@objectstack/rest 9.7.0 → 9.9.0

package/dist/index.d.cts

@@ -299,6 +299,25 @@ declare class RestServer {
      * requests (they're internal-only), so they cannot bypass this gate.
      */
     private enforceAuth;
+    /**
+     * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+     * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+     * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+     * the point: `apiEnabled` controls automatic API exposure, not data access.
+     *
+     * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+     *   existence isn't revealed).
+     * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+     *
+     * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+     * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+     * objects fall through to the normal 404 path. A metadata-read failure does not
+     * block (the data call itself needs the same metadata and will surface the
+     * error). Returns `true` when the request was blocked (response already sent).
+     *
+     * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+     */
+    private enforceApiAccess;
     /**
      * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
      * the better-auth session via the project's `auth` service. Returns
@@ -432,11 +451,13 @@ declare class RestServer {
     private registerCrudEndpoints;
     /**
      * Register object-specific action endpoints that don't fit the
-     * generic CRUD shape. These are domain operations (Salesforce
-     * convertLead, etc.) where the protocol implementation does its own
-     * multi-record orchestration and we just need a thin HTTP route.
+     * generic CRUD shape — domain operations where the protocol does its
+     * own orchestration and we just need a thin HTTP route.
      *
-     * POST {basePath}/data/lead/:id/convert — M10.6 lead conversion.
+     * POST {basePath}/data/:object/:id/clone — record clone (gated by
+     * `enable.clone`). This is object-agnostic by design: it works for any
+     * authored object regardless of namespace, unlike a hardcoded
+     * per-object route would.
      */
     private registerDataActionEndpoints;
     /**

package/dist/index.d.ts

@@ -299,6 +299,25 @@ declare class RestServer {
      * requests (they're internal-only), so they cannot bypass this gate.
      */
     private enforceAuth;
+    /**
+     * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+     * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+     * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+     * the point: `apiEnabled` controls automatic API exposure, not data access.
+     *
+     * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+     *   existence isn't revealed).
+     * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+     *
+     * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+     * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+     * objects fall through to the normal 404 path. A metadata-read failure does not
+     * block (the data call itself needs the same metadata and will surface the
+     * error). Returns `true` when the request was blocked (response already sent).
+     *
+     * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+     */
+    private enforceApiAccess;
     /**
      * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
      * the better-auth session via the project's `auth` service. Returns
@@ -432,11 +451,13 @@ declare class RestServer {
     private registerCrudEndpoints;
     /**
      * Register object-specific action endpoints that don't fit the
-     * generic CRUD shape. These are domain operations (Salesforce
-     * convertLead, etc.) where the protocol implementation does its own
-     * multi-record orchestration and we just need a thin HTTP route.
+     * generic CRUD shape — domain operations where the protocol does its
+     * own orchestration and we just need a thin HTTP route.
      *
-     * POST {basePath}/data/lead/:id/convert — M10.6 lead conversion.
+     * POST {basePath}/data/:object/:id/clone — record clone (gated by
+     * `enable.clone`). This is object-agnostic by design: it works for any
+     * authored object regardless of namespace, unlike a hardcoded
+     * per-object route would.
      */
     private registerDataActionEndpoints;
     /**

package/dist/index.js

@@ -218,6 +218,18 @@ function isMetaEnvelope(value) {
   return !!value && typeof value === "object" && typeof value.type === "string" && typeof value.name === "string" && value.item != null && typeof value.item === "object" && !Array.isArray(value.item);
 }
 function mapDataError(error, object) {
+  if (error?.code === "DELETE_RESTRICTED") {
+    return {
+      status: 409,
+      body: {
+        error: error?.message ?? "Cannot delete: dependent records exist",
+        code: "DELETE_RESTRICTED",
+        ...error?.dependentObject ? { dependentObject: error.dependentObject } : {},
+        ...typeof error?.dependentCount === "number" ? { dependentCount: error.dependentCount } : {},
+        ...object ? { object } : {}
+      }
+    };
+  }
   if (error?.code === "CONCURRENT_UPDATE" || error?.name === "ConcurrentUpdateError") {
     return {
       status: 409,
@@ -627,6 +639,60 @@ var RestServer = class {
     });
     return true;
   }
+  /**
+   * Enforce object-level API exposure (ObjectSchema `enable.apiEnabled` /
+   * `enable.apiMethods`) on the REST data surface — the *external* API boundary
+   * only. Internal callers (hooks, flows, raw objectql) are unaffected, which is
+   * the point: `apiEnabled` controls automatic API exposure, not data access.
+   *
+   * - `enable.apiEnabled === false` → object hidden from the API (404, so its
+   *   existence isn't revealed).
+   * - `enable.apiMethods` (non-empty whitelist) → unlisted operations rejected (405).
+   *
+   * Default-allow: objects with no `enable` block (or `apiEnabled` unset/true and
+   * no `apiMethods` whitelist) behave exactly as before — no regression. Unknown
+   * objects fall through to the normal 404 path. A metadata-read failure does not
+   * block (the data call itself needs the same metadata and will surface the
+   * error). Returns `true` when the request was blocked (response already sent).
+   *
+   * See ADR-0049 (#1889): shipping a non-enforcing `apiEnabled` is false security.
+   */
+  async enforceApiAccess(req, res, p, environmentId, operation) {
+    const objectName = req?.params?.object;
+    if (!objectName) return false;
+    let enable;
+    try {
+      const r = await p.getMetaItems?.({
+        type: "object",
+        ...environmentId ? { environmentId } : {}
+      });
+      const items = Array.isArray(r?.items) ? r.items : Array.isArray(r) ? r : [];
+      const obj = items.find((o) => o?.name === objectName);
+      if (!obj) return false;
+      enable = obj.enable;
+    } catch {
+      return false;
+    }
+    if (!enable) return false;
+    if (enable.apiEnabled === false) {
+      res.status(404).json({
+        error: `Object '${objectName}' is not exposed via the API`,
+        code: "OBJECT_API_DISABLED",
+        object: objectName
+      });
+      return true;
+    }
+    if (Array.isArray(enable.apiMethods) && enable.apiMethods.length > 0 && !enable.apiMethods.includes(operation)) {
+      res.status(405).json({
+        error: `API operation '${operation}' is not allowed on object '${objectName}'`,
+        code: "OBJECT_API_METHOD_NOT_ALLOWED",
+        object: objectName,
+        allowed: enable.apiMethods
+      });
+      return true;
+    }
+    return false;
+  }
   /**
    * Resolve the request's execution context (RBAC/RLS/FLS) by looking up
    * the better-auth session via the project's `auth` service. Returns
@@ -2078,6 +2144,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "list")) return;
             const result = await p.findData({
               object: req.params.object,
               query: req.query,
@@ -2112,6 +2179,7 @@ var RestServer = class {
             const { select, expand } = req.query || {};
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "get")) return;
             const result = await p.getData({
               object: req.params.object,
               id: req.params.id,
@@ -2143,6 +2211,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
             const result = await p.createData({
               object: req.params.object,
               data: req.body,
@@ -2172,6 +2241,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "list")) return;
             const result = await p.findData({
               object: req.params.object,
               query: req.body || {},
@@ -2209,6 +2279,7 @@ var RestServer = class {
               const { expectedVersion: _drop, ...rest } = data;
               data = rest;
             }
+            if (await this.enforceApiAccess(req, res, p, environmentId, "update")) return;
             const result = await p.updateData({
               object: req.params.object,
               id: req.params.id,
@@ -2243,6 +2314,7 @@ var RestServer = class {
             const ifMatchHeader = req.headers?.["if-match"] ?? req.headers?.["If-Match"];
             const queryVersion = req.query && typeof req.query === "object" ? req.query.expectedVersion : void 0;
             const expectedVersion = queryVersion ?? ifMatchHeader;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "delete")) return;
             const result = await p.deleteData({
               object: req.params.object,
               id: req.params.id,
@@ -2266,11 +2338,13 @@ var RestServer = class {
   }
   /**
    * Register object-specific action endpoints that don't fit the
-   * generic CRUD shape. These are domain operations (Salesforce
-   * convertLead, etc.) where the protocol implementation does its own
-   * multi-record orchestration and we just need a thin HTTP route.
+   * generic CRUD shape — domain operations where the protocol does its
+   * own orchestration and we just need a thin HTTP route.
    *
-   * POST {basePath}/data/lead/:id/convert — M10.6 lead conversion.
+   * POST {basePath}/data/:object/:id/clone — record clone (gated by
+   * `enable.clone`). This is object-agnostic by design: it works for any
+   * authored object regardless of namespace, unlike a hardcoded
+   * per-object route would.
    */
   registerDataActionEndpoints(basePath) {
     const isScoped = basePath.includes("/environments/:environmentId");
@@ -2278,37 +2352,38 @@ var RestServer = class {
     const dataPath = `${basePath}${crud.dataPrefix}`;
     this.routeManager.register({
       method: "POST",
-      path: `${dataPath}/lead/:id/convert`,
+      path: `${dataPath}/:object/:id/clone`,
       handler: async (req, res) => {
         try {
           const environmentId = isScoped ? req.params?.environmentId : void 0;
           const p = await this.resolveProtocol(environmentId, req);
           const context = await this.resolveExecCtx(environmentId, req);
           if (this.enforceAuth(req, res, context)) return;
-          const convertLead = p.convertLead;
-          if (typeof convertLead !== "function") {
-            res.status(501).json({ code: "NOT_IMPLEMENTED", error: "Lead convert not supported by this protocol" });
+          if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
+          const cloneData = p.cloneData;
+          if (typeof cloneData !== "function") {
+            res.status(501).json({ code: "NOT_IMPLEMENTED", error: "Clone not supported by this protocol" });
             return;
           }
           const body = req.body ?? {};
-          const result = await convertLead.call(p, {
-            leadId: req.params.id,
-            accountId: body.accountId,
-            contactId: body.contactId,
-            createOpportunity: body.createOpportunity,
-            opportunity: body.opportunity,
-            convertedStatus: body.convertedStatus,
+          const overrides = body && typeof body === "object" && "overrides" in body ? body.overrides : body;
+          const result = await cloneData.call(p, {
+            object: req.params.object,
+            id: req.params.id,
+            ...overrides && typeof overrides === "object" ? { overrides } : {},
+            ...environmentId ? { environmentId } : {},
             ...context ? { context } : {}
           });
-          res.json(result);
+          res.status(201).json(result);
         } catch (error) {
-          logError("[REST] Unhandled error:", error);
-          sendError(res, error, "lead");
+          const status = typeof error?.status === "number" ? error.status : mapDataError(error, req.params?.object).status;
+          if (!isExpectedDataStatus(status) && error?.code !== "VALIDATION_FAILED") logError("[REST] Unhandled error:", error);
+          sendError(res, error, req.params?.object);
         }
       },
       metadata: {
-        summary: "Convert a Lead into Account + Contact (+ optional Opportunity)",
-        tags: ["data", "lead"]
+        summary: "Clone a record (gated by enable.clone)",
+        tags: ["data", "clone"]
       }
     });
     this.routeManager.register({
@@ -2325,6 +2400,7 @@ var RestServer = class {
             res.status(400).json({ code: "INVALID_REQUEST", error: "object is required" });
             return;
           }
+          if (await this.enforceApiAccess(req, res, p, environmentId, "import")) return;
           const body = req.body ?? {};
           const dryRun = body.dryRun === true;
           const mapping = body.mapping ?? {};
@@ -2408,6 +2484,7 @@ var RestServer = class {
             res.status(400).json({ code: "INVALID_REQUEST", error: "object is required" });
             return;
           }
+          if (await this.enforceApiAccess(req, res, p, environmentId, "export")) return;
           const q = req.query ?? {};
           const format = String(q.format ?? "csv").toLowerCase() === "json" ? "json" : "csv";
           const HARD_CAP = 5e4;
@@ -2706,6 +2783,9 @@ var RestServer = class {
             }
           }
         }
+        if (view.viewKind === "form" && view.config && typeof view.config === "object" && view.config.sharing) {
+          candidates.push({ form: view.config, key: view.name });
+        }
         for (const c of candidates) {
           const sharing = c.form?.sharing;
           if (!sharing || sharing.allowAnonymous !== true) continue;
@@ -3929,6 +4009,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "bulk")) return;
             const result = await p.batchData({
               object: req.params.object,
               request: req.body,
@@ -3957,6 +4038,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "create")) return;
             const result = await p.createManyData({
               object: req.params.object,
               records: req.body || [],
@@ -3985,6 +4067,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "update")) return;
             const result = await p.updateManyData({
               object: req.params.object,
               ...req.body,
@@ -4013,6 +4096,7 @@ var RestServer = class {
             const p = await this.resolveProtocol(environmentId, req);
             const context = await this.resolveExecCtx(environmentId, req);
             if (this.enforceAuth(req, res, context)) return;
+            if (await this.enforceApiAccess(req, res, p, environmentId, "delete")) return;
             const result = await p.deleteManyData({
               object: req.params.object,
               ...req.body,