@objectstack/spec 2.0.4 → 2.0.5

Files changed (54)
  1. package/dist/contracts/index.d.mts +2 -2
  2. package/dist/contracts/index.d.ts +2 -2
  3. package/dist/data/index.d.mts +2 -2
  4. package/dist/data/index.d.ts +2 -2
  5. package/dist/data/index.js +482 -453
  6. package/dist/data/index.js.map +1 -1
  7. package/dist/data/index.mjs +481 -453
  8. package/dist/data/index.mjs.map +1 -1
  9. package/dist/{driver.zod-DddW_4lJ.d.mts → driver.zod-DnOPgUGi.d.mts} +430 -1
  10. package/dist/{driver.zod-BJHWEbwG.d.ts → driver.zod-E3C6n0W-.d.ts} +430 -1
  11. package/dist/{index-yvEIvpa3.d.ts → index-BPhGHW32.d.ts} +4 -2
  12. package/dist/{index-C8xlxqpA.d.ts → index-C6p-2KXV.d.ts} +1 -1
  13. package/dist/index-CDN6TRx9.d.mts +765 -0
  14. package/dist/index-CDN6TRx9.d.ts +765 -0
  15. package/dist/{index-wFiQRott.d.mts → index-CVnGe2b8.d.mts} +1 -1
  16. package/dist/{index-Cp6xnrOM.d.mts → index-D-tf4nDV.d.mts} +4 -2
  17. package/dist/{index-DOuMlF5h.d.ts → index-DyawwLFZ.d.ts} +31 -2
  18. package/dist/{index-DPlvQwlz.d.mts → index-E1mP_eoE.d.mts} +31 -2
  19. package/dist/index.d.mts +38 -799
  20. package/dist/index.d.ts +38 -799
  21. package/dist/index.js +8585 -8556
  22. package/dist/index.js.map +1 -1
  23. package/dist/index.mjs +8585 -8556
  24. package/dist/index.mjs.map +1 -1
  25. package/dist/kernel/index.d.mts +1 -1
  26. package/dist/kernel/index.d.ts +1 -1
  27. package/dist/kernel/index.js +23 -0
  28. package/dist/kernel/index.js.map +1 -1
  29. package/dist/kernel/index.mjs +22 -0
  30. package/dist/kernel/index.mjs.map +1 -1
  31. package/dist/security/index.d.mts +2 -0
  32. package/dist/security/index.d.ts +2 -0
  33. package/dist/security/index.js +666 -0
  34. package/dist/security/index.js.map +1 -0
  35. package/dist/security/index.mjs +616 -0
  36. package/dist/security/index.mjs.map +1 -0
  37. package/json-schema/data/BaseEngineOptions.json +49 -0
  38. package/json-schema/data/DataEngineAggregateOptions.json +42 -0
  39. package/json-schema/data/DataEngineAggregateRequest.json +42 -0
  40. package/json-schema/data/DataEngineBatchRequest.json +294 -0
  41. package/json-schema/data/DataEngineCountOptions.json +42 -0
  42. package/json-schema/data/DataEngineCountRequest.json +42 -0
  43. package/json-schema/data/DataEngineDeleteOptions.json +42 -0
  44. package/json-schema/data/DataEngineDeleteRequest.json +42 -0
  45. package/json-schema/data/DataEngineFindOneRequest.json +42 -0
  46. package/json-schema/data/DataEngineFindRequest.json +42 -0
  47. package/json-schema/data/DataEngineInsertOptions.json +42 -0
  48. package/json-schema/data/DataEngineInsertRequest.json +42 -0
  49. package/json-schema/data/DataEngineQueryOptions.json +42 -0
  50. package/json-schema/data/DataEngineRequest.json +588 -0
  51. package/json-schema/data/DataEngineUpdateOptions.json +42 -0
  52. package/json-schema/data/DataEngineUpdateRequest.json +42 -0
  53. package/json-schema/kernel/ExecutionContext.json +43 -0
  54. package/package.json +6 -1
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/security/permission.zod.ts","../../src/shared/identifiers.zod.ts","../../src/security/rls.zod.ts","../../src/security/sharing.zod.ts","../../src/security/territory.zod.ts","../../src/security/policy.zod.ts"],"sourcesContent":["// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\nimport { SnakeCaseIdentifierSchema } from '../shared/identifiers.zod';\nimport { RowLevelSecurityPolicySchema } from './rls.zod';\n\n/**\n * Entity (Object) Level Permissions\n * Defines CRUD + VAMA (View All / Modify All) + Lifecycle access.\n * \n * Refined with enterprise data lifecycle controls:\n * - Transfer (Ownership change)\n * - Restore (Soft delete recovery)\n * - Purge (Hard delete / Compliance)\n */\nexport const ObjectPermissionSchema = z.object({\n /** C: Create */\n allowCreate: z.boolean().default(false).describe('Create permission'),\n /** R: Read (Owned records or Shared records) */\n allowRead: z.boolean().default(false).describe('Read permission'),\n /** U: Edit (Owned records or Shared records) */\n allowEdit: z.boolean().default(false).describe('Edit permission'),\n /** D: Delete (Owned records or Shared records) */\n allowDelete: z.boolean().default(false).describe('Delete permission'),\n \n /** Lifecycle Operations */\n allowTransfer: z.boolean().default(false).describe('Change record ownership'),\n allowRestore: z.boolean().default(false).describe('Restore from trash (Undelete)'),\n allowPurge: z.boolean().default(false).describe('Permanently delete (Hard Delete/GDPR)'),\n\n /** \n * View All Records: Super-user read access. \n * Bypasses Sharing Rules and Ownership checks.\n * Equivalent to Microsoft Dataverse \"Organization\" level read access.\n */\n viewAllRecords: z.boolean().default(false).describe('View All Data (Bypass Sharing)'),\n \n /** \n * Modify All Records: Super-user write access. 
\n * Bypasses Sharing Rules and Ownership checks.\n * Equivalent to Microsoft Dataverse \"Organization\" level write access.\n */\n modifyAllRecords: z.boolean().default(false).describe('Modify All Data (Bypass Sharing)'),\n});\n\n/**\n * Field Level Security (FLS)\n */\nexport const FieldPermissionSchema = z.object({\n /** Can see this field */\n readable: z.boolean().default(true).describe('Field read access'),\n /** Can edit this field */\n editable: z.boolean().default(false).describe('Field edit access'),\n});\n\n/**\n * Permission Set Schema\n * Defines a collection of permissions that can be assigned to users.\n * \n * DIFFERENTIATION:\n * - Profile: The ONE primary functional definition of a user (e.g. Standard User).\n * - Permission Set: Add-on capabilities assigned to users (e.g. Export Reports).\n * - Role: (Defined in src/system/role.zod.ts) Defines data visibility hierarchy.\n * \n * **NAMING CONVENTION:**\n * Permission set names MUST be lowercase snake_case to prevent security issues.\n * \n * @example Good permission set names\n * - 'read_only'\n * - 'system_admin'\n * - 'standard_user'\n * - 'api_access'\n * \n * @example Bad permission set names (will be rejected)\n * - 'ReadOnly' (camelCase)\n * - 'SystemAdmin' (mixed case)\n * - 'Read Only' (spaces)\n */\nexport const PermissionSetSchema = z.object({\n /** Unique permission set name */\n name: SnakeCaseIdentifierSchema.describe('Permission set unique name (lowercase snake_case)'),\n \n /** Display label */\n label: z.string().optional().describe('Display label'),\n \n /** Is this a Profile? 
(Base set for a user) */\n isProfile: z.boolean().default(false).describe('Whether this is a user profile'),\n \n /** Object Permissions Map: <entity_name> -> permissions */\n objects: z.record(z.string(), ObjectPermissionSchema).describe('Entity permissions'),\n \n /** Field Permissions Map: <entity_name>.<field_name> -> permissions */\n fields: z.record(z.string(), FieldPermissionSchema).optional().describe('Field level security'),\n \n /** System permissions (e.g., \"manage_users\") */\n systemPermissions: z.array(z.string()).optional().describe('System level capabilities'),\n \n /** \n * Row-Level Security Rules\n * \n * Row-level security policies that filter records based on user context.\n * These rules are applied in addition to object-level permissions.\n * \n * Uses the canonical RLS protocol from rls.zod.ts for comprehensive\n * row-level security features including PostgreSQL-style USING and CHECK clauses.\n * \n * @see {@link RowLevelSecurityPolicySchema} for full RLS specification\n * @see {@link file://./rls.zod.ts} for comprehensive RLS documentation\n * \n * @example Multi-tenant isolation\n * ```typescript\n * rls: [{\n * name: 'tenant_filter',\n * object: 'account',\n * operation: 'select',\n * using: 'tenant_id = current_user.tenant_id'\n * }]\n * ```\n */\n rowLevelSecurity: z.array(RowLevelSecurityPolicySchema).optional()\n .describe('Row-level security policies (see rls.zod.ts for full spec)'),\n \n /**\n * Context-Based Access Control Variables\n * \n * Custom context variables that can be referenced in RLS rules.\n * These variables are evaluated at runtime based on the user's session.\n * \n * Common context variables:\n * - `current_user.id` - Current user ID\n * - `current_user.tenant_id` - User's tenant/organization ID\n * - `current_user.department` - User's department\n * - `current_user.role` - User's role\n * - `current_user.region` - User's geographic region\n * \n * @example Custom context\n * ```typescript\n * contextVariables: 
{\n * allowed_regions: ['US', 'EU'],\n * access_level: 2,\n * custom_attribute: 'value'\n * }\n * ```\n */\n contextVariables: z.record(z.string(), z.unknown()).optional().describe('Context variables for RLS evaluation'),\n});\n\nexport type PermissionSet = z.infer<typeof PermissionSetSchema>;\nexport type ObjectPermission = z.infer<typeof ObjectPermissionSchema>;\nexport type FieldPermission = z.infer<typeof FieldPermissionSchema>;\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\n\n/**\n * System Identifier Schema\n * \n * Universal naming convention for all machine identifiers (API Names) in ObjectStack.\n * Enforces lowercase with underscores or dots to ensure:\n * - Cross-platform compatibility (case-insensitive filesystems)\n * - URL-friendliness (no encoding needed)\n * - Database consistency (no collation issues)\n * - Security (no case-sensitivity bugs in permission checks)\n * \n * **Applies to all metadata that acts as a machine identifier:**\n * - Object names (tables/collections)\n * - Field names\n * - Role names\n * - Permission set names\n * - Action/trigger names\n * - Event keys\n * - App IDs\n * - Menu/page IDs\n * - Select option values\n * - Workflow names\n * - Webhook names\n * \n * **Naming Convention Summary:**\n * | Type | Pattern | Example |\n * |------|---------|---------|\n * | Machine ID | snake_case | `crm_account`, `btn_submit`, `role_admin` |\n * | Event keys | dot.notation | `user.login`, `order.created` |\n * | Labels | Any case | `Client Account`, `Submit Form` |\n * \n * @example Valid identifiers\n * - 'account'\n * - 'crm_account'\n * - 'user_profile'\n * - 'order.created' (for events)\n * - 'api_v2_endpoint'\n * \n * @example Invalid identifiers (will be rejected)\n * - 'Account' (uppercase)\n * - 'CrmAccount' (camelCase)\n * - 'crm-account' (kebab-case - use underscore instead)\n * - 'user profile' (spaces)\n */\nexport const SystemIdentifierSchema = z\n .string()\n 
.min(2, { message: 'System identifier must be at least 2 characters' })\n .regex(/^[a-z][a-z0-9_.]*$/, {\n message:\n 'System identifier must be lowercase, starting with a letter, and may contain letters, numbers, underscores, or dots (e.g., \"user_profile\" or \"order.created\")',\n })\n .describe('System identifier (lowercase with underscores or dots)');\n\n/**\n * Strict Snake Case Identifier\n * \n * More restrictive than SystemIdentifierSchema - only allows underscores (no dots).\n * Use this for identifiers that should NOT contain dots (e.g., database table/column names).\n * \n * @example Valid\n * - 'account'\n * - 'crm_account'\n * - 'user_profile'\n * \n * @example Invalid\n * - 'user.profile' (dots not allowed)\n * - 'UserProfile' (uppercase)\n */\nexport const SnakeCaseIdentifierSchema = z\n .string()\n .min(2, { message: 'Identifier must be at least 2 characters' })\n .regex(/^[a-z][a-z0-9_]*$/, {\n message:\n 'Identifier must be lowercase snake_case, starting with a letter, and may contain only letters, numbers, and underscores (e.g., \"user_profile\")',\n })\n .describe('Snake case identifier (lowercase with underscores only)');\n\n/**\n * Event Name Identifier\n * \n * Specialized identifier for event names that encourages dot notation.\n * Used in event-driven systems, message queues, and webhooks.\n * \n * Pattern: `namespace.action` or `entity.event_type`\n * \n * @example Valid\n * - 'user.created'\n * - 'order.paid'\n * - 'user.login_success'\n * - 'alarm.high_cpu'\n * \n * @example Invalid\n * - 'UserCreated' (camelCase)\n * - 'user_created' (should use dots for namespacing)\n */\nexport const EventNameSchema = z\n .string()\n .min(3, { message: 'Event name must be at least 3 characters' })\n .regex(/^[a-z][a-z0-9_.]*$/, {\n message:\n 'Event name must be lowercase with dots for namespacing (e.g., \"user.created\", \"order.paid\")',\n })\n .describe('Event name (lowercase with dot notation for namespacing)');\n\n/**\n * Type Exports\n 
*/\nexport type SystemIdentifier = z.infer<typeof SystemIdentifierSchema>;\nexport type SnakeCaseIdentifier = z.infer<typeof SnakeCaseIdentifierSchema>;\nexport type EventName = z.infer<typeof EventNameSchema>;\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\n\n/**\n * # Row-Level Security (RLS) Protocol\n * \n * Implements fine-grained record-level access control inspired by PostgreSQL RLS\n * and Salesforce Criteria-Based Sharing Rules.\n * \n * ## Overview\n * \n * Row-Level Security (RLS) allows you to control which rows users can access\n * in database tables based on their identity and role. Unlike object-level\n * permissions (CRUD), RLS provides record-level filtering.\n * \n * ## Use Cases\n * \n * 1. **Multi-Tenant Data Isolation**\n * - Users only see records from their organization\n * - `using: \"tenant_id = current_user.tenant_id\"`\n * \n * 2. **Ownership-Based Access**\n * - Users only see records they own\n * - `using: \"owner_id = current_user.id\"`\n * \n * 3. **Department-Based Access**\n * - Users only see records from their department\n * - `using: \"department = current_user.department\"`\n * \n * 4. **Regional Access Control**\n * - Sales reps only see accounts in their territory\n * - `using: \"region IN (current_user.assigned_regions)\"`\n * \n * 5. 
**Time-Based Access**\n * - Users can only access active records\n * - `using: \"status = 'active' AND expiry_date > NOW()\"`\n * \n * ## PostgreSQL RLS Comparison\n * \n * PostgreSQL RLS Example:\n * ```sql\n * CREATE POLICY tenant_isolation ON accounts\n * FOR SELECT\n * USING (tenant_id = current_setting('app.current_tenant_id')::uuid);\n * \n * CREATE POLICY account_insert ON accounts\n * FOR INSERT\n * WITH CHECK (tenant_id = current_setting('app.current_tenant_id')::uuid);\n * ```\n * \n * ObjectStack RLS Equivalent:\n * ```typescript\n * {\n * name: 'tenant_isolation',\n * object: 'account',\n * operation: 'select',\n * using: 'tenant_id = current_user.tenant_id'\n * }\n * ```\n * \n * ## Salesforce Sharing Rules Comparison\n * \n * Salesforce uses \"Sharing Rules\" and \"Role Hierarchy\" for record-level access.\n * ObjectStack RLS provides similar functionality with more flexibility.\n * \n * Salesforce:\n * - Criteria-Based Sharing: Share records matching criteria with users/roles\n * - Owner-Based Sharing: Share records based on owner's role\n * - Manual Sharing: Individual record sharing\n * \n * ObjectStack RLS:\n * - More flexible formula-based conditions\n * - Direct SQL-like syntax\n * - Supports complex logic with AND/OR/NOT\n * \n * ## Best Practices\n * \n * 1. **Always Define SELECT Policy**: Control what users can view\n * 2. **Define INSERT/UPDATE CHECK Policies**: Prevent data leakage\n * 3. **Use Role-Based Policies**: Apply different rules to different roles\n * 4. **Test Thoroughly**: RLS can have complex interactions\n * 5. **Monitor Performance**: Complex RLS policies can impact query performance\n * \n * ## Security Considerations\n * \n * 1. **Defense in Depth**: RLS is one layer; use with object permissions\n * 2. **Default Deny**: If no policy matches, access is denied\n * 3. **Policy Precedence**: More permissive policy wins (OR logic)\n * 4. 
**Context Variables**: Ensure current_user context is always set\n * \n * @see https://www.postgresql.org/docs/current/ddl-rowsecurity.html\n * @see https://help.salesforce.com/s/articleView?id=sf.security_sharing_rules.htm\n */\n\n/**\n * RLS Operation Enum\n * Specifies which database operation this policy applies to.\n * \n * - **select**: Controls which rows can be read (SELECT queries)\n * - **insert**: Controls which rows can be inserted (INSERT statements)\n * - **update**: Controls which rows can be updated (UPDATE statements)\n * - **delete**: Controls which rows can be deleted (DELETE statements)\n * - **all**: Shorthand for all operations (equivalent to defining 4 separate policies)\n */\nexport const RLSOperation = z.enum(['select', 'insert', 'update', 'delete', 'all']);\n\nexport type RLSOperation = z.infer<typeof RLSOperation>;\n\n/**\n * Row-Level Security Policy Schema\n * \n * Defines a single RLS policy that filters records based on conditions.\n * Multiple policies can be defined for the same object, and they are\n * combined with OR logic (union of results).\n * \n * @example Multi-Tenant Isolation\n * ```typescript\n * {\n * name: 'tenant_isolation',\n * label: 'Multi-Tenant Data Isolation',\n * object: 'account',\n * operation: 'select',\n * using: 'tenant_id = current_user.tenant_id',\n * enabled: true\n * }\n * ```\n * \n * @example Owner-Based Access\n * ```typescript\n * {\n * name: 'owner_access',\n * label: 'Users Can View Their Own Records',\n * object: 'opportunity',\n * operation: 'select',\n * using: 'owner_id = current_user.id',\n * enabled: true\n * }\n * ```\n * \n * @example Manager Can View Team Records\n * ```typescript\n * {\n * name: 'manager_team_access',\n * label: 'Managers Can View Team Records',\n * object: 'task',\n * operation: 'select',\n * using: 'assigned_to_id IN (SELECT id FROM users WHERE manager_id = current_user.id)',\n * roles: ['manager', 'director'],\n * enabled: true\n * }\n * ```\n * \n * @example Prevent 
Cross-Tenant Data Insertion\n * ```typescript\n * {\n * name: 'tenant_insert_check',\n * label: 'Prevent Cross-Tenant Data Creation',\n * object: 'account',\n * operation: 'insert',\n * check: 'tenant_id = current_user.tenant_id',\n * enabled: true\n * }\n * ```\n * \n * @example Regional Sales Access\n * ```typescript\n * {\n * name: 'regional_sales_access',\n * label: 'Sales Reps Access Regional Accounts',\n * object: 'account',\n * operation: 'select',\n * using: 'region = current_user.region OR region IS NULL',\n * roles: ['sales_rep'],\n * enabled: true\n * }\n * ```\n * \n * @example Time-Based Access Control\n * ```typescript\n * {\n * name: 'active_records_only',\n * label: 'Users Only Access Active Records',\n * object: 'contract',\n * operation: 'select',\n * using: 'status = \"active\" AND start_date <= NOW() AND end_date >= NOW()',\n * enabled: true\n * }\n * ```\n * \n * @example Hierarchical Access (Role-Based)\n * ```typescript\n * {\n * name: 'executive_full_access',\n * label: 'Executives See All Records',\n * object: 'account',\n * operation: 'all',\n * using: '1 = 1', // Always true - see everything\n * roles: ['ceo', 'cfo', 'cto'],\n * enabled: true\n * }\n * ```\n */\nexport const RowLevelSecurityPolicySchema = z.object({\n /**\n * Unique identifier for this policy.\n * Must be unique within the object.\n * Use snake_case following ObjectStack naming conventions.\n * \n * @example \"tenant_isolation\", \"owner_access\", \"manager_team_view\"\n */\n name: z.string()\n .regex(/^[a-z_][a-z0-9_]*$/)\n .describe('Policy unique identifier (snake_case)'),\n\n /**\n * Human-readable label for the policy.\n * Used in admin UI and logs.\n * \n * @example \"Multi-Tenant Data Isolation\", \"Owner-Based Access\"\n */\n label: z.string()\n .optional()\n .describe('Human-readable policy label'),\n\n /**\n * Description explaining what this policy does and why.\n * Helps with governance and compliance.\n * \n * @example \"Ensures users can only access records 
from their own tenant organization\"\n */\n description: z.string()\n .optional()\n .describe('Policy description and business justification'),\n\n /**\n * Target object (table) this policy applies to.\n * Must reference a valid ObjectStack object name.\n * \n * @example \"account\", \"opportunity\", \"contact\", \"custom_object\"\n */\n object: z.string()\n .describe('Target object name'),\n\n /**\n * Database operation(s) this policy applies to.\n * \n * - **select**: Controls read access (SELECT queries)\n * - **insert**: Controls insert access (INSERT statements)\n * - **update**: Controls update access (UPDATE statements)\n * - **delete**: Controls delete access (DELETE statements)\n * - **all**: Applies to all operations\n * \n * @example \"select\" - Most common, controls what users can view\n * @example \"all\" - Apply same rule to all operations\n */\n operation: RLSOperation\n .describe('Database operation this policy applies to'),\n\n /**\n * USING clause - Filter condition for SELECT/UPDATE/DELETE.\n * \n * This is a SQL-like expression evaluated for each row.\n * Only rows where this expression returns TRUE are accessible.\n * \n * **Note**: For INSERT-only policies, USING is not required (only CHECK is needed).\n * For SELECT/UPDATE/DELETE operations, USING is required.\n * \n * **Security Note**: RLS conditions are executed at the database level with\n * parameterized queries. The implementation must use prepared statements\n * to prevent SQL injection. Never concatenate user input directly into\n * RLS conditions.\n * \n * **SQL Dialect**: Compatible with PostgreSQL SQL syntax. Implementations\n * may adapt to other databases (MySQL, SQL Server, etc.) 
but should maintain\n * semantic equivalence.\n * \n * Available context variables:\n * - `current_user.id` - Current user's ID\n * - `current_user.tenant_id` - Current user's tenant (maps to `tenantId` in RLSUserContext)\n * - `current_user.role` - Current user's role\n * - `current_user.department` - Current user's department\n * - `current_user.*` - Any custom user field\n * - `NOW()` - Current timestamp\n * - `CURRENT_DATE` - Current date\n * - `CURRENT_TIME` - Current time\n * \n * **Context Variable Mapping**: The RLSUserContext schema uses camelCase (e.g., `tenantId`),\n * but expressions use snake_case with `current_user.` prefix (e.g., `current_user.tenant_id`).\n * Implementations must handle this mapping.\n * \n * Supported operators:\n * - Comparison: =, !=, <, >, <=, >=, <> (not equal)\n * - Logical: AND, OR, NOT\n * - NULL checks: IS NULL, IS NOT NULL\n * - Set operations: IN, NOT IN\n * - String: LIKE, NOT LIKE, ILIKE (case-insensitive)\n * - Pattern matching: ~ (regex), !~ (not regex)\n * - Subqueries: (SELECT ...)\n * - Array operations: ANY, ALL\n * \n * **Prohibited**: Dynamic SQL, DDL statements, DML statements (INSERT/UPDATE/DELETE)\n * \n * @example \"tenant_id = current_user.tenant_id\"\n * @example \"owner_id = current_user.id OR created_by = current_user.id\"\n * @example \"department IN (SELECT department FROM user_departments WHERE user_id = current_user.id)\"\n * @example \"status = 'active' AND expiry_date > NOW()\"\n */\n using: z.string()\n .optional()\n .describe('Filter condition for SELECT/UPDATE/DELETE (PostgreSQL SQL WHERE clause syntax with parameterized context variables). Optional for INSERT-only policies.'),\n\n /**\n * CHECK clause - Validation for INSERT/UPDATE operations.\n * \n * Similar to USING but applies to new/modified rows.\n * Prevents users from creating/updating rows they wouldn't be able to see.\n * \n * **Default Behavior**: If not specified, implementations should use the\n * USING clause as the CHECK clause. 
This ensures data integrity by preventing\n * users from creating records they cannot view.\n * \n * Use cases:\n * - Prevent cross-tenant data creation\n * - Enforce mandatory field values\n * - Validate data integrity rules\n * - Restrict certain operations (e.g., only allow creating \"draft\" status)\n * \n * @example \"tenant_id = current_user.tenant_id\"\n * @example \"status IN ('draft', 'pending')\" - Only allow certain statuses\n * @example \"created_by = current_user.id\" - Must be the creator\n */\n check: z.string()\n .optional()\n .describe('Validation condition for INSERT/UPDATE (defaults to USING clause if not specified - enforced at application level)'),\n\n /**\n * Restrict this policy to specific roles.\n * If specified, only users with these roles will have this policy applied.\n * If omitted, policy applies to all users (except those with bypassRLS permission).\n * \n * Role names must match defined roles in the system.\n * \n * @example [\"sales_rep\", \"account_manager\"]\n * @example [\"employee\"] - Apply to all employees\n * @example [\"guest\"] - Special restrictions for guests\n */\n roles: z.array(z.string())\n .optional()\n .describe('Roles this policy applies to (omit for all roles)'),\n\n /**\n * Whether this policy is currently active.\n * Disabled policies are not evaluated.\n * Useful for temporary policy changes without deletion.\n * \n * @default true\n */\n enabled: z.boolean()\n .default(true)\n .describe('Whether this policy is active'),\n\n /**\n * Policy priority for conflict resolution.\n * Higher numbers = higher priority.\n * When multiple policies apply, the most permissive wins (OR logic).\n * Priority is only used for ordering evaluation (performance).\n * \n * @default 0\n */\n priority: z.number()\n .int()\n .default(0)\n .describe('Policy evaluation priority (higher = evaluated first)'),\n\n /**\n * Tags for policy categorization and reporting.\n * Useful for governance, compliance, and auditing.\n * \n * @example 
[\"compliance\", \"gdpr\", \"pci\"]\n * @example [\"multi-tenant\", \"security\"]\n */\n tags: z.array(z.string())\n .optional()\n .describe('Policy categorization tags'),\n}).superRefine((data, ctx) => {\n // Ensure at least one of USING or CHECK is provided\n if (!data.using && !data.check) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'At least one of \"using\" or \"check\" must be specified. For SELECT/UPDATE/DELETE operations, provide \"using\". For INSERT operations, provide \"check\".',\n });\n }\n \n // For non-insert operations, USING should typically be present\n // This is a soft warning through documentation, not enforced here\n // since 'all' and mixed operation types are valid\n});\n\n/**\n * RLS Configuration Schema\n * \n * Global configuration for the Row-Level Security system.\n * Defines how RLS is enforced across the entire platform.\n */\nexport const RLSConfigSchema = z.object({\n /**\n * Global RLS enable/disable flag.\n * When false, all RLS policies are ignored (use with caution!).\n * \n * @default true\n */\n enabled: z.boolean()\n .default(true)\n .describe('Enable RLS enforcement globally'),\n\n /**\n * Default behavior when no policies match.\n * \n * - **deny**: Deny access (secure default)\n * - **allow**: Allow access (permissive mode, not recommended)\n * \n * @default \"deny\"\n */\n defaultPolicy: z.enum(['deny', 'allow'])\n .default('deny')\n .describe('Default action when no policies match'),\n\n /**\n * Whether to allow superusers to bypass RLS.\n * Superusers include system administrators and service accounts.\n * \n * @default true\n */\n allowSuperuserBypass: z.boolean()\n .default(true)\n .describe('Allow superusers to bypass RLS'),\n\n /**\n * List of roles that can bypass RLS.\n * Users with these roles see all records regardless of policies.\n * \n * @example [\"system_admin\", \"data_auditor\"]\n */\n bypassRoles: z.array(z.string())\n .optional()\n .describe('Roles that bypass RLS (see all data)'),\n\n 
/**\n * Whether to log RLS policy evaluations.\n * Useful for debugging and auditing.\n * Can impact performance if enabled globally.\n * \n * @default false\n */\n logEvaluations: z.boolean()\n .default(false)\n .describe('Log RLS policy evaluations for debugging'),\n\n /**\n * Cache RLS policy evaluation results.\n * Can improve performance for frequently accessed records.\n * Cache is invalidated when policies change or user context changes.\n * \n * @default true\n */\n cacheResults: z.boolean()\n .default(true)\n .describe('Cache RLS evaluation results'),\n\n /**\n * Cache TTL in seconds.\n * How long to cache RLS evaluation results.\n * \n * @default 300 (5 minutes)\n */\n cacheTtlSeconds: z.number()\n .int()\n .positive()\n .default(300)\n .describe('Cache TTL in seconds'),\n\n /**\n * Performance optimization: Pre-fetch user context.\n * Load user context once per request instead of per-query.\n * \n * @default true\n */\n prefetchUserContext: z.boolean()\n .default(true)\n .describe('Pre-fetch user context for performance'),\n});\n\n/**\n * User Context Schema\n * \n * Represents the current user's context for RLS evaluation.\n * This data is used to evaluate USING and CHECK clauses.\n */\nexport const RLSUserContextSchema = z.object({\n /**\n * User ID\n */\n id: z.string()\n .describe('User ID'),\n\n /**\n * User email\n */\n email: z.string()\n .email()\n .optional()\n .describe('User email'),\n\n /**\n * Tenant/Organization ID\n */\n tenantId: z.string()\n .optional()\n .describe('Tenant/Organization ID'),\n\n /**\n * User role(s)\n */\n role: z.union([\n z.string(),\n z.array(z.string()),\n ])\n .optional()\n .describe('User role(s)'),\n\n /**\n * User department\n */\n department: z.string()\n .optional()\n .describe('User department'),\n\n /**\n * Additional custom attributes\n * Can include any custom user fields for RLS evaluation\n */\n attributes: z.record(z.string(), z.unknown())\n .optional()\n .describe('Additional custom user 
attributes'),\n});\n\n/**\n * RLS Policy Evaluation Result\n * \n * Result of evaluating an RLS policy for a specific record.\n * Used for debugging and audit logging.\n */\nexport const RLSEvaluationResultSchema = z.object({\n /**\n * Policy name that was evaluated\n */\n policyName: z.string()\n .describe('Policy name'),\n\n /**\n * Whether access was granted\n */\n granted: z.boolean()\n .describe('Whether access was granted'),\n\n /**\n * Evaluation duration in milliseconds\n */\n durationMs: z.number()\n .optional()\n .describe('Evaluation duration in milliseconds'),\n\n /**\n * Error message if evaluation failed\n */\n error: z.string()\n .optional()\n .describe('Error message if evaluation failed'),\n\n /**\n * Evaluated USING clause result\n */\n usingResult: z.boolean()\n .optional()\n .describe('USING clause evaluation result'),\n\n /**\n * Evaluated CHECK clause result (for INSERT/UPDATE)\n */\n checkResult: z.boolean()\n .optional()\n .describe('CHECK clause evaluation result'),\n});\n\n/**\n * Type exports\n */\nexport type RowLevelSecurityPolicy = z.infer<typeof RowLevelSecurityPolicySchema>;\nexport type RLSConfig = z.infer<typeof RLSConfigSchema>;\nexport type RLSUserContext = z.infer<typeof RLSUserContextSchema>;\nexport type RLSEvaluationResult = z.infer<typeof RLSEvaluationResultSchema>;\n\n/**\n * Helper factory for creating RLS policies\n */\nexport const RLS = {\n /**\n * Create a simple owner-based policy\n */\n ownerPolicy: (object: string, ownerField: string = 'owner_id'): RowLevelSecurityPolicy => ({\n name: `${object}_owner_access`,\n label: `Owner Access for ${object}`,\n object,\n operation: 'all',\n using: `${ownerField} = current_user.id`,\n enabled: true,\n priority: 0,\n }),\n\n /**\n * Create a tenant isolation policy\n */\n tenantPolicy: (object: string, tenantField: string = 'tenant_id'): RowLevelSecurityPolicy => ({\n name: `${object}_tenant_isolation`,\n label: `Tenant Isolation for ${object}`,\n object,\n operation: 'all',\n 
using: `${tenantField} = current_user.tenant_id`,\n check: `${tenantField} = current_user.tenant_id`,\n enabled: true,\n priority: 0,\n }),\n\n /**\n * Create a role-based policy\n */\n rolePolicy: (object: string, roles: string[], condition: string): RowLevelSecurityPolicy => ({\n name: `${object}_${roles.join('_')}_access`,\n label: `${roles.join(', ')} Access for ${object}`,\n object,\n operation: 'select',\n using: condition,\n roles,\n enabled: true,\n priority: 0,\n }),\n\n /**\n * Create a permissive policy (allow all for specific roles)\n */\n allowAllPolicy: (object: string, roles: string[]): RowLevelSecurityPolicy => ({\n name: `${object}_${roles.join('_')}_full_access`,\n label: `Full Access for ${roles.join(', ')}`,\n object,\n operation: 'all',\n using: '1 = 1', // Always true\n roles,\n enabled: true,\n priority: 0,\n }),\n} as const;\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\n\n/**\n * Organization-Wide Defaults (OWD)\n * The baseline security posture for an object.\n */\nexport const OWDModel = z.enum([\n 'private', // Only owner can see\n 'public_read', // Everyone can see, owner can edit\n 'public_read_write', // Everyone can see and edit\n 'controlled_by_parent' // Access derived from parent record (Master-Detail)\n]);\n\n/**\n * Sharing Rule Type\n * How is the data shared?\n */\nexport const SharingRuleType = z.enum([\n 'owner', // Based on record ownership (Role Hierarchy)\n 'criteria', // Based on field values (e.g. 
Status = 'Open')\n]);\n\n/**\n * Sharing Level\n * What access is granted?\n */\nexport const SharingLevel = z.enum([\n 'read', // Read Only\n 'edit', // Read / Write\n 'full' // Full Access (Transfer, Share, Delete)\n]);\n\n/**\n * Recipient Type \n * Who receives the access?\n */\nexport const ShareRecipientType = z.enum([\n 'user',\n 'group',\n 'role',\n 'role_and_subordinates',\n 'guest' // for public sharing\n]);\n\n/**\n * Base Sharing Rule\n * Common metadata for all sharing strategies.\n */\nconst BaseSharingRuleSchema = z.object({\n // Identification\n name: z.string().regex(/^[a-z_][a-z0-9_]*$/).describe('Unique rule name (snake_case)'),\n label: z.string().optional().describe('Human-readable label'),\n description: z.string().optional().describe('Administrative notes'),\n \n // Scope\n object: z.string().describe('Target Object Name'),\n active: z.boolean().default(true),\n \n // Access\n accessLevel: SharingLevel.default('read'),\n \n // Recipient (Whom to share with)\n sharedWith: z.object({\n type: ShareRecipientType,\n value: z.string().describe('ID or Code of the User/Group/Role'),\n }).describe('The recipient of the shared access'),\n});\n\n/**\n * 1. Criteria-Based Sharing Rule\n * Share records that meet specific field criteria.\n */\nexport const CriteriaSharingRuleSchema = BaseSharingRuleSchema.extend({\n type: z.literal('criteria'),\n condition: z.string().describe('Formula condition (e.g. \"department = \\'Sales\\'\")'),\n});\n\n/**\n * 2. 
Owner-Based Sharing Rule\n * Share records owned by a specific group of users.\n */\nexport const OwnerSharingRuleSchema = BaseSharingRuleSchema.extend({\n type: z.literal('owner'),\n ownedBy: z.object({\n type: ShareRecipientType,\n value: z.string(),\n }).describe('Source group/role whose records are being shared'),\n});\n\n/**\n * Master Sharing Rule Schema\n */\nexport const SharingRuleSchema = z.discriminatedUnion('type', [\n CriteriaSharingRuleSchema,\n OwnerSharingRuleSchema\n]);\n\nexport type SharingRule = z.infer<typeof SharingRuleSchema>;\nexport type CriteriaSharingRule = z.infer<typeof CriteriaSharingRuleSchema>;\nexport type OwnerSharingRule = z.infer<typeof OwnerSharingRuleSchema>;\n","// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\nimport { SnakeCaseIdentifierSchema } from '../shared/identifiers.zod';\n\n/**\n * Territory Management Protocol\n * Defines a matrix reporting structure that exists parallel to the Role Hierarchy.\n * \n * USE CASE:\n * - Enterprise Sales Teams (Geo-based: \"EMEA\", \"APAC\")\n * - Industry Verticals (Industry-based: \"Healthcare\", \"Financial\")\n * - Strategic Accounts (Account-based: \"Strategic Accounts\")\n * \n * DIFFERENCE FROM ROLE:\n * - Role: Hierarchy of PEOPLE (Who reports to whom). Stable. HR-driven.\n * - Territory: Hierarchy of ACCOUNTS/REVENUE (Who owns which market). Flexible. Sales-driven.\n * - One User can be assigned to MANY Territories (Matrix).\n * - One User has only ONE Role (Tree).\n */\n\nexport const TerritoryType = z.enum([\n 'geography', // Region/Country/City\n 'industry', // Vertical\n 'named_account', // Key Accounts\n 'product_line' // Product Specialty\n]);\n\n/**\n * Territory Model Schema\n * A container for a version of territory planning.\n * (e.g. \"Fiscal Year 2024 Planning\" vs \"Fiscal Year 2025 Planning\")\n */\nexport const TerritoryModelSchema = z.object({\n name: z.string().describe('Model Name (e.g. 
FY24 Planning)'),\n state: z.enum(['planning', 'active', 'archived']).default('planning'),\n startDate: z.string().optional(),\n endDate: z.string().optional(),\n});\n\n/**\n * Territory Node Schema\n * A single node in the territory tree.\n * \n * **NAMING CONVENTION:**\n * Territory names are machine identifiers and must be lowercase snake_case.\n * \n * @example Good territory names\n * - 'west_coast'\n * - 'emea_region'\n * - 'healthcare_vertical'\n * - 'strategic_accounts'\n * \n * @example Bad territory names (will be rejected)\n * - 'WestCoast' (PascalCase)\n * - 'West Coast' (spaces)\n */\nexport const TerritorySchema = z.object({\n /** Identity */\n name: SnakeCaseIdentifierSchema.describe('Territory unique name (lowercase snake_case)'),\n label: z.string().describe('Territory Label (e.g. \"West Coast\")'),\n \n /** Structure */\n modelId: z.string().describe('Belongs to which Territory Model'),\n parent: z.string().optional().describe('Parent Territory'),\n type: TerritoryType.default('geography'),\n \n /** \n * Assignment Rules (The \"Magic\")\n * How do accounts automatically fall into this territory?\n * e.g. \"BillingCountry = 'US' AND BillingState = 'CA'\"\n */\n assignmentRule: z.string().optional().describe('Criteria based assignment rule'),\n \n /**\n * User Assignment\n * Users assigned to work this territory.\n */\n assignedUsers: z.array(z.string()).optional(),\n \n /** Access Level */\n accountAccess: z.enum(['read', 'edit']).default('read'),\n opportunityAccess: z.enum(['read', 'edit']).default('read'),\n caseAccess: z.enum(['read', 'edit']).default('read'),\n});\n\nexport type Territory = z.infer<typeof TerritorySchema>;\nexport type TerritoryModel = z.infer<typeof TerritoryModelSchema>;\n","// Copyright (c) 2025 ObjectStack. 
Licensed under the Apache-2.0 license.\n\nimport { z } from 'zod';\n\n/**\n * Password Complexity Policy\n */\nexport const PasswordPolicySchema = z.object({\n minLength: z.number().default(8),\n requireUppercase: z.boolean().default(true),\n requireLowercase: z.boolean().default(true),\n requireNumbers: z.boolean().default(true),\n requireSymbols: z.boolean().default(false),\n expirationDays: z.number().optional().describe('Force password change every X days'),\n historyCount: z.number().default(3).describe('Prevent reusing last X passwords'),\n});\n\n/**\n * Network Access Policy (IP Whitelisting)\n */\nexport const NetworkPolicySchema = z.object({\n trustedRanges: z.array(z.string()).describe('CIDR ranges allowed to access (e.g. 10.0.0.0/8)'),\n blockUnknown: z.boolean().default(false).describe('Block all IPs not in trusted ranges'),\n vpnRequired: z.boolean().default(false),\n});\n\n/**\n * Session Policy\n */\nexport const SessionPolicySchema = z.object({\n idleTimeout: z.number().default(30).describe('Minutes before idle session logout'),\n absoluteTimeout: z.number().default(480).describe('Max session duration (minutes)'),\n forceMfa: z.boolean().default(false).describe('Require 2FA for all users'),\n});\n\n/**\n * Audit Retention Policy\n */\nexport const AuditPolicySchema = z.object({\n logRetentionDays: z.number().default(180),\n sensitiveFields: z.array(z.string()).describe('Fields to redact in logs (e.g. 
password, ssn)'),\n captureRead: z.boolean().default(false).describe('Log read access (High volume!)'),\n});\n\n/**\n * Security Policy Schema\n * \"The Cloud Compliance Contract\"\n */\nexport const PolicySchema = z.object({\n name: z.string().regex(/^[a-z_][a-z0-9_]*$/).describe('Policy Name'),\n \n password: PasswordPolicySchema.optional(),\n network: NetworkPolicySchema.optional(),\n session: SessionPolicySchema.optional(),\n audit: AuditPolicySchema.optional(),\n\n /** Assignment */\n isDefault: z.boolean().default(false).describe('Apply to all users by default'),\n assignedProfiles: z.array(z.string()).optional().describe('Apply to specific profiles'),\n});\n\nexport type Policy = z.infer<typeof PolicySchema>;\n"],"mappings":";AAEA,SAAS,KAAAA,UAAS;;;ACAlB,SAAS,SAAS;AA6CX,IAAM,yBAAyB,EACnC,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,kDAAkD,CAAC,EACrE,MAAM,sBAAsB;AAAA,EAC3B,SACE;AACJ,CAAC,EACA,SAAS,wDAAwD;AAiB7D,IAAM,4BAA4B,EACtC,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,2CAA2C,CAAC,EAC9D,MAAM,qBAAqB;AAAA,EAC1B,SACE;AACJ,CAAC,EACA,SAAS,yDAAyD;AAoB9D,IAAM,kBAAkB,EAC5B,OAAO,EACP,IAAI,GAAG,EAAE,SAAS,2CAA2C,CAAC,EAC9D,MAAM,sBAAsB;AAAA,EAC3B,SACE;AACJ,CAAC,EACA,SAAS,0DAA0D;;;ACvGtE,SAAS,KAAAC,UAAS;AAuGX,IAAM,eAAeA,GAAE,KAAK,CAAC,UAAU,UAAU,UAAU,UAAU,KAAK,CAAC;AAkG3E,IAAM,+BAA+BA,GAAE,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQnD,MAAMA,GAAE,OAAO,EACZ,MAAM,oBAAoB,EAC1B,SAAS,uCAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQnD,OAAOA,GAAE,OAAO,EACb,SAAS,EACT,SAAS,6BAA6B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzC,aAAaA,GAAE,OAAO,EACnB,SAAS,EACT,SAAS,+CAA+C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ3D,QAAQA,GAAE,OAAO,EACd,SAAS,oBAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAchC,WAAW,aACR,SAAS,2CAA2C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmDvD,OAAOA,GAAE,OAAO,EACb,SAAS,EA
CT,SAAS,yJAAyJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBrK,OAAOA,GAAE,OAAO,EACb,SAAS,EACT,SAAS,oHAAoH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAahI,OAAOA,GAAE,MAAMA,GAAE,OAAO,CAAC,EACtB,SAAS,EACT,SAAS,mDAAmD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAS/D,SAASA,GAAE,QAAQ,EAChB,QAAQ,IAAI,EACZ,SAAS,+BAA+B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU3C,UAAUA,GAAE,OAAO,EAChB,IAAI,EACJ,QAAQ,CAAC,EACT,SAAS,uDAAuD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnE,MAAMA,GAAE,MAAMA,GAAE,OAAO,CAAC,EACrB,SAAS,EACT,SAAS,4BAA4B;AAC1C,CAAC,EAAE,YAAY,CAAC,MAAM,QAAQ;AAE5B,MAAI,CAAC,KAAK,SAAS,CAAC,KAAK,OAAO;AAC9B,QAAI,SAAS;AAAA,MACX,MAAMA,GAAE,aAAa;AAAA,MACrB,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AAKF,CAAC;AAQM,IAAM,kBAAkBA,GAAE,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOtC,SAASA,GAAE,QAAQ,EAChB,QAAQ,IAAI,EACZ,SAAS,iCAAiC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU7C,eAAeA,GAAE,KAAK,CAAC,QAAQ,OAAO,CAAC,EACpC,QAAQ,MAAM,EACd,SAAS,uCAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQnD,sBAAsBA,GAAE,QAAQ,EAC7B,QAAQ,IAAI,EACZ,SAAS,gCAAgC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ5C,aAAaA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAC5B,SAAS,EACT,SAAS,sCAAsC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASlD,gBAAgBA,GAAE,QAAQ,EACvB,QAAQ,KAAK,EACb,SAAS,0CAA0C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAStD,cAAcA,GAAE,QAAQ,EACrB,QAAQ,IAAI,EACZ,SAAS,8BAA8B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQ1C,iBAAiBA,GAAE,OAAO,EACvB,IAAI,EACJ,SAAS,EACT,QAAQ,GAAG,EACX,SAAS,sBAAsB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlC,qBAAqBA,GAAE,QAAQ,EAC5B,QAAQ,IAAI,EACZ,SAAS,wCAAwC;AACtD,CAAC;AAQM,IAAM,uBAAuBA,GAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAI3C,IAAIA,GAAE,OAAO,EACV,SAAS,SAAS;AAAA;AAAA;AAAA;AAAA,EAKrB,OAAOA,GAAE,OAAO,EACb,MAAM,EACN,SAAS,EACT,SAAS,YAAY;AAAA;AAAA;AAAA;AAAA,EAKxB,UAAUA,GAAE,OAAO,EAChB,SAAS,EACT,SAAS,wBAAwB;AAAA;AAAA;AAAA;AAAA,EAKpC,MAAMA,GAAE,MAAM;AAAA,IACZA,GAAE,OAAO;AAAA,IACTA,GAAE,MAAMA,GAAE,OAAO,CAAC;AAAA,EACpB,CAAC,EACE,SAAS,EACT,SAAS,cAAc;AAAA;AAAA;AA
AA;AAAA,EAK1B,YAAYA,GAAE,OAAO,EAClB,SAAS,EACT,SAAS,iBAAiB;AAAA;AAAA;AAAA;AAAA;AAAA,EAM7B,YAAYA,GAAE,OAAOA,GAAE,OAAO,GAAGA,GAAE,QAAQ,CAAC,EACzC,SAAS,EACT,SAAS,mCAAmC;AACjD,CAAC;AAQM,IAAM,4BAA4BA,GAAE,OAAO;AAAA;AAAA;AAAA;AAAA,EAIhD,YAAYA,GAAE,OAAO,EAClB,SAAS,aAAa;AAAA;AAAA;AAAA;AAAA,EAKzB,SAASA,GAAE,QAAQ,EAChB,SAAS,4BAA4B;AAAA;AAAA;AAAA;AAAA,EAKxC,YAAYA,GAAE,OAAO,EAClB,SAAS,EACT,SAAS,qCAAqC;AAAA;AAAA;AAAA;AAAA,EAKjD,OAAOA,GAAE,OAAO,EACb,SAAS,EACT,SAAS,oCAAoC;AAAA;AAAA;AAAA;AAAA,EAKhD,aAAaA,GAAE,QAAQ,EACpB,SAAS,EACT,SAAS,gCAAgC;AAAA;AAAA;AAAA;AAAA,EAK5C,aAAaA,GAAE,QAAQ,EACpB,SAAS,EACT,SAAS,gCAAgC;AAC9C,CAAC;AAaM,IAAM,MAAM;AAAA;AAAA;AAAA;AAAA,EAIjB,aAAa,CAAC,QAAgB,aAAqB,gBAAwC;AAAA,IACzF,MAAM,GAAG,MAAM;AAAA,IACf,OAAO,oBAAoB,MAAM;AAAA,IACjC;AAAA,IACA,WAAW;AAAA,IACX,OAAO,GAAG,UAAU;AAAA,IACpB,SAAS;AAAA,IACT,UAAU;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,CAAC,QAAgB,cAAsB,iBAAyC;AAAA,IAC5F,MAAM,GAAG,MAAM;AAAA,IACf,OAAO,wBAAwB,MAAM;AAAA,IACrC;AAAA,IACA,WAAW;AAAA,IACX,OAAO,GAAG,WAAW;AAAA,IACrB,OAAO,GAAG,WAAW;AAAA,IACrB,SAAS;AAAA,IACT,UAAU;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,CAAC,QAAgB,OAAiB,eAA+C;AAAA,IAC3F,MAAM,GAAG,MAAM,IAAI,MAAM,KAAK,GAAG,CAAC;AAAA,IAClC,OAAO,GAAG,MAAM,KAAK,IAAI,CAAC,eAAe,MAAM;AAAA,IAC/C;AAAA,IACA,WAAW;AAAA,IACX,OAAO;AAAA,IACP;AAAA,IACA,SAAS;AAAA,IACT,UAAU;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAgB,CAAC,QAAgB,WAA6C;AAAA,IAC5E,MAAM,GAAG,MAAM,IAAI,MAAM,KAAK,GAAG,CAAC;AAAA,IAClC,OAAO,mBAAmB,MAAM,KAAK,IAAI,CAAC;AAAA,IAC1C;AAAA,IACA,WAAW;AAAA,IACX,OAAO;AAAA;AAAA,IACP;AAAA,IACA,SAAS;AAAA,IACT,UAAU;AAAA,EACZ;AACF;;;AFtoBO,IAAM,yBAAyBC,GAAE,OAAO;AAAA;AAAA,EAE7C,aAAaA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,mBAAmB;AAAA;AAAA,EAEpE,WAAWA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,iBAAiB;AAAA;AAAA,EAEhE,WAAWA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,iBAAiB;AAAA;AAAA,EAEhE,aAAaA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,mBAAmB;AAAA;AAAA,EAGpE,eAAeA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,yBAAyB;AAAA,EAC5E,cAAcA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,+BAA+B;AAAA,EACjF,YAAYA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,
SAAS,uCAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOvF,gBAAgBA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,gCAAgC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOpF,kBAAkBA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,kCAAkC;AAC1F,CAAC;AAKM,IAAM,wBAAwBA,GAAE,OAAO;AAAA;AAAA,EAE5C,UAAUA,GAAE,QAAQ,EAAE,QAAQ,IAAI,EAAE,SAAS,mBAAmB;AAAA;AAAA,EAEhE,UAAUA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,mBAAmB;AACnE,CAAC;AAyBM,IAAM,sBAAsBA,GAAE,OAAO;AAAA;AAAA,EAE1C,MAAM,0BAA0B,SAAS,mDAAmD;AAAA;AAAA,EAG5F,OAAOA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,eAAe;AAAA;AAAA,EAGrD,WAAWA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,gCAAgC;AAAA;AAAA,EAG/E,SAASA,GAAE,OAAOA,GAAE,OAAO,GAAG,sBAAsB,EAAE,SAAS,oBAAoB;AAAA;AAAA,EAGnF,QAAQA,GAAE,OAAOA,GAAE,OAAO,GAAG,qBAAqB,EAAE,SAAS,EAAE,SAAS,sBAAsB;AAAA;AAAA,EAG9F,mBAAmBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,2BAA2B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBtF,kBAAkBA,GAAE,MAAM,4BAA4B,EAAE,SAAS,EAC9D,SAAS,4DAA4D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBxE,kBAAkBA,GAAE,OAAOA,GAAE,OAAO,GAAGA,GAAE,QAAQ,CAAC,EAAE,SAAS,EAAE,SAAS,sCAAsC;AAChH,CAAC;;;AG/ID,SAAS,KAAAC,UAAS;AAMX,IAAM,WAAWA,GAAE,KAAK;AAAA,EAC7B;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF,CAAC;AAMM,IAAM,kBAAkBA,GAAE,KAAK;AAAA,EACpC;AAAA;AAAA,EACA;AAAA;AACF,CAAC;AAMM,IAAM,eAAeA,GAAE,KAAK;AAAA,EACjC;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF,CAAC;AAMM,IAAM,qBAAqBA,GAAE,KAAK;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AACF,CAAC;AAMD,IAAM,wBAAwBA,GAAE,OAAO;AAAA;AAAA,EAErC,MAAMA,GAAE,OAAO,EAAE,MAAM,oBAAoB,EAAE,SAAS,+BAA+B;AAAA,EACrF,OAAOA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,sBAAsB;AAAA,EAC5D,aAAaA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,sBAAsB;AAAA;AAAA,EAGlE,QAAQA,GAAE,OAAO,EAAE,SAAS,oBAAoB;AAAA,EAChD,QAAQA,GAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAGhC,aAAa,aAAa,QAAQ,MAAM;AAAA;AAAA,EAGxC,YAAYA,GAAE,OAAO;AAAA,IACnB,MAAM;AAAA,IACN,OAAOA,GAAE,OAAO,EAAE,SAAS,mCAAmC;AAAA,EAChE,CAAC,EAAE,SAAS,oCAAoC;AAClD,CAAC;AA
MM,IAAM,4BAA4B,sBAAsB,OAAO;AAAA,EACpE,MAAMA,GAAE,QAAQ,UAAU;AAAA,EAC1B,WAAWA,GAAE,OAAO,EAAE,SAAS,iDAAmD;AACpF,CAAC;AAMM,IAAM,yBAAyB,sBAAsB,OAAO;AAAA,EACjE,MAAMA,GAAE,QAAQ,OAAO;AAAA,EACvB,SAASA,GAAE,OAAO;AAAA,IAChB,MAAM;AAAA,IACN,OAAOA,GAAE,OAAO;AAAA,EAClB,CAAC,EAAE,SAAS,kDAAkD;AAChE,CAAC;AAKM,IAAM,oBAAoBA,GAAE,mBAAmB,QAAQ;AAAA,EAC5D;AAAA,EACA;AACF,CAAC;;;AC/FD,SAAS,KAAAC,UAAS;AAmBX,IAAM,gBAAgBC,GAAE,KAAK;AAAA,EAClC;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF,CAAC;AAOM,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EAC3C,MAAMA,GAAE,OAAO,EAAE,SAAS,iCAAiC;AAAA,EAC3D,OAAOA,GAAE,KAAK,CAAC,YAAY,UAAU,UAAU,CAAC,EAAE,QAAQ,UAAU;AAAA,EACpE,WAAWA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,SAASA,GAAE,OAAO,EAAE,SAAS;AAC/B,CAAC;AAmBM,IAAM,kBAAkBA,GAAE,OAAO;AAAA;AAAA,EAEtC,MAAM,0BAA0B,SAAS,8CAA8C;AAAA,EACvF,OAAOA,GAAE,OAAO,EAAE,SAAS,qCAAqC;AAAA;AAAA,EAGhE,SAASA,GAAE,OAAO,EAAE,SAAS,kCAAkC;AAAA,EAC/D,QAAQA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,kBAAkB;AAAA,EACzD,MAAM,cAAc,QAAQ,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOvC,gBAAgBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,gCAAgC;AAAA;AAAA;AAAA;AAAA;AAAA,EAM/E,eAAeA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA,EAG5C,eAAeA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC,EAAE,QAAQ,MAAM;AAAA,EACtD,mBAAmBA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC,EAAE,QAAQ,MAAM;AAAA,EAC1D,YAAYA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC,EAAE,QAAQ,MAAM;AACrD,CAAC;;;AClFD,SAAS,KAAAC,UAAS;AAKX,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EAC3C,WAAWA,GAAE,OAAO,EAAE,QAAQ,CAAC;AAAA,EAC/B,kBAAkBA,GAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAC1C,kBAAkBA,GAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAC1C,gBAAgBA,GAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EACxC,gBAAgBA,GAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EACzC,gBAAgBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,oCAAoC;AAAA,EACnF,cAAcA,GAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS,kCAAkC;AACjF,CAAC;AAKM,IAAM,sBAAsBA,GAAE,OAAO;AAAA,EAC1C,eAAeA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,iDAAiD;AAAA,EAC7F,cAAcA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,qCAAqC;AAAA,EACvF,aAAaA,GAAE,QAAQ,EAAE,QAAQ,KAAK;AACxC,CAAC;AAKM,IAAM,sBAAsBA,GAAE,OAAO;AAAA,EAC1C,aAAaA,GAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,oCAAoC;AAAA,EACjF
,iBAAiBA,GAAE,OAAO,EAAE,QAAQ,GAAG,EAAE,SAAS,gCAAgC;AAAA,EAClF,UAAUA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,2BAA2B;AAC3E,CAAC;AAKM,IAAM,oBAAoBA,GAAE,OAAO;AAAA,EACxC,kBAAkBA,GAAE,OAAO,EAAE,QAAQ,GAAG;AAAA,EACxC,iBAAiBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,+CAA+C;AAAA,EAC7F,aAAaA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,gCAAgC;AACnF,CAAC;AAMM,IAAM,eAAeA,GAAE,OAAO;AAAA,EACnC,MAAMA,GAAE,OAAO,EAAE,MAAM,oBAAoB,EAAE,SAAS,aAAa;AAAA,EAEnE,UAAU,qBAAqB,SAAS;AAAA,EACxC,SAAS,oBAAoB,SAAS;AAAA,EACtC,SAAS,oBAAoB,SAAS;AAAA,EACtC,OAAO,kBAAkB,SAAS;AAAA;AAAA,EAGlC,WAAWA,GAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,+BAA+B;AAAA,EAC9E,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,4BAA4B;AACxF,CAAC;","names":["z","z","z","z","z","z","z"]}
@@ -0,0 +1,49 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "type": "object",
4
+ "properties": {
5
+ "context": {
6
+ "type": "object",
7
+ "properties": {
8
+ "userId": {
9
+ "type": "string"
10
+ },
11
+ "tenantId": {
12
+ "type": "string"
13
+ },
14
+ "roles": {
15
+ "default": [],
16
+ "type": "array",
17
+ "items": {
18
+ "type": "string"
19
+ }
20
+ },
21
+ "permissions": {
22
+ "default": [],
23
+ "type": "array",
24
+ "items": {
25
+ "type": "string"
26
+ }
27
+ },
28
+ "isSystem": {
29
+ "default": false,
30
+ "type": "boolean"
31
+ },
32
+ "accessToken": {
33
+ "type": "string"
34
+ },
35
+ "transaction": {},
36
+ "traceId": {
37
+ "type": "string"
38
+ }
39
+ },
40
+ "required": [
41
+ "roles",
42
+ "permissions",
43
+ "isSystem"
44
+ ],
45
+ "additionalProperties": false
46
+ }
47
+ },
48
+ "additionalProperties": false
49
+ }
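Review bot: `accessToken` is declared as a plain string next to `traceId`, and nothing in the schema marks it as a credential, so any code that serialises the whole context for logs or traces would carry the token along. I would annotate it, for example `"accessToken": { "type": "string", "writeOnly": true, "description": "Bearer credential; redact before logging" }`. `"transaction": {}` is the empty schema and accepts any JSON value; a `"description"` stating what is expected there would help consumers. If this file is generated from the Zod definitions, both changes belong in that source instead.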
@@ -2,6 +2,48 @@
2
2
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3
3
  "type": "object",
4
4
  "properties": {
5
+ "context": {
6
+ "type": "object",
7
+ "properties": {
8
+ "userId": {
9
+ "type": "string"
10
+ },
11
+ "tenantId": {
12
+ "type": "string"
13
+ },
14
+ "roles": {
15
+ "default": [],
16
+ "type": "array",
17
+ "items": {
18
+ "type": "string"
19
+ }
20
+ },
21
+ "permissions": {
22
+ "default": [],
23
+ "type": "array",
24
+ "items": {
25
+ "type": "string"
26
+ }
27
+ },
28
+ "isSystem": {
29
+ "default": false,
30
+ "type": "boolean"
31
+ },
32
+ "accessToken": {
33
+ "type": "string"
34
+ },
35
+ "transaction": {},
36
+ "traceId": {
37
+ "type": "string"
38
+ }
39
+ },
40
+ "required": [
41
+ "roles",
42
+ "permissions",
43
+ "isSystem"
44
+ ],
45
+ "additionalProperties": false
46
+ },
5
47
  "filter": {
6
48
  "anyOf": [
7
49
  {
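Review bot: The added `context` object is a sibling of `filter`, so it is part of the query payload itself, and it carries `isSystem`, `roles`, `permissions` and `tenantId`. If this schema is ever used to validate a query arriving from a client (not visible here), the caller could state its own privileges. The enforcement layer should build `context` from the authenticated session and discard any inbound value. I would record that on the property, for example `"description": "Server-populated execution context; never trusted from request input"`. The same addition appears in the hunks at `@@ -12,6 +12,48 @@` and `@@ -23,6 +23,48 @@`, and the enclosing object starts and ends outside this hunk.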
@@ -12,6 +12,48 @@
12
12
  "query": {
13
13
  "type": "object",
14
14
  "properties": {
15
+ "context": {
16
+ "type": "object",
17
+ "properties": {
18
+ "userId": {
19
+ "type": "string"
20
+ },
21
+ "tenantId": {
22
+ "type": "string"
23
+ },
24
+ "roles": {
25
+ "default": [],
26
+ "type": "array",
27
+ "items": {
28
+ "type": "string"
29
+ }
30
+ },
31
+ "permissions": {
32
+ "default": [],
33
+ "type": "array",
34
+ "items": {
35
+ "type": "string"
36
+ }
37
+ },
38
+ "isSystem": {
39
+ "default": false,
40
+ "type": "boolean"
41
+ },
42
+ "accessToken": {
43
+ "type": "string"
44
+ },
45
+ "transaction": {},
46
+ "traceId": {
47
+ "type": "string"
48
+ }
49
+ },
50
+ "required": [
51
+ "roles",
52
+ "permissions",
53
+ "isSystem"
54
+ ],
55
+ "additionalProperties": false
56
+ },
15
57
  "filter": {
16
58
  "anyOf": [
17
59
  {
@@ -23,6 +23,48 @@
23
23
  "query": {
24
24
  "type": "object",
25
25
  "properties": {
26
+ "context": {
27
+ "type": "object",
28
+ "properties": {
29
+ "userId": {
30
+ "type": "string"
31
+ },
32
+ "tenantId": {
33
+ "type": "string"
34
+ },
35
+ "roles": {
36
+ "default": [],
37
+ "type": "array",
38
+ "items": {
39
+ "type": "string"
40
+ }
41
+ },
42
+ "permissions": {
43
+ "default": [],
44
+ "type": "array",
45
+ "items": {
46
+ "type": "string"
47
+ }
48
+ },
49
+ "isSystem": {
50
+ "default": false,
51
+ "type": "boolean"
52
+ },
53
+ "accessToken": {
54
+ "type": "string"
55
+ },
56
+ "transaction": {},
57
+ "traceId": {
58
+ "type": "string"
59
+ }
60
+ },
61
+ "required": [
62
+ "roles",
63
+ "permissions",
64
+ "isSystem"
65
+ ],
66
+ "additionalProperties": false
67
+ },
26
68
  "filter": {
27
69
  "anyOf": [
28
70
  {
@@ -149,6 +191,48 @@
149
191
  "query": {
150
192
  "type": "object",
151
193
  "properties": {
194
+ "context": {
195
+ "type": "object",
196
+ "properties": {
197
+ "userId": {
198
+ "type": "string"
199
+ },
200
+ "tenantId": {
201
+ "type": "string"
202
+ },
203
+ "roles": {
204
+ "default": [],
205
+ "type": "array",
206
+ "items": {
207
+ "type": "string"
208
+ }
209
+ },
210
+ "permissions": {
211
+ "default": [],
212
+ "type": "array",
213
+ "items": {
214
+ "type": "string"
215
+ }
216
+ },
217
+ "isSystem": {
218
+ "default": false,
219
+ "type": "boolean"
220
+ },
221
+ "accessToken": {
222
+ "type": "string"
223
+ },
224
+ "transaction": {},
225
+ "traceId": {
226
+ "type": "string"
227
+ }
228
+ },
229
+ "required": [
230
+ "roles",
231
+ "permissions",
232
+ "isSystem"
233
+ ],
234
+ "additionalProperties": false
235
+ },
152
236
  "filter": {
153
237
  "anyOf": [
154
238
  {
@@ -296,6 +380,48 @@
296
380
  "options": {
297
381
  "type": "object",
298
382
  "properties": {
383
+ "context": {
384
+ "type": "object",
385
+ "properties": {
386
+ "userId": {
387
+ "type": "string"
388
+ },
389
+ "tenantId": {
390
+ "type": "string"
391
+ },
392
+ "roles": {
393
+ "default": [],
394
+ "type": "array",
395
+ "items": {
396
+ "type": "string"
397
+ }
398
+ },
399
+ "permissions": {
400
+ "default": [],
401
+ "type": "array",
402
+ "items": {
403
+ "type": "string"
404
+ }
405
+ },
406
+ "isSystem": {
407
+ "default": false,
408
+ "type": "boolean"
409
+ },
410
+ "accessToken": {
411
+ "type": "string"
412
+ },
413
+ "transaction": {},
414
+ "traceId": {
415
+ "type": "string"
416
+ }
417
+ },
418
+ "required": [
419
+ "roles",
420
+ "permissions",
421
+ "isSystem"
422
+ ],
423
+ "additionalProperties": false
424
+ },
299
425
  "returning": {
300
426
  "default": true,
301
427
  "type": "boolean"
@@ -343,6 +469,48 @@
343
469
  "options": {
344
470
  "type": "object",
345
471
  "properties": {
472
+ "context": {
473
+ "type": "object",
474
+ "properties": {
475
+ "userId": {
476
+ "type": "string"
477
+ },
478
+ "tenantId": {
479
+ "type": "string"
480
+ },
481
+ "roles": {
482
+ "default": [],
483
+ "type": "array",
484
+ "items": {
485
+ "type": "string"
486
+ }
487
+ },
488
+ "permissions": {
489
+ "default": [],
490
+ "type": "array",
491
+ "items": {
492
+ "type": "string"
493
+ }
494
+ },
495
+ "isSystem": {
496
+ "default": false,
497
+ "type": "boolean"
498
+ },
499
+ "accessToken": {
500
+ "type": "string"
501
+ },
502
+ "transaction": {},
503
+ "traceId": {
504
+ "type": "string"
505
+ }
506
+ },
507
+ "required": [
508
+ "roles",
509
+ "permissions",
510
+ "isSystem"
511
+ ],
512
+ "additionalProperties": false
513
+ },
346
514
  "filter": {
347
515
  "anyOf": [
348
516
  {
@@ -406,6 +574,48 @@
406
574
  "options": {
407
575
  "type": "object",
408
576
  "properties": {
577
+ "context": {
578
+ "type": "object",
579
+ "properties": {
580
+ "userId": {
581
+ "type": "string"
582
+ },
583
+ "tenantId": {
584
+ "type": "string"
585
+ },
586
+ "roles": {
587
+ "default": [],
588
+ "type": "array",
589
+ "items": {
590
+ "type": "string"
591
+ }
592
+ },
593
+ "permissions": {
594
+ "default": [],
595
+ "type": "array",
596
+ "items": {
597
+ "type": "string"
598
+ }
599
+ },
600
+ "isSystem": {
601
+ "default": false,
602
+ "type": "boolean"
603
+ },
604
+ "accessToken": {
605
+ "type": "string"
606
+ },
607
+ "transaction": {},
608
+ "traceId": {
609
+ "type": "string"
610
+ }
611
+ },
612
+ "required": [
613
+ "roles",
614
+ "permissions",
615
+ "isSystem"
616
+ ],
617
+ "additionalProperties": false
618
+ },
409
619
  "filter": {
410
620
  "anyOf": [
411
621
  {
@@ -449,6 +659,48 @@
449
659
  "query": {
450
660
  "type": "object",
451
661
  "properties": {
662
+ "context": {
663
+ "type": "object",
664
+ "properties": {
665
+ "userId": {
666
+ "type": "string"
667
+ },
668
+ "tenantId": {
669
+ "type": "string"
670
+ },
671
+ "roles": {
672
+ "default": [],
673
+ "type": "array",
674
+ "items": {
675
+ "type": "string"
676
+ }
677
+ },
678
+ "permissions": {
679
+ "default": [],
680
+ "type": "array",
681
+ "items": {
682
+ "type": "string"
683
+ }
684
+ },
685
+ "isSystem": {
686
+ "default": false,
687
+ "type": "boolean"
688
+ },
689
+ "accessToken": {
690
+ "type": "string"
691
+ },
692
+ "transaction": {},
693
+ "traceId": {
694
+ "type": "string"
695
+ }
696
+ },
697
+ "required": [
698
+ "roles",
699
+ "permissions",
700
+ "isSystem"
701
+ ],
702
+ "additionalProperties": false
703
+ },
452
704
  "filter": {
453
705
  "anyOf": [
454
706
  {
@@ -488,6 +740,48 @@
488
740
  "query": {
489
741
  "type": "object",
490
742
  "properties": {
743
+ "context": {
744
+ "type": "object",
745
+ "properties": {
746
+ "userId": {
747
+ "type": "string"
748
+ },
749
+ "tenantId": {
750
+ "type": "string"
751
+ },
752
+ "roles": {
753
+ "default": [],
754
+ "type": "array",
755
+ "items": {
756
+ "type": "string"
757
+ }
758
+ },
759
+ "permissions": {
760
+ "default": [],
761
+ "type": "array",
762
+ "items": {
763
+ "type": "string"
764
+ }
765
+ },
766
+ "isSystem": {
767
+ "default": false,
768
+ "type": "boolean"
769
+ },
770
+ "accessToken": {
771
+ "type": "string"
772
+ },
773
+ "transaction": {},
774
+ "traceId": {
775
+ "type": "string"
776
+ }
777
+ },
778
+ "required": [
779
+ "roles",
780
+ "permissions",
781
+ "isSystem"
782
+ ],
783
+ "additionalProperties": false
784
+ },
491
785
  "filter": {
492
786
  "anyOf": [
493
787
  {
@@ -2,6 +2,48 @@
2
2
  "$schema": "https://json-schema.org/draft/2020-12/schema",
3
3
  "type": "object",
4
4
  "properties": {
5
+ "context": {
6
+ "type": "object",
7
+ "properties": {
8
+ "userId": {
9
+ "type": "string"
10
+ },
11
+ "tenantId": {
12
+ "type": "string"
13
+ },
14
+ "roles": {
15
+ "default": [],
16
+ "type": "array",
17
+ "items": {
18
+ "type": "string"
19
+ }
20
+ },
21
+ "permissions": {
22
+ "default": [],
23
+ "type": "array",
24
+ "items": {
25
+ "type": "string"
26
+ }
27
+ },
28
+ "isSystem": {
29
+ "default": false,
30
+ "type": "boolean"
31
+ },
32
+ "accessToken": {
33
+ "type": "string"
34
+ },
35
+ "transaction": {},
36
+ "traceId": {
37
+ "type": "string"
38
+ }
39
+ },
40
+ "required": [
41
+ "roles",
42
+ "permissions",
43
+ "isSystem"
44
+ ],
45
+ "additionalProperties": false
46
+ },
5
47
  "filter": {
6
48
  "anyOf": [
7
49
  {