@objectstack/plugin-security 4.0.4 → 4.1.0

package/CHANGELOG.md

@@ -1,264 +0,0 @@
-# @objectstack/plugin-security
-
-## 4.0.4
-
-### Patch Changes
-
-- Updated dependencies [326b66b]
-  - @objectstack/spec@4.0.4
-  - @objectstack/core@4.0.4
-
-## 4.0.3
-
-### Patch Changes
-
-- @objectstack/spec@4.0.3
-- @objectstack/core@4.0.3
-
-## 4.0.2
-
-### Patch Changes
-
-- Updated dependencies [5f659e9]
-  - @objectstack/spec@4.0.2
-  - @objectstack/core@4.0.2
-
-## 4.0.0
-
-### Patch Changes
-
-- Updated dependencies [f08ffc3]
-- Updated dependencies [e0b0a78]
-  - @objectstack/spec@4.0.0
-  - @objectstack/core@4.0.0
-
-## 3.3.1
-
-### Patch Changes
-
-- @objectstack/spec@3.3.1
-- @objectstack/core@3.3.1
-
-## 3.3.0
-
-### Patch Changes
-
-- @objectstack/spec@3.3.0
-- @objectstack/core@3.3.0
-
-## 3.2.9
-
-### Patch Changes
-
-- @objectstack/spec@3.2.9
-- @objectstack/core@3.2.9
-
-## 3.2.8
-
-### Patch Changes
-
-- @objectstack/spec@3.2.8
-- @objectstack/core@3.2.8
-
-## 3.2.7
-
-### Patch Changes
-
-- @objectstack/spec@3.2.7
-- @objectstack/core@3.2.7
-
-## 3.2.6
-
-### Patch Changes
-
-- @objectstack/spec@3.2.6
-- @objectstack/core@3.2.6
-
-## 3.2.5
-
-### Patch Changes
-
-- @objectstack/spec@3.2.5
-- @objectstack/core@3.2.5
-
-## 3.2.4
-
-### Patch Changes
-
-- @objectstack/spec@3.2.4
-- @objectstack/core@3.2.4
-
-## 3.2.3
-
-### Patch Changes
-
-- @objectstack/spec@3.2.3
-- @objectstack/core@3.2.3
-
-## 3.2.2
-
-### Patch Changes
-
-- Updated dependencies [46defbb]
-  - @objectstack/spec@3.2.2
-  - @objectstack/core@3.2.2
-
-## 3.2.1
-
-### Patch Changes
-
-- Updated dependencies [850b546]
-  - @objectstack/spec@3.2.1
-  - @objectstack/core@3.2.1
-
-## 3.2.0
-
-### Patch Changes
-
-- Updated dependencies [5901c29]
-  - @objectstack/spec@3.2.0
-  - @objectstack/core@3.2.0
-
-## 3.1.1
-
-### Patch Changes
-
-- Updated dependencies [953d667]
-  - @objectstack/spec@3.1.1
-  - @objectstack/core@3.1.1
-
-## 3.1.0
-
-### Patch Changes
-
-- Updated dependencies [0088830]
-  - @objectstack/spec@3.1.0
-  - @objectstack/core@3.1.0
-
-## 3.0.11
-
-### Patch Changes
-
-- Updated dependencies [92d9d99]
-  - @objectstack/spec@3.0.11
-  - @objectstack/core@3.0.11
-
-## 3.0.10
-
-### Patch Changes
-
-- Updated dependencies [d1e5d31]
-  - @objectstack/spec@3.0.10
-  - @objectstack/core@3.0.10
-
-## 3.0.9
-
-### Patch Changes
-
-- Updated dependencies [15e0df6]
-  - @objectstack/spec@3.0.9
-  - @objectstack/core@3.0.9
-
-## 3.0.8
-
-### Patch Changes
-
-- Updated dependencies [5a968a2]
-  - @objectstack/spec@3.0.8
-  - @objectstack/core@3.0.8
-
-## 3.0.7
-
-### Patch Changes
-
-- Updated dependencies [0119bd7]
-- Updated dependencies [5426bdf]
-  - @objectstack/spec@3.0.7
-  - @objectstack/core@3.0.7
-
-## 3.0.6
-
-### Patch Changes
-
-- Updated dependencies [5df254c]
-  - @objectstack/spec@3.0.6
-  - @objectstack/core@3.0.6
-
-## 3.0.5
-
-### Patch Changes
-
-- Updated dependencies [23a4a68]
-  - @objectstack/spec@3.0.5
-  - @objectstack/core@3.0.5
-
-## 3.0.4
-
-### Patch Changes
-
-- Updated dependencies [d738987]
-  - @objectstack/spec@3.0.4
-  - @objectstack/core@3.0.4
-
-## 3.0.3
-
-### Patch Changes
-
-- c7267f6: Patch release for maintenance updates and improvements.
-- Updated dependencies [c7267f6]
-  - @objectstack/spec@3.0.3
-  - @objectstack/core@3.0.3
-
-## 3.0.2
-
-### Patch Changes
-
-- Updated dependencies [28985f5]
-  - @objectstack/spec@3.0.2
-  - @objectstack/core@3.0.2
-
-## 3.0.1
-
-### Patch Changes
-
-- Updated dependencies [389725a]
-  - @objectstack/spec@3.0.1
-  - @objectstack/core@3.0.1
-
-## 3.0.0
-
-### Major Changes
-
-- Release v3.0.0 — unified version bump for all ObjectStack packages.
-
-### Patch Changes
-
-- Updated dependencies
-  - @objectstack/spec@3.0.0
-  - @objectstack/core@3.0.0
-
-## 2.0.7
-
-### Patch Changes
-
-- Updated dependencies
-  - @objectstack/spec@2.0.7
-  - @objectstack/core@2.0.7
-
-## 2.0.6
-
-### Patch Changes
-
-- Patch release for maintenance and stability improvements
-- Updated dependencies
-  - @objectstack/spec@2.0.6
-  - @objectstack/core@2.0.6
-
-## 2.0.5
-
-### Patch Changes
-
-- Unify all package versions with a patch release
-- Updated dependencies
-  - @objectstack/spec@2.0.5
-  - @objectstack/core@2.0.5

package/src/field-masker.ts

@@ -1,75 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import type { FieldPermission } from '@objectstack/spec/security';
-
-/**
- * FieldMasker
- * 
- * Applies field-level security by stripping restricted fields from query results.
- */
-export class FieldMasker {
-  /**
-   * Mask fields in query results based on field permissions.
-   * Removes fields that the user does not have read access to.
-   */
-  maskResults(
-    results: any | any[],
-    fieldPermissions: Record<string, FieldPermission>,
-    _objectName: string
-  ): any | any[] {
-    // If no field permissions defined, return results as-is
-    if (Object.keys(fieldPermissions).length === 0) return results;
-
-    // Get list of non-readable fields
-    const hiddenFields = Object.entries(fieldPermissions)
-      .filter(([, perm]) => !perm.readable)
-      .map(([field]) => field);
-
-    if (hiddenFields.length === 0) return results;
-
-    if (Array.isArray(results)) {
-      return results.map(record => this.maskRecord(record, hiddenFields));
-    }
-
-    return this.maskRecord(results, hiddenFields);
-  }
-
-  /**
-   * Get non-editable fields for use in write operations.
-   * Returns a list of field names that should be stripped from incoming data.
-   */
-  getNonEditableFields(
-    fieldPermissions: Record<string, FieldPermission>
-  ): string[] {
-    return Object.entries(fieldPermissions)
-      .filter(([, perm]) => !perm.editable)
-      .map(([field]) => field);
-  }
-
-  /**
-   * Strip non-editable fields from write data.
-   */
-  stripNonEditableFields(
-    data: Record<string, any>,
-    fieldPermissions: Record<string, FieldPermission>
-  ): Record<string, any> {
-    const nonEditable = this.getNonEditableFields(fieldPermissions);
-    if (nonEditable.length === 0) return data;
-
-    const result = { ...data };
-    for (const field of nonEditable) {
-      delete result[field];
-    }
-    return result;
-  }
-
-  private maskRecord(record: any, hiddenFields: string[]): any {
-    if (!record || typeof record !== 'object') return record;
-
-    const result = { ...record };
-    for (const field of hiddenFields) {
-      delete result[field];
-    }
-    return result;
-  }
-}

package/src/index.ts

@@ -1,16 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-/**
- * @objectstack/plugin-security
- * 
- * Security Plugin for ObjectStack
- * Provides RBAC, Row-Level Security (RLS), and Field-Level Security runtime.
- */
-
-export { SecurityPlugin } from './security-plugin.js';
-export { PermissionEvaluator } from './permission-evaluator.js';
-export { RLSCompiler } from './rls-compiler.js';
-export { FieldMasker } from './field-masker.js';
-
-// System Object Definitions (sys namespace)
-export { SysRole, SysPermissionSet } from './objects/index.js';

package/src/objects/index.ts

@@ -1,10 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-/**
- * Security Plugin — System Object Definitions (sys namespace)
- *
- * Canonical ObjectSchema definitions for security-related system objects.
- */
-
-export { SysRole } from './sys-role.object.js';
-export { SysPermissionSet } from './sys-permission-set.object.js';

package/src/objects/sys-permission-set.object.ts

@@ -1,94 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
-/**
- * sys_permission_set — System Permission Set Object
- *
- * Named groupings of fine-grained permissions.
- * Permission sets can be assigned to roles or directly to users
- * for granular access control.
- *
- * @namespace sys
- */
-export const SysPermissionSet = ObjectSchema.create({
-  namespace: 'sys',
-  name: 'permission_set',
-  label: 'Permission Set',
-  pluralLabel: 'Permission Sets',
-  icon: 'lock',
-  isSystem: true,
-  description: 'Named permission groupings for fine-grained access control',
-  titleFormat: '{name}',
-  compactLayout: ['name', 'label', 'active'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Permission Set ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    name: Field.text({
-      label: 'API Name',
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: 'Unique machine name for the permission set',
-    }),
-    
-    label: Field.text({
-      label: 'Display Name',
-      required: true,
-      maxLength: 255,
-    }),
-    
-    description: Field.textarea({
-      label: 'Description',
-      required: false,
-    }),
-    
-    object_permissions: Field.textarea({
-      label: 'Object Permissions',
-      required: false,
-      description: 'JSON-serialized object-level CRUD permissions',
-    }),
-    
-    field_permissions: Field.textarea({
-      label: 'Field Permissions',
-      required: false,
-      description: 'JSON-serialized field-level read/write permissions',
-    }),
-    
-    active: Field.boolean({
-      label: 'Active',
-      defaultValue: true,
-    }),
-  },
-  
-  indexes: [
-    { fields: ['name'], unique: true },
-    { fields: ['active'] },
-  ],
-  
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
-    trash: true,
-    mru: true,
-  },
-});

package/src/objects/sys-role.object.ts

@@ -1,93 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import { ObjectSchema, Field } from '@objectstack/spec/data';
-
-/**
- * sys_role — System Role Object
- *
- * RBAC role definition for the ObjectStack platform.
- * Roles group permissions and are assigned to users or members.
- *
- * @namespace sys
- */
-export const SysRole = ObjectSchema.create({
-  namespace: 'sys',
-  name: 'role',
-  label: 'Role',
-  pluralLabel: 'Roles',
-  icon: 'shield',
-  isSystem: true,
-  description: 'Role definitions for RBAC access control',
-  titleFormat: '{name}',
-  compactLayout: ['name', 'label', 'active'],
-  
-  fields: {
-    id: Field.text({
-      label: 'Role ID',
-      required: true,
-      readonly: true,
-    }),
-    
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    updated_at: Field.datetime({
-      label: 'Updated At',
-      defaultValue: 'NOW()',
-      readonly: true,
-    }),
-    
-    name: Field.text({
-      label: 'API Name',
-      required: true,
-      searchable: true,
-      maxLength: 100,
-      description: 'Unique machine name for the role (e.g. admin, editor, viewer)',
-    }),
-    
-    label: Field.text({
-      label: 'Display Name',
-      required: true,
-      maxLength: 255,
-    }),
-    
-    description: Field.textarea({
-      label: 'Description',
-      required: false,
-    }),
-    
-    permissions: Field.textarea({
-      label: 'Permissions',
-      required: false,
-      description: 'JSON-serialized array of permission strings',
-    }),
-    
-    active: Field.boolean({
-      label: 'Active',
-      defaultValue: true,
-    }),
-    
-    is_default: Field.boolean({
-      label: 'Default Role',
-      defaultValue: false,
-      description: 'Automatically assigned to new users',
-    }),
-  },
-  
-  indexes: [
-    { fields: ['name'], unique: true },
-    { fields: ['active'] },
-  ],
-  
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
-    trash: true,
-    mru: true,
-  },
-});

package/src/permission-evaluator.ts

@@ -1,112 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-
-import type { PermissionSet, ObjectPermission, FieldPermission } from '@objectstack/spec/security';
-
-/**
- * Operation type mapping to permission checks
- */
-const OPERATION_TO_PERMISSION: Record<string, keyof ObjectPermission> = {
-  find: 'allowRead',
-  findOne: 'allowRead',
-  count: 'allowRead',
-  aggregate: 'allowRead',
-  insert: 'allowCreate',
-  update: 'allowEdit',
-  delete: 'allowDelete',
-};
-
-/**
- * PermissionEvaluator
- * 
- * Runtime evaluator for PermissionSet definitions.
- * Resolves aggregated permissions from roles to concrete allow/deny decisions.
- */
-export class PermissionEvaluator {
-  /**
-   * Check if an operation is allowed on an object for the given permission sets.
-   * Uses "most permissive" merging: if ANY permission set allows, it's allowed.
-   */
-  checkObjectPermission(
-    operation: string,
-    objectName: string,
-    permissionSets: PermissionSet[]
-  ): boolean {
-    const permKey = OPERATION_TO_PERMISSION[operation];
-    if (!permKey) return true; // Unknown operations are allowed by default
-
-    for (const ps of permissionSets) {
-      const objPerm = ps.objects?.[objectName];
-      if (objPerm) {
-        // Check if modifyAllRecords is set (super-user bypass for write ops)
-        if (['allowEdit', 'allowDelete'].includes(permKey) && objPerm.modifyAllRecords) {
-          return true;
-        }
-        // Check if viewAllRecords is set (super-user bypass for read ops)
-        if (permKey === 'allowRead' && (objPerm.viewAllRecords || objPerm.modifyAllRecords)) {
-          return true;
-        }
-        // Check the specific permission
-        if (objPerm[permKey]) {
-          return true;
-        }
-      }
-    }
-
-    return false;
-  }
-
-  /**
-   * Get the merged field permissions for an object.
-   * Returns a map of field names to their effective permissions.
-   * Uses "most permissive" merging.
-   */
-  getFieldPermissions(
-    objectName: string,
-    permissionSets: PermissionSet[]
-  ): Record<string, FieldPermission> {
-    const result: Record<string, FieldPermission> = {};
-
-    for (const ps of permissionSets) {
-      if (!ps.fields) continue;
-
-      for (const [key, perm] of Object.entries(ps.fields)) {
-        // Field keys are in format: "object_name.field_name"
-        if (!key.startsWith(`${objectName}.`)) continue;
-        const fieldName = key.substring(objectName.length + 1);
-
-        if (!result[fieldName]) {
-          result[fieldName] = { readable: false, editable: false };
-        }
-
-        // Most permissive merge
-        if (perm.readable) result[fieldName].readable = true;
-        if (perm.editable) result[fieldName].editable = true;
-      }
-    }
-
-    return result;
-  }
-
-  /**
-   * Resolve permission sets for a list of role names from metadata.
-   */
-  resolvePermissionSets(
-    roles: string[],
-    metadataService: any
-  ): PermissionSet[] {
-    const result: PermissionSet[] = [];
-
-    // Get all permission sets from metadata
-    const allPermSets = metadataService.list?.('permissions') || [];
-
-    for (const ps of allPermSets) {
-      // A permission set is relevant if it's a profile assigned to any of the user's roles,
-      // or if the role name matches the permission set name
-      if (roles.includes(ps.name)) {
-        result.push(ps);
-      }
-    }
-
-    return result;
-  }
-}