@objectstack/platform-objects 7.3.0 → 7.4.1

package/dist/security/index.js

@@ -1,1535 +1,4 @@
 'use strict';
 
-var data = require('@objectstack/spec/data');
-var security = require('@objectstack/spec/security');
-
-// src/security/sys-role.object.ts
-var SysRole = data.ObjectSchema.create({
-  name: "sys_role",
-  label: "Role",
-  pluralLabel: "Roles",
-  icon: "shield",
-  isSystem: true,
-  managedBy: "config",
-  // ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows
-  // (created via UI / API) but the schema itself is locked.
-  protection: {
-    lock: "no-overlay",
-    reason: "RBAC schema is platform-defined \u2014 see ADR-0010.",
-    docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
-  },
-  description: "Role definitions for RBAC access control",
-  displayNameField: "label",
-  titleFormat: "{label}",
-  compactLayout: ["label", "name", "active", "is_default"],
-  // Custom actions — system roles drive RBAC and are edited rarely but
-  // require the four high-frequency sysadmin affordances every IdP
-  // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle
-  // without losing assignments), mark default (auto-assign to new users),
-  // and clone (template for new roles). All operations hit the generic
-  // data CRUD endpoint exposed by `apiEnabled` — no custom server route
-  // required because `managedBy: 'config'` allows direct mutation.
-  actions: [
-    {
-      name: "activate_role",
-      label: "Activate Role",
-      icon: "circle-check",
-      variant: "secondary",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "PATCH",
-      target: "/api/v1/data/sys_role/{id}",
-      bodyExtra: { active: true },
-      successMessage: "Role activated",
-      refreshAfter: true
-    },
-    {
-      name: "deactivate_role",
-      label: "Deactivate Role",
-      icon: "circle-off",
-      variant: "danger",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "PATCH",
-      target: "/api/v1/data/sys_role/{id}",
-      bodyExtra: { active: false },
-      confirmText: "Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.",
-      successMessage: "Role deactivated",
-      refreshAfter: true
-    },
-    {
-      name: "set_default_role",
-      label: "Set as Default",
-      icon: "star",
-      variant: "secondary",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "PATCH",
-      target: "/api/v1/data/sys_role/{id}",
-      bodyExtra: { is_default: true },
-      confirmText: "Make this the default role for new users? Existing users are unaffected.",
-      successMessage: "Default role updated",
-      refreshAfter: true
-    },
-    {
-      // Clone — POST a new sys_role row pre-filled from the source. The
-      // dialog asks only for the new API name / label so the operator
-      // can rename atomically; permissions JSON is copied wholesale via
-      // defaultFromRow.
-      name: "clone_role",
-      label: "Clone Role",
-      icon: "copy",
-      variant: "secondary",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "POST",
-      target: "/api/v1/data/sys_role",
-      bodyExtra: { is_default: false, active: true },
-      successMessage: "Role cloned",
-      refreshAfter: true,
-      params: [
-        { name: "label", label: "New Display Name", type: "text", required: true },
-        { name: "name", label: "New API Name", type: "text", required: true, helpText: "Unique snake_case machine name" },
-        { field: "description", defaultFromRow: true },
-        { field: "permissions", defaultFromRow: true }
-      ]
-    }
-  ],
-  listViews: {
-    active: {
-      type: "grid",
-      name: "active",
-      label: "Active",
-      data: { provider: "object", object: "sys_role" },
-      columns: ["label", "name", "is_default", "updated_at"],
-      filter: [{ field: "active", operator: "equals", value: true }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    default_roles: {
-      type: "grid",
-      name: "default_roles",
-      label: "Default",
-      data: { provider: "object", object: "sys_role" },
-      columns: ["label", "name", "description", "active"],
-      filter: [{ field: "is_default", operator: "equals", value: true }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    custom: {
-      type: "grid",
-      name: "custom",
-      label: "Custom",
-      data: { provider: "object", object: "sys_role" },
-      columns: ["label", "name", "active", "updated_at"],
-      filter: [{ field: "is_default", operator: "equals", value: false }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    all_roles: {
-      type: "grid",
-      name: "all_roles",
-      label: "All",
-      data: { provider: "object", object: "sys_role" },
-      columns: ["label", "name", "active", "is_default", "updated_at"],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    }
-  },
-  fields: {
-    // ── Identity ─────────────────────────────────────────────────
-    label: data.Field.text({
-      label: "Display Name",
-      required: true,
-      searchable: true,
-      maxLength: 255,
-      group: "Identity"
-    }),
-    name: data.Field.text({
-      label: "API Name",
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: "Unique machine name for the role (e.g. admin, editor, viewer)",
-      group: "Identity"
-    }),
-    description: data.Field.textarea({
-      label: "Description",
-      required: false,
-      group: "Identity"
-    }),
-    // ── Configuration ────────────────────────────────────────────
-    permissions: data.Field.textarea({
-      label: "Permissions",
-      required: false,
-      description: "JSON-serialized array of permission strings",
-      group: "Configuration"
-    }),
-    // ── Status ───────────────────────────────────────────────────
-    active: data.Field.boolean({
-      label: "Active",
-      defaultValue: true,
-      group: "Status"
-    }),
-    is_default: data.Field.boolean({
-      label: "Default Role",
-      defaultValue: false,
-      description: "Automatically assigned to new users",
-      group: "Status"
-    }),
-    // ── System ───────────────────────────────────────────────────
-    id: data.Field.text({
-      label: "Role ID",
-      required: true,
-      readonly: true,
-      group: "System"
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    })
-  },
-  indexes: [
-    { fields: ["name"], unique: true },
-    { fields: ["active"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  }
-});
-var SysPermissionSet = data.ObjectSchema.create({
-  name: "sys_permission_set",
-  label: "Permission Set",
-  pluralLabel: "Permission Sets",
-  icon: "lock",
-  isSystem: true,
-  managedBy: "config",
-  // ADR-0010 §3.7 — RBAC primitive; tenants may add custom rows
-  // (created via UI / API) but the schema itself is locked.
-  protection: {
-    lock: "no-overlay",
-    reason: "RBAC schema is platform-defined \u2014 see ADR-0010.",
-    docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
-  },
-  description: "Named permission groupings for fine-grained access control",
-  displayNameField: "label",
-  titleFormat: "{label}",
-  compactLayout: ["label", "name", "active"],
-  // Custom actions — permission sets are templates assigned to roles or
-  // users (via sys_role_permission_set / sys_user_permission_set). The
-  // sysadmin operations that don't live on the parent-detail tabs are
-  // lifecycle (activate/deactivate without losing assignments) and
-  // clone (build a new permset by tweaking an existing one). Both hit
-  // the generic data CRUD endpoint — managedBy: 'config' permits it.
-  actions: [
-    {
-      name: "activate_permission_set",
-      label: "Activate",
-      icon: "circle-check",
-      variant: "secondary",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "PATCH",
-      target: "/api/v1/data/sys_permission_set/{id}",
-      bodyExtra: { active: true },
-      successMessage: "Permission set activated",
-      refreshAfter: true
-    },
-    {
-      name: "deactivate_permission_set",
-      label: "Deactivate",
-      icon: "circle-off",
-      variant: "danger",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "PATCH",
-      target: "/api/v1/data/sys_permission_set/{id}",
-      bodyExtra: { active: false },
-      confirmText: "Deactivate this permission set? Existing assignments stay in place but stop granting access until re-activated.",
-      successMessage: "Permission set deactivated",
-      refreshAfter: true
-    },
-    {
-      name: "clone_permission_set",
-      label: "Clone",
-      icon: "copy",
-      variant: "secondary",
-      mode: "custom",
-      locations: ["list_item", "record_header"],
-      type: "api",
-      method: "POST",
-      target: "/api/v1/data/sys_permission_set",
-      bodyExtra: { active: true },
-      successMessage: "Permission set cloned",
-      refreshAfter: true,
-      params: [
-        { name: "label", label: "New Display Name", type: "text", required: true },
-        { name: "name", label: "New API Name", type: "text", required: true, helpText: "Unique snake_case machine name" },
-        { field: "description", defaultFromRow: true },
-        { field: "object_permissions", defaultFromRow: true },
-        { field: "field_permissions", defaultFromRow: true }
-      ]
-    }
-  ],
-  listViews: {
-    active: {
-      type: "grid",
-      name: "active",
-      label: "Active",
-      data: { provider: "object", object: "sys_permission_set" },
-      columns: ["label", "name", "description", "updated_at"],
-      filter: [{ field: "active", operator: "equals", value: true }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    inactive: {
-      type: "grid",
-      name: "inactive",
-      label: "Inactive",
-      data: { provider: "object", object: "sys_permission_set" },
-      columns: ["label", "name", "updated_at"],
-      filter: [{ field: "active", operator: "equals", value: false }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    all_permsets: {
-      type: "grid",
-      name: "all_permsets",
-      label: "All",
-      data: { provider: "object", object: "sys_permission_set" },
-      columns: ["label", "name", "active", "updated_at"],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    }
-  },
-  fields: {
-    // ── Identity ─────────────────────────────────────────────────
-    label: data.Field.text({
-      label: "Display Name",
-      required: true,
-      searchable: true,
-      maxLength: 255,
-      group: "Identity"
-    }),
-    name: data.Field.text({
-      label: "API Name",
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: "Unique machine name for the permission set",
-      group: "Identity"
-    }),
-    description: data.Field.textarea({
-      label: "Description",
-      required: false,
-      group: "Identity"
-    }),
-    // ── Permissions ──────────────────────────────────────────────
-    object_permissions: data.Field.textarea({
-      label: "Object Permissions",
-      required: false,
-      description: "JSON-serialized object-level CRUD permissions",
-      group: "Permissions"
-    }),
-    field_permissions: data.Field.textarea({
-      label: "Field Permissions",
-      required: false,
-      description: "JSON-serialized field-level read/write permissions",
-      group: "Permissions"
-    }),
-    system_permissions: data.Field.textarea({
-      label: "System Permissions",
-      required: false,
-      description: 'JSON-serialized array of system capability names (e.g. ["setup.access","studio.access","manage_users"])',
-      group: "Permissions"
-    }),
-    row_level_security: data.Field.textarea({
-      label: "Row-Level Security",
-      required: false,
-      description: "JSON-serialized array of row-level security policies (USING/CHECK clauses)",
-      group: "Permissions"
-    }),
-    tab_permissions: data.Field.textarea({
-      label: "Tab Permissions",
-      required: false,
-      description: "JSON-serialized map of app tab visibility (visible | hidden | default_on | default_off)",
-      group: "Permissions"
-    }),
-    // ── Status ───────────────────────────────────────────────────
-    active: data.Field.boolean({
-      label: "Active",
-      defaultValue: true,
-      group: "Status"
-    }),
-    // ── System ───────────────────────────────────────────────────
-    id: data.Field.text({
-      label: "Permission Set ID",
-      required: true,
-      readonly: true,
-      group: "System"
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    })
-  },
-  indexes: [
-    { fields: ["name"], unique: true },
-    { fields: ["active"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  }
-});
-var SysUserPermissionSet = data.ObjectSchema.create({
-  name: "sys_user_permission_set",
-  label: "User Permission Set",
-  pluralLabel: "User Permission Sets",
-  icon: "user-check",
-  isSystem: true,
-  managedBy: "system",
-  description: "Direct assignment of a permission set to a user (optionally scoped to an organization).",
-  titleFormat: "{user_id} \u2192 {permission_set_id}",
-  compactLayout: ["user_id", "permission_set_id", "organization_id"],
-  fields: {
-    id: data.Field.text({
-      label: "Assignment ID",
-      required: true,
-      readonly: true,
-      description: "UUID of the assignment."
-    }),
-    user_id: data.Field.lookup("sys_user", {
-      label: "User",
-      required: true,
-      description: "Foreign key to sys_user."
-    }),
-    permission_set_id: data.Field.lookup("sys_permission_set", {
-      label: "Permission Set",
-      required: true,
-      description: "Foreign key to sys_permission_set."
-    }),
-    organization_id: data.Field.lookup("sys_organization", {
-      label: "Organization",
-      required: false,
-      description: "Optional organization scope. NULL = applies in every org context."
-    }),
-    granted_by: data.Field.lookup("sys_user", {
-      label: "Granted By",
-      required: false,
-      description: "User who granted this permission set."
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    })
-  },
-  indexes: [
-    { fields: ["user_id", "permission_set_id", "organization_id"], unique: true },
-    { fields: ["user_id"] },
-    { fields: ["organization_id"] },
-    { fields: ["permission_set_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-var SysRolePermissionSet = data.ObjectSchema.create({
-  name: "sys_role_permission_set",
-  label: "Role Permission Set",
-  pluralLabel: "Role Permission Sets",
-  icon: "shield-plus",
-  isSystem: true,
-  managedBy: "system",
-  description: "Binds a permission set to a role.",
-  titleFormat: "{role_id} \u2192 {permission_set_id}",
-  compactLayout: ["role_id", "permission_set_id"],
-  fields: {
-    id: data.Field.text({
-      label: "Binding ID",
-      required: true,
-      readonly: true,
-      description: "UUID of the role-permission-set binding."
-    }),
-    role_id: data.Field.lookup("sys_role", {
-      label: "Role",
-      required: true,
-      description: "Foreign key to sys_role."
-    }),
-    permission_set_id: data.Field.lookup("sys_permission_set", {
-      label: "Permission Set",
-      required: true,
-      description: "Foreign key to sys_permission_set."
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    })
-  },
-  indexes: [
-    { fields: ["role_id", "permission_set_id"], unique: true },
-    { fields: ["role_id"] },
-    { fields: ["permission_set_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-var SysRecordShare = data.ObjectSchema.create({
-  name: "sys_record_share",
-  label: "Record Share",
-  pluralLabel: "Record Shares",
-  icon: "share",
-  isSystem: true,
-  managedBy: "system",
-  description: "Per-record sharing grant \u2014 extends OWD with explicit access",
-  titleFormat: "{object_name}/{record_id} \u2192 {recipient_id} ({access_level})",
-  compactLayout: ["object_name", "record_id", "recipient_id", "access_level", "source"],
-  listViews: {
-    granted_to_me: {
-      type: "grid",
-      name: "granted_to_me",
-      label: "Granted to Me",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "access_level", "source", "granted_by", "created_at"],
-      filter: [
-        { field: "recipient_type", operator: "equals", value: "user" },
-        { field: "recipient_id", operator: "equals", value: "{current_user_id}" }
-      ],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 50 }
-    },
-    granted_by_me: {
-      type: "grid",
-      name: "granted_by_me",
-      label: "Granted by Me",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
-      filter: [
-        { field: "granted_by", operator: "equals", value: "{current_user_id}" }
-      ],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 50 }
-    },
-    by_object: {
-      type: "grid",
-      name: "by_object",
-      label: "By Object",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "recipient_id", "access_level", "source", "created_at"],
-      sort: [{ field: "object_name", order: "asc" }, { field: "created_at", order: "desc" }],
-      grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
-      pagination: { pageSize: 100 }
-    },
-    manual_grants: {
-      type: "grid",
-      name: "manual_grants",
-      label: "Manual Grants",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "recipient_id", "access_level", "granted_by", "reason", "created_at"],
-      filter: [{ field: "source", operator: "equals", value: "manual" }],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 50 }
-    },
-    rule_grants: {
-      type: "grid",
-      name: "rule_grants",
-      label: "Rule Grants",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "recipient_id", "access_level", "source_id", "created_at"],
-      filter: [{ field: "source", operator: "in", value: ["rule", "team", "inherited"] }],
-      sort: [{ field: "source_id", order: "asc" }, { field: "created_at", order: "desc" }],
-      pagination: { pageSize: 50 }
-    },
-    all_shares: {
-      type: "grid",
-      name: "all_shares",
-      label: "All",
-      data: { provider: "object", object: "sys_record_share" },
-      columns: ["object_name", "record_id", "recipient_type", "recipient_id", "access_level", "source", "created_at"],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 100 }
-    }
-  },
-  fields: {
-    id: data.Field.text({
-      label: "Share ID",
-      required: true,
-      readonly: true,
-      group: "System"
-    }),
-    // ── Target (which record is being shared) ────────────────────
-    object_name: data.Field.text({
-      label: "Object",
-      required: true,
-      maxLength: 100,
-      description: "Short object name of the shared record",
-      group: "Target"
-    }),
-    record_id: data.Field.text({
-      label: "Record",
-      required: true,
-      maxLength: 100,
-      description: "Primary key of the shared record within object_name",
-      group: "Target"
-    }),
-    // ── Recipient (who receives access) ──────────────────────────
-    recipient_type: data.Field.select(
-      ["user", "group", "role", "role_and_subordinates", "guest"],
-      {
-        label: "Recipient Type",
-        required: true,
-        defaultValue: "user",
-        description: "Kind of principal that holds the grant",
-        group: "Recipient"
-      }
-    ),
-    recipient_id: data.Field.text({
-      label: "Recipient",
-      required: true,
-      maxLength: 100,
-      description: "ID of the user/group/role that receives access",
-      group: "Recipient"
-    }),
-    access_level: data.Field.select(
-      ["read", "edit", "full"],
-      {
-        label: "Access Level",
-        required: true,
-        defaultValue: "read",
-        description: "What the recipient can do \u2014 read | edit | full (transfer/share/delete)",
-        group: "Recipient"
-      }
-    ),
-    // ── Provenance ───────────────────────────────────────────────
-    source: data.Field.select(
-      ["manual", "rule", "team", "inherited"],
-      {
-        label: "Source",
-        required: true,
-        defaultValue: "manual",
-        description: "Why this grant exists \u2014 used by the rule evaluator to reconcile",
-        group: "Provenance"
-      }
-    ),
-    source_id: data.Field.text({
-      label: "Source ID",
-      required: false,
-      maxLength: 200,
-      description: "Rule name / team id when source != manual",
-      group: "Provenance"
-    }),
-    granted_by: data.Field.lookup("sys_user", {
-      label: "Granted By",
-      required: false,
-      description: "User that created the grant (manual only)",
-      group: "Provenance"
-    }),
-    reason: data.Field.text({
-      label: "Reason",
-      required: false,
-      maxLength: 500,
-      description: "Optional free-text explanation surfaced to the recipient",
-      group: "Provenance"
-    }),
-    // ── Lifecycle ────────────────────────────────────────────────
-    created_at: data.Field.datetime({
-      label: "Created At",
-      required: true,
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      required: false,
-      group: "System"
-    })
-  },
-  indexes: [
-    // Hot path: "all records visible to user U on object O" — the
-    // middleware reads (object_name, recipient_type, recipient_id) to
-    // build the `id IN (...)` predicate on every find.
-    { fields: ["object_name", "recipient_type", "recipient_id"] },
-    // "all grants on this record" — used by the share-management UI
-    // and by canEdit() to look up explicit grants.
-    { fields: ["object_name", "record_id"] },
-    // Reconciliation key for rule-driven shares.
-    { fields: ["source", "source_id"] }
-  ]
-});
-var SysSharingRule = data.ObjectSchema.create({
-  name: "sys_sharing_rule",
-  label: "Sharing Rule",
-  pluralLabel: "Sharing Rules",
-  icon: "shield-check",
-  isSystem: true,
-  managedBy: "config",
-  // Sharing rules can now be authored visually via the Studio criteria
-  // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).
-  // We still recommend `defineSharingRule({...})` for repo-controlled
-  // baselines, but admins can safely create/edit/delete from the UI.
-  userActions: { create: true, edit: true, delete: true, import: false },
-  description: "Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.",
-  displayNameField: "name",
-  titleFormat: "{label}",
-  compactLayout: ["name", "object_name", "recipient_type", "recipient_id", "access_level", "active"],
-  listViews: {
-    active: {
-      type: "grid",
-      name: "active",
-      label: "Active",
-      data: { provider: "object", object: "sys_sharing_rule" },
-      columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "updated_at"],
-      filter: [{ field: "active", operator: "equals", value: true }],
-      sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    inactive: {
-      type: "grid",
-      name: "inactive",
-      label: "Inactive",
-      data: { provider: "object", object: "sys_sharing_rule" },
-      columns: ["label", "object_name", "recipient_type", "recipient_id", "updated_at"],
-      filter: [{ field: "active", operator: "equals", value: false }],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    },
-    by_object: {
-      type: "grid",
-      name: "by_object",
-      label: "By Object",
-      data: { provider: "object", object: "sys_sharing_rule" },
-      columns: ["object_name", "label", "recipient_type", "access_level", "active"],
-      sort: [{ field: "object_name", order: "asc" }, { field: "label", order: "asc" }],
-      grouping: { fields: [{ field: "object_name", order: "asc", collapsed: false }] },
-      pagination: { pageSize: 100 }
-    },
-    all_rules: {
-      type: "grid",
-      name: "all_rules",
-      label: "All",
-      data: { provider: "object", object: "sys_sharing_rule" },
-      columns: ["label", "object_name", "recipient_type", "recipient_id", "access_level", "active", "updated_at"],
-      sort: [{ field: "label", order: "asc" }],
-      pagination: { pageSize: 50 }
-    }
-  },
-  fields: {
-    id: data.Field.text({ label: "Rule ID", required: true, readonly: true, group: "System" }),
-    organization_id: data.Field.lookup("sys_organization", {
-      label: "Organization",
-      required: false,
-      group: "System",
-      description: "Tenant that owns this rule; null = global"
-    }),
-    name: data.Field.text({
-      label: "Name",
-      required: true,
-      maxLength: 100,
-      description: "Unique snake_case rule name",
-      group: "Identity"
-    }),
-    label: data.Field.text({
-      label: "Display Label",
-      required: true,
-      maxLength: 200,
-      group: "Identity"
-    }),
-    description: data.Field.textarea({
-      label: "Description",
-      required: false,
-      group: "Identity"
-    }),
-    object_name: data.Field.text({
-      label: "Object",
-      required: true,
-      maxLength: 100,
-      description: "Short object name (e.g. opportunity, account)",
-      group: "Target"
-    }),
-    criteria_json: data.Field.textarea({
-      label: "Criteria (FilterCondition JSON)",
-      required: false,
-      description: "JSON FilterCondition matched against records of object_name. Empty = match all.",
-      group: "Target"
-    }),
-    recipient_type: data.Field.select(
-      ["user", "team", "department", "role", "queue"],
-      {
-        label: "Recipient Type",
-        required: true,
-        defaultValue: "department",
-        description: "Kind of principal that receives access \u2014 expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).",
-        group: "Recipient"
-      }
-    ),
-    recipient_id: data.Field.text({
-      label: "Recipient",
-      required: true,
-      maxLength: 200,
-      description: "department id / team id / role name / queue name / user id depending on recipient_type",
-      group: "Recipient"
-    }),
-    access_level: data.Field.select(
-      ["read", "edit", "full"],
-      {
-        label: "Access Level",
-        required: true,
-        defaultValue: "read",
-        group: "Recipient"
-      }
-    ),
-    active: data.Field.boolean({
-      label: "Active",
-      required: false,
-      defaultValue: true,
-      description: "Only active rules participate in lifecycle evaluation",
-      group: "Lifecycle"
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      required: true,
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "System"
-    }),
-    updated_at: data.Field.datetime({
-      label: "Updated At",
-      required: false,
-      group: "System"
-    })
-  },
-  indexes: [
-    { fields: ["object_name", "active"] },
-    { fields: ["name"], unique: true },
-    { fields: ["organization_id"] }
-  ]
-});
-var SysShareLink = data.ObjectSchema.create({
-  name: "sys_share_link",
-  label: "Share Link",
-  pluralLabel: "Share Links",
-  icon: "link-2",
-  isSystem: true,
-  managedBy: "system",
-  description: "Opaque capability token granting access to a single record. Notion/Figma-style public link sharing.",
-  titleFormat: "{object_name}/{record_id} ({permission})",
-  compactLayout: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at"],
-  listViews: {
-    active_links: {
-      type: "grid",
-      name: "active_links",
-      label: "Active",
-      data: { provider: "object", object: "sys_share_link" },
-      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "use_count", "last_used_at"],
-      filter: [{ field: "revoked_at", operator: "isNull" }],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 100 }
-    },
-    by_me: {
-      type: "grid",
-      name: "by_me",
-      label: "Created by Me",
-      data: { provider: "object", object: "sys_share_link" },
-      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at"],
-      filter: [{ field: "created_by", operator: "equals", value: "{current_user_id}" }],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 100 }
-    },
-    revoked: {
-      type: "grid",
-      name: "revoked",
-      label: "Revoked",
-      data: { provider: "object", object: "sys_share_link" },
-      columns: ["object_name", "record_id", "revoked_at", "created_by"],
-      filter: [{ field: "revoked_at", operator: "isNotNull" }],
-      sort: [{ field: "revoked_at", order: "desc" }],
-      pagination: { pageSize: 50 }
-    },
-    all_links: {
-      type: "grid",
-      name: "all_links",
-      label: "All",
-      data: { provider: "object", object: "sys_share_link" },
-      columns: ["object_name", "record_id", "permission", "audience", "expires_at", "revoked_at", "created_at"],
-      sort: [{ field: "created_at", order: "desc" }],
-      pagination: { pageSize: 200 }
-    }
-  },
-  fields: {
-    id: data.Field.text({
-      label: "Link ID",
-      required: true,
-      readonly: true,
-      group: "System"
-    }),
-    // ── Token (the secret) ───────────────────────────────────────
-    token: data.Field.text({
-      label: "Token",
-      required: true,
-      maxLength: 64,
-      description: "Opaque URL-safe random token (\u2265 22 chars). The only secret in this row.",
-      group: "Token"
-    }),
-    // ── Target ───────────────────────────────────────────────────
-    object_name: data.Field.text({
-      label: "Object",
-      required: true,
-      maxLength: 100,
-      description: "Short object name of the shared record (e.g. ai_conversation, contracts_contract)",
-      group: "Target"
-    }),
-    record_id: data.Field.text({
-      label: "Record",
-      required: true,
-      maxLength: 100,
-      description: "Primary key of the shared record within object_name",
-      group: "Target"
-    }),
-    // ── Access Policy ────────────────────────────────────────────
-    permission: data.Field.select(
-      [
-        { label: "View", value: "view" },
-        { label: "Comment", value: "comment" },
-        { label: "Edit", value: "edit" }
-      ],
-      {
-        label: "Permission",
-        required: true,
-        defaultValue: "view",
-        description: "What the link holder can do with the record",
-        group: "Access Policy"
-      }
-    ),
-    audience: data.Field.select(
-      [
-        { label: "Public (indexable)", value: "public" },
-        { label: "Anyone with the link", value: "link_only" },
-        { label: "Signed-in users", value: "signed_in" },
-        { label: "Specific emails", value: "email" }
-      ],
-      {
-        label: "Audience",
-        required: true,
-        defaultValue: "link_only",
-        description: "Gating layer applied on top of the token check",
-        group: "Access Policy"
-      }
-    ),
-    expires_at: data.Field.datetime({
-      label: "Expires At",
-      description: "When set, resolveToken returns null after this timestamp",
-      group: "Access Policy"
-    }),
-    email_allowlist: data.Field.json({
-      label: "Email Allowlist",
-      description: "Lowercased addresses checked when audience=email",
-      group: "Access Policy"
-    }),
-    password_hash: data.Field.text({
-      label: "Password Hash",
-      maxLength: 256,
-      description: "Argon2/bcrypt hash. When set, the UI prompts for a password before rendering.",
-      group: "Access Policy"
-    }),
-    redact_fields: data.Field.json({
-      label: "Per-Link Redactions",
-      description: "Extra fields stripped from the response, on top of the object-default set",
-      group: "Access Policy"
-    }),
-    label: data.Field.text({
-      label: "Label",
-      maxLength: 200,
-      description: 'Free-text shown in the share dialog (e.g. "ACME Q3 contract")',
-      group: "Metadata"
-    }),
-    // ── Lifecycle ────────────────────────────────────────────────
-    revoked_at: data.Field.datetime({
-      label: "Revoked At",
-      readonly: true,
-      description: "When set, the link is permanently disabled",
-      group: "Lifecycle"
-    }),
-    created_by: data.Field.lookup("sys_user", {
-      label: "Created By",
-      readonly: true,
-      description: "Issuer of the link",
-      group: "Lifecycle"
-    }),
-    created_at: data.Field.datetime({
-      label: "Created At",
-      required: true,
-      defaultValue: "NOW()",
-      readonly: true,
-      group: "Lifecycle"
-    }),
-    last_used_at: data.Field.datetime({
-      label: "Last Used At",
-      readonly: true,
-      description: "Stamped by resolveToken; used by the dashboard to highlight active links",
-      group: "Lifecycle"
-    }),
-    use_count: data.Field.number({
-      label: "Use Count",
-      defaultValue: 0,
-      readonly: true,
-      description: "Incremented by resolveToken on every successful resolution",
-      group: "Lifecycle"
-    })
-  },
-  indexes: [
-    // Hot path: resolveToken — one row lookup per public request.
-    { fields: ["token"], unique: true },
-    // Management UI: "all links for this record".
-    { fields: ["object_name", "record_id"] },
-    // "Active links I issued".
-    { fields: ["created_by", "revoked_at"] },
-    // Reaper for expired rows (background sweep).
-    { fields: ["expires_at"] }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    // The /api/v1/share-links endpoints are the authoritative surface;
-    // the generic data API is exposed read-only for the admin grid.
-    apiMethods: ["get", "list"],
-    trash: false,
-    mru: false,
-    clone: false
-  }
-});
-var BETTER_AUTH_MANAGED_OBJECTS = [
-  "sys_user",
-  "sys_account",
-  "sys_session",
-  "sys_organization",
-  "sys_member",
-  "sys_invitation",
-  "sys_team",
-  "sys_team_member",
-  "sys_api_key",
-  "sys_two_factor",
-  "sys_verification",
-  "sys_jwks",
-  "sys_device_code",
-  "sys_oauth_application",
-  "sys_oauth_access_token",
-  "sys_oauth_refresh_token",
-  "sys_oauth_consent"
-];
-var denyWritesOnManagedObjects = () => Object.fromEntries(
-  BETTER_AUTH_MANAGED_OBJECTS.map((name) => [
-    name,
-    { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false }
-  ])
-);
-var defaultPermissionSets = [
-  security.PermissionSetSchema.parse({
-    name: "admin_full_access",
-    label: "Administrator \u2014 Full Access",
-    isProfile: true,
-    objects: {
-      "*": {
-        allowRead: true,
-        allowCreate: true,
-        allowEdit: true,
-        allowDelete: true,
-        viewAllRecords: true,
-        modifyAllRecords: true
-      }
-    },
-    systemPermissions: [
-      "manage_users",
-      "manage_metadata",
-      "manage_platform_settings",
-      "setup.access",
-      "studio.access"
-    ]
-  }),
-  // ── Organization Administrator ──────────────────────────────────────
-  //
-  // Third tier between platform admin (`admin_full_access`) and rank-and-file
-  // member. Lives at the *organization* scope: full CRUD on business
-  // objects within their org (governed by `tenant_isolation` RLS), plus
-  // `setup.access` so the Setup app shell is reachable.
-  //
-  // **Deliberately withheld** vs `admin_full_access`:
-  //   - `studio.access` — schema-design surfaces are platform-level (a
-  //     tenant cannot mutate the shared metadata) and Studio is hidden.
-  //   - `manage_metadata` — same reasoning.
-  //   - `manage_platform_settings` — global settings manifests
-  //     (mail / storage / AI / knowledge) and platform-only Setup pages
-  //     (sharing rules, audit logs, OAuth apps, JWKS, …) require this
-  //     and are hidden / 403'd for org admins. Tenant-scoped manifests
-  //     (`branding`, `feature_flags`) keep using `setup.access` so org
-  //     admins CAN configure their own org's branding.
-  //
-  // **Anti-escalation**: writes to the global RBAC tables
-  // (`sys_role`, `sys_permission_set`, `sys_role_permission_set`,
-  // `sys_user_permission_set`, `sys_user_role`) are denied. Allowing
-  // them would let an org admin bind `admin_full_access` (which has no
-  // RLS) to themselves and break out of tenant isolation. Reads are
-  // permitted so the Roles / Permission Sets nav entries still render.
-  //
-  // Auto-granted to every `sys_member` whose role contains `owner` or
-  // `admin` by `plugin-security/src/auto-org-admin-grant.ts`.
-  security.PermissionSetSchema.parse({
-    name: "organization_admin",
-    label: "Organization Administrator",
-    isProfile: true,
-    objects: {
-      "*": {
-        allowRead: true,
-        allowCreate: true,
-        allowEdit: true,
-        allowDelete: true,
-        viewAllRecords: true,
-        modifyAllRecords: true
-      },
-      // Identity tables — go through better-auth endpoints (invite,
-      // accept, remove-member, transfer, …) rather than raw CRUD.
-      ...denyWritesOnManagedObjects(),
-      // RBAC tables — read-only to prevent privilege escalation.
-      sys_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
-      sys_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
-      sys_role_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
-      sys_user_permission_set: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false },
-      sys_user_role: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false }
-    },
-    systemPermissions: ["manage_org_users", "setup.access"],
-    rowLevelSecurity: [
-      {
-        name: "tenant_isolation",
-        object: "*",
-        operation: "all",
-        using: "organization_id = current_user.organization_id"
-      },
-      // ── better-auth system tables that lack `organization_id` and would
-      //    otherwise be denied by the wildcard policy. Same self-only
-      //    carve-outs as `member_default` — an org admin does not get to
-      //    inspect cross-tenant identity rows.
-      {
-        name: "sys_organization_self",
-        object: "sys_organization",
-        operation: "all",
-        using: "id = current_user.organization_id"
-      },
-      {
-        name: "sys_user_self",
-        object: "sys_user",
-        operation: "select",
-        using: "id = current_user.id"
-      },
-      {
-        name: "sys_user_org_members",
-        object: "sys_user",
-        operation: "select",
-        using: "id IN (current_user.org_user_ids)"
-      },
-      {
-        name: "sys_session_self",
-        object: "sys_session",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_account_self",
-        object: "sys_account",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_team_member_self",
-        object: "sys_team_member",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_two_factor_self",
-        object: "sys_two_factor",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_user_preference_self",
-        object: "sys_user_preference",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_api_key_self",
-        object: "sys_api_key",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_device_code_self",
-        object: "sys_device_code",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_access_token_self",
-        object: "sys_oauth_access_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_refresh_token_self",
-        object: "sys_oauth_refresh_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_consent_self",
-        object: "sys_oauth_consent",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      // OAuth applications a user has registered themselves (self-service
-      // developer flow exposed in the Account app's Developer section).
-      // `sys_oauth_application` has no `organization_id` so the wildcard
-      // `tenant_isolation` policy would otherwise deny every row.
-      {
-        name: "sys_oauth_application_self",
-        object: "sys_oauth_application",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      // Org-scoped visibility for organization-owned identity-adjacent
-      // tables. Org admins may inspect their own org's invitations and
-      // memberships (read; writes still flow through better-auth).
-      {
-        name: "sys_member_org",
-        object: "sys_member",
-        operation: "select",
-        using: "organization_id = current_user.organization_id"
-      },
-      {
-        name: "sys_invitation_org",
-        object: "sys_invitation",
-        operation: "select",
-        using: "organization_id = current_user.organization_id"
-      },
-      {
-        name: "sys_team_org",
-        object: "sys_team",
-        operation: "select",
-        using: "organization_id = current_user.organization_id"
-      }
-    ]
-  }),
-  security.PermissionSetSchema.parse({
-    name: "member_default",
-    label: "Member \u2014 Standard Access",
-    isProfile: true,
-    objects: {
-      "*": {
-        allowRead: true,
-        allowCreate: true,
-        allowEdit: true,
-        allowDelete: true
-      },
-      // Identity tables are managed by better-auth — no direct writes.
-      ...denyWritesOnManagedObjects()
-    },
-    rowLevelSecurity: [
-      {
-        name: "tenant_isolation",
-        object: "*",
-        operation: "all",
-        using: "organization_id = current_user.organization_id"
-      },
-      {
-        name: "owner_only_writes",
-        object: "*",
-        operation: "update",
-        using: "owner_id = current_user.id"
-      },
-      {
-        name: "owner_only_deletes",
-        object: "*",
-        operation: "delete",
-        using: "owner_id = current_user.id"
-      },
-      // ── better-auth system tables that lack `organization_id` and would
-      //    otherwise be left unprotected by the wildcard rule above. ────
-      //
-      // The security plugin's RLS injector treats wildcard policies that
-      // target a missing field as `RLS_DENY_FILTER` (zero rows) unless a
-      // per-object policy contributes an alternate match. Each `*_self`
-      // policy below restores per-user visibility on a better-auth table
-      // that has `user_id` but no `organization_id`. Tables without
-      // `user_id` (`sys_verification`, `sys_jwks`, empty `sys_passkey`)
-      // stay DENY for non-admins by design — only platform admins (via
-      // `admin_full_access`, which has no RLS) should inspect them.
-      {
-        name: "sys_organization_self",
-        object: "sys_organization",
-        operation: "all",
-        using: "id = current_user.organization_id"
-      },
-      {
-        name: "sys_user_self",
-        object: "sys_user",
-        operation: "select",
-        using: "id = current_user.id"
-      },
-      // Org collaborators: members can see other users in the same
-      // organization. Without this, owner/assignee lookups, @-mention
-      // suggestions, reviewer pickers and team-roster surfaces all
-      // collapse to just the current user. `org_user_ids` is
-      // pre-resolved by runtime/resolve-execution-context from
-      // `sys_member` for the active organization. Sensitive credential
-      // tables (`sys_account`, `sys_session`, `sys_api_key`, …) keep
-      // their stricter self-only carve-outs above.
-      {
-        name: "sys_user_org_members",
-        object: "sys_user",
-        operation: "select",
-        using: "id IN (current_user.org_user_ids)"
-      },
-      {
-        name: "sys_session_self",
-        object: "sys_session",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_account_self",
-        object: "sys_account",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_team_member_self",
-        object: "sys_team_member",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_two_factor_self",
-        object: "sys_two_factor",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_user_preference_self",
-        object: "sys_user_preference",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_api_key_self",
-        object: "sys_api_key",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_device_code_self",
-        object: "sys_device_code",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_access_token_self",
-        object: "sys_oauth_access_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_refresh_token_self",
-        object: "sys_oauth_refresh_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_consent_self",
-        object: "sys_oauth_consent",
-        operation: "all",
-        using: "user_id = current_user.id"
-      },
-      // OAuth applications a user has registered themselves (Account →
-      // Developer → OAuth Applications). `sys_oauth_application` has no
-      // `organization_id`, so without this carve-out the wildcard
-      // `tenant_isolation` policy returns zero rows even for the owner.
-      {
-        name: "sys_oauth_application_self",
-        object: "sys_oauth_application",
-        operation: "all",
-        using: "user_id = current_user.id"
-      }
-    ]
-  }),
-  security.PermissionSetSchema.parse({
-    name: "viewer_readonly",
-    label: "Viewer \u2014 Read-Only",
-    isProfile: true,
-    objects: {
-      "*": {
-        allowRead: true,
-        allowCreate: false,
-        allowEdit: false,
-        allowDelete: false
-      },
-      // Belt-and-suspenders: explicit deny on managed objects even though
-      // the wildcard already denies — keeps the policy readable when
-      // future relaxations might widen the wildcard.
-      ...denyWritesOnManagedObjects()
-    },
-    rowLevelSecurity: [
-      {
-        name: "tenant_isolation",
-        object: "*",
-        operation: "select",
-        using: "organization_id = current_user.organization_id"
-      },
-      {
-        name: "sys_organization_self",
-        object: "sys_organization",
-        operation: "select",
-        using: "id = current_user.organization_id"
-      },
-      {
-        name: "sys_user_self",
-        object: "sys_user",
-        operation: "select",
-        using: "id = current_user.id"
-      },
-      // Org collaborators (read-only): see `sys_user_org_members` in
-      // `member_default` for rationale.
-      {
-        name: "sys_user_org_members",
-        object: "sys_user",
-        operation: "select",
-        using: "id IN (current_user.org_user_ids)"
-      },
-      {
-        name: "sys_session_self",
-        object: "sys_session",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_account_self",
-        object: "sys_account",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_team_member_self",
-        object: "sys_team_member",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_two_factor_self",
-        object: "sys_two_factor",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_user_preference_self",
-        object: "sys_user_preference",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_api_key_self",
-        object: "sys_api_key",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_device_code_self",
-        object: "sys_device_code",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_access_token_self",
-        object: "sys_oauth_access_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_refresh_token_self",
-        object: "sys_oauth_refresh_token",
-        operation: "select",
-        using: "user_id = current_user.id"
-      },
-      {
-        name: "sys_oauth_consent_self",
-        object: "sys_oauth_consent",
-        operation: "select",
-        using: "user_id = current_user.id"
-      }
-    ]
-  })
-];
-
-exports.SysPermissionSet = SysPermissionSet;
-exports.SysRecordShare = SysRecordShare;
-exports.SysRole = SysRole;
-exports.SysRolePermissionSet = SysRolePermissionSet;
-exports.SysShareLink = SysShareLink;
-exports.SysSharingRule = SysSharingRule;
-exports.SysUserPermissionSet = SysUserPermissionSet;
-exports.defaultPermissionSets = defaultPermissionSets;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map