@objectstack/plugin-security 3.0.3 → 3.0.5

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @objectstack/plugin-security@3.0.3 build /home/runner/work/spec/spec/packages/plugins/plugin-security
+> @objectstack/plugin-security@3.0.5 build /home/runner/work/spec/spec/packages/plugins/plugin-security
 > tsup --config ../../../tsup.config.ts
 
 CLI Building entry: src/index.ts
@@ -10,13 +10,13 @@
 CLI Cleaning output folder
 ESM Build start
 CJS Build start
-ESM dist/index.mjs     9.76 KB
-ESM dist/index.mjs.map 21.06 KB
-ESM ⚡️ Build success in 57ms
 CJS dist/index.js     10.89 KB
 CJS dist/index.js.map 21.59 KB
-CJS ⚡️ Build success in 57ms
+CJS ⚡️ Build success in 74ms
+ESM dist/index.mjs     9.76 KB
+ESM dist/index.mjs.map 21.06 KB
+ESM ⚡️ Build success in 75ms
 DTS Build start
-DTS ⚡️ Build success in 7856ms
+DTS ⚡️ Build success in 8505ms
 DTS dist/index.d.mts 4.30 KB
 DTS dist/index.d.ts  4.30 KB

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @objectstack/plugin-security
 
+## 3.0.5
+
+### Patch Changes
+
+- Updated dependencies [23a4a68]
+  - @objectstack/spec@3.0.5
+  - @objectstack/core@3.0.5
+
+## 3.0.4
+
+### Patch Changes
+
+- Updated dependencies [d738987]
+  - @objectstack/spec@3.0.4
+  - @objectstack/core@3.0.4
+
 ## 3.0.3
 
 ### Patch Changes

package/README.md

@@ -0,0 +1,48 @@
+# @objectstack/plugin-security
+
+Security Plugin for ObjectStack — RBAC, Row-Level Security (RLS), and Field-Level Security runtime.
+
+## Features
+
+- **RBAC Permission Evaluator**: Checks object-level CRUD permissions per user role with most-permissive merging across multiple roles.
+- **Row-Level Security (RLS)**: Compiles RLS policy expressions into ObjectQL query filters, automatically injected into all read operations.
+- **Field-Level Masking**: Strips non-readable fields from query results and identifies non-editable fields.
+- **ObjectQL Middleware Integration**: Hooks into the ObjectQL pipeline to enforce security transparently on every operation.
+- **System Bypass**: System-level operations skip security checks for internal workflows.
+
+## Usage
+
+```typescript
+import { SecurityPlugin } from '@objectstack/plugin-security';
+import { ObjectKernel } from '@objectstack/core';
+
+const kernel = new ObjectKernel({
+  plugins: [
+    new SecurityPlugin(),
+  ],
+});
+```
+
+### Exported Components
+
+```typescript
+import {
+  SecurityPlugin,
+  PermissionEvaluator,
+  RLSCompiler,
+  FieldMasker,
+} from '@objectstack/plugin-security';
+```
+
+## Architecture
+
+The plugin registers three core services and executes a 4-step security chain on every data operation:
+
+1. **Resolve Permission Sets** — Match user roles to permission set definitions from metadata.
+2. **Check Object Permissions** — Validate CRUD access (`allowRead`, `allowCreate`, `allowEdit`, `allowDelete`).
+3. **Inject RLS Filters** — Compile row-level policy expressions and merge them into the query.
+4. **Mask Fields** — Remove restricted fields from results based on field-level permissions.
+
+## License
+
+Apache-2.0 © ObjectStack

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@objectstack/plugin-security",
-  "version": "3.0.3",
+  "version": "3.0.5",
   "license": "Apache-2.0",
   "description": "Security Plugin for ObjectStack — RBAC, RLS, and Field-Level Security Runtime",
   "main": "dist/index.js",
@@ -13,8 +13,8 @@
     }
   },
   "dependencies": {
-    "@objectstack/core": "3.0.3",
-    "@objectstack/spec": "3.0.3"
+    "@objectstack/core": "3.0.5",
+    "@objectstack/spec": "3.0.5"
   },
   "devDependencies": {
     "@types/node": "^25.2.2",