@objectstack/plugin-sharing 4.0.1

package/dist/index.d.ts

@@ -0,0 +1,290 @@
+export { SysRecordShare, SysSharingRule } from '@objectstack/platform-objects/security';
+export { SysDepartment, SysDepartmentMember } from '@objectstack/platform-objects/identity';
+import { ISharingService, SharingExecutionContext, GrantShareInput, RecordShare, ISharingRuleService, DefineSharingRuleInput, SharingRuleRow, SharingRuleEvaluationResult, ITeamGraphService, IDepartmentGraphService } from '@objectstack/spec/contracts';
+export { DefineSharingRuleInput, GrantShareInput, IDepartmentGraphService, ISharingRuleService, ISharingService, ITeamGraphService, RecordShare, ShareAccessLevel, ShareRecipientType, ShareSource, SharingExecutionContext, SharingRuleEvaluationResult, SharingRuleRecipientType, SharingRuleRow } from '@objectstack/spec/contracts';
+import { Plugin, PluginContext } from '@objectstack/core';
+import { EngineMiddleware } from '@objectstack/objectql';
+
+/**
+ * Shape of the data engine the service actually needs. Kept narrow so
+ * unit tests can pass an in-memory fake without depending on the full
+ * ObjectQL engine class.
+ */
+interface SharingEngine {
+    find(object: string, options?: any): Promise<any[]>;
+    findOne?(object: string, options?: any): Promise<any>;
+    insert(object: string, data: any, options?: any): Promise<any>;
+    update(object: string, idOrData: any, dataOrOptions?: any, options?: any): Promise<any>;
+    delete(object: string, options?: any): Promise<any>;
+    getSchema?(object: string): any | undefined;
+}
+interface SharingServiceOptions {
+    engine: SharingEngine;
+    /** Object names that bypass sharing — typically platform internals. */
+    bypassObjects?: string[];
+}
+/**
+ * Default `ISharingService` implementation.
+ *
+ * Stores every grant in `sys_record_share`. The plugin layer registers
+ * an engine middleware that calls `buildReadFilter` / `canEdit` so that
+ * neither this class nor its callers need to know about middleware
+ * plumbing.
+ */
+declare class SharingService implements ISharingService {
+    private readonly engine;
+    private readonly bypassObjects;
+    constructor(options: SharingServiceOptions);
+    /**
+     * Build a `FilterCondition` restricting `find` to records the caller
+     * may see. Returns `null` when no filter should be applied.
+     */
+    buildReadFilter(object: string, context: SharingExecutionContext): Promise<unknown | null>;
+    /**
+     * Return `true` if the caller may edit `(object, recordId)`. Always
+     * `true` for system context, public objects, and objects without an
+     * owner field.
+     */
+    canEdit(object: string, recordId: string, context: SharingExecutionContext): Promise<boolean>;
+    /**
+     * Upsert a share row. Returning the existing row when an identical
+     * grant already exists keeps the REST endpoint idempotent.
+     */
+    grant(input: GrantShareInput, context: SharingExecutionContext): Promise<RecordShare>;
+    /** Delete a share row by id. No-op when not found. */
+    revoke(shareId: string, _context: SharingExecutionContext): Promise<void>;
+    /** List share rows for `(object, recordId)`. */
+    listShares(object: string, recordId: string, _context: SharingExecutionContext): Promise<RecordShare[]>;
+    private shouldBypass;
+}
+
+interface SharingRuleServiceOptions {
+    engine: SharingEngine;
+    sharing: SharingService;
+    logger?: {
+        info?: Function;
+        warn?: Function;
+        error?: Function;
+        debug?: Function;
+    };
+}
+/**
+ * Default {@link ISharingRuleService} implementation.
+ *
+ * Stores rule definitions in `sys_sharing_rule` and materialises grants
+ * as `sys_record_share` rows with `source='rule'` and `source_id={ruleId}`
+ * so reconcile can diff old grants vs fresh evaluation results without
+ * touching manual / team-derived shares.
+ */
+declare class SharingRuleService implements ISharingRuleService {
+    private readonly engine;
+    private readonly sharing;
+    private readonly logger?;
+    constructor(opts: SharingRuleServiceOptions);
+    defineRule(input: DefineSharingRuleInput, context: SharingExecutionContext): Promise<SharingRuleRow>;
+    listRules(filter: {
+        object?: string;
+        activeOnly?: boolean;
+    }, context: SharingExecutionContext): Promise<SharingRuleRow[]>;
+    getRule(idOrName: string, context: SharingExecutionContext): Promise<SharingRuleRow | null>;
+    deleteRule(idOrName: string, context: SharingExecutionContext): Promise<void>;
+    evaluateRule(idOrName: string, context: SharingExecutionContext): Promise<SharingRuleEvaluationResult>;
+    evaluateAllForRecord(object: string, recordId: string, context: SharingExecutionContext): Promise<SharingRuleEvaluationResult[]>;
+    private findMatchingRecords;
+    private recordMatches;
+    private expandRecipient;
+    private reconcile;
+    private reconcileForRecord;
+    private purgeRuleGrants;
+}
+
+type Cache = {
+    expandUsers?: Map<string, string[]>;
+    expandRole?: Map<string, string[]>;
+    manager?: Map<string, string | null>;
+};
+interface TeamGraphOptions {
+    engine: SharingEngine;
+    /** Optional tenant scope; null means cross-tenant lookups. */
+    organizationId?: string | null;
+    /** Optional shared cache across one evaluator pass. */
+    cache?: Cache;
+}
+/**
+ * Default {@link ITeamGraphService} implementation backed by
+ * `sys_team` + `sys_team_member` (better-auth's flat collaboration
+ * grouping) plus `sys_member.role` for tenant role expansion.
+ *
+ * **This service does NOT walk a hierarchy.** Teams here are flat —
+ * the enterprise org chart lives in `sys_department` and is served by
+ * {@link DepartmentGraphService}.
+ *
+ * All queries elevate to {@link SYSTEM_CTX} since the graph is platform
+ * metadata; callers (sharing rule evaluator, approval engine) own their
+ * own enforcement.
+ */
+declare class TeamGraphService implements ITeamGraphService {
+    private readonly engine;
+    private readonly organizationId;
+    private readonly cache;
+    constructor(opts: TeamGraphOptions);
+    expandUsers(teamId: string): Promise<string[]>;
+    expandRoleUsers(roleName: string, organizationId?: string): Promise<string[]>;
+    managerOf(userId: string, _organizationId?: string): Promise<string | null>;
+}
+/**
+ * Convenience helper used by the sharing-rule evaluator + approval
+ * engine: expand an approver / recipient descriptor of the form
+ * `{type, value}` into a flat list of user IDs by routing to the
+ * appropriate graph service.
+ *
+ * `team` → flat team members (this service).
+ * `department` → recursive department members (delegated; requires a
+ *   {@link IDepartmentGraphService} instance passed in `opts.dept`).
+ * `role` → tenant role members.
+ * `manager` → submitter's manager via `record[value] ?? record.owner_id`.
+ * `field` → literal user id stored in `record[value]`.
+ * `user` → literal value.
+ * Anything else echoes `type:value` for back-compat with legacy
+ * substring-match approver flows.
+ */
+declare function expandPrincipal(input: {
+    type: string;
+    value: string;
+    record?: any;
+}, ctx: {
+    team: TeamGraphService;
+    dept?: {
+        expandUsers(id: string): Promise<string[]>;
+    };
+    organizationId?: string | null;
+}): Promise<string[]>;
+
+type DeptCache = {
+    descendants?: Map<string, string[]>;
+    expandUsers?: Map<string, string[]>;
+    head?: Map<string, string | null>;
+};
+interface DepartmentGraphOptions {
+    engine: SharingEngine;
+    /** Optional tenant scope; null means cross-tenant lookups. */
+    organizationId?: string | null;
+    /** Optional shared cache across one evaluator pass. */
+    cache?: DeptCache;
+    /**
+     * Optional team-graph instance to share role / manager lookups with —
+     * department graph proxies `managerOf` through so callers only need one
+     * service.
+     */
+    teamGraph?: TeamGraphService;
+}
+/**
+ * Default {@link IDepartmentGraphService} implementation.
+ *
+ * Walks `sys_department.parent_department_id` for hierarchy and
+ * `sys_department_member` for member expansion. Treats the optional
+ * `active` flag as a hard filter (inactive departments contribute no
+ * members and stop BFS descent into their subtrees).
+ *
+ * Reuses {@link TeamGraphService.managerOf} for user-level manager
+ * lookup so callers can use this single service in approval / sharing
+ * pipelines.
+ */
+declare class DepartmentGraphService implements IDepartmentGraphService {
+    private readonly engine;
+    private readonly organizationId;
+    private readonly cache;
+    private readonly teamGraph?;
+    constructor(opts: DepartmentGraphOptions);
+    descendants(departmentId: string): Promise<string[]>;
+    expandUsers(departmentId: string): Promise<string[]>;
+    headOf(departmentId: string): Promise<string | null>;
+    managerOf(userId: string, organizationId?: string): Promise<string | null>;
+    private orgScope;
+}
+
+declare const SHARING_RULE_HOOK_PACKAGE = "plugin-sharing:rules";
+interface MinimalEngine {
+    registerHook(event: string, handler: (ctx: any) => any | Promise<any>, options?: {
+        object?: string | string[];
+        priority?: number;
+        packageId?: string;
+    }): void;
+    unregisterHooksByPackage(packageId: string): number;
+}
+interface MinimalLogger {
+    info?: (msg: any, ...rest: any[]) => void;
+    warn?: (msg: any, ...rest: any[]) => void;
+}
+/**
+ * Bind afterInsert/afterUpdate hooks for every distinct object_name in
+ * `rules`. Each hook calls `service.evaluateAllForRecord(object, id, …)`
+ * with SYSTEM_CTX so the evaluator can write `sys_record_share` rows
+ * without being blocked by its own enforcement.
+ *
+ * Caller is responsible for invoking {@link unbindAllRuleHooks} before
+ * re-binding when the rule set changes.
+ */
+declare function bindRuleHooks(engine: MinimalEngine, service: SharingRuleService, rules: SharingRuleRow[], logger?: MinimalLogger): void;
+declare function unbindAllRuleHooks(engine: MinimalEngine): number;
+
+interface SharingPluginOptions {
+    /** Extra object names that bypass sharing entirely. */
+    bypassObjects?: string[];
+    /**
+     * Disable enforcement (read filter + canEdit) while still registering
+     * the schema + service. Useful in development to flip enforcement on
+     * via env var without rebuilding.
+     */
+    enforce?: boolean;
+}
+/**
+ * SharingServicePlugin — registers `sys_record_share`, the `sharing`
+ * service, and the engine middleware that enforces
+ * `object.sharingModel`.
+ *
+ * Enforcement is opt-in per object:
+ *
+ *   - `sharingModel: 'private'` → reads filtered to `(owner_id == me) OR
+ *     (record explicitly shared with me)`. Writes require ownership or
+ *     an `edit`/`full` share.
+ *   - `sharingModel: 'read'` → reads unrestricted; writes gated as
+ *     above (typical "everyone can see, only owner can edit").
+ *   - any other value (or no value) → no enforcement. This keeps
+ *     existing CRM behaviour identical until admins explicitly enable
+ *     sharing on a per-object basis.
+ *
+ * @example
+ * ```ts
+ * import { SharingServicePlugin } from '@objectstack/plugin-sharing';
+ *
+ * kernel.use(new SharingServicePlugin());
+ *
+ * // Mark an object private — middleware enforces from this point on.
+ * defineObject({
+ *   name: 'account',
+ *   sharingModel: 'private',
+ *   fields: { owner_id: Field.lookup('sys_user'), ... },
+ * });
+ * ```
+ */
+declare class SharingServicePlugin implements Plugin {
+    name: string;
+    version: string;
+    type: string;
+    dependencies: string[];
+    private readonly options;
+    private service?;
+    private ruleService?;
+    constructor(options?: SharingPluginOptions);
+    init(ctx: PluginContext): Promise<void>;
+    start(ctx: PluginContext): Promise<void>;
+}
+/**
+ * Build the engine middleware that injects read filters and gates
+ * write operations. Exported so it can be unit-tested without booting
+ * a kernel.
+ */
+declare function buildSharingMiddleware(service: SharingService): EngineMiddleware;
+
+export { type DepartmentGraphOptions, DepartmentGraphService, SHARING_RULE_HOOK_PACKAGE, type SharingEngine, type SharingPluginOptions, SharingRuleService, type SharingRuleServiceOptions, SharingService, type SharingServiceOptions, SharingServicePlugin, type TeamGraphOptions, TeamGraphService, bindRuleHooks, buildSharingMiddleware, expandPrincipal, unbindAllRuleHooks };