@objectstack/plugin-org-scoping 7.0.0

package/dist/index.js

@@ -0,0 +1,626 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ORG_SCOPING_PLUGIN_ID: () => ORG_SCOPING_PLUGIN_ID,
+  ORG_SCOPING_PLUGIN_VERSION: () => ORG_SCOPING_PLUGIN_VERSION,
+  OrgScopingPlugin: () => OrgScopingPlugin,
+  claimOrphanOrgRows: () => claimOrphanOrgRows,
+  cloneOrgSeedData: () => cloneOrgSeedData,
+  ensureDefaultOrganization: () => ensureDefaultOrganization,
+  orgScopingObjects: () => orgScopingObjects,
+  orgScopingPluginManifestHeader: () => orgScopingPluginManifestHeader
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/claim-orphan-org-rows.ts
+var SYSTEM_CTX = { isSystem: true };
+function hasOrganizationField(schema) {
+  const fields = schema?.fields;
+  if (!fields) return false;
+  if (Array.isArray(fields)) {
+    return fields.some((f) => f?.name === "organization_id");
+  }
+  return Object.prototype.hasOwnProperty.call(fields, "organization_id");
+}
+async function claimOrphanOrgRows(ql, organizationId, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.update !== "function" || typeof ql.find !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[org-scoping] claimOrphanOrgRows: registry unavailable");
+    return [];
+  }
+  const schemas = registry.getAllObjects();
+  const results = [];
+  for (const schema of schemas) {
+    if (!schema?.name) continue;
+    if (schema.managedBy) continue;
+    if (schema.name.startsWith("sys_")) continue;
+    if (!hasOrganizationField(schema)) continue;
+    try {
+      const orphans = await ql.find(
+        schema.name,
+        { where: { organization_id: null }, limit: 1e4, fields: ["id"] },
+        { context: SYSTEM_CTX }
+      );
+      const list = Array.isArray(orphans) ? orphans : Array.isArray(orphans?.records) ? orphans.records : [];
+      if (list.length === 0) continue;
+      let updated = 0;
+      for (const row of list) {
+        if (!row?.id) continue;
+        try {
+          await ql.update(
+            schema.name,
+            { id: row.id, organization_id: organizationId },
+            { context: SYSTEM_CTX }
+          );
+          updated += 1;
+        } catch (e) {
+          logger?.warn?.(`[org-scoping] claim failed for ${schema.name}:${row.id}`, {
+            error: e.message
+          });
+        }
+      }
+      if (updated > 0) {
+        results.push({ object: schema.name, count: updated });
+      }
+    } catch (e) {
+      logger?.warn?.(`[org-scoping] claim scan failed for ${schema.name}`, {
+        error: e.message
+      });
+    }
+  }
+  if (results.length > 0) {
+    const total = results.reduce((s, r) => s + r.count, 0);
+    logger?.info?.(`[org-scoping] claimed ${total} orphan seed row(s) for organization ${organizationId}`, {
+      breakdown: results
+    });
+  }
+  return results;
+}
+
+// src/clone-org-seed-data.ts
+var SYSTEM_CTX2 = { isSystem: true };
+var SKIP_COPY_FIELDS = /* @__PURE__ */ new Set([
+  "id",
+  "created_at",
+  "updated_at",
+  "organization_id"
+]);
+var SKIP_COPY_TYPES = /* @__PURE__ */ new Set(["formula", "summary"]);
+function fieldList(schema) {
+  const fields = schema?.fields;
+  if (!fields) return [];
+  if (Array.isArray(fields)) {
+    return fields.map((f) => ({
+      name: f?.name,
+      type: f?.type,
+      reference: f?.reference,
+      multiple: f?.multiple,
+      unique: f?.unique
+    }));
+  }
+  return Object.entries(fields).map(([name, f]) => ({
+    name,
+    type: f?.type,
+    reference: f?.reference,
+    multiple: f?.multiple,
+    unique: f?.unique
+  }));
+}
+function isLookupField(f) {
+  return (f.type === "lookup" || f.type === "master_detail" || f.type === "tree") && !!f.reference;
+}
+function hasOrgField(schema) {
+  return fieldList(schema).some((f) => f.name === "organization_id");
+}
+function shortId() {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
+  let out = "";
+  for (let i = 0; i < 16; i++) {
+    out += alphabet[Math.floor(Math.random() * alphabet.length)];
+  }
+  return out;
+}
+async function findDonorOrgId(ql) {
+  try {
+    const res = await ql.find(
+      "sys_organization",
+      { orderBy: { created_at: "asc" }, limit: 1, fields: ["id"] },
+      { context: SYSTEM_CTX2 }
+    );
+    const list = Array.isArray(res) ? res : Array.isArray(res?.records) ? res.records : [];
+    return list[0]?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+async function cloneOrgSeedData(ql, targetOrgId, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[org-scoping] cloneOrgSeedData: registry unavailable");
+    return [];
+  }
+  const donorOrgId = await findDonorOrgId(ql);
+  if (!donorOrgId) return [];
+  if (donorOrgId === targetOrgId) return [];
+  const schemas = registry.getAllObjects().filter(
+    (s) => s?.name && !s.managedBy && !s.name.startsWith("sys_") && hasOrgField(s)
+  );
+  const remap = {};
+  const summary = [];
+  const inserted = [];
+  for (const schema of schemas) {
+    const objectName = schema.name;
+    try {
+      const existing = await ql.find(
+        objectName,
+        { where: { organization_id: targetOrgId }, limit: 1, fields: ["id"] },
+        { context: SYSTEM_CTX2 }
+      );
+      const existingList = Array.isArray(existing) ? existing : Array.isArray(existing?.records) ? existing.records : [];
+      if (existingList.length > 0) {
+        continue;
+      }
+      const donorRows = await ql.find(
+        objectName,
+        { where: { organization_id: donorOrgId }, limit: 1e4 },
+        { context: SYSTEM_CTX2 }
+      );
+      const rows = Array.isArray(donorRows) ? donorRows : Array.isArray(donorRows?.records) ? donorRows.records : [];
+      if (rows.length === 0) continue;
+      const fields = fieldList(schema);
+      const lookups = fields.filter(isLookupField);
+      const uniqueFields = fields.filter((f) => f.unique && !SKIP_COPY_FIELDS.has(f.name));
+      const objectRemap = remap[objectName] ?? (remap[objectName] = {});
+      let cloned = 0;
+      for (const row of rows) {
+        const newId = shortId();
+        const data = { id: newId, organization_id: targetOrgId };
+        for (const f of fields) {
+          if (SKIP_COPY_FIELDS.has(f.name)) continue;
+          if (f.type && SKIP_COPY_TYPES.has(f.type)) continue;
+          if (row[f.name] === void 0) continue;
+          data[f.name] = row[f.name];
+        }
+        const suffix = `+${targetOrgId.slice(-6)}`;
+        for (const uf of uniqueFields) {
+          const v = data[uf.name];
+          if (typeof v !== "string" || !v) continue;
+          if (uf.type === "email" && v.includes("@")) {
+            const [local, domain] = v.split("@");
+            data[uf.name] = `clone-${targetOrgId.slice(-6)}-${local}@${domain}`;
+          } else {
+            data[uf.name] = `${v}${suffix}`;
+          }
+        }
+        try {
+          await ql.insert(objectName, data, { context: SYSTEM_CTX2 });
+          objectRemap[row.id] = newId;
+          inserted.push({ object: objectName, newId, record: data, lookups });
+          cloned++;
+        } catch (e) {
+          logger?.warn?.("[org-scoping] cloneOrgSeedData: insert failed", {
+            object: objectName,
+            error: e.message
+          });
+        }
+      }
+      if (cloned > 0) summary.push({ object: objectName, count: cloned });
+    } catch (e) {
+      logger?.warn?.("[org-scoping] cloneOrgSeedData: object failed", {
+        object: objectName,
+        error: e.message
+      });
+    }
+  }
+  for (const item of inserted) {
+    if (item.lookups.length === 0) continue;
+    const patch = {};
+    let dirty = false;
+    for (const f of item.lookups) {
+      const oldVal = item.record[f.name];
+      if (oldVal == null) continue;
+      const targetMap = remap[f.reference];
+      if (Array.isArray(oldVal)) {
+        const next = oldVal.map((v) => typeof v === "string" && targetMap?.[v] || null).filter((v) => v != null);
+        if (next.length !== oldVal.length || next.some((v, i) => v !== oldVal[i])) {
+          patch[f.name] = next.length > 0 ? next : null;
+          dirty = true;
+        }
+      } else if (typeof oldVal === "string") {
+        if (targetMap && targetMap[oldVal]) {
+          patch[f.name] = targetMap[oldVal];
+          dirty = true;
+        } else {
+          patch[f.name] = null;
+          dirty = true;
+        }
+      }
+    }
+    if (!dirty) continue;
+    try {
+      await ql.update(item.object, { id: item.newId, ...patch }, { context: SYSTEM_CTX2 });
+    } catch (e) {
+      logger?.warn?.("[org-scoping] cloneOrgSeedData: lookup remap failed", {
+        object: item.object,
+        id: item.newId,
+        error: e.message
+      });
+    }
+  }
+  return summary;
+}
+
+// src/ensure-default-organization.ts
+var SYSTEM_CTX3 = { isSystem: true };
+async function tryFind(ql, object, where, limit = 100) {
+  try {
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX3 });
+    return Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch {
+    return [];
+  }
+}
+async function tryInsert(ql, object, data) {
+  try {
+    return await ql.insert(object, data, { context: SYSTEM_CTX3 });
+  } catch {
+    return null;
+  }
+}
+function genId(prefix) {
+  const rand = Math.random().toString(36).slice(2, 10);
+  const ts = Date.now().toString(36);
+  return `${prefix}_${ts}${rand}`;
+}
+async function ensureDefaultOrganization(ql, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
+    return { defaultOrgCreated: false, memberCreated: false, reason: "no_admin" };
+  }
+  const adminPs = await tryFind(ql, "sys_permission_set", { name: "admin_full_access" }, 1);
+  if (adminPs.length === 0 || !adminPs[0].id) {
+    return { defaultOrgCreated: false, memberCreated: false, reason: "no_admin" };
+  }
+  const adminPsId = adminPs[0].id;
+  const adminGrants = await tryFind(
+    ql,
+    "sys_user_permission_set",
+    { permission_set_id: adminPsId, organization_id: null },
+    50
+  );
+  if (adminGrants.length === 0) {
+    return { defaultOrgCreated: false, memberCreated: false, reason: "no_admin" };
+  }
+  const sortedGrants = [...adminGrants].sort((a, b) => {
+    const ta = a.created_at ? new Date(a.created_at).getTime() : 0;
+    const tb = b.created_at ? new Date(b.created_at).getTime() : 0;
+    return ta - tb;
+  });
+  const adminUserId = sortedGrants[0]?.user_id;
+  if (!adminUserId) {
+    return { defaultOrgCreated: false, memberCreated: false, reason: "no_admin" };
+  }
+  const memberships = await tryFind(ql, "sys_member", { user_id: adminUserId }, 1);
+  if (memberships.length > 0) {
+    return {
+      defaultOrgCreated: false,
+      memberCreated: false,
+      reason: "admin_already_in_org"
+    };
+  }
+  let defaultOrgId;
+  let defaultOrgCreated = false;
+  const existingDefault = await tryFind(ql, "sys_organization", { slug: "default" }, 1);
+  if (existingDefault.length > 0 && existingDefault[0].id) {
+    defaultOrgId = String(existingDefault[0].id);
+  } else {
+    const newOrgId = genId("org");
+    const orgRow = await tryInsert(ql, "sys_organization", {
+      id: newOrgId,
+      name: "Default Organization",
+      slug: "default",
+      logo: null,
+      metadata: null
+    });
+    if (!orgRow) {
+      logger?.warn?.("[org-scoping] failed to create default organization for platform admin");
+      return { defaultOrgCreated: false, memberCreated: false, reason: "org_insert_failed" };
+    }
+    defaultOrgId = orgRow?.id ?? newOrgId;
+    defaultOrgCreated = true;
+  }
+  const memRow = await tryInsert(ql, "sys_member", {
+    id: genId("mem"),
+    organization_id: defaultOrgId,
+    user_id: adminUserId,
+    role: "owner"
+  });
+  if (!memRow) {
+    logger?.warn?.("[org-scoping] failed to bind platform admin to default organization");
+    return {
+      defaultOrgCreated,
+      defaultOrgId,
+      memberCreated: false,
+      reason: "member_insert_failed"
+    };
+  }
+  logger?.info?.(
+    `[org-scoping] bound platform admin to default organization (${defaultOrgId})`,
+    { userId: adminUserId, defaultOrgId }
+  );
+  return { defaultOrgCreated, defaultOrgId, memberCreated: true };
+}
+
+// src/manifest.ts
+var ORG_SCOPING_PLUGIN_ID = "com.objectstack.plugin-org-scoping";
+var ORG_SCOPING_PLUGIN_VERSION = "1.0.0";
+var orgScopingObjects = [];
+var orgScopingPluginManifestHeader = {
+  id: ORG_SCOPING_PLUGIN_ID,
+  namespace: "sys",
+  version: ORG_SCOPING_PLUGIN_VERSION,
+  type: "plugin",
+  scope: "system",
+  defaultDatasource: "cloud",
+  name: "Organization Scoping Plugin",
+  description: "Row-level Organization isolation: auto-stamps `organization_id` on insert from `ExecutionContext.tenantId`, replays seed datasets per new org, and bootstraps a default organization for the first platform admin."
+};
+
+// src/org-scoping-plugin.ts
+var OrgScopingPlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.org-scoping";
+    this.type = "standard";
+    this.version = "1.0.0";
+    this.dependencies = ["com.objectstack.engine.objectql"];
+    /** Per-object field-name cache; same shape as SecurityPlugin's. */
+    this.fieldNamesCache = /* @__PURE__ */ new Map();
+    this.opts = {
+      ensureDefaultOrganization: options.ensureDefaultOrganization !== false
+    };
+  }
+  async init(ctx) {
+    ctx.logger.info("Initializing Org-Scoping Plugin...");
+    ctx.registerService("org-scoping", this);
+    ctx.getService("manifest").register({
+      ...orgScopingPluginManifestHeader,
+      objects: orgScopingObjects
+    });
+    ctx.logger.info("Org-Scoping Plugin initialized");
+  }
+  async start(ctx) {
+    ctx.logger.info("Starting Org-Scoping Plugin...");
+    let ql;
+    let metadata;
+    try {
+      ql = ctx.getService("objectql");
+      try {
+        metadata = ctx.getService("metadata");
+      } catch {
+        metadata = void 0;
+      }
+    } catch {
+      ctx.logger.warn(
+        "ObjectQL service not available, org-scoping middleware not registered"
+      );
+      return;
+    }
+    if (!ql || typeof ql.registerMiddleware !== "function") {
+      ctx.logger.warn(
+        "ObjectQL engine does not support middleware, org-scoping middleware not registered"
+      );
+      return;
+    }
+    ql.registerMiddleware(async (opCtx, next) => {
+      if (opCtx.context?.isSystem) return next();
+      if (opCtx.operation === "insert" && opCtx.data && typeof opCtx.data === "object" && !Array.isArray(opCtx.data) && opCtx.context?.tenantId) {
+        const fields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
+        if (fields && fields.has("organization_id")) {
+          const data = opCtx.data;
+          if (data.organization_id == null || data.organization_id === "") {
+            data.organization_id = opCtx.context.tenantId;
+          }
+        }
+      }
+      await next();
+    });
+    ql.registerMiddleware(async (opCtx, next) => {
+      await next();
+      if (opCtx?.object !== "sys_organization" || opCtx?.operation !== "create" && opCtx?.operation !== "insert") {
+        return;
+      }
+      const newOrgId = opCtx?.result?.id ?? opCtx?.data?.id;
+      if (!newOrgId) return;
+      const kernel = ctx.kernel ?? ctx;
+      let datasets;
+      try {
+        const raw = kernel?.getService?.("seed-datasets");
+        if (Array.isArray(raw) && raw.length > 0) datasets = raw;
+      } catch {
+      }
+      let orgCount = 0;
+      try {
+        const allOrgs = await ql.find(
+          "sys_organization",
+          { limit: 2, fields: ["id"] },
+          { context: { isSystem: true } }
+        );
+        const list = Array.isArray(allOrgs) ? allOrgs : Array.isArray(allOrgs?.records) ? allOrgs.records : [];
+        orgCount = list.length;
+      } catch (e) {
+        ctx.logger.warn("[org-scoping] failed to count organizations", {
+          error: e.message
+        });
+      }
+      let replayed = false;
+      try {
+        const replayer = kernel?.getService?.("seed-replayer");
+        if (typeof replayer === "function") {
+          const summary = await replayer(newOrgId);
+          const total = (summary?.inserted ?? 0) + (summary?.updated ?? 0);
+          ctx.logger.info(
+            `[org-scoping] per-org seed replay for ${newOrgId}: +${summary?.inserted ?? 0} inserted, ${summary?.updated ?? 0} updated, ${summary?.errors?.length ?? 0} error(s)`,
+            {
+              organizationId: newOrgId,
+              errors: summary?.errors?.slice?.(0, 5)
+            }
+          );
+          if (total > 0) replayed = true;
+        } else if (datasets) {
+          ctx.logger.warn(
+            "[org-scoping] per-org seed: datasets present but no replayer registered",
+            { organizationId: newOrgId }
+          );
+        }
+      } catch (e) {
+        ctx.logger.warn(
+          "[org-scoping] per-org seed replay failed, falling back",
+          { organizationId: newOrgId, error: e.message }
+        );
+      }
+      if (replayed) return;
+      if (orgCount === 1) {
+        try {
+          const claims = await claimOrphanOrgRows(ql, newOrgId, { logger: ctx.logger });
+          if (claims.length > 0) {
+            const total = claims.reduce((s, c) => s + c.count, 0);
+            ctx.logger.info(
+              `[org-scoping] claimed ${total} orphan seed row(s) for first organization ${newOrgId}`,
+              { breakdown: claims }
+            );
+            return;
+          }
+        } catch (e) {
+          ctx.logger.warn("[org-scoping] claim-orphan-org-rows failed", {
+            error: e.message
+          });
+        }
+      }
+      if (orgCount > 1) {
+        try {
+          const summary = await cloneOrgSeedData(ql, newOrgId, { logger: ctx.logger });
+          if (summary.length > 0) {
+            const total = summary.reduce((s, c) => s + c.count, 0);
+            ctx.logger.info(
+              `[org-scoping] cloned ${total} seed row(s) for new organization ${newOrgId}`,
+              { breakdown: summary }
+            );
+          }
+        } catch (e) {
+          ctx.logger.warn("[org-scoping] clone-org-seed-data failed", {
+            organizationId: newOrgId,
+            error: e.message
+          });
+        }
+      }
+    });
+    if (this.opts.ensureDefaultOrganization) {
+      const runEnsure = async () => {
+        try {
+          const res = await ensureDefaultOrganization(ql, { logger: ctx.logger });
+          if (res.defaultOrgCreated) {
+            ctx.logger.info(
+              `[org-scoping] created Default Organization ${res.defaultOrgId} for platform admin`
+            );
+          }
+        } catch (e) {
+          ctx.logger.warn?.("[org-scoping] ensureDefaultOrganization failed", {
+            error: e.message
+          });
+        }
+      };
+      if (typeof ctx.hook === "function") {
+        ctx.hook("kernel:ready", runEnsure);
+      } else {
+        void runEnsure();
+      }
+      ql.registerMiddleware(async (opCtx, next) => {
+        await next();
+        if (opCtx?.object === "sys_user_permission_set" && (opCtx?.operation === "insert" || opCtx?.operation === "create")) {
+          await runEnsure();
+        }
+      });
+    }
+    ctx.logger.info("Org-Scoping middleware registered on ObjectQL engine");
+  }
+  async destroy() {
+  }
+  /**
+   * Resolve the column-name set for an object (mirrors SecurityPlugin's
+   * loader so the two plugins behave consistently). Returns `null` if
+   * the schema can't be loaded — caller skips injection.
+   */
+  async getObjectFieldNames(metadata, objectName, ql) {
+    if (this.fieldNamesCache.has(objectName)) {
+      return this.fieldNamesCache.get(objectName) ?? null;
+    }
+    const result = await this.loadObjectFieldNames(metadata, objectName, ql);
+    if (result) this.fieldNamesCache.set(objectName, result);
+    return result;
+  }
+  async loadObjectFieldNames(metadata, objectName, ql) {
+    try {
+      let obj = typeof ql?.getSchema === "function" ? ql.getSchema(objectName) : null;
+      if (!obj || !obj.fields) {
+        obj = await metadata?.get?.("object", objectName);
+      }
+      if (!obj || !obj.fields) return null;
+      const set = /* @__PURE__ */ new Set(["id"]);
+      if (Array.isArray(obj.fields)) {
+        for (const f of obj.fields) {
+          if (f?.name) set.add(String(f.name));
+        }
+      } else if (typeof obj.fields === "object") {
+        for (const key of Object.keys(obj.fields)) {
+          set.add(key);
+          const v = obj.fields[key];
+          if (v && typeof v === "object" && v.name) set.add(String(v.name));
+        }
+      } else {
+        return null;
+      }
+      return set;
+    } catch {
+      return null;
+    }
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ORG_SCOPING_PLUGIN_ID,
+  ORG_SCOPING_PLUGIN_VERSION,
+  OrgScopingPlugin,
+  claimOrphanOrgRows,
+  cloneOrgSeedData,
+  ensureDefaultOrganization,
+  orgScopingObjects,
+  orgScopingPluginManifestHeader
+});
+//# sourceMappingURL=index.js.map