-auth endpoints (invite,\n // accept, remove-member, transfer, …) rather than raw CRUD.\n ...denyWritesOnManagedObjects(),\n // RBAC tables — read-only to prevent privilege escalation.\n sys_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_role_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n },\n systemPermissions: ['manage_org_users', 'setup.access'],\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be denied by the wildcard policy. 
Same self-only\n // carve-outs as `member_default` — an org admin does not get to\n // inspect cross-tenant identity rows.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // OAuth applications a user has registered themselves (self-service\n // developer flow exposed in the Account app's Developer section).\n // `sys_oauth_application` has no 
`organization_id` so the wildcard\n // `tenant_isolation` policy would otherwise deny every row.\n {\n name: 'sys_oauth_application_self',\n object: 'sys_oauth_application',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // Org-scoped visibility for organization-owned identity-adjacent\n // tables. Org admins may inspect their own org's invitations and\n // memberships (read; writes still flow through better-auth).\n {\n name: 'sys_member_org',\n object: 'sys_member',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_invitation_org',\n object: 'sys_invitation',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_team_org',\n object: 'sys_team',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. 
Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators: members can see other users in the same\n // organization. Without this, owner/assignee lookups, @-mention\n // suggestions, reviewer pickers and team-roster surfaces all\n // collapse to just the current user. `org_user_ids` is\n // pre-resolved by runtime/resolve-execution-context from\n // `sys_member` for the active organization. Sensitive credential\n // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep\n // their stricter self-only carve-outs above.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 
'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // OAuth applications a user has registered themselves (Account →\n // Developer → OAuth Applications). `sys_oauth_application` has no\n // `organization_id`, so without this carve-out the wildcard\n // `tenant_isolation` policy returns zero rows even for the owner.\n {\n name: 'sys_oauth_application_self',\n object: 'sys_oauth_application',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n },\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators (read-only): see `sys_user_org_members` in\n // `member_default` for rationale.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n 
using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
|
|
1
|
+
{"version":3,"sources":["../../src/security/sys-role.object.ts","../../src/security/sys-permission-set.object.ts","../../src/security/sys-user-permission-set.object.ts","../../src/security/sys-role-permission-set.object.ts","../../src/security/sys-record-share.object.ts","../../src/security/sys-sharing-rule.object.ts","../../src/security/sys-share-link.object.ts","../../src/security/default-permission-sets.ts"],"names":["ObjectSchema","Field","PermissionSetSchema"],"mappings":";;;;;;AAYO,IAAM,OAAA,GAAUA,kBAAa,MAAA,CAAO;AAAA,EACzC,IAAA,EAAM,UAAA;AAAA,EACN,KAAA,EAAO,MAAA;AAAA,EACP,WAAA,EAAa,OAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA,EAGX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,YAAA;AAAA,IACN,MAAA,EAAQ,sDAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,0CAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASvD,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,gBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,iBAAA;AAAA,MACN,KAAA,EAAO,iBAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,6HAAA;AAAA,MACb,cAAA,EAAgB,kBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,kBAAA;AAAA,MACN,KAAA,EAAO,gBAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,4BAAA;AAAA,MA
CR,SAAA,EAAW,EAAE,UAAA,EAAY,IAAA,EAAK;AAAA,MAC9B,WAAA,EAAa,0EAAA;AAAA,MACb,cAAA,EAAgB,sBAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA;AAAA;AAAA;AAAA;AAAA,MAKE,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,uBAAA;AAAA,MACR,SAAA,EAAW,EAAE,UAAA,EAAY,KAAA,EAAO,QAAQ,IAAA,EAAK;AAAA,MAC7C,cAAA,EAAgB,aAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA;AAAK;AAC/C;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,cAAc,YAAY,CAAA;AAAA,MACrD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,QAAQ,CAAA;AAAA,MAClD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAA
U,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAClE,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,UAAA,EAAW;AAAA,MAC/C,SAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC/D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,6CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,OAAA,CAAQ;AAAA,MACxB,KAAA,EAAO,cAAA;AAAA,MACP,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa,qCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,G
ACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC7NM,IAAM,gBAAA,GAAmBD,kBAAa,MAAA,CAAO;AAAA,EAClD,IAAA,EAAM,oBAAA;AAAA,EACN,KAAA,EAAO,gBAAA;AAAA,EACP,WAAA,EAAa,iBAAA;AAAA,EACb,IAAA,EAAM,MAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA,EAGX,UAAA,EAAY;AAAA,IACV,IAAA,EAAM,YAAA;AAAA,IACN,MAAA,EAAQ,sDAAA;AAAA,IACR,OAAA,EAAS;AAAA,GACX;AAAA,EACA,WAAA,EAAa,4DAAA;AAAA,EACb,gBAAA,EAAkB,OAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,aAAA,EAAe,CAAC,OAAA,EAAS,MAAA,EAAQ,QAAQ,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,OAAA,EAAS;AAAA,IACP;AAAA,MACE,IAAA,EAAM,yBAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,cAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,0BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,2BAAA;AAAA,MACN,KAAA,EAAO,YAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,QAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,OAAA;AAAA,MACR,MAAA,EAAQ,sCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,KAAA,EAAM;AAAA,MAC3B,WAAA,EAAa,iHAAA;AAAA,MACb,cAAA,EAAgB,4BAAA;AAAA,MAChB,YAAA,EAAc;AAAA,KAChB;AAAA,IACA;AAAA,MACE,IAAA,EAAM,sBAAA;AAAA,MACN,KAAA,EAAO,OAAA;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,OAAA,EAAS,WAAA;AAAA,MACT,IAAA,EAAM,QAAA;AAAA,MACN,SAAA,EAAW,CAAC,WAAA,EAAa,eAAe,CAAA;AAAA,MACxC,IAAA,EAAM,KAAA;AAAA,MACN,MAAA,EAAQ,MAAA;AAAA,MACR,MAAA,EAAQ,iCAAA;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAQ,IAAA,EAAK;AAAA,MAC1B,cAAA,EAAgB,uBAAA;AAAA,MAChB,YAAA,EAAc,IAAA;AAAA,MACd,MAAA,EAAQ;AAAA,QACN,EAAE,MAAM,OAAA,EAAS,KAAA,EAAO,oBAAoB,IAAA,EAAM,MAAA,EAAQ,UAAU,IAAA,EAAK;AAAA,QACzE,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,cAAA,EAAgB,MAAM,MAAA,EAAQ,Q
AAA,EAAU,IAAA,EAAM,QAAA,EAAU,gCAAA,EAAiC;AAAA,QAChH,EAAE,KAAA,EAAO,aAAA,EAAe,cAAA,EAAgB,IAAA,EAAK;AAAA,QAC7C,EAAE,KAAA,EAAO,oBAAA,EAAsB,cAAA,EAAgB,IAAA,EAAK;AAAA,QACpD,EAAE,KAAA,EAAO,mBAAA,EAAqB,cAAA,EAAgB,IAAA;AAAK;AACrD;AACF,GACF;AAAA,EAEA,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,eAAe,YAAY,CAAA;AAAA,MACtD,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,YAAY,CAAA;AAAA,MACvC,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,oBAAA,EAAqB;AAAA,MACzD,OAAA,EAAS,CAAC,OAAA,EAAS,MAAA,EAAQ,UAAU,YAAY,CAAA;AAAA,MACjD,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA;AAAA,IAEN,KAAA,EAAOC,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,UAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,UAAA,EAAY,IAAA;AAAA,MACZ,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAA
A,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,iBAAA,EAAmBA,WAAM,QAAA,CAAS;AAAA,MAChC,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,oDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yGAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,kBAAA,EAAoBA,WAAM,QAAA,CAAS;AAAA,MACjC,KAAA,EAAO,oBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,4EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,WAAM,QAAA,CAAS;AAAA,MAC9B,KAAA,EAAO,iBAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,yFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,YAAA,EAAc,IAAA;AAAA,MACd,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,EAAA,EAAIA,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,mBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,QAAQ,CAAA;AAAE,GACvB;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AChNM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,YAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,yFAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAA,EAAqB,iBAAiB,CAAA;AAAA,EAEjE,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,
MACb,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UAAAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,QAAQ,CAAC,SAAA,EAAW,qBAAqB,iBAAiB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IAC5E,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA,EAAE;AAAA,IAC9B,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;AC3EM,IAAM,oBAAA,GAAuBD,kBAAa,MAAA,CAAO;AAAA,EACtD,IAAA,EAAM,yBAAA;AAAA,EACN,KAAA,EAAO,qBAAA;AAAA,EACP,WAAA,EAAa,sBAAA;AAAA,EACb,IAAA,EAAM,aAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,mCAAA;AAAA,EACb,WAAA,EAAa,sCAAA;AAAA,EACb,aAAA,EAAe,CAAC,SAAA,EAAW,mBAAmB,CAAA;AAAA,EAE9C,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,OAAA,EAASA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MAChC,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,iBAAA,EAAmBA,UA
AAA,CAAM,MAAA,CAAO,oBAAA,EAAsB;AAAA,MACpD,KAAA,EAAO,gBAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU;AAAA,KACX;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,WAAW,mBAAmB,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACzD,EAAE,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAE;AAAA,IACtB,EAAE,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAE,GAClC;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,IAAA;AAAA,IACd,UAAA,EAAY,IAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA,IACZ,YAAY,CAAC,KAAA,EAAO,MAAA,EAAQ,QAAA,EAAU,UAAU,QAAQ,CAAA;AAAA,IACxD,KAAA,EAAO,IAAA;AAAA,IACP,GAAA,EAAK;AAAA;AAET,CAAC;ACzCM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,kEAAA;AAAA,EACb,WAAA,EAAa,kEAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,WAAA,EAAa,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEpF,SAAA,EAAW;AAAA,IACT,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,QAAA,EAAU,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,gBAAA,EAAkB,QAAA,EAAU,QAAA,EAAU,OAAO,MAAA,EAAO;AAAA,QAC7D,EAAE,KAAA,EAAO,cAAA,EAAgB,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OAC1E;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,MAAA,EAAQ;AAAA,QACN,EAAE,KAAA,EAAO,YAAA,EAAc,QAAA,EAAU,QAAA,EAAU,OAAO,mBAAA;AAAoB,OACxE;AAAA,MACA,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,
QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC5F,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACrF,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,aAAA,EAAe;AAAA,MACb,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,eAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,gBAAgB,cAAA,EAAgB,YAAA,EAAc,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,MACjE,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,WAAA,EAAa;AAAA,MACX,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,aAAA;AAAA,MACN,KAAA,EAAO,aAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,aAAa,cAAA,EAAgB,cAAA,EAAgB,aAAa,YAAY,CAAA;AAAA,MAC/F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,QAAA,EAAU,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,CAAC,MAAA,EAAQ,MAAA,EAAQ,WAAW,GAAG,CAAA;AAAA,MAClF,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,WAAA,EAAa,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MACnF,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,YAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC9G,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,UAAA
;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wCAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,yBAAyB,OAAO,CAAA;AAAA,MAC1D;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,wCAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,gDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6EAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA;AAAA,IAGA,QAAQA,UAAAA,CAAM,MAAA;AAAA,MACZ,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAA,EAAQ,WAAW,CAAA;AAAA,MACtC;AAAA,QACE,KAAA,EAAO,QAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,QAAA;AAAA,QACd,WAAA,EAAa,sEAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,2CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,MAAA,EAAQA,WAAM,IAAA,CAAK;AAAA,MACjB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA
,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA;AAAA;AAAA,IAIP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,gBAAA,EAAkB,cAAc,CAAA,EAAE;AAAA;AAAA;AAAA,IAG5D,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,QAAA,EAAU,WAAW,CAAA;AAAE;AAEtC,CAAC;ACzMM,IAAM,cAAA,GAAiBD,kBAAa,MAAA,CAAO;AAAA,EAChD,IAAA,EAAM,kBAAA;AAAA,EACN,KAAA,EAAO,cAAA;AAAA,EACP,WAAA,EAAa,eAAA;AAAA,EACb,IAAA,EAAM,cAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKX,WAAA,EAAa,EAAE,MAAA,EAAQ,IAAA,EAAM,MAAM,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAM;AAAA,EACrE,WAAA,EAAa,mJAAA;AAAA,EACb,gBAAA,EAAkB,MAAA;AAAA,EAClB,WAAA,EAAa,SAAA;AAAA,EACb,eAAe,CAAC,MAAA,EAAQ,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,QAAQ,CAAA;AAAA,EAEjG,SAAA,EAAW;AAAA,IACT,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,eAAe,gBAAA,EAAkB,cAAA,EAAgB,gBAAgB,YAAY,CAAA;AAAA,MAChG,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,IAAA,EAAM,CAAA;AAAA,MAC7D,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,UAAA;AAAA,MACN,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,OAAA,EAAS,aAAA,EAAe,gBAAA,EAAkB,gBAAgB,YAAY,CAAA;AAAA,MAChF,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,UAAU,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,MAC9D,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,WAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,SAAS,CAAC,aAAA,EAAe,OAAA,EAAS,gBAAA,EAA
kB,gBAAgB,QAAQ,CAAA;AAAA,MAC5E,IAAA,EAAM,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAM,EAAG,EAAE,KAAA,EAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MAC/E,QAAA,EAAU,EAAE,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAO,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,CAAA,EAAE;AAAA,MAC/E,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,kBAAA,EAAmB;AAAA,MACvD,OAAA,EAAS,CAAC,OAAA,EAAS,aAAA,EAAe,kBAAkB,cAAA,EAAgB,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,MAC1G,MAAM,CAAC,EAAE,OAAO,OAAA,EAAS,KAAA,EAAO,OAAO,CAAA;AAAA,MACvC,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG;AAC7B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,UAAAA,CAAM,IAAA,CAAK,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,IAAA,EAAM,QAAA,EAAU,IAAA,EAAM,KAAA,EAAO,QAAA,EAAU,CAAA;AAAA,IAEpF,eAAA,EAAiBA,UAAAA,CAAM,MAAA,CAAO,kBAAA,EAAoB;AAAA,MAChD,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO,QAAA;AAAA,MACP,WAAA,EAAa;AAAA,KACd,CAAA;AAAA,IAED,IAAA,EAAMA,WAAM,IAAA,CAAK;AAAA,MACf,KAAA,EAAO,MAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,6BAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,eAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,QAAA,CAAS;AAAA,MAC1B,KAAA,EAAO,aAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,QAAA,CAAS;AAAA,MAC5B,KAAA,EAAO,iCAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,WAAA,EAAa,iFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,gBAAgBA,UAAAA,CAAM,MAAA;AAAA,MACpB,CAAC,MAAA,EAAQ,MAAA,EAAQ,YAAA,EAAc,QAAQ,OAAO,CAAA;AAAA,MAC9C;AAAA,QACE,KAAA,EAAO,gBAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,YAAA;AAAA,QACd,WAAA,EAAa,2KAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;A
AAA,IAEA,YAAA,EAAcA,WAAM,IAAA,CAAK;AAAA,MACvB,KAAA,EAAO,WAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,wFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,cAAcA,UAAAA,CAAM,MAAA;AAAA,MAClB,CAAC,MAAA,EAAQ,MAAA,EAAQ,MAAM,CAAA;AAAA,MACvB;AAAA,QACE,KAAA,EAAO,cAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,MAAA,EAAQA,WAAM,OAAA,CAAQ;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,YAAA,EAAc,IAAA;AAAA,MACd,WAAA,EAAa,uDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,KAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA,IACP,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,QAAQ,CAAA,EAAE;AAAA,IACpC,EAAE,MAAA,EAAQ,CAAC,MAAM,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA,IACjC,EAAE,MAAA,EAAQ,CAAC,iBAAiB,CAAA;AAAE;AAElC,CAAC;ACnJM,IAAM,YAAA,GAAeD,kBAAa,MAAA,CAAO;AAAA,EAC9C,IAAA,EAAM,gBAAA;AAAA,EACN,KAAA,EAAO,YAAA;AAAA,EACP,WAAA,EAAa,aAAA;AAAA,EACb,IAAA,EAAM,QAAA;AAAA,EACN,QAAA,EAAU,IAAA;AAAA,EACV,SAAA,EAAW,QAAA;AAAA,EACX,WAAA,EAAa,qGAAA;AAAA,EACb,WAAA,EAAa,0CAAA;AAAA,EACb,eAAe,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY,cAAc,YAAY,CAAA;AAAA,EAEhG,SAAA,EAAW;AAAA,IACT,YAAA,EAAc;AAAA,MACZ,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,cAAA;AAAA,MACN,KAAA,EAAO,QAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,aAAa,cAAc,CAAA;AAAA,MACzG,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,UAAU,CAAA;AAAA,MACpD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,OAAA;AAAA,MACN,KAAA,EAAO,eAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,SAAS,CAAC,aAAA,EAAe,aAAa,YAAA,EAAc,UAAA,EAAY
,cAAc,YAAY,CAAA;AAAA,MAC1F,MAAA,EAAQ,CAAC,EAAE,KAAA,EAAO,cAAc,QAAA,EAAU,QAAA,EAAU,KAAA,EAAO,mBAAA,EAAqB,CAAA;AAAA,MAChF,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI,KAC9B;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,KAAA,EAAO,SAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,YAAY,CAAA;AAAA,MAChE,QAAQ,CAAC,EAAE,OAAO,YAAA,EAAc,QAAA,EAAU,aAAa,CAAA;AAAA,MACvD,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,EAAA;AAAG,KAC7B;AAAA,IACA,SAAA,EAAW;AAAA,MACT,IAAA,EAAM,MAAA;AAAA,MACN,IAAA,EAAM,WAAA;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,EAAE,QAAA,EAAU,QAAA,EAAU,QAAQ,gBAAA,EAAiB;AAAA,MACrD,OAAA,EAAS,CAAC,aAAA,EAAe,WAAA,EAAa,cAAc,UAAA,EAAY,YAAA,EAAc,cAAc,YAAY,CAAA;AAAA,MACxG,MAAM,CAAC,EAAE,OAAO,YAAA,EAAc,KAAA,EAAO,QAAQ,CAAA;AAAA,MAC7C,UAAA,EAAY,EAAE,QAAA,EAAU,GAAA;AAAI;AAC9B,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,EAAA,EAAIC,WAAM,IAAA,CAAK;AAAA,MACb,KAAA,EAAO,SAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,EAAA;AAAA,MACX,WAAA,EAAa,8EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,WAAA,EAAaA,WAAM,IAAA,CAAK;AAAA,MACtB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,mFAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,IAAA,CAAK;AAAA,MACpB,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,qDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,YAAYA,UAAAA,CAAM,MAAA;AAAA,MAChB;AAAA,QACE,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA,EAAO;AAAA,QAClC,EAAE,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,SAAA,EAAU;AAAA,QACrC,EAAE,KAAA,EAAO,MAAA,EAAW,KAAA,EAAO,MAAA;AAAO,OACpC;AAAA,MACA;AAAA,QACE,KAAA,EAAO,YAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,MAAA;AAAA,QACd,WAAA,EAAa,6CAA
A;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAUA,UAAAA,CAAM,MAAA;AAAA,MACd;AAAA,QACE,EAAE,KAAA,EAAO,oBAAA,EAAsB,KAAA,EAAO,QAAA,EAAS;AAAA,QAC/C,EAAE,KAAA,EAAO,sBAAA,EAAwB,KAAA,EAAO,WAAA,EAAY;AAAA,QACpD,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,WAAA,EAAY;AAAA,QAC/C,EAAE,KAAA,EAAO,iBAAA,EAAmB,KAAA,EAAO,OAAA;AAAQ,OAC7C;AAAA,MACA;AAAA,QACE,KAAA,EAAO,UAAA;AAAA,QACP,QAAA,EAAU,IAAA;AAAA,QACV,YAAA,EAAc,WAAA;AAAA,QACd,WAAA,EAAa,gDAAA;AAAA,QACb,KAAA,EAAO;AAAA;AACT,KACF;AAAA,IAEA,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,WAAA,EAAa,0DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,eAAA,EAAiBA,WAAM,IAAA,CAAK;AAAA,MAC1B,KAAA,EAAO,iBAAA;AAAA,MACP,WAAA,EAAa,kDAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,eAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,aAAA,EAAeA,WAAM,IAAA,CAAK;AAAA,MACxB,KAAA,EAAO,qBAAA;AAAA,MACP,WAAA,EAAa,2EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,KAAA,EAAOA,WAAM,IAAA,CAAK;AAAA,MAChB,KAAA,EAAO,OAAA;AAAA,MACP,SAAA,EAAW,GAAA;AAAA,MACX,WAAA,EAAa,+DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA;AAAA,IAGD,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4CAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,UAAAA,CAAM,MAAA,CAAO,UAAA,EAAY;AAAA,MACnC,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,oBAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,UAAA,EAAYA,WAAM,QAAA,CAAS;AAAA,MACzB,KAAA,EAAO,YAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,YAAA,EAAc,OAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,YAAA,EAAcA,WAAM,QAAA,CAAS;AAAA,MAC3B,KAAA,EAAO,cAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,0EAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR,CAAA;AAAA,IAED,SAAA,EAAWA,WAAM,MAAA,CAAO;AAAA,MACtB,KAAA,EAAO,WAAA;AAAA,MACP,YAAA,EAAc,CAAA;AAAA,MACd,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa,4DAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACR;AAAA,GACH;AAAA,EAEA,OAAA,EAAS;AAAA;AAAA,IAEP,EAAE,MAAA,EAAQ,CAAC,
OAAO,CAAA,EAAG,QAAQ,IAAA,EAAK;AAAA;AAAA,IAElC,EAAE,MAAA,EAAQ,CAAC,aAAA,EAAe,WAAW,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAA,EAAc,YAAY,CAAA,EAAE;AAAA;AAAA,IAEvC,EAAE,MAAA,EAAQ,CAAC,YAAY,CAAA;AAAE,GAC3B;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY,KAAA;AAAA,IACZ,UAAA,EAAY,IAAA;AAAA;AAAA;AAAA,IAGZ,UAAA,EAAY,CAAC,KAAA,EAAO,MAAM,CAAA;AAAA,IAC1B,KAAA,EAAO,KAAA;AAAA,IACP,GAAA,EAAK,KAAA;AAAA,IACL,KAAA,EAAO;AAAA;AAEX,CAAC;ACxOD,IAAM,2BAAA,GAA8B;AAAA,EAClC,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,kBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,aAAA;AAAA,EACA,gBAAA;AAAA,EACA,kBAAA;AAAA,EACA,UAAA;AAAA,EACA,iBAAA;AAAA,EACA,uBAAA;AAAA,EACA,wBAAA;AAAA,EACA,yBAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,0BAAA,GAA6B,MAK7B,MAAA,CAAO,WAAA;AAAA,EACX,2BAAA,CAA4B,GAAA,CAAI,CAAC,IAAA,KAAS;AAAA,IACxC,IAAA;AAAA,IACA,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,OAAO,SAAA,EAAW,KAAA,EAAO,aAAa,KAAA;AAAM,GAC7E;AACH,CAAA;AA4BO,IAAM,qBAAA,GAAyC;AAAA,EACpDC,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,mBAAA;AAAA,IACN,KAAA,EAAO,kCAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA;AACpB,KACF;AAAA,IACA,iBAAA,EAAmB;AAAA,MACjB,cAAA;AAAA,MACA,iBAAA;AAAA,MACA,0BAAA;AAAA,MACA,cAAA;AAAA,MACA;AAAA;AACF,GACD,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,oBAAA;AAAA,IACN,KAAA,EAAO,4BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,cAAA,EAAgB,IAAA;AAAA,QAChB,gBAAA,EAAkB;AAAA,OACpB;AAAA;AAAA;AAAA,MAGA,GAAG,0BAAA,EAA2B;AAAA;AAAA,MAE9B,QAAA,EAAU,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACtF,kBAAA,EAAoB,EA
AE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MAChG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,uBAAA,EAAyB,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA,EAAM;AAAA,MACrG,aAAA,EAAe,EAAE,SAAA,EAAW,IAAA,EAAM,aAAa,KAAA,EAAO,SAAA,EAAW,KAAA,EAAO,WAAA,EAAa,KAAA;AAAM,KAC7F;AAAA,IACA,iBAAA,EAAmB,CAAC,kBAAA,EAAoB,cAAc,CAAA;AAAA,IACtD,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AA
AA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,4BAAA;AAAA,QACN,MAAA,EAAQ,uBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA,MAIA;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,MAAA,EAAQ,YAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,cAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,gBAAA;AAAA,IACN,KAAA,EAAO,+BAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,IAAA;AAAA,QACb,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA,MAEA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,mBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA
;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA;AAAA;AAAA,MAKA;AAAA,QACE,IAAA,EAAM,4BAAA;AAAA,QACN,MAAA,EAAQ,uBAAA;AAAA,QACR,SAAA,EAAW,KAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD,CAAA;AAAA,EACDA,6BAAoB,KAAA,CAAM;AAAA,IACxB,IAAA,EAAM,iBAAA;AAAA,IACN,KAAA,EAAO,yBAAA;AAAA,IACP,SAAA,EAAW,IAAA;AAAA,IACX,OAAA,EAAS;AAAA,MACP,GAAA,EAAK;AAAA,QACH,SAAA,EAAW,IAAA;AAAA,QACX,WAAA,EAAa,KAAA;AAAA,QACb,SAAA,EAAW,KAAA;AAAA,QACX,WAAA,EAAa;AAAA,OACf;AAAA;AAAA;AAAA;AAAA,MAIA,GAAG,0BAAA;AAA2B,KAChC;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,GAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,MAAA,EAAQ,kBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,eAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA;AAAA;AAAA,MAGA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,UAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;
AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qBAAA;AAAA,QACN,MAAA,EAAQ,gBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,0BAAA;AAAA,QACN,MAAA,EAAQ,qBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,MAAA,EAAQ,aAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sBAAA;AAAA,QACN,MAAA,EAAQ,iBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,6BAAA;AAAA,QACN,MAAA,EAAQ,wBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,8BAAA;AAAA,QACN,MAAA,EAAQ,yBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA,OACT;AAAA,MACA;AAAA,QACE,IAAA,EAAM,wBAAA;AAAA,QACN,MAAA,EAAQ,mBAAA;AAAA,QACR,SAAA,EAAW,QAAA;AAAA,QACX,KAAA,EAAO;AAAA;AACT;AACF,GACD;AACH","file":"index.js","sourcesContent":["// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role — System Role Object\n *\n * RBAC role definition for the ObjectStack platform.\n * Roles group permissions and are assigned to users or members.\n *\n * @namespace sys\n */\nexport const SysRole = ObjectSchema.create({\n name: 'sys_role',\n label: 'Role',\n pluralLabel: 'Roles',\n icon: 'shield',\n isSystem: true,\n managedBy: 'config',\n // ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows\n // (created via UI / API) but the schema itself is locked.\n protection: {\n lock: 'no-overlay',\n reason: 'RBAC schema is platform-defined — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Role definitions for RBAC access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active', 'is_default'],\n\n // Custom actions — system roles drive RBAC and are edited rarely but\n // require the four high-frequency sysadmin affordances every IdP\n // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle\n // without losing assignments), mark default (auto-assign to new users),\n // and clone (template for new roles). 
All operations hit the generic\n // data CRUD endpoint exposed by `apiEnabled` — no custom server route\n // required because `managedBy: 'config'` allows direct mutation.\n actions: [\n {\n name: 'activate_role',\n label: 'Activate Role',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: true },\n successMessage: 'Role activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_role',\n label: 'Deactivate Role',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.',\n successMessage: 'Role deactivated',\n refreshAfter: true,\n },\n {\n name: 'set_default_role',\n label: 'Set as Default',\n icon: 'star',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_role/{id}',\n bodyExtra: { is_default: true },\n confirmText: 'Make this the default role for new users? Existing users are unaffected.',\n successMessage: 'Default role updated',\n refreshAfter: true,\n },\n {\n // Clone — POST a new sys_role row pre-filled from the source. 
The\n // dialog asks only for the new API name / label so the operator\n // can rename atomically; permissions JSON is copied wholesale via\n // defaultFromRow.\n name: 'clone_role',\n label: 'Clone Role',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_role',\n bodyExtra: { is_default: false, active: true },\n successMessage: 'Role cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'is_default', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n default_roles: {\n type: 'grid',\n name: 'default_roles',\n label: 'Default',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'description', 'active'],\n filter: [{ field: 'is_default', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n custom: {\n type: 'grid',\n name: 'custom',\n label: 'Custom',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'updated_at'],\n filter: [{ field: 'is_default', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_roles: {\n type: 'grid',\n name: 'all_roles',\n label: 'All',\n data: { provider: 'object', object: 'sys_role' },\n columns: ['label', 'name', 'active', 'is_default', 'updated_at'],\n sort: 
[{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the role (e.g. admin, editor, viewer)',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Configuration ────────────────────────────────────────────\n permissions: Field.textarea({\n label: 'Permissions',\n required: false,\n description: 'JSON-serialized array of permission strings',\n group: 'Configuration',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n is_default: Field.boolean({\n label: 'Default Role',\n defaultValue: false,\n description: 'Automatically assigned to new users',\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Role ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_permission_set — System Permission Set Object\n *\n * Named groupings of fine-grained permissions.\n * Permission sets can be assigned to roles or directly to users\n * for granular access control.\n *\n * @namespace sys\n */\nexport const SysPermissionSet = ObjectSchema.create({\n name: 'sys_permission_set',\n label: 'Permission Set',\n pluralLabel: 'Permission Sets',\n icon: 'lock',\n isSystem: true,\n managedBy: 'config',\n // ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows\n // (created via UI / API) but the schema itself is locked.\n protection: {\n lock: 'no-overlay',\n reason: 'RBAC schema is platform-defined — see ADR-0010.',\n docsUrl: 'https://docs.objectstack.ai/adr/0010-metadata-protection',\n },\n description: 'Named permission groupings for fine-grained access control',\n displayNameField: 'label',\n titleFormat: '{label}',\n compactLayout: ['label', 'name', 'active'],\n\n // Custom actions — permission sets are templates assigned to roles or\n // users (via sys_role_permission_set / sys_user_permission_set). The\n // sysadmin operations that don't live on the parent-detail tabs are\n // lifecycle (activate/deactivate without losing assignments) and\n // clone (build a new permset by tweaking an existing one). 
Both hit\n // the generic data CRUD endpoint — managedBy: 'config' permits it.\n actions: [\n {\n name: 'activate_permission_set',\n label: 'Activate',\n icon: 'circle-check',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: true },\n successMessage: 'Permission set activated',\n refreshAfter: true,\n },\n {\n name: 'deactivate_permission_set',\n label: 'Deactivate',\n icon: 'circle-off',\n variant: 'danger',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'PATCH',\n target: '/api/v1/data/sys_permission_set/{id}',\n bodyExtra: { active: false },\n confirmText: 'Deactivate this permission set? Existing assignments stay in place but stop granting access until re-activated.',\n successMessage: 'Permission set deactivated',\n refreshAfter: true,\n },\n {\n name: 'clone_permission_set',\n label: 'Clone',\n icon: 'copy',\n variant: 'secondary',\n mode: 'custom',\n locations: ['list_item', 'record_header'],\n type: 'api',\n method: 'POST',\n target: '/api/v1/data/sys_permission_set',\n bodyExtra: { active: true },\n successMessage: 'Permission set cloned',\n refreshAfter: true,\n params: [\n { name: 'label', label: 'New Display Name', type: 'text', required: true },\n { name: 'name', label: 'New API Name', type: 'text', required: true, helpText: 'Unique snake_case machine name' },\n { field: 'description', defaultFromRow: true },\n { field: 'object_permissions', defaultFromRow: true },\n { field: 'field_permissions', defaultFromRow: true },\n ],\n },\n ],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'description', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 
},\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n all_permsets: {\n type: 'grid',\n name: 'all_permsets',\n label: 'All',\n data: { provider: 'object', object: 'sys_permission_set' },\n columns: ['label', 'name', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n // ── Identity ─────────────────────────────────────────────────\n label: Field.text({\n label: 'Display Name',\n required: true,\n searchable: true,\n maxLength: 255,\n group: 'Identity',\n }),\n\n name: Field.text({\n label: 'API Name',\n required: true,\n searchable: true,\n maxLength: 100,\n description: 'Unique machine name for the permission set',\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n // ── Permissions ──────────────────────────────────────────────\n object_permissions: Field.textarea({\n label: 'Object Permissions',\n required: false,\n description: 'JSON-serialized object-level CRUD permissions',\n group: 'Permissions',\n }),\n\n field_permissions: Field.textarea({\n label: 'Field Permissions',\n required: false,\n description: 'JSON-serialized field-level read/write permissions',\n group: 'Permissions',\n }),\n\n system_permissions: Field.textarea({\n label: 'System Permissions',\n required: false,\n description: 'JSON-serialized array of system capability names (e.g. 
[\"setup.access\",\"studio.access\",\"manage_users\"])',\n group: 'Permissions',\n }),\n\n row_level_security: Field.textarea({\n label: 'Row-Level Security',\n required: false,\n description: 'JSON-serialized array of row-level security policies (USING/CHECK clauses)',\n group: 'Permissions',\n }),\n\n tab_permissions: Field.textarea({\n label: 'Tab Permissions',\n required: false,\n description: 'JSON-serialized map of app tab visibility (visible | hidden | default_on | default_off)',\n group: 'Permissions',\n }),\n\n // ── Status ───────────────────────────────────────────────────\n active: Field.boolean({\n label: 'Active',\n defaultValue: true,\n group: 'Status',\n }),\n\n // ── System ───────────────────────────────────────────────────\n id: Field.text({\n label: 'Permission Set ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['name'], unique: true },\n { fields: ['active'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: true,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_user_permission_set — User ↔ PermissionSet assignment.\n *\n * Salesforce-style additive permission grant: a user may be assigned any\n * number of `sys_permission_set` rows, optionally scoped to a specific\n * organization. 
The runtime resolver (`resolveExecutionContext` in\n * `@objectstack/runtime`) reads this table when building the per-request\n * `ExecutionContext.permissions[]`.\n *\n * Uniqueness is `(user_id, permission_set_id, organization_id)` so the\n * same permission set can be granted independently in each org context\n * the user belongs to.\n *\n * @namespace sys\n */\nexport const SysUserPermissionSet = ObjectSchema.create({\n name: 'sys_user_permission_set',\n label: 'User Permission Set',\n pluralLabel: 'User Permission Sets',\n icon: 'user-check',\n isSystem: true,\n managedBy: 'system',\n description: 'Direct assignment of a permission set to a user (optionally scoped to an organization).',\n titleFormat: '{user_id} → {permission_set_id}',\n compactLayout: ['user_id', 'permission_set_id', 'organization_id'],\n\n fields: {\n id: Field.text({\n label: 'Assignment ID',\n required: true,\n readonly: true,\n description: 'UUID of the assignment.',\n }),\n\n user_id: Field.lookup('sys_user', {\n label: 'User',\n required: true,\n description: 'Foreign key to sys_user.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n description: 'Optional organization scope. 
NULL = applies in every org context.',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 'User who granted this permission set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['user_id', 'permission_set_id', 'organization_id'], unique: true },\n { fields: ['user_id'] },\n { fields: ['organization_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_role_permission_set — Role ↔ PermissionSet binding.\n *\n * Allows administrators to compose a `sys_role` from one or more\n * `sys_permission_set` rows. 
At request time, the runtime resolver\n * (`resolveExecutionContext`) collects every permission set bound to\n * the user's roles via this table and injects their names into\n * `ExecutionContext.permissions[]` for downstream RBAC evaluation.\n *\n * @namespace sys\n */\nexport const SysRolePermissionSet = ObjectSchema.create({\n name: 'sys_role_permission_set',\n label: 'Role Permission Set',\n pluralLabel: 'Role Permission Sets',\n icon: 'shield-plus',\n isSystem: true,\n managedBy: 'system',\n description: 'Binds a permission set to a role.',\n titleFormat: '{role_id} → {permission_set_id}',\n compactLayout: ['role_id', 'permission_set_id'],\n\n fields: {\n id: Field.text({\n label: 'Binding ID',\n required: true,\n readonly: true,\n description: 'UUID of the role-permission-set binding.',\n }),\n\n role_id: Field.lookup('sys_role', {\n label: 'Role',\n required: true,\n description: 'Foreign key to sys_role.',\n }),\n\n permission_set_id: Field.lookup('sys_permission_set', {\n label: 'Permission Set',\n required: true,\n description: 'Foreign key to sys_permission_set.',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n defaultValue: 'NOW()',\n readonly: true,\n }),\n },\n\n indexes: [\n { fields: ['role_id', 'permission_set_id'], unique: true },\n { fields: ['role_id'] },\n { fields: ['permission_set_id'] },\n ],\n\n enable: {\n trackHistory: true,\n searchable: true,\n apiEnabled: true,\n apiMethods: ['get', 'list', 'create', 'update', 'delete'],\n trash: true,\n mru: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_record_share — Per-Record Sharing Grant\n *\n * Bridges the ownership-only baseline established by `object.sharingModel`\n * with the real-world need to delegate access to a single record. 
Each\n * row says: \"principal P has access level L on (object O, record R),\n * because of source S (manual grant or rule).\"\n *\n * Enforcement lives in `@objectstack/plugin-sharing`:\n * - For objects with `sharingModel: 'private'`, the engine middleware\n * AND-s `{$or:[{owner_id:userId},{id:{$in:[grantedRecordIds]}}]}`\n * into every `find` against that object.\n * - For objects with `sharingModel: 'private' | 'read'`, the same\n * middleware enforces edit/delete by checking ownership OR a share\n * row with `access_level in ('edit','full')`.\n *\n * Conventions:\n * - `object_name` is the short object name (e.g. `account`, `lead`).\n * - `recipient_type` mirrors `ShareRecipientType` from the spec\n * (`user` is enforced today; `group`/`role` are persisted for\n * forward-compatibility).\n * - `source = 'manual'` rows are created by a user via the REST\n * `POST /data/:object/:id/shares` endpoint. `source = 'rule'` rows\n * are materialised by the sharing-rule evaluator (future); the\n * `source_id` lets the evaluator reconcile stale grants.\n *\n * @namespace sys\n */\nexport const SysRecordShare = ObjectSchema.create({\n name: 'sys_record_share',\n label: 'Record Share',\n pluralLabel: 'Record Shares',\n icon: 'share',\n isSystem: true,\n managedBy: 'system',\n description: 'Per-record sharing grant — extends OWD with explicit access',\n titleFormat: '{object_name}/{record_id} → {recipient_id} ({access_level})',\n compactLayout: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source'],\n\n listViews: {\n granted_to_me: {\n type: 'grid',\n name: 'granted_to_me',\n label: 'Granted to Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'access_level', 'source', 'granted_by', 'created_at'],\n filter: [\n { field: 'recipient_type', operator: 'equals', value: 'user' },\n { field: 'recipient_id', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' 
}],\n pagination: { pageSize: 50 },\n },\n granted_by_me: {\n type: 'grid',\n name: 'granted_by_me',\n label: 'Granted by Me',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n filter: [\n { field: 'granted_by', operator: 'equals', value: '{current_user_id}' },\n ],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source', 'created_at'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n manual_grants: {\n type: 'grid',\n name: 'manual_grants',\n label: 'Manual Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'granted_by', 'reason', 'created_at'],\n filter: [{ field: 'source', operator: 'equals', value: 'manual' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n rule_grants: {\n type: 'grid',\n name: 'rule_grants',\n label: 'Rule Grants',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_id', 'access_level', 'source_id', 'created_at'],\n filter: [{ field: 'source', operator: 'in', value: ['rule', 'team', 'inherited'] }],\n sort: [{ field: 'source_id', order: 'asc' }, { field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_shares: {\n type: 'grid',\n name: 'all_shares',\n label: 'All',\n data: { provider: 'object', object: 'sys_record_share' },\n columns: ['object_name', 'record_id', 'recipient_type', 'recipient_id', 'access_level', 
'source', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Share ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Target (which record is being shared) ────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Recipient (who receives access) ──────────────────────────\n recipient_type: Field.select(\n ['user', 'group', 'role', 'role_and_subordinates', 'guest'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'user',\n description: 'Kind of principal that holds the grant',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 100,\n description: 'ID of the user/group/role that receives access',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n description: 'What the recipient can do — read | edit | full (transfer/share/delete)',\n group: 'Recipient',\n },\n ),\n\n // ── Provenance ───────────────────────────────────────────────\n source: Field.select(\n ['manual', 'rule', 'team', 'inherited'],\n {\n label: 'Source',\n required: true,\n defaultValue: 'manual',\n description: 'Why this grant exists — used by the rule evaluator to reconcile',\n group: 'Provenance',\n },\n ),\n\n source_id: Field.text({\n label: 'Source ID',\n required: false,\n maxLength: 200,\n description: 'Rule name / team id when source != manual',\n group: 'Provenance',\n }),\n\n granted_by: Field.lookup('sys_user', {\n label: 'Granted By',\n required: false,\n description: 
'User that created the grant (manual only)',\n group: 'Provenance',\n }),\n\n reason: Field.text({\n label: 'Reason',\n required: false,\n maxLength: 500,\n description: 'Optional free-text explanation surfaced to the recipient',\n group: 'Provenance',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n // Hot path: \"all records visible to user U on object O\" — the\n // middleware reads (object_name, recipient_type, recipient_id) to\n // build the `id IN (...)` predicate on every find.\n { fields: ['object_name', 'recipient_type', 'recipient_id'] },\n // \"all grants on this record\" — used by the share-management UI\n // and by canEdit() to look up explicit grants.\n { fields: ['object_name', 'record_id'] },\n // Reconciliation key for rule-driven shares.\n { fields: ['source', 'source_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_sharing_rule — Declarative record-sharing rule.\n *\n * Salesforce-style criteria-based sharing: \"any record on object O that\n * matches criteria C is granted access level A to recipient R\". 
Rules\n * are evaluated by `@objectstack/plugin-sharing` and materialise their\n * grants as rows in `sys_record_share` with `source='rule'` and\n * `source_id={rule.id}` so the evaluator can reconcile (delete + re-\n * insert) on rule updates without touching manual grants.\n *\n * Evaluation triggers:\n * - `afterInsert` / `afterUpdate` on the target object (per-record,\n * incremental — the hot path).\n * - REST `POST /sharing/rules/:id/evaluate` (admin-initiated\n * bulk reconcile — used after rule edits).\n *\n * Criteria are stored as JSON (a normal `FilterCondition`) so the\n * existing engine `find()` can do the matching natively. v1 supports\n * simple `{field, op, value}` style filters; CEL predicates are a\n * follow-up.\n *\n * @namespace sys\n */\nexport const SysSharingRule = ObjectSchema.create({\n name: 'sys_sharing_rule',\n label: 'Sharing Rule',\n pluralLabel: 'Sharing Rules',\n icon: 'shield-check',\n isSystem: true,\n managedBy: 'config',\n // Sharing rules can now be authored visually via the Studio criteria\n // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).\n // We still recommend `defineSharingRule({...})` for repo-controlled\n // baselines, but admins can safely create/edit/delete from the UI.\n userActions: { create: true, edit: true, delete: true, import: false },\n description: 'Declarative sharing rule that auto-materialises sys_record_share grants. 
Authored via defineSharingRule() in code or the Studio criteria builder.',\n displayNameField: 'name',\n titleFormat: '{label}',\n compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],\n\n listViews: {\n active: {\n type: 'grid',\n name: 'active',\n label: 'Active',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: true }],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n inactive: {\n type: 'grid',\n name: 'inactive',\n label: 'Inactive',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],\n filter: [{ field: 'active', operator: 'equals', value: false }],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n by_object: {\n type: 'grid',\n name: 'by_object',\n label: 'By Object',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],\n sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],\n grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },\n pagination: { pageSize: 100 },\n },\n all_rules: {\n type: 'grid',\n name: 'all_rules',\n label: 'All',\n data: { provider: 'object', object: 'sys_sharing_rule' },\n columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],\n sort: [{ field: 'label', order: 'asc' }],\n pagination: { pageSize: 50 },\n },\n },\n\n fields: {\n id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),\n\n organization_id: Field.lookup('sys_organization', {\n label: 'Organization',\n required: false,\n group: 'System',\n 
description: 'Tenant that owns this rule; null = global',\n }),\n\n name: Field.text({\n label: 'Name',\n required: true,\n maxLength: 100,\n description: 'Unique snake_case rule name',\n group: 'Identity',\n }),\n\n label: Field.text({\n label: 'Display Label',\n required: true,\n maxLength: 200,\n group: 'Identity',\n }),\n\n description: Field.textarea({\n label: 'Description',\n required: false,\n group: 'Identity',\n }),\n\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name (e.g. opportunity, account)',\n group: 'Target',\n }),\n\n criteria_json: Field.textarea({\n label: 'Criteria (FilterCondition JSON)',\n required: false,\n description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',\n group: 'Target',\n }),\n\n recipient_type: Field.select(\n ['user', 'team', 'department', 'role', 'queue'],\n {\n label: 'Recipient Type',\n required: true,\n defaultValue: 'department',\n description: 'Kind of principal that receives access — expanded to user grants at evaluation time. 
`department` walks the parent_department_id tree; `team` is flat (better-auth).',\n group: 'Recipient',\n },\n ),\n\n recipient_id: Field.text({\n label: 'Recipient',\n required: true,\n maxLength: 200,\n description: 'department id / team id / role name / queue name / user id depending on recipient_type',\n group: 'Recipient',\n }),\n\n access_level: Field.select(\n ['read', 'edit', 'full'],\n {\n label: 'Access Level',\n required: true,\n defaultValue: 'read',\n group: 'Recipient',\n },\n ),\n\n active: Field.boolean({\n label: 'Active',\n required: false,\n defaultValue: true,\n description: 'Only active rules participate in lifecycle evaluation',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'System',\n }),\n\n updated_at: Field.datetime({\n label: 'Updated At',\n required: false,\n group: 'System',\n }),\n },\n\n indexes: [\n { fields: ['object_name', 'active'] },\n { fields: ['name'], unique: true },\n { fields: ['organization_id'] },\n ],\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_share_link — Capability-Token Public Share Links\n *\n * Each row authorises read (or write) access to ONE record of ONE\n * object via an opaque URL-safe token. Complements `sys_record_share`,\n * which models principal-based grants (share with a specific user /\n * team / role). A single record may have rows in both tables; the\n * union determines effective access.\n *\n * Lifecycle:\n *\n * 1. `IShareLinkService.createLink` validates the request against the\n * target object's `publicSharing` whitelist and inserts a row.\n * Token is a 24-char URL-safe random string.\n *\n * 2. 
`IShareLinkService.resolveToken` (called from the public\n * `/api/v1/share-links/:token` middleware on every request)\n * verifies the row is not revoked / not expired, applies audience\n * / password gates, increments `use_count` + `last_used_at`, and\n * returns the effective redaction set.\n *\n * 3. `IShareLinkService.revokeLink` stamps `revoked_at`. Rows are\n * preserved for audit; resolveToken returns null after revocation.\n *\n * Conventions:\n * - `object_name` is the short object name (`account`, `ai_conversation`, …)\n * - `record_id` is the primary key of the target record within object_name\n * - `audience` mirrors `ShareLinkAudience` in spec/contracts; the\n * middleware enforces additional gating per audience\n * - `redact_fields` overlays on top of the schema-default redaction\n * set declared on `object.publicSharing.redactFields`\n *\n * managedBy: 'system' — admins inspect via the audit grid but all\n * writes flow through `IShareLinkService` so the per-object opt-in,\n * expiry caps, and audit hooks fire.\n *\n * @namespace sys\n */\nexport const SysShareLink = ObjectSchema.create({\n name: 'sys_share_link',\n label: 'Share Link',\n pluralLabel: 'Share Links',\n icon: 'link-2',\n isSystem: true,\n managedBy: 'system',\n description: 'Opaque capability token granting access to a single record. 
Notion/Figma-style public link sharing.',\n titleFormat: '{object_name}/{record_id} ({permission})',\n compactLayout: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n\n listViews: {\n active_links: {\n type: 'grid',\n name: 'active_links',\n label: 'Active',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'use_count', 'last_used_at'],\n filter: [{ field: 'revoked_at', operator: 'isNull' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n by_me: {\n type: 'grid',\n name: 'by_me',\n label: 'Created by Me',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at'],\n filter: [{ field: 'created_by', operator: 'equals', value: '{current_user_id}' }],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 100 },\n },\n revoked: {\n type: 'grid',\n name: 'revoked',\n label: 'Revoked',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'revoked_at', 'created_by'],\n filter: [{ field: 'revoked_at', operator: 'isNotNull' }],\n sort: [{ field: 'revoked_at', order: 'desc' }],\n pagination: { pageSize: 50 },\n },\n all_links: {\n type: 'grid',\n name: 'all_links',\n label: 'All',\n data: { provider: 'object', object: 'sys_share_link' },\n columns: ['object_name', 'record_id', 'permission', 'audience', 'expires_at', 'revoked_at', 'created_at'],\n sort: [{ field: 'created_at', order: 'desc' }],\n pagination: { pageSize: 200 },\n },\n },\n\n fields: {\n id: Field.text({\n label: 'Link ID',\n required: true,\n readonly: true,\n group: 'System',\n }),\n\n // ── Token (the secret) ───────────────────────────────────────\n token: Field.text({\n label: 'Token',\n required: true,\n maxLength: 64,\n description: 'Opaque URL-safe random token (≥ 22 chars). 
The only secret in this row.',\n group: 'Token',\n }),\n\n // ── Target ───────────────────────────────────────────────────\n object_name: Field.text({\n label: 'Object',\n required: true,\n maxLength: 100,\n description: 'Short object name of the shared record (e.g. ai_conversation, contracts_contract)',\n group: 'Target',\n }),\n\n record_id: Field.text({\n label: 'Record',\n required: true,\n maxLength: 100,\n description: 'Primary key of the shared record within object_name',\n group: 'Target',\n }),\n\n // ── Access Policy ────────────────────────────────────────────\n permission: Field.select(\n [\n { label: 'View', value: 'view' },\n { label: 'Comment', value: 'comment' },\n { label: 'Edit', value: 'edit' },\n ],\n {\n label: 'Permission',\n required: true,\n defaultValue: 'view',\n description: 'What the link holder can do with the record',\n group: 'Access Policy',\n },\n ),\n\n audience: Field.select(\n [\n { label: 'Public (indexable)', value: 'public' },\n { label: 'Anyone with the link', value: 'link_only' },\n { label: 'Signed-in users', value: 'signed_in' },\n { label: 'Specific emails', value: 'email' },\n ],\n {\n label: 'Audience',\n required: true,\n defaultValue: 'link_only',\n description: 'Gating layer applied on top of the token check',\n group: 'Access Policy',\n },\n ),\n\n expires_at: Field.datetime({\n label: 'Expires At',\n description: 'When set, resolveToken returns null after this timestamp',\n group: 'Access Policy',\n }),\n\n email_allowlist: Field.json({\n label: 'Email Allowlist',\n description: 'Lowercased addresses checked when audience=email',\n group: 'Access Policy',\n }),\n\n password_hash: Field.text({\n label: 'Password Hash',\n maxLength: 256,\n description: 'Argon2/bcrypt hash. 
When set, the UI prompts for a password before rendering.',\n group: 'Access Policy',\n }),\n\n redact_fields: Field.json({\n label: 'Per-Link Redactions',\n description: 'Extra fields stripped from the response, on top of the object-default set',\n group: 'Access Policy',\n }),\n\n label: Field.text({\n label: 'Label',\n maxLength: 200,\n description: 'Free-text shown in the share dialog (e.g. \"ACME Q3 contract\")',\n group: 'Metadata',\n }),\n\n // ── Lifecycle ────────────────────────────────────────────────\n revoked_at: Field.datetime({\n label: 'Revoked At',\n readonly: true,\n description: 'When set, the link is permanently disabled',\n group: 'Lifecycle',\n }),\n\n created_by: Field.lookup('sys_user', {\n label: 'Created By',\n readonly: true,\n description: 'Issuer of the link',\n group: 'Lifecycle',\n }),\n\n created_at: Field.datetime({\n label: 'Created At',\n required: true,\n defaultValue: 'NOW()',\n readonly: true,\n group: 'Lifecycle',\n }),\n\n last_used_at: Field.datetime({\n label: 'Last Used At',\n readonly: true,\n description: 'Stamped by resolveToken; used by the dashboard to highlight active links',\n group: 'Lifecycle',\n }),\n\n use_count: Field.number({\n label: 'Use Count',\n defaultValue: 0,\n readonly: true,\n description: 'Incremented by resolveToken on every successful resolution',\n group: 'Lifecycle',\n }),\n },\n\n indexes: [\n // Hot path: resolveToken — one row lookup per public request.\n { fields: ['token'], unique: true },\n // Management UI: \"all links for this record\".\n { fields: ['object_name', 'record_id'] },\n // \"Active links I issued\".\n { fields: ['created_by', 'revoked_at'] },\n // Reaper for expired rows (background sweep).\n { fields: ['expires_at'] },\n ],\n\n enable: {\n trackHistory: false,\n searchable: false,\n apiEnabled: true,\n // The /api/v1/share-links endpoints are the authoritative surface;\n // the generic data API is exposed read-only for the admin grid.\n apiMethods: ['get', 'list'],\n trash: 
false,\n mru: false,\n clone: false,\n },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { PermissionSetSchema, type PermissionSet } from '@objectstack/spec/security';\n\n/**\n * Identity tables managed by the better-auth plugin (see\n * `packages/platform-objects/src/identity/`). Mutations to these tables\n * MUST flow through the better-auth API endpoints (sign-up, password\n * reset, organization invite/remove-member, api-key/create, …) rather\n * than the generic CRUD pipeline so that password hashing, token\n * signing, email verification, invitation flows and scope hashing all\n * fire correctly.\n *\n * The default member/viewer permission sets therefore explicitly DENY\n * `allowCreate / allowEdit / allowDelete` on these objects while still\n * permitting reads (subject to the rest of the RLS chain). Admin\n * permission sets keep their `*` wildcard so they can rescue data\n * directly when needed.\n *\n * Each entry mirrors the `managedBy: 'better-auth'` flag declared on\n * the corresponding object schema in `packages/platform-objects/src/identity/`.\n */\nconst BETTER_AUTH_MANAGED_OBJECTS = [\n 'sys_user',\n 'sys_account',\n 'sys_session',\n 'sys_organization',\n 'sys_member',\n 'sys_invitation',\n 'sys_team',\n 'sys_team_member',\n 'sys_api_key',\n 'sys_two_factor',\n 'sys_verification',\n 'sys_jwks',\n 'sys_device_code',\n 'sys_oauth_application',\n 'sys_oauth_access_token',\n 'sys_oauth_refresh_token',\n 'sys_oauth_consent',\n] as const;\n\nconst denyWritesOnManagedObjects = (): Record<string, {\n allowRead: boolean;\n allowCreate: boolean;\n allowEdit: boolean;\n allowDelete: boolean;\n}> => Object.fromEntries(\n BETTER_AUTH_MANAGED_OBJECTS.map((name) => [\n name,\n { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n ]),\n);\n\n/**\n * Default permission sets seeded by the platform.\n *\n * These are referenced by name (`admin_full_access`, `member_default`,\n * 
`viewer_readonly`) from `sys_role_permission_set` rows or assigned\n * directly to users via `sys_user_permission_set`.\n *\n * The runtime SecurityPlugin reads these via the metadata service when a\n * permission set name appears in the request `ExecutionContext.permissions[]`.\n *\n * Each entry is run through `PermissionSetSchema.parse(...)` so Zod fills\n * in the boolean/`priority`/`enabled` defaults — keeping the literal\n * source readable while still satisfying the strict output type.\n *\n * `objects: { '*': … }` uses the wildcard sentinel honoured by\n * `PermissionEvaluator` — admins do not need an explicit row per object.\n * Per-object entries fully override the wildcard for that object (see\n * `PermissionEvaluator.checkObjectPermission` — lookup, not merge).\n *\n * RLS policies use the canonical `current_user.*` placeholders compiled\n * by `RLSCompiler`. The active organization is exposed under\n * `current_user.organization_id` (sourced from\n * `ExecutionContext.tenantId` at request time) — there is no rewrite\n * step or `tenantField` indirection in SecurityPlugin. Schemas with a\n * different physical tenant column should fork these defaults.\n */\nexport const defaultPermissionSets: PermissionSet[] = [\n PermissionSetSchema.parse({\n name: 'admin_full_access',\n label: 'Administrator — Full Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n },\n systemPermissions: [\n 'manage_users',\n 'manage_metadata',\n 'manage_platform_settings',\n 'setup.access',\n 'studio.access',\n ],\n }),\n // ── Organization Administrator ──────────────────────────────────────\n //\n // Third tier between platform admin (`admin_full_access`) and rank-and-file\n // member. 
Lives at the *organization* scope: full CRUD on business\n // objects within their org (governed by `tenant_isolation` RLS), plus\n // `setup.access` so the Setup app shell is reachable.\n //\n // **Deliberately withheld** vs `admin_full_access`:\n // - `studio.access` — schema-design surfaces are platform-level (a\n // tenant cannot mutate the shared metadata) and Studio is hidden.\n // - `manage_metadata` — same reasoning.\n // - `manage_platform_settings` — global settings manifests\n // (mail / storage / AI / knowledge) and platform-only Setup pages\n // (sharing rules, audit logs, OAuth apps, JWKS, …) require this\n // and are hidden / 403'd for org admins. Tenant-scoped manifests\n // (`branding`, `feature_flags`) keep using `setup.access` so org\n // admins CAN configure their own org's branding.\n //\n // **Anti-escalation**: writes to the global RBAC tables\n // (`sys_role`, `sys_permission_set`, `sys_role_permission_set`,\n // `sys_user_permission_set`, `sys_user_role`) are denied. Allowing\n // them would let an org admin bind `admin_full_access` (which has no\n // RLS) to themselves and break out of tenant isolation. 
Reads are\n // permitted so the Roles / Permission Sets nav entries still render.\n //\n // Auto-granted to every `sys_member` whose role contains `owner` or\n // `admin` by `plugin-security/src/auto-org-admin-grant.ts`.\n PermissionSetSchema.parse({\n name: 'organization_admin',\n label: 'Organization Administrator',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n viewAllRecords: true,\n modifyAllRecords: true,\n },\n // Identity tables — go through better-auth endpoints (invite,\n // accept, remove-member, transfer, …) rather than raw CRUD.\n ...denyWritesOnManagedObjects(),\n // RBAC tables — read-only to prevent privilege escalation.\n sys_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_role_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n sys_user_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },\n },\n systemPermissions: ['manage_org_users', 'setup.access'],\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be denied by the wildcard policy. 
Same self-only\n // carve-outs as `member_default` — an org admin does not get to\n // inspect cross-tenant identity rows.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // OAuth applications a user has registered themselves (self-service\n // developer flow exposed in the Account app's Developer section).\n // `sys_oauth_application` has no 
`organization_id` so the wildcard\n // `tenant_isolation` policy would otherwise deny every row.\n {\n name: 'sys_oauth_application_self',\n object: 'sys_oauth_application',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // Org-scoped visibility for organization-owned identity-adjacent\n // tables. Org admins may inspect their own org's invitations and\n // memberships (read; writes still flow through better-auth).\n {\n name: 'sys_member_org',\n object: 'sys_member',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_invitation_org',\n object: 'sys_invitation',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_team_org',\n object: 'sys_team',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'member_default',\n label: 'Member — Standard Access',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: true,\n allowEdit: true,\n allowDelete: true,\n },\n // Identity tables are managed by better-auth — no direct writes.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'all',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'owner_only_writes',\n object: '*',\n operation: 'update',\n using: 'owner_id = current_user.id',\n },\n {\n name: 'owner_only_deletes',\n object: '*',\n operation: 'delete',\n using: 'owner_id = current_user.id',\n },\n // ── better-auth system tables that lack `organization_id` and would\n // otherwise be left unprotected by the wildcard rule above. ────\n //\n // The security plugin's RLS injector treats wildcard policies that\n // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a\n // per-object policy contributes an alternate match. 
Each `*_self`\n // policy below restores per-user visibility on a better-auth table\n // that has `user_id` but no `organization_id`. Tables without\n // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)\n // stay DENY for non-admins by design — only platform admins (via\n // `admin_full_access`, which has no RLS) should inspect them.\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'all',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators: members can see other users in the same\n // organization. Without this, owner/assignee lookups, @-mention\n // suggestions, reviewer pickers and team-roster surfaces all\n // collapse to just the current user. `org_user_ids` is\n // pre-resolved by runtime/resolve-execution-context from\n // `sys_member` for the active organization. Sensitive credential\n // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep\n // their stricter self-only carve-outs above.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 
'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n // OAuth applications a user has registered themselves (Account →\n // Developer → OAuth Applications). `sys_oauth_application` has no\n // `organization_id`, so without this carve-out the wildcard\n // `tenant_isolation` policy returns zero rows even for the owner.\n {\n name: 'sys_oauth_application_self',\n object: 'sys_oauth_application',\n operation: 'all',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n PermissionSetSchema.parse({\n name: 'viewer_readonly',\n label: 'Viewer — Read-Only',\n isProfile: true,\n objects: {\n '*': {\n allowRead: true,\n allowCreate: false,\n allowEdit: false,\n allowDelete: false,\n },\n // Belt-and-suspenders: explicit deny on managed objects even though\n // the wildcard already denies — keeps the policy readable when\n // future relaxations might widen the wildcard.\n ...denyWritesOnManagedObjects(),\n },\n rowLevelSecurity: [\n {\n name: 'tenant_isolation',\n object: '*',\n operation: 'select',\n using: 'organization_id = current_user.organization_id',\n },\n {\n name: 'sys_organization_self',\n object: 'sys_organization',\n operation: 'select',\n using: 'id = current_user.organization_id',\n },\n {\n name: 'sys_user_self',\n object: 'sys_user',\n operation: 'select',\n using: 'id = current_user.id',\n },\n // Org collaborators (read-only): see `sys_user_org_members` in\n // `member_default` for rationale.\n {\n name: 'sys_user_org_members',\n object: 'sys_user',\n operation: 'select',\n 
using: 'id IN (current_user.org_user_ids)',\n },\n {\n name: 'sys_session_self',\n object: 'sys_session',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_account_self',\n object: 'sys_account',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_team_member_self',\n object: 'sys_team_member',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_two_factor_self',\n object: 'sys_two_factor',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_user_preference_self',\n object: 'sys_user_preference',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_api_key_self',\n object: 'sys_api_key',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_device_code_self',\n object: 'sys_device_code',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_access_token_self',\n object: 'sys_oauth_access_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_refresh_token_self',\n object: 'sys_oauth_refresh_token',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n {\n name: 'sys_oauth_consent_self',\n object: 'sys_oauth_consent',\n operation: 'select',\n using: 'user_id = current_user.id',\n },\n ],\n }),\n];\n"]}
|
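--- a/package/dist/security/index.mjs
+++ b/package/dist/security/index.mjs
@@ -9,6 +9,13 @@ var SysRole = ObjectSchema.create({
 icon: "shield",
 isSystem: true,
 managedBy: "config",
+// ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows
+// (created via UI / API) but the schema itself is locked.
+protection: {
+lock: "no-overlay",
+reason: "RBAC schema is platform-defined \u2014 see ADR-0010.",
+docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
+},
 description: "Role definitions for RBAC access control",
 displayNameField: "label",
 titleFormat: "{label}",
@@ -212,6 +219,13 @@ var SysPermissionSet = ObjectSchema.create({
 icon: "lock",
 isSystem: true,
 managedBy: "config",
+// ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows
+// (created via UI / API) but the schema itself is locked.
+protection: {
+lock: "no-overlay",
+reason: "RBAC schema is platform-defined \u2014 see ADR-0010.",
+docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
+},
 description: "Named permission groupings for fine-grained access control",
 displayNameField: "label",
 titleFormat: "{label}",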
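Review bot: Only `SysRole` and `SysPermissionSet` receive the `no-overlay` lock in this file (both hunks, 14 added lines in total), while the objects that bind permission sets to principals get none. The bundled `default-permission-sets` comment treats `sys_role_permission_set`, `sys_user_permission_set` and `sys_user_role` as part of the same anti-escalation surface, so if an overlay can alter their fields or validation, the lock on the two parent schemas may not be enough; this depends on what `no-overlay` enforces, which is not visible here. If they are meant to be covered, add the same `protection: { lock: "no-overlay", … }` entry to those `ObjectSchema.create` calls, ideally from one shared constant so `reason` and `docsUrl` cannot drift. Both `ObjectSchema.create({` calls start and end outside the hunks, and since this is build output the change belongs in the corresponding `src/security/*.object.ts` files.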