npm - @objectstack/plugin-sharing - Versions diffs - 7.3.0 → 7.4.0 - Mend

@objectstack/plugin-sharing 7.3.0 → 7.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/.turbo/turbo-build.log +10 -10
package/CHANGELOG.md +83 -0
package/dist/index.d.mts +9703 -2
package/dist/index.d.ts +9703 -2
package/dist/index.js +1685 -6
package/dist/index.js.map +1 -1
package/dist/index.mjs +1690 -6
package/dist/index.mjs.map +1 -1
package/package.json +5 -5
package/scripts/i18n-extract.config.ts +31 -0
package/src/index.ts +1 -1
package/src/objects/index.ts +14 -0
package/src/objects/sys-record-share.object.ts +229 -0
package/src/objects/sys-share-link.object.ts +255 -0
package/src/objects/sys-sharing-rule.object.ts +190 -0
package/src/sharing-plugin.ts +31 -1
package/src/translations/en.objects.generated.ts +275 -0
package/src/translations/es-ES.objects.generated.ts +275 -0
package/src/translations/index.ts +23 -0
package/src/translations/ja-JP.objects.generated.ts +275 -0
package/src/translations/zh-CN.objects.generated.ts +275 -0

package/src/objects/sys-sharing-rule.object.ts ADDED Viewed

@@ -0,0 +1,190 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+/**
+ * sys_sharing_rule — Declarative record-sharing rule.
+ *
+ * Salesforce-style criteria-based sharing: "any record on object O that
+ * matches criteria C is granted access level A to recipient R". Rules
+ * are evaluated by `@objectstack/plugin-sharing` and materialise their
+ * grants as rows in `sys_record_share` with `source='rule'` and
+ * `source_id={rule.id}` so the evaluator can reconcile (delete + re-
+ * insert) on rule updates without touching manual grants.
+ *
+ * Evaluation triggers:
+ *   - `afterInsert` / `afterUpdate` on the target object (per-record,
+ *     incremental — the hot path).
+ *   - REST `POST /sharing/rules/:id/evaluate` (admin-initiated
+ *     bulk reconcile — used after rule edits).
+ *
+ * Criteria are stored as JSON (a normal `FilterCondition`) so the
+ * existing engine `find()` can do the matching natively. v1 supports
+ * simple `{field, op, value}` style filters; CEL predicates are a
+ * follow-up.
+ *
+ * @namespace sys
+ */
+export const SysSharingRule = ObjectSchema.create({
+  name: 'sys_sharing_rule',
+  label: 'Sharing Rule',
+  pluralLabel: 'Sharing Rules',
+  icon: 'shield-check',
+  isSystem: true,
+  managedBy: 'config',
+  // Sharing rules can now be authored visually via the Studio criteria
+  // builder (apps/studio/src/components/SharingCriteriaBuilder.tsx).
+  // We still recommend `defineSharingRule({...})` for repo-controlled
+  // baselines, but admins can safely create/edit/delete from the UI.
+  userActions: { create: true, edit: true, delete: true, import: false },
+  description: 'Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.',
+  displayNameField: 'name',
+  titleFormat: '{label}',
+  compactLayout: ['name', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active'],
+  listViews: {
+    active: {
+      type: 'grid',
+      name: 'active',
+      label: 'Active',
+      data: { provider: 'object', object: 'sys_sharing_rule' },
+      columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'updated_at'],
+      filter: [{ field: 'active', operator: 'equals', value: true }],
+      sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],
+      pagination: { pageSize: 50 },
+    },
+    inactive: {
+      type: 'grid',
+      name: 'inactive',
+      label: 'Inactive',
+      data: { provider: 'object', object: 'sys_sharing_rule' },
+      columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'updated_at'],
+      filter: [{ field: 'active', operator: 'equals', value: false }],
+      sort: [{ field: 'label', order: 'asc' }],
+      pagination: { pageSize: 50 },
+    },
+    by_object: {
+      type: 'grid',
+      name: 'by_object',
+      label: 'By Object',
+      data: { provider: 'object', object: 'sys_sharing_rule' },
+      columns: ['object_name', 'label', 'recipient_type', 'access_level', 'active'],
+      sort: [{ field: 'object_name', order: 'asc' }, { field: 'label', order: 'asc' }],
+      grouping: { fields: [{ field: 'object_name', order: 'asc', collapsed: false }] },
+      pagination: { pageSize: 100 },
+    },
+    all_rules: {
+      type: 'grid',
+      name: 'all_rules',
+      label: 'All',
+      data: { provider: 'object', object: 'sys_sharing_rule' },
+      columns: ['label', 'object_name', 'recipient_type', 'recipient_id', 'access_level', 'active', 'updated_at'],
+      sort: [{ field: 'label', order: 'asc' }],
+      pagination: { pageSize: 50 },
+    },
+  },
+  fields: {
+    id: Field.text({ label: 'Rule ID', required: true, readonly: true, group: 'System' }),
+    organization_id: Field.lookup('sys_organization', {
+      label: 'Organization',
+      required: false,
+      group: 'System',
+      description: 'Tenant that owns this rule; null = global',
+    }),
+    name: Field.text({
+      label: 'Name',
+      required: true,
+      maxLength: 100,
+      description: 'Unique snake_case rule name',
+      group: 'Identity',
+    }),
+    label: Field.text({
+      label: 'Display Label',
+      required: true,
+      maxLength: 200,
+      group: 'Identity',
+    }),
+    description: Field.textarea({
+      label: 'Description',
+      required: false,
+      group: 'Identity',
+    }),
+    object_name: Field.text({
+      label: 'Object',
+      required: true,
+      maxLength: 100,
+      description: 'Short object name (e.g. opportunity, account)',
+      group: 'Target',
+    }),
+    criteria_json: Field.textarea({
+      label: 'Criteria (FilterCondition JSON)',
+      required: false,
+      description: 'JSON FilterCondition matched against records of object_name. Empty = match all.',
+      group: 'Target',
+    }),
+    recipient_type: Field.select(
+      ['user', 'team', 'department', 'role', 'queue'],
+      {
+        label: 'Recipient Type',
+        required: true,
+        defaultValue: 'department',
+        description: 'Kind of principal that receives access — expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).',
+        group: 'Recipient',
+      },
+    ),
+    recipient_id: Field.text({
+      label: 'Recipient',
+      required: true,
+      maxLength: 200,
+      description: 'department id / team id / role name / queue name / user id depending on recipient_type',
+      group: 'Recipient',
+    }),
+    access_level: Field.select(
+      ['read', 'edit', 'full'],
+      {
+        label: 'Access Level',
+        required: true,
+        defaultValue: 'read',
+        group: 'Recipient',
+      },
+    ),
+    active: Field.boolean({
+      label: 'Active',
+      required: false,
+      defaultValue: true,
+      description: 'Only active rules participate in lifecycle evaluation',
+      group: 'Lifecycle',
+    }),
+    created_at: Field.datetime({
+      label: 'Created At',
+      required: true,
+      defaultValue: 'NOW()',
+      readonly: true,
+      group: 'System',
+    }),
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      required: false,
+      group: 'System',
+    }),
+  },
+  indexes: [
+    { fields: ['object_name', 'active'] },
+    { fields: ['name'], unique: true },
+    { fields: ['organization_id'] },
+  ],
+});

package/src/sharing-plugin.ts CHANGED Viewed

@@ -3,7 +3,7 @@
 import type { Plugin, PluginContext } from '@objectstack/core';
 import type { EngineMiddleware, OperationContext } from '@objectstack/objectql';
 import type { IHttpServer } from '@objectstack/spec/contracts';
-import { SysRecordShare, SysSharingRule, SysShareLink } from '@objectstack/platform-objects/security';
+import { SysRecordShare, SysSharingRule, SysShareLink } from './objects/index.js';
 import { SysDepartment, SysDepartmentMember } from '@objectstack/platform-objects/identity';
 import { SharingService, type SharingEngine } from './sharing-service.js';
 import { SharingRuleService } from './sharing-rule-service.js';
@@ -89,7 +89,37 @@ export class SharingServicePlugin implements Plugin {
       defaultDatasource: 'cloud',
       namespace: 'sys',
       objects: [SysRecordShare, SysSharingRule, SysDepartment, SysDepartmentMember, SysShareLink],
+      // ADR-0029 D7 — contribute the sharing entries into the Setup app's
+      // `group_access_control` slot (priority 200 so they sit after plugin-
+      // security's Roles / Permission Sets). This plugin owns these objects (K2).
+      navigationContributions: [
+        {
+          app: 'setup',
+          group: 'group_access_control',
+          priority: 200,
+          items: [
+            { id: 'nav_sharing_rules', type: 'object', label: 'Sharing Rules', objectName: 'sys_sharing_rule', icon: 'share-2', requiresObject: 'sys_sharing_rule', requiredPermissions: ['manage_platform_settings'] },
+            { id: 'nav_record_shares', type: 'object', label: 'Record Shares', objectName: 'sys_record_share', icon: 'link', requiresObject: 'sys_record_share', requiredPermissions: ['manage_platform_settings'] },
+          ],
+        },
+      ],
     });
+    // ADR-0029 D8 — contribute this plugin's object translations to the i18n
+    // service on kernel:ready (the i18n plugin may register after this one).
+    if (typeof (ctx as any).hook === 'function') {
+      (ctx as any).hook('kernel:ready', async () => {
+        try {
+          const i18n = ctx.getService<any>('i18n');
+          if (i18n && typeof i18n.loadTranslations === 'function') {
+            const { SharingTranslations } = await import('./translations/index.js');
+            for (const [locale, data] of Object.entries(SharingTranslations)) {
+              i18n.loadTranslations(locale, data as Record<string, unknown>);
+            }
+          }
+        } catch { /* i18n optional */ }
+      });
+    }
     ctx.logger.info('SharingServicePlugin: schema registered');
   }

package/src/translations/en.objects.generated.ts ADDED Viewed

@@ -0,0 +1,275 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+/**
+ * Auto-generated by 'os i18n extract' for locale 'en'.
+ * Edit translations in place; re-run extract (with --merge) to fill new gaps.
+ * Do not hand-edit the structure — only the leaf string values.
+ */
+import type { TranslationData } from '@objectstack/spec/system';
+export const enObjects: NonNullable<TranslationData['objects']> = {
+  sys_record_share: {
+    label: "Record Share",
+    pluralLabel: "Record Shares",
+    description: "Per-record sharing grant — extends OWD with explicit access",
+    fields: {
+      id: {
+        label: "Share ID"
+      },
+      object_name: {
+        label: "Object",
+        help: "Short object name of the shared record"
+      },
+      record_id: {
+        label: "Record",
+        help: "Primary key of the shared record within object_name"
+      },
+      recipient_type: {
+        label: "Recipient Type",
+        help: "Kind of principal that holds the grant",
+        options: {
+          user: "user",
+          group: "group",
+          role: "role",
+          role_and_subordinates: "role_and_subordinates",
+          guest: "guest"
+        }
+      },
+      recipient_id: {
+        label: "Recipient",
+        help: "ID of the user/group/role that receives access"
+      },
+      access_level: {
+        label: "Access Level",
+        help: "What the recipient can do — read | edit | full (transfer/share/delete)",
+        options: {
+          read: "read",
+          edit: "edit",
+          full: "full"
+        }
+      },
+      source: {
+        label: "Source",
+        help: "Why this grant exists — used by the rule evaluator to reconcile",
+        options: {
+          manual: "manual",
+          rule: "rule",
+          team: "team",
+          inherited: "inherited"
+        }
+      },
+      source_id: {
+        label: "Source ID",
+        help: "Rule name / team id when source != manual"
+      },
+      granted_by: {
+        label: "Granted By",
+        help: "User that created the grant (manual only)"
+      },
+      reason: {
+        label: "Reason",
+        help: "Optional free-text explanation surfaced to the recipient"
+      },
+      created_at: {
+        label: "Created At"
+      },
+      updated_at: {
+        label: "Updated At"
+      }
+    },
+    _views: {
+      granted_to_me: {
+        label: "Granted to Me"
+      },
+      granted_by_me: {
+        label: "Granted by Me"
+      },
+      by_object: {
+        label: "By Object"
+      },
+      manual_grants: {
+        label: "Manual Grants"
+      },
+      rule_grants: {
+        label: "Rule Grants"
+      },
+      all_shares: {
+        label: "All"
+      }
+    }
+  },
+  sys_sharing_rule: {
+    label: "Sharing Rule",
+    pluralLabel: "Sharing Rules",
+    description: "Declarative sharing rule that auto-materialises sys_record_share grants. Authored via defineSharingRule() in code or the Studio criteria builder.",
+    fields: {
+      id: {
+        label: "Rule ID"
+      },
+      organization_id: {
+        label: "Organization",
+        help: "Tenant that owns this rule; null = global"
+      },
+      name: {
+        label: "Name",
+        help: "Unique snake_case rule name"
+      },
+      label: {
+        label: "Display Label"
+      },
+      description: {
+        label: "Description"
+      },
+      object_name: {
+        label: "Object",
+        help: "Short object name (e.g. opportunity, account)"
+      },
+      criteria_json: {
+        label: "Criteria (FilterCondition JSON)",
+        help: "JSON FilterCondition matched against records of object_name. Empty = match all."
+      },
+      recipient_type: {
+        label: "Recipient Type",
+        help: "Kind of principal that receives access — expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).",
+        options: {
+          user: "user",
+          team: "team",
+          department: "department",
+          role: "role",
+          queue: "queue"
+        }
+      },
+      recipient_id: {
+        label: "Recipient",
+        help: "department id / team id / role name / queue name / user id depending on recipient_type"
+      },
+      access_level: {
+        label: "Access Level",
+        options: {
+          read: "read",
+          edit: "edit",
+          full: "full"
+        }
+      },
+      active: {
+        label: "Active",
+        help: "Only active rules participate in lifecycle evaluation"
+      },
+      created_at: {
+        label: "Created At"
+      },
+      updated_at: {
+        label: "Updated At"
+      }
+    },
+    _views: {
+      active: {
+        label: "Active"
+      },
+      inactive: {
+        label: "Inactive"
+      },
+      by_object: {
+        label: "By Object"
+      },
+      all_rules: {
+        label: "All"
+      }
+    }
+  },
+  sys_share_link: {
+    label: "Share Link",
+    pluralLabel: "Share Links",
+    description: "Opaque capability token granting access to a single record. Notion/Figma-style public link sharing.",
+    fields: {
+      id: {
+        label: "Link ID"
+      },
+      token: {
+        label: "Token",
+        help: "Opaque URL-safe random token (≥ 22 chars). The only secret in this row."
+      },
+      object_name: {
+        label: "Object",
+        help: "Short object name of the shared record (e.g. ai_conversation, contracts_contract)"
+      },
+      record_id: {
+        label: "Record",
+        help: "Primary key of the shared record within object_name"
+      },
+      permission: {
+        label: "Permission",
+        help: "What the link holder can do with the record",
+        options: {
+          view: "View",
+          comment: "Comment",
+          edit: "Edit"
+        }
+      },
+      audience: {
+        label: "Audience",
+        help: "Gating layer applied on top of the token check",
+        options: {
+          public: "Public (indexable)",
+          link_only: "Anyone with the link",
+          signed_in: "Signed-in users",
+          email: "Specific emails"
+        }
+      },
+      expires_at: {
+        label: "Expires At",
+        help: "When set, resolveToken returns null after this timestamp"
+      },
+      email_allowlist: {
+        label: "Email Allowlist",
+        help: "Lowercased addresses checked when audience=email"
+      },
+      password_hash: {
+        label: "Password Hash",
+        help: "Argon2/bcrypt hash. When set, the UI prompts for a password before rendering."
+      },
+      redact_fields: {
+        label: "Per-Link Redactions",
+        help: "Extra fields stripped from the response, on top of the object-default set"
+      },
+      label: {
+        label: "Label",
+        help: "Free-text shown in the share dialog (e.g. \"ACME Q3 contract\")"
+      },
+      revoked_at: {
+        label: "Revoked At",
+        help: "When set, the link is permanently disabled"
+      },
+      created_by: {
+        label: "Created By",
+        help: "Issuer of the link"
+      },
+      created_at: {
+        label: "Created At"
+      },
+      last_used_at: {
+        label: "Last Used At",
+        help: "Stamped by resolveToken; used by the dashboard to highlight active links"
+      },
+      use_count: {
+        label: "Use Count",
+        help: "Incremented by resolveToken on every successful resolution"
+      }
+    },
+    _views: {
+      active_links: {
+        label: "Active"
+      },
+      by_me: {
+        label: "Created by Me"
+      },
+      revoked: {
+        label: "Revoked"
+      },
+      all_links: {
+        label: "All"
+      }
+    }
+  }
+};