@objectstack/plugin-sharing 4.0.1

package/dist/index.mjs

@@ -0,0 +1,942 @@
+// src/index.ts
+import { SysRecordShare as SysRecordShare2, SysSharingRule as SysSharingRule2 } from "@objectstack/platform-objects/security";
+import { SysDepartment as SysDepartment2, SysDepartmentMember as SysDepartmentMember2 } from "@objectstack/platform-objects/identity";
+
+// src/sharing-service.ts
+function makeShareId() {
+  const g = globalThis;
+  if (g.crypto?.randomUUID) return `shr_${g.crypto.randomUUID()}`;
+  return `shr_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+var SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+var OWNER_FIELD = "owner_id";
+function effectiveSharingModel(schema) {
+  const m = schema?.sharingModel ?? schema?.security?.sharingModel;
+  if (m === "private") return "private";
+  if (m === "read") return "read";
+  return "public";
+}
+function hasOwnerField(schema) {
+  return Boolean(schema?.fields && OWNER_FIELD in schema.fields);
+}
+var SharingService = class {
+  constructor(options) {
+    this.engine = options.engine;
+    this.bypassObjects = /* @__PURE__ */ new Set([
+      "sys_record_share",
+      "sys_user",
+      "sys_organization",
+      "sys_member",
+      "sys_role",
+      "sys_permission_set",
+      "sys_user_permission_set",
+      "sys_role_permission_set",
+      ...options.bypassObjects ?? []
+    ]);
+  }
+  /**
+   * Build a `FilterCondition` restricting `find` to records the caller
+   * may see. Returns `null` when no filter should be applied.
+   */
+  async buildReadFilter(object, context) {
+    if (this.shouldBypass(object, context)) return null;
+    const schema = this.engine.getSchema?.(object);
+    if (!schema) return null;
+    if (effectiveSharingModel(schema) !== "private") return null;
+    if (!hasOwnerField(schema)) return null;
+    if (!context.userId) {
+      return { id: "__deny_all__" };
+    }
+    const grants = await this.engine.find("sys_record_share", {
+      filter: {
+        object_name: object,
+        recipient_type: "user",
+        recipient_id: context.userId
+      },
+      fields: ["record_id", "access_level"],
+      limit: 5e3,
+      context: SYSTEM_CTX
+    });
+    const grantedIds = Array.isArray(grants) ? grants.map((g) => String(g.record_id)).filter(Boolean) : [];
+    if (grantedIds.length === 0) {
+      return { [OWNER_FIELD]: context.userId };
+    }
+    return {
+      $or: [
+        { [OWNER_FIELD]: context.userId },
+        { id: { $in: grantedIds } }
+      ]
+    };
+  }
+  /**
+   * Return `true` if the caller may edit `(object, recordId)`. Always
+   * `true` for system context, public objects, and objects without an
+   * owner field.
+   */
+  async canEdit(object, recordId, context) {
+    if (this.shouldBypass(object, context)) return true;
+    const schema = this.engine.getSchema?.(object);
+    if (!schema) return true;
+    const model = effectiveSharingModel(schema);
+    if (model === "public") return true;
+    if (!hasOwnerField(schema)) return true;
+    if (!context.userId) return false;
+    const own = await this.engine.find(object, {
+      filter: { id: recordId },
+      fields: ["id", OWNER_FIELD],
+      limit: 1,
+      context: SYSTEM_CTX
+    });
+    const owner = Array.isArray(own) && own[0] ? own[0][OWNER_FIELD] : void 0;
+    if (owner && String(owner) === String(context.userId)) return true;
+    const editGrants = await this.engine.find("sys_record_share", {
+      filter: {
+        object_name: object,
+        record_id: recordId,
+        recipient_type: "user",
+        recipient_id: context.userId,
+        access_level: { $in: ["edit", "full"] }
+      },
+      fields: ["id"],
+      limit: 1,
+      context: SYSTEM_CTX
+    });
+    return Array.isArray(editGrants) && editGrants.length > 0;
+  }
+  /**
+   * Upsert a share row. Returning the existing row when an identical
+   * grant already exists keeps the REST endpoint idempotent.
+   */
+  async grant(input, context) {
+    if (!input.object) throw new Error("VALIDATION_FAILED: object is required");
+    if (!input.recordId) throw new Error("VALIDATION_FAILED: recordId is required");
+    if (!input.recipientId) throw new Error("VALIDATION_FAILED: recipientId is required");
+    const recipientType = input.recipientType ?? "user";
+    const accessLevel = input.accessLevel ?? "read";
+    const source = input.source ?? "manual";
+    const existing = await this.engine.find("sys_record_share", {
+      filter: {
+        object_name: input.object,
+        record_id: input.recordId,
+        recipient_type: recipientType,
+        recipient_id: input.recipientId
+      },
+      limit: 1,
+      context: SYSTEM_CTX
+    });
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    if (Array.isArray(existing) && existing[0]) {
+      const row2 = existing[0];
+      const patch = {
+        id: row2.id,
+        access_level: accessLevel,
+        source,
+        source_id: input.sourceId ?? row2.source_id ?? null,
+        reason: input.reason ?? row2.reason ?? null,
+        updated_at: now
+      };
+      await this.engine.update("sys_record_share", patch, { context: SYSTEM_CTX });
+      return { ...row2, ...patch };
+    }
+    const id = makeShareId();
+    const row = {
+      id,
+      object_name: input.object,
+      record_id: input.recordId,
+      recipient_type: recipientType,
+      recipient_id: input.recipientId,
+      access_level: accessLevel,
+      source,
+      source_id: input.sourceId ?? null,
+      granted_by: context.userId ?? null,
+      reason: input.reason ?? null,
+      created_at: now,
+      updated_at: now
+    };
+    await this.engine.insert("sys_record_share", row, { context: SYSTEM_CTX });
+    return row;
+  }
+  /** Delete a share row by id. No-op when not found. */
+  async revoke(shareId, _context) {
+    if (!shareId) throw new Error("VALIDATION_FAILED: shareId is required");
+    await this.engine.delete("sys_record_share", {
+      where: { id: shareId },
+      context: SYSTEM_CTX
+    });
+  }
+  /** List share rows for `(object, recordId)`. */
+  async listShares(object, recordId, _context) {
+    const rows = await this.engine.find("sys_record_share", {
+      filter: { object_name: object, record_id: recordId },
+      orderBy: [{ field: "created_at", direction: "desc" }],
+      limit: 500,
+      context: SYSTEM_CTX
+    });
+    return Array.isArray(rows) ? rows : [];
+  }
+  // ── helpers ──────────────────────────────────────────────────────
+  shouldBypass(object, context) {
+    if (context?.isSystem) return true;
+    if (this.bypassObjects.has(object)) return true;
+    return false;
+  }
+};
+
+// src/team-graph.ts
+var SYSTEM_CTX2 = { isSystem: true, roles: [], permissions: [] };
+var TeamGraphService = class {
+  constructor(opts) {
+    var _a, _b, _c;
+    this.engine = opts.engine;
+    this.organizationId = opts.organizationId ?? null;
+    this.cache = opts.cache ?? {};
+    (_a = this.cache).expandUsers ?? (_a.expandUsers = /* @__PURE__ */ new Map());
+    (_b = this.cache).expandRole ?? (_b.expandRole = /* @__PURE__ */ new Map());
+    (_c = this.cache).manager ?? (_c.manager = /* @__PURE__ */ new Map());
+  }
+  async expandUsers(teamId) {
+    if (!teamId) return [];
+    const cached = this.cache.expandUsers.get(teamId);
+    if (cached) return cached;
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_team_member", {
+        filter: { team_id: teamId },
+        fields: ["user_id"],
+        limit: 1e4,
+        context: SYSTEM_CTX2
+      });
+    } catch {
+      rows = [];
+    }
+    const users = Array.from(new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean)));
+    this.cache.expandUsers.set(teamId, users);
+    return users;
+  }
+  async expandRoleUsers(roleName, organizationId) {
+    if (!roleName) return [];
+    const key = `${organizationId ?? this.organizationId ?? "*"}::${roleName}`;
+    const cached = this.cache.expandRole.get(key);
+    if (cached) return cached;
+    const filter = { role: roleName };
+    const org = organizationId ?? this.organizationId;
+    if (org) filter.organization_id = org;
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_member", {
+        filter,
+        fields: ["user_id"],
+        limit: 1e4,
+        context: SYSTEM_CTX2
+      });
+    } catch {
+      rows = [];
+    }
+    const users = Array.from(new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean)));
+    this.cache.expandRole.set(key, users);
+    return users;
+  }
+  async managerOf(userId, _organizationId) {
+    if (!userId) return null;
+    if (this.cache.manager.has(userId)) return this.cache.manager.get(userId) ?? null;
+    let row = null;
+    try {
+      const rows = await this.engine.find("sys_user", {
+        filter: { id: userId },
+        fields: ["id", "manager_id"],
+        limit: 1,
+        context: SYSTEM_CTX2
+      });
+      row = Array.isArray(rows) ? rows[0] : null;
+    } catch {
+      row = null;
+    }
+    const mgr = row?.manager_id ? String(row.manager_id) : null;
+    this.cache.manager.set(userId, mgr);
+    return mgr;
+  }
+};
+async function expandPrincipal(input, ctx) {
+  const t = input.type;
+  const v = String(input.value ?? "");
+  if (!v) return [];
+  if (t === "user") return [v];
+  if (t === "team") return ctx.team.expandUsers(v);
+  if (t === "department" || t === "dept") {
+    if (ctx.dept) return ctx.dept.expandUsers(v);
+    return [`${t}:${v}`];
+  }
+  if (t === "role") return ctx.team.expandRoleUsers(v, ctx.organizationId ?? void 0);
+  if (t === "field" && input.record) {
+    const fv = input.record[v];
+    return fv ? [String(fv)] : [];
+  }
+  if (t === "manager" && input.record) {
+    const subject = input.record[v] ?? input.record.owner_id;
+    if (!subject) return [];
+    const mgr = await ctx.team.managerOf(String(subject), ctx.organizationId ?? void 0);
+    return mgr ? [mgr] : [];
+  }
+  return [`${t}:${v}`];
+}
+
+// src/department-graph.ts
+var SYSTEM_CTX3 = { isSystem: true, roles: [], permissions: [] };
+var DepartmentGraphService = class {
+  constructor(opts) {
+    var _a, _b, _c;
+    this.engine = opts.engine;
+    this.organizationId = opts.organizationId ?? null;
+    this.cache = opts.cache ?? {};
+    (_a = this.cache).descendants ?? (_a.descendants = /* @__PURE__ */ new Map());
+    (_b = this.cache).expandUsers ?? (_b.expandUsers = /* @__PURE__ */ new Map());
+    (_c = this.cache).head ?? (_c.head = /* @__PURE__ */ new Map());
+    this.teamGraph = opts.teamGraph;
+  }
+  async descendants(departmentId) {
+    if (!departmentId) return [];
+    const cached = this.cache.descendants.get(departmentId);
+    if (cached) return cached;
+    let seedActive = true;
+    try {
+      const seedRows = await this.engine.find("sys_department", {
+        filter: this.orgScope({ id: departmentId }),
+        fields: ["id", "active"],
+        limit: 1,
+        context: SYSTEM_CTX3
+      });
+      const seedRow = Array.isArray(seedRows) ? seedRows[0] : null;
+      if (!seedRow) seedActive = false;
+      else if (seedRow.active === false) seedActive = false;
+    } catch {
+      seedActive = false;
+    }
+    if (!seedActive) {
+      this.cache.descendants.set(departmentId, []);
+      return [];
+    }
+    const seen = /* @__PURE__ */ new Set([departmentId]);
+    const queue = [departmentId];
+    while (queue.length) {
+      const parent = queue.shift();
+      let children = [];
+      try {
+        children = await this.engine.find("sys_department", {
+          filter: this.orgScope({ parent_department_id: parent, active: { $ne: false } }),
+          fields: ["id"],
+          limit: 1e3,
+          context: SYSTEM_CTX3
+        });
+      } catch {
+        children = [];
+      }
+      for (const c of children ?? []) {
+        const cid = String(c.id ?? "");
+        if (cid && !seen.has(cid)) {
+          seen.add(cid);
+          queue.push(cid);
+        }
+      }
+    }
+    const out = Array.from(seen);
+    this.cache.descendants.set(departmentId, out);
+    return out;
+  }
+  async expandUsers(departmentId) {
+    if (!departmentId) return [];
+    const cached = this.cache.expandUsers.get(departmentId);
+    if (cached) return cached;
+    const depts = await this.descendants(departmentId);
+    if (depts.length === 0) return [];
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_department_member", {
+        filter: { department_id: { $in: depts } },
+        fields: ["user_id"],
+        limit: 1e4,
+        context: SYSTEM_CTX3
+      });
+    } catch {
+      rows = [];
+    }
+    const users = Array.from(
+      new Set((rows ?? []).map((r) => String(r.user_id ?? "")).filter(Boolean))
+    );
+    this.cache.expandUsers.set(departmentId, users);
+    return users;
+  }
+  async headOf(departmentId) {
+    if (!departmentId) return null;
+    if (this.cache.head.has(departmentId)) return this.cache.head.get(departmentId) ?? null;
+    let row = null;
+    try {
+      const rows = await this.engine.find("sys_department", {
+        filter: { id: departmentId },
+        fields: ["id", "manager_user_id"],
+        limit: 1,
+        context: SYSTEM_CTX3
+      });
+      row = Array.isArray(rows) ? rows[0] : null;
+    } catch {
+      row = null;
+    }
+    const head = row?.manager_user_id ? String(row.manager_user_id) : null;
+    this.cache.head.set(departmentId, head);
+    return head;
+  }
+  async managerOf(userId, organizationId) {
+    if (this.teamGraph) return this.teamGraph.managerOf(userId, organizationId);
+    if (!userId) return null;
+    try {
+      const rows = await this.engine.find("sys_user", {
+        filter: { id: userId },
+        fields: ["id", "manager_id"],
+        limit: 1,
+        context: SYSTEM_CTX3
+      });
+      const row = Array.isArray(rows) ? rows[0] : null;
+      return row?.manager_id ? String(row.manager_id) : null;
+    } catch {
+      return null;
+    }
+  }
+  orgScope(filter) {
+    if (this.organizationId) return { ...filter, organization_id: this.organizationId };
+    return filter;
+  }
+};
+
+// src/sharing-rule-service.ts
+var SYSTEM_CTX4 = { isSystem: true, roles: [], permissions: [] };
+function uid(prefix) {
+  const g = globalThis;
+  if (g.crypto?.randomUUID) return `${prefix}_${g.crypto.randomUUID()}`;
+  return `${prefix}_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function parseCriteria(raw) {
+  if (raw == null || raw === "") return void 0;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (!trimmed) return void 0;
+    try {
+      return JSON.parse(trimmed);
+    } catch {
+      return void 0;
+    }
+  }
+  return raw;
+}
+function rowFromRule(row) {
+  return {
+    id: row.id,
+    organization_id: row.organization_id ?? null,
+    name: row.name,
+    label: row.label,
+    description: row.description ?? null,
+    object_name: row.object_name,
+    criteria: parseCriteria(row.criteria_json),
+    recipient_type: row.recipient_type,
+    recipient_id: row.recipient_id,
+    access_level: row.access_level,
+    active: row.active !== false,
+    created_at: row.created_at ?? void 0,
+    updated_at: row.updated_at ?? void 0
+  };
+}
+var SharingRuleService = class {
+  constructor(opts) {
+    this.engine = opts.engine;
+    this.sharing = opts.sharing;
+    this.logger = opts.logger;
+  }
+  async defineRule(input, context) {
+    if (!input.name) throw new Error("VALIDATION_FAILED: name is required");
+    if (!input.label) throw new Error("VALIDATION_FAILED: label is required");
+    if (!input.object) throw new Error("VALIDATION_FAILED: object is required");
+    if (!input.recipientType) throw new Error("VALIDATION_FAILED: recipientType is required");
+    if (!input.recipientId) throw new Error("VALIDATION_FAILED: recipientId is required");
+    const orgId = context?.organizationId ?? context?.tenantId ?? null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const accessLevel = input.accessLevel ?? "read";
+    const active = input.active !== false;
+    const criteriaJson = input.criteria == null ? null : typeof input.criteria === "string" ? input.criteria : JSON.stringify(input.criteria);
+    const existing = await this.engine.find("sys_sharing_rule", {
+      filter: orgId ? { name: input.name, organization_id: orgId } : { name: input.name },
+      limit: 1,
+      context: SYSTEM_CTX4
+    });
+    if (Array.isArray(existing) && existing[0]) {
+      const row = existing[0];
+      const patch = {
+        id: row.id,
+        label: input.label,
+        description: input.description ?? null,
+        object_name: input.object,
+        criteria_json: criteriaJson,
+        recipient_type: input.recipientType,
+        recipient_id: input.recipientId,
+        access_level: accessLevel,
+        active,
+        updated_at: now
+      };
+      await this.engine.update("sys_sharing_rule", patch, { context: SYSTEM_CTX4 });
+      return rowFromRule({ ...row, ...patch });
+    }
+    const newRow = {
+      id: uid("srule"),
+      organization_id: orgId,
+      name: input.name,
+      label: input.label,
+      description: input.description ?? null,
+      object_name: input.object,
+      criteria_json: criteriaJson,
+      recipient_type: input.recipientType,
+      recipient_id: input.recipientId,
+      access_level: accessLevel,
+      active,
+      created_at: now,
+      updated_at: now
+    };
+    await this.engine.insert("sys_sharing_rule", newRow, { context: SYSTEM_CTX4 });
+    return rowFromRule(newRow);
+  }
+  async listRules(filter, context) {
+    const where = {};
+    if (filter.object) where.object_name = filter.object;
+    if (filter.activeOnly) where.active = true;
+    const orgId = context?.organizationId ?? context?.tenantId;
+    if (orgId) where.organization_id = orgId;
+    const rows = await this.engine.find("sys_sharing_rule", {
+      filter: where,
+      orderBy: [{ field: "name", direction: "asc" }],
+      limit: 1e3,
+      context: SYSTEM_CTX4
+    });
+    return Array.isArray(rows) ? rows.map(rowFromRule) : [];
+  }
+  async getRule(idOrName, context) {
+    if (!idOrName) return null;
+    const orgId = context?.organizationId ?? context?.tenantId;
+    const byId = await this.engine.find("sys_sharing_rule", {
+      filter: { id: idOrName },
+      limit: 1,
+      context: SYSTEM_CTX4
+    });
+    if (Array.isArray(byId) && byId[0]) return rowFromRule(byId[0]);
+    const byName = await this.engine.find("sys_sharing_rule", {
+      filter: orgId ? { name: idOrName, organization_id: orgId } : { name: idOrName },
+      limit: 1,
+      context: SYSTEM_CTX4
+    });
+    if (Array.isArray(byName) && byName[0]) return rowFromRule(byName[0]);
+    return null;
+  }
+  async deleteRule(idOrName, context) {
+    const row = await this.getRule(idOrName, context);
+    if (!row) return;
+    await this.engine.delete("sys_record_share", {
+      where: { source: "rule", source_id: row.id },
+      context: SYSTEM_CTX4
+    });
+    await this.engine.delete("sys_sharing_rule", {
+      where: { id: row.id },
+      context: SYSTEM_CTX4
+    });
+  }
+  async evaluateRule(idOrName, context) {
+    const rule = await this.getRule(idOrName, context);
+    if (!rule) throw new Error("RULE_NOT_FOUND");
+    if (!rule.active) {
+      const revoked = await this.purgeRuleGrants(rule.id);
+      return { ruleId: rule.id, matchedRecords: 0, expandedUsers: 0, grantsCreated: 0, grantsUpdated: 0, grantsRevoked: revoked };
+    }
+    const matches = await this.findMatchingRecords(rule);
+    const users = await this.expandRecipient(rule);
+    return this.reconcile(rule, matches, users);
+  }
+  async evaluateAllForRecord(object, recordId, context) {
+    const rules = await this.listRules({ object, activeOnly: true }, context);
+    if (rules.length === 0) return [];
+    const results = [];
+    for (const rule of rules) {
+      const match = await this.recordMatches(rule, recordId);
+      const users = match ? await this.expandRecipient(rule) : [];
+      results.push(await this.reconcileForRecord(rule, recordId, match, users));
+    }
+    return results;
+  }
+  // ── internals ─────────────────────────────────────────────────────
+  async findMatchingRecords(rule) {
+    const filter = rule.criteria ?? {};
+    try {
+      const rows = await this.engine.find(rule.object_name, {
+        filter,
+        fields: ["id"],
+        limit: 5e3,
+        context: SYSTEM_CTX4
+      });
+      return Array.isArray(rows) ? rows.map((r) => String(r.id)).filter(Boolean) : [];
+    } catch (err) {
+      this.logger?.warn?.("[sharing-rule] criteria query failed", { rule: rule.name, error: err?.message });
+      return [];
+    }
+  }
+  async recordMatches(rule, recordId) {
+    const filter = { ...rule.criteria ?? {}, id: recordId };
+    try {
+      const rows = await this.engine.find(rule.object_name, {
+        filter,
+        fields: ["id"],
+        limit: 1,
+        context: SYSTEM_CTX4
+      });
+      return Array.isArray(rows) && rows.length > 0;
+    } catch {
+      return false;
+    }
+  }
+  async expandRecipient(rule) {
+    const team = new TeamGraphService({
+      engine: this.engine,
+      organizationId: rule.organization_id ?? null
+    });
+    if (rule.recipient_type === "user") return [rule.recipient_id];
+    if (rule.recipient_type === "team") return team.expandUsers(rule.recipient_id);
+    if (rule.recipient_type === "department") {
+      const dept = new DepartmentGraphService({
+        engine: this.engine,
+        organizationId: rule.organization_id ?? null,
+        teamGraph: team
+      });
+      return dept.expandUsers(rule.recipient_id);
+    }
+    if (rule.recipient_type === "role") return team.expandRoleUsers(rule.recipient_id, rule.organization_id ?? void 0);
+    return [];
+  }
+  async reconcile(rule, matchedIds, users) {
+    const existing = await this.engine.find("sys_record_share", {
+      filter: { source: "rule", source_id: rule.id },
+      fields: ["id", "record_id", "recipient_id", "access_level"],
+      limit: 1e5,
+      context: SYSTEM_CTX4
+    });
+    const desired = /* @__PURE__ */ new Map();
+    for (const rid of matchedIds) {
+      for (const uId of users) desired.set(`${rid}::${uId}`, { record_id: rid, recipient_id: uId });
+    }
+    const existingMap = /* @__PURE__ */ new Map();
+    for (const row of existing ?? []) existingMap.set(`${row.record_id}::${row.recipient_id}`, row);
+    let created = 0;
+    let updated = 0;
+    let revoked = 0;
+    for (const [k, want] of desired.entries()) {
+      const cur = existingMap.get(k);
+      if (cur) {
+        if (cur.access_level !== rule.access_level) {
+          await this.sharing.grant(
+            {
+              object: rule.object_name,
+              recordId: want.record_id,
+              recipientType: "user",
+              recipientId: want.recipient_id,
+              accessLevel: rule.access_level,
+              source: "rule",
+              sourceId: rule.id,
+              reason: `rule:${rule.name}`
+            },
+            SYSTEM_CTX4
+          );
+          updated += 1;
+        }
+        existingMap.delete(k);
+      } else {
+        await this.sharing.grant(
+          {
+            object: rule.object_name,
+            recordId: want.record_id,
+            recipientType: "user",
+            recipientId: want.recipient_id,
+            accessLevel: rule.access_level,
+            source: "rule",
+            sourceId: rule.id,
+            reason: `rule:${rule.name}`
+          },
+          SYSTEM_CTX4
+        );
+        created += 1;
+      }
+    }
+    for (const [, stale] of existingMap.entries()) {
+      await this.sharing.revoke(stale.id, SYSTEM_CTX4);
+      revoked += 1;
+    }
+    return {
+      ruleId: rule.id,
+      matchedRecords: matchedIds.length,
+      expandedUsers: users.length,
+      grantsCreated: created,
+      grantsUpdated: updated,
+      grantsRevoked: revoked
+    };
+  }
+  async reconcileForRecord(rule, recordId, match, users) {
+    const existing = await this.engine.find("sys_record_share", {
+      filter: { source: "rule", source_id: rule.id, record_id: recordId },
+      fields: ["id", "record_id", "recipient_id", "access_level"],
+      limit: 1e3,
+      context: SYSTEM_CTX4
+    });
+    const existingMap = /* @__PURE__ */ new Map();
+    for (const row of existing ?? []) existingMap.set(String(row.recipient_id), row);
+    let created = 0;
+    let updated = 0;
+    let revoked = 0;
+    if (match) {
+      for (const userId of users) {
+        const cur = existingMap.get(userId);
+        if (cur) {
+          if (cur.access_level !== rule.access_level) {
+            await this.sharing.grant(
+              {
+                object: rule.object_name,
+                recordId,
+                recipientType: "user",
+                recipientId: userId,
+                accessLevel: rule.access_level,
+                source: "rule",
+                sourceId: rule.id,
+                reason: `rule:${rule.name}`
+              },
+              SYSTEM_CTX4
+            );
+            updated += 1;
+          }
+          existingMap.delete(userId);
+        } else {
+          await this.sharing.grant(
+            {
+              object: rule.object_name,
+              recordId,
+              recipientType: "user",
+              recipientId: userId,
+              accessLevel: rule.access_level,
+              source: "rule",
+              sourceId: rule.id,
+              reason: `rule:${rule.name}`
+            },
+            SYSTEM_CTX4
+          );
+          created += 1;
+        }
+      }
+    }
+    for (const [, stale] of existingMap.entries()) {
+      await this.sharing.revoke(stale.id, SYSTEM_CTX4);
+      revoked += 1;
+    }
+    return {
+      ruleId: rule.id,
+      matchedRecords: match ? 1 : 0,
+      expandedUsers: users.length,
+      grantsCreated: created,
+      grantsUpdated: updated,
+      grantsRevoked: revoked
+    };
+  }
+  async purgeRuleGrants(ruleId) {
+    const existing = await this.engine.find("sys_record_share", {
+      filter: { source: "rule", source_id: ruleId },
+      fields: ["id"],
+      limit: 1e5,
+      context: SYSTEM_CTX4
+    });
+    let revoked = 0;
+    for (const row of existing ?? []) {
+      await this.sharing.revoke(row.id, SYSTEM_CTX4);
+      revoked += 1;
+    }
+    return revoked;
+  }
+};
+
+// src/rule-hooks.ts
+var SYSTEM_CTX5 = { isSystem: true, roles: [], permissions: [] };
+var SHARING_RULE_HOOK_PACKAGE = "plugin-sharing:rules";
+function bindRuleHooks(engine, service, rules, logger) {
+  const objects = /* @__PURE__ */ new Set();
+  for (const r of rules) {
+    if (r.active === false) continue;
+    if (r.object_name) objects.add(r.object_name);
+  }
+  for (const objectName of objects) {
+    const handler = async (ctx) => {
+      if (ctx?.session?.isSystem) return;
+      try {
+        const data = ctx?.result ?? ctx?.input?.data ?? {};
+        const id = String(data?.id ?? ctx?.input?.id ?? "");
+        if (!id) return;
+        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX5);
+      } catch (err) {
+        logger?.warn?.("[sharing-rule] hook evaluation failed", { object: objectName, error: err?.message });
+      }
+    };
+    engine.registerHook("afterInsert", handler, { object: objectName, packageId: SHARING_RULE_HOOK_PACKAGE, priority: 180 });
+    engine.registerHook("afterUpdate", handler, { object: objectName, packageId: SHARING_RULE_HOOK_PACKAGE, priority: 180 });
+  }
+  logger?.info?.("[sharing-rule] hooks bound", { objects: Array.from(objects), ruleCount: rules.length });
+}
+function unbindAllRuleHooks(engine) {
+  return engine.unregisterHooksByPackage(SHARING_RULE_HOOK_PACKAGE);
+}
+
+// src/sharing-plugin.ts
+import { SysRecordShare, SysSharingRule } from "@objectstack/platform-objects/security";
+import { SysDepartment, SysDepartmentMember } from "@objectstack/platform-objects/identity";
+var SharingServicePlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.service.sharing";
+    this.version = "1.0.0";
+    this.type = "standard";
+    this.dependencies = ["com.objectstack.engine.objectql"];
+    this.options = options;
+  }
+  async init(ctx) {
+    ctx.getService("manifest").register({
+      id: "com.objectstack.service.sharing",
+      name: "Sharing Service",
+      version: "1.0.0",
+      type: "plugin",
+      scope: "system",
+      defaultDatasource: "cloud",
+      namespace: "sys",
+      objects: [SysRecordShare, SysSharingRule, SysDepartment, SysDepartmentMember]
+    });
+    ctx.logger.info("SharingServicePlugin: schema registered");
+  }
+  async start(ctx) {
+    ctx.hook("kernel:ready", async () => {
+      let engine = null;
+      try {
+        engine = ctx.getService("objectql");
+      } catch {
+        try {
+          engine = ctx.getService("data");
+        } catch {
+        }
+      }
+      if (!engine) {
+        ctx.logger.warn("SharingServicePlugin: no ObjectQL engine \u2014 service NOT registered");
+        return;
+      }
+      this.service = new SharingService({
+        engine,
+        bypassObjects: this.options.bypassObjects
+      });
+      ctx.registerService("sharing", this.service);
+      if (this.options.enforce === false) {
+        ctx.logger.info("SharingServicePlugin: enforcement disabled (enforce=false)");
+        return;
+      }
+      const mw = buildSharingMiddleware(this.service);
+      if (typeof engine.registerMiddleware === "function") {
+        engine.registerMiddleware(mw, { object: "*" });
+        ctx.logger.info("SharingServicePlugin: enforcement middleware installed");
+      } else {
+        ctx.logger.warn("SharingServicePlugin: engine has no registerMiddleware \u2014 enforcement not applied");
+      }
+      try {
+        this.ruleService = new SharingRuleService({
+          engine,
+          sharing: this.service,
+          logger: ctx.logger
+        });
+        ctx.registerService("sharingRules", this.ruleService);
+        if (typeof engine.registerHook === "function" && typeof engine.unregisterHooksByPackage === "function") {
+          const rules = await this.ruleService.listRules({ activeOnly: true }, { isSystem: true });
+          unbindAllRuleHooks(engine);
+          bindRuleHooks(engine, this.ruleService, rules, ctx.logger);
+        } else {
+          ctx.logger.warn("SharingServicePlugin: engine has no hook API \u2014 sharing rule auto-evaluation disabled");
+        }
+      } catch (err) {
+        ctx.logger.warn("SharingServicePlugin: sharing-rule subsystem not started", { error: err?.message });
+      }
+    });
+  }
+};
+function buildSharingMiddleware(service) {
+  return async function sharingMiddleware(ctx, next) {
+    const op = ctx.operation;
+    const exec = ctx.context;
+    if (op === "find" || op === "findOne" || op === "count" || op === "aggregate") {
+      const filter = await service.buildReadFilter(ctx.object, exec ?? {});
+      if (filter) {
+        const ast = ctx.ast ?? {};
+        ast.where = composeAnd(ast.where, filter);
+        ast.filter = composeAnd(ast.filter, filter);
+        ctx.ast = ast;
+      }
+      return next();
+    }
+    if (op === "update" || op === "delete") {
+      const data = ctx.data;
+      const options = ctx.options;
+      const id = inferTargetId(data, options);
+      if (id != null) {
+        const ok = await service.canEdit(ctx.object, String(id), exec ?? {});
+        if (!ok) {
+          const err = new Error(
+            `FORBIDDEN: insufficient privileges to ${op} ${ctx.object} ${id}`
+          );
+          err.code = "FORBIDDEN";
+          err.status = 403;
+          throw err;
+        }
+      }
+      return next();
+    }
+    return next();
+  };
+}
+function composeAnd(existing, addition) {
+  if (existing == null) return addition;
+  if (addition == null) return existing;
+  if (typeof existing === "object" && existing !== null && !Array.isArray(existing) && typeof addition === "object" && addition !== null && !Array.isArray(addition)) {
+    const ex = existing;
+    if (Array.isArray(ex.$and)) {
+      return { $and: [...ex.$and, addition] };
+    }
+    return { $and: [existing, addition] };
+  }
+  return { $and: [existing, addition] };
+}
+function inferTargetId(data, options) {
+  if (data && typeof data === "object" && data.id != null) return data.id;
+  if (options && typeof options === "object") {
+    if (options.id != null) return options.id;
+    if (options.where && typeof options.where === "object" && options.where.id != null) {
+      return options.where.id;
+    }
+    if (options.filter && typeof options.filter === "object" && options.filter.id != null) {
+      return options.filter.id;
+    }
+  }
+  return void 0;
+}
+export {
+  DepartmentGraphService,
+  SHARING_RULE_HOOK_PACKAGE,
+  SharingRuleService,
+  SharingService,
+  SharingServicePlugin,
+  SysDepartment2 as SysDepartment,
+  SysDepartmentMember2 as SysDepartmentMember,
+  SysRecordShare2 as SysRecordShare,
+  SysSharingRule2 as SysSharingRule,
+  TeamGraphService,
+  bindRuleHooks,
+  buildSharingMiddleware,
+  expandPrincipal,
+  unbindAllRuleHooks
+};
+//# sourceMappingURL=index.mjs.map