@objectstack/service-datasource 7.6.0

package/dist/index.cjs

@@ -0,0 +1,995 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } async function _asyncNullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return await rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/external-datasource-service.ts
+
+
+
+
+var _data = require('@objectstack/spec/data');
+var BUILTIN_COLUMNS = /* @__PURE__ */ new Set(["id", "created_at", "updated_at"]);
+function parseQualified(raw) {
+  const idx = raw.indexOf(".");
+  if (idx === -1) return { name: raw };
+  return { schema: raw.slice(0, idx), name: raw.slice(idx + 1) };
+}
+function toObjectName(remoteName) {
+  const { name } = parseQualified(remoteName);
+  return name.replace(/[^a-zA-Z0-9_]/g, "_").replace(/^[^a-z_]/, (c) => `_${c.toLowerCase()}`).toLowerCase();
+}
+function toLabel(name) {
+  return name.split("_").filter(Boolean).map((w) => w.charAt(0).toUpperCase() + w.slice(1)).join(" ");
+}
+var ExternalDatasourceService = class {
+  constructor(config) {
+    this.config = config;
+  }
+  get logger() {
+    return this.config.logger;
+  }
+  findTable(schema, remoteName) {
+    const want = parseQualified(remoteName).name;
+    for (const table of Object.values(schema.tables)) {
+      if (table.name === remoteName) return table;
+      if (parseQualified(table.name).name === want) return table;
+    }
+    return void 0;
+  }
+  async listRemoteTables(datasource, opts) {
+    const [schema, ds] = await Promise.all([
+      this.config.introspect(datasource),
+      this.config.getDatasource(datasource)
+    ]);
+    const allowed = _optionalChain([ds, 'optionalAccess', _ => _.external, 'optionalAccess', _2 => _2.allowedSchemas]);
+    const tables = [];
+    for (const table of Object.values(schema.tables)) {
+      const { schema: tableSchema, name } = parseQualified(table.name);
+      if (_optionalChain([opts, 'optionalAccess', _3 => _3.schema]) && tableSchema && tableSchema !== opts.schema) continue;
+      if (allowed && tableSchema && !allowed.includes(tableSchema)) continue;
+      tables.push({ schema: tableSchema, name, columnCount: table.columns.length });
+    }
+    return tables;
+  }
+  async generateObjectDraft(datasource, remoteName, opts = {}) {
+    const schema = await this.config.introspect(datasource);
+    const table = this.findTable(schema, remoteName);
+    if (!table) {
+      throw new Error(
+        `Remote table '${remoteName}' not found on datasource '${datasource}'.`
+      );
+    }
+    const dialect = schema.dialect;
+    const matched = parseQualified(table.name);
+    const remoteSchema = _nullishCoalesce(opts.remoteSchema, () => ( matched.schema));
+    const resolvedRemoteName = matched.name;
+    const include = opts.includeColumns ? new Set(opts.includeColumns) : void 0;
+    const exclude = opts.excludeColumns ? new Set(opts.excludeColumns) : /* @__PURE__ */ new Set();
+    const pkOverride = opts.primaryKey ? new Set(opts.primaryKey) : void 0;
+    const fields = {};
+    const review = [];
+    for (const col of table.columns) {
+      if (include && !include.has(col.name)) continue;
+      if (exclude.has(col.name)) continue;
+      const fieldName = _nullishCoalesce(_optionalChain([opts, 'access', _4 => _4.rename, 'optionalAccess', _5 => _5[col.name]]), () => ( col.name));
+      const suggested = _data.suggestFieldType.call(void 0, col.type, dialect);
+      const fieldType = _nullishCoalesce(suggested, () => ( "text"));
+      if (!suggested) {
+        review.push({
+          column: col.name,
+          remoteType: col.type,
+          note: `unrecognised remote type \u2014 defaulted to 'text', verify`
+        });
+      } else if (_data.isCompatible.call(void 0, col.type, fieldType, dialect) === "lossy") {
+        review.push({
+          column: col.name,
+          remoteType: col.type,
+          note: `mapped lossy to '${fieldType}'`
+        });
+      }
+      const isPk = pkOverride ? pkOverride.has(col.name) : col.primaryKey;
+      fields[fieldName] = isPk ? { type: fieldType, primaryKey: true } : { type: fieldType };
+    }
+    const name = toObjectName(resolvedRemoteName);
+    const definition = {
+      name,
+      label: toLabel(name),
+      datasource,
+      external: {
+        ...remoteSchema ? { remoteSchema } : {},
+        remoteName: resolvedRemoteName
+      },
+      fields
+    };
+    return {
+      name,
+      datasource,
+      definition,
+      source: renderObjectSource(definition, fields, review),
+      review
+    };
+  }
+  async importObject(datasource, remoteName, opts = {}) {
+    if (!this.config.persistObject) {
+      throw new Error(
+        `importObject requires a writable metadata store, but none is wired (datasource '${datasource}'). This deployment may be GitOps-only \u2014 use 'os datasource introspect' and commit the generated *.object.ts instead.`
+      );
+    }
+    const draft = await this.generateObjectDraft(datasource, remoteName, opts);
+    const name = _nullishCoalesce(opts.name, () => ( draft.name));
+    const external = {
+      ...draft.definition.external,
+      ...opts.writable ? { writable: true } : {}
+    };
+    const definition = {
+      ...draft.definition,
+      name,
+      label: toLabel(name),
+      external
+    };
+    await this.config.persistObject(name, definition);
+    _optionalChain([this, 'access', _6 => _6.logger, 'optionalAccess', _7 => _7.info, 'optionalCall', _8 => _8(`importObject: persisted '${name}' from ${datasource}.${remoteName}`, {
+      writable: opts.writable === true,
+      review: draft.review.length
+    })]);
+    return { name, definition, review: draft.review };
+  }
+  async refreshCatalog(datasource) {
+    const schema = await this.config.introspect(datasource);
+    const catalog = _data.ExternalCatalogSchema.parse({
+      name: `${datasource}_catalog`,
+      datasource,
+      snapshotAt: (/* @__PURE__ */ new Date()).toISOString(),
+      dialect: schema.dialect,
+      tables: Object.values(schema.tables).map((t) => {
+        const { schema: s, name } = parseQualified(t.name);
+        return {
+          remoteSchema: s,
+          remoteName: name,
+          columns: t.columns.map((c) => ({
+            name: c.name,
+            sqlType: c.type,
+            nullable: c.nullable,
+            primaryKey: c.primaryKey,
+            suggestedFieldType: _data.suggestFieldType.call(void 0, c.type, schema.dialect)
+          }))
+        };
+      })
+    });
+    if (this.config.persistCatalog) {
+      try {
+        await this.config.persistCatalog(catalog);
+      } catch (err) {
+        _optionalChain([this, 'access', _9 => _9.logger, 'optionalAccess', _10 => _10.warn, 'optionalCall', _11 => _11(`refreshCatalog: failed to persist '${catalog.name}'`, err)]);
+      }
+    }
+    return catalog;
+  }
+  async validateObject(objectName) {
+    const obj = await this.config.getObject(objectName);
+    if (!obj) {
+      throw new Error(`Object '${objectName}' not found.`);
+    }
+    const datasource = _nullishCoalesce(obj.datasource, () => ( "default"));
+    const ds = await this.config.getDatasource(datasource);
+    if (!ds || !ds.schemaMode || ds.schemaMode === "managed") {
+      return { ok: true, datasource, object: objectName, diffs: [] };
+    }
+    const schema = await this.config.introspect(datasource);
+    const dialect = schema.dialect;
+    const remoteName = _nullishCoalesce(_optionalChain([obj, 'access', _12 => _12.external, 'optionalAccess', _13 => _13.remoteName]), () => ( obj.name));
+    const table = this.findTable(schema, remoteName);
+    const diffs = [];
+    if (!table) {
+      diffs.push({
+        kind: "missing_table",
+        remoteSchema: _optionalChain([obj, 'access', _14 => _14.external, 'optionalAccess', _15 => _15.remoteSchema]),
+        remoteName,
+        severity: "error"
+      });
+      return { ok: false, datasource, object: objectName, diffs };
+    }
+    const columnsByName = new Map(table.columns.map((c) => [c.name, c]));
+    const ignore = new Set(_nullishCoalesce(_optionalChain([obj, 'access', _16 => _16.external, 'optionalAccess', _17 => _17.ignoreColumns]), () => ( [])));
+    const fieldToRemote = /* @__PURE__ */ new Map();
+    for (const [remoteCol, fieldName] of Object.entries(_nullishCoalesce(_optionalChain([obj, 'access', _18 => _18.external, 'optionalAccess', _19 => _19.columnMap]), () => ( {})))) {
+      fieldToRemote.set(fieldName, remoteCol);
+    }
+    for (const [fieldName, field] of Object.entries(_nullishCoalesce(obj.fields, () => ( {})))) {
+      if (BUILTIN_COLUMNS.has(fieldName)) continue;
+      const remoteCol = _nullishCoalesce(fieldToRemote.get(fieldName), () => ( fieldName));
+      if (ignore.has(remoteCol)) continue;
+      const col = columnsByName.get(remoteCol);
+      if (!col) {
+        diffs.push({
+          kind: "missing_column",
+          remoteName,
+          column: remoteCol,
+          severity: "error"
+        });
+        continue;
+      }
+      const fieldType = _nullishCoalesce(field.type, () => ( "text"));
+      const compat = _data.isCompatible.call(void 0, col.type, fieldType, dialect);
+      if (compat === false) {
+        diffs.push({
+          kind: "type_mismatch",
+          remoteName,
+          column: remoteCol,
+          expected: fieldType,
+          actual: col.type,
+          severity: "error"
+        });
+      } else if (compat === "lossy") {
+        diffs.push({
+          kind: "type_mismatch",
+          remoteName,
+          column: remoteCol,
+          expected: fieldType,
+          actual: col.type,
+          severity: "warning"
+        });
+      }
+    }
+    const ok = !diffs.some((d) => d.severity === "error");
+    return { ok, datasource, object: objectName, diffs };
+  }
+  async validateAll() {
+    const objects = await this.config.listObjects();
+    const federated = objects.filter(
+      (o) => o.external !== void 0 || o.datasource && o.datasource !== "default"
+    );
+    const results = await Promise.all(
+      federated.map(
+        (o) => this.validateObject(o.name).catch((err) => {
+          _optionalChain([this, 'access', _20 => _20.logger, 'optionalAccess', _21 => _21.warn, 'call', _22 => _22(`validateObject('${o.name}') failed`, err)]);
+          return {
+            ok: false,
+            datasource: _nullishCoalesce(o.datasource, () => ( "default")),
+            object: o.name,
+            diffs: [
+              {
+                kind: "missing_table",
+                remoteName: _nullishCoalesce(_optionalChain([o, 'access', _23 => _23.external, 'optionalAccess', _24 => _24.remoteName]), () => ( o.name)),
+                actual: err instanceof Error ? err.message : String(err),
+                severity: "error"
+              }
+            ]
+          };
+        })
+      )
+    );
+    const ok = results.every((r) => r.ok);
+    return { ok, results };
+  }
+};
+function renderObjectSource(definition, fields, review) {
+  const reviewByColumn = new Map(review.map((r) => [r.column, r.note]));
+  const external = definition.external;
+  const fieldLines = Object.entries(fields).map(([fieldName, f]) => {
+    const note = reviewByColumn.get(fieldName);
+    const pk = f.primaryKey ? ", primaryKey: true" : "";
+    const comment = note ? ` // REVIEW: ${note}` : "";
+    return `    ${fieldName}: { type: '${f.type}'${pk} },${comment}`;
+  });
+  const externalLine = external.remoteSchema ? `  external: { remoteSchema: '${external.remoteSchema}', remoteName: '${external.remoteName}' },` : `  external: { remoteName: '${external.remoteName}' },`;
+  return [
+    `// Generated by \`os datasource introspect\` (ADR-0015). Review before committing.`,
+    `import type { ServiceObjectInput } from '@objectstack/spec/data';`,
+    ``,
+    `const ${definition.name}: ServiceObjectInput = {`,
+    `  name: '${definition.name}',`,
+    `  label: '${definition.label}',`,
+    `  datasource: '${definition.datasource}',`,
+    externalLine,
+    `  fields: {`,
+    ...fieldLines,
+    `  },`,
+    `};`,
+    ``,
+    `export default ${definition.name};`,
+    ``
+  ].join("\n");
+}
+
+// src/plugin.ts
+var ExternalDatasourceServicePlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.service-external-datasource";
+    this.version = "1.0.0";
+    this.type = "standard";
+    this.dependencies = [];
+    this.options = options;
+  }
+  async init(ctx) {
+    const engine = safeGetService(ctx, "data");
+    const metadata = safeGetService(ctx, "metadata");
+    const introspect = _nullishCoalesce(this.options.introspect, () => ( (async (datasource) => {
+      if (_optionalChain([engine, 'optionalAccess', _25 => _25.introspectDatasource])) return engine.introspectDatasource(datasource);
+      const driver = _optionalChain([engine, 'optionalAccess', _26 => _26.getDatasourceDriver, 'optionalCall', _27 => _27(datasource)]);
+      if (_optionalChain([driver, 'optionalAccess', _28 => _28.introspectSchema])) return driver.introspectSchema();
+      throw new Error(
+        `Cannot introspect datasource '${datasource}': no driver introspection available.`
+      );
+    })));
+    const config = {
+      introspect,
+      getDatasource: async (n) => await _optionalChain([metadata, 'optionalAccess', _29 => _29.get, 'call', _30 => _30("datasource", n)]),
+      getObject: async (n) => _optionalChain([metadata, 'optionalAccess', _31 => _31.getObject]) ? await metadata.getObject(n) : await _optionalChain([metadata, 'optionalAccess', _32 => _32.get, 'call', _33 => _33("object", n)]),
+      listObjects: async () => await _asyncNullishCoalesce((_optionalChain([metadata, 'optionalAccess', _34 => _34.listObjects]) ? await metadata.listObjects() : await _optionalChain([metadata, 'optionalAccess', _35 => _35.list, 'optionalCall', _36 => _36("object")])), async () => ( [])),
+      // Persist the refreshed snapshot as an `external_catalog` metadata record
+      // so the boot gate + Studio's schema browser can read it without
+      // re-introspecting. No-op when the metadata service can't write.
+      ..._optionalChain([metadata, 'optionalAccess', _37 => _37.register]) ? {
+        persistCatalog: async (catalog) => {
+          await metadata.register("external_catalog", catalog.name, catalog);
+        },
+        // Runtime "Import as Object": persist a federated object so it's
+        // immediately queryable, no git commit required (ADR-0015 Addendum).
+        persistObject: async (name, definition) => {
+          await metadata.register("object", name, definition);
+        }
+      } : {},
+      logger: this.options.logger
+    };
+    this.service = new ExternalDatasourceService(config);
+    ctx.registerService("external-datasource", this.service);
+  }
+  async start(ctx) {
+    if (this.service) await ctx.trigger("external-datasource:ready", this.service);
+  }
+  async destroy() {
+    this.service = void 0;
+  }
+};
+function safeGetService(ctx, name) {
+  try {
+    return ctx.getService(name);
+  } catch (e) {
+    return void 0;
+  }
+}
+
+// src/datasource-admin-service.ts
+var NAME_RE = /^[a-z_][a-z0-9_]*$/;
+var DatasourceAdminService = class {
+  constructor(config) {
+    this.config = config;
+  }
+  get logger() {
+    return this.config.logger;
+  }
+  async listDatasources() {
+    const records = await this.config.listDatasourceRecords();
+    const byName = /* @__PURE__ */ new Map();
+    for (const rec of records) {
+      const slot = _nullishCoalesce(byName.get(rec.name), () => ( {}));
+      if (rec.origin === "runtime") slot.runtime = rec;
+      else slot.code = rec;
+      byName.set(rec.name, slot);
+    }
+    const summaries = [];
+    for (const [name, slot] of byName) {
+      const effective = _nullishCoalesce(slot.code, () => ( slot.runtime));
+      if (!effective) continue;
+      summaries.push({
+        name,
+        label: effective.label,
+        driver: effective.driver,
+        schemaMode: _nullishCoalesce(effective.schemaMode, () => ( "managed")),
+        origin: slot.code ? "code" : "runtime",
+        active: _nullishCoalesce(effective.active, () => ( true)),
+        status: "unvalidated",
+        ..._optionalChain([slot, 'access', _38 => _38.code, 'optionalAccess', _39 => _39.definedIn]) ? { definedIn: slot.code.definedIn } : {},
+        ...slot.code && slot.runtime ? { conflictsWithCode: true } : {}
+      });
+    }
+    return summaries;
+  }
+  async testConnection(input, secret) {
+    if (!_optionalChain([input, 'optionalAccess', _40 => _40.driver])) {
+      return { ok: false, error: "A driver is required to test a connection." };
+    }
+    const queryTimeoutMs = _optionalChain([input, 'access', _41 => _41.external, 'optionalAccess', _42 => _42.queryTimeoutMs]);
+    try {
+      return await this.config.probe({
+        driver: input.driver,
+        config: _nullishCoalesce(input.config, () => ( {})),
+        secret: _optionalChain([secret, 'optionalAccess', _43 => _43.value]),
+        external: input.external,
+        ...typeof queryTimeoutMs === "number" ? { timeoutMs: queryTimeoutMs } : {}
+      });
+    } catch (err) {
+      return { ok: false, error: err instanceof Error ? err.message : String(err) };
+    }
+  }
+  async createDatasource(input, secret) {
+    this.assertValidName(_optionalChain([input, 'optionalAccess', _44 => _44.name]));
+    if (!input.driver) throw new Error("A driver is required to create a datasource.");
+    const existing = await this.config.getDatasourceRecord(input.name);
+    if (existing) {
+      if (existing.origin === "code" || existing.origin === void 0) {
+        throw new Error(
+          `Cannot create datasource '${input.name}': a code-defined datasource owns this name (read-only).`
+        );
+      }
+      throw new Error(`Datasource '${input.name}' already exists.`);
+    }
+    const record = {
+      ...this.toRecord(input),
+      origin: "runtime"
+    };
+    if (secret) {
+      const credentialsRef = await this.config.writeSecret(secret, { name: input.name });
+      record.external = { ..._nullishCoalesce(record.external, () => ( {})), credentialsRef };
+    }
+    await this.config.putDatasourceRecord(record);
+    await this.tryRegisterPool(record);
+    return this.toSummary(record);
+  }
+  async updateDatasource(name, patch, secret) {
+    const existing = await this.config.getDatasourceRecord(name);
+    if (!existing) throw new Error(`Datasource '${name}' not found.`);
+    if (existing.origin !== "runtime") {
+      throw new Error(`Datasource '${name}' is code-defined and cannot be edited at runtime.`);
+    }
+    const merged = {
+      ...existing,
+      ...patch.label !== void 0 ? { label: patch.label } : {},
+      ...patch.driver !== void 0 ? { driver: patch.driver } : {},
+      ...patch.schemaMode !== void 0 ? { schemaMode: patch.schemaMode } : {},
+      ...patch.config !== void 0 ? { config: patch.config } : {},
+      ...patch.pool !== void 0 ? { pool: patch.pool } : {},
+      ...patch.active !== void 0 ? { active: patch.active } : {},
+      name: existing.name,
+      origin: "runtime"
+    };
+    if (patch.external !== void 0) {
+      merged.external = { ...patch.external, credentialsRef: _optionalChain([existing, 'access', _45 => _45.external, 'optionalAccess', _46 => _46.credentialsRef]) };
+    }
+    if (secret) {
+      const prevRef = _optionalChain([existing, 'access', _47 => _47.external, 'optionalAccess', _48 => _48.credentialsRef]);
+      const credentialsRef = await this.config.writeSecret(secret, { name });
+      merged.external = { ..._nullishCoalesce(merged.external, () => ( {})), credentialsRef };
+      if (prevRef && prevRef !== credentialsRef) await this.tryRemoveSecret(prevRef);
+    }
+    await this.config.putDatasourceRecord(merged);
+    await this.tryRegisterPool(merged);
+    return this.toSummary(merged);
+  }
+  async removeDatasource(name) {
+    const existing = await this.config.getDatasourceRecord(name);
+    if (!existing) throw new Error(`Datasource '${name}' not found.`);
+    if (existing.origin !== "runtime") {
+      throw new Error(`Datasource '${name}' is code-defined and cannot be removed at runtime.`);
+    }
+    const bound = await this.config.countBoundObjects(name);
+    if (bound > 0) {
+      throw new Error(
+        `Cannot remove datasource '${name}': ${bound} object(s) are still bound to it.`
+      );
+    }
+    await this.config.deleteDatasourceRecord(name);
+    if (_optionalChain([existing, 'access', _49 => _49.external, 'optionalAccess', _50 => _50.credentialsRef])) await this.tryRemoveSecret(existing.external.credentialsRef);
+    await this.tryUnregisterPool(name);
+  }
+  // --- internals -----------------------------------------------------------
+  assertValidName(name) {
+    if (!name || !NAME_RE.test(name)) {
+      throw new Error(
+        `Invalid datasource name '${_nullishCoalesce(name, () => ( ""))}': must match /^[a-z_][a-z0-9_]*$/.`
+      );
+    }
+  }
+  toRecord(input) {
+    return {
+      name: input.name,
+      ...input.label !== void 0 ? { label: input.label } : {},
+      driver: input.driver,
+      ...input.schemaMode !== void 0 ? { schemaMode: input.schemaMode } : {},
+      ...input.config !== void 0 ? { config: input.config } : {},
+      ...input.external !== void 0 ? { external: input.external } : {},
+      ...input.pool !== void 0 ? { pool: input.pool } : {},
+      ...input.active !== void 0 ? { active: input.active } : {}
+    };
+  }
+  toSummary(record) {
+    return {
+      name: record.name,
+      label: record.label,
+      driver: record.driver,
+      schemaMode: _nullishCoalesce(record.schemaMode, () => ( "managed")),
+      origin: _nullishCoalesce(record.origin, () => ( "runtime")),
+      active: _nullishCoalesce(record.active, () => ( true)),
+      status: "unvalidated"
+    };
+  }
+  async tryRegisterPool(record) {
+    try {
+      await _optionalChain([this, 'access', _51 => _51.config, 'access', _52 => _52.registerPool, 'optionalCall', _53 => _53(record)]);
+    } catch (err) {
+      _optionalChain([this, 'access', _54 => _54.logger, 'optionalAccess', _55 => _55.warn, 'call', _56 => _56(`registerPool('${record.name}') failed`, err)]);
+    }
+  }
+  async tryUnregisterPool(name) {
+    try {
+      await _optionalChain([this, 'access', _57 => _57.config, 'access', _58 => _58.unregisterPool, 'optionalCall', _59 => _59(name)]);
+    } catch (err) {
+      _optionalChain([this, 'access', _60 => _60.logger, 'optionalAccess', _61 => _61.warn, 'call', _62 => _62(`unregisterPool('${name}') failed`, err)]);
+    }
+  }
+  async tryRemoveSecret(credentialsRef) {
+    try {
+      await _optionalChain([this, 'access', _63 => _63.config, 'access', _64 => _64.removeSecret, 'optionalCall', _65 => _65(credentialsRef)]);
+    } catch (err) {
+      _optionalChain([this, 'access', _66 => _66.logger, 'optionalAccess', _67 => _67.warn, 'call', _68 => _68(`removeSecret('${credentialsRef}') failed`, err)]);
+    }
+  }
+};
+
+// src/datasource-admin-plugin.ts
+var _kernel = require('@objectstack/spec/kernel');
+var DatasourceAdminServicePlugin = class {
+  constructor(options = {}) {
+    this.name = "com.objectstack.service-datasource-admin";
+    this.version = "1.0.0";
+    this.type = "standard";
+    this.dependencies = [];
+    this.options = options;
+  }
+  async init(ctx) {
+    const logger = this.options.logger;
+    _kernel.registerMetadataTypeActions.call(void 0, "datasource", [
+      {
+        name: "test_connection",
+        label: "Test connection",
+        icon: "plug-zap",
+        type: "api",
+        target: "/api/v1/datasources/${ctx.recordId}/test",
+        method: "POST",
+        variant: "secondary",
+        refreshAfter: false,
+        locations: ["record_header", "list_item"]
+      }
+    ]);
+    const metadataOf = () => safeGetService2(ctx, "metadata");
+    const engineOf = () => safeGetService2(ctx, "data");
+    const factory = () => _nullishCoalesce(this.options.driverFactory, () => ( safeGetService2(ctx, "datasource-driver-factory")));
+    const config = {
+      probe: (input) => this.probe(factory(), input),
+      listDatasourceRecords: async () => {
+        const rows = await _asyncNullishCoalesce(await _optionalChain([metadataOf, 'call', _69 => _69(), 'optionalAccess', _70 => _70.list, 'call', _71 => _71("datasource")]), async () => ( []));
+        return rows.map((r) => ({ ...r, origin: _nullishCoalesce(r.origin, () => ( "code")) }));
+      },
+      getDatasourceRecord: async (name) => {
+        const row = await _optionalChain([metadataOf, 'call', _72 => _72(), 'optionalAccess', _73 => _73.get, 'call', _74 => _74("datasource", name)]);
+        return row ? { ...row, origin: _nullishCoalesce(row.origin, () => ( "code")) } : void 0;
+      },
+      putDatasourceRecord: async (record) => {
+        const metadata = metadataOf();
+        if (!_optionalChain([metadata, 'optionalAccess', _75 => _75.register])) {
+          throw new Error("Metadata service is unavailable; cannot persist datasource.");
+        }
+        await metadata.register("datasource", record.name, record);
+      },
+      deleteDatasourceRecord: async (name) => {
+        const metadata = metadataOf();
+        if (!_optionalChain([metadata, 'optionalAccess', _76 => _76.unregister])) {
+          throw new Error("Metadata service is unavailable; cannot remove datasource.");
+        }
+        await metadata.unregister("datasource", name);
+      },
+      writeSecret: async (input, hint) => {
+        const binder = this.options.secrets;
+        if (!_optionalChain([binder, 'optionalAccess', _77 => _77.bind])) {
+          throw new Error(
+            "No secret store configured: refusing to persist a datasource credential in cleartext. Wire a SecretBinder (CryptoProvider + sys_secret) into DatasourceAdminServicePlugin."
+          );
+        }
+        return binder.bind(input, hint);
+      },
+      removeSecret: async (ref) => {
+        await _optionalChain([this, 'access', _78 => _78.options, 'access', _79 => _79.secrets, 'optionalAccess', _80 => _80.unbind, 'optionalCall', _81 => _81(ref)]);
+      },
+      countBoundObjects: async (datasource) => {
+        const metadata = metadataOf();
+        const objects = await _asyncNullishCoalesce(await _asyncNullishCoalesce(await _optionalChain([metadata, 'optionalAccess', _82 => _82.listObjects, 'optionalCall', _83 => _83()]), async () => ( await _optionalChain([metadata, 'optionalAccess', _84 => _84.list, 'call', _85 => _85("object")]))), async () => ( []));
+        return objects.filter((o) => _optionalChain([o, 'optionalAccess', _86 => _86.datasource]) === datasource).length;
+      },
+      registerPool: async (record) => {
+        const f = factory();
+        const engine = engineOf();
+        if (!f || !_optionalChain([engine, 'optionalAccess', _87 => _87.registerDriver]) || !f.supports(record.driver)) return;
+        const credentialsRef = _optionalChain([record, 'access', _88 => _88.external, 'optionalAccess', _89 => _89.credentialsRef]);
+        const secret = credentialsRef ? await _optionalChain([this, 'access', _90 => _90.options, 'access', _91 => _91.secrets, 'optionalAccess', _92 => _92.resolve, 'optionalCall', _93 => _93(credentialsRef)]) : void 0;
+        const handle = await f.create({ ...this.toSpec(record), ...secret ? { secret } : {} });
+        if (typeof _optionalChain([handle, 'optionalAccess', _94 => _94.connect]) === "function") await handle.connect();
+        const engineDriver = _nullishCoalesce(handle.driver, () => ( handle));
+        try {
+          engineDriver.name = record.name;
+        } catch (e2) {
+        }
+        engine.registerDriver(engineDriver);
+        _optionalChain([engine, 'access', _95 => _95.registerDatasourceDef, 'optionalCall', _96 => _96({
+          name: record.name,
+          schemaMode: record.schemaMode,
+          external: record.external
+        })]);
+      },
+      unregisterPool: async (name) => {
+        const driver = _optionalChain([engineOf, 'call', _97 => _97(), 'optionalAccess', _98 => _98.getDriverByName, 'optionalCall', _99 => _99(name)]);
+        if (typeof _optionalChain([driver, 'optionalAccess', _100 => _100.disconnect]) === "function") await driver.disconnect();
+      },
+      logger
+    };
+    this.config = config;
+    this.service = new DatasourceAdminService(config);
+    ctx.registerService("datasource-admin", this.service);
+  }
+  async start(ctx) {
+    await this.rehydratePools();
+    if (this.service) await ctx.trigger("datasource-admin:ready", this.service);
+  }
+  /**
+   * Boot-time rehydration: list persisted runtime datasources and re-register
+   * each one's connection pool (driver build → connect → registerDriver),
+   * decrypting its `sys_secret` credential on the way via the configured
+   * `registerPool` (which resolves `credentialsRef`). Code-defined datasources
+   * are owned by the host stack's own boot path and skipped here. Entirely
+   * best-effort: a missing factory/engine, an unpersisted dev store (nothing
+   * to rehydrate), or a single failing pool never blocks boot.
+   */
+  async rehydratePools() {
+    const cfg = this.config;
+    if (!_optionalChain([cfg, 'optionalAccess', _101 => _101.registerPool]) || !cfg.listDatasourceRecords) return;
+    let records;
+    try {
+      records = await cfg.listDatasourceRecords();
+    } catch (err) {
+      _optionalChain([this, 'access', _102 => _102.options, 'access', _103 => _103.logger, 'optionalAccess', _104 => _104.warn, 'optionalCall', _105 => _105("datasource rehydrate: listing records failed", err)]);
+      return;
+    }
+    const runtime = records.filter((r) => r.origin === "runtime" && (_nullishCoalesce(r.active, () => ( true))));
+    if (runtime.length === 0) return;
+    let registered = 0;
+    for (const record of runtime) {
+      try {
+        await cfg.registerPool(record);
+        registered++;
+      } catch (err) {
+        _optionalChain([this, 'access', _106 => _106.options, 'access', _107 => _107.logger, 'optionalAccess', _108 => _108.warn, 'optionalCall', _109 => _109(`datasource rehydrate: pool '${record.name}' failed`, err)]);
+      }
+    }
+    _optionalChain([this, 'access', _110 => _110.options, 'access', _111 => _111.logger, 'optionalAccess', _112 => _112.info, 'optionalCall', _113 => _113(
+      `Rehydrated ${registered}/${runtime.length} runtime datasource pool(s) on boot`
+    )]);
+  }
+  async destroy() {
+    this.service = void 0;
+  }
+  // --- internals -----------------------------------------------------------
+  toSpec(record) {
+    return {
+      name: record.name,
+      driver: record.driver,
+      config: _nullishCoalesce(record.config, () => ( {})),
+      external: record.external,
+      pool: record.pool
+    };
+  }
+  /** Probe a connection via the driver factory: build → connect → ping → close. */
+  async probe(factory, input) {
+    if (!factory) {
+      return { ok: false, error: "No driver factory is registered to test connections." };
+    }
+    if (!factory.supports(input.driver)) {
+      return { ok: false, error: `No driver factory supports driver '${input.driver}'.` };
+    }
+    let driver;
+    try {
+      driver = await factory.create({
+        driver: input.driver,
+        config: input.config,
+        secret: input.secret,
+        external: input.external
+      });
+    } catch (err) {
+      return { ok: false, error: `Failed to build driver: ${errMsg(err)}` };
+    }
+    const startedAt = monotonicNow();
+    try {
+      if (typeof _optionalChain([driver, 'optionalAccess', _114 => _114.connect]) === "function") await driver.connect();
+      if (typeof _optionalChain([driver, 'optionalAccess', _115 => _115.ping]) === "function") await driver.ping();
+      else if (typeof _optionalChain([driver, 'optionalAccess', _116 => _116.checkHealth]) === "function") await driver.checkHealth();
+      else if (typeof _optionalChain([driver, 'optionalAccess', _117 => _117.introspectSchema]) === "function") await driver.introspectSchema();
+      const latencyMs = elapsedSince(startedAt);
+      let serverVersion;
+      try {
+        serverVersion = typeof _optionalChain([driver, 'optionalAccess', _118 => _118.serverVersion]) === "function" ? await driver.serverVersion() : void 0;
+      } catch (e3) {
+      }
+      return { ok: true, latencyMs, ...serverVersion ? { serverVersion } : {} };
+    } catch (err) {
+      return { ok: false, error: errMsg(err) };
+    } finally {
+      try {
+        if (typeof _optionalChain([driver, 'optionalAccess', _119 => _119.disconnect]) === "function") await driver.disconnect();
+      } catch (e4) {
+      }
+    }
+  }
+};
+function safeGetService2(ctx, name) {
+  try {
+    return ctx.getService(name);
+  } catch (e5) {
+    return void 0;
+  }
+}
+function errMsg(err) {
+  return err instanceof Error ? err.message : String(err);
+}
+function monotonicNow() {
+  const perf = globalThis.performance;
+  return typeof _optionalChain([perf, 'optionalAccess', _120 => _120.now]) === "function" ? perf.now() : 0;
+}
+function elapsedSince(startedAt) {
+  return Math.max(0, Math.round(monotonicNow() - startedAt));
+}
+
+// src/default-datasource-driver-factory.ts
+var DRIVER_ID_ALIASES = {
+  postgres: "postgres",
+  postgresql: "postgres",
+  pg: "postgres",
+  sqlite: "sqlite",
+  sqlite3: "sqlite",
+  "better-sqlite3": "sqlite",
+  mongodb: "mongodb",
+  mongo: "mongodb",
+  memory: "memory",
+  inmemory: "memory",
+  "in-memory": "memory"
+};
+function resolveKind(driverId) {
+  return DRIVER_ID_ALIASES[String(_nullishCoalesce(driverId, () => ( ""))).toLowerCase()];
+}
+function toHandle(driver, serverVersion) {
+  return {
+    connect: typeof _optionalChain([driver, 'optionalAccess', _121 => _121.connect]) === "function" ? () => driver.connect() : void 0,
+    disconnect: typeof _optionalChain([driver, 'optionalAccess', _122 => _122.disconnect]) === "function" ? () => driver.disconnect() : void 0,
+    checkHealth: typeof _optionalChain([driver, 'optionalAccess', _123 => _123.checkHealth]) === "function" ? () => driver.checkHealth() : void 0,
+    ping: typeof _optionalChain([driver, 'optionalAccess', _124 => _124.checkHealth]) === "function" ? () => driver.checkHealth() : void 0,
+    ...serverVersion ? { serverVersion } : {},
+    driver
+  };
+}
+function buildSqlConnection(spec, client) {
+  const cfg = _nullishCoalesce(spec.config, () => ( {}));
+  if (client === "better-sqlite3") {
+    const filename = _nullishCoalesce(_nullishCoalesce(_nullishCoalesce(cfg.filename, () => ( cfg.file)), () => ( cfg.database)), () => ( ":memory:"));
+    return { filename };
+  }
+  const url = _nullishCoalesce(cfg.url, () => ( cfg.connectionString));
+  if (url) {
+    return spec.secret ? { connectionString: url, password: spec.secret } : { connectionString: url };
+  }
+  return {
+    host: cfg.host,
+    port: cfg.port,
+    database: cfg.database,
+    user: _nullishCoalesce(cfg.user, () => ( cfg.username)),
+    ...spec.secret ? { password: spec.secret } : cfg.password ? { password: cfg.password } : {},
+    ...cfg.ssl != null ? { ssl: cfg.ssl } : {}
+  };
+}
+function buildMongoUrl(spec) {
+  const cfg = _nullishCoalesce(spec.config, () => ( {}));
+  const explicit = _nullishCoalesce(cfg.url, () => ( cfg.uri));
+  if (explicit) return explicit;
+  const host = _nullishCoalesce(cfg.host, () => ( "localhost"));
+  const port = _nullishCoalesce(cfg.port, () => ( 27017));
+  const db = _nullishCoalesce(cfg.database, () => ( ""));
+  const user = _nullishCoalesce(cfg.user, () => ( cfg.username));
+  const auth = user ? `${encodeURIComponent(user)}:${encodeURIComponent(_nullishCoalesce(spec.secret, () => ( "")))}@` : "";
+  return `mongodb://${auth}${host}:${port}/${db}`;
+}
+function createDefaultDatasourceDriverFactory() {
+  return {
+    supports(driverId) {
+      return resolveKind(driverId) !== void 0;
+    },
+    async create(spec) {
+      const kind = resolveKind(spec.driver);
+      if (!kind) {
+        throw new Error(`Unsupported driver id '${spec.driver}'.`);
+      }
+      const schemaMode = _nullishCoalesce(_optionalChain([spec, 'access', _125 => _125.external, 'optionalAccess', _126 => _126.schemaMode]), () => ( _optionalChain([spec, 'access', _127 => _127.config, 'optionalAccess', _128 => _128.schemaMode])));
+      if (kind === "postgres") {
+        const { SqlDriver } = await Promise.resolve().then(() => _interopRequireWildcard(require("@objectstack/driver-sql")));
+        const driver = new SqlDriver({
+          client: "pg",
+          connection: buildSqlConnection(spec, "pg"),
+          pool: { min: 0, max: 5 },
+          ...schemaMode ? { schemaMode } : {}
+        });
+        return toHandle(driver, () => sqlServerVersion(driver, "pg"));
+      }
+      if (kind === "sqlite") {
+        const { SqlDriver } = await Promise.resolve().then(() => _interopRequireWildcard(require("@objectstack/driver-sql")));
+        const driver = new SqlDriver({
+          client: "better-sqlite3",
+          connection: buildSqlConnection(spec, "better-sqlite3"),
+          useNullAsDefault: true,
+          ...schemaMode ? { schemaMode } : {}
+        });
+        return toHandle(driver, () => sqlServerVersion(driver, "sqlite"));
+      }
+      if (kind === "mongodb") {
+        let MongoDBDriver;
+        try {
+          ({ MongoDBDriver } = await Promise.resolve().then(() => _interopRequireWildcard(require("@objectstack/driver-mongodb"))));
+        } catch (err) {
+          throw new Error(
+            `mongodb driver requested but @objectstack/driver-mongodb is not installed (${_nullishCoalesce(_optionalChain([err, 'optionalAccess', _129 => _129.message]), () => ( err))}).`
+          );
+        }
+        const driver = new MongoDBDriver({ url: buildMongoUrl(spec) });
+        return toHandle(driver);
+      }
+      const { InMemoryDriver } = await Promise.resolve().then(() => _interopRequireWildcard(require("@objectstack/driver-memory")));
+      return toHandle(new InMemoryDriver());
+    }
+  };
+}
+async function sqlServerVersion(driver, client) {
+  if (typeof _optionalChain([driver, 'optionalAccess', _130 => _130.execute]) !== "function") return void 0;
+  try {
+    const sql = client === "pg" ? "SELECT version() AS v" : "SELECT sqlite_version() AS v";
+    const rows = await driver.execute(sql);
+    const first = Array.isArray(rows) ? rows[0] : Array.isArray(_optionalChain([rows, 'optionalAccess', _131 => _131.rows])) ? rows.rows[0] : rows;
+    const v = _nullishCoalesce(_nullishCoalesce(_optionalChain([first, 'optionalAccess', _132 => _132.v]), () => ( _optionalChain([first, 'optionalAccess', _133 => _133.version]))), () => ( _optionalChain([first, 'optionalAccess', _134 => _134["sqlite_version()"]])));
+    return typeof v === "string" ? v : void 0;
+  } catch (e6) {
+    return void 0;
+  }
+}
+
+// src/datasource-secret-binder.ts
+var REF_PREFIX = "sys_secret:";
+function toCredentialsRef(handleId) {
+  return `${REF_PREFIX}${handleId}`;
+}
+function parseCredentialsRef(ref) {
+  return _optionalChain([ref, 'optionalAccess', _135 => _135.startsWith, 'call', _136 => _136(REF_PREFIX)]) ? ref.slice(REF_PREFIX.length) : void 0;
+}
+function createDatasourceSecretBinder(deps) {
+  const { engine, cryptoProvider } = deps;
+  const defaultNamespace = _nullishCoalesce(deps.namespace, () => ( "datasource"));
+  return {
+    async bind(input, hint) {
+      const namespace = _nullishCoalesce(input.namespace, () => ( defaultNamespace));
+      const key = _nullishCoalesce(input.key, () => ( hint.name));
+      const handle = await cryptoProvider.encrypt(input.value, { namespace, key });
+      await engine.insert("sys_secret", {
+        id: handle.id,
+        namespace,
+        key,
+        kms_key_id: handle.kmsKeyId,
+        alg: handle.alg,
+        version: handle.version,
+        ciphertext: handle.ciphertext
+      });
+      return toCredentialsRef(handle.id);
+    },
+    async unbind(credentialsRef) {
+      const id = parseCredentialsRef(credentialsRef);
+      if (!id) return;
+      await engine.delete("sys_secret", { where: { id } });
+    },
+    async resolve(credentialsRef) {
+      const id = parseCredentialsRef(credentialsRef);
+      if (!id || typeof engine.find !== "function") return void 0;
+      try {
+        const result = await engine.find("sys_secret", {
+          where: { id },
+          limit: 1,
+          // Secrets are scoped through their owning datasource artefact, so
+          // skip the tenant-audit warning (mirrors SettingsService's store).
+          bypassTenantAudit: true
+        });
+        const rows = _nullishCoalesce((Array.isArray(result) ? result : _optionalChain([result, 'optionalAccess', _137 => _137.data])), () => ( []));
+        const row = rows[0];
+        if (!_optionalChain([row, 'optionalAccess', _138 => _138.ciphertext])) return void 0;
+        return await cryptoProvider.decrypt(
+          {
+            id: row.id,
+            kmsKeyId: row.kms_key_id,
+            alg: row.alg,
+            version: row.version,
+            ciphertext: row.ciphertext
+          },
+          { namespace: row.namespace, key: row.key }
+        );
+      } catch (e7) {
+        return void 0;
+      }
+    }
+  };
+}
+
+// src/admin-routes.ts
+function registerDatasourceAdminRoutes(server, ctx, basePath = "/api/v1") {
+  const root = `${basePath}/datasources`;
+  const adminService = () => {
+    try {
+      return ctx.getService("datasource-admin");
+    } catch (e8) {
+      return void 0;
+    }
+  };
+  const unavailable = (res) => res.status(503).json({ error: "datasource_admin_unavailable" });
+  const badRequest = (res, err) => res.status(400).json({ error: "datasource_admin_error", message: err instanceof Error ? err.message : String(err) });
+  const splitSecret = (body) => {
+    const { secret, ...draft } = _nullishCoalesce(body, () => ( {}));
+    const normalised = secret == null ? void 0 : typeof secret === "string" ? { value: secret } : secret;
+    return { draft, secret: normalised };
+  };
+  server.get(root, async (_req, res) => {
+    const svc = adminService();
+    if (!_optionalChain([svc, 'optionalAccess', _139 => _139.listDatasources])) return unavailable(res);
+    const datasources = await svc.listDatasources();
+    res.json({ datasources });
+  });
+  server.post(`${root}/test`, async (req, res) => {
+    const svc = adminService();
+    if (!_optionalChain([svc, 'optionalAccess', _140 => _140.testConnection])) return unavailable(res);
+    const { draft, secret } = splitSecret(req.body);
+    try {
+      const result = await svc.testConnection(draft, secret);
+      res.json({ result });
+    } catch (err) {
+      badRequest(res, err);
+    }
+  });
+  server.post(root, async (req, res) => {
+    const svc = adminService();
+    if (!_optionalChain([svc, 'optionalAccess', _141 => _141.createDatasource])) return unavailable(res);
+    const { draft, secret } = splitSecret(req.body);
+    try {
+      const datasource = await svc.createDatasource(draft, secret);
+      res.status(201).json({ datasource });
+    } catch (err) {
+      badRequest(res, err);
+    }
+  });
+  server.patch(`${root}/:name`, async (req, res) => {
+    const svc = adminService();
+    if (!_optionalChain([svc, 'optionalAccess', _142 => _142.updateDatasource])) return unavailable(res);
+    const { draft, secret } = splitSecret(req.body);
+    try {
+      const datasource = await svc.updateDatasource(req.params.name, draft, secret);
+      res.json({ datasource });
+    } catch (err) {
+      badRequest(res, err);
+    }
+  });
+  server.delete(`${root}/:name`, async (req, res) => {
+    const svc = adminService();
+    if (!_optionalChain([svc, 'optionalAccess', _143 => _143.removeDatasource])) return unavailable(res);
+    try {
+      await svc.removeDatasource(req.params.name);
+      res.status(204).end();
+    } catch (err) {
+      badRequest(res, err);
+    }
+  });
+}
+
+
+
+
+
+
+
+
+
+
+exports.DatasourceAdminService = DatasourceAdminService; exports.DatasourceAdminServicePlugin = DatasourceAdminServicePlugin; exports.ExternalDatasourceService = ExternalDatasourceService; exports.ExternalDatasourceServicePlugin = ExternalDatasourceServicePlugin; exports.createDatasourceSecretBinder = createDatasourceSecretBinder; exports.createDefaultDatasourceDriverFactory = createDefaultDatasourceDriverFactory; exports.parseCredentialsRef = parseCredentialsRef; exports.registerDatasourceAdminRoutes = registerDatasourceAdminRoutes; exports.toCredentialsRef = toCredentialsRef;
+//# sourceMappingURL=index.cjs.map