@objectstack/plugin-security 6.8.1 → 7.0.0

package/dist/index.mjs

@@ -358,6 +358,16 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
       description: ps.description ?? null,
       object_permissions: JSON.stringify(ps.objects ?? {}),
       field_permissions: JSON.stringify(ps.fields ?? {}),
+      // Persist the remaining permset facets so the runtime resolver
+      // (rest-server.ts / resolve-execution-context.ts) can hydrate
+      // them back into ExecutionContext.systemPermissions etc. Without
+      // these the platform-admin promotion grants the right LINK row
+      // but the permission set itself carries no capabilities, so
+      // `setup.access` / `studio.access` never reach the app filter
+      // and the Setup app is invisible even to admin_full_access.
+      system_permissions: JSON.stringify(ps.systemPermissions ?? []),
+      row_level_security: JSON.stringify(ps.rowLevelSecurity ?? []),
+      tab_permissions: JSON.stringify(ps.tabPermissions ?? {}),
       active: true
     });
     if (created?.id) seeded[ps.name] = created.id;
@@ -403,370 +413,172 @@ async function bootstrapPlatformAdmin(ql, bootstrapPermissionSets, options = {})
   return { seeded: seededCount, adminPromoted: true };
 }
 
-// src/claim-orphan-tenant-rows.ts
+// src/auto-org-admin-grant.ts
 var SYSTEM_CTX2 = { isSystem: true };
-function hasOrganizationField(schema) {
-  const fields = schema?.fields;
-  if (!fields) return false;
-  if (Array.isArray(fields)) {
-    return fields.some((f) => f?.name === "organization_id");
-  }
-  return Object.prototype.hasOwnProperty.call(fields, "organization_id");
+var PERMISSION_SET_NAME = "organization_admin";
+function genId2(prefix) {
+  const rand = Math.random().toString(36).slice(2, 10);
+  const ts = Date.now().toString(36);
+  return `${prefix}_${ts}${rand}`;
 }
-async function claimOrphanTenantRows(ql, organizationId, options = {}) {
-  const logger = options.logger;
-  if (!ql || typeof ql.update !== "function" || typeof ql.find !== "function") {
-    return [];
-  }
-  const registry = ql.registry;
-  if (!registry || typeof registry.getAllObjects !== "function") {
-    logger?.warn?.("[security] claimOrphanTenantRows: registry unavailable");
+async function tryFind2(ql, object, where, limit = 50) {
+  try {
+    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX2 });
+    return Array.isArray(rows) ? rows : Array.isArray(rows?.records) ? rows.records : [];
+  } catch {
     return [];
   }
-  const schemas = registry.getAllObjects();
-  const results = [];
-  for (const schema of schemas) {
-    if (!schema?.name) continue;
-    if (schema.managedBy) continue;
-    if (schema.name.startsWith("sys_")) continue;
-    if (!hasOrganizationField(schema)) continue;
-    try {
-      const orphans = await ql.find(
-        schema.name,
-        { where: { organization_id: null }, limit: 1e4, fields: ["id"] },
-        { context: SYSTEM_CTX2 }
-      );
-      const list = Array.isArray(orphans) ? orphans : Array.isArray(orphans?.records) ? orphans.records : [];
-      if (list.length === 0) continue;
-      let updated = 0;
-      for (const row of list) {
-        if (!row?.id) continue;
-        try {
-          await ql.update(
-            schema.name,
-            { id: row.id, organization_id: organizationId },
-            { context: SYSTEM_CTX2 }
-          );
-          updated += 1;
-        } catch (e) {
-          logger?.warn?.(`[security] claim failed for ${schema.name}:${row.id}`, {
-            error: e.message
-          });
-        }
-      }
-      if (updated > 0) {
-        results.push({ object: schema.name, count: updated });
-      }
-    } catch (e) {
-      logger?.warn?.(`[security] claim scan failed for ${schema.name}`, {
-        error: e.message
-      });
-    }
-  }
-  if (results.length > 0) {
-    const total = results.reduce((s, r) => s + r.count, 0);
-    logger?.info?.(`[security] claimed ${total} orphan seed row(s) for organization ${organizationId}`, {
-      breakdown: results
-    });
-  }
-  return results;
-}
-
-// src/clone-tenant-seed-data.ts
-var SYSTEM_CTX3 = { isSystem: true };
-var SKIP_COPY_FIELDS = /* @__PURE__ */ new Set([
-  "id",
-  "created_at",
-  "updated_at",
-  "organization_id"
-]);
-var SKIP_COPY_TYPES = /* @__PURE__ */ new Set(["formula", "summary"]);
-function fieldList(schema) {
-  const fields = schema?.fields;
-  if (!fields) return [];
-  if (Array.isArray(fields)) {
-    return fields.map((f) => ({
-      name: f?.name,
-      type: f?.type,
-      reference: f?.reference,
-      multiple: f?.multiple,
-      unique: f?.unique
-    }));
-  }
-  return Object.entries(fields).map(([name, f]) => ({
-    name,
-    type: f?.type,
-    reference: f?.reference,
-    multiple: f?.multiple,
-    unique: f?.unique
-  }));
-}
-function isLookupField(f) {
-  return (f.type === "lookup" || f.type === "master_detail" || f.type === "tree") && !!f.reference;
-}
-function hasOrgField(schema) {
-  return fieldList(schema).some((f) => f.name === "organization_id");
 }
-function shortId() {
-  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
-  let out = "";
-  for (let i = 0; i < 16; i++) {
-    out += alphabet[Math.floor(Math.random() * alphabet.length)];
+async function tryInsert2(ql, object, data) {
+  try {
+    return await ql.insert(object, data, { context: SYSTEM_CTX2 });
+  } catch {
+    return null;
   }
-  return out;
 }
-async function findDonorOrgId(ql) {
+async function tryDelete(ql, object, id) {
   try {
-    const res = await ql.find(
-      "sys_organization",
-      { orderBy: { created_at: "asc" }, limit: 1, fields: ["id"] },
-      { context: SYSTEM_CTX3 }
-    );
-    const list = Array.isArray(res) ? res : Array.isArray(res?.records) ? res.records : [];
-    return list[0]?.id ?? null;
+    await ql.delete(object, id, { context: SYSTEM_CTX2 });
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
-async function cloneTenantSeedData(ql, targetOrgId, options = {}) {
+function parseRoles(raw) {
+  if (typeof raw !== "string") return [];
+  return raw.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0);
+}
+function isAdminRole(raw) {
+  const roles = parseRoles(raw);
+  return roles.includes("owner") || roles.includes("admin");
+}
+var permissionSetIdCache = /* @__PURE__ */ new WeakMap();
+async function resolvePermissionSetId(ql) {
+  const cached = permissionSetIdCache.get(ql);
+  if (cached) return cached;
+  const rows = await tryFind2(ql, "sys_permission_set", { name: PERMISSION_SET_NAME }, 1);
+  const id = rows[0]?.id;
+  if (typeof id === "string" && id.length > 0) {
+    permissionSetIdCache.set(ql, id);
+    return id;
+  }
+  return null;
+}
+async function reconcileOrgAdminGrant(ql, userId, orgId, options = {}) {
   const logger = options.logger;
   if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
-    return [];
+    return { action: "skipped", reason: "objectql_unavailable" };
   }
-  const registry = ql.registry;
-  if (!registry || typeof registry.getAllObjects !== "function") {
-    logger?.warn?.("[security] cloneTenantSeedData: registry unavailable");
-    return [];
+  if (!userId || !orgId) {
+    return { action: "skipped", reason: "missing_keys" };
   }
-  const donorOrgId = await findDonorOrgId(ql);
-  if (!donorOrgId) return [];
-  if (donorOrgId === targetOrgId) return [];
-  const schemas = registry.getAllObjects().filter(
-    (s) => s?.name && !s.managedBy && !s.name.startsWith("sys_") && hasOrgField(s)
-  );
-  const remap = {};
-  const summary = [];
-  const inserted = [];
-  for (const schema of schemas) {
-    const objectName = schema.name;
-    try {
-      const existing = await ql.find(
-        objectName,
-        { where: { organization_id: targetOrgId }, limit: 1, fields: ["id"] },
-        { context: SYSTEM_CTX3 }
-      );
-      const existingList = Array.isArray(existing) ? existing : Array.isArray(existing?.records) ? existing.records : [];
-      if (existingList.length > 0) {
-        continue;
-      }
-      const donorRows = await ql.find(
-        objectName,
-        { where: { organization_id: donorOrgId }, limit: 1e4 },
-        { context: SYSTEM_CTX3 }
-      );
-      const rows = Array.isArray(donorRows) ? donorRows : Array.isArray(donorRows?.records) ? donorRows.records : [];
-      if (rows.length === 0) continue;
-      const fields = fieldList(schema);
-      const lookups = fields.filter(isLookupField);
-      const uniqueFields = fields.filter((f) => f.unique && !SKIP_COPY_FIELDS.has(f.name));
-      const objectRemap = remap[objectName] ?? (remap[objectName] = {});
-      let cloned = 0;
-      for (const row of rows) {
-        const newId = shortId();
-        const data = { id: newId, organization_id: targetOrgId };
-        for (const f of fields) {
-          if (SKIP_COPY_FIELDS.has(f.name)) continue;
-          if (f.type && SKIP_COPY_TYPES.has(f.type)) continue;
-          if (row[f.name] === void 0) continue;
-          data[f.name] = row[f.name];
-        }
-        const suffix = `+${targetOrgId.slice(-6)}`;
-        for (const uf of uniqueFields) {
-          const v = data[uf.name];
-          if (typeof v !== "string" || !v) continue;
-          if (uf.type === "email" && v.includes("@")) {
-            const [local, domain] = v.split("@");
-            data[uf.name] = `clone-${targetOrgId.slice(-6)}-${local}@${domain}`;
-          } else {
-            data[uf.name] = `${v}${suffix}`;
-          }
-        }
-        try {
-          await ql.insert(objectName, data, { context: SYSTEM_CTX3 });
-          objectRemap[row.id] = newId;
-          inserted.push({ object: objectName, newId, record: data, lookups });
-          cloned++;
-        } catch (e) {
-          logger?.warn?.("[security] cloneTenantSeedData: insert failed", {
-            object: objectName,
-            error: e.message
-          });
-        }
-      }
-      if (cloned > 0) summary.push({ object: objectName, count: cloned });
-    } catch (e) {
-      logger?.warn?.("[security] cloneTenantSeedData: object failed", {
-        object: objectName,
-        error: e.message
-      });
-    }
+  const permSetId = await resolvePermissionSetId(ql);
+  if (!permSetId) {
+    return { action: "skipped", reason: "permission_set_missing" };
   }
-  for (const item of inserted) {
-    if (item.lookups.length === 0) continue;
-    const patch = {};
-    let dirty = false;
-    for (const f of item.lookups) {
-      const oldVal = item.record[f.name];
-      if (oldVal == null) continue;
-      const targetMap = remap[f.reference];
-      if (Array.isArray(oldVal)) {
-        const next = oldVal.map((v) => typeof v === "string" && targetMap?.[v] || null).filter((v) => v != null);
-        if (next.length !== oldVal.length || next.some((v, i) => v !== oldVal[i])) {
-          patch[f.name] = next.length > 0 ? next : null;
-          dirty = true;
-        }
-      } else if (typeof oldVal === "string") {
-        if (targetMap && targetMap[oldVal]) {
-          patch[f.name] = targetMap[oldVal];
-          dirty = true;
-        } else {
-          patch[f.name] = null;
-          dirty = true;
-        }
+  const memberships = await tryFind2(
+    ql,
+    "sys_member",
+    { user_id: userId, organization_id: orgId },
+    10
+  );
+  const shouldGrant = memberships.some((m) => isAdminRole(m?.role));
+  const existingGrants = await tryFind2(
+    ql,
+    "sys_user_permission_set",
+    { user_id: userId, organization_id: orgId, permission_set_id: permSetId },
+    5
+  );
+  if (shouldGrant) {
+    if (existingGrants.length > 0) {
+      for (const extra of existingGrants.slice(1)) {
+        if (extra?.id) await tryDelete(ql, "sys_user_permission_set", String(extra.id));
       }
+      return { action: "noop" };
     }
-    if (!dirty) continue;
-    try {
-      await ql.update(item.object, { id: item.newId, ...patch }, { context: SYSTEM_CTX3 });
-    } catch (e) {
-      logger?.warn?.("[security] cloneTenantSeedData: lookup remap failed", {
-        object: item.object,
-        id: item.newId,
-        error: e.message
-      });
+    const created = await tryInsert2(ql, "sys_user_permission_set", {
+      id: genId2("ups"),
+      user_id: userId,
+      permission_set_id: permSetId,
+      organization_id: orgId,
+      granted_by: null
+    });
+    if (created) {
+      logger?.info?.("[security] granted organization_admin", { userId, orgId });
+      return { action: "granted" };
     }
+    return { action: "skipped", reason: "insert_failed" };
   }
-  return summary;
-}
-
-// src/ensure-user-has-organization.ts
-var SYSTEM_CTX4 = { isSystem: true };
-function genId2(prefix) {
-  const rand = Math.random().toString(36).slice(2, 10);
-  const ts = Date.now().toString(36);
-  return `${prefix}_${ts}${rand}`;
-}
-function slugify(input, fallback = "workspace") {
-  const cleaned = input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
-  return cleaned || fallback;
-}
-function deriveSlugFallback(user) {
-  if (user.email) {
-    const local = user.email.split("@")[0] ?? "";
-    const localSlug = local.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40);
-    if (localSlug) return localSlug;
+  if (existingGrants.length === 0) {
+    return { action: "noop" };
   }
-  const idTail = user.id.replace(/[^a-z0-9]/gi, "").slice(-8).toLowerCase();
-  return idTail ? `user-${idTail}` : "user";
-}
-function deriveBaseName(user) {
-  if (user.name && user.name.trim()) return user.name.trim();
-  if (user.email) {
-    const local = user.email.split("@")[0];
-    if (local) return local;
+  let removed = 0;
+  for (const row of existingGrants) {
+    if (row?.id && await tryDelete(ql, "sys_user_permission_set", String(row.id))) {
+      removed += 1;
+    }
   }
-  return user.id;
-}
-async function tryFind2(ql, object, where, limit = 1) {
-  try {
-    const rows = await ql.find(object, { where, limit }, { context: SYSTEM_CTX4 });
-    return Array.isArray(rows) ? rows : [];
-  } catch {
-    return [];
+  if (removed > 0) {
+    logger?.info?.("[security] revoked organization_admin", { userId, orgId, removed });
+    return { action: "revoked" };
   }
+  return { action: "skipped", reason: "delete_failed" };
 }
-async function ensureUserHasOrganization(ql, user, options = {}) {
+async function backfillOrgAdminGrants(ql, options = {}) {
   const logger = options.logger;
-  const cloneSeedData = options.cloneSeedData;
-  if (!ql || typeof ql.find !== "function" || typeof ql.insert !== "function") {
-    return { created: false, reason: "objectql_unavailable" };
-  }
-  if (!user?.id) return { created: false, reason: "invalid_user" };
-  const existing = await tryFind2(ql, "sys_member", { user_id: user.id }, 1);
-  if (existing.length > 0) {
-    return { created: false, reason: "already_member" };
-  }
-  const base = deriveBaseName(user);
-  const orgName = `${base}'s Workspace`;
-  const slugFallback = deriveSlugFallback(user);
-  const baseSlug = slugify(base, slugFallback);
-  let slug = `${baseSlug}-workspace`;
-  for (let attempt = 1; attempt <= 5; attempt += 1) {
-    const collision = await tryFind2(ql, "sys_organization", { slug }, 1);
-    if (collision.length === 0) break;
-    slug = `${baseSlug}-workspace-${attempt + 1}`;
-    if (attempt === 5) {
-      logger?.warn?.(
-        `[security] could not find a free slug for personal org of ${user.email ?? user.id}`
-      );
-      return { created: false, reason: "slug_exhausted" };
-    }
-  }
-  const orgId = genId2("org");
-  let orgRow = null;
-  try {
-    orgRow = await ql.insert(
-      "sys_organization",
-      { id: orgId, name: orgName, slug, logo: null, metadata: null },
-      { context: SYSTEM_CTX4 }
-    );
-  } catch (e) {
-    logger?.warn?.(`[security] failed to create personal org for ${user.email ?? user.id}`, {
-      error: e.message
-    });
-    return { created: false, reason: "org_insert_failed" };
-  }
-  const finalOrgId = orgRow?.id ?? orgId;
-  try {
-    await ql.insert(
-      "sys_member",
-      {
-        id: genId2("mem"),
-        organization_id: finalOrgId,
-        user_id: user.id,
-        role: "owner"
-      },
-      { context: SYSTEM_CTX4 }
-    );
-  } catch (e) {
-    logger?.warn?.(`[security] failed to create owner-member row for ${user.email ?? user.id}`, {
-      error: e.message
-    });
-    return { created: false, reason: "member_insert_failed", organizationId: finalOrgId };
-  }
-  logger?.info?.(
-    `[security] created personal organization "${orgName}" (${finalOrgId}) for ${user.email ?? user.id}`
+  const limit = options.limit ?? 5e3;
+  const summary = { scanned: 0, granted: 0, revoked: 0, skipped: 0 };
+  if (!ql || typeof ql.find !== "function") return summary;
+  const permSetId = await resolvePermissionSetId(ql);
+  if (!permSetId) {
+    logger?.debug?.("[security] organization_admin backfill skipped \u2014 permission set missing");
+    return summary;
+  }
+  const members = await tryFind2(ql, "sys_member", {}, limit);
+  const seen = /* @__PURE__ */ new Set();
+  for (const m of members) {
+    const userId = String(m?.user_id ?? "");
+    const orgId = String(m?.organization_id ?? "");
+    if (!userId || !orgId) continue;
+    const key = `${userId}|${orgId}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    summary.scanned += 1;
+    const res = await reconcileOrgAdminGrant(ql, userId, orgId, { logger });
+    if (res.action === "granted") summary.granted += 1;
+    else if (res.action === "revoked") summary.revoked += 1;
+    else if (res.action === "skipped") summary.skipped += 1;
+  }
+  const allGrants = await tryFind2(
+    ql,
+    "sys_user_permission_set",
+    { permission_set_id: permSetId },
+    limit
   );
-  if (cloneSeedData) {
-    void cloneSeedData(ql, finalOrgId, { logger }).then(
-      (summary) => {
-        if (summary.length > 0) {
-          const total = summary.reduce((s, c) => s + c.count, 0);
-          logger?.info?.(
-            `[security] cloned ${total} seed row(s) into personal organization ${finalOrgId}`,
-            { breakdown: summary }
-          );
-        }
-      },
-      (e) => {
-        logger?.warn?.("[security] cloneTenantSeedData failed", {
-          organizationId: finalOrgId,
-          error: e.message
-        });
-      }
-    );
-  }
-  return { created: true, organizationId: finalOrgId };
+  for (const g of allGrants) {
+    const userId = String(g?.user_id ?? "");
+    const orgId = String(g?.organization_id ?? "");
+    if (!userId || !orgId) continue;
+    const key = `${userId}|${orgId}`;
+    if (seen.has(key)) continue;
+    const res = await reconcileOrgAdminGrant(ql, userId, orgId, { logger });
+    if (res.action === "revoked") summary.revoked += 1;
+  }
+  logger?.info?.("[security] organization_admin backfill complete", summary);
+  return summary;
+}
+function extractMemberPairs(opCtx) {
+  const out = /* @__PURE__ */ new Map();
+  const add = (userId, orgId) => {
+    if (typeof userId === "string" && typeof orgId === "string" && userId && orgId) {
+      out.set(`${userId}|${orgId}`, { userId, orgId });
+    }
+  };
+  add(opCtx?.result?.user_id, opCtx?.result?.organization_id);
+  add(opCtx?.data?.user_id, opCtx?.data?.organization_id);
+  add(opCtx?.before?.user_id, opCtx?.before?.organization_id);
+  add(opCtx?.existing?.user_id, opCtx?.existing?.organization_id);
+  return Array.from(out.values());
 }
 
 // src/manifest.ts
@@ -807,6 +619,15 @@ var SecurityPlugin = class {
     this.permissionEvaluator = new PermissionEvaluator();
     this.rlsCompiler = new RLSCompiler();
     this.fieldMasker = new FieldMasker();
+    /**
+     * Runtime probe — set in `start()` from
+     * `ctx.getService('org-scoping')`. When `false`, wildcard RLS
+     * policies that reference `current_user.organization_id` are
+     * stripped from the per-request policy set (saves the
+     * field-existence safety net cost on every find in single-tenant
+     * deployments). When `true`, the policies apply normally.
+     */
+    this.orgScopingEnabled = false;
     /**
      * Per-object field-name cache. Populated lazily from the metadata
      * service / ObjectQL registry on first access per object. Schemas are
@@ -828,7 +649,6 @@ var SecurityPlugin = class {
     this.tenancyDisabledCache = /* @__PURE__ */ new Map();
     this.bootstrapPermissionSets = options.defaultPermissionSets ?? securityDefaultPermissionSets;
     this.fallbackPermissionSet = options.fallbackPermissionSet === void 0 ? "member_default" : options.fallbackPermissionSet;
-    this.multiTenant = options.multiTenant !== false;
   }
   async init(ctx) {
     ctx.logger.info("Initializing Security Plugin...");
@@ -864,6 +684,21 @@ var SecurityPlugin = class {
       ctx.logger.warn("ObjectQL engine does not support middleware, security middleware not registered");
       return;
     }
+    try {
+      const orgScoping = ctx.getService("org-scoping");
+      this.orgScopingEnabled = !!orgScoping;
+    } catch {
+      this.orgScopingEnabled = false;
+    }
+    if (this.orgScopingEnabled) {
+      ctx.logger.info(
+        "[security] org-scoping plugin detected \u2014 wildcard `organization_id` RLS policies will apply"
+      );
+    } else {
+      ctx.logger.info(
+        "[security] org-scoping plugin not present \u2014 wildcard `organization_id` RLS policies will be stripped (single-tenant mode)"
+      );
+    }
     const dbLoader = ql ? async (names) => {
       let rows;
       try {
@@ -953,19 +788,12 @@ var SecurityPlugin = class {
           }
         }
       }
-      if (opCtx.operation === "insert" && opCtx.data && typeof opCtx.data === "object" && !Array.isArray(opCtx.data)) {
-        const needsTenant = this.multiTenant && !!opCtx.context?.tenantId;
-        const needsOwner = !!opCtx.context?.userId;
-        if (needsTenant || needsOwner) {
-          const fields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
-          if (fields) {
-            const data = opCtx.data;
-            if (needsTenant && fields.has("organization_id") && (data.organization_id == null || data.organization_id === "")) {
-              data.organization_id = opCtx.context.tenantId;
-            }
-            if (needsOwner && fields.has("owner_id") && (data.owner_id == null || data.owner_id === "")) {
-              data.owner_id = opCtx.context.userId;
-            }
+      if (opCtx.operation === "insert" && opCtx.data && typeof opCtx.data === "object" && !Array.isArray(opCtx.data) && !!opCtx.context?.userId) {
+        const fields = await this.getObjectFieldNames(metadata, opCtx.object, ql);
+        if (fields) {
+          const data = opCtx.data;
+          if (fields.has("owner_id") && (data.owner_id == null || data.owner_id === "")) {
+            data.owner_id = opCtx.context.userId;
           }
         }
       }
@@ -1030,113 +858,41 @@ var SecurityPlugin = class {
         if (bootstrapRanOnce) {
           await runBootstrap();
         }
-        if (this.multiTenant) {
-          const newUser = opCtx?.result ?? opCtx?.data;
-          if (newUser?.id) {
-            try {
-              await ensureUserHasOrganization(ql, newUser, {
-                logger: ctx.logger,
-                cloneSeedData: cloneTenantSeedData
-              });
-            } catch (e) {
-              ctx.logger.warn("[security] ensure-user-has-organization failed", {
-                error: e.message
-              });
-            }
-          }
-        }
       }
     });
-    if (this.multiTenant) {
-      ql.registerMiddleware(async (opCtx, next) => {
-        await next();
-        if (opCtx?.object !== "sys_organization" || opCtx?.operation !== "create" && opCtx?.operation !== "insert") {
-          return;
-        }
-        const newOrgId = opCtx?.result?.id ?? opCtx?.data?.id;
-        if (!newOrgId) return;
-        const kernel = ctx.kernel ?? ctx;
-        let datasets;
-        try {
-          const raw = kernel?.getService?.("seed-datasets");
-          if (Array.isArray(raw) && raw.length > 0) datasets = raw;
-        } catch {
-        }
-        let orgCount = 0;
-        try {
-          const allOrgs = await ql.find(
-            "sys_organization",
-            { limit: 2, fields: ["id"] },
-            { context: { isSystem: true } }
-          );
-          const list = Array.isArray(allOrgs) ? allOrgs : Array.isArray(allOrgs?.records) ? allOrgs.records : [];
-          orgCount = list.length;
-        } catch (e) {
-          ctx.logger.warn("[security] failed to count organizations", {
-            error: e.message
-          });
-        }
-        let replayed = false;
+    ql.registerMiddleware(async (opCtx, next) => {
+      await next();
+      if (opCtx?.object !== "sys_member") return;
+      const op = opCtx?.operation;
+      if (op !== "insert" && op !== "create" && op !== "update" && op !== "delete" && op !== "remove") {
+        return;
+      }
+      const pairs = extractMemberPairs(opCtx);
+      for (const { userId, orgId } of pairs) {
         try {
-          const replayer = kernel?.getService?.("seed-replayer");
-          if (typeof replayer === "function") {
-            const summary = await replayer(newOrgId);
-            const total = (summary?.inserted ?? 0) + (summary?.updated ?? 0);
-            ctx.logger.info(
-              `[security] per-org seed replay for ${newOrgId}: +${summary?.inserted ?? 0} inserted, ${summary?.updated ?? 0} updated, ${summary?.errors?.length ?? 0} error(s)`,
-              {
-                organizationId: newOrgId,
-                errors: summary?.errors?.slice?.(0, 5)
-              }
-            );
-            if (total > 0) replayed = true;
-          } else if (datasets) {
-            ctx.logger.warn("[security] per-org seed: datasets present but no replayer registered", {
-              organizationId: newOrgId
-            });
-          }
+          await reconcileOrgAdminGrant(ql, userId, orgId, { logger: ctx.logger });
         } catch (e) {
-          ctx.logger.warn("[security] per-org seed replay failed, falling back", {
-            organizationId: newOrgId,
+          ctx.logger.warn?.("[security] org_admin reconcile failed", {
+            userId,
+            orgId,
             error: e.message
           });
         }
-        if (replayed) return;
-        if (orgCount === 1) {
-          try {
-            const claims = await claimOrphanTenantRows(ql, newOrgId, { logger: ctx.logger });
-            if (claims.length > 0) {
-              const total = claims.reduce((s, c) => s + c.count, 0);
-              ctx.logger.info(
-                `[security] claimed ${total} orphan seed row(s) for first organization ${newOrgId}`,
-                { breakdown: claims }
-              );
-              return;
-            }
-          } catch (e) {
-            ctx.logger.warn("[security] claim-orphan-tenant-rows failed", {
-              error: e.message
-            });
-          }
-        }
-        if (orgCount > 1) {
-          try {
-            const summary = await cloneTenantSeedData(ql, newOrgId, { logger: ctx.logger });
-            if (summary.length > 0) {
-              const total = summary.reduce((s, c) => s + c.count, 0);
-              ctx.logger.info(
-                `[security] cloned ${total} seed row(s) for new organization ${newOrgId}`,
-                { breakdown: summary }
-              );
-            }
-          } catch (e) {
-            ctx.logger.warn("[security] clone-tenant-seed-data failed", {
-              organizationId: newOrgId,
-              error: e.message
-            });
-          }
-        }
-      });
+      }
+    });
+    const runOrgAdminBackfill = async () => {
+      try {
+        await backfillOrgAdminGrants(ql, { logger: ctx.logger });
+      } catch (e) {
+        ctx.logger.warn?.("[security] organization_admin backfill failed", {
+          error: e.message
+        });
+      }
+    };
+    if (typeof ctx.hook === "function") {
+      ctx.hook("kernel:ready", runOrgAdminBackfill);
+    } else {
+      void runOrgAdminBackfill();
     }
   }
   async destroy() {
@@ -1149,7 +905,7 @@ var SecurityPlugin = class {
     for (const ps of permissionSets) {
       if (ps.rowLevelSecurity) {
         for (const policy of ps.rowLevelSecurity) {
-          if (!this.multiTenant && policy.using && policy.using.includes("current_user.organization_id")) {
+          if (!this.orgScopingEnabled && policy.using && policy.using.includes("current_user.organization_id")) {
             continue;
           }
           allPolicies.push(policy);
@@ -1220,9 +976,9 @@ export {
   SECURITY_PLUGIN_ID,
   SECURITY_PLUGIN_VERSION,
   SecurityPlugin,
-  cloneTenantSeedData,
-  ensureUserHasOrganization,
+  backfillOrgAdminGrants,
   isPermissionDeniedError,
+  reconcileOrgAdminGrant,
   securityDefaultPermissionSets,
   securityObjects,
   securityPluginManifestHeader