@objectstack/plugin-sharing 9.10.0 → 9.11.0

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @objectstack/plugin-sharing@9.10.0 build /home/runner/work/framework/framework/packages/plugins/plugin-sharing
+> @objectstack/plugin-sharing@9.11.0 build /home/runner/work/framework/framework/packages/plugins/plugin-sharing
 > tsup --config ../../../tsup.config.ts
 
 CLI Building entry: src/index.ts
@@ -10,13 +10,13 @@
 CLI Cleaning output folder
 ESM Build start
 CJS Build start
-ESM dist/index.mjs     109.89 KB
-ESM dist/index.mjs.map 191.90 KB
-ESM ⚡️ Build success in 208ms
-CJS dist/index.js     111.86 KB
-CJS dist/index.js.map 191.93 KB
-CJS ⚡️ Build success in 249ms
+CJS dist/index.js     114.82 KB
+CJS dist/index.js.map 199.06 KB
+CJS ⚡️ Build success in 319ms
+ESM dist/index.mjs     112.85 KB
+ESM dist/index.mjs.map 199.03 KB
+ESM ⚡️ Build success in 326ms
 DTS Build start
-DTS ⚡️ Build success in 31225ms
-DTS dist/index.d.mts 403.23 KB
-DTS dist/index.d.ts  403.23 KB
+DTS ⚡️ Build success in 31341ms
+DTS dist/index.d.mts 403.41 KB
+DTS dist/index.d.ts  403.41 KB

package/CHANGELOG.md

@@ -1,5 +1,48 @@
 # @objectstack/plugin-sharing
 
+## 9.11.0
+
+### Minor Changes
+
+- 2365d07: feat(sharing): configurable role-hierarchy widening — `role_and_subordinates` recipient (ADR-0056 D6)
+
+  Role-hierarchy access widening ("a manager sees records shared with their team") is now
+  **implemented and configurable per sharing rule**, not a hardcoded no-op. The
+  `role_and_subordinates` recipient (declarable on `sys_sharing_rule.recipient_type`) expands,
+  at evaluation time, to the named role **plus every subordinate role** by walking the
+  `sys_role.parent` hierarchy via a new `RoleGraphService` (mirroring the department/team
+  graphs; cycle-safe). Previously `Role.parent` was declared but never consumed — a silent
+  no-op flagged by the ADR-0056 audit. This is the Salesforce "grant access using hierarchies"
+  model expressed declaratively: each rule chooses whether to roll up the hierarchy. Unit-proven
+  (role-graph traversal, subordinate-user expansion, cycle safety); the recipient is added to
+  the authoring select + the `SharingRuleRecipientType` contract.
+
+### Patch Changes
+
+- e7f6539: feat(spec,sharing): canonical OWD vocabulary on `object.sharingModel` (ADR-0056 D1)
+
+  Reconciles the Org-Wide-Default naming so authors use ONE vocabulary. `object.sharingModel`
+  now accepts the canonical OWD names — `private` | `public_read` | `public_read_write` |
+  `controlled_by_parent` — alongside the legacy `read` / `read_write` / `full` aliases (kept,
+  non-breaking). The sharing runtime maps them onto the three enforced behaviours
+  (`public_read` ≡ legacy `read` = everyone reads / owner writes; `public_read_write` =
+  unscoped). Unknown values remain rejected by the enum (authoring-time, fail-closed). The
+  showcase announcement now declares the canonical `public_read`, exercised end-to-end by the
+  public-read dogfood proof.
+
+- Updated dependencies [e7f6539]
+- Updated dependencies [2365d07]
+- Updated dependencies [6595b53]
+- Updated dependencies [fa8964d]
+- Updated dependencies [36138c7]
+- Updated dependencies [a8e4f3b]
+- Updated dependencies [4c213c2]
+- Updated dependencies [2afb612]
+  - @objectstack/spec@9.11.0
+  - @objectstack/objectql@9.11.0
+  - @objectstack/core@9.11.0
+  - @objectstack/platform-objects@9.11.0
+
 ## 9.10.0
 
 ### Patch Changes

package/dist/index.d.mts

@@ -661,7 +661,7 @@ declare const SysRecordShare: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -3457,7 +3457,7 @@ declare const SysSharingRule: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -6383,7 +6383,7 @@ declare const SysShareLink: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;

package/dist/index.d.ts

@@ -661,7 +661,7 @@ declare const SysRecordShare: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -3457,7 +3457,7 @@ declare const SysSharingRule: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -6383,7 +6383,7 @@ declare const SysShareLink: Omit<{
         clone: boolean;
         apiMethods?: ("search" | "create" | "import" | "delete" | "list" | "get" | "update" | "upsert" | "bulk" | "aggregate" | "history" | "restore" | "purge" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;

package/dist/index.js

@@ -1448,12 +1448,12 @@ var SysSharingRule = import_data2.ObjectSchema.create({
       group: "Target"
     }),
     recipient_type: import_data2.Field.select(
-      ["user", "team", "department", "role", "queue"],
+      ["user", "team", "department", "role", "role_and_subordinates", "queue"],
       {
         label: "Recipient Type",
         required: true,
         defaultValue: "department",
-        description: "Kind of principal that receives access \u2014 expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).",
+        description: "Kind of principal that receives access \u2014 expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth); `role` is the role's direct members; `role_and_subordinates` walks the sys_role.parent hierarchy to also include every subordinate role (ADR-0056 D6).",
         group: "Recipient"
       }
     ),
@@ -1711,7 +1711,7 @@ var OWNER_FIELD = "owner_id";
 function effectiveSharingModel(schema) {
   const m = schema?.sharingModel ?? schema?.security?.sharingModel;
   if (m === "private") return "private";
-  if (m === "read") return "read";
+  if (m === "read" || m === "public_read") return "read";
   return "public";
 }
 function hasOwnerField(schema) {
@@ -1978,8 +1978,77 @@ async function expandPrincipal(input, ctx) {
   return [`${t}:${v}`];
 }
 
-// src/department-graph.ts
+// src/role-graph.ts
 var SYSTEM_CTX3 = { isSystem: true, roles: [], permissions: [] };
+var RoleGraphService = class {
+  constructor(opts) {
+    var _a, _b;
+    this.engine = opts.engine;
+    this.organizationId = opts.organizationId ?? null;
+    this.cache = opts.cache ?? {};
+    (_a = this.cache).descendants ?? (_a.descendants = /* @__PURE__ */ new Map());
+    (_b = this.cache).expand ?? (_b.expand = /* @__PURE__ */ new Map());
+    this.teamGraph = opts.teamGraph ?? new TeamGraphService({ engine: this.engine, organizationId: this.organizationId });
+  }
+  /** Direct child roles of `roleName` (`sys_role.parent === roleName`). */
+  async childRoles(roleName) {
+    const filter = { parent: roleName };
+    if (this.organizationId) filter.organization_id = this.organizationId;
+    let rows = [];
+    try {
+      rows = await this.engine.find("sys_role", {
+        filter,
+        fields: ["name"],
+        limit: 5e3,
+        context: SYSTEM_CTX3
+      });
+    } catch {
+      rows = [];
+    }
+    return Array.from(new Set((rows ?? []).map((r) => String(r.name ?? "")).filter(Boolean)));
+  }
+  /** `roleName` plus every role beneath it in the hierarchy (BFS, cycle-safe). */
+  async descendantRoles(roleName) {
+    if (!roleName) return [];
+    const cached = this.cache.descendants.get(roleName);
+    if (cached) return cached;
+    const out = [];
+    const seen = /* @__PURE__ */ new Set();
+    const queue = [roleName];
+    while (queue.length) {
+      const r = queue.shift();
+      if (seen.has(r)) continue;
+      seen.add(r);
+      out.push(r);
+      for (const child of await this.childRoles(r)) {
+        if (!seen.has(child)) queue.push(child);
+      }
+    }
+    this.cache.descendants.set(roleName, out);
+    return out;
+  }
+  /** Users holding `roleName` OR any subordinate role (the `role_and_subordinates` set). */
+  async expandRoleAndSubordinates(roleName, organizationId) {
+    if (!roleName) return [];
+    const org = organizationId ?? this.organizationId ?? "*";
+    const key = `${org}::${roleName}`;
+    const cached = this.cache.expand.get(key);
+    if (cached) return cached;
+    const roles = await this.descendantRoles(roleName);
+    const users = /* @__PURE__ */ new Set();
+    for (const role of roles) {
+      for (const uid2 of await this.teamGraph.expandRoleUsers(role, organizationId ?? this.organizationId ?? void 0)) {
+        users.add(uid2);
+      }
+    }
+    const result = Array.from(users);
+    this.cache.expand.set(key, result);
+    return result;
+  }
+};
+
+// src/department-graph.ts
+var SYSTEM_CTX4 = { isSystem: true, roles: [], permissions: [] };
 var DepartmentGraphService = class {
   constructor(opts) {
     var _a, _b, _c;
@@ -2001,7 +2070,7 @@ var DepartmentGraphService = class {
         filter: this.orgScope({ id: departmentId }),
         fields: ["id", "active"],
         limit: 1,
-        context: SYSTEM_CTX3
+        context: SYSTEM_CTX4
       });
       const seedRow = Array.isArray(seedRows) ? seedRows[0] : null;
       if (!seedRow) seedActive = false;
@@ -2023,7 +2092,7 @@ var DepartmentGraphService = class {
           filter: this.orgScope({ parent_department_id: parent, active: { $ne: false } }),
           fields: ["id"],
           limit: 1e3,
-          context: SYSTEM_CTX3
+          context: SYSTEM_CTX4
         });
       } catch {
         children = [];
@@ -2052,7 +2121,7 @@ var DepartmentGraphService = class {
         filter: { department_id: { $in: depts } },
         fields: ["user_id"],
         limit: 1e4,
-        context: SYSTEM_CTX3
+        context: SYSTEM_CTX4
       });
     } catch {
       rows = [];
@@ -2072,7 +2141,7 @@ var DepartmentGraphService = class {
         filter: { id: departmentId },
         fields: ["id", "manager_user_id"],
         limit: 1,
-        context: SYSTEM_CTX3
+        context: SYSTEM_CTX4
       });
       row = Array.isArray(rows) ? rows[0] : null;
     } catch {
@@ -2090,7 +2159,7 @@ var DepartmentGraphService = class {
         filter: { id: userId },
         fields: ["id", "manager_id"],
         limit: 1,
-        context: SYSTEM_CTX3
+        context: SYSTEM_CTX4
       });
       const row = Array.isArray(rows) ? rows[0] : null;
       return row?.manager_id ? String(row.manager_id) : null;
@@ -2105,7 +2174,7 @@ var DepartmentGraphService = class {
 };
 
 // src/sharing-rule-service.ts
-var SYSTEM_CTX4 = { isSystem: true, roles: [], permissions: [] };
+var SYSTEM_CTX5 = { isSystem: true, roles: [], permissions: [] };
 function uid(prefix) {
   const g = globalThis;
   if (g.crypto?.randomUUID) return `${prefix}_${g.crypto.randomUUID()}`;
@@ -2161,7 +2230,7 @@ var SharingRuleService = class {
     const existing = await this.engine.find("sys_sharing_rule", {
       filter: orgId ? { name: input.name, organization_id: orgId } : { name: input.name },
       limit: 1,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     if (Array.isArray(existing) && existing[0]) {
       const row = existing[0];
@@ -2177,7 +2246,7 @@ var SharingRuleService = class {
         active,
         updated_at: now
       };
-      await this.engine.update("sys_sharing_rule", patch, { context: SYSTEM_CTX4 });
+      await this.engine.update("sys_sharing_rule", patch, { context: SYSTEM_CTX5 });
       return rowFromRule({ ...row, ...patch });
     }
     const newRow = {
@@ -2195,7 +2264,7 @@ var SharingRuleService = class {
       created_at: now,
       updated_at: now
     };
-    await this.engine.insert("sys_sharing_rule", newRow, { context: SYSTEM_CTX4 });
+    await this.engine.insert("sys_sharing_rule", newRow, { context: SYSTEM_CTX5 });
     return rowFromRule(newRow);
   }
   async listRules(filter, context) {
@@ -2208,7 +2277,7 @@ var SharingRuleService = class {
       filter: where,
       orderBy: [{ field: "name", order: "asc" }],
       limit: 1e3,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     return Array.isArray(rows) ? rows.map(rowFromRule) : [];
   }
@@ -2218,13 +2287,13 @@ var SharingRuleService = class {
     const byId = await this.engine.find("sys_sharing_rule", {
       filter: { id: idOrName },
       limit: 1,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     if (Array.isArray(byId) && byId[0]) return rowFromRule(byId[0]);
     const byName = await this.engine.find("sys_sharing_rule", {
       filter: orgId ? { name: idOrName, organization_id: orgId } : { name: idOrName },
       limit: 1,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     if (Array.isArray(byName) && byName[0]) return rowFromRule(byName[0]);
     return null;
@@ -2234,11 +2303,11 @@ var SharingRuleService = class {
     if (!row) return;
     await this.engine.delete("sys_record_share", {
       where: { source: "rule", source_id: row.id },
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     await this.engine.delete("sys_sharing_rule", {
       where: { id: row.id },
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
   }
   async evaluateRule(idOrName, context) {
@@ -2271,7 +2340,7 @@ var SharingRuleService = class {
         filter,
         fields: ["id"],
         limit: 5e3,
-        context: SYSTEM_CTX4
+        context: SYSTEM_CTX5
       });
       return Array.isArray(rows) ? rows.map((r) => String(r.id)).filter(Boolean) : [];
     } catch (err) {
@@ -2286,7 +2355,7 @@ var SharingRuleService = class {
         filter,
         fields: ["id"],
         limit: 1,
-        context: SYSTEM_CTX4
+        context: SYSTEM_CTX5
       });
       return Array.isArray(rows) && rows.length > 0;
     } catch {
@@ -2309,6 +2378,14 @@ var SharingRuleService = class {
       return dept.expandUsers(rule.recipient_id);
     }
     if (rule.recipient_type === "role") return team.expandRoleUsers(rule.recipient_id, rule.organization_id ?? void 0);
+    if (rule.recipient_type === "role_and_subordinates") {
+      const roleGraph = new RoleGraphService({
+        engine: this.engine,
+        organizationId: rule.organization_id ?? null,
+        teamGraph: team
+      });
+      return roleGraph.expandRoleAndSubordinates(rule.recipient_id, rule.organization_id ?? void 0);
+    }
     return [];
   }
   async reconcile(rule, matchedIds, users) {
@@ -2316,7 +2393,7 @@ var SharingRuleService = class {
       filter: { source: "rule", source_id: rule.id },
       fields: ["id", "record_id", "recipient_id", "access_level"],
       limit: 1e5,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     const desired = /* @__PURE__ */ new Map();
     for (const rid of matchedIds) {
@@ -2342,7 +2419,7 @@ var SharingRuleService = class {
               sourceId: rule.id,
               reason: `rule:${rule.name}`
             },
-            SYSTEM_CTX4
+            SYSTEM_CTX5
           );
           updated += 1;
         }
@@ -2359,13 +2436,13 @@ var SharingRuleService = class {
             sourceId: rule.id,
             reason: `rule:${rule.name}`
           },
-          SYSTEM_CTX4
+          SYSTEM_CTX5
         );
         created += 1;
       }
     }
     for (const [, stale] of existingMap.entries()) {
-      await this.sharing.revoke(stale.id, SYSTEM_CTX4);
+      await this.sharing.revoke(stale.id, SYSTEM_CTX5);
       revoked += 1;
     }
     return {
@@ -2382,7 +2459,7 @@ var SharingRuleService = class {
       filter: { source: "rule", source_id: rule.id, record_id: recordId },
       fields: ["id", "record_id", "recipient_id", "access_level"],
       limit: 1e3,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     const existingMap = /* @__PURE__ */ new Map();
     for (const row of existing ?? []) existingMap.set(String(row.recipient_id), row);
@@ -2405,7 +2482,7 @@ var SharingRuleService = class {
                 sourceId: rule.id,
                 reason: `rule:${rule.name}`
               },
-              SYSTEM_CTX4
+              SYSTEM_CTX5
             );
             updated += 1;
           }
@@ -2422,14 +2499,14 @@ var SharingRuleService = class {
               sourceId: rule.id,
               reason: `rule:${rule.name}`
             },
-            SYSTEM_CTX4
+            SYSTEM_CTX5
           );
           created += 1;
         }
       }
     }
     for (const [, stale] of existingMap.entries()) {
-      await this.sharing.revoke(stale.id, SYSTEM_CTX4);
+      await this.sharing.revoke(stale.id, SYSTEM_CTX5);
       revoked += 1;
     }
     return {
@@ -2446,11 +2523,11 @@ var SharingRuleService = class {
       filter: { source: "rule", source_id: ruleId },
       fields: ["id"],
       limit: 1e5,
-      context: SYSTEM_CTX4
+      context: SYSTEM_CTX5
     });
     let revoked = 0;
     for (const row of existing ?? []) {
-      await this.sharing.revoke(row.id, SYSTEM_CTX4);
+      await this.sharing.revoke(row.id, SYSTEM_CTX5);
       revoked += 1;
     }
     return revoked;
@@ -2458,7 +2535,7 @@ var SharingRuleService = class {
 };
 
 // src/share-link-service.ts
-var SYSTEM_CTX5 = { isSystem: true, roles: [], permissions: [] };
+var SYSTEM_CTX6 = { isSystem: true, roles: [], permissions: [] };
 var TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
 var TOKEN_LENGTH = 24;
 var DEFAULT_MAX_EXPIRY_DAYS = 365;
@@ -2598,7 +2675,7 @@ var ShareLinkService = class {
       where: { id: input.recordId },
       fields: ["id"],
       limit: 1,
-      context: SYSTEM_CTX5
+      context: SYSTEM_CTX6
     });
     if (!Array.isArray(exists) || exists.length === 0) {
       throw makeError(404, "RECORD_NOT_FOUND", `${input.object}/${input.recordId} does not exist`);
@@ -2624,7 +2701,7 @@ var ShareLinkService = class {
       last_used_at: null,
       use_count: 0
     };
-    await this.engine.insert("sys_share_link", row, { context: SYSTEM_CTX5 });
+    await this.engine.insert("sys_share_link", row, { context: SYSTEM_CTX6 });
     return row;
   }
   async revokeLink(idOrToken, _context) {
@@ -2634,7 +2711,7 @@ var ShareLinkService = class {
       where: filter,
       fields: ["id", "revoked_at"],
       limit: 1,
-      context: SYSTEM_CTX5
+      context: SYSTEM_CTX6
     });
     const row = Array.isArray(rows) ? rows[0] : void 0;
     if (!row) return;
@@ -2642,7 +2719,7 @@ var ShareLinkService = class {
     await this.engine.update(
       "sys_share_link",
       { id: row.id, revoked_at: (/* @__PURE__ */ new Date()).toISOString() },
-      { context: SYSTEM_CTX5 }
+      { context: SYSTEM_CTX6 }
     );
   }
   async listLinks(filter, context) {
@@ -2655,7 +2732,7 @@ var ShareLinkService = class {
       where,
       limit: 200,
       sort: [{ field: "created_at", order: "desc" }],
-      context: context.isSystem ? SYSTEM_CTX5 : context
+      context: context.isSystem ? SYSTEM_CTX6 : context
     });
     return Array.isArray(rows) ? rows : [];
   }
@@ -2664,7 +2741,7 @@ var ShareLinkService = class {
     const rows = await this.engine.find("sys_share_link", {
       where: { token },
       limit: 1,
-      context: SYSTEM_CTX5
+      context: SYSTEM_CTX6
     });
     const row = Array.isArray(rows) ? rows[0] : void 0;
     if (!row) return null;
@@ -2694,7 +2771,7 @@ var ShareLinkService = class {
           last_used_at: (/* @__PURE__ */ new Date()).toISOString(),
           use_count: (row.use_count ?? 0) + 1
         },
-        { context: SYSTEM_CTX5 }
+        { context: SYSTEM_CTX6 }
       );
     } catch {
     }
@@ -2703,7 +2780,7 @@ var ShareLinkService = class {
 };
 
 // src/share-link-routes.ts
-var SYSTEM_CTX6 = { isSystem: true, roles: [], permissions: [] };
+var SYSTEM_CTX7 = { isSystem: true, roles: [], permissions: [] };
 var defaultContext = (req) => {
   const header = (name) => {
     const v = req.headers?.[name];
@@ -2804,7 +2881,7 @@ function registerShareLinkRoutes(http, service, engine, opts = {}) {
         const probe = await engine.find("sys_share_link", {
           where: { token: req.params.token },
           limit: 1,
-          context: SYSTEM_CTX6
+          context: SYSTEM_CTX7
         });
         const row = Array.isArray(probe) && probe[0] ? probe[0] : null;
         if (row && !row.revoked_at && (!row.expires_at || Date.parse(row.expires_at) > Date.now())) {
@@ -2828,7 +2905,7 @@ function registerShareLinkRoutes(http, service, engine, opts = {}) {
       const rows = await engine.find(resolved.link.object_name, {
         where: { id: resolved.link.record_id },
         limit: 1,
-        context: SYSTEM_CTX6
+        context: SYSTEM_CTX7
       });
       const record = Array.isArray(rows) && rows[0] ? rows[0] : null;
       if (!record) {
@@ -2865,12 +2942,12 @@ function registerShareLinkRoutes(http, service, engine, opts = {}) {
         sendError(res, 400, "UNSUPPORTED", "This share link does not expose messages");
         return;
       }
-      const SYSTEM_CTX8 = { isSystem: true, roles: [], permissions: [] };
+      const SYSTEM_CTX9 = { isSystem: true, roles: [], permissions: [] };
       const rows = await engine.find("ai_messages", {
         where: { conversation_id: resolved.link.record_id },
         sort: [{ field: "created_at", order: "asc" }],
         limit: 500,
-        context: SYSTEM_CTX8
+        context: SYSTEM_CTX9
       });
       res.status(200).json({ data: rows ?? [] });
     } catch (err) {
@@ -2885,7 +2962,7 @@ function registerShareLinkRoutes(http, service, engine, opts = {}) {
 }
 
 // src/rule-hooks.ts
-var SYSTEM_CTX7 = { isSystem: true, roles: [], permissions: [] };
+var SYSTEM_CTX8 = { isSystem: true, roles: [], permissions: [] };
 var SHARING_RULE_HOOK_PACKAGE = "plugin-sharing:rules";
 function bindRuleHooks(engine, service, rules, logger) {
   const objects = /* @__PURE__ */ new Set();
@@ -2900,7 +2977,7 @@ function bindRuleHooks(engine, service, rules, logger) {
         const data = ctx?.result ?? ctx?.input?.data ?? {};
         const id = String(data?.id ?? ctx?.input?.id ?? "");
         if (!id) return;
-        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX7);
+        await service.evaluateAllForRecord(objectName, id, SYSTEM_CTX8);
       } catch (err) {
         logger?.warn?.("[sharing-rule] hook evaluation failed", { object: objectName, error: err?.message });
       }