@objectstack/plugin-security 6.8.0 → 6.9.0

package/dist/index.mjs

@@ -339,6 +339,7 @@ function genId(prefix) {
 }
 async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {}) {
   const logger = options.logger;
+  const multiTenant = options.multiTenant === true;
   if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
     return { seeded: 0, adminPromoted: false, reason: "objectql_unavailable" };
   }
@@ -400,7 +401,48 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
     return { seeded: seededCount, adminPromoted: false, reason: "insert_failed" };
   }
   logger?.info?.(`[security] first user promoted to platform admin: ${target.email ?? target.id}`);
-  return { seeded: seededCount, adminPromoted: true };
+  let defaultOrgCreated = false;
+  let defaultOrgId;
+  if (multiTenant) {
+    const memberships = await tryFind(ql, "sys_member", { user_id: target.id }, 1);
+    if (memberships.length === 0) {
+      const existingDefault = await tryFind(ql, "sys_organization", { slug: "default" }, 1);
+      if (existingDefault.length > 0 && existingDefault[0].id) {
+        defaultOrgId = String(existingDefault[0].id);
+      } else {
+        const newOrgId = genId("org");
+        const orgRow = await tryInsert(ql, "sys_organization", {
+          id: newOrgId,
+          name: "Default Organization",
+          slug: "default",
+          logo: null,
+          metadata: null
+        });
+        if (orgRow) {
+          defaultOrgId = orgRow?.id ?? newOrgId;
+          defaultOrgCreated = true;
+        } else {
+          logger?.warn?.("[security] failed to create default organization for platform admin");
+        }
+      }
+      if (defaultOrgId) {
+        const memRow = await tryInsert(ql, "sys_member", {
+          id: genId("mem"),
+          organization_id: defaultOrgId,
+          user_id: target.id,
+          role: "owner"
+        });
+        if (memRow) {
+          logger?.info?.(
+            `[security] bound platform admin to default organization (${defaultOrgId}): ${target.email ?? target.id}`
+          );
+        } else {
+          logger?.warn?.("[security] failed to bind platform admin to default organization");
+        }
+      }
+    }
+  }
+  return { seeded: seededCount, adminPromoted: true, defaultOrgCreated, defaultOrgId };
 }
 
 // src/claim-orphan-tenant-rows.ts
@@ -649,126 +691,6 @@ async function cloneTenantSeedData(ql, targetOrgId, options = {}) {
   return summary;
 }
 
-// src/ensure-user-has-organization.ts
-var SYSTEM_CTX4 = { isSystem: true };
-function genId2(prefix) {
-  const rand = Math.random().toString(36).slice(2, 10);
-  const ts = Date.now().toString(36);
-  return `${prefix}_${ts}${rand}`;
-}
-function slugify(input, fallback = "workspace") {
-  const cleaned = input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
-  return cleaned || fallback;
-}
-function deriveSlugFallback(user) {
-  if (user.email) {
-    const local = user.email.split("@")[0] ?? "";
-    const localSlug = local.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
-    if (localSlug) return localSlug;
-  }
-  const idTail = user.id.replace(/[^a-z0-9]/gi, "").slice(-8).toLowerCase();
-  return idTail ? `user-${idTail}` : "user";
-}
-function deriveBaseName(user) {
-  if (user.name && user.name.trim()) return user.name.trim();
-  if (user.email) {
-    const local = user.email.split("@")[0];
-    if (local) return local;
-  }
-  return user.id;
-}
-async function tryFind2(ql, object, where, limit = 1) {
-  try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX4 });
-    return Array.isArray(rows) ? rows : [];
-  } catch {
-    return [];
-  }
-}
-async function ensureUserHasOrganization(ql, user, options = {}) {
-  const logger = options.logger;
-  const cloneSeedData = options.cloneSeedData;
-  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
-    return { created: false, reason: "objectql_unavailable" };
-  }
-  if (!user?.id) return { created: false, reason: "invalid_user" };
-  const existing = await tryFind2(ql, "sys_member", { user_id: user.id }, 1);
-  if (existing.length > 0) {
-    return { created: false, reason: "already_member" };
-  }
-  const base = deriveBaseName(user);
-  const orgName = `${base}'s Workspace`;
-  const slugFallback = deriveSlugFallback(user);
-  const baseSlug = slugify(base, slugFallback);
-  let slug = `${baseSlug}-workspace`;
-  for (let attempt = 1; attempt <= 5; attempt += 1) {
-    const collision = await tryFind2(ql, "sys_organization", { slug }, 1);
-    if (collision.length === 0) break;
-    slug = `${baseSlug}-workspace-${attempt + 1}`;
-    if (attempt === 5) {
-      logger?.warn?.(
-        `[security] could not find a free slug for personal org of ${user.email ?? user.id}`
-      );
-      return { created: false, reason: "slug_exhausted" };
-    }
-  }
-  const orgId = genId2("org");
-  let orgRow = null;
-  try {
-    orgRow = await ql.insert(
-      "sys_organization",
-      { id: orgId, name: orgName, slug, logo: null, metadata: null },
-      { context: SYSTEM_CTX4 }
-    );
-  } catch (e) {
-    logger?.warn?.(`[security] failed to create personal org for ${user.email ?? user.id}`, {
-      error: e.message
-    });
-    return { created: false, reason: "org_insert_failed" };
-  }
-  const finalOrgId = orgRow?.id ?? orgId;
-  try {
-    await ql.insert(
-      "sys_member",
-      {
-        id: genId2("mem"),
-        organization_id: finalOrgId,
-        user_id: user.id,
-        role: "owner"
-      },
-      { context: SYSTEM_CTX4 }
-    );
-  } catch (e) {
-    logger?.warn?.(`[security] failed to create owner-member row for ${user.email ?? user.id}`, {
-      error: e.message
-    });
-    return { created: false, reason: "member_insert_failed", organizationId: finalOrgId };
-  }
-  logger?.info?.(
-    `[security] created personal organization "${orgName}" (${finalOrgId}) for ${user.email ?? user.id}`
-  );
-  if (cloneSeedData) {
-    void cloneSeedData(ql, finalOrgId, { logger }).then(
-      (summary) => {
-        if (summary.length > 0) {
-          const total = summary.reduce((s, c) => s + c.count, 0);
-          logger?.info?.(
-            `[security] cloned ${total} seed row(s) into personal organization ${finalOrgId}`,
-            { breakdown: summary }
-          );
-        }
-      },
-      (e) => {
-        logger?.warn?.("[security] cloneTenantSeedData failed", {
-          organizationId: finalOrgId,
-          error: e.message
-        });
-      }
-    );
-  }
-  return { created: true, organizationId: finalOrgId };
-}
-
 // src/manifest.ts
 import {
   SysPermissionSet,
@@ -1009,7 +931,8 @@ var SecurityPlugin = class {
     const runBootstrap = async () => {
       try {
         const report = await bootstrapPlatformAdmin(ql, this.bootstrapPermissionSets, {
-          logger: ctx.logger
+          logger: ctx.logger,
+          multiTenant: this.multiTenant
         });
         bootstrapRanOnce = true;
         ctx.logger.info("[security] platform bootstrap complete", report);
@@ -1030,21 +953,6 @@ var SecurityPlugin = class {
         if (bootstrapRanOnce) {
           await runBootstrap();
         }
-        if (this.multiTenant) {
-          const newUser = opCtx?.result ?? opCtx?.data;
-          if (newUser?.id) {
-            try {
-              await ensureUserHasOrganization(ql, newUser, {
-                logger: ctx.logger,
-                cloneSeedData: cloneTenantSeedData
-              });
-            } catch (e) {
-              ctx.logger.warn("[security] ensure-user-has-organization failed", {
-                error: e.message
-              });
-            }
-          }
-        }
       }
     });
     if (this.multiTenant) {
@@ -1221,7 +1129,6 @@ export {
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
   cloneTenantSeedData,
-  ensureUserHasOrganization,
   isPermissionDeniedError,
   securityDefaultPermissionSets,
   securityObjects,