@objectstack/runtime 9.9.1 → 9.10.0

package/dist/index.d.cts

@@ -230,30 +230,6 @@ declare class AppPlugin implements Plugin {
     init: (ctx: PluginContext) => Promise<void>;
     start: (ctx: PluginContext) => Promise<void>;
     stop: (ctx: PluginContext) => Promise<void>;
-    /**
-     * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
-     *
-     * On a fresh boot there are zero users until the first human sign-up
-     * (which the SeedLoader runs *before*), so identity-derived seeds like
-     * `owner_id: cel`os.user.id`` had nothing to resolve against and were
-     * dropped silently. To make seeds deterministic and self-sufficient we
-     * upsert a single non-loginable **system user** (`usr_system`) and bind
-     * it as `os.user`.
-     *
-     * Why a dedicated system user rather than the login admin:
-     *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
-     *    password lives in `sys_account`, so a *loginable* admin can only be
-     *    minted through better-auth (the CLI does this via HTTP sign-up after
-     *    boot). A raw insert here would bypass those invariants.
-     *  - `usr_system` is an owner identity only (no credential row), analogous
-     *    to Salesforce's "Automated Process" user. The human admin is created
-     *    independently and need not be the seed owner.
-     *
-     * Idempotent: matches by the stable id, inserts once, reuses thereafter.
-     * Failures are non-fatal (logged) — records that actually need `os.user`
-     * then fail loudly in the loader with an actionable message.
-     */
-    private ensureSeedIdentity;
     /**
      * Emit a kernel hook so the control-plane `AppCatalogService` can
      * upsert / delete the corresponding `sys_app` row. Silently no-ops

package/dist/index.d.ts

@@ -230,30 +230,6 @@ declare class AppPlugin implements Plugin {
     init: (ctx: PluginContext) => Promise<void>;
     start: (ctx: PluginContext) => Promise<void>;
     stop: (ctx: PluginContext) => Promise<void>;
-    /**
-     * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
-     *
-     * On a fresh boot there are zero users until the first human sign-up
-     * (which the SeedLoader runs *before*), so identity-derived seeds like
-     * `owner_id: cel`os.user.id`` had nothing to resolve against and were
-     * dropped silently. To make seeds deterministic and self-sufficient we
-     * upsert a single non-loginable **system user** (`usr_system`) and bind
-     * it as `os.user`.
-     *
-     * Why a dedicated system user rather than the login admin:
-     *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
-     *    password lives in `sys_account`, so a *loginable* admin can only be
-     *    minted through better-auth (the CLI does this via HTTP sign-up after
-     *    boot). A raw insert here would bypass those invariants.
-     *  - `usr_system` is an owner identity only (no credential row), analogous
-     *    to Salesforce's "Automated Process" user. The human admin is created
-     *    independently and need not be the seed owner.
-     *
-     * Idempotent: matches by the stable id, inserts once, reuses thereafter.
-     * Failures are non-fatal (logged) — records that actually need `os.user`
-     * then fail loudly in the loader with an actionable message.
-     */
-    private ensureSeedIdentity;
     /**
      * Emit a kernel hook so the control-plane `AppCatalogService` can
      * upsert / delete the corresponding `sys_app` row. Silently no-ops

package/dist/index.js

@@ -205,7 +205,7 @@ var init_package_state_store = __esm({
 import {
   newAsyncContext
 } from "quickjs-emscripten";
-function installApiMethod(vm, parent, method, objectName, ctx, caps, required, origin) {
+function installApiMethod(vm, parent, method, objectName, ctx, caps, required, origin, txState) {
   const fn = vm.newFunction(method, (...argHandles) => {
     if (!caps.has(required)) {
       throw new SandboxError(
@@ -220,7 +220,8 @@ function installApiMethod(vm, parent, method, objectName, ctx, caps, required, o
     const deferred = vm.newPromise();
     void (async () => {
       try {
-        const proxy = apiAny.object(objectName);
+        const source = txState.api ?? apiAny;
+        const proxy = source.object(objectName);
         const m = proxy[method];
         if (typeof m !== "function") {
           throw new SandboxError(`ctx.api.object('${objectName}').${method} not implemented`);
@@ -365,8 +366,9 @@ var init_quickjs_runner = __esm({
         const start = Date.now();
         const deadline = start + args.timeoutMs;
         runtime.setInterruptHandler(() => Date.now() > deadline);
+        const txState = { api: null, handle: null, open: false };
         try {
-          this.installCtx(vm, args.ctx, new Set(args.capabilities), args.origin);
+          this.installCtx(vm, args.ctx, new Set(args.capabilities), args.origin, txState);
           if (args.isExpression) {
             const wrapped2 = `globalThis.__result = JSON.stringify((function(){ return (${args.source}); })());`;
             const result = vm.evalCode(wrapped2);
@@ -429,6 +431,16 @@ var init_quickjs_runner = __esm({
             pumps++;
           }
         } finally {
+          if (txState.open && txState.handle != null) {
+            const apiTx = args.ctx.api;
+            const rollback = apiTx?.rollbackTransaction;
+            if (typeof rollback === "function") {
+              try {
+                await rollback.call(apiTx, txState.handle);
+              } catch {
+              }
+            }
+          }
           vm.dispose();
         }
       }
@@ -441,7 +453,7 @@ var init_quickjs_runner = __esm({
        * {@link installApiMethod}) so they may return Promises (real ObjectQL
        * `find/count/insert/...` are async) without asyncify's single-unwind limit.
        */
-      installCtx(vm, ctx, caps, origin) {
+      installCtx(vm, ctx, caps, origin, txState) {
         setGlobalJson(vm, "__input", ctx.input);
         setGlobalJson(vm, "__previous", ctx.previous);
         const ctxObj = vm.newObject();
@@ -476,12 +488,70 @@ var init_quickjs_runner = __esm({
           const wrap = vm.newObject();
           const READ = ["find", "findOne", "count", "aggregate"];
           const WRITE = ["insert", "update", "delete", "updateMany", "deleteMany", "upsert"];
-          for (const m of READ) installApiMethod(vm, wrap, m, objectName, ctx, caps, "api.read", origin);
-          for (const m of WRITE) installApiMethod(vm, wrap, m, objectName, ctx, caps, "api.write", origin);
+          for (const m of READ) installApiMethod(vm, wrap, m, objectName, ctx, caps, "api.read", origin, txState);
+          for (const m of WRITE) installApiMethod(vm, wrap, m, objectName, ctx, caps, "api.write", origin, txState);
           return wrap;
         });
         vm.setProp(apiObj, "object", objectFn);
         objectFn.dispose();
+        const apiTx = ctx.api;
+        const installTxLeaf = (name, run) => {
+          const fn = vm.newFunction(name, () => {
+            if (!caps.has("api.transaction")) {
+              throw new SandboxError(
+                `capability 'api.transaction' not granted to ${origin.kind} '${origin.name}' (called ctx.api.transaction)`
+              );
+            }
+            const deferred = vm.newPromise();
+            void (async () => {
+              try {
+                await run();
+                if (!vm.alive) return;
+                deferred.resolve(vm.undefined);
+              } catch (err) {
+                if (!vm.alive) return;
+                const errH = err instanceof Error ? vm.newError({ name: err.name || "Error", message: err.message }) : vm.newError({ name: "Error", message: String(err) });
+                deferred.reject(errH);
+                errH.dispose();
+              }
+            })();
+            return deferred.handle;
+          });
+          vm.setProp(apiObj, name, fn);
+          fn.dispose();
+        };
+        installTxLeaf("__txBegin", async () => {
+          if (txState.open) throw new SandboxError("nested ctx.api.transaction is not supported");
+          const begin = apiTx?.beginTransaction;
+          if (typeof begin === "function") {
+            const r = await begin.call(apiTx) ?? null;
+            if (r) {
+              txState.api = r.ctx;
+              txState.handle = r.handle;
+            }
+          }
+          txState.open = true;
+        });
+        installTxLeaf("__txCommit", async () => {
+          const { handle, open } = txState;
+          txState.api = null;
+          txState.handle = null;
+          txState.open = false;
+          const commit = apiTx?.commitTransaction;
+          if (open && handle != null && typeof commit === "function") {
+            await commit.call(apiTx, handle);
+          }
+        });
+        installTxLeaf("__txRollback", async () => {
+          const { handle, open } = txState;
+          txState.api = null;
+          txState.handle = null;
+          txState.open = false;
+          const rollback = apiTx?.rollbackTransaction;
+          if (open && handle != null && typeof rollback === "function") {
+            await rollback.call(apiTx, handle);
+          }
+        });
         vm.setProp(ctxObj, "api", apiObj);
         apiObj.dispose();
         const logObj = vm.newObject();
@@ -514,6 +584,25 @@ var init_quickjs_runner = __esm({
         cryptoObj.dispose();
         vm.setProp(vm.global, "__ctx", ctxObj);
         ctxObj.dispose();
+        const sugar = vm.evalCode(
+          `__ctx.api.transaction = async function (fn) {
+         await __ctx.api.__txBegin();
+         try {
+           var r = await fn();
+           await __ctx.api.__txCommit();
+           return r;
+         } catch (e) {
+           await __ctx.api.__txRollback();
+           throw e;
+         }
+       };`
+        );
+        if (sugar.error) {
+          const msg = vm.dump(sugar.error);
+          sugar.error.dispose();
+          throw new SandboxError(`failed to install ctx.api.transaction: ${formatErr(msg)}`);
+        }
+        sugar.value.dispose();
       }
     };
     SandboxError = class extends Error {
@@ -714,7 +803,6 @@ __export(app_plugin_exports, {
   collectBundleHooks: () => collectBundleHooks
 });
 import { readEnvWithDeprecation } from "@objectstack/types";
-import { SystemUserId } from "@objectstack/spec/system";
 function collectBundleHooks(bundle) {
   const out = [];
   const seen = /* @__PURE__ */ new Set();
@@ -1045,7 +1133,7 @@ var init_app_plugin = __esm({
               ...d,
               object: d.object
             }));
-            const seedIdentity = await this.ensureSeedIdentity(ql, ctx.logger);
+            const seedIdentity = void 0;
             try {
               const kernel = ctx.kernel;
               const existing = (() => {
@@ -1088,10 +1176,10 @@ var init_app_plugin = __esm({
                     defaultMode: "upsert",
                     multiPass: true,
                     organizationId,
-                    // Bind os.user (system identity) and os.org (this
-                    // tenant) so identity-derived seed values resolve
-                    // per-org. org.id falls back to organizationId
-                    // inside the loader when identity.org is absent.
+                    // `os.org` is derived from organizationId inside
+                    // the loader. `seedIdentity` (os.user) is undefined
+                    // unless a seed embeds `cel`os.user.id`` — see the
+                    // lazy guard where it is resolved.
                     identity: seedIdentity
                   }
                 });
@@ -1251,64 +1339,6 @@ var init_app_plugin = __esm({
         this.name = `plugin.app.${appId}`;
         this.version = sys?.version;
       }
-      /**
-       * Resolve the identity bound to `os.user` / `os.org` for seed CEL values.
-       *
-       * On a fresh boot there are zero users until the first human sign-up
-       * (which the SeedLoader runs *before*), so identity-derived seeds like
-       * `owner_id: cel`os.user.id`` had nothing to resolve against and were
-       * dropped silently. To make seeds deterministic and self-sufficient we
-       * upsert a single non-loginable **system user** (`usr_system`) and bind
-       * it as `os.user`.
-       *
-       * Why a dedicated system user rather than the login admin:
-       *  - `sys_user` is better-auth-managed and schema-locked (ADR-0010); the
-       *    password lives in `sys_account`, so a *loginable* admin can only be
-       *    minted through better-auth (the CLI does this via HTTP sign-up after
-       *    boot). A raw insert here would bypass those invariants.
-       *  - `usr_system` is an owner identity only (no credential row), analogous
-       *    to Salesforce's "Automated Process" user. The human admin is created
-       *    independently and need not be the seed owner.
-       *
-       * Idempotent: matches by the stable id, inserts once, reuses thereafter.
-       * Failures are non-fatal (logged) — records that actually need `os.user`
-       * then fail loudly in the loader with an actionable message.
-       */
-      async ensureSeedIdentity(ql, logger) {
-        const SYSTEM_USER_ID = SystemUserId.SYSTEM;
-        const SYSTEM_USER_EMAIL = "system@objectstack.local";
-        const identity = { user: { id: SYSTEM_USER_ID, role: "system", email: SYSTEM_USER_EMAIL } };
-        const opts = { context: { isSystem: true } };
-        try {
-          const existing = await ql.find(
-            "sys_user",
-            { where: { id: SYSTEM_USER_ID }, limit: 1 },
-            opts
-          );
-          if (Array.isArray(existing) && existing.length > 0) {
-            return identity;
-          }
-          await ql.insert(
-            "sys_user",
-            {
-              id: SYSTEM_USER_ID,
-              name: "System",
-              email: SYSTEM_USER_EMAIL,
-              email_verified: true,
-              role: "system"
-            },
-            opts
-          );
-          logger.info(
-            `[Seeder] Provisioned deterministic system user (${SYSTEM_USER_ID}) as seed owner \u2014 binds os.user for identity-derived seed values`
-          );
-        } catch (err) {
-          logger.warn("[Seeder] Failed to ensure system seed user; os.user-dependent seeds may be dropped", {
-            error: err?.message ?? String(err)
-          });
-        }
-        return identity;
-      }
       /**
        * Emit a kernel hook so the control-plane `AppCatalogService` can
        * upsert / delete the corresponding `sys_app` row. Silently no-ops