@objectstack/plugin-approvals 4.0.1

package/dist/index.mjs

@@ -0,0 +1,1078 @@
+// src/index.ts
+import {
+  SysApprovalProcess as SysApprovalProcess2,
+  SysApprovalRequest as SysApprovalRequest2,
+  SysApprovalAction as SysApprovalAction2
+} from "@objectstack/platform-objects/audit";
+
+// src/approval-service.ts
+import { ApprovalProcessSchema } from "@objectstack/spec/automation";
+
+// src/action-executor.ts
+var SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+var noopLogger = {
+  info: () => {
+  },
+  warn: () => {
+  },
+  error: () => {
+  },
+  debug: () => {
+  }
+};
+var DEFAULT_WEBHOOK_TIMEOUT_MS = 5e3;
+async function executeActions(actions, ctx, opts) {
+  if (!Array.isArray(actions) || actions.length === 0) return;
+  const log = { ...noopLogger, ...opts.logger ?? {} };
+  for (const a of actions) {
+    try {
+      await runOne(a, ctx, opts, log);
+    } catch (err) {
+      log.error?.(`[approvals] action '${a?.type ?? "<unknown>"}' failed: ${err?.message ?? err}`, {
+        action: a,
+        trigger: ctx.trigger,
+        request_id: ctx.request?.id
+      });
+    }
+  }
+}
+async function runOne(action, ctx, opts, log) {
+  if (!action || typeof action !== "object") return;
+  switch (action.type) {
+    case "field_update":
+      return runFieldUpdate(action, ctx, opts, log);
+    case "inbox_notify":
+      return runInboxNotify(action, ctx, opts, log);
+    case "webhook":
+      return runWebhook(action, ctx, opts, log);
+    case "email_alert":
+    case "script":
+    case "connector_action":
+      log.warn?.(`[approvals] action type '${action.type}' is not implemented yet \u2014 skipping`, {
+        action_name: action.name,
+        trigger: ctx.trigger
+      });
+      return;
+    default:
+      log.warn?.(`[approvals] unknown action type '${action.type}' \u2014 skipping`);
+  }
+}
+async function runFieldUpdate(action, ctx, opts, log) {
+  const cfg = action.config ?? {};
+  const field = cfg.field;
+  if (!field) {
+    log.warn?.("[approvals] field_update missing config.field");
+    return;
+  }
+  const value = resolveValueToken(cfg.value, ctx);
+  const object = ctx.process?.object_name ?? ctx.process?.object;
+  const recordId = ctx.request?.record_id;
+  if (!object || !recordId) {
+    log.warn?.("[approvals] field_update missing object/record context");
+    return;
+  }
+  await opts.engine.update(
+    object,
+    { id: recordId, [field]: value },
+    { context: SYSTEM_CTX }
+  );
+  log.debug?.(`[approvals] field_update ${object}/${recordId} set ${field}`, { value });
+}
+function resolveValueToken(raw, ctx) {
+  if (typeof raw !== "string") return raw;
+  switch (raw) {
+    case "$status":
+      return ctx.request?.status ?? null;
+    case "$now":
+      return (/* @__PURE__ */ new Date()).toISOString();
+    case "$actor":
+      return ctx.actorId ?? null;
+    case "$comment":
+      return ctx.comment ?? null;
+    case "$step":
+      return ctx.request?.current_step ?? null;
+    case "$request_id":
+      return ctx.request?.id ?? null;
+    default:
+      return raw;
+  }
+}
+function interpolate(template, ctx) {
+  if (typeof template !== "string") return template;
+  return template.replace(/\{record_id\}/g, String(ctx.request?.record_id ?? "")).replace(/\{object\}/g, String(ctx.process?.object_name ?? ctx.process?.object ?? "")).replace(/\{status\}/g, String(ctx.request?.status ?? "")).replace(/\{step\}/g, String(ctx.request?.current_step ?? "")).replace(/\{actor\}/g, String(ctx.actorId ?? "")).replace(/\{comment\}/g, String(ctx.comment ?? "")).replace(/\{process\}/g, String(ctx.process?.name ?? ""));
+}
+async function runInboxNotify(action, ctx, opts, log) {
+  const cfg = action.config ?? {};
+  const recipients = resolveRecipients(cfg.to, ctx);
+  if (recipients.length === 0) {
+    log.debug?.("[approvals] inbox_notify resolved no recipients \u2014 skipping");
+    return;
+  }
+  const title = interpolate(cfg.title ?? "Approval update", ctx);
+  const body = interpolate(cfg.body ?? "", ctx);
+  const type = String(cfg.notificationType ?? "system");
+  const rawLink = cfg.link ? interpolate(String(cfg.link), ctx) : `/console/system/approvals?requestId=${encodeURIComponent(ctx.request?.id ?? "")}`;
+  const url = /^https?:\/\//i.test(rawLink) ? rawLink : null;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  for (const recipient of recipients) {
+    try {
+      await opts.engine.insert(
+        "sys_notification",
+        {
+          id: `notif_${cryptoRandom()}`,
+          recipient_id: String(recipient),
+          type,
+          title,
+          body,
+          url,
+          is_read: false,
+          source_object: ctx.process?.object_name ?? ctx.process?.object ?? null,
+          source_id: ctx.request?.record_id ?? null,
+          created_at: now,
+          updated_at: now
+        },
+        { context: SYSTEM_CTX }
+      );
+    } catch (err) {
+      log.warn?.(`[approvals] inbox_notify insert failed for ${recipient}: ${err?.message ?? err}`);
+    }
+  }
+}
+function resolveRecipients(to, ctx) {
+  if (Array.isArray(to)) return to.map(String).filter(Boolean);
+  if (typeof to === "string") {
+    if (to === "submitter") return ctx.request?.submitter_id ? [String(ctx.request.submitter_id)] : [];
+    if (to === "pending_approvers") {
+      const list = ctx.request?.pending_approvers ?? [];
+      if (Array.isArray(list)) return list.map(String).filter(Boolean);
+      if (typeof list === "string") return list.split(",").map((s) => s.trim()).filter(Boolean);
+      return [];
+    }
+    return [to];
+  }
+  return [];
+}
+function cryptoRandom() {
+  const g = globalThis;
+  if (g.crypto?.randomUUID) return g.crypto.randomUUID();
+  return `${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 12)}`;
+}
+async function runWebhook(action, ctx, opts, log) {
+  const cfg = action.config ?? {};
+  const url = cfg.url;
+  if (!url) {
+    log.warn?.("[approvals] webhook missing config.url");
+    return;
+  }
+  const fetchImpl = opts.fetch ?? globalThis.fetch;
+  if (!fetchImpl) {
+    log.warn?.("[approvals] webhook skipped \u2014 no fetch implementation available");
+    return;
+  }
+  const timeoutMs = opts.webhookTimeoutMs ?? DEFAULT_WEBHOOK_TIMEOUT_MS;
+  const headers = { "Content-Type": "application/json", ...cfg.headers ?? {} };
+  const payload = {
+    trigger: ctx.trigger,
+    request: ctx.request,
+    step: ctx.step ? { name: ctx.step.name, index: ctx.request?.current_step_index } : null,
+    actor_id: ctx.actorId ?? null,
+    comment: ctx.comment ?? null,
+    process_name: ctx.process?.name,
+    object: ctx.process?.object_name ?? ctx.process?.object,
+    ...cfg.body && typeof cfg.body === "object" ? cfg.body : {}
+  };
+  const controller = globalThis.AbortController ? new globalThis.AbortController() : null;
+  const timer = setTimeout(() => controller?.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, {
+      method: cfg.method ?? "POST",
+      headers,
+      body: JSON.stringify(payload),
+      signal: controller?.signal
+    });
+    if (!res.ok) {
+      log.warn?.(`[approvals] webhook ${url} \u2192 ${res.status} ${res.statusText}`);
+    }
+  } catch (err) {
+    log.warn?.(`[approvals] webhook ${url} failed: ${err?.message ?? err}`);
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+// src/approval-service.ts
+var SYSTEM_CTX2 = { isSystem: true, roles: [], permissions: [] };
+function uid(prefix) {
+  const g = globalThis;
+  if (g.crypto?.randomUUID) return `${prefix}_${g.crypto.randomUUID()}`;
+  return `${prefix}_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function parseJson(raw, fallback) {
+  if (raw == null || raw === "") return fallback;
+  if (typeof raw === "string") {
+    try {
+      return JSON.parse(raw);
+    } catch {
+      return fallback;
+    }
+  }
+  return raw;
+}
+function csvSplit(raw) {
+  if (!raw) return [];
+  if (Array.isArray(raw)) return raw.map(String).filter(Boolean);
+  return String(raw).split(",").map((s) => s.trim()).filter(Boolean);
+}
+function rowFromProcess(row) {
+  return {
+    id: String(row.id),
+    name: String(row.name ?? ""),
+    label: String(row.label ?? ""),
+    object_name: String(row.object_name ?? ""),
+    description: row.description ?? void 0,
+    active: row.active !== false,
+    definition: parseJson(row.definition_json, {}),
+    created_at: row.created_at ?? void 0,
+    updated_at: row.updated_at ?? void 0
+  };
+}
+function rowFromRequest(row) {
+  return {
+    id: String(row.id),
+    organization_id: row.organization_id ?? void 0,
+    process_name: String(row.process_name ?? ""),
+    object_name: String(row.object_name ?? ""),
+    record_id: String(row.record_id ?? ""),
+    submitter_id: row.submitter_id ?? void 0,
+    submitter_comment: row.submitter_comment ?? void 0,
+    status: row.status ?? "pending",
+    current_step: row.current_step ?? void 0,
+    current_step_index: row.current_step_index ?? void 0,
+    pending_approvers: csvSplit(row.pending_approvers),
+    payload: parseJson(row.payload_json, void 0),
+    completed_at: row.completed_at ?? void 0,
+    created_at: row.created_at ?? void 0,
+    updated_at: row.updated_at ?? void 0
+  };
+}
+function rowFromAction(row) {
+  return {
+    id: String(row.id),
+    request_id: String(row.request_id),
+    step_name: row.step_name ?? void 0,
+    step_index: row.step_index ?? void 0,
+    action: row.action,
+    actor_id: row.actor_id ?? void 0,
+    comment: row.comment ?? void 0,
+    created_at: row.created_at ?? void 0
+  };
+}
+var ApprovalService = class {
+  constructor(opts) {
+    this.engine = opts.engine;
+    this.clock = opts.clock ?? { now: () => /* @__PURE__ */ new Date() };
+    this.logger = opts.logger;
+    this.fetchImpl = opts.fetch;
+    this.webhookTimeoutMs = opts.webhookTimeoutMs;
+    this.onRegistryChange = opts.onRegistryChange;
+  }
+  /** Allow the plugin to attach a hook re-binding callback after construction. */
+  setRegistryChangeHandler(handler) {
+    this.onRegistryChange = handler;
+  }
+  /**
+   * Expand the approvers on a step into user IDs by querying the graph
+   * tables for `team:` / `department:` / `role:` / `manager:` approver
+   * types. Falls back to a prefixed literal (`type:value`) when graph
+   * lookups produce nothing — so existing test fixtures and approver
+   * flows that rely on substring matching keep working.
+   *
+   * **Graph semantics (M10.17.1):**
+   *   - `team`       → flat members of `sys_team` (better-auth; no BFS)
+   *   - `department` → recursive BFS of `sys_department.parent_department_id`
+   *                    → members of every descendant via `sys_department_member`
+   *   - `role`       → users with `sys_member.role = value` in tenant
+   *   - `manager`    → `sys_user.manager_id` of `record[value] ?? record.owner_id`
+   *   - `field`      → literal user id stored in `record[value]`
+   *   - `user`       → literal value
+   */
+  async expandApprovers(step, record, organizationId) {
+    if (!step || !Array.isArray(step.approvers)) return [];
+    const out = [];
+    for (const a of step.approvers) {
+      if (!a) continue;
+      if (a.type === "user") {
+        out.push(String(a.value));
+        continue;
+      }
+      if (a.type === "field" && record) {
+        out.push(String(record[a.value] ?? ""));
+        continue;
+      }
+      try {
+        if (a.type === "team") {
+          const users = await this.expandTeamUsers(String(a.value));
+          if (users.length) {
+            for (const u of users) out.push(u);
+            continue;
+          }
+        } else if (a.type === "department" || a.type === "dept") {
+          const users = await this.expandDepartmentUsers(String(a.value), organizationId);
+          if (users.length) {
+            for (const u of users) out.push(u);
+            continue;
+          }
+        } else if (a.type === "role") {
+          const users = await this.expandRoleUsers(String(a.value), organizationId);
+          if (users.length) {
+            for (const u of users) out.push(u);
+            continue;
+          }
+        } else if (a.type === "manager" && record) {
+          const subject = record[a.value] ?? record.owner_id;
+          if (subject) {
+            const mgr = await this.lookupManager(String(subject));
+            if (mgr) {
+              out.push(mgr);
+              continue;
+            }
+          }
+        }
+      } catch {
+      }
+      out.push(`${a.type}:${a.value}`);
+    }
+    return out.filter(Boolean);
+  }
+  /** Flat team — `sys_team` is better-auth's collaboration grouping (no hierarchy). */
+  async expandTeamUsers(teamId) {
+    if (!teamId) return [];
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_team_member", {
+        filter: { team_id: teamId },
+        fields: ["user_id"],
+        limit: 1e4,
+        context: SYSTEM_CTX2
+      });
+    } catch {
+      rows = [];
+    }
+    return Array.from(new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean)));
+  }
+  /** Recursive department — walks `sys_department.parent_department_id`. */
+  async expandDepartmentUsers(departmentId, organizationId) {
+    if (!departmentId) return [];
+    try {
+      const seed = await this.engine.find("sys_department", {
+        filter: organizationId ? { id: departmentId, organization_id: organizationId } : { id: departmentId },
+        fields: ["id", "active"],
+        limit: 1,
+        context: SYSTEM_CTX2
+      });
+      const seedRow = Array.isArray(seed) ? seed[0] : null;
+      if (!seedRow || seedRow.active === false) return [];
+    } catch {
+      return [];
+    }
+    const seen = /* @__PURE__ */ new Set([departmentId]);
+    const queue = [departmentId];
+    while (queue.length) {
+      const parent = queue.shift();
+      let kids = [];
+      try {
+        const filter = { parent_department_id: parent, active: { $ne: false } };
+        if (organizationId) filter.organization_id = organizationId;
+        kids = await this.engine.find("sys_department", { filter, fields: ["id"], limit: 1e3, context: SYSTEM_CTX2 });
+      } catch {
+        kids = [];
+      }
+      for (const k of kids ?? []) {
+        const kid = String(k.id ?? "");
+        if (kid && !seen.has(kid)) {
+          seen.add(kid);
+          queue.push(kid);
+        }
+      }
+    }
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_department_member", {
+        filter: { department_id: { $in: Array.from(seen) } },
+        fields: ["user_id"],
+        limit: 1e4,
+        context: SYSTEM_CTX2
+      });
+    } catch {
+      rows = [];
+    }
+    return Array.from(new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean)));
+  }
+  async expandRoleUsers(roleName, organizationId) {
+    if (!roleName) return [];
+    const filter = { role: roleName };
+    if (organizationId) filter.organization_id = organizationId;
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_member", { filter, fields: ["user_id"], limit: 1e4, context: SYSTEM_CTX2 });
+    } catch {
+      rows = [];
+    }
+    return Array.from(new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean)));
+  }
+  async lookupManager(userId) {
+    try {
+      const rows = await this.engine.find("sys_user", {
+        filter: { id: userId },
+        fields: ["id", "manager_id"],
+        limit: 1,
+        context: SYSTEM_CTX2
+      });
+      const row = Array.isArray(rows) ? rows[0] : null;
+      return row?.manager_id ? String(row.manager_id) : null;
+    } catch {
+      return null;
+    }
+  }
+  async notifyRegistryChanged() {
+    const cb = this.onRegistryChange ?? this.onRegistryChange;
+    if (!cb) return;
+    try {
+      await cb();
+    } catch (err) {
+      this.logger?.warn?.("[approvals] onRegistryChange handler failed", { error: err?.message });
+    }
+  }
+  /** Mirror request status onto `process.approvalStatusField` if configured. */
+  async syncStatusField(process, request) {
+    const field = process.definition?.approvalStatusField;
+    if (!field) return;
+    try {
+      await this.engine.update(
+        process.object_name,
+        { id: request.record_id, [field]: request.status },
+        { context: SYSTEM_CTX2 }
+      );
+    } catch (err) {
+      this.logger?.warn?.(`[approvals] syncStatusField failed: ${err?.message ?? err}`);
+    }
+  }
+  /** Convenience wrapper that funnels every action invocation through the executor. */
+  async runActions(actions, trigger, process, request, step, actorId, comment) {
+    if (!actions || actions.length === 0) return;
+    await executeActions(actions, {
+      trigger,
+      process: { ...process, object: process.object_name },
+      request,
+      step,
+      actorId: actorId ?? null,
+      comment: comment ?? null
+    }, {
+      engine: this.engine,
+      logger: this.logger,
+      fetch: this.fetchImpl,
+      webhookTimeoutMs: this.webhookTimeoutMs
+    });
+  }
+  // ── Process definitions ──────────────────────────────────────
+  async defineProcess(input, _context) {
+    if (!input.name) throw new Error("VALIDATION_FAILED: name is required");
+    if (!input.label) throw new Error("VALIDATION_FAILED: label is required");
+    if (!input.object) throw new Error("VALIDATION_FAILED: object is required");
+    if (!input.definition) throw new Error("VALIDATION_FAILED: definition is required");
+    const parsed = ApprovalProcessSchema.safeParse(input.definition);
+    if (!parsed.success) {
+      const msg = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+      throw new Error(`VALIDATION_FAILED: ${msg}`);
+    }
+    const now = this.clock.now().toISOString();
+    const payload = {
+      name: input.name,
+      label: input.label,
+      object_name: input.object,
+      description: input.description ?? null,
+      active: input.active !== false,
+      definition_json: JSON.stringify(parsed.data),
+      updated_at: now
+    };
+    const existing = await this.engine.find("sys_approval_process", {
+      where: { name: input.name },
+      limit: 1,
+      context: SYSTEM_CTX2
+    });
+    if (Array.isArray(existing) && existing[0]) {
+      const id2 = existing[0].id;
+      await this.engine.update("sys_approval_process", { id: id2, ...payload }, { context: SYSTEM_CTX2 });
+      const row2 = rowFromProcess({ ...existing[0], ...payload, id: id2 });
+      await this.notifyRegistryChanged();
+      return row2;
+    }
+    const id = input.id ?? uid("apv");
+    const row = { id, ...payload, created_at: now };
+    await this.engine.insert("sys_approval_process", row, { context: SYSTEM_CTX2 });
+    const out = rowFromProcess(row);
+    await this.notifyRegistryChanged();
+    return out;
+  }
+  async listProcesses(filter, _context) {
+    const f = {};
+    if (filter?.object) f.object_name = filter.object;
+    if (filter?.activeOnly) f.active = true;
+    const rows = await this.engine.find("sys_approval_process", {
+      where: f,
+      limit: 500,
+      orderBy: [{ field: "updated_at", direction: "desc" }],
+      context: SYSTEM_CTX2
+    });
+    return Array.isArray(rows) ? rows.map(rowFromProcess) : [];
+  }
+  async getProcess(idOrName, _context) {
+    if (!idOrName) return null;
+    let rows = await this.engine.find("sys_approval_process", {
+      where: { id: idOrName },
+      limit: 1,
+      context: SYSTEM_CTX2
+    });
+    if (!Array.isArray(rows) || !rows[0]) {
+      rows = await this.engine.find("sys_approval_process", {
+        where: { name: idOrName },
+        limit: 1,
+        context: SYSTEM_CTX2
+      });
+    }
+    return Array.isArray(rows) && rows[0] ? rowFromProcess(rows[0]) : null;
+  }
+  async deleteProcess(idOrName, context) {
+    if (!idOrName) throw new Error("VALIDATION_FAILED: idOrName is required");
+    const proc = await this.getProcess(idOrName, context);
+    if (!proc) return;
+    await this.engine.delete("sys_approval_process", { where: { id: proc.id }, context: SYSTEM_CTX2 });
+    await this.notifyRegistryChanged();
+  }
+  // ── Requests ─────────────────────────────────────────────────
+  async submit(input, context) {
+    if (!input.object) throw new Error("VALIDATION_FAILED: object is required");
+    if (!input.recordId) throw new Error("VALIDATION_FAILED: recordId is required");
+    let process = null;
+    if (input.processName) {
+      process = await this.getProcess(input.processName, context);
+      if (process && !process.active) {
+        throw new Error(`NO_ACTIVE_PROCESS: process '${input.processName}' is not active`);
+      }
+    } else {
+      const list = await this.listProcesses({ object: input.object, activeOnly: true }, context);
+      process = list[0] ?? null;
+    }
+    if (!process) {
+      throw new Error(`NO_ACTIVE_PROCESS: no active approval process for object '${input.object}'`);
+    }
+    const existing = await this.engine.find("sys_approval_request", {
+      where: { object_name: input.object, record_id: input.recordId, status: "pending" },
+      limit: 1,
+      context: SYSTEM_CTX2
+    });
+    if (Array.isArray(existing) && existing[0]) {
+      throw new Error(`DUPLICATE_REQUEST: a pending approval already exists for ${input.object}/${input.recordId}`);
+    }
+    const steps = process.definition?.steps ?? [];
+    if (steps.length === 0) {
+      throw new Error("VALIDATION_FAILED: process definition has no steps");
+    }
+    const step0 = steps[0];
+    const ctxOrg = context?.organizationId ?? context?.tenantId ?? null;
+    const approvers = await this.expandApprovers(step0, input.payload, ctxOrg);
+    const now = this.clock.now().toISOString();
+    const id = uid("areq");
+    const row = {
+      id,
+      process_name: process.name,
+      object_name: input.object,
+      record_id: input.recordId,
+      submitter_id: input.submitterId ?? context.userId ?? null,
+      submitter_comment: input.comment ?? null,
+      status: "pending",
+      current_step: step0.name,
+      current_step_index: 0,
+      pending_approvers: approvers.join(","),
+      payload_json: input.payload != null ? JSON.stringify(input.payload) : null,
+      organization_id: ctxOrg,
+      created_at: now,
+      updated_at: now
+    };
+    await this.engine.insert("sys_approval_request", row, { context: SYSTEM_CTX2 });
+    await this.engine.insert("sys_approval_action", {
+      id: uid("aact"),
+      request_id: id,
+      organization_id: ctxOrg,
+      step_name: step0.name,
+      step_index: 0,
+      action: "submit",
+      actor_id: input.submitterId ?? context.userId ?? null,
+      comment: input.comment ?? null,
+      created_at: now
+    }, { context: SYSTEM_CTX2 });
+    const requestRow = rowFromRequest(row);
+    await this.syncStatusField(process, requestRow);
+    const definition = process.definition ?? {};
+    await this.runActions(
+      definition.onSubmit,
+      "submit",
+      process,
+      requestRow,
+      step0,
+      input.submitterId ?? context.userId ?? null,
+      input.comment ?? null
+    );
+    return requestRow;
+  }
+  async listRequests(filter, context) {
+    const f = {};
+    if (filter?.object) f.object_name = filter.object;
+    if (filter?.recordId) f.record_id = filter.recordId;
+    if (filter?.submitterId) f.submitter_id = filter.submitterId;
+    const tenantOrg = context?.organizationId ?? context?.tenantId;
+    if (tenantOrg) f.organization_id = tenantOrg;
+    let statusFilter;
+    if (Array.isArray(filter?.status)) statusFilter = filter.status;
+    else if (filter?.status) f.status = filter.status;
+    const rows = await this.engine.find("sys_approval_request", {
+      where: f,
+      limit: 500,
+      orderBy: [{ field: "updated_at", direction: "desc" }],
+      context: SYSTEM_CTX2
+    });
+    let list = Array.isArray(rows) ? rows.map(rowFromRequest) : [];
+    if (statusFilter) list = list.filter((r) => statusFilter.includes(r.status));
+    if (filter?.approverId) {
+      const target = filter.approverId;
+      list = list.filter((r) => (r.pending_approvers ?? []).includes(target));
+    }
+    return list;
+  }
+  async getRequest(requestId, context) {
+    if (!requestId) return null;
+    const where = { id: requestId };
+    const tenantOrg = context?.organizationId ?? context?.tenantId;
+    if (tenantOrg) where.organization_id = tenantOrg;
+    const rows = await this.engine.find("sys_approval_request", {
+      where,
+      limit: 1,
+      context: SYSTEM_CTX2
+    });
+    return Array.isArray(rows) && rows[0] ? rowFromRequest(rows[0]) : null;
+  }
+  async approve(requestId, input, context) {
+    const req = await this.getRequest(requestId, context);
+    if (!req) throw new Error(`REQUEST_NOT_FOUND: ${requestId}`);
+    if (req.status !== "pending") throw new Error(`INVALID_STATE: request is ${req.status}`);
+    if (!input?.actorId) throw new Error("VALIDATION_FAILED: actorId is required");
+    if (!context.isSystem && !(req.pending_approvers ?? []).includes(input.actorId)) {
+      throw new Error(`FORBIDDEN: actor '${input.actorId}' is not a pending approver`);
+    }
+    const process = await this.getProcess(req.process_name, context);
+    if (!process) throw new Error(`PROCESS_NOT_FOUND: ${req.process_name}`);
+    const steps = process.definition?.steps ?? [];
+    const stepIndex = req.current_step_index ?? 0;
+    const step = steps[stepIndex];
+    if (!step) throw new Error(`INVALID_STATE: step index ${stepIndex} out of range`);
+    const now = this.clock.now().toISOString();
+    await this.engine.insert("sys_approval_action", {
+      id: uid("aact"),
+      request_id: req.id,
+      organization_id: req.organization_id ?? null,
+      step_name: step.name,
+      step_index: stepIndex,
+      action: "approve",
+      actor_id: input.actorId,
+      comment: input.comment ?? null,
+      created_at: now
+    }, { context: SYSTEM_CTX2 });
+    if (step.behavior === "unanimous") {
+      const original = await this.expandApprovers(step, req.payload, req.organization_id ?? null);
+      const acts = await this.engine.find("sys_approval_action", {
+        where: { request_id: req.id, step_index: stepIndex, action: "approve" },
+        limit: 500,
+        context: SYSTEM_CTX2
+      });
+      const approved = new Set((acts ?? []).map((a) => String(a.actor_id ?? "")).filter(Boolean));
+      const stillPending = original.filter((a) => !approved.has(a));
+      if (stillPending.length > 0) {
+        await this.engine.update("sys_approval_request", {
+          id: req.id,
+          pending_approvers: stillPending.join(","),
+          updated_at: now
+        }, { context: SYSTEM_CTX2 });
+        const fresh2 = await this.getRequest(req.id, context);
+        return { request: fresh2, finalized: false };
+      }
+    }
+    if (stepIndex + 1 >= steps.length) {
+      await this.engine.update("sys_approval_request", {
+        id: req.id,
+        status: "approved",
+        pending_approvers: null,
+        completed_at: now,
+        updated_at: now
+      }, { context: SYSTEM_CTX2 });
+      const fresh2 = await this.getRequest(req.id, context);
+      await this.runActions(step?.onApprove, "step_approve", process, fresh2, step, input.actorId, input.comment);
+      await this.syncStatusField(process, fresh2);
+      await this.runActions(process.definition?.onFinalApprove, "final_approve", process, fresh2, step, input.actorId, input.comment);
+      return { request: fresh2, finalized: true };
+    }
+    const nextStep = steps[stepIndex + 1];
+    const nextApprovers = await this.expandApprovers(nextStep, req.payload, req.organization_id ?? null);
+    await this.engine.update("sys_approval_request", {
+      id: req.id,
+      current_step: nextStep.name,
+      current_step_index: stepIndex + 1,
+      pending_approvers: nextApprovers.join(","),
+      updated_at: now
+    }, { context: SYSTEM_CTX2 });
+    const fresh = await this.getRequest(req.id, context);
+    await this.runActions(step?.onApprove, "step_approve", process, fresh, step, input.actorId, input.comment);
+    return { request: fresh, finalized: false };
+  }
+  async reject(requestId, input, context) {
+    const req = await this.getRequest(requestId, context);
+    if (!req) throw new Error(`REQUEST_NOT_FOUND: ${requestId}`);
+    if (req.status !== "pending") throw new Error(`INVALID_STATE: request is ${req.status}`);
+    if (!input?.actorId) throw new Error("VALIDATION_FAILED: actorId is required");
+    if (!context.isSystem && !(req.pending_approvers ?? []).includes(input.actorId)) {
+      throw new Error(`FORBIDDEN: actor '${input.actorId}' is not a pending approver`);
+    }
+    const process = await this.getProcess(req.process_name, context);
+    if (!process) throw new Error(`PROCESS_NOT_FOUND: ${req.process_name}`);
+    const steps = process.definition?.steps ?? [];
+    const stepIndex = req.current_step_index ?? 0;
+    const step = steps[stepIndex];
+    const now = this.clock.now().toISOString();
+    await this.engine.insert("sys_approval_action", {
+      id: uid("aact"),
+      request_id: req.id,
+      organization_id: req.organization_id ?? null,
+      step_name: step?.name,
+      step_index: stepIndex,
+      action: "reject",
+      actor_id: input.actorId,
+      comment: input.comment ?? null,
+      created_at: now
+    }, { context: SYSTEM_CTX2 });
+    if (step?.rejectionBehavior === "back_to_previous" && stepIndex > 0) {
+      const prev = steps[stepIndex - 1];
+      const prevApprovers = await this.expandApprovers(prev, req.payload, req.organization_id ?? null);
+      await this.engine.update("sys_approval_request", {
+        id: req.id,
+        current_step: prev.name,
+        current_step_index: stepIndex - 1,
+        pending_approvers: prevApprovers.join(","),
+        updated_at: now
+      }, { context: SYSTEM_CTX2 });
+      const fresh2 = await this.getRequest(req.id, context);
+      await this.runActions(step?.onReject, "step_reject", process, fresh2, step, input.actorId, input.comment);
+      return { request: fresh2, finalized: false };
+    }
+    await this.engine.update("sys_approval_request", {
+      id: req.id,
+      status: "rejected",
+      pending_approvers: null,
+      completed_at: now,
+      updated_at: now
+    }, { context: SYSTEM_CTX2 });
+    const fresh = await this.getRequest(req.id, context);
+    await this.runActions(step?.onReject, "step_reject", process, fresh, step, input.actorId, input.comment);
+    await this.syncStatusField(process, fresh);
+    await this.runActions(process.definition?.onFinalReject, "final_reject", process, fresh, step, input.actorId, input.comment);
+    return { request: fresh, finalized: true };
+  }
+  async recall(requestId, input, context) {
+    const req = await this.getRequest(requestId, context);
+    if (!req) throw new Error(`REQUEST_NOT_FOUND: ${requestId}`);
+    if (req.status !== "pending") throw new Error(`INVALID_STATE: request is ${req.status}`);
+    if (!input?.actorId) throw new Error("VALIDATION_FAILED: actorId is required");
+    if (!context.isSystem && req.submitter_id && req.submitter_id !== input.actorId) {
+      throw new Error(`FORBIDDEN: only the submitter can recall this request`);
+    }
+    const now = this.clock.now().toISOString();
+    await this.engine.insert("sys_approval_action", {
+      id: uid("aact"),
+      request_id: req.id,
+      organization_id: req.organization_id ?? null,
+      step_name: req.current_step,
+      step_index: req.current_step_index,
+      action: "recall",
+      actor_id: input.actorId,
+      comment: input.comment ?? null,
+      created_at: now
+    }, { context: SYSTEM_CTX2 });
+    await this.engine.update("sys_approval_request", {
+      id: req.id,
+      status: "recalled",
+      pending_approvers: null,
+      completed_at: now,
+      updated_at: now
+    }, { context: SYSTEM_CTX2 });
+    const fresh = await this.getRequest(req.id, context);
+    const process = await this.getProcess(req.process_name, context);
+    if (process) {
+      await this.syncStatusField(process, fresh);
+      await this.runActions(process.definition?.onRecall, "recall", process, fresh, void 0, input.actorId, input.comment);
+    }
+    return { request: fresh, finalized: true };
+  }
+  async listActions(requestId, context) {
+    if (!requestId) return [];
+    const req = await this.getRequest(requestId, context);
+    if (!req) return [];
+    const rows = await this.engine.find("sys_approval_action", {
+      where: { request_id: requestId },
+      limit: 500,
+      orderBy: [{ field: "created_at", direction: "asc" }],
+      context: SYSTEM_CTX2
+    });
+    return Array.isArray(rows) ? rows.map(rowFromAction) : [];
+  }
+};
+
+// src/approvals-plugin.ts
+import {
+  SysApprovalProcess,
+  SysApprovalRequest,
+  SysApprovalAction
+} from "@objectstack/platform-objects/audit";
+
+// src/lifecycle-hooks.ts
+import { ExpressionEngine } from "@objectstack/formula";
+var APPROVALS_HOOK_PACKAGE = "plugin-approvals:auto";
+var SYSTEM_CTX3 = { isSystem: true, roles: [], permissions: [] };
+function evaluateCriteria(criteria, record, logger) {
+  if (criteria == null || criteria === "") return true;
+  let expr;
+  if (typeof criteria === "string") {
+    expr = { dialect: "cel", source: criteria };
+  } else if (typeof criteria === "object" && criteria.dialect) {
+    expr = criteria;
+  } else {
+    return true;
+  }
+  if (!expr.source || !expr.source.trim()) return true;
+  const r = ExpressionEngine.evaluate(expr, { record });
+  if (!r.ok) {
+    logger?.warn?.("[approvals] entryCriteria evaluation failed; skipping auto-submit", {
+      source: expr.source,
+      error: r.error.message
+    });
+    return false;
+  }
+  return Boolean(r.value);
+}
+async function hasPendingRequest(engine, objectName, recordId) {
+  try {
+    const rows = await engine.find("sys_approval_request", {
+      where: { object_name: objectName, record_id: String(recordId), status: "pending" },
+      limit: 1
+    });
+    return Array.isArray(rows) && rows.length > 0;
+  } catch {
+    return false;
+  }
+}
+function bindProcessHooks(engine, service, processes, logger) {
+  const byObject = /* @__PURE__ */ new Map();
+  for (const p of processes) {
+    if (!p.active && !p.is_active) continue;
+    if (!p.object_name) continue;
+    const list = byObject.get(p.object_name) ?? [];
+    list.push(p);
+    byObject.set(p.object_name, list);
+  }
+  for (const [objectName, procs] of byObject.entries()) {
+    engine.registerHook("afterInsert", async (ctx) => {
+      try {
+        const record = ctx?.result ?? ctx?.input?.data ?? {};
+        const id = String(record?.id ?? "");
+        if (!id) return;
+        for (const proc of procs) {
+          await tryAutoSubmit(engine, service, proc, objectName, id, record, ctx, logger);
+        }
+      } catch (err) {
+        logger?.warn?.("[approvals] afterInsert auto-trigger failed", { error: err?.message });
+      }
+    }, { object: objectName, packageId: APPROVALS_HOOK_PACKAGE, priority: 200 });
+    engine.registerHook("afterUpdate", async (ctx) => {
+      if (ctx?.session?.isSystem) return;
+      try {
+        const result = ctx?.result ?? {};
+        const id = String(ctx?.input?.id ?? result?.id ?? "");
+        if (!id) return;
+        const record = {
+          ...ctx?.previous ?? {},
+          ...result?.id ? result : {},
+          ...ctx?.input?.data ?? {},
+          id
+        };
+        for (const proc of procs) {
+          await tryAutoSubmit(engine, service, proc, objectName, id, record, ctx, logger);
+        }
+      } catch (err) {
+        logger?.warn?.("[approvals] afterUpdate auto-trigger failed", { error: err?.message });
+      }
+    }, { object: objectName, packageId: APPROVALS_HOOK_PACKAGE, priority: 200 });
+    const lockProcs = procs.filter((p) => p.definition?.lockRecord !== false);
+    if (lockProcs.length === 0) continue;
+    engine.registerHook("beforeUpdate", async (ctx) => {
+      const id = String(ctx?.input?.id ?? "");
+      if (!id) return;
+      const data = ctx?.input?.data ?? {};
+      const changedFields = Object.keys(data).filter((k) => k !== "id" && k !== "updated_at");
+      if (changedFields.length === 0) return;
+      if (ctx?.session?.isSystem) return;
+      const mirrorFields = /* @__PURE__ */ new Set();
+      for (const p of lockProcs) {
+        const f = p.definition?.approvalStatusField;
+        if (typeof f === "string" && f) mirrorFields.add(f);
+      }
+      const onlyMirror = changedFields.every((f) => mirrorFields.has(f));
+      if (onlyMirror) return;
+      const roles = ctx?.session?.roles ?? [];
+      if (Array.isArray(roles) && roles.includes("admin")) return;
+      const pending = await hasPendingRequest(engine, objectName, id);
+      if (!pending) return;
+      const err = new Error("RECORD_LOCKED: record is locked while an approval is in progress");
+      err.code = "RECORD_LOCKED";
+      err.statusCode = 409;
+      throw err;
+    }, { object: objectName, packageId: APPROVALS_HOOK_PACKAGE, priority: 50 });
+  }
+  logger?.info?.("[approvals] lifecycle hooks bound", {
+    objects: Array.from(byObject.keys()),
+    processCount: processes.length
+  });
+}
+function unbindAllHooks(engine) {
+  return engine.unregisterHooksByPackage(APPROVALS_HOOK_PACKAGE);
+}
+async function tryAutoSubmit(engine, service, process, objectName, recordId, record, ctx, logger) {
+  try {
+    const criteria = process.definition?.entryCriteria;
+    const passes = evaluateCriteria(criteria, record, logger);
+    if (!passes) return;
+    if (await hasPendingRequest(engine, objectName, recordId)) return;
+    const statusField = process.definition?.approvalStatusField;
+    if (statusField) {
+      const current = record?.[statusField];
+      if (current === "approved" || current === "rejected" || current === "recalled") return;
+    }
+    const submitterId = ctx?.session?.userId ?? null;
+    const submitterOrg = ctx?.session?.tenantId ?? ctx?.session?.organizationId ?? null;
+    await service.submit({
+      object: objectName,
+      recordId,
+      processName: process.name,
+      payload: record,
+      submitterId
+    }, { ...SYSTEM_CTX3, userId: submitterId ?? void 0, organizationId: submitterOrg ?? void 0, tenantId: submitterOrg ?? void 0 });
+    logger?.info?.("[approvals] auto-submitted approval", {
+      process: process.name,
+      object: objectName,
+      record: recordId
+    });
+  } catch (err) {
+    if (err?.code === "DUPLICATE_REQUEST") return;
+    logger?.warn?.("[approvals] auto-submit failed", {
+      process: process.name,
+      object: objectName,
+      record: recordId,
+      error: err?.message ?? String(err)
+    });
+  }
+}
+
+// src/approvals-plugin.ts
+var ApprovalsServicePlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.service.approvals";
+    this.version = "1.0.0";
+    this.type = "standard";
+    this.dependencies = ["com.objectstack.engine.objectql"];
+    this.options = options;
+  }
+  async init(ctx) {
+    ctx.getService("manifest").register({
+      id: "com.objectstack.service.approvals",
+      name: "Approvals Service",
+      version: "1.0.0",
+      type: "plugin",
+      scope: "system",
+      defaultDatasource: "cloud",
+      namespace: "sys",
+      objects: [SysApprovalProcess, SysApprovalRequest, SysApprovalAction]
+    });
+    ctx.logger.info("ApprovalsServicePlugin: schemas registered");
+  }
+  async start(ctx) {
+    if (this.options.disableService) return;
+    let engine = null;
+    try {
+      engine = ctx.getService("objectql");
+    } catch {
+      try {
+        engine = ctx.getService("data");
+      } catch {
+      }
+    }
+    if (!engine) {
+      ctx.logger.warn("ApprovalsServicePlugin: no ObjectQL engine \u2014 service NOT registered");
+      return;
+    }
+    this.engine = engine;
+    this.logger = ctx.logger;
+    this.service = new ApprovalService({
+      engine,
+      logger: ctx.logger
+    });
+    if (!this.options.disableAutoHooks) {
+      this.service.setRegistryChangeHandler(() => this.rebindHooks());
+      const hookOn = ctx.hook ?? ctx.on;
+      if (typeof hookOn === "function") {
+        try {
+          hookOn.call(ctx, "kernel:ready", async () => {
+            await this.rebindHooks();
+          });
+        } catch {
+          await this.rebindHooks();
+        }
+      } else {
+        await this.rebindHooks();
+      }
+    }
+    ctx.registerService("approvals", this.service);
+    ctx.logger.info("ApprovalsServicePlugin: service registered");
+  }
+  async rebindHooks() {
+    if (!this.engine || !this.service) return;
+    try {
+      unbindAllHooks(this.engine);
+      const processes = await this.service.listProcesses({ activeOnly: true }, { isSystem: true, roles: [], permissions: [] });
+      bindProcessHooks(this.engine, this.service, processes, this.logger);
+    } catch (err) {
+      this.logger?.warn?.("[approvals] rebindHooks failed", { error: err?.message });
+    }
+  }
+  async stop(_ctx) {
+    if (this.engine) {
+      try {
+        unbindAllHooks(this.engine);
+      } catch {
+      }
+    }
+  }
+};
+export {
+  ApprovalService,
+  ApprovalsServicePlugin,
+  SysApprovalAction2 as SysApprovalAction,
+  SysApprovalProcess2 as SysApprovalProcess,
+  SysApprovalRequest2 as SysApprovalRequest
+};
+//# sourceMappingURL=index.mjs.map