@objectstack/plugin-audit 4.0.4 → 4.1.0

package/dist/index.js

@@ -21,105 +21,274 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   AuditPlugin: () => AuditPlugin,
-  SysAuditLog: () => SysAuditLog
+  installAuditWriters: () => installAuditWriters
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/objects/sys-audit-log.object.ts
-var import_data = require("@objectstack/spec/data");
-var SysAuditLog = import_data.ObjectSchema.create({
-  namespace: "sys",
-  name: "audit_log",
-  label: "Audit Log",
-  pluralLabel: "Audit Logs",
-  icon: "scroll-text",
-  isSystem: true,
-  description: "Immutable audit trail for platform events",
-  titleFormat: "{action} on {object_name} by {user_id}",
-  compactLayout: ["action", "object_name", "user_id", "created_at"],
-  fields: {
-    id: import_data.Field.text({
-      label: "Audit Log ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: import_data.Field.datetime({
-      label: "Timestamp",
-      required: true,
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: import_data.Field.text({
-      label: "User ID",
-      required: false,
-      description: "User who performed the action (null for system actions)"
-    }),
-    action: import_data.Field.select(["create", "update", "delete", "restore", "login", "logout", "permission_change", "config_change", "export", "import"], {
-      label: "Action",
-      required: true,
-      description: "Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import"
-    }),
-    object_name: import_data.Field.text({
-      label: "Object Name",
-      required: false,
-      maxLength: 255,
-      description: "Target object (e.g. sys_user, project_task)"
-    }),
-    record_id: import_data.Field.text({
-      label: "Record ID",
-      required: false,
-      description: "ID of the affected record"
-    }),
-    old_value: import_data.Field.textarea({
-      label: "Old Value",
-      required: false,
-      description: "JSON-serialized previous state"
-    }),
-    new_value: import_data.Field.textarea({
-      label: "New Value",
-      required: false,
-      description: "JSON-serialized new state"
-    }),
-    ip_address: import_data.Field.text({
-      label: "IP Address",
-      required: false,
-      maxLength: 45
-    }),
-    user_agent: import_data.Field.textarea({
-      label: "User Agent",
-      required: false
-    }),
-    tenant_id: import_data.Field.text({
-      label: "Tenant ID",
-      required: false,
-      description: "Tenant context for multi-tenant isolation"
-    }),
-    metadata: import_data.Field.textarea({
-      label: "Metadata",
-      required: false,
-      description: "JSON-serialized additional context"
-    })
-  },
-  indexes: [
-    { fields: ["created_at"] },
-    { fields: ["user_id"] },
-    { fields: ["object_name", "record_id"] },
-    { fields: ["action"] },
-    { fields: ["tenant_id"] }
-  ],
-  enable: {
-    trackHistory: false,
-    // Audit logs are themselves the audit trail
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list"],
-    // Read-only — audit logs are immutable; creation happens via internal system hooks only
-    trash: false,
-    // Never soft-delete audit logs
-    mru: false,
-    clone: false
+// src/audit-plugin.ts
+var import_audit = require("@objectstack/platform-objects/audit");
+
+// src/audit-writers.ts
+var SKIP_OBJECTS = /* @__PURE__ */ new Set([
+  "sys_audit_log",
+  "sys_activity",
+  "sys_comment",
+  "sys_session",
+  "sys_presence",
+  "sys_account",
+  "sys_account_session",
+  "sys_account_verification",
+  "sys_account_account"
+]);
+var NOISE_FIELDS = /* @__PURE__ */ new Set([
+  "updated_at",
+  "updated_by",
+  "created_at",
+  "created_by"
+]);
+function actionFor(event) {
+  if (event === "afterInsert") return "create";
+  if (event === "afterUpdate") return "update";
+  if (event === "afterDelete") return "delete";
+  return null;
+}
+function activityTypeFor(action) {
+  return action === "create" ? "created" : action === "update" ? "updated" : "deleted";
+}
+function recordLabel(record, id) {
+  if (!record || typeof record !== "object") return id;
+  const candidates = ["name", "subject", "title", "full_name", "label", "first_name", "company", "email"];
+  for (const k of candidates) {
+    const v = record[k];
+    if (typeof v === "string" && v.trim()) return v.trim();
   }
-});
+  return id;
+}
+function diff(before, after) {
+  const oldOut = {};
+  const newOut = {};
+  const keys = /* @__PURE__ */ new Set([...Object.keys(before || {}), ...Object.keys(after || {})]);
+  for (const k of keys) {
+    if (NOISE_FIELDS.has(k)) continue;
+    const b = before?.[k];
+    const a = after?.[k];
+    if (safeStringify(b) !== safeStringify(a)) {
+      oldOut[k] = b ?? null;
+      newOut[k] = a ?? null;
+    }
+  }
+  return { old: oldOut, next: newOut };
+}
+function safeStringify(v) {
+  try {
+    return JSON.stringify(v);
+  } catch {
+    return String(v);
+  }
+}
+function installAuditWriters(engine, packageId = "com.objectstack.audit") {
+  if (!engine || typeof engine.registerHook !== "function") return;
+  if (typeof engine.unregisterHooksByPackage === "function") {
+    engine.unregisterHooksByPackage(packageId);
+  }
+  const captureBefore = async (ctx) => {
+    if (SKIP_OBJECTS.has(ctx.object)) return;
+    const id = ctx.input?.id;
+    if (!id) return;
+    try {
+      const trx = ctx.transaction;
+      const ql = ctx.ql ?? ctx.api?.engine;
+      if (ql?.findOne) {
+        const prev2 = await ql.findOne(ctx.object, {
+          where: { id },
+          context: { isSystem: true, ...trx ? { transaction: trx } : {} }
+        });
+        if (prev2) ctx.__previous = prev2;
+        return;
+      }
+      const api = ctx.api;
+      if (!api?.sudo) return;
+      const prev = await api.sudo().object(ctx.object).findOne({ where: { id } });
+      if (prev) ctx.__previous = prev;
+    } catch {
+    }
+  };
+  engine.registerHook("beforeUpdate", captureBefore, { packageId });
+  engine.registerHook("beforeDelete", captureBefore, { packageId });
+  const writeAudit = async (ctx) => {
+    if (SKIP_OBJECTS.has(ctx.object)) return;
+    const action = actionFor(ctx.event);
+    if (!action) return;
+    const api = ctx.api;
+    if (!api?.sudo) return;
+    const after = ctx.result;
+    const before = ctx.__previous ?? ctx.previous ?? null;
+    let recordId = typeof after === "object" && after?.id || typeof before === "object" && before?.id || ctx.input?.id;
+    if (recordId !== void 0) recordId = String(recordId);
+    const sess = ctx.session ?? {};
+    const userId = sess.userId;
+    const recordOrgId = typeof ctx.result?.organization_id === "string" && ctx.result.organization_id || typeof ctx.__previous?.organization_id === "string" && ctx.__previous.organization_id || void 0;
+    const tenantId = sess.tenantId ?? recordOrgId;
+    let oldValue = null;
+    let newValue = null;
+    if (action === "create") {
+      newValue = after && typeof after === "object" ? { ...after } : null;
+    } else if (action === "update") {
+      const d = diff(before || {}, after || {});
+      oldValue = d.old;
+      newValue = d.next;
+      if (Object.keys(newValue).length === 0) return;
+    } else if (action === "delete") {
+      oldValue = before && typeof before === "object" ? { ...before } : null;
+    }
+    const auditRow = {
+      action,
+      user_id: userId ?? null,
+      object_name: ctx.object,
+      record_id: recordId ?? null,
+      old_value: oldValue ? safeStringify(oldValue) : null,
+      new_value: newValue ? safeStringify(newValue) : null,
+      // `tenant_id` is the schema-declared "tenant context" lookup; the
+      // platform-default `organization_id` column is what RLS gates on
+      // (`organization_id = current_user.organization_id`). The audit
+      // writer runs through `api.sudo()` which bypasses the
+      // SecurityPlugin's auto-stamping of `organization_id`, so we
+      // stamp both columns explicitly here. Without `organization_id`,
+      // non-admin members would see 0 rows on Setup dashboards because
+      // RLS would deny every audit row as wrong-tenant.
+      organization_id: tenantId ?? null,
+      tenant_id: tenantId ?? null
+    };
+    const label = recordLabel(after ?? before, recordId ?? "");
+    const summary = action === "create" ? `Created ${ctx.object} "${label}"` : action === "update" ? `Updated ${ctx.object} "${label}"` : `Deleted ${ctx.object} "${label}"`;
+    const activityRow = {
+      type: activityTypeFor(action),
+      // Explicit ISO timestamp — `defaultValue: 'NOW()'` on the column
+      // isn't resolved by every driver and would otherwise leak the
+      // literal string "NOW()" into the row.
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      summary,
+      actor_id: userId ?? null,
+      object_name: ctx.object,
+      record_id: recordId ?? null,
+      record_label: label,
+      metadata: newValue || oldValue ? safeStringify({ old: oldValue, new: newValue }) : null,
+      // Same rationale as auditRow: stamp the tenant column so RLS
+      // matches the recipient's organization on read.
+      organization_id: tenantId ?? null
+    };
+    try {
+      const sys = api.sudo();
+      await sys.object("sys_audit_log").create(auditRow);
+      await sys.object("sys_activity").create(activityRow);
+      await writeAssignmentNotifications(sys, {
+        object: ctx.object,
+        recordId: recordId ?? null,
+        label,
+        action,
+        before,
+        after,
+        actorId: userId ?? null,
+        tenantId: tenantId ?? null
+      });
+    } catch (err) {
+      try {
+        engine.logger?.warn?.("Audit write failed", { object: ctx.object, action, err: String(err?.message ?? err) });
+      } catch {
+      }
+    }
+  };
+  engine.registerHook("afterInsert", writeAudit, { packageId });
+  engine.registerHook("afterUpdate", writeAudit, { packageId });
+  engine.registerHook("afterDelete", writeAudit, { packageId });
+  const writeCommentMentions = async (ctx) => {
+    if (ctx.object !== "sys_comment") return;
+    if (ctx.event !== "afterInsert") return;
+    const api = ctx.api;
+    if (!api?.sudo) return;
+    const row = ctx.result;
+    if (!row || typeof row !== "object") return;
+    let mentions = row.mentions;
+    if (typeof mentions === "string") {
+      try {
+        mentions = JSON.parse(mentions);
+      } catch {
+        mentions = null;
+      }
+    }
+    if (!Array.isArray(mentions) || mentions.length === 0) return;
+    const userIds = mentions.map((m) => typeof m === "string" ? m : m?.id).filter((id) => typeof id === "string" && id.length > 0);
+    if (userIds.length === 0) return;
+    const [source_object, source_id] = String(row.thread_id ?? "").split(":");
+    const actorId = row.author_id ?? null;
+    const actorName = row.author_name ?? null;
+    const bodyPreview = String(row.body ?? "").slice(0, 240);
+    const sess = ctx.session ?? {};
+    const tenantId = sess.tenantId ?? row.organization_id ?? null;
+    const sys = api.sudo();
+    for (const uid of userIds) {
+      if (uid === actorId) continue;
+      try {
+        await sys.object("sys_notification").create({
+          recipient_id: uid,
+          type: "mention",
+          title: actorName ? `${actorName} mentioned you` : "You were mentioned",
+          body: bodyPreview,
+          source_object: source_object || null,
+          source_id: source_id || null,
+          actor_id: actorId,
+          actor_name: actorName,
+          is_read: false,
+          // Stamp tenant so the recipient's RLS sees it (see writeAssignmentNotifications).
+          organization_id: tenantId
+        });
+      } catch (err) {
+        try {
+          engine.logger?.warn?.("Mention notification write failed", { uid, err: String(err?.message ?? err) });
+        } catch {
+        }
+      }
+    }
+  };
+  engine.registerHook("afterInsert", writeCommentMentions, { packageId });
+}
+var OWNER_FIELDS = ["owner_id", "assigned_to", "assignee_id", "owner", "assignee"];
+function pickOwner(rec) {
+  if (!rec || typeof rec !== "object") return null;
+  for (const f of OWNER_FIELDS) {
+    const v = rec[f];
+    if (typeof v === "string" && v.length > 0) return v;
+  }
+  return null;
+}
+async function writeAssignmentNotifications(sys, params) {
+  if (params.action === "delete") return;
+  if (!params.recordId) return;
+  const newOwner = pickOwner(params.after);
+  const oldOwner = pickOwner(params.before);
+  if (!newOwner) return;
+  if (params.action === "update" && newOwner === oldOwner) return;
+  if (newOwner === params.actorId) return;
+  try {
+    await sys.object("sys_notification").create({
+      recipient_id: newOwner,
+      type: "assignment",
+      title: `${params.object} "${params.label}" assigned to you`,
+      body: null,
+      source_object: params.object,
+      source_id: params.recordId,
+      actor_id: params.actorId,
+      actor_name: null,
+      is_read: false,
+      // Stamp organization_id so the recipient (who lives in the same
+      // tenant as the action) sees the notification through RLS. Without
+      // this, sys_notification rows insert with NULL organization_id and
+      // the recipient's `tenant_isolation` policy denies them.
+      organization_id: params.tenantId
+    });
+  } catch {
+  }
+}
 
 // src/audit-plugin.ts
 var AuditPlugin = class {
@@ -130,33 +299,52 @@ var AuditPlugin = class {
     this.dependencies = ["com.objectstack.engine.objectql"];
   }
   async init(ctx) {
+    process.stderr.write("[AuditPlugin] init() called\n");
     ctx.getService("manifest").register({
       id: "com.objectstack.audit",
       name: "Audit",
       version: "1.0.0",
       type: "plugin",
+      scope: "system",
+      defaultDatasource: "cloud",
       namespace: "sys",
-      objects: [SysAuditLog]
+      objects: [import_audit.SysAuditLog, import_audit.SysActivity, import_audit.SysComment, import_audit.SysAttachment, import_audit.SysNotification]
     });
-    try {
-      const setupNav = ctx.getService("setupNav");
-      if (setupNav) {
-        setupNav.contribute({
-          areaId: "area_system",
-          items: [
-            { id: "nav_audit_logs", type: "object", label: "Audit Logs", objectName: "audit_log", icon: "scroll-text", order: 10 }
-          ]
-        });
-        ctx.logger.info("Audit navigation items contributed to Setup App");
-      }
-    } catch {
-    }
     ctx.logger.info("Audit Plugin initialized");
   }
+  async start(ctx) {
+    process.stderr.write("[AuditPlugin] start() called, registering kernel:ready hook\n");
+    ctx.hook("kernel:ready", async () => {
+      process.stderr.write("[AuditPlugin] kernel:ready fired\n");
+      let engine = null;
+      try {
+        engine = ctx.getService("objectql");
+        process.stderr.write(`[AuditPlugin] objectql engine = ${engine ? "OK" : "null"} registerHook? ${typeof engine?.registerHook}
+`);
+      } catch (err) {
+        process.stderr.write(`[AuditPlugin] getService(objectql) threw: ${err.message}
+`);
+        try {
+          engine = ctx.getService("data");
+          process.stderr.write(`[AuditPlugin] data engine = ${engine ? "OK" : "null"}
+`);
+        } catch {
+        }
+      }
+      if (!engine) {
+        process.stderr.write("[AuditPlugin] NO ENGINE \u2014 bailing\n");
+        ctx.logger.warn("AuditPlugin: ObjectQL engine not available \u2014 audit writers NOT installed");
+        return;
+      }
+      installAuditWriters(engine, this.name);
+      process.stderr.write("[AuditPlugin] writers installed\n");
+      ctx.logger.info("AuditPlugin: audit + activity writers installed");
+    });
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuditPlugin,
-  SysAuditLog
+  installAuditWriters
 });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts","../src/objects/sys-audit-log.object.ts","../src/audit-plugin.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-audit\n *\n * Audit Plugin for ObjectStack\n * Provides the sys_audit_log system object definition for immutable audit trails.\n */\n\nexport { AuditPlugin } from './audit-plugin.js';\n\n// System Object Definitions (sys namespace)\nexport { SysAuditLog } from './objects/index.js';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { ObjectSchema, Field } from '@objectstack/spec/data';\n\n/**\n * sys_audit_log — System Audit Log Object\n *\n * Immutable audit trail for all significant platform events.\n * Records who did what, when, and the before/after state.\n *\n * @namespace sys\n */\nexport const SysAuditLog = ObjectSchema.create({\n  namespace: 'sys',\n  name: 'audit_log',\n  label: 'Audit Log',\n  pluralLabel: 'Audit Logs',\n  icon: 'scroll-text',\n  isSystem: true,\n  description: 'Immutable audit trail for platform events',\n  titleFormat: '{action} on {object_name} by {user_id}',\n  compactLayout: ['action', 'object_name', 'user_id', 'created_at'],\n  \n  fields: {\n    id: Field.text({\n      label: 'Audit Log ID',\n      required: true,\n      readonly: true,\n    }),\n    \n    created_at: Field.datetime({\n      label: 'Timestamp',\n      required: true,\n      defaultValue: 'NOW()',\n      readonly: true,\n    }),\n    \n    user_id: Field.text({\n      label: 'User ID',\n      required: false,\n      description: 'User who performed the action (null for system actions)',\n    }),\n    \n    action: Field.select(['create', 'update', 'delete', 'restore', 'login', 'logout', 'permission_change', 'config_change', 'export', 'import'], {\n      label: 'Action',\n      required: true,\n      description: 'Action type (snake_case). Values: create, update, delete, restore, login, logout, permission_change, config_change, export, import',\n    }),\n    \n    object_name: Field.text({\n      label: 'Object Name',\n      required: false,\n      maxLength: 255,\n      description: 'Target object (e.g. sys_user, project_task)',\n    }),\n    \n    record_id: Field.text({\n      label: 'Record ID',\n      required: false,\n      description: 'ID of the affected record',\n    }),\n    \n    old_value: Field.textarea({\n      label: 'Old Value',\n      required: false,\n      description: 'JSON-serialized previous state',\n    }),\n    \n    new_value: Field.textarea({\n      label: 'New Value',\n      required: false,\n      description: 'JSON-serialized new state',\n    }),\n    \n    ip_address: Field.text({\n      label: 'IP Address',\n      required: false,\n      maxLength: 45,\n    }),\n    \n    user_agent: Field.textarea({\n      label: 'User Agent',\n      required: false,\n    }),\n    \n    tenant_id: Field.text({\n      label: 'Tenant ID',\n      required: false,\n      description: 'Tenant context for multi-tenant isolation',\n    }),\n    \n    metadata: Field.textarea({\n      label: 'Metadata',\n      required: false,\n      description: 'JSON-serialized additional context',\n    }),\n  },\n  \n  indexes: [\n    { fields: ['created_at'] },\n    { fields: ['user_id'] },\n    { fields: ['object_name', 'record_id'] },\n    { fields: ['action'] },\n    { fields: ['tenant_id'] },\n  ],\n  \n  enable: {\n    trackHistory: false, // Audit logs are themselves the audit trail\n    searchable: true,\n    apiEnabled: true,\n    apiMethods: ['get', 'list'], // Read-only — audit logs are immutable; creation happens via internal system hooks only\n    trash: false, // Never soft-delete audit logs\n    mru: false,\n    clone: false,\n  },\n});\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { Plugin, PluginContext } from '@objectstack/core';\nimport { SysAuditLog } from './objects/index.js';\n\n/**\n * AuditPlugin\n *\n * Registers the sys_audit_log system object with ObjectQL so it is\n * discoverable by the studio and available for CRUD operations.\n */\nexport class AuditPlugin implements Plugin {\n  name = 'com.objectstack.audit';\n  type = 'standard';\n  version = '1.0.0';\n  dependencies = ['com.objectstack.engine.objectql'];\n\n  async init(ctx: PluginContext): Promise<void> {\n    // Register audit system objects via the manifest service.\n    ctx.getService<{ register(m: any): void }>('manifest').register({\n      id: 'com.objectstack.audit',\n      name: 'Audit',\n      version: '1.0.0',\n      type: 'plugin',\n      namespace: 'sys',\n      objects: [SysAuditLog],\n    });\n\n    // Contribute navigation items to the Setup App (if SetupPlugin is loaded).\n    try {\n      const setupNav = ctx.getService<{ contribute(c: any): void }>('setupNav');\n      if (setupNav) {\n        setupNav.contribute({\n          areaId: 'area_system',\n          items: [\n            { id: 'nav_audit_logs', type: 'object', label: 'Audit Logs', objectName: 'audit_log', icon: 'scroll-text', order: 10 },\n          ],\n        });\n        ctx.logger.info('Audit navigation items contributed to Setup App');\n      }\n    } catch {\n      // SetupPlugin not loaded — skip silently\n    }\n\n    ctx.logger.info('Audit Plugin initialized');\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACEA,kBAAoC;AAU7B,IAAM,cAAc,yBAAa,OAAO;AAAA,EAC7C,WAAW;AAAA,EACX,MAAM;AAAA,EACN,OAAO;AAAA,EACP,aAAa;AAAA,EACb,MAAM;AAAA,EACN,UAAU;AAAA,EACV,aAAa;AAAA,EACb,aAAa;AAAA,EACb,eAAe,CAAC,UAAU,eAAe,WAAW,YAAY;AAAA,EAEhE,QAAQ;AAAA,IACN,IAAI,kBAAM,KAAK;AAAA,MACb,OAAO;AAAA,MACP,UAAU;AAAA,MACV,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,cAAc;AAAA,MACd,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,SAAS,kBAAM,KAAK;AAAA,MAClB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,QAAQ,kBAAM,OAAO,CAAC,UAAU,UAAU,UAAU,WAAW,SAAS,UAAU,qBAAqB,iBAAiB,UAAU,QAAQ,GAAG;AAAA,MAC3I,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,aAAa,kBAAM,KAAK;AAAA,MACtB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,MACX,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,WAAW,kBAAM,SAAS;AAAA,MACxB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,YAAY,kBAAM,KAAK;AAAA,MACrB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,WAAW;AAAA,IACb,CAAC;AAAA,IAED,YAAY,kBAAM,SAAS;AAAA,MACzB,OAAO;AAAA,MACP,UAAU;AAAA,IACZ,CAAC;AAAA,IAED,WAAW,kBAAM,KAAK;AAAA,MACpB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,IAED,UAAU,kBAAM,SAAS;AAAA,MACvB,OAAO;AAAA,MACP,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA,EAEA,SAAS;AAAA,IACP,EAAE,QAAQ,CAAC,YAAY,EAAE;AAAA,IACzB,EAAE,QAAQ,CAAC,SAAS,EAAE;AAAA,IACtB,EAAE,QAAQ,CAAC,eAAe,WAAW,EAAE;AAAA,IACvC,EAAE,QAAQ,CAAC,QAAQ,EAAE;AAAA,IACrB,EAAE,QAAQ,CAAC,WAAW,EAAE;AAAA,EAC1B;AAAA,EAEA,QAAQ;AAAA,IACN,cAAc;AAAA;AAAA,IACd,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,YAAY,CAAC,OAAO,MAAM;AAAA;AAAA,IAC1B,OAAO;AAAA;AAAA,IACP,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACF,CAAC;;;ACxGM,IAAM,cAAN,MAAoC;AAAA,EAApC;AACL,gBAAO;AACP,gBAAO;AACP,mBAAU;AACV,wBAAe,CAAC,iCAAiC;AAAA;AAAA,EAEjD,MAAM,KAAK,KAAmC;AAE5C,QAAI,WAAuC,UAAU,EAAE,SAAS;AAAA,MAC9D,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,MACN,WAAW;AAAA,MACX,SAAS,CAAC,WAAW;AAAA,IACvB,CAAC;AAGD,QAAI;AACF,YAAM,WAAW,IAAI,WAAyC,UAAU;AACxE,UAAI,UAAU;AACZ,iBAAS,WAAW;AAAA,UAClB,QAAQ;AAAA,UACR,OAAO;AAAA,YACL,EAAE,IAAI,kBAAkB,MAAM,UAAU,OAAO,cAAc,YAAY,aAAa,MAAM,eAAe,OAAO,GAAG;AAAA,UACvH;AAAA,QACF,CAAC;AACD,YAAI,OAAO,KAAK,iDAAiD;AAAA,MACnE;AAAA,IACF,QAAQ;AAAA,IAER;AAEA,QAAI,OAAO,KAAK,0BAA0B;AAAA,EAC5C;AACF;","names":[]}
+{"version":3,"sources":["../src/index.ts","../src/audit-plugin.ts","../src/audit-writers.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\n/**\n * @objectstack/plugin-audit\n *\n * Audit Plugin for ObjectStack\n * Provides the sys_audit_log system object definition for immutable audit trails.\n */\n\nexport { AuditPlugin } from './audit-plugin.js';\nexport { installAuditWriters } from './audit-writers.js';\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { Plugin, PluginContext } from '@objectstack/core';\nimport type { IDataEngine } from '@objectstack/spec/contracts';\nimport { SysAuditLog, SysActivity, SysComment, SysAttachment, SysNotification } from '@objectstack/platform-objects/audit';\nimport { installAuditWriters } from './audit-writers.js';\n\n/**\n * AuditPlugin\n *\n * Registers the sys_audit_log / sys_activity / sys_comment system objects\n * and installs ObjectQL hook subscribers that automatically write audit\n * trail + activity stream rows on every data mutation.\n *\n * Implements ROADMAP M10.1 (CRM production-readiness).\n */\nexport class AuditPlugin implements Plugin {\n  name = 'com.objectstack.audit';\n  type = 'standard';\n  version = '1.0.0';\n  dependencies = ['com.objectstack.engine.objectql'];\n\n  async init(ctx: PluginContext): Promise<void> {\n    process.stderr.write('[AuditPlugin] init() called\\n');\n    // Register audit system objects via the manifest service.\n    ctx.getService<{ register(m: any): void }>('manifest').register({\n      id: 'com.objectstack.audit',\n      name: 'Audit',\n      version: '1.0.0',\n      type: 'plugin',\n      scope: 'system',\n      defaultDatasource: 'cloud',\n      namespace: 'sys',\n      objects: [SysAuditLog, SysActivity, SysComment, SysAttachment, SysNotification],\n    });\n\n    ctx.logger.info('Audit Plugin initialized');\n  }\n\n  async start(ctx: PluginContext): Promise<void> {\n    process.stderr.write('[AuditPlugin] start() called, registering kernel:ready hook\\n');\n    // ObjectQL engine is only resolvable after the kernel is ready.\n    ctx.hook('kernel:ready', async () => {\n      process.stderr.write('[AuditPlugin] kernel:ready fired\\n');\n      let engine: IDataEngine | null = null;\n      try {\n        engine = ctx.getService<IDataEngine>('objectql');\n        process.stderr.write(`[AuditPlugin] objectql engine = ${engine ? 'OK' : 'null'} registerHook? ${typeof (engine as any)?.registerHook}\\n`);\n      } catch (err) {\n        process.stderr.write(`[AuditPlugin] getService(objectql) threw: ${(err as Error).message}\\n`);\n        // Fallback alias used in some kernels.\n        try {\n          engine = ctx.getService<IDataEngine>('data');\n          process.stderr.write(`[AuditPlugin] data engine = ${engine ? 'OK' : 'null'}\\n`);\n        } catch { /* ignore */ }\n      }\n      if (!engine) {\n        process.stderr.write('[AuditPlugin] NO ENGINE — bailing\\n');\n        ctx.logger.warn('AuditPlugin: ObjectQL engine not available — audit writers NOT installed');\n        return;\n      }\n      installAuditWriters(engine as any, this.name);\n      process.stderr.write('[AuditPlugin] writers installed\\n');\n      ctx.logger.info('AuditPlugin: audit + activity writers installed');\n    });\n  }\n}\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport type { HookContext } from '@objectstack/spec/data';\nimport type { IDataEngine } from '@objectstack/spec/contracts';\n\n/**\n * Audit writer hook installer.\n *\n * Subscribes to the ObjectQL engine's wildcard `before*` / `after*` lifecycle\n * events and writes:\n *\n *  - `sys_audit_log` rows — immutable, compliance-grade entries with\n *    field-level `old_value` / `new_value` diffs.\n *  - `sys_activity` rows — denormalized, human-readable summaries shown\n *    in the dashboard recent-activity feed and per-record timelines.\n *\n * Skip rules avoid recursion and noise:\n *  - Never audit the audit/activity tables themselves.\n *  - Never audit session/presence/auth tables (high-frequency, low value).\n *  - Read-only operations (`afterFind`) are never audited.\n *\n * All writes go through `ctx.api.sudo()` so they bypass record-level\n * permissions and always succeed regardless of the calling user's RBAC.\n */\n\n/** Tables that are intentionally excluded from audit/activity writes. */\nconst SKIP_OBJECTS = new Set<string>([\n  'sys_audit_log',\n  'sys_activity',\n  'sys_comment',\n  'sys_session',\n  'sys_presence',\n  'sys_account',\n  'sys_account_session',\n  'sys_account_verification',\n  'sys_account_account',\n]);\n\n/** Fields that are noise in diffs (always change, never user-meaningful). */\nconst NOISE_FIELDS = new Set<string>([\n  'updated_at',\n  'updated_by',\n  'created_at',\n  'created_by',\n]);\n\n/** Action name produced from a HookContext.event string. */\nfunction actionFor(event: string): 'create' | 'update' | 'delete' | null {\n  if (event === 'afterInsert') return 'create';\n  if (event === 'afterUpdate') return 'update';\n  if (event === 'afterDelete') return 'delete';\n  return null;\n}\n\n/** Activity type produced from an audit action. */\nfunction activityTypeFor(action: 'create' | 'update' | 'delete'): 'created' | 'updated' | 'deleted' {\n  return action === 'create' ? 'created' : action === 'update' ? 'updated' : 'deleted';\n}\n\n/**\n * Compute the human-readable record label from a record by trying common\n * label fields. Falls back to record id.\n */\nfunction recordLabel(record: any, id: string): string {\n  if (!record || typeof record !== 'object') return id;\n  const candidates = ['name', 'subject', 'title', 'full_name', 'label', 'first_name', 'company', 'email'];\n  for (const k of candidates) {\n    const v = record[k];\n    if (typeof v === 'string' && v.trim()) return v.trim();\n  }\n  return id;\n}\n\n/**\n * Compute a shallow JSON diff between two records. Returns only keys whose\n * value changed (and ignores keys in `NOISE_FIELDS`). Both sides are\n * serialisable via `JSON.stringify` — values that fail to serialise are\n * coerced to `String(value)`.\n */\nfunction diff(before: Record<string, any>, after: Record<string, any>): { old: Record<string, any>; next: Record<string, any> } {\n  const oldOut: Record<string, any> = {};\n  const newOut: Record<string, any> = {};\n  const keys = new Set<string>([...Object.keys(before || {}), ...Object.keys(after || {})]);\n  for (const k of keys) {\n    if (NOISE_FIELDS.has(k)) continue;\n    const b = before?.[k];\n    const a = after?.[k];\n    if (safeStringify(b) !== safeStringify(a)) {\n      oldOut[k] = b ?? null;\n      newOut[k] = a ?? null;\n    }\n  }\n  return { old: oldOut, next: newOut };\n}\n\nfunction safeStringify(v: any): string {\n  try { return JSON.stringify(v); } catch { return String(v); }\n}\n\n/**\n * Install audit + activity writers on the given engine. Idempotent per\n * `packageId` — calling twice with the same id replaces the previous\n * registration.\n */\nexport function installAuditWriters(engine: any, packageId = 'com.objectstack.audit'): void {\n  if (!engine || typeof engine.registerHook !== 'function') return;\n\n  // Remove any prior installation so we can safely re-install on hot reload.\n  if (typeof engine.unregisterHooksByPackage === 'function') {\n    engine.unregisterHooksByPackage(packageId);\n  }\n\n  /**\n   * beforeUpdate / beforeDelete: capture \"previous\" snapshot via api.sudo()\n   * so we can compute the diff in the afterXxx hook. We attach the snapshot\n   * to the context (`(ctx as any).__previous`) since `HookContext.previous`\n   * is officially typed but not always populated by the engine itself.\n   */\n  const captureBefore = async (ctx: HookContext) => {\n    if (SKIP_OBJECTS.has(ctx.object)) return;\n    const id = (ctx.input as any)?.id;\n    if (!id) return; // bulk update/delete — too costly to snapshot every row here\n    try {\n      // Use the engine directly (not api.sudo) so we can thread the\n      // active transaction through. On drivers with single-connection\n      // pools (e.g. SQLite via knex) a sudo() findOne that does NOT\n      // carry the open transaction will deadlock for the full\n      // acquireConnectionTimeout (~60s) because the outer transaction\n      // holds the only connection.\n      const trx = (ctx as any).transaction;\n      const ql = (ctx as any).ql ?? (ctx as any).api?.engine;\n      if (ql?.findOne) {\n        const prev = await ql.findOne(ctx.object, {\n          where: { id },\n          context: { isSystem: true, ...(trx ? { transaction: trx } : {}) },\n        });\n        if (prev) (ctx as any).__previous = prev;\n        return;\n      }\n      const api: any = (ctx as any).api;\n      if (!api?.sudo) return;\n      const prev = await api.sudo().object(ctx.object).findOne({ where: { id } });\n      if (prev) (ctx as any).__previous = prev;\n    } catch {\n      /* ignore — best-effort */\n    }\n  };\n\n  engine.registerHook('beforeUpdate', captureBefore, { packageId });\n  engine.registerHook('beforeDelete', captureBefore, { packageId });\n\n  /**\n   * afterInsert / afterUpdate / afterDelete: write audit_log + activity rows.\n   * Errors are swallowed (logged) so user-facing CRUD is never broken by\n   * audit failures.\n   */\n  const writeAudit = async (ctx: HookContext) => {\n    if (SKIP_OBJECTS.has(ctx.object)) return;\n    const action = actionFor(ctx.event);\n    if (!action) return;\n\n    const api: any = (ctx as any).api;\n    if (!api?.sudo) return;\n\n    const after: any = ctx.result;\n    const before: any = (ctx as any).__previous ?? (ctx as any).previous ?? null;\n\n    // Resolve record id from after (insert/update) or before (delete) or input.\n    let recordId: string | undefined =\n      (typeof after === 'object' && after?.id) ||\n      (typeof before === 'object' && before?.id) ||\n      ((ctx.input as any)?.id);\n    if (recordId !== undefined) recordId = String(recordId);\n\n    const sess: any = (ctx as any).session ?? {};\n    const userId: string | undefined = sess.userId;\n    // Prefer the active session tenant, but fall back to the audited\n    // record's own `organization_id`. This matters in two cases:\n    //   1. Background jobs / unauthenticated sudo paths where the\n    //      session has no `tenantId` populated.\n    //   2. better-auth's `activeOrganizationId` cache miss on first\n    //      requests after sign-in, before the active-org has been set\n    //      on the session row.\n    // Without this fallback, audit rows are written with\n    // `organization_id=NULL` and the SecurityPlugin's RLS predicate\n    // (`organization_id = current_user.organization_id`) hides them\n    // forever — making the audit log UI appear permanently empty even\n    // though writes succeed.\n    const recordOrgId: string | undefined =\n      (typeof (ctx.result as any)?.organization_id === 'string' && (ctx.result as any).organization_id) ||\n      (typeof ((ctx as any).__previous as any)?.organization_id === 'string' && ((ctx as any).__previous as any).organization_id) ||\n      undefined;\n    const tenantId: string | undefined = sess.tenantId ?? recordOrgId;\n\n    let oldValue: Record<string, any> | null = null;\n    let newValue: Record<string, any> | null = null;\n    if (action === 'create') {\n      newValue = (after && typeof after === 'object') ? { ...after } : null;\n    } else if (action === 'update') {\n      const d = diff(before || {}, after || {});\n      oldValue = d.old;\n      newValue = d.next;\n      // If nothing meaningfully changed, skip the audit row to avoid noise.\n      if (Object.keys(newValue).length === 0) return;\n    } else if (action === 'delete') {\n      oldValue = before && typeof before === 'object' ? { ...before } : null;\n    }\n\n    const auditRow: Record<string, any> = {\n      action,\n      user_id: userId ?? null,\n      object_name: ctx.object,\n      record_id: recordId ?? null,\n      old_value: oldValue ? safeStringify(oldValue) : null,\n      new_value: newValue ? safeStringify(newValue) : null,\n      // `tenant_id` is the schema-declared \"tenant context\" lookup; the\n      // platform-default `organization_id` column is what RLS gates on\n      // (`organization_id = current_user.organization_id`). The audit\n      // writer runs through `api.sudo()` which bypasses the\n      // SecurityPlugin's auto-stamping of `organization_id`, so we\n      // stamp both columns explicitly here. Without `organization_id`,\n      // non-admin members would see 0 rows on Setup dashboards because\n      // RLS would deny every audit row as wrong-tenant.\n      organization_id: tenantId ?? null,\n      tenant_id: tenantId ?? null,\n    };\n\n    const label = recordLabel(after ?? before, recordId ?? '');\n    const summary =\n      action === 'create' ? `Created ${ctx.object} \"${label}\"` :\n      action === 'update' ? `Updated ${ctx.object} \"${label}\"` :\n                            `Deleted ${ctx.object} \"${label}\"`;\n\n    const activityRow: Record<string, any> = {\n      type: activityTypeFor(action),\n      // Explicit ISO timestamp — `defaultValue: 'NOW()'` on the column\n      // isn't resolved by every driver and would otherwise leak the\n      // literal string \"NOW()\" into the row.\n      timestamp: new Date().toISOString(),\n      summary,\n      actor_id: userId ?? null,\n      object_name: ctx.object,\n      record_id: recordId ?? null,\n      record_label: label,\n      metadata: newValue || oldValue ? safeStringify({ old: oldValue, new: newValue }) : null,\n      // Same rationale as auditRow: stamp the tenant column so RLS\n      // matches the recipient's organization on read.\n      organization_id: tenantId ?? null,\n    };\n\n    try {\n      const sys = api.sudo();\n      await sys.object('sys_audit_log').create(auditRow);\n      await sys.object('sys_activity').create(activityRow);\n      // M10.8: write per-user inbox notifications. Best-effort; never\n      // throws into the user-facing CRUD path. Covers two common cases:\n      //\n      //   1. Assignment — if owner_id / assigned_to was newly set (or\n      //      changed to a different user) on a non-system record, drop\n      //      a notification into the recipient's inbox so they can see\n      //      \"Lead X was assigned to you\" without polling the record.\n      //\n      //   2. (Comment mentions are handled separately by the sys_comment\n      //       hook below since SKIP_OBJECTS excludes it from this writer.)\n      await writeAssignmentNotifications(sys, {\n        object: ctx.object,\n        recordId: recordId ?? null,\n        label,\n        action,\n        before,\n        after,\n        actorId: userId ?? null,\n        tenantId: tenantId ?? null,\n      });\n    } catch (err) {\n      // Log via engine logger if available, but never throw.\n      try { (engine as any).logger?.warn?.('Audit write failed', { object: ctx.object, action, err: String((err as any)?.message ?? err) }); } catch {}\n    }\n  };\n\n  engine.registerHook('afterInsert', writeAudit, { packageId });\n  engine.registerHook('afterUpdate', writeAudit, { packageId });\n  engine.registerHook('afterDelete', writeAudit, { packageId });\n\n  /**\n   * M10.8: Dedicated hook on `sys_comment` afterInsert that parses the\n   * `mentions` JSON field and writes one sys_notification per mentioned\n   * user. Lives outside `writeAudit` because sys_comment is in\n   * SKIP_OBJECTS (we don't want audit/activity rows for comments —\n   * those have their own first-class feed).\n   */\n  const writeCommentMentions = async (ctx: HookContext) => {\n    if (ctx.object !== 'sys_comment') return;\n    if (ctx.event !== 'afterInsert') return;\n    const api: any = (ctx as any).api;\n    if (!api?.sudo) return;\n    const row: any = ctx.result;\n    if (!row || typeof row !== 'object') return;\n\n    // mentions is a JSON-string textarea on sys_comment. Accept either\n    // a raw array of user-ids [\"u1\",\"u2\"] or an array of objects\n    // [{ id: \"u1\" }, ...]; tolerate parse failures silently.\n    let mentions: any = row.mentions;\n    if (typeof mentions === 'string') {\n      try { mentions = JSON.parse(mentions); } catch { mentions = null; }\n    }\n    if (!Array.isArray(mentions) || mentions.length === 0) return;\n\n    const userIds = mentions\n      .map((m: any) => (typeof m === 'string' ? m : m?.id))\n      .filter((id: any) => typeof id === 'string' && id.length > 0);\n    if (userIds.length === 0) return;\n\n    const [source_object, source_id] = String(row.thread_id ?? '').split(':');\n    const actorId = row.author_id ?? null;\n    const actorName = row.author_name ?? null;\n    const bodyPreview = String(row.body ?? '').slice(0, 240);\n    const sess: any = (ctx as any).session ?? {};\n    const tenantId: string | null = sess.tenantId ?? row.organization_id ?? null;\n\n    const sys = api.sudo();\n    for (const uid of userIds) {\n      if (uid === actorId) continue; // don't notify the mention author\n      try {\n        await sys.object('sys_notification').create({\n          recipient_id: uid,\n          type: 'mention',\n          title: actorName ? `${actorName} mentioned you` : 'You were mentioned',\n          body: bodyPreview,\n          source_object: source_object || null,\n          source_id: source_id || null,\n          actor_id: actorId,\n          actor_name: actorName,\n          is_read: false,\n          // Stamp tenant so the recipient's RLS sees it (see writeAssignmentNotifications).\n          organization_id: tenantId,\n        });\n      } catch (err) {\n        try { (engine as any).logger?.warn?.('Mention notification write failed', { uid, err: String((err as any)?.message ?? err) }); } catch {}\n      }\n    }\n  };\n  engine.registerHook('afterInsert', writeCommentMentions, { packageId });\n}\n\n/**\n * Identify the assignee/owner field of a record. We accept several\n * conventional names so this works across CRM-style objects (owner_id,\n * assigned_to) and platform objects (recipient_id is handled separately).\n */\nconst OWNER_FIELDS = ['owner_id', 'assigned_to', 'assignee_id', 'owner', 'assignee'];\n\nfunction pickOwner(rec: any): string | null {\n  if (!rec || typeof rec !== 'object') return null;\n  for (const f of OWNER_FIELDS) {\n    const v = rec[f];\n    if (typeof v === 'string' && v.length > 0) return v;\n  }\n  return null;\n}\n\nasync function writeAssignmentNotifications(\n  sys: any,\n  params: {\n    object: string;\n    recordId: string | null;\n    label: string;\n    action: 'create' | 'update' | 'delete';\n    before: any;\n    after: any;\n    actorId: string | null;\n    tenantId: string | null;\n  },\n): Promise<void> {\n  if (params.action === 'delete') return;\n  if (!params.recordId) return;\n\n  const newOwner = pickOwner(params.after);\n  const oldOwner = pickOwner(params.before);\n  if (!newOwner) return;\n  if (params.action === 'update' && newOwner === oldOwner) return;\n  if (newOwner === params.actorId) return; // self-assignment is silent\n\n  try {\n    await sys.object('sys_notification').create({\n      recipient_id: newOwner,\n      type: 'assignment',\n      title: `${params.object} \"${params.label}\" assigned to you`,\n      body: null,\n      source_object: params.object,\n      source_id: params.recordId,\n      actor_id: params.actorId,\n      actor_name: null,\n      is_read: false,\n      // Stamp organization_id so the recipient (who lives in the same\n      // tenant as the action) sees the notification through RLS. Without\n      // this, sys_notification rows insert with NULL organization_id and\n      // the recipient's `tenant_isolation` policy denies them.\n      organization_id: params.tenantId,\n    });\n  } catch {\n    // best-effort; never throw into CRUD path\n  }\n}\n\n// Re-export for convenience.\nexport type { IDataEngine };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIA,mBAAqF;;;ACsBrF,IAAM,eAAe,oBAAI,IAAY;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGD,IAAM,eAAe,oBAAI,IAAY;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAGD,SAAS,UAAU,OAAsD;AACvE,MAAI,UAAU,cAAe,QAAO;AACpC,MAAI,UAAU,cAAe,QAAO;AACpC,MAAI,UAAU,cAAe,QAAO;AACpC,SAAO;AACT;AAGA,SAAS,gBAAgB,QAA2E;AAClG,SAAO,WAAW,WAAW,YAAY,WAAW,WAAW,YAAY;AAC7E;AAMA,SAAS,YAAY,QAAa,IAAoB;AACpD,MAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,QAAM,aAAa,CAAC,QAAQ,WAAW,SAAS,aAAa,SAAS,cAAc,WAAW,OAAO;AACtG,aAAW,KAAK,YAAY;AAC1B,UAAM,IAAI,OAAO,CAAC;AAClB,QAAI,OAAO,MAAM,YAAY,EAAE,KAAK,EAAG,QAAO,EAAE,KAAK;AAAA,EACvD;AACA,SAAO;AACT;AAQA,SAAS,KAAK,QAA6B,OAAqF;AAC9H,QAAM,SAA8B,CAAC;AACrC,QAAM,SAA8B,CAAC;AACrC,QAAM,OAAO,oBAAI,IAAY,CAAC,GAAG,OAAO,KAAK,UAAU,CAAC,CAAC,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC;AACxF,aAAW,KAAK,MAAM;AACpB,QAAI,aAAa,IAAI,CAAC,EAAG;AACzB,UAAM,IAAI,SAAS,CAAC;AACpB,UAAM,IAAI,QAAQ,CAAC;AACnB,QAAI,cAAc,CAAC,MAAM,cAAc,CAAC,GAAG;AACzC,aAAO,CAAC,IAAI,KAAK;AACjB,aAAO,CAAC,IAAI,KAAK;AAAA,IACnB;AAAA,EACF;AACA,SAAO,EAAE,KAAK,QAAQ,MAAM,OAAO;AACrC;AAEA,SAAS,cAAc,GAAgB;AACrC,MAAI;AAAE,WAAO,KAAK,UAAU,CAAC;AAAA,EAAG,QAAQ;AAAE,WAAO,OAAO,CAAC;AAAA,EAAG;AAC9D;AAOO,SAAS,oBAAoB,QAAa,YAAY,yBAA+B;AAC1F,MAAI,CAAC,UAAU,OAAO,OAAO,iBAAiB,WAAY;AAG1D,MAAI,OAAO,OAAO,6BAA6B,YAAY;AACzD,WAAO,yBAAyB,SAAS;AAAA,EAC3C;AAQA,QAAM,gBAAgB,OAAO,QAAqB;AAChD,QAAI,aAAa,IAAI,IAAI,MAAM,EAAG;AAClC,UAAM,KAAM,IAAI,OAAe;AAC/B,QAAI,CAAC,GAAI;AACT,QAAI;AAOF,YAAM,MAAO,IAAY;AACzB,YAAM,KAAM,IAAY,MAAO,IAAY,KAAK;AAChD,UAAI,IAAI,SAAS;AACf,cAAMA,QAAO,MAAM,GAAG,QAAQ,IAAI,QAAQ;AAAA,UACxC,OAAO,EAAE,GAAG;AAAA,UACZ,SAAS,EAAE,UAAU,MAAM,GAAI,MAAM,EAAE,aAAa,IAAI,IAAI,CAAC,EAAG;AAAA,QAClE,CAAC;AACD,YAAIA,MAAM,CAAC,IAAY,aAAaA;AACpC;AAAA,MACF;AACA,YAAM,MAAY,IAAY;AAC9B,UAAI,CAAC,KAAK,KAAM;AAChB,YAAM,OAAO,MAAM,IAAI,KAAK,EAAE,OAAO,IAAI,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1E,UAAI,KAAM,CAAC,IAAY,aAAa;AAAA,IACtC,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,SAAO,aAAa,gBAAgB,eAAe,EAAE,UAAU,CAAC;AAChE,SAAO,aAAa,gBAAgB,eAAe,EAAE,UAAU,CAAC;AAOhE,QAAM,aAAa,OAAO,QAAqB;AAC7C,QAAI,aAAa,IAAI,IAAI,MAAM,EAAG;AAClC,UAAM,SAAS,UAAU,IAAI,KAAK;AAClC,QAAI,CAAC,OAAQ;AAEb,UAAM,MAAY,IAAY;AAC9B,QAAI,CAAC,KAAK,KAAM;AAEhB,UAAM,QAAa,IAAI;AACvB,UAAM,SAAe,IAAY,cAAe,IAAY,YAAY;AAGxE,QAAI,WACD,OAAO,UAAU,YAAY,OAAO,MACpC,OAAO,WAAW,YAAY,QAAQ,MACrC,IAAI,OAAe;AACvB,QAAI,aAAa,OAAW,YAAW,OAAO,QAAQ;AAEtD,UAAM,OAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,SAA6B,KAAK;AAaxC,UAAM,cACH,OAAQ,IAAI,QAAgB,oBAAoB,YAAa,IAAI,OAAe,mBAChF,OAAS,IAAY,YAAoB,oBAAoB,YAAc,IAAY,WAAmB,mBAC3G;AACF,UAAM,WAA+B,KAAK,YAAY;AAEtD,QAAI,WAAuC;AAC3C,QAAI,WAAuC;AAC3C,QAAI,WAAW,UAAU;AACvB,iBAAY,SAAS,OAAO,UAAU,WAAY,EAAE,GAAG,MAAM,IAAI;AAAA,IACnE,WAAW,WAAW,UAAU;AAC9B,YAAM,IAAI,KAAK,UAAU,CAAC,GAAG,SAAS,CAAC,CAAC;AACxC,iBAAW,EAAE;AACb,iBAAW,EAAE;AAEb,UAAI,OAAO,KAAK,QAAQ,EAAE,WAAW,EAAG;AAAA,IAC1C,WAAW,WAAW,UAAU;AAC9B,iBAAW,UAAU,OAAO,WAAW,WAAW,EAAE,GAAG,OAAO,IAAI;AAAA,IACpE;AAEA,UAAM,WAAgC;AAAA,MACpC;AAAA,MACA,SAAS,UAAU;AAAA,MACnB,aAAa,IAAI;AAAA,MACjB,WAAW,YAAY;AAAA,MACvB,WAAW,WAAW,cAAc,QAAQ,IAAI;AAAA,MAChD,WAAW,WAAW,cAAc,QAAQ,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAShD,iBAAiB,YAAY;AAAA,MAC7B,WAAW,YAAY;AAAA,IACzB;AAEA,UAAM,QAAQ,YAAY,SAAS,QAAQ,YAAY,EAAE;AACzD,UAAM,UACJ,WAAW,WAAW,WAAW,IAAI,MAAM,KAAK,KAAK,MACrD,WAAW,WAAW,WAAW,IAAI,MAAM,KAAK,KAAK,MAC/B,WAAW,IAAI,MAAM,KAAK,KAAK;AAEvD,UAAM,cAAmC;AAAA,MACvC,MAAM,gBAAgB,MAAM;AAAA;AAAA;AAAA;AAAA,MAI5B,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA,UAAU,UAAU;AAAA,MACpB,aAAa,IAAI;AAAA,MACjB,WAAW,YAAY;AAAA,MACvB,cAAc;AAAA,MACd,UAAU,YAAY,WAAW,cAAc,EAAE,KAAK,UAAU,KAAK,SAAS,CAAC,IAAI;AAAA;AAAA;AAAA,MAGnF,iBAAiB,YAAY;AAAA,IAC/B;AAEA,QAAI;AACF,YAAM,MAAM,IAAI,KAAK;AACrB,YAAM,IAAI,OAAO,eAAe,EAAE,OAAO,QAAQ;AACjD,YAAM,IAAI,OAAO,cAAc,EAAE,OAAO,WAAW;AAWnD,YAAM,6BAA6B,KAAK;AAAA,QACtC,QAAQ,IAAI;AAAA,QACZ,UAAU,YAAY;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,SAAS,UAAU;AAAA,QACnB,UAAU,YAAY;AAAA,MACxB,CAAC;AAAA,IACH,SAAS,KAAK;AAEZ,UAAI;AAAE,QAAC,OAAe,QAAQ,OAAO,sBAAsB,EAAE,QAAQ,IAAI,QAAQ,QAAQ,KAAK,OAAQ,KAAa,WAAW,GAAG,EAAE,CAAC;AAAA,MAAG,QAAQ;AAAA,MAAC;AAAA,IAClJ;AAAA,EACF;AAEA,SAAO,aAAa,eAAe,YAAY,EAAE,UAAU,CAAC;AAC5D,SAAO,aAAa,eAAe,YAAY,EAAE,UAAU,CAAC;AAC5D,SAAO,aAAa,eAAe,YAAY,EAAE,UAAU,CAAC;AAS5D,QAAM,uBAAuB,OAAO,QAAqB;AACvD,QAAI,IAAI,WAAW,cAAe;AAClC,QAAI,IAAI,UAAU,cAAe;AACjC,UAAM,MAAY,IAAY;AAC9B,QAAI,CAAC,KAAK,KAAM;AAChB,UAAM,MAAW,IAAI;AACrB,QAAI,CAAC,OAAO,OAAO,QAAQ,SAAU;AAKrC,QAAI,WAAgB,IAAI;AACxB,QAAI,OAAO,aAAa,UAAU;AAChC,UAAI;AAAE,mBAAW,KAAK,MAAM,QAAQ;AAAA,MAAG,QAAQ;AAAE,mBAAW;AAAA,MAAM;AAAA,IACpE;AACA,QAAI,CAAC,MAAM,QAAQ,QAAQ,KAAK,SAAS,WAAW,EAAG;AAEvD,UAAM,UAAU,SACb,IAAI,CAAC,MAAY,OAAO,MAAM,WAAW,IAAI,GAAG,EAAG,EACnD,OAAO,CAAC,OAAY,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AAC9D,QAAI,QAAQ,WAAW,EAAG;AAE1B,UAAM,CAAC,eAAe,SAAS,IAAI,OAAO,IAAI,aAAa,EAAE,EAAE,MAAM,GAAG;AACxE,UAAM,UAAU,IAAI,aAAa;AACjC,UAAM,YAAY,IAAI,eAAe;AACrC,UAAM,cAAc,OAAO,IAAI,QAAQ,EAAE,EAAE,MAAM,GAAG,GAAG;AACvD,UAAM,OAAa,IAAY,WAAW,CAAC;AAC3C,UAAM,WAA0B,KAAK,YAAY,IAAI,mBAAmB;AAExE,UAAM,MAAM,IAAI,KAAK;AACrB,eAAW,OAAO,SAAS;AACzB,UAAI,QAAQ,QAAS;AACrB,UAAI;AACF,cAAM,IAAI,OAAO,kBAAkB,EAAE,OAAO;AAAA,UAC1C,cAAc;AAAA,UACd,MAAM;AAAA,UACN,OAAO,YAAY,GAAG,SAAS,mBAAmB;AAAA,UAClD,MAAM;AAAA,UACN,eAAe,iBAAiB;AAAA,UAChC,WAAW,aAAa;AAAA,UACxB,UAAU;AAAA,UACV,YAAY;AAAA,UACZ,SAAS;AAAA;AAAA,UAET,iBAAiB;AAAA,QACnB,CAAC;AAAA,MACH,SAAS,KAAK;AACZ,YAAI;AAAE,UAAC,OAAe,QAAQ,OAAO,qCAAqC,EAAE,KAAK,KAAK,OAAQ,KAAa,WAAW,GAAG,EAAE,CAAC;AAAA,QAAG,QAAQ;AAAA,QAAC;AAAA,MAC1I;AAAA,IACF;AAAA,EACF;AACA,SAAO,aAAa,eAAe,sBAAsB,EAAE,UAAU,CAAC;AACxE;AAOA,IAAM,eAAe,CAAC,YAAY,eAAe,eAAe,SAAS,UAAU;AAEnF,SAAS,UAAU,KAAyB;AAC1C,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,aAAW,KAAK,cAAc;AAC5B,UAAM,IAAI,IAAI,CAAC;AACf,QAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,QAAO;AAAA,EACpD;AACA,SAAO;AACT;AAEA,eAAe,6BACb,KACA,QAUe;AACf,MAAI,OAAO,WAAW,SAAU;AAChC,MAAI,CAAC,OAAO,SAAU;AAEtB,QAAM,WAAW,UAAU,OAAO,KAAK;AACvC,QAAM,WAAW,UAAU,OAAO,MAAM;AACxC,MAAI,CAAC,SAAU;AACf,MAAI,OAAO,WAAW,YAAY,aAAa,SAAU;AACzD,MAAI,aAAa,OAAO,QAAS;AAEjC,MAAI;AACF,UAAM,IAAI,OAAO,kBAAkB,EAAE,OAAO;AAAA,MAC1C,cAAc;AAAA,MACd,MAAM;AAAA,MACN,OAAO,GAAG,OAAO,MAAM,KAAK,OAAO,KAAK;AAAA,MACxC,MAAM;AAAA,MACN,eAAe,OAAO;AAAA,MACtB,WAAW,OAAO;AAAA,MAClB,UAAU,OAAO;AAAA,MACjB,YAAY;AAAA,MACZ,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA,MAKT,iBAAiB,OAAO;AAAA,IAC1B,CAAC;AAAA,EACH,QAAQ;AAAA,EAER;AACF;;;ADnYO,IAAM,cAAN,MAAoC;AAAA,EAApC;AACL,gBAAO;AACP,gBAAO;AACP,mBAAU;AACV,wBAAe,CAAC,iCAAiC;AAAA;AAAA,EAEjD,MAAM,KAAK,KAAmC;AAC5C,YAAQ,OAAO,MAAM,+BAA+B;AAEpD,QAAI,WAAuC,UAAU,EAAE,SAAS;AAAA,MAC9D,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM;AAAA,MACN,OAAO;AAAA,MACP,mBAAmB;AAAA,MACnB,WAAW;AAAA,MACX,SAAS,CAAC,0BAAa,0BAAa,yBAAY,4BAAe,4BAAe;AAAA,IAChF,CAAC;AAED,QAAI,OAAO,KAAK,0BAA0B;AAAA,EAC5C;AAAA,EAEA,MAAM,MAAM,KAAmC;AAC7C,YAAQ,OAAO,MAAM,+DAA+D;AAEpF,QAAI,KAAK,gBAAgB,YAAY;AACnC,cAAQ,OAAO,MAAM,oCAAoC;AACzD,UAAI,SAA6B;AACjC,UAAI;AACF,iBAAS,IAAI,WAAwB,UAAU;AAC/C,gBAAQ,OAAO,MAAM,mCAAmC,SAAS,OAAO,MAAM,kBAAkB,OAAQ,QAAgB,YAAY;AAAA,CAAI;AAAA,MAC1I,SAAS,KAAK;AACZ,gBAAQ,OAAO,MAAM,6CAA8C,IAAc,OAAO;AAAA,CAAI;AAE5F,YAAI;AACF,mBAAS,IAAI,WAAwB,MAAM;AAC3C,kBAAQ,OAAO,MAAM,+BAA+B,SAAS,OAAO,MAAM;AAAA,CAAI;AAAA,QAChF,QAAQ;AAAA,QAAe;AAAA,MACzB;AACA,UAAI,CAAC,QAAQ;AACX,gBAAQ,OAAO,MAAM,0CAAqC;AAC1D,YAAI,OAAO,KAAK,+EAA0E;AAC1F;AAAA,MACF;AACA,0BAAoB,QAAe,KAAK,IAAI;AAC5C,cAAQ,OAAO,MAAM,mCAAmC;AACxD,UAAI,OAAO,KAAK,iDAAiD;AAAA,IACnE,CAAC;AAAA,EACH;AACF;","names":["prev"]}