@objectstack/spec 0.3.0 → 0.3.2

package/dist/system/tenant.zod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.zod.d.ts","sourceRoot":"","sources":["../../src/system/tenant.zod.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;;;GAWG;AAEH;;;GAGG;AACH,eAAO,MAAM,oBAAoB,gEAI/B,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;GAGG;AACH,eAAO,MAAM,iBAAiB;IAC5B;;OAEG;;IAGH;;OAEG;;IAGH;;OAEG;;;;;;;;;;EAEH,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB;;OAEG;;IAGH;;OAEG;;IAGH;;;OAGG;;IAGH;;;OAGG;;IAGH;;OAEG;;QA/CH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqCH,CAAC;AAEH,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;;;;GAKG;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AACH,eAAO,MAAM,+BAA+B;;IAG1C;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGL,CAAC;AAEH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,eAAO,MAAM,kCAAkC;;IAG7C;;OAEG;;QAED;;;;WAIG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGL,CAAC;AAEH,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kCAAkC,CAAC,CAAC;AAE9F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,eAAO,MAAM,oCAAoC;;IAG/C;;OAEG;;QAED;;;;WAIG;;QAGH;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGL,CAAC;AAEH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oCAAoC,CAAC,CAAC;AAElG;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B;;IAzUtC;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuDL;;OAEG;;QAED;;;;WAIG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA0DL;;OAEG;;QAED;;;;WAIG;;QAGH;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAOH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAiBL,CAAC;AAEH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEhF;;;GAGG;AACH,eAAO,MAAM,0BAA0B;IACrC;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;IAIL;;OAEG;;QAED;;WAEG;;QAUH;;WAEG;;QAGH;;WAEG;;QAGH;;WAEG;;YAED;;eAEG;;YAGH;;eAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAIP,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC"}

package/dist/system/tenant.zod.js

@@ -0,0 +1,498 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantSecurityPolicySchema = exports.TenantIsolationConfigSchema = exports.DatabaseLevelIsolationStrategySchema = exports.SchemaLevelIsolationStrategySchema = exports.RowLevelIsolationStrategySchema = exports.TenantSchema = exports.TenantQuotaSchema = exports.TenantIsolationLevel = void 0;
+const zod_1 = require("zod");
+/**
+ * Tenant Schema (Multi-Tenant Architecture)
+ *
+ * Defines the tenant/tenancy model for ObjectStack SaaS deployments.
+ * Supports different levels of data isolation to meet varying security,
+ * performance, and compliance requirements.
+ *
+ * Isolation Levels:
+ * - shared_schema: All tenants share the same database and schema (row-level isolation)
+ * - isolated_schema: Tenants have separate schemas within a shared database
+ * - isolated_db: Each tenant has a completely separate database
+ */
+/**
+ * Tenant Isolation Level Enum
+ * Defines how tenant data is separated in the system
+ */
+exports.TenantIsolationLevel = zod_1.z.enum([
+    'shared_schema', // Shared DB, shared schema, row-level isolation (most economical)
+    'isolated_schema', // Shared DB, separate schema per tenant (balanced)
+    'isolated_db', // Separate database per tenant (maximum isolation)
+]);
+/**
+ * Tenant Quota Schema
+ * Defines resource limits and usage quotas for a tenant
+ */
+exports.TenantQuotaSchema = zod_1.z.object({
+    /**
+     * Maximum number of users allowed for this tenant
+     */
+    maxUsers: zod_1.z.number().int().positive().optional().describe('Maximum number of users'),
+    /**
+     * Maximum storage space in bytes
+     */
+    maxStorage: zod_1.z.number().int().positive().optional().describe('Maximum storage in bytes'),
+    /**
+     * API rate limit (requests per minute)
+     */
+    apiRateLimit: zod_1.z.number().int().positive().optional().describe('API requests per minute'),
+});
+/**
+ * Tenant Schema
+ * Represents a tenant in a multi-tenant SaaS deployment
+ */
+exports.TenantSchema = zod_1.z.object({
+    /**
+     * Unique tenant identifier
+     */
+    id: zod_1.z.string().describe('Unique tenant identifier'),
+    /**
+     * Tenant name (display name)
+     */
+    name: zod_1.z.string().describe('Tenant display name'),
+    /**
+     * Data isolation level for this tenant
+     * Determines how tenant data is segregated from other tenants
+     */
+    isolationLevel: exports.TenantIsolationLevel.describe('Data isolation strategy'),
+    /**
+     * Custom configurations and metadata specific to this tenant
+     * Can store tenant-specific settings, branding, features, etc.
+     */
+    customizations: zod_1.z.record(zod_1.z.any()).optional().describe('Tenant-specific customizations'),
+    /**
+     * Resource quotas and limits for this tenant
+     */
+    quotas: exports.TenantQuotaSchema.optional().describe('Resource quotas and limits'),
+});
+/**
+ * Tenant Isolation Strategy Documentation
+ *
+ * Comprehensive documentation of three isolation strategies for multi-tenant systems.
+ * Each strategy has different trade-offs in terms of security, cost, complexity, and compliance.
+ */
+/**
+ * Row-Level Isolation Strategy (shared_schema)
+ *
+ * Recommended for: Most SaaS applications, cost-sensitive deployments
+ *
+ * IMPLEMENTATION:
+ * - All tenants share the same database and schema
+ * - Each table includes a tenant_id column
+ * - PostgreSQL Row-Level Security (RLS) enforces isolation
+ * - Queries automatically filter by tenant_id via RLS policies
+ *
+ * ADVANTAGES:
+ * ✅ Simple backup and restore (single database)
+ * ✅ Cost-effective (shared resources, minimal overhead)
+ * ✅ Easy tenant migration (update tenant_id)
+ * ✅ Efficient resource utilization (connection pooling)
+ * ✅ Simple schema migrations (single schema to update)
+ * ✅ Lower operational complexity
+ *
+ * DISADVANTAGES:
+ * ❌ RLS misconfiguration can lead to data leakage
+ * ❌ Performance impact from RLS policy evaluation
+ * ❌ Noisy neighbor problem (one tenant can affect others)
+ * ❌ Cannot easily isolate tenant to different hardware
+ * ❌ Compliance challenges for regulated industries
+ *
+ * SECURITY CONSIDERATIONS:
+ * - Requires careful RLS policy configuration
+ * - Must validate tenant_id in all queries
+ * - Need comprehensive testing of RLS policies
+ * - Audit all database access patterns
+ * - Implement application-level validation as defense-in-depth
+ *
+ * EXAMPLE RLS POLICY (PostgreSQL):
+ * ```sql
+ * -- Example: Apply RLS policy to a table (e.g., "app_data")
+ * CREATE POLICY tenant_isolation ON app_data
+ *   USING (tenant_id = current_setting('app.current_tenant')::text);
+ *
+ * ALTER TABLE app_data ENABLE ROW LEVEL SECURITY;
+ * ```
+ */
+exports.RowLevelIsolationStrategySchema = zod_1.z.object({
+    strategy: zod_1.z.literal('shared_schema').describe('Row-level isolation strategy'),
+    /**
+     * Database configuration for row-level isolation
+     */
+    database: zod_1.z.object({
+        /**
+         * Whether to enable Row-Level Security (RLS)
+         */
+        enableRLS: zod_1.z.boolean().default(true).describe('Enable PostgreSQL Row-Level Security'),
+        /**
+         * Tenant context setting method
+         */
+        contextMethod: zod_1.z.enum([
+            'session_variable', // SET app.current_tenant = 'tenant_123'
+            'search_path', // SET search_path = tenant_123, public
+            'application_name', // SET application_name = 'tenant_123'
+        ]).default('session_variable').describe('How to set tenant context'),
+        /**
+         * Session variable name for tenant context
+         */
+        contextVariable: zod_1.z.string().default('app.current_tenant').describe('Session variable name'),
+        /**
+         * Whether to validate tenant_id at application level
+         */
+        applicationValidation: zod_1.z.boolean().default(true).describe('Application-level tenant validation'),
+    }).optional().describe('Database configuration'),
+    /**
+     * Performance optimization settings
+     */
+    performance: zod_1.z.object({
+        /**
+         * Whether to use partial indexes for tenant_id
+         */
+        usePartialIndexes: zod_1.z.boolean().default(true).describe('Use partial indexes per tenant'),
+        /**
+         * Whether to use table partitioning
+         */
+        usePartitioning: zod_1.z.boolean().default(false).describe('Use table partitioning by tenant_id'),
+        /**
+         * Connection pool size per tenant
+         */
+        poolSizePerTenant: zod_1.z.number().int().positive().optional().describe('Connection pool size per tenant'),
+    }).optional().describe('Performance settings'),
+});
+/**
+ * Schema-Level Isolation Strategy (isolated_schema)
+ *
+ * Recommended for: Enterprise SaaS, B2B platforms with compliance needs
+ *
+ * IMPLEMENTATION:
+ * - All tenants share the same database server
+ * - Each tenant has a separate database schema
+ * - Schema name typically: tenant_<tenant_id>
+ * - Application switches schema using SET search_path
+ *
+ * ADVANTAGES:
+ * ✅ Better isolation than row-level (schema boundaries)
+ * ✅ Easier to debug (separate schemas)
+ * ✅ Can grant different database permissions per schema
+ * ✅ Reduced risk of data leakage
+ * ✅ Performance isolation (indexes, statistics per schema)
+ * ✅ Simplified queries (no tenant_id filtering needed)
+ *
+ * DISADVANTAGES:
+ * ❌ More complex backups (must backup all schemas)
+ * ❌ Higher migration costs (schema changes across all tenants)
+ * ❌ Schema proliferation (PostgreSQL has limits)
+ * ❌ Connection overhead (switching schemas)
+ * ❌ More complex monitoring and maintenance
+ *
+ * SECURITY CONSIDERATIONS:
+ * - Ensure proper schema permissions (GRANT USAGE ON SCHEMA)
+ * - Validate schema name to prevent SQL injection
+ * - Implement connection-level schema switching
+ * - Audit schema access patterns
+ * - Prevent cross-schema queries in application
+ *
+ * EXAMPLE IMPLEMENTATION (PostgreSQL):
+ * ```sql
+ * -- Create tenant schema
+ * CREATE SCHEMA tenant_123;
+ *
+ * -- Grant access
+ * GRANT USAGE ON SCHEMA tenant_123 TO app_user;
+ *
+ * -- Switch to tenant schema
+ * SET search_path TO tenant_123, public;
+ * ```
+ */
+exports.SchemaLevelIsolationStrategySchema = zod_1.z.object({
+    strategy: zod_1.z.literal('isolated_schema').describe('Schema-level isolation strategy'),
+    /**
+     * Schema configuration
+     */
+    schema: zod_1.z.object({
+        /**
+         * Schema naming pattern
+         * Use {tenant_id} as placeholder (must contain only alphanumeric and underscores)
+         * The tenant_id will be sanitized before substitution to prevent SQL injection
+         */
+        namingPattern: zod_1.z.string().default('tenant_{tenant_id}').describe('Schema naming pattern'),
+        /**
+         * Whether to include public schema in search_path
+         */
+        includePublicSchema: zod_1.z.boolean().default(true).describe('Include public schema'),
+        /**
+         * Default schema for shared resources
+         */
+        sharedSchema: zod_1.z.string().default('public').describe('Schema for shared resources'),
+        /**
+         * Whether to automatically create schema on tenant creation
+         */
+        autoCreateSchema: zod_1.z.boolean().default(true).describe('Auto-create schema'),
+    }).optional().describe('Schema configuration'),
+    /**
+     * Migration configuration
+     */
+    migrations: zod_1.z.object({
+        /**
+         * Migration strategy
+         */
+        strategy: zod_1.z.enum([
+            'parallel', // Run migrations on all schemas in parallel
+            'sequential', // Run migrations one schema at a time
+            'on_demand', // Run migrations when tenant accesses system
+        ]).default('parallel').describe('Migration strategy'),
+        /**
+         * Maximum concurrent migrations
+         */
+        maxConcurrent: zod_1.z.number().int().positive().default(10).describe('Max concurrent migrations'),
+        /**
+         * Whether to rollback on first failure
+         */
+        rollbackOnError: zod_1.z.boolean().default(true).describe('Rollback on error'),
+    }).optional().describe('Migration configuration'),
+    /**
+     * Performance optimization settings
+     */
+    performance: zod_1.z.object({
+        /**
+         * Whether to use connection pooling per schema
+         */
+        poolPerSchema: zod_1.z.boolean().default(false).describe('Separate pool per schema'),
+        /**
+         * Schema cache TTL in seconds
+         */
+        schemaCacheTTL: zod_1.z.number().int().positive().default(3600).describe('Schema cache TTL'),
+    }).optional().describe('Performance settings'),
+});
+/**
+ * Database-Level Isolation Strategy (isolated_db)
+ *
+ * Recommended for: Regulated industries (healthcare, finance), strict compliance requirements
+ *
+ * IMPLEMENTATION:
+ * - Each tenant has a completely separate database
+ * - Database name typically: tenant_<tenant_id>
+ * - Requires separate connection pool per tenant
+ * - Complete physical and logical isolation
+ *
+ * ADVANTAGES:
+ * ✅ Perfect data isolation (strongest security)
+ * ✅ Meets strict regulatory requirements (HIPAA, SOX, PCI-DSS)
+ * ✅ Complete performance isolation (no noisy neighbors)
+ * ✅ Can place databases on different hardware
+ * ✅ Easy to backup/restore individual tenant
+ * ✅ Simplified compliance auditing per tenant
+ * ✅ Can apply different encryption keys per database
+ *
+ * DISADVANTAGES:
+ * ❌ Most expensive option (resource overhead)
+ * ❌ Complex database server management (many databases)
+ * ❌ Connection pool limits (max connections per server)
+ * ❌ Difficult cross-tenant analytics
+ * ❌ Higher operational complexity
+ * ❌ Schema migrations take longer (many databases)
+ *
+ * SECURITY CONSIDERATIONS:
+ * - Each database can have separate credentials
+ * - Enables per-tenant encryption at rest
+ * - Simplifies compliance and audit trails
+ * - Prevents any cross-tenant data access
+ * - Supports tenant-specific backup schedules
+ *
+ * EXAMPLE IMPLEMENTATION (PostgreSQL):
+ * ```sql
+ * -- Create tenant database
+ * CREATE DATABASE tenant_123
+ *   WITH OWNER = tenant_123_user
+ *   ENCODING = 'UTF8'
+ *   LC_COLLATE = 'en_US.UTF-8'
+ *   LC_CTYPE = 'en_US.UTF-8';
+ *
+ * -- Connect to tenant database
+ * \c tenant_123
+ * ```
+ */
+exports.DatabaseLevelIsolationStrategySchema = zod_1.z.object({
+    strategy: zod_1.z.literal('isolated_db').describe('Database-level isolation strategy'),
+    /**
+     * Database configuration
+     */
+    database: zod_1.z.object({
+        /**
+         * Database naming pattern
+         * Use {tenant_id} as placeholder (must contain only alphanumeric and underscores)
+         * The tenant_id will be sanitized before substitution to prevent SQL injection
+         */
+        namingPattern: zod_1.z.string().default('tenant_{tenant_id}').describe('Database naming pattern'),
+        /**
+         * Database server/cluster assignment strategy
+         */
+        serverStrategy: zod_1.z.enum([
+            'shared', // All tenant databases on same server
+            'sharded', // Tenant databases distributed across servers
+            'dedicated', // Each tenant gets dedicated server (enterprise)
+        ]).default('shared').describe('Server assignment strategy'),
+        /**
+         * Whether to use separate credentials per tenant
+         */
+        separateCredentials: zod_1.z.boolean().default(true).describe('Separate credentials per tenant'),
+        /**
+         * Whether to automatically create database on tenant creation
+         */
+        autoCreateDatabase: zod_1.z.boolean().default(true).describe('Auto-create database'),
+    }).optional().describe('Database configuration'),
+    /**
+     * Connection pooling configuration
+     */
+    connectionPool: zod_1.z.object({
+        /**
+         * Pool size per tenant database
+         */
+        poolSize: zod_1.z.number().int().positive().default(10).describe('Connection pool size'),
+        /**
+         * Maximum number of tenant pools to keep active
+         */
+        maxActivePools: zod_1.z.number().int().positive().default(100).describe('Max active pools'),
+        /**
+         * Idle pool timeout in seconds
+         */
+        idleTimeout: zod_1.z.number().int().positive().default(300).describe('Idle pool timeout'),
+        /**
+         * Whether to use connection pooler (PgBouncer, etc.)
+         */
+        usePooler: zod_1.z.boolean().default(true).describe('Use connection pooler'),
+    }).optional().describe('Connection pool configuration'),
+    /**
+     * Backup and restore configuration
+     */
+    backup: zod_1.z.object({
+        /**
+         * Backup strategy per tenant
+         */
+        strategy: zod_1.z.enum([
+            'individual', // Separate backup per tenant
+            'consolidated', // Combined backup with all tenants
+            'on_demand', // Backup only when requested
+        ]).default('individual').describe('Backup strategy'),
+        /**
+         * Backup frequency in hours
+         */
+        frequencyHours: zod_1.z.number().int().positive().default(24).describe('Backup frequency'),
+        /**
+         * Retention period in days
+         */
+        retentionDays: zod_1.z.number().int().positive().default(30).describe('Backup retention days'),
+    }).optional().describe('Backup configuration'),
+    /**
+     * Encryption configuration
+     */
+    encryption: zod_1.z.object({
+        /**
+         * Whether to use per-tenant encryption keys
+         */
+        perTenantKeys: zod_1.z.boolean().default(false).describe('Per-tenant encryption keys'),
+        /**
+         * Encryption algorithm
+         */
+        algorithm: zod_1.z.string().default('AES-256-GCM').describe('Encryption algorithm'),
+        /**
+         * Key management service
+         */
+        keyManagement: zod_1.z.enum(['aws_kms', 'azure_key_vault', 'gcp_kms', 'hashicorp_vault', 'custom']).optional().describe('Key management service'),
+    }).optional().describe('Encryption configuration'),
+});
+/**
+ * Tenant Isolation Configuration Schema
+ *
+ * Complete configuration for tenant isolation strategy.
+ * Supports all three isolation levels with detailed configuration options.
+ */
+exports.TenantIsolationConfigSchema = zod_1.z.discriminatedUnion('strategy', [
+    exports.RowLevelIsolationStrategySchema,
+    exports.SchemaLevelIsolationStrategySchema,
+    exports.DatabaseLevelIsolationStrategySchema,
+]);
+/**
+ * Tenant Security Policy Schema
+ * Defines security policies and compliance requirements for tenants
+ */
+exports.TenantSecurityPolicySchema = zod_1.z.object({
+    /**
+     * Encryption requirements
+     */
+    encryption: zod_1.z.object({
+        /**
+         * Require encryption at rest
+         */
+        atRest: zod_1.z.boolean().default(true).describe('Require encryption at rest'),
+        /**
+         * Require encryption in transit
+         */
+        inTransit: zod_1.z.boolean().default(true).describe('Require encryption in transit'),
+        /**
+         * Require field-level encryption for sensitive data
+         */
+        fieldLevel: zod_1.z.boolean().default(false).describe('Require field-level encryption'),
+    }).optional().describe('Encryption requirements'),
+    /**
+     * Access control requirements
+     */
+    accessControl: zod_1.z.object({
+        /**
+         * Require multi-factor authentication
+         */
+        requireMFA: zod_1.z.boolean().default(false).describe('Require MFA'),
+        /**
+         * Require SSO/SAML authentication
+         */
+        requireSSO: zod_1.z.boolean().default(false).describe('Require SSO'),
+        /**
+         * IP whitelist
+         */
+        ipWhitelist: zod_1.z.array(zod_1.z.string()).optional().describe('Allowed IP addresses'),
+        /**
+         * Session timeout in seconds
+         */
+        sessionTimeout: zod_1.z.number().int().positive().default(3600).describe('Session timeout'),
+    }).optional().describe('Access control requirements'),
+    /**
+     * Audit and compliance requirements
+     */
+    compliance: zod_1.z.object({
+        /**
+         * Compliance standards to enforce
+         */
+        standards: zod_1.z.array(zod_1.z.enum([
+            'sox',
+            'hipaa',
+            'gdpr',
+            'pci_dss',
+            'iso_27001',
+            'fedramp',
+        ])).optional().describe('Compliance standards'),
+        /**
+         * Require audit logging for all operations
+         */
+        requireAuditLog: zod_1.z.boolean().default(true).describe('Require audit logging'),
+        /**
+         * Audit log retention period in days
+         */
+        auditRetentionDays: zod_1.z.number().int().positive().default(365).describe('Audit retention days'),
+        /**
+         * Data residency requirements
+         */
+        dataResidency: zod_1.z.object({
+            /**
+             * Required geographic region
+             */
+            region: zod_1.z.string().optional().describe('Required region (e.g., US, EU, APAC)'),
+            /**
+             * Prohibited regions
+             */
+            excludeRegions: zod_1.z.array(zod_1.z.string()).optional().describe('Prohibited regions'),
+        }).optional().describe('Data residency requirements'),
+    }).optional().describe('Compliance requirements'),
+});

package/dist/system/webhook.zod.d.ts

@@ -36,8 +36,8 @@ export declare const WebhookSchema: z.ZodObject<{
     retryCount: number;
     isActive: boolean;
     label?: string | undefined;
-    secret?: string | undefined;
     headers?: Record<string, string> | undefined;
+    secret?: string | undefined;
     payloadFields?: string[] | undefined;
 }, {
     object: string;
@@ -45,9 +45,9 @@ export declare const WebhookSchema: z.ZodObject<{
     name: string;
     triggers: ("create" | "update" | "delete" | "api" | "undelete")[];
     label?: string | undefined;
-    secret?: string | undefined;
     method?: "GET" | "POST" | "PUT" | undefined;
     headers?: Record<string, string> | undefined;
+    secret?: string | undefined;
     payloadFields?: string[] | undefined;
     includeSession?: boolean | undefined;
     retryCount?: number | undefined;

package/dist/ui/action.zod.d.ts

@@ -6,7 +6,7 @@ import { z } from 'zod';
 export declare const ActionParamSchema: z.ZodObject<{
     name: z.ZodString;
     label: z.ZodString;
-    type: z.ZodEnum<["text", "textarea", "email", "url", "phone", "password", "markdown", "html", "richtext", "number", "currency", "percent", "date", "datetime", "time", "boolean", "select", "lookup", "master_detail", "image", "file", "avatar", "formula", "summary", "autonumber", "location", "address", "code", "color", "rating", "signature"]>;
+    type: z.ZodEnum<["text", "textarea", "email", "url", "phone", "password", "markdown", "html", "richtext", "number", "currency", "percent", "date", "datetime", "time", "boolean", "select", "lookup", "master_detail", "image", "file", "avatar", "formula", "summary", "autonumber", "location", "geolocation", "address", "code", "color", "rating", "slider", "signature", "qrcode"]>;
     required: z.ZodDefault<z.ZodBoolean>;
     options: z.ZodOptional<z.ZodArray<z.ZodObject<{
         label: z.ZodString;
@@ -19,7 +19,7 @@ export declare const ActionParamSchema: z.ZodObject<{
         label: string;
     }>, "many">>;
 }, "strip", z.ZodTypeAny, {
-    type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+    type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
     label: string;
     name: string;
     required: boolean;
@@ -28,7 +28,7 @@ export declare const ActionParamSchema: z.ZodObject<{
         label: string;
     }[] | undefined;
 }, {
-    type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+    type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
     label: string;
     name: string;
     options?: {
@@ -60,7 +60,7 @@ export declare const ActionSchema: z.ZodObject<{
     params: z.ZodOptional<z.ZodArray<z.ZodObject<{
         name: z.ZodString;
         label: z.ZodString;
-        type: z.ZodEnum<["text", "textarea", "email", "url", "phone", "password", "markdown", "html", "richtext", "number", "currency", "percent", "date", "datetime", "time", "boolean", "select", "lookup", "master_detail", "image", "file", "avatar", "formula", "summary", "autonumber", "location", "address", "code", "color", "rating", "signature"]>;
+        type: z.ZodEnum<["text", "textarea", "email", "url", "phone", "password", "markdown", "html", "richtext", "number", "currency", "percent", "date", "datetime", "time", "boolean", "select", "lookup", "master_detail", "image", "file", "avatar", "formula", "summary", "autonumber", "location", "geolocation", "address", "code", "color", "rating", "slider", "signature", "qrcode"]>;
         required: z.ZodDefault<z.ZodBoolean>;
         options: z.ZodOptional<z.ZodArray<z.ZodObject<{
             label: z.ZodString;
@@ -73,7 +73,7 @@ export declare const ActionSchema: z.ZodObject<{
             label: string;
         }>, "many">>;
     }, "strip", z.ZodTypeAny, {
-        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
         label: string;
         name: string;
         required: boolean;
@@ -82,7 +82,7 @@ export declare const ActionSchema: z.ZodObject<{
             label: string;
         }[] | undefined;
     }, {
-        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
         label: string;
         name: string;
         options?: {
@@ -104,7 +104,7 @@ export declare const ActionSchema: z.ZodObject<{
     refreshAfter: boolean;
     location?: any;
     params?: {
-        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
         label: string;
         name: string;
         required: boolean;
@@ -125,7 +125,7 @@ export declare const ActionSchema: z.ZodObject<{
     name: string;
     location?: any;
     params?: {
-        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "address" | "code" | "color" | "rating" | "signature";
+        type: "number" | "boolean" | "text" | "textarea" | "email" | "url" | "phone" | "password" | "markdown" | "html" | "richtext" | "currency" | "percent" | "date" | "datetime" | "time" | "select" | "lookup" | "master_detail" | "image" | "file" | "avatar" | "formula" | "summary" | "autonumber" | "location" | "geolocation" | "address" | "code" | "color" | "rating" | "slider" | "signature" | "qrcode";
         label: string;
         name: string;
         options?: {