@objectstack/plugin-security 4.0.4 → 4.1.0

package/dist/index.js

@@ -21,11 +21,17 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   FieldMasker: () => FieldMasker,
+  PermissionDeniedError: () => PermissionDeniedError,
   PermissionEvaluator: () => PermissionEvaluator,
   RLSCompiler: () => RLSCompiler,
+  RLS_DENY_FILTER: () => RLS_DENY_FILTER,
+  SECURITY_PLUGIN_ID: () => SECURITY_PLUGIN_ID,
+  SECURITY_PLUGIN_VERSION: () => SECURITY_PLUGIN_VERSION,
   SecurityPlugin: () => SecurityPlugin,
-  SysPermissionSet: () => SysPermissionSet,
-  SysRole: () => SysRole
+  isPermissionDeniedError: () => isPermissionDeniedError,
+  securityDefaultPermissionSets: () => securityDefaultPermissionSets,
+  securityObjects: () => securityObjects,
+  securityPluginManifestHeader: () => securityPluginManifestHeader
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -48,7 +54,7 @@ var PermissionEvaluator = class {
     const permKey = OPERATION_TO_PERMISSION[operation];
     if (!permKey) return true;
     for (const ps of permissionSets) {
-      const objPerm = ps.objects?.[objectName];
+      const objPerm = ps.objects?.[objectName] ?? ps.objects?.["*"];
       if (objPerm) {
         if (["allowEdit", "allowDelete"].includes(permKey) && objPerm.modifyAllRecords) {
           return true;
@@ -85,31 +91,94 @@ var PermissionEvaluator = class {
     return result;
   }
   /**
-   * Resolve permission sets for a list of role names from metadata.
+   * Resolve permission sets for a list of identifier names from metadata.
+   *
+   * Identifiers are matched to `PermissionSet.name`. The names may be
+   * either role names (when `sys_role.name` is reused as a permission set
+   * name — common for default admin/member/viewer roles) or explicit
+   * permission set names supplied through `ExecutionContext.permissions[]`
+   * (resolved by `resolveExecutionContext` from `sys_user_permission_set`
+   * and `sys_role_permission_set`).
+   *
+   * Async because the underlying metadata service exposes `list()` as a
+   * Promise — synchronous iteration would silently yield zero results
+   * (the historical SecurityPlugin behaviour, masking all enforcement).
+   *
+   * `bootstrapPermissionSets` is a fallback list of plugin-owned permission
+   * sets (typically the platform defaults: admin_full_access /
+   * member_default / viewer_readonly) that are registered via
+   * `manifest.register({ permissions })` but do not currently propagate
+   * into the metadata service's `list()` index. Without this fallback,
+   * SecurityPlugin would never resolve the defaults and all enforcement
+   * would be silently disabled for authenticated requests.
    */
-  resolvePermissionSets(roles, metadataService) {
+  async resolvePermissionSets(identifiers, metadataService, bootstrapPermissionSets = [], dbLoader) {
+    if (identifiers.length === 0) return [];
     const result = [];
-    const allPermSets = metadataService.list?.("permissions") || [];
+    const seen = /* @__PURE__ */ new Set();
+    let allPermSets = [];
+    try {
+      const listed = metadataService?.list?.("permission") ?? metadataService?.list?.("permissions") ?? [];
+      allPermSets = typeof listed?.then === "function" ? await listed : listed;
+    } catch {
+      allPermSets = [];
+    }
+    if (!Array.isArray(allPermSets)) allPermSets = [];
+    const wanted = new Set(identifiers);
     for (const ps of allPermSets) {
-      if (roles.includes(ps.name)) {
+      if (wanted.has(ps.name) && !seen.has(ps.name)) {
+        seen.add(ps.name);
+        result.push(ps);
+      }
+    }
+    for (const ps of bootstrapPermissionSets) {
+      if (wanted.has(ps.name) && !seen.has(ps.name)) {
+        seen.add(ps.name);
         result.push(ps);
       }
     }
+    if (dbLoader) {
+      const unresolved = identifiers.filter((n) => !seen.has(n));
+      if (unresolved.length > 0) {
+        try {
+          const dbRows = await dbLoader(unresolved);
+          for (const ps of dbRows ?? []) {
+            if (ps?.name && !seen.has(ps.name)) {
+              seen.add(ps.name);
+              result.push(ps);
+            }
+          }
+        } catch {
+        }
+      }
+    }
     return result;
   }
 };
 
 // src/rls-compiler.ts
+var RLS_DENY_FILTER = Object.freeze({
+  id: "__rls_deny__:00000000-0000-0000-0000-000000000000"
+});
 var RLSCompiler = class {
   /**
    * Compile RLS policies into a query filter for the given user context.
    * Multiple policies for the same object/operation are OR-combined (any match allows access).
+   *
+   * Return-value semantics:
+   * - `null`   → no policies applicable → caller applies no RLS filter.
+   * - non-null → caller AND's it onto the existing where clause.
+   * - {@link RLS_DENY_FILTER} → policies were defined but none could be
+   *   compiled (e.g. wildcard `tenant_isolation` against a user with no
+   *   active organization). The caller must treat this as "deny by
+   *   default" — its `id` comparison naturally yields zero rows on
+   *   select/update/delete, which is the safe fail-closed answer.
    */
   compileFilter(policies, executionContext) {
     if (policies.length === 0) return null;
     const userCtx = {
       id: executionContext?.userId,
-      tenant_id: executionContext?.tenantId,
+      organization_id: executionContext?.tenantId,
       roles: executionContext?.roles
     };
     const filters = [];
@@ -120,7 +189,9 @@ var RLSCompiler = class {
         filters.push(filter);
       }
     }
-    if (filters.length === 0) return null;
+    if (filters.length === 0) {
+      return RLS_DENY_FILTER;
+    }
     if (filters.length === 1) return filters[0];
     return { $or: filters };
   }
@@ -138,7 +209,7 @@ var RLSCompiler = class {
     if (eqMatch) {
       const [, field, prop] = eqMatch;
       const value = userCtx[prop];
-      if (value === void 0) return null;
+      if (value === void 0 || value === null) return null;
       return { [field]: value };
     }
     const litMatch = expression.match(/^\s*(\w+)\s*=\s*'([^']*)'\s*$/);
@@ -150,7 +221,7 @@ var RLSCompiler = class {
     if (inMatch) {
       const [, field, prop] = inMatch;
       const value = userCtx[prop];
-      if (!Array.isArray(value)) return null;
+      if (!Array.isArray(value) || value.length === 0) return null;
       return { [field]: { $in: value } };
     }
     return null;
@@ -220,6 +291,40 @@ var FieldMasker = class {
     }
     return result;
   }
+  /**
+   * Detect which fields in the caller's write payload would touch a
+   * field they are not allowed to edit. Returns the set of offending
+   * field names (no duplicates, sorted for stable error messages).
+   *
+   * Used by the security middleware on insert/update to fail-closed
+   * with an explicit 403 rather than silently dropping fields — a
+   * silent drop hides the security boundary from honest clients
+   * (their update partially "doesn't save") and gives an attacker no
+   * negative signal that the field exists. Throwing makes the
+   * boundary observable in both directions.
+   *
+   * `data` may be a single record or an array of records (bulk insert);
+   * either way the returned list is the union across all rows.
+   *
+   * Fields without a permission entry pass through — permission sets
+   * are an allow-list at the field level only for fields they
+   * explicitly enumerate. Most objects do not declare per-field rules
+   * and remain fully editable.
+   */
+  detectForbiddenWrites(data, fieldPermissions) {
+    if (Object.keys(fieldPermissions).length === 0) return [];
+    const nonEditable = new Set(this.getNonEditableFields(fieldPermissions));
+    if (nonEditable.size === 0) return [];
+    const offenders = /* @__PURE__ */ new Set();
+    const rows = Array.isArray(data) ? data : [data];
+    for (const row of rows) {
+      if (!row || typeof row !== "object") continue;
+      for (const field of Object.keys(row)) {
+        if (nonEditable.has(field)) offenders.add(field);
+      }
+    }
+    return Array.from(offenders).sort();
+  }
   maskRecord(record, hiddenFields) {
     if (!record || typeof record !== "object") return record;
     const result = { ...record };
@@ -230,155 +335,487 @@ var FieldMasker = class {
   }
 };
 
-// src/objects/sys-role.object.ts
-var import_data = require("@objectstack/spec/data");
-var SysRole = import_data.ObjectSchema.create({
-  namespace: "sys",
-  name: "role",
-  label: "Role",
-  pluralLabel: "Roles",
-  icon: "shield",
-  isSystem: true,
-  description: "Role definitions for RBAC access control",
-  titleFormat: "{name}",
-  compactLayout: ["name", "label", "active"],
-  fields: {
-    id: import_data.Field.text({
-      label: "Role ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: import_data.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: import_data.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: import_data.Field.text({
-      label: "API Name",
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: "Unique machine name for the role (e.g. admin, editor, viewer)"
-    }),
-    label: import_data.Field.text({
-      label: "Display Name",
-      required: true,
-      maxLength: 255
-    }),
-    description: import_data.Field.textarea({
-      label: "Description",
-      required: false
-    }),
-    permissions: import_data.Field.textarea({
-      label: "Permissions",
-      required: false,
-      description: "JSON-serialized array of permission strings"
-    }),
-    active: import_data.Field.boolean({
-      label: "Active",
-      defaultValue: true
-    }),
-    is_default: import_data.Field.boolean({
-      label: "Default Role",
-      defaultValue: false,
-      description: "Automatically assigned to new users"
-    })
-  },
-  indexes: [
-    { fields: ["name"], unique: true },
-    { fields: ["active"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
+// src/errors.ts
+var PermissionDeniedError = class extends Error {
+  constructor(message, details) {
+    super(message);
+    this.code = "PERMISSION_DENIED";
+    this.statusCode = 403;
+    this.name = "PermissionDeniedError";
+    this.details = details;
   }
-});
+};
+function isPermissionDeniedError(e) {
+  if (!e || typeof e !== "object") return false;
+  const anyE = e;
+  return anyE.name === "PermissionDeniedError" || anyE.code === "PERMISSION_DENIED" || typeof anyE.message === "string" && anyE.message.startsWith("[Security] Access denied");
+}
 
-// src/objects/sys-permission-set.object.ts
-var import_data2 = require("@objectstack/spec/data");
-var SysPermissionSet = import_data2.ObjectSchema.create({
-  namespace: "sys",
-  name: "permission_set",
-  label: "Permission Set",
-  pluralLabel: "Permission Sets",
-  icon: "lock",
-  isSystem: true,
-  description: "Named permission groupings for fine-grained access control",
-  titleFormat: "{name}",
-  compactLayout: ["name", "label", "active"],
-  fields: {
-    id: import_data2.Field.text({
-      label: "Permission Set ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: import_data2.Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: import_data2.Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: import_data2.Field.text({
-      label: "API Name",
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: "Unique machine name for the permission set"
-    }),
-    label: import_data2.Field.text({
-      label: "Display Name",
-      required: true,
-      maxLength: 255
-    }),
-    description: import_data2.Field.textarea({
-      label: "Description",
-      required: false
-    }),
-    object_permissions: import_data2.Field.textarea({
-      label: "Object Permissions",
-      required: false,
-      description: "JSON-serialized object-level CRUD permissions"
-    }),
-    field_permissions: import_data2.Field.textarea({
-      label: "Field Permissions",
-      required: false,
-      description: "JSON-serialized field-level read/write permissions"
-    }),
-    active: import_data2.Field.boolean({
-      label: "Active",
-      defaultValue: true
-    })
-  },
-  indexes: [
-    { fields: ["name"], unique: true },
-    { fields: ["active"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
+// src/bootstrap-platform-admin.ts
+var SYSTEM_CTX = { isSystem: true };
+async function tryFind(ql, object, where, limit = 100) {
+  try {
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX });
+    return Array.isArray(rows) ? rows : [];
+  } catch {
+    return [];
   }
-});
+}
+async function tryInsert(ql, object, data) {
+  try {
+    return await ql.insert(object, data, { context: SYSTEM_CTX });
+  } catch {
+    return null;
+  }
+}
+function genId(prefix) {
+  const rand = Math.random().toString(36).slice(2, 10);
+  const ts = Date.now().toString(36);
+  return `${prefix}_${ts}${rand}`;
+}
+async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
+    return { seeded: 0, adminPromoted: false, reason: "objectql_unavailable" };
+  }
+  const seeded = {};
+  for (const ps of bootstrapPermissionSets) {
+    if (!ps.name) continue;
+    const existing = await tryFind(ql, "sys_permission_set", { name: ps.name }, 1);
+    if (existing.length > 0 && existing[0].id) {
+      seeded[ps.name] = existing[0].id;
+      continue;
+    }
+    const id = genId("ps");
+    const created = await tryInsert(ql, "sys_permission_set", {
+      id,
+      name: ps.name,
+      label: ps.label ?? ps.name,
+      description: ps.description ?? null,
+      object_permissions: JSON.stringify(ps.objects ?? {}),
+      field_permissions: JSON.stringify(ps.fields ?? {}),
+      active: true
+    });
+    if (created?.id) seeded[ps.name] = created.id;
+    else if (created) seeded[ps.name] = id;
+  }
+  const seededCount = Object.keys(seeded).length;
+  const adminPsId = seeded["admin_full_access"];
+  if (!adminPsId) {
+    return { seeded: seededCount, adminPromoted: false, reason: "admin_permission_set_missing" };
+  }
+  const existingAdminLinks = await tryFind(
+    ql,
+    "sys_user_permission_set",
+    { permission_set_id: adminPsId },
+    5
+  );
+  if (existingAdminLinks.some((r) => !r.organization_id)) {
+    return { seeded: seededCount, adminPromoted: false, reason: "already_have_admin" };
+  }
+  const allUsers = await tryFind(ql, "sys_user", {}, 50);
+  if (allUsers.length === 0) {
+    logger?.info?.("[security] no users yet \u2014 first sign-up will be promoted to platform admin");
+    return { seeded: seededCount, adminPromoted: false, reason: "no_users" };
+  }
+  const sorted = [...allUsers].sort((a, b) => {
+    const ta = a.created_at ? new Date(a.created_at).getTime() : 0;
+    const tb = b.created_at ? new Date(b.created_at).getTime() : 0;
+    return ta - tb;
+  });
+  const target = sorted[0];
+  const inserted = await tryInsert(ql, "sys_user_permission_set", {
+    id: genId("ups"),
+    user_id: target.id,
+    permission_set_id: adminPsId,
+    organization_id: null,
+    granted_by: null
+  });
+  if (!inserted) {
+    logger?.warn?.(`[security] failed to grant admin_full_access to first user ${target.email ?? target.id}`);
+    return { seeded: seededCount, adminPromoted: false, reason: "insert_failed" };
+  }
+  logger?.info?.(`[security] first user promoted to platform admin: ${target.email ?? target.id}`);
+  return { seeded: seededCount, adminPromoted: true };
+}
+
+// src/claim-orphan-tenant-rows.ts
+var SYSTEM_CTX2 = { isSystem: true };
+function hasOrganizationField(schema) {
+  const fields = schema?.fields;
+  if (!fields) return false;
+  if (Array.isArray(fields)) {
+    return fields.some((f) => f?.name === "organization_id");
+  }
+  return Object.prototype.hasOwnProperty.call(fields, "organization_id");
+}
+async function claimOrphanTenantRows(ql, organizationId, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.update !== "function" || typeof ql.find !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[security] claimOrphanTenantRows: registry unavailable");
+    return [];
+  }
+  const schemas = registry.getAllObjects();
+  const results = [];
+  for (const schema of schemas) {
+    if (!schema?.name) continue;
+    if (schema.managedBy) continue;
+    if (schema.name.startsWith("sys_")) continue;
+    if (!hasOrganizationField(schema)) continue;
+    try {
+      const orphans = await ql.find(
+        schema.name,
+        { where: { organization_id: null }, limit: 1e4, fields: ["id"] },
+        { context: SYSTEM_CTX2 }
+      );
+      const list = Array.isArray(orphans) ? orphans : Array.isArray(orphans?.records) ? orphans.records : [];
+      if (list.length === 0) continue;
+      let updated = 0;
+      for (const row of list) {
+        if (!row?.id) continue;
+        try {
+          await ql.update(
+            schema.name,
+            { id: row.id, organization_id: organizationId },
+            { context: SYSTEM_CTX2 }
+          );
+          updated += 1;
+        } catch (e) {
+          logger?.warn?.(`[security] claim failed for ${schema.name}:${row.id}`, {
+            error: e.message
+          });
+        }
+      }
+      if (updated > 0) {
+        results.push({ object: schema.name, count: updated });
+      }
+    } catch (e) {
+      logger?.warn?.(`[security] claim scan failed for ${schema.name}`, {
+        error: e.message
+      });
+    }
+  }
+  if (results.length > 0) {
+    const total = results.reduce((s, r) => s + r.count, 0);
+    logger?.info?.(`[security] claimed ${total} orphan seed row(s) for organization ${organizationId}`, {
+      breakdown: results
+    });
+  }
+  return results;
+}
+
+// src/clone-tenant-seed-data.ts
+var SYSTEM_CTX3 = { isSystem: true };
+var SKIP_COPY_FIELDS = /* @__PURE__ */ new Set([
+  "id",
+  "created_at",
+  "updated_at",
+  "organization_id"
+]);
+var SKIP_COPY_TYPES = /* @__PURE__ */ new Set(["formula", "summary"]);
+function fieldList(schema) {
+  const fields = schema?.fields;
+  if (!fields) return [];
+  if (Array.isArray(fields)) {
+    return fields.map((f) => ({
+      name: f?.name,
+      type: f?.type,
+      reference: f?.reference,
+      multiple: f?.multiple,
+      unique: f?.unique
+    }));
+  }
+  return Object.entries(fields).map(([name, f]) => ({
+    name,
+    type: f?.type,
+    reference: f?.reference,
+    multiple: f?.multiple,
+    unique: f?.unique
+  }));
+}
+function isLookupField(f) {
+  return (f.type === "lookup" || f.type === "master_detail" || f.type === "tree") && !!f.reference;
+}
+function hasOrgField(schema) {
+  return fieldList(schema).some((f) => f.name === "organization_id");
+}
+function shortId() {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
+  let out = "";
+  for (let i = 0; i < 16; i++) {
+    out += alphabet[Math.floor(Math.random() * alphabet.length)];
+  }
+  return out;
+}
+async function findDonorOrgId(ql) {
+  try {
+    const res = await ql.find(
+      "sys_organization",
+      { orderBy: { created_at: "asc" }, limit: 1, fields: ["id"] },
+      { context: SYSTEM_CTX3 }
+    );
+    const list = Array.isArray(res) ? res : Array.isArray(res?.records) ? res.records : [];
+    return list[0]?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+async function cloneTenantSeedData(ql, targetOrgId, options = {}) {
+  const logger = options.logger;
+  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
+    return [];
+  }
+  const registry = ql.registry;
+  if (!registry || typeof registry.getAllObjects !== "function") {
+    logger?.warn?.("[security] cloneTenantSeedData: registry unavailable");
+    return [];
+  }
+  const donorOrgId = await findDonorOrgId(ql);
+  if (!donorOrgId) return [];
+  if (donorOrgId === targetOrgId) return [];
+  const schemas = registry.getAllObjects().filter(
+    (s) => s?.name && !s.managedBy && !s.name.startsWith("sys_") && hasOrgField(s)
+  );
+  const remap = {};
+  const summary = [];
+  const inserted = [];
+  for (const schema of schemas) {
+    const objectName = schema.name;
+    try {
+      const existing = await ql.find(
+        objectName,
+        { where: { organization_id: targetOrgId }, limit: 1, fields: ["id"] },
+        { context: SYSTEM_CTX3 }
+      );
+      const existingList = Array.isArray(existing) ? existing : Array.isArray(existing?.records) ? existing.records : [];
+      if (existingList.length > 0) {
+        continue;
+      }
+      const donorRows = await ql.find(
+        objectName,
+        { where: { organization_id: donorOrgId }, limit: 1e4 },
+        { context: SYSTEM_CTX3 }
+      );
+      const rows = Array.isArray(donorRows) ? donorRows : Array.isArray(donorRows?.records) ? donorRows.records : [];
+      if (rows.length === 0) continue;
+      const fields = fieldList(schema);
+      const lookups = fields.filter(isLookupField);
+      const uniqueFields = fields.filter((f) => f.unique && !SKIP_COPY_FIELDS.has(f.name));
+      const objectRemap = remap[objectName] ?? (remap[objectName] = {});
+      let cloned = 0;
+      for (const row of rows) {
+        const newId = shortId();
+        const data = { id: newId, organization_id: targetOrgId };
+        for (const f of fields) {
+          if (SKIP_COPY_FIELDS.has(f.name)) continue;
+          if (f.type && SKIP_COPY_TYPES.has(f.type)) continue;
+          if (row[f.name] === void 0) continue;
+          data[f.name] = row[f.name];
+        }
+        const suffix = `+${targetOrgId.slice(-6)}`;
+        for (const uf of uniqueFields) {
+          const v = data[uf.name];
+          if (typeof v !== "string" || !v) continue;
+          if (uf.type === "email" && v.includes("@")) {
+            const [local, domain] = v.split("@");
+            data[uf.name] = `clone-${targetOrgId.slice(-6)}-${local}@${domain}`;
+          } else {
+            data[uf.name] = `${v}${suffix}`;
+          }
+        }
+        try {
+          await ql.insert(objectName, data, { context: SYSTEM_CTX3 });
+          objectRemap[row.id] = newId;
+          inserted.push({ object: objectName, newId, record: data, lookups });
+          cloned++;
+        } catch (e) {
+          logger?.warn?.("[security] cloneTenantSeedData: insert failed", {
+            object: objectName,
+            error: e.message
+          });
+        }
+      }
+      if (cloned > 0) summary.push({ object: objectName, count: cloned });
+    } catch (e) {
+      logger?.warn?.("[security] cloneTenantSeedData: object failed", {
+        object: objectName,
+        error: e.message
+      });
+    }
+  }
+  for (const item of inserted) {
+    if (item.lookups.length === 0) continue;
+    const patch = {};
+    let dirty = false;
+    for (const f of item.lookups) {
+      const oldVal = item.record[f.name];
+      if (oldVal == null) continue;
+      const targetMap = remap[f.reference];
+      if (Array.isArray(oldVal)) {
+        const next = oldVal.map((v) => typeof v === "string" && targetMap?.[v] || null).filter((v) => v != null);
+        if (next.length !== oldVal.length || next.some((v, i) => v !== oldVal[i])) {
+          patch[f.name] = next.length > 0 ? next : null;
+          dirty = true;
+        }
+      } else if (typeof oldVal === "string") {
+        if (targetMap && targetMap[oldVal]) {
+          patch[f.name] = targetMap[oldVal];
+          dirty = true;
+        } else {
+          patch[f.name] = null;
+          dirty = true;
+        }
+      }
+    }
+    if (!dirty) continue;
+    try {
+      await ql.update(item.object, { id: item.newId, ...patch }, { context: SYSTEM_CTX3 });
+    } catch (e) {
+      logger?.warn?.("[security] cloneTenantSeedData: lookup remap failed", {
+        object: item.object,
+        id: item.newId,
+        error: e.message
+      });
+    }
+  }
+  return summary;
+}
+
+// src/ensure-user-has-organization.ts
+var SYSTEM_CTX4 = { isSystem: true };
+function genId2(prefix) {
+  const rand = Math.random().toString(36).slice(2, 10);
+  const ts = Date.now().toString(36);
+  return `${prefix}_${ts}${rand}`;
+}
+function slugify(input) {
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40) || "workspace";
+}
+function deriveBaseName(user) {
+  if (user.name && user.name.trim()) return user.name.trim();
+  if (user.email) {
+    const local = user.email.split("@")[0];
+    if (local) return local;
+  }
+  return user.id;
+}
+async function tryFind2(ql, object, where, limit = 1) {
+  try {
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX4 });
+    return Array.isArray(rows) ? rows : [];
+  } catch {
+    return [];
+  }
+}
+async function ensureUserHasOrganization(ql, user, options = {}) {
+  const logger = options.logger;
+  const cloneSeedData = options.cloneSeedData;
+  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
+    return { created: false, reason: "objectql_unavailable" };
+  }
+  if (!user?.id) return { created: false, reason: "invalid_user" };
+  const existing = await tryFind2(ql, "sys_member", { user_id: user.id }, 1);
+  if (existing.length > 0) {
+    return { created: false, reason: "already_member" };
+  }
+  const base = deriveBaseName(user);
+  const orgName = `${base}'s Workspace`;
+  const baseSlug = slugify(base);
+  let slug = `${baseSlug}-workspace`;
+  for (let attempt = 1; attempt <= 5; attempt += 1) {
+    const collision = await tryFind2(ql, "sys_organization", { slug }, 1);
+    if (collision.length === 0) break;
+    slug = `${baseSlug}-workspace-${attempt + 1}`;
+    if (attempt === 5) {
+      logger?.warn?.(
+        `[security] could not find a free slug for personal org of ${user.email ?? user.id}`
+      );
+      return { created: false, reason: "slug_exhausted" };
+    }
+  }
+  const orgId = genId2("org");
+  let orgRow = null;
+  try {
+    orgRow = await ql.insert(
+      "sys_organization",
+      { id: orgId, name: orgName, slug, logo: null, metadata: null },
+      { context: SYSTEM_CTX4 }
+    );
+  } catch (e) {
+    logger?.warn?.(`[security] failed to create personal org for ${user.email ?? user.id}`, {
+      error: e.message
+    });
+    return { created: false, reason: "org_insert_failed" };
+  }
+  const finalOrgId = orgRow?.id ?? orgId;
+  try {
+    await ql.insert(
+      "sys_member",
+      {
+        id: genId2("mem"),
+        organization_id: finalOrgId,
+        user_id: user.id,
+        role: "owner"
+      },
+      { context: SYSTEM_CTX4 }
+    );
+  } catch (e) {
+    logger?.warn?.(`[security] failed to create owner-member row for ${user.email ?? user.id}`, {
+      error: e.message
+    });
+    return { created: false, reason: "member_insert_failed", organizationId: finalOrgId };
+  }
+  logger?.info?.(
+    `[security] created personal organization "${orgName}" (${finalOrgId}) for ${user.email ?? user.id}`
+  );
+  if (cloneSeedData) {
+    try {
+      const summary = await cloneSeedData(ql, finalOrgId, { logger });
+      if (summary.length > 0) {
+        const total = summary.reduce((s, c) => s + c.count, 0);
+        logger?.info?.(
+          `[security] cloned ${total} seed row(s) into personal organization ${finalOrgId}`,
+          { breakdown: summary }
+        );
+      }
+    } catch (e) {
+      logger?.warn?.("[security] cloneTenantSeedData failed", {
+        error: e.message
+      });
+    }
+  }
+  return { created: true, organizationId: finalOrgId };
+}
+
+// src/manifest.ts
+var import_security = require("@objectstack/platform-objects/security");
+var SECURITY_PLUGIN_ID = "com.objectstack.plugin-security";
+var SECURITY_PLUGIN_VERSION = "1.0.0";
+var securityObjects = [
+  import_security.SysRole,
+  import_security.SysPermissionSet,
+  import_security.SysUserPermissionSet,
+  import_security.SysRolePermissionSet
+];
+var securityDefaultPermissionSets = import_security.defaultPermissionSets;
+var securityPluginManifestHeader = {
+  id: SECURITY_PLUGIN_ID,
+  namespace: "sys",
+  version: SECURITY_PLUGIN_VERSION,
+  type: "plugin",
+  scope: "system",
+  defaultDatasource: "cloud",
+  name: "Security Plugin",
+  description: "RBAC roles and permission sets for ObjectStack (Role, PermissionSet)"
+};
 
 // src/security-plugin.ts
 var SecurityPlugin = class {
-  constructor() {
+  constructor(options = {}) {
     this.name = "com.objectstack.security";
     this.type = "standard";
     this.version = "1.0.0";
@@ -386,35 +823,47 @@ var SecurityPlugin = class {
     this.permissionEvaluator = new PermissionEvaluator();
     this.rlsCompiler = new RLSCompiler();
     this.fieldMasker = new FieldMasker();
+    /**
+     * Per-object field-name cache. Populated lazily from the metadata
+     * service / ObjectQL registry on first access per object. Schemas are
+     * effectively immutable for the lifetime of the kernel today (hot
+     * reload tears the kernel down), so we don't bother with
+     * invalidation — a kernel restart drops the cache.
+     */
+    this.fieldNamesCache = /* @__PURE__ */ new Map();
+    /**
+     * Per-object cache of tenancy opt-out. `true` means the schema
+     * explicitly disabled multi-tenancy (`tenancy.enabled === false` or
+     * `systemFields.tenant === false`). Wildcard policies that target
+     * the conventional tenant column (`organization_id`) are treated as
+     * *not applicable* on these tables instead of triggering the
+     * field-missing deny sentinel — without this, every read of a
+     * cross-org catalog (e.g. `sys_package`, the Marketplace) returns
+     * zero rows.
+     */
+    this.tenancyDisabledCache = /* @__PURE__ */ new Map();
+    this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
+    this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
+    this.multiTenant = options.multiTenant !== false;
   }
   async init(ctx) {
     ctx.logger.info("Initializing Security Plugin...");
     ctx.registerService("security.permissions", this.permissionEvaluator);
     ctx.registerService("security.rls", this.rlsCompiler);
     ctx.registerService("security.fieldMasker", this.fieldMasker);
+    ctx.registerService("security.bootstrapPermissionSets", this.bootstrapPermissionSets);
+    ctx.registerService("security.fallbackPermissionSet", this.fallbackPermissionSet);
     ctx.getService("manifest").register({
-      id: "com.objectstack.security",
-      name: "Security",
-      version: "1.0.0",
-      type: "plugin",
-      namespace: "sys",
-      objects: [SysRole, SysPermissionSet]
+      ...securityPluginManifestHeader,
+      objects: securityObjects,
+      // Permission sets ride along on the manifest so the metadata service
+      // can resolve them by name when SecurityPlugin middleware queries
+      // `metadata.list('permissions')`.
+      permissions: this.bootstrapPermissionSets
+    });
+    ctx.logger.info("Security Plugin initialized", {
+      defaultPermissionSets: this.bootstrapPermissionSets.map((p) => p.name)
     });
-    try {
-      const setupNav = ctx.getService("setupNav");
-      if (setupNav) {
-        setupNav.contribute({
-          areaId: "area_administration",
-          items: [
-            { id: "nav_roles", type: "object", label: "Roles", objectName: "role", icon: "shield-check", order: 60 },
-            { id: "nav_permission_sets", type: "object", label: "Permission Sets", objectName: "permission_set", icon: "lock", order: 70 }
-          ]
-        });
-        ctx.logger.info("Security navigation items contributed to Setup App");
-      }
-    } catch {
-    }
-    ctx.logger.info("Security Plugin initialized");
   }
   async start(ctx) {
     ctx.logger.info("Starting Security Plugin...");
@@ -431,17 +880,55 @@ var SecurityPlugin = class {
       ctx.logger.warn("ObjectQL engine does not support middleware, security middleware not registered");
       return;
     }
+    const dbLoader = ql ? async (names) => {
+      let rows;
+      try {
+        rows = await ql.find(
+          "sys_permission_set",
+          { where: { name: { $in: names } }, limit: names.length },
+          { context: { isSystem: true } }
+        );
+      } catch {
+        rows = [];
+      }
+      const list = Array.isArray(rows) ? rows : rows?.records ?? [];
+      return list.map((r) => ({
+        name: r.name,
+        label: r.label,
+        objects: typeof r.object_permissions === "string" ? JSON.parse(r.object_permissions || "{}") : r.object_permissions ?? {},
+        fields: typeof r.field_permissions === "string" ? JSON.parse(r.field_permissions || "{}") : r.field_permissions ?? {}
+      }));
+    } : void 0;
     ql.registerMiddleware(async (opCtx, next) => {
       if (opCtx.context?.isSystem) {
         return next();
       }
       const roles = opCtx.context?.roles ?? [];
-      if (roles.length === 0 && !opCtx.context?.userId) {
+      const explicitPermissionSets = opCtx.context?.permissions ?? [];
+      if (roles.length === 0 && explicitPermissionSets.length === 0 && !opCtx.context?.userId) {
         return next();
       }
       let permissionSets = [];
       try {
-        permissionSets = this.permissionEvaluator.resolvePermissionSets(roles, metadata);
+        const requested = [...roles, ...explicitPermissionSets];
+        if (requested.length === 0 && opCtx.context?.userId && this.fallbackPermissionSet) {
+          requested.push(this.fallbackPermissionSet);
+        }
+        permissionSets = await this.permissionEvaluator.resolvePermissionSets(
+          requested,
+          metadata,
+          this.bootstrapPermissionSets,
+          dbLoader
+        );
+        if (permissionSets.length === 0 && opCtx.context?.userId && this.fallbackPermissionSet) {
+          const fallback = await this.permissionEvaluator.resolvePermissionSets(
+            [this.fallbackPermissionSet],
+            metadata,
+            this.bootstrapPermissionSets,
+            dbLoader
+          );
+          permissionSets = fallback;
+        }
       } catch (e) {
         return next();
       }
@@ -452,14 +939,71 @@ var SecurityPlugin = class {
           permissionSets
         );
         if (!allowed) {
-          throw new Error(
-            `[Security] Access denied: operation '${opCtx.operation}' on object '${opCtx.object}' is not permitted for roles [${roles.join(", ")}]`
+          throw new PermissionDeniedError(
+            `[Security] Access denied: operation '${opCtx.operation}' on object '${opCtx.object}' is not permitted for roles [${roles.join(", ")}]`,
+            { operation: opCtx.operation, object: opCtx.object, roles, permissionSets: explicitPermissionSets }
+          );
+        }
+      }
+      if ((opCtx.operation === "insert" || opCtx.operation === "update") && opCtx.data && permissionSets.length > 0) {
+        const fieldPerms = this.permissionEvaluator.getFieldPermissions(
+          opCtx.object,
+          permissionSets
+        );
+        if (Object.keys(fieldPerms).length > 0) {
+          const forbidden = this.fieldMasker.detectForbiddenWrites(
+            opCtx.data,
+            fieldPerms
           );
+          if (forbidden.length > 0) {
+            throw new PermissionDeniedError(
+              `[Security] Field write denied: not permitted to edit [${forbidden.join(", ")}] on '${opCtx.object}'`,
+              {
+                operation: opCtx.operation,
+                object: opCtx.object,
+                roles,
+                permissionSets: explicitPermissionSets,
+                forbiddenFields: forbidden
+              }
+            );
+          }
+        }
+      }
+      if (opCtx.operation === "insert" && opCtx.data && typeof opCtx.data === "object" && !Array.isArray(opCtx.data)) {
+        const needsTenant = this.multiTenant && !!opCtx.context?.tenantId;
+        const needsOwner = !!opCtx.context?.userId;
+        if (needsTenant || needsOwner) {
+          const fields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
+          if (fields) {
+            const data = opCtx.data;
+            if (needsTenant && fields.has("organization_id") && (data.organization_id == null || data.organization_id === "")) {
+              data.organization_id = opCtx.context.tenantId;
+            }
+            if (needsOwner && fields.has("owner_id") && (data.owner_id == null || data.owner_id === "")) {
+              data.owner_id = opCtx.context.userId;
+            }
+          }
         }
       }
       const allRlsPolicies = this.collectRLSPolicies(permissionSets, opCtx.object, opCtx.operation);
       if (allRlsPolicies.length > 0 && opCtx.ast) {
-        const rlsFilter = this.rlsCompiler.compileFilter(allRlsPolicies, opCtx.context);
+        const objectFields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
+        const tenancyDisabled = this.tenancyDisabledCache.get(opCtx.object) === true;
+        let dropped = 0;
+        const compilable = objectFields ? allRlsPolicies.filter((p) => {
+          const targetField = this.extractTargetField(p.using);
+          if (!targetField) return true;
+          if (objectFields.has(targetField)) return true;
+          if (tenancyDisabled && targetField === "organization_id") {
+            return false;
+          }
+          dropped++;
+          return false;
+        }) : allRlsPolicies;
+        let rlsFilter = this.rlsCompiler.compileFilter(compilable, opCtx.context);
+        if (rlsFilter == null && dropped > 0) {
+          rlsFilter = { ...RLS_DENY_FILTER };
+        }
         if (rlsFilter) {
           if (opCtx.ast.where) {
             opCtx.ast.where = { $and: [opCtx.ast.where, rlsFilter] };
@@ -477,6 +1021,139 @@ var SecurityPlugin = class {
       }
     });
     ctx.logger.info("Security middleware registered on ObjectQL engine");
+    let bootstrapRanOnce = false;
+    const runBootstrap = async () => {
+      try {
+        const report = await bootstrapPlatformAdmin(ql, this.bootstrapPermissionSets, {
+          logger: ctx.logger
+        });
+        bootstrapRanOnce = true;
+        ctx.logger.info("[security] platform bootstrap complete", report);
+        return report;
+      } catch (e) {
+        ctx.logger.warn("[security] platform bootstrap failed", { error: e.message });
+        return void 0;
+      }
+    };
+    if (typeof ctx.hook === "function") {
+      ctx.hook("kernel:ready", runBootstrap);
+    } else {
+      void runBootstrap();
+    }
+    ql.registerMiddleware(async (opCtx, next) => {
+      await next();
+      if (opCtx?.object === "sys_user" && (opCtx?.operation === "create" || opCtx?.operation === "insert")) {
+        if (bootstrapRanOnce) {
+          await runBootstrap();
+        }
+        if (this.multiTenant) {
+          const newUser = opCtx?.result ?? opCtx?.data;
+          if (newUser?.id) {
+            try {
+              await ensureUserHasOrganization(ql, newUser, {
+                logger: ctx.logger,
+                cloneSeedData: cloneTenantSeedData
+              });
+            } catch (e) {
+              ctx.logger.warn("[security] ensure-user-has-organization failed", {
+                error: e.message
+              });
+            }
+          }
+        }
+      }
+    });
+    if (this.multiTenant) {
+      ql.registerMiddleware(async (opCtx, next) => {
+        await next();
+        if (opCtx?.object !== "sys_organization" || opCtx?.operation !== "create" && opCtx?.operation !== "insert") {
+          return;
+        }
+        const newOrgId = opCtx?.result?.id ?? opCtx?.data?.id;
+        if (!newOrgId) return;
+        const kernel = ctx.kernel ?? ctx;
+        let datasets;
+        try {
+          const raw = kernel?.getService?.("seed-datasets");
+          if (Array.isArray(raw) && raw.length > 0) datasets = raw;
+        } catch {
+        }
+        let orgCount = 0;
+        try {
+          const allOrgs = await ql.find(
+            "sys_organization",
+            { limit: 2, fields: ["id"] },
+            { context: { isSystem: true } }
+          );
+          const list = Array.isArray(allOrgs) ? allOrgs : Array.isArray(allOrgs?.records) ? allOrgs.records : [];
+          orgCount = list.length;
+        } catch (e) {
+          ctx.logger.warn("[security] failed to count organizations", {
+            error: e.message
+          });
+        }
+        let replayed = false;
+        try {
+          const replayer = kernel?.getService?.("seed-replayer");
+          if (typeof replayer === "function") {
+            const summary = await replayer(newOrgId);
+            const total = (summary?.inserted ?? 0) + (summary?.updated ?? 0);
+            ctx.logger.info(
+              `[security] per-org seed replay for ${newOrgId}: +${summary?.inserted ?? 0} inserted, ${summary?.updated ?? 0} updated, ${summary?.errors?.length ?? 0} error(s)`,
+              {
+                organizationId: newOrgId,
+                errors: summary?.errors?.slice?.(0, 5)
+              }
+            );
+            if (total > 0) replayed = true;
+          } else if (datasets) {
+            ctx.logger.warn("[security] per-org seed: datasets present but no replayer registered", {
+              organizationId: newOrgId
+            });
+          }
+        } catch (e) {
+          ctx.logger.warn("[security] per-org seed replay failed, falling back", {
+            organizationId: newOrgId,
+            error: e.message
+          });
+        }
+        if (replayed) return;
+        if (orgCount === 1) {
+          try {
+            const claims = await claimOrphanTenantRows(ql, newOrgId, { logger: ctx.logger });
+            if (claims.length > 0) {
+              const total = claims.reduce((s, c) => s + c.count, 0);
+              ctx.logger.info(
+                `[security] claimed ${total} orphan seed row(s) for first organization ${newOrgId}`,
+                { breakdown: claims }
+              );
+              return;
+            }
+          } catch (e) {
+            ctx.logger.warn("[security] claim-orphan-tenant-rows failed", {
+              error: e.message
+            });
+          }
+        }
+        if (orgCount > 1) {
+          try {
+            const summary = await cloneTenantSeedData(ql, newOrgId, { logger: ctx.logger });
+            if (summary.length > 0) {
+              const total = summary.reduce((s, c) => s + c.count, 0);
+              ctx.logger.info(
+                `[security] cloned ${total} seed row(s) for new organization ${newOrgId}`,
+                { breakdown: summary }
+              );
+            }
+          } catch (e) {
+            ctx.logger.warn("[security] clone-tenant-seed-data failed", {
+              organizationId: newOrgId,
+              error: e.message
+            });
+          }
+        }
+      });
+    }
   }
   async destroy() {
   }
@@ -487,19 +1164,82 @@ var SecurityPlugin = class {
     const allPolicies = [];
     for (const ps of permissionSets) {
       if (ps.rowLevelSecurity) {
-        allPolicies.push(...ps.rowLevelSecurity);
+        for (const policy of ps.rowLevelSecurity) {
+          if (!this.multiTenant && policy.using && policy.using.includes("current_user.organization_id")) {
+            continue;
+          }
+          allPolicies.push(policy);
+        }
       }
     }
     return this.rlsCompiler.getApplicablePolicies(objectName, operation, allPolicies);
   }
+  /**
+   * Resolve the column-name set for an object (lowercased). Returns
+   * `null` if the schema can't be loaded — caller should fail-closed.
+   */
+  async getObjectFieldNames(metadata, objectName, ql) {
+    if (this.fieldNamesCache.has(objectName)) {
+      return this.fieldNamesCache.get(objectName) ?? null;
+    }
+    const result = await this.loadObjectFieldNames(metadata, objectName, ql);
+    if (result) {
+      this.fieldNamesCache.set(objectName, result);
+    }
+    return result;
+  }
+  async loadObjectFieldNames(metadata, objectName, ql) {
+    try {
+      let obj = typeof ql?.getSchema === "function" ? ql.getSchema(objectName) : null;
+      if (!obj || !obj.fields) {
+        obj = await metadata?.get?.("object", objectName);
+      }
+      if (!obj || !obj.fields) return null;
+      const tenancyDisabled = obj?.tenancy?.enabled === false || obj?.systemFields?.tenant === false;
+      this.tenancyDisabledCache.set(objectName, !!tenancyDisabled);
+      const set = /* @__PURE__ */ new Set(["id"]);
+      if (Array.isArray(obj.fields)) {
+        for (const f of obj.fields) {
+          if (f?.name) set.add(String(f.name));
+        }
+      } else if (typeof obj.fields === "object") {
+        for (const key of Object.keys(obj.fields)) {
+          set.add(key);
+          const v = obj.fields[key];
+          if (v && typeof v === "object" && v.name) set.add(String(v.name));
+        }
+      } else {
+        return null;
+      }
+      return set;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Extract the left-hand field name from a simple RLS expression like
+   * `field = current_user.x` or `field IN (current_user.y)`. Returns
+   * `null` for unsupported shapes (in which case we keep the policy).
+   */
+  extractTargetField(using) {
+    if (!using) return null;
+    const m = using.match(/^\s*([a-z_][a-z0-9_]*)\s*(?:=|IN|in)(?=\s|\()/);
+    return m ? m[1] : null;
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   FieldMasker,
+  PermissionDeniedError,
   PermissionEvaluator,
   RLSCompiler,
+  RLS_DENY_FILTER,
+  SECURITY_PLUGIN_ID,
+  SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
-  SysPermissionSet,
-  SysRole
+  isPermissionDeniedError,
+  securityDefaultPermissionSets,
+  securityObjects,
+  securityPluginManifestHeader
 });
 //# sourceMappingURL=index.js.map