qdadm 0.36.0 → 0.38.0

package/src/debug/components/panels/AuthPanel.vue

@@ -1,8 +1,9 @@
 <script setup>
 /**
  * AuthPanel - Auth collector display with activity indicator
+ * Each event has its own timer and fades out before destruction
  */
-import { onMounted, computed } from 'vue'
+import { onMounted, ref, onUnmounted } from 'vue'
 import ObjectTree from '../ObjectTree.vue'
 
 const props = defineProps({
@@ -10,19 +11,101 @@ const props = defineProps({
   entries: { type: Array, required: true }
 })
 
-// Mark events as seen when panel is viewed (badge resets but events stay visible)
+// Local events with fade state
+const localEvents = ref([])
+const timers = new Map()
+let unsubscribe = null
+
+// Mark events as seen when panel is viewed
 onMounted(() => {
   props.collector.markSeen?.()
+  syncEvents()
+
+  // Subscribe to collector changes
+  if (props.collector.onNotify) {
+    unsubscribe = props.collector.onNotify(syncEvents)
+  }
+})
+
+onUnmounted(() => {
+  // Unsubscribe from collector
+  if (unsubscribe) unsubscribe()
+
+  // Clear all timers
+  for (const timer of timers.values()) {
+    clearTimeout(timer.fade)
+    clearTimeout(timer.destroy)
+  }
+  timers.clear()
 })
 
-// Get all recent events (stacked display)
-const recentEvents = computed(() => props.collector.getRecentEvents?.() || [])
+/**
+ * Sync local events with collector and setup timers
+ */
+function syncEvents() {
+  const collectorEvents = props.collector.getRecentEvents?.() || []
+  const ttl = props.collector._eventTtl || 60000
+  const fadeTime = 3000 // Start fading 3s before destruction
+  const now = Date.now()
+
+  // Add new events
+  for (const event of collectorEvents) {
+    if (!localEvents.value.find(e => e.id === event.id)) {
+      const age = now - event.timestamp.getTime()
+      const remaining = ttl - age
+
+      if (remaining > 0) {
+        const localEvent = { ...event, fading: false }
+        localEvents.value.unshift(localEvent)
+
+        // Setup fade timer
+        const fadeDelay = Math.max(0, remaining - fadeTime)
+        const fadeTimer = setTimeout(() => {
+          localEvent.fading = true
+        }, fadeDelay)
+
+        // Setup destroy timer
+        const destroyTimer = setTimeout(() => {
+          removeEvent(event.id)
+        }, remaining)
+
+        timers.set(event.id, { fade: fadeTimer, destroy: destroyTimer })
+      }
+    }
+  }
+
+  // Remove events that no longer exist in collector
+  const collectorIds = new Set(collectorEvents.map(e => e.id))
+  localEvents.value = localEvents.value.filter(e => {
+    if (!collectorIds.has(e.id)) {
+      clearEventTimers(e.id)
+      return false
+    }
+    return true
+  })
+}
+
+function removeEvent(id) {
+  clearEventTimers(id)
+  localEvents.value = localEvents.value.filter(e => e.id !== id)
+}
+
+function clearEventTimers(id) {
+  const timer = timers.get(id)
+  if (timer) {
+    clearTimeout(timer.fade)
+    clearTimeout(timer.destroy)
+    timers.delete(id)
+  }
+}
 
 function getIcon(type) {
   const icons = {
     user: 'pi-user',
+    impersonated: 'pi-user-edit',
     token: 'pi-key',
-    permissions: 'pi-shield',
+    'user-permissions': 'pi-shield',
+    permissions: 'pi-list',
     hierarchy: 'pi-sitemap',
     'role-permissions': 'pi-lock',
     adapter: 'pi-cog'
@@ -39,7 +122,8 @@ function getEventIcon(type) {
     login: 'pi-sign-in',
     logout: 'pi-sign-out',
     impersonate: 'pi-user-edit',
-    'impersonate-stop': 'pi-user'
+    'impersonate-stop': 'pi-user',
+    'login-error': 'pi-times-circle'
   }
   return icons[type] || 'pi-info-circle'
 }
@@ -53,8 +137,6 @@ function getEventLabel(event) {
     }
   }
   if (event.type === 'impersonate' && event.data) {
-    // Payload structure: { target: { username }, original: { username } }
-    // Or signal object: { data: { target: { username } } }
     const data = event.data.data || event.data
     const username = data.target?.username
       || data.username
@@ -70,11 +152,20 @@ function getEventLabel(event) {
       return `Back to ${username}`
     }
   }
+  if (event.type === 'login-error' && event.data) {
+    const username = event.data.username
+    const error = event.data.error || 'Invalid credentials'
+    if (username) {
+      return `Login failed: ${username} - ${error}`
+    }
+    return `Login failed: ${error}`
+  }
   const labels = {
     login: 'User logged in',
     logout: 'User logged out',
     impersonate: 'Impersonating user',
-    'impersonate-stop': 'Stopped impersonation'
+    'impersonate-stop': 'Stopped impersonation',
+    'login-error': 'Login failed'
   }
   return labels[event.type] || event.type
 }
@@ -83,8 +174,13 @@ function getEventLabel(event) {
 <template>
   <div class="auth-panel">
     <!-- Invariant entries (user, token, permissions, adapter) -->
-    <div v-for="(entry, idx) in entries" :key="idx" class="auth-item">
-      <div class="auth-header">
+    <div
+      v-for="(entry, idx) in entries"
+      :key="idx"
+      class="auth-item"
+      :class="{ 'auth-item--impersonated': entry.type === 'impersonated' }"
+    >
+      <div class="auth-header" :class="{ 'auth-header--impersonated': entry.type === 'impersonated' }">
         <i :class="['pi', getIcon(entry.type)]" />
         <span class="auth-label">{{ entry.label || entry.type }}</span>
       </div>
@@ -92,17 +188,19 @@ function getEventLabel(event) {
       <ObjectTree v-else-if="entry.data" :data="entry.data" :maxDepth="4" />
     </div>
 
-    <!-- Recent auth events (stacked below, newest first) -->
-    <div
-      v-for="event in recentEvents"
-      :key="event.id"
-      class="auth-activity"
-      :class="event.type"
-    >
-      <i :class="['pi', getEventIcon(event.type)]" />
-      <span>{{ getEventLabel(event) }}</span>
-      <span class="auth-time">{{ formatTime(event.timestamp) }}</span>
-    </div>
+    <!-- Recent auth events with individual timers -->
+    <TransitionGroup name="event">
+      <div
+        v-for="event in localEvents"
+        :key="event.id"
+        class="auth-activity"
+        :class="[event.type, { fading: event.fading }]"
+      >
+        <i :class="['pi', getEventIcon(event.type)]" />
+        <span>{{ getEventLabel(event) }}</span>
+        <span class="auth-time">{{ formatTime(event.timestamp) }}</span>
+      </div>
+    </TransitionGroup>
   </div>
 </template>
 
@@ -113,6 +211,7 @@ function getEventLabel(event) {
   flex-direction: column;
   gap: 8px;
 }
+
 /* Activity indicator */
 .auth-activity {
   display: flex;
@@ -122,8 +221,29 @@ function getEventLabel(event) {
   border-radius: 4px;
   font-size: 12px;
   font-weight: 600;
-  animation: pulse 2s ease-in-out infinite;
+  transition: opacity 3s ease-out, transform 0.3s ease-out;
+}
+
+.auth-activity.fading {
+  opacity: 0;
+}
+
+/* TransitionGroup animations */
+.event-enter-active {
+  transition: all 0.3s ease-out;
+}
+.event-leave-active {
+  transition: all 0.5s ease-in;
+}
+.event-enter-from {
+  opacity: 0;
+  transform: translateY(-10px);
 }
+.event-leave-to {
+  opacity: 0;
+  transform: translateY(30px);
+}
+
 .auth-activity.login {
   background: linear-gradient(90deg, rgba(34, 197, 94, 0.2) 0%, rgba(34, 197, 94, 0.05) 100%);
   border-left: 3px solid #22c55e;
@@ -144,21 +264,28 @@ function getEventLabel(event) {
   border-left: 3px solid #a1a1aa;
   color: #a1a1aa;
 }
+.auth-activity.login-error {
+  background: linear-gradient(90deg, rgba(239, 68, 68, 0.2) 0%, rgba(239, 68, 68, 0.05) 100%);
+  border-left: 3px solid #ef4444;
+  color: #ef4444;
+}
+
 .auth-time {
   margin-left: auto;
   font-size: 10px;
   opacity: 0.6;
   font-weight: 400;
 }
-@keyframes pulse {
-  0%, 100% { opacity: 1; }
-  50% { opacity: 0.7; }
-}
+
 .auth-item {
   background: #27272a;
   border-radius: 4px;
   padding: 8px;
 }
+.auth-item--impersonated {
+  background: linear-gradient(90deg, rgba(249, 115, 22, 0.15) 0%, rgba(249, 115, 22, 0.05) 100%);
+  border-left: 3px solid #f97316;
+}
 .auth-header {
   display: flex;
   align-items: center;
@@ -166,6 +293,9 @@ function getEventLabel(event) {
   margin-bottom: 6px;
   color: #10b981;
 }
+.auth-header--impersonated {
+  color: #f97316;
+}
 .auth-label {
   font-weight: 600;
 }

package/src/debug/components/panels/EntitiesPanel.vue

@@ -110,7 +110,7 @@ function getCapabilityLabel(cap) {
     <div v-if="entries[0]?.type === 'status'" class="entities-status">
       {{ entries[0].message }}
     </div>
-    <div v-else v-for="entity in entries" :key="entity.name" class="entity-item" :class="{ 'entity-active': entity.hasActivity }">
+    <div v-else v-for="entity in entries" :key="entity.name" class="entity-item" :class="{ 'entity-active': entity.hasActivity, 'entity-system': entity.system }">
       <div class="entity-header" @click="toggleExpand(entity.name)">
         <button class="entity-expand">
           <i :class="['pi', isExpanded(entity.name) ? 'pi-chevron-down' : 'pi-chevron-right']" />
@@ -353,6 +353,22 @@ function getCapabilityLabel(cap) {
   border-left-color: #f59e0b;
   background: linear-gradient(90deg, rgba(245, 158, 11, 0.1) 0%, #27272a 30%);
 }
+.entity-system {
+  border-left-color: #ef4444;
+  background: linear-gradient(90deg, rgba(239, 68, 68, 0.1) 0%, #27272a 30%);
+}
+.entity-system .entity-header {
+  color: #ef4444;
+}
+.entity-system .entity-header:hover {
+  color: #f87171;
+}
+.entity-system .entity-name::after {
+  content: ' (system)';
+  font-size: 9px;
+  color: #f87171;
+  font-weight: normal;
+}
 .entity-header {
   display: flex;
   align-items: center;

package/src/entity/EntityManager.js

@@ -60,8 +60,11 @@ export class EntityManager {
       readOnly = false,             // If true, canCreate/canUpdate/canDelete return false
       warmup = true,                // If true, cache is preloaded at boot via DeferredRegistry
       authSensitive,                // If true, auto-invalidate datalayer on auth events (auto-inferred from storage.requiresAuth if not set)
+      system = false,               // If true, marks entity as system-provided (roles, users)
       // Scope control
       scopeWhitelist = null,        // Array of scopes/modules that can bypass restrictions
+      // Ownership (for record-level access control)
+      isOwn = null,                 // (record, user) => boolean - check if user owns the record
       // Relations
       children = {},      // { roles: { entity: 'roles', endpoint?: ':id/roles' } }
       parent = null,      // { entity: 'users', foreignKey: 'user_id' }
@@ -88,10 +91,14 @@ export class EntityManager {
     this._warmup = warmup
     // Auto-infer authSensitive from storage.requiresAuth if not explicitly set
     this._authSensitive = authSensitive ?? this._getStorageRequiresAuth()
+    this._system = system
 
     // Scope control
     this._scopeWhitelist = scopeWhitelist
 
+    // Ownership
+    this._isOwn = isOwn
+
     // Relations
     this._children = children
     this._parent = parent
@@ -368,48 +375,54 @@ export class EntityManager {
   }
 
   /**
-   * Build permission string for an action based on entity_permissions config
+   * Build permission string for an entity action
+   *
+   * Format: entity:{name}:{action}
+   * Examples: entity:books:read, entity:users:create
    *
-   * The permission format depends on the security config:
-   * - entity_permissions: false → 'entity:read'
-   * - entity_permissions: true → 'books:read'
-   * - entity_permissions: ['books'] → 'books:read' for books, 'entity:read' for others
+   * Role permissions can use wildcards to match:
+   * - entity:*:read → read any entity
+   * - entity:books:* → any action on books
+   * - entity:** → all entity permissions
    *
    * @param {string} action - Action name (read, create, update, delete, list)
    * @returns {string} - Permission string
    * @private
    */
   _getPermissionString(action) {
-    const checker = this.authAdapter._securityChecker
-    if (!checker) return `entity:${action}`
-
-    const config = checker.entityPermissions
-    if (config === false) return `entity:${action}`
-    if (config === true) return `${this.name}:${action}`
-    if (Array.isArray(config) && config.includes(this.name)) {
-      return `${this.name}:${action}`
-    }
-    return `entity:${action}`
+    return `entity:${this.name}:${action}`
   }
 
   /**
-   * Check permission using isGranted() if security is configured
+   * Get the current authenticated user
    *
-   * Falls back to traditional canPerform()/canAccessRecord() if no SecurityChecker.
-   * This method respects the entity_permissions config for granular permissions.
+   * Tries authAdapter.getCurrentUser() first, then falls back to kernel's authAdapter.
    *
-   * @param {string} action - Action to check (read, create, update, delete, list)
-   * @param {object} [subject] - Optional subject for context-aware checks
-   * @returns {boolean}
+   * @returns {object|null} Current user or null
+   * @private
    */
-  checkPermission(action, subject = null) {
-    // If isGranted is available, use it
-    if (this.authAdapter.isGranted && this.authAdapter._securityChecker) {
-      const perm = this._getPermissionString(action)
-      return this.authAdapter.isGranted(perm, subject)
+  _getCurrentUser() {
+    // Try authAdapter.getCurrentUser() first (EntityAuthAdapter subclass)
+    if (typeof this.authAdapter?.getCurrentUser === 'function') {
+      try {
+        return this.authAdapter.getCurrentUser()
+      } catch {
+        // Fallback if not implemented
+      }
     }
-    // Fallback to traditional method
-    return this.canAccess(action, subject)
+    // Fallback to kernel's authAdapter
+    return this._orchestrator?.kernel?.options?.authAdapter?.getUser?.() ?? null
+  }
+
+  /**
+   * Check if SecurityChecker is configured via authAdapter
+   * Only returns true when adapter has _securityChecker set,
+   * allowing legacy canPerform() adapters to work correctly.
+   * @returns {boolean}
+   * @private
+   */
+  _hasSecurityChecker() {
+    return this.authAdapter?._securityChecker != null
   }
 
   /**
@@ -424,9 +437,22 @@ export class EntityManager {
    * Check if the current user can perform an action, optionally on a specific record
    *
    * This is the primary permission check method. It combines:
-   * 1. Local restrictions (readOnly, scopeWhitelist)
-   * 2. Scope check via AuthAdapter.canPerform() - can user do this action type?
-   * 3. Silo check via AuthAdapter.canAccessRecord() - can user access this record?
+   * 1. Local restrictions (readOnly)
+   * 2. Ownership check via isOwn callback (if configured)
+   * 3. Permission check via isGranted() (if SecurityChecker configured)
+   *    OR legacy canPerform()/canAccessRecord() fallback
+   *
+   * Permission format: entity:{name}:{action}
+   * Wildcard examples:
+   * - entity:*:read → can read any entity
+   * - entity:books:* → any action on books
+   * - entity:** → all entity permissions
+   *
+   * Ownership pattern:
+   * - Configure isOwn callback: (record, user) => boolean
+   * - When user owns a record, check entity-own:{entity}:{action} permission
+   * - Example: entity-own:loans:update allows owner to update their loans
+   * - Use entity-own:{entity}:** to allow all actions on owned records
    *
    * @param {string} action - Action to check: 'read', 'create', 'update', 'delete', 'list'
    * @param {object} [record] - Optional: specific record to check (for silo validation)
@@ -442,6 +468,16 @@ export class EntityManager {
    * manager.canAccess('read', item)   // Can user see this specific item?
    * manager.canAccess('update', item) // Can user edit this specific item?
    * manager.canAccess('delete', item) // Can user delete this specific item?
+   *
+   * @example
+   * // Ownership pattern with permissions
+   * const loansManager = new EntityManager({
+   *   name: 'loans',
+   *   isOwn: (record, user) => record.user_id === user?.id,
+   *   storage: loansStorage
+   * })
+   * // Role config: { permissions: ['entity-own:loans:**'] }
+   * loansManager.canAccess('update', myLoan)  // true if I own the loan
    */
   canAccess(action, record = null) {
     // 1. Check readOnly restriction for write actions
@@ -449,13 +485,31 @@ export class EntityManager {
       return false
     }
 
-    // 2. Scope check: can user perform this action on this entity type?
+    // 2. Ownership check: if user owns the record, check entity-own permission
+    if (record && this._isOwn && this._hasSecurityChecker()) {
+      const user = this._getCurrentUser()
+      if (user && this._isOwn(record, user)) {
+        // Owner - check entity-own:{entity}:{action} permission
+        const ownPerm = `entity-own:${this.name}:${action}`
+        if (this.authAdapter.isGranted(ownPerm, record)) {
+          return true
+        }
+      }
+    }
+
+    // 3. Use isGranted() with entity:name:action format when available
+    if (this._hasSecurityChecker()) {
+      const perm = this._getPermissionString(action)
+      return this.authAdapter.isGranted(perm, record)
+    }
+
+    // 4. Legacy fallback: canPerform() + canAccessRecord()
     const canPerformAction = this.authAdapter.canPerform(this.name, action)
     if (!canPerformAction) {
       return false
     }
 
-    // 3. Silo check: if record provided, can user access this specific record?
+    // 5. Silo check: if record provided, can user access this specific record?
     if (record !== null) {
       return this.authAdapter.canAccessRecord(this.name, record)
     }
@@ -485,6 +539,14 @@ export class EntityManager {
     return this._readOnly
   }
 
+  /**
+   * Check if entity is system-provided (roles, users)
+   * @returns {boolean}
+   */
+  get system() {
+    return this._system
+  }
+
   /**
    * Check if user can create new entities
    * Delegates to canAccess('create')
@@ -643,6 +705,91 @@ export class EntityManager {
       .map(([name, config]) => ({ name, ...config }))
   }
 
+  // ============ REFERENCE OPTIONS ============
+
+  /**
+   * Resolve reference options for a field
+   *
+   * If the field has a `reference` property, fetches data from the referenced
+   * entity and returns options array for select/dropdown.
+   *
+   * @param {string} fieldName - Field name
+   * @returns {Promise<Array<{label: string, value: any}>>} - Options array
+   *
+   * @example
+   * // Field config: { type: 'select', reference: { entity: 'roles', labelField: 'label' } }
+   * const options = await manager.resolveReferenceOptions('role')
+   * // Returns: [{ label: 'Admin', value: 'ROLE_ADMIN' }, { label: 'User', value: 'ROLE_USER' }]
+   */
+  async resolveReferenceOptions(fieldName) {
+    const fieldConfig = this._fields[fieldName]
+    if (!fieldConfig) {
+      console.warn(`[EntityManager:${this.name}] Unknown field '${fieldName}'`)
+      return []
+    }
+
+    // If field has static options, return them
+    if (fieldConfig.options && !fieldConfig.reference) {
+      return fieldConfig.options
+    }
+
+    // If no reference, return empty
+    if (!fieldConfig.reference) {
+      return []
+    }
+
+    // Need orchestrator to access other managers
+    if (!this._orchestrator) {
+      console.warn(`[EntityManager:${this.name}] No orchestrator, cannot resolve reference for '${fieldName}'`)
+      return fieldConfig.options || []
+    }
+
+    const { entity, labelField, valueField } = fieldConfig.reference
+    const refManager = this._orchestrator.get(entity)
+
+    if (!refManager) {
+      console.warn(`[EntityManager:${this.name}] Referenced entity '${entity}' not found`)
+      return fieldConfig.options || []
+    }
+
+    try {
+      // Fetch all items from referenced entity
+      const { items } = await refManager.list({ limit: 1000 })
+
+      // Build options array
+      const refLabelField = labelField || refManager.labelField || 'label'
+      const refValueField = valueField || refManager.idField || 'id'
+
+      return items.map(item => ({
+        label: item[refLabelField] ?? item[refValueField],
+        value: item[refValueField]
+      }))
+    } catch (error) {
+      console.error(`[EntityManager:${this.name}] Failed to resolve reference for '${fieldName}':`, error)
+      return fieldConfig.options || []
+    }
+  }
+
+  /**
+   * Resolve all reference options for form fields
+   *
+   * Returns a map of fieldName -> options for all fields with references.
+   *
+   * @returns {Promise<Map<string, Array<{label: string, value: any}>>>}
+   */
+  async resolveAllReferenceOptions() {
+    const optionsMap = new Map()
+
+    for (const [fieldName, fieldConfig] of Object.entries(this._fields)) {
+      if (fieldConfig.reference) {
+        const options = await this.resolveReferenceOptions(fieldName)
+        optionsMap.set(fieldName, options)
+      }
+    }
+
+    return optionsMap
+  }
+
   // ============ SEVERITY MAPS ============
 
   /**
@@ -1263,7 +1410,9 @@ export class EntityManager {
    */
   get isCacheEnabled() {
     if (this.effectiveThreshold <= 0) return false
-    if (this.storage?.supportsCaching === false) return false
+    // Check capabilities (instance getter or static)
+    const caps = this.storage?.capabilities || this.storage?.constructor?.capabilities
+    if (caps?.supportsCaching === false) return false
     if (!this.storageSupportsTotal) return false
     return true
   }