diff --git a/.changeset/adr-0057-lifecycle-followups.md b/.changeset/adr-0057-lifecycle-followups.md deleted file mode 100644 index 58ebc77fd..000000000 --- a/.changeset/adr-0057-lifecycle-followups.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -'@objectstack/spec': minor -'@objectstack/cli': minor -'@objectstack/service-job': minor -'@objectstack/service-messaging': minor -'@objectstack/service-automation': patch -'@objectstack/platform-objects': patch ---- - -ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. - -- **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). -- **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. -- **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. -- **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. diff --git a/.changeset/agent-permission-doc-accuracy.md b/.changeset/agent-permission-doc-accuracy.md deleted file mode 100644 index 32a10192c..000000000 --- a/.changeset/agent-permission-doc-accuracy.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@objectstack/mcp': patch ---- - -Docs accuracy: correct how the MCP SKILL.md describes an agent's authority to match the shipped ADR-0090 D10 model. An OAuth-connected client is an **agent acting on behalf of** the signing-in user — every call is bounded by the **intersection** of the consent scopes and that user's own permissions/RLS (a `data:read` token can never write, even where the user could), not simply "runs as you". (Companion doc-only edits to `content/docs/ai/agents.mdx` and `docs/design/permission-model.md` correct the same framing and honestly mark the still-planned agent guardrails — the grant-ceiling lint, destructive-action co-sign, and double-signature audit provenance.) diff --git a/.changeset/analytics-query-rls-context.md b/.changeset/analytics-query-rls-context.md deleted file mode 100644 index 6a5c69ddf..000000000 --- a/.changeset/analytics-query-rls-context.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -'@objectstack/runtime': patch ---- - -**Security fix (#2852): `/analytics/query` and `/analytics/sql` now run scoped to the caller.** - -`handleAnalytics` dropped the request's execution context — `analyticsService.query(body)` was called with no context, so the analytics service's per-object read-scope provider (`getReadScope` → security `getReadFilter`) received `undefined` and applied **no tenant/RLS filter**. An authenticated caller could query analytics datasets and receive rows their row-level security would otherwise hide. - -Fix: thread `context.executionContext` into `analyticsService.query(…)` and `generateSql(…)` (both already accept it), so each object in the query is scoped by its per-object read filter. - -Note: the analytics read-scope provider (`getReadFilter`) does not yet apply the ADR-0090 D10 agent delegator intersection — latent today because analytics is not reachable over the OAuth `/mcp` surface; tracked in #2852 for when it is. diff --git a/.changeset/console-5da9905b30fc.md b/.changeset/console-5da9905b30fc.md deleted file mode 100644 index d1da7b261..000000000 --- a/.changeset/console-5da9905b30fc.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"@objectstack/console": patch ---- - -Console (objectui) refreshed to `5da9905b30fc`. Frontend changes in this range: - -- fix(plugin-form): honor userActions.edit on managed objects, don't blanket-disable fields (ADR-0092 D4) (#2395) - -objectui range: `6fa8e6aeb67c...5da9905b30fc` diff --git a/.changeset/console-http-server-async.md b/.changeset/console-http-server-async.md deleted file mode 100644 index d8d560a36..000000000 --- a/.changeset/console-http-server-async.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -'@objectstack/cli': patch ---- - -fix(cli): resolve `http.server` asynchronously in the console / runtime-assets static plugins - -`createConsoleStaticPlugin` and `createRuntimeAssetsPlugin` fetched the -`http.server` service with the **synchronous** `ctx.getService('http.server')`. -When `http.server` is registered as an async factory (the console / -schema-migration boot path), that accessor throws -`Service 'http.server' is async - use await`; because the call sat outside -any try/catch, the throw escaped the plugin's `start()` and rolled back -kernel bootstrap — crashing the CONSOLE/migration boot -(`Plugin startup failed: com.objectstack.runtime-assets`). The runtime -`serve` path, where `http.server` is registered synchronously, was -unaffected, which is why only the control-plane migration boot broke. - -Resolve both plugins' `http.server` through a shared `resolveHttpServer` -helper that prefers the async accessor (`getServiceAsync`, which resolves a -sync- or async-registered service) and falls back to the sync one, mirroring -plugin-auth's async `cache` lookup. The helper never throws, so these -optional static-asset plugins skip cleanly when no HTTP server is present -instead of taking down boot. diff --git a/.changeset/d10-agent-action-caps.md b/.changeset/d10-agent-action-caps.md deleted file mode 100644 index 11fd2c575..000000000 --- a/.changeset/d10-agent-action-caps.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -'@objectstack/runtime': minor ---- - -ADR-0090 D10 (follow-up) — an MCP agent may now invoke the business **actions** its delegating user can run, gated by the `actions:execute` scope. Previously an agent principal carried no system capabilities, so any capability-gated action (`requiredPermissions`) was denied even when the user was entitled to it. - -`resolve-execution-context` now keeps the delegating user's `systemPermissions` on the agent context **only when the token carries `actions:execute`** (otherwise none — and the MCP tool surface already hides the action tools). The `actions:execute` scope is the user's explicit consent to let the agent act on their behalf, so the capability gate (`actionPermissionError`) is delegated accordingly. - -This never widens the agent's **data** reach: what an action reads or writes still flows through the object CRUD/FLS/RLS ceiling ∩ user intersection. A `data:read` agent that invokes a writing action is still blocked at the write; even a `data:write` agent cannot touch better-auth-managed tables; and capability-gated **object** access stays denied to the agent (that gate is driven by the resolved ceiling sets, which carry no capabilities). The residual is a capability-gated action whose effect is purely external (email, webhook) — exactly what `actions:execute` consents to. Tighter per-action agent scoping is the per-client-grants follow-up. diff --git a/.changeset/d10-agent-intersection.md b/.changeset/d10-agent-intersection.md deleted file mode 100644 index 7823d63ba..000000000 --- a/.changeset/d10-agent-intersection.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -'@objectstack/plugin-security': minor -'@objectstack/plugin-sharing': minor ---- - -ADR-0090 D10 — agent/service intersection runtime. When a request's principal acts `onBehalfOf` a user (an AI agent or a service acting for a person), the effective permission is now the INTERSECTION of the principal's own grants and the delegator's grants — never the union. Confused-deputy prevention: an over-privileged agent may never see or touch anything the user it stands in for could not, and vice-versa. Previously `principalKind:'agent'` / `onBehalfOf` was a P1 context shape the evaluator did not read. - -The intersection is applied at EVERY axis, gated on the presence of the delegation link so the ordinary (non-delegated) path is byte-identical: - -- **plugin-security** middleware — the delegator's effective permission sets are reconstructed once (fail-CLOSED if the delegator no longer exists — a dangling link is denied, not resolved to the additive baseline) and AND-composed into: the required-capability gate, object CRUD, field-level security (read mask + write forbid + predicate-oracle guard), the row-level `using` pre-image on by-id writes, the `check` post-image, and the RLS read-filter injection. View/Modify-All only survives when BOTH principals hold it. -- **plugin-sharing** middleware — the OWD/record-sharing owner-match is IDENTITY-scoped, so it re-runs the visibility filter (and `canEdit`) under the delegator's own identity + depth and AND-s it in. An agent with View-All acting on behalf of a plain member therefore sees exactly that member's own rows — not everyone's, and not nothing. -- **explain engine** — every layer reports the narrower verdict when `onBehalfOf` is set, so the D6 access explanation stays truthful for delegated principals; a dangling delegator is reported as a fail-closed deny. - -First-cut scope (documented in code + covered by tests): one delegation hop (the `onBehalfOf` shape carries a single delegator, and any single-hop intersection is a safe lower bound on a true multi-hop chain); tenant-scoped substitution bags (`tenantId`, `org_user_ids`, `email`) are inherited from the live principal, while person-specific membership bags left unresolved narrow rather than widen. The agent grant-ceiling lint (D10 rule 2) is a follow-up — the runtime intersection already caps the agent regardless of what its own sets carry, and a lint needs an agent-set designation convention that does not yet exist. diff --git a/.changeset/d10-producer-agent-principal.md b/.changeset/d10-producer-agent-principal.md deleted file mode 100644 index c311cd195..000000000 --- a/.changeset/d10-producer-agent-principal.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -'@objectstack/spec': minor -'@objectstack/plugin-security': minor -'@objectstack/runtime': minor ---- - -ADR-0090 D10 — activate the agent principal (OAuth → `principalKind:'agent'` + scope-derived ceiling). This wires the *producer* side of the D10 intersection that shipped in #2838, so it stops being dormant: an MCP request authenticated with an OAuth access token is now resolved as an AI **agent acting on behalf of** the human `sub`, and its effective permission is the intersection of a scope-derived capability ceiling AND the user's own grants. - -- **`resolve-execution-context` (producer)**: when a verified MCP OAuth token names an authorized client (`azp`), the request resolves to `principalKind:'agent'` with `onBehalfOf:{ userId }` (the human), and the agent's OWN grants are replaced by the scope-derived ceiling — `data:read` → read-only, `data:write` → full CRUD, neither → no data access. `userId` stays the human so owner-stamping and `current_user.*` RLS resolve to them; the user-derived `systemPermissions` are cleared so a cap-gated action can't ride the user's capabilities. A token without a client stays a `human` principal. -- **`plugin-security`**: three built-in ceiling sets (`mcp_agent_data_read` / `mcp_agent_data_write` / `mcp_agent_restricted`) — pure CRUD bits, no row-level security (all row/owner/tenant narrowing comes from the delegating user on the other side of the intersection). An `agent` principal skips the additive human baseline (`member_default`) — its grants are exactly its ceiling — and its fallback is the restricted (no-object-access) set, so a mis-resolved agent fails CLOSED, never open. -- **`spec`**: `MCP_AGENT_PERMISSION_SET_*` names + `scopesToAgentPermissionSets()`, single-sourced next to the OAuth scope constants. - -**Behaviour change (a security tightening).** Previously an MCP OAuth request executed with the FULL authority of the logged-in user, and scopes narrowed only the tool surface. Now the scope is also a real data-layer ceiling: a `data:read` token can never write ANY record, even via a crafted call, no matter what the user could do. This is strictly consistent with the existing contract that "a scope can never grant more than the user could do" — the intersection only ever narrows — and closes the gap where a compromised or confused agent could act with the user's full reach. - -Verified end-to-end: a `data:read` agent acting for a member who owns a record can read it but cannot edit or create; a `data:write` agent for the same user can. Producer mapping unit-tested in `@objectstack/runtime`; enforcement dogfooded against the served engine (`showcase-agent-scope-ceiling`). diff --git a/.changeset/explain-contract-shape-lock.md b/.changeset/explain-contract-shape-lock.md deleted file mode 100644 index dee821c04..000000000 --- a/.changeset/explain-contract-shape-lock.md +++ /dev/null @@ -1,12 +0,0 @@ ---- ---- - -test(spec): field-level contract lock for the public explain / access-matrix schemas. - -`api-surface.json` already guards the export NAMES; `explain.test.ts` now guards -the FIELD SHAPE (layer/verdict/operation enums, contributor kind + ADR-0091 D2 -lifecycle `state`, the ExplainDecision principal shape, and AccessMatrixEntry's -required crud/bypass bits + scopes). This makes explain a stable contract the -ADR-0091 L3 enterprise consumer (cloud recert UX / evidence export / break-glass -attribution) can depend on without drift fear. Test-only — no runtime change, -no release. diff --git a/.changeset/identity-write-guard.md b/.changeset/identity-write-guard.md deleted file mode 100644 index c3c2cdedb..000000000 --- a/.changeset/identity-write-guard.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -"@objectstack/plugin-auth": minor ---- - -feat(auth): identity write guard — `managedBy: 'better-auth'` is now enforced at the engine (ADR-0092 D2/D3/D6) - -Every object whose schema declares `managedBy: 'better-auth'` (`sys_user`, -`sys_member`, `sys_session`, `sys_api_key`, …) is now protected by engine -`beforeInsert` / `beforeUpdate` / `beforeDelete` hooks registered by -plugin-auth: **user-context** writes through the generic data path are -rejected fail-closed with `403 PERMISSION_DENIED`, closing the hole where a -wildcard admin permission set could raw-write any identity column (including -`email` and credential stamps) via the data API. Internal writes are -unaffected — the better-auth adapter, `isSystem` plugin/system contexts, and -the identity import keep working unchanged. - -The only opening is a per-object update whitelist -(`registerManagedUpdateWhitelist(object, fields)`): non-whitelisted fields are -stripped from the payload, and a payload that strips to nothing throws. The -first registration ships here: `sys_user → { name, image }` (pure profile -fields), backed by the new shared `SYS_USER_PROFILE_EDIT_FIELDS` / -`SYS_USER_IMPORT_UPDATE_FIELDS` constants — the import upsert's field -discipline is now derived from the same module (subset-by-construction, no -drift). - -After a guarded profile edit, an `afterUpdate` companion hook re-writes the -user's cached `{session, user}` snapshots in better-auth's secondary storage -(same TTL, mirror of better-auth's own `refreshUserSessions`) so session -reads stay coherent; it rewrites rather than deletes, and no-ops when no -secondary storage is wired. - -Migration note: server-side scripts that previously updated identity tables -with a **user** execution context must either run with a system context -(`{ isSystem: true }`) if they are genuinely internal, or move to the -dedicated auth endpoints (invite / create-user / set-user-password / ban / -better-auth APIs). Flows and automations that wrote non-profile `sys_user` -columns under a user identity are now filtered the same way. diff --git a/.changeset/import-dryrun-required-validation.md b/.changeset/import-dryrun-required-validation.md deleted file mode 100644 index 44bf66129..000000000 --- a/.changeset/import-dryrun-required-validation.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -'@objectstack/rest': patch ---- - -fix(rest): validate required fields in import dry-run to match the real insert - -The bulk-import dry run (`POST /data/:object/import`, `dryRun:true`) only ran cell -coercion and reported every coercible CREATE row as ok — so a row missing a required -NOT-NULL field with no default was green-lit, then died on the real insert with -`NOT NULL constraint failed`. The ImportWizard shows the dry-run result, so it -promised imports that then failed. - -Add a required-field pre-check to the shared import runner (CREATE rows only), -mirroring the engine's insert-time validation (`objectql/record-validator.ts` + -`applyFieldDefaults`): a required field is unsatisfied only when it has no value AND -no default; `system`/`readonly`/`autonumber` and the engine-owned lifecycle columns -are exempt. `ExportFieldMeta` gains `required`/`system`/`readonly`/`hasDefault` -(populated by `buildFieldMetaMap`). Applied to both dry-run and real paths so they -stay identical and a real insert returns a readable ` is required` instead of -a raw driver error; skipped when `runAutomations` is set (a beforeInsert hook may -populate the field). diff --git a/.changeset/import-users-none-policy.md b/.changeset/import-users-none-policy.md deleted file mode 100644 index ceafb3601..000000000 --- a/.changeset/import-users-none-policy.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -"@objectstack/plugin-auth": minor ---- - -feat(auth): `passwordPolicy: 'none'` is the identity import's new default — import provisions identity, not credentials - -`POST /api/v1/auth/admin/import-users` now supports (and defaults to) -`passwordPolicy: 'none'`: accounts are created without a credential record -(better-auth's optional-password create), so no password material is -generated, returned, or distributed at all. Users first sign in through a -channel — phone OTP, magic link, or a password-reset link — and the Console's -existing credential-less detection (`hasLocalPassword()` → set-initial-password) -nudges them to set a password afterwards. - -The `invite` policy also no longer mints a throwaway password: it creates the -same credential-less account and sends the set-your-password invitation -(better-auth's reset flow creates the credential record on first set). -`temporary` is unchanged and remains the fallback for deployments without -email/SMS infrastructure. - -Breaking-ish note: `passwordPolicy` was previously required — requests that -omitted it got a 400. They now succeed with the `none` behavior. diff --git a/.changeset/invitation-accept-url-console-base.md b/.changeset/invitation-accept-url-console-base.md deleted file mode 100644 index 4e6c71027..000000000 --- a/.changeset/invitation-accept-url-console-base.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -"@objectstack/plugin-auth": patch ---- - -fix(auth): invitation accept link is now an absolute URL under the Console base - -`sendInvitationEmail` built the accept URL straight from `config.baseUrl` with -no scheme guarantee and no UI mount prefix — `${baseUrl}/accept-invitation/`. -Two problems surfaced in real deployments: - -1. When `baseUrl` was a bare host (e.g. `cloud.objectos.ai`, no scheme), the - emailed link was relative-looking; email clients would not linkify it and - clicking it went nowhere. -2. The accept-invitation page is a Console SPA route mounted under `uiBasePath` - (default `/_console`) — the same router/basename as `/login`, `/register` - and `/oauth/consent`, and the exact link the Console itself generates for its - "copy invitation link" action (`${origin}${BASE_URL}accept-invitation/`). - The root-path link omitted that prefix, so it 404'd at the host root instead - of resolving to the page. - -The link is now built as -`${origin}${uiBasePath}/accept-invitation/` via a hardened -`getCanonicalOrigin()` that guarantees an absolute origin (prepends `https://` -when `baseUrl` has no scheme). The scheme hardening also applies to the OAuth -issuer / consent / device-flow URLs that share the helper. Deployments that -mount the Console elsewhere are honoured through the existing `uiBasePath` -config. diff --git a/.changeset/lifecycle-retention-onlywhen.md b/.changeset/lifecycle-retention-onlywhen.md deleted file mode 100644 index 854d44368..000000000 --- a/.changeset/lifecycle-retention-onlywhen.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -'@objectstack/spec': minor -'@objectstack/objectql': minor -'@objectstack/service-automation': minor ---- - -ADR-0057 (#2834): `retention.onlyWhen` status predicate — mixed tables can scope the age reap. - -- **spec**: `lifecycle.retention.onlyWhen` — a row filter (per-field equality or `{ $in: [...] }`) the retention window applies to; rows outside it are retained regardless of age. Rejected when combined with rotation `storage` (shard DROPs ignore filters) or `archive` (the Archiver moves rows by age alone). -- **objectql**: the LifecycleService Reaper merges `onlyWhen` into every retention delete, including tenant-override passes. -- **service-automation**: the run-history age sweep is now declarative — `sys_automation_run` declares `retention: { maxAge: '30d', onlyWhen: { status: { $in: ['completed', 'failed'] } } }` and the platform Reaper owns it; suspended (`paused`) runs never match. The plugin's own sweep loop is retired: `ObjectStoreSuspendedRunStore.pruneHistory`, the `DEFAULT_RUN_HISTORY_RETENTION_DAYS` export, and the `runHistoryRetentionDays` / `runHistorySweepMs` plugin options are removed (launch-window breaking-as-minor). The write-time per-flow overflow cap (`runHistoryMaxPerFlow`) stays. diff --git a/.changeset/me-permissions-wildcard-fold.md b/.changeset/me-permissions-wildcard-fold.md deleted file mode 100644 index 95b532624..000000000 --- a/.changeset/me-permissions-wildcard-fold.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -"@objectstack/plugin-hono-server": patch ---- - -fix(security): `/me/permissions` now reflects permission-set ∩ identity-write-guard, matching real server enforcement (ADR-0057 D10) - -The `/api/v1/auth/me/permissions` per-object map merged each permission set's -explicit `objects` entries most-permissively per key, but treated `'*'` and -named objects as independent keys — so a wildcard "Modify/View All Data" grant -was never propagated into a per-object entry another set explicitly denied. -That made the client's field-level security STRICTER than the server's actual -enforcement (`PermissionEvaluator.checkObjectPermission` allows as soon as any -set grants, including via the `'*'` modifyAll/viewAll super-user bypass, with -no deny-wins). - -The real effective answer for a user-context caller is `permission-set grant ∩ -identity-write-guard policy`, and the payload now computes both: - -1. `foldWildcardSuperUser` lifts each per-object entry's read/write bits when - the merged `'*'` is a super-user grant — fixing the false-NEGATIVE where a - platform admin (`admin_full_access` `'*': {modifyAllRecords}`) who also holds - `organization_admin` (explicit identity denies) resolved to - `sys_user.allowEdit:false` and a disabled edit form, though the server - accepts the write (`PATCH /data/sys_user {name}` → 200). -2. `clampManagedObjectWrites` re-clamps `managedBy: 'better-auth'` objects by - their write affordance — fixing the false-POSITIVE the fold would otherwise - introduce: the identity write guard (ADR-0092 D2) blocks user-context writes - on identity tables except where the object opted in (`userActions.edit`), so - `sys_member` / `sys_account` / `sys_session` stay `allowEdit:false` for the - admin (read stays granted). Only `better-auth` objects are clamped — the - guard covers only them; `system`/`config`/`append-only` objects have no such - guard and their permission-set result stands. - -Net: the Console's per-object FLS now equals real server enforcement — the -ADR-0092 D4 `sys_user` profile-edit affordance is unblocked for platform admins -(the guard still narrows the write to `{name, image}`), and no other identity -table is shown as editable when the guard would reject it. diff --git a/.changeset/phone-sms-i18n.md b/.changeset/phone-sms-i18n.md deleted file mode 100644 index 5613a2d46..000000000 --- a/.changeset/phone-sms-i18n.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -"@objectstack/plugin-auth": minor ---- - -feat(auth/i18n): localised, tenant-customisable phone SMS texts (#2815) - -The OTP and invitation SMS bodies were hard-coded English. They now resolve -in two layers: a `sys_notification_template` row for -`(auth.phone_otp | auth.phone_invite, channel 'sms', locale)` — editable in -Setup, seeded once with built-in en/zh rows, tenant edits never overwritten — -falling back to the bundled bilingual texts. The locale follows the -deployment default (`localization.locale` setting, live-rebound); per-user -locale is deferred until `sys_user` grows a locale column. The OTP wording -is purpose-neutral (one provider template covers sign-in and reset, and the -SMS reveals nothing about what the code unlocks). Template lookups are -best-effort — an outage never blocks an OTP send — and the no-OTP-in-logs -red line is unchanged. diff --git a/.changeset/settings-routes-verified-authz.md b/.changeset/settings-routes-verified-authz.md deleted file mode 100644 index fe214b868..000000000 --- a/.changeset/settings-routes-verified-authz.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -'@objectstack/service-settings': minor -'@objectstack/spec': minor -'@objectstack/plugin-security': patch ---- - -**Security fix (Critical): the settings HTTP routes no longer trust spoofable identity headers, and writes are now capability-gated.** - -Previously `GET/PUT/POST /api/settings/*` derived the caller's identity from `x-user-id` / `x-tenant-id` / `x-permissions` request headers (the route default), and `setMany` performed **no permission check** — so on a standard `os serve --server` deployment (settings + HTTP server composed by default, routes registered on the raw app with no auth middleware) an **unauthenticated** remote client could write tenant- or platform-scoped settings (including the auth security-policy, localization, and company manifests) and enumerate every namespace. - -Fixes: - -- **Verified identity.** `SettingsServicePlugin` now derives the caller's identity and capabilities from the platform's verified resolution (`resolveAuthzContext` — session cookie / API key / OAuth), never from request headers. The route default is now SECURE: it trusts no identity header and yields an anonymous, denied context. -- **Capability gates.** Manifest `readPermission` / `writePermission` are enforced for HTTP callers: reads of a protected namespace, writes, and actions require the declared capability (writes default to at least the read capability, never ungated). Enforced via a new `enforced` flag set only at the HTTP boundary — **in-process/boot callers (`kernel.getService('settings')`, seed) are unchanged** and keep full trusted access. -- Unauthenticated HTTP callers can no longer enumerate protected manifests or write; a `403 SETTINGS_FORBIDDEN` is returned when the capability is missing. - -**`setup.write` capability now real.** Enforcing the manifests' declared `writePermission` surfaced a modeling gap: `setup.write` (the write counterpart to `setup.access`, used by the branding / company / localization / feature-flag manifests) was referenced but never declared or granted — so under enforcement *nobody*, not even an admin, could write those namespaces. It is now a declared platform capability (`PLATFORM_CAPABILITIES`) held by `admin_full_access` and `organization_admin`, alongside `setup.access`. - -**Behaviour change:** a deployment that relied on the old header-trusted default must present a real verified session/API-key/OAuth credential (which the console already does). A custom integration may still inject its own `contextFromRequest`. - -Found by an adversarial security review of the request→ExecutionContext trust boundary. diff --git a/.changeset/share-link-routes-verified-authz.md b/.changeset/share-link-routes-verified-authz.md deleted file mode 100644 index ec4b67075..000000000 --- a/.changeset/share-link-routes-verified-authz.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -'@objectstack/plugin-sharing': minor -'@objectstack/spec': minor ---- - -**Security fix (#2851): the share-link HTTP routes no longer trust spoofable identity headers, and the service enforces ownership.** - -The raw-app share-link routes (`POST/GET/DELETE /api/v1/share-links`, registered by `SharingServicePlugin`) derived the caller from `x-user-id` / `x-tenant-id` request headers, and the service ignored the caller context on revoke. So a client could forge link attribution, enumerate another user's link tokens (`GET ?createdBy=` → tokens that resolve records under a system context, bypassing RLS), and revoke arbitrary users' links. - -Fixes: - -- **Verified identity.** `SharingServicePlugin` now derives the caller (and their positions/permissions) from the platform's verified resolution (`resolveAuthzContext` — session / API key / OAuth), never from headers. The route default is SECURE (anonymous). Create / list / revoke require a signed-in principal (401 otherwise); the public `/:token/resolve` route stays public (the token is the authorization) but keys its `audience: 'signed_in'` check off the verified session rather than a spoofable `x-user-id`. -- **List scoping.** `GET /api/v1/share-links` is forced to the caller's own links — a client can no longer pass `?createdBy=` to enumerate others' tokens. -- **Revoke ownership.** `revokeLink` now requires the caller to be the link's creator (system/internal callers bypass). Previously the caller context was ignored, so anyone could revoke any link (sharing DoS). -- **Create access check.** `createLink` verifies the record is visible to the caller (read under the caller's own RLS) before minting a link — you can only share a record you can actually see. Internal (system) callers are unchanged. - -`ShareLinkExecutionContext` gains optional `positions` / `permissions` so the record-access check evaluates the real principal. - -Found by an adversarial security review of the request→ExecutionContext trust boundary (companion to the settings-routes fix, #2848). diff --git a/.changeset/sso-resultdialog-inner-data-path.md b/.changeset/sso-resultdialog-inner-data-path.md deleted file mode 100644 index d68e03a2b..000000000 --- a/.changeset/sso-resultdialog-inner-data-path.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -'@objectstack/platform-objects': patch ---- - -`sys_sso_provider` domain-verification `resultDialog` paths now address the -inner `data` payload (`dnsRecordType`, not `data.dnsRecordType`), matching every -other object. Pairs with the objectui `apiHandler` envelope-unwrap fix -(objectui#2396) — the old `data.` prefix compensated for a runtime bug and would -blank the dialog once the runtime unwraps correctly. diff --git a/.changeset/sys-user-detail-header-actions.md b/.changeset/sys-user-detail-header-actions.md deleted file mode 100644 index c2a2d46d8..000000000 --- a/.changeset/sys-user-detail-header-actions.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'@objectstack/platform-objects': patch ---- - -`sys_user` account-management actions (Ban/Unban, Unlock Account, Set Password, Set Platform Role, Impersonate) now also surface on the user record-detail header (`record_header`, overflowing into the ⋯ "More" menu), not just the Users list row menu — so a platform admin can manage an account from an open user record without navigating back to the list. diff --git a/.changeset/sys-user-edit-affordance.md b/.changeset/sys-user-edit-affordance.md deleted file mode 100644 index acc496950..000000000 --- a/.changeset/sys-user-edit-affordance.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -"@objectstack/platform-objects": minor ---- - -feat(identity): open the standard Edit affordance on sys_user for profile fields (ADR-0092 D4) - -`sys_user` now sets `userActions: { edit: true }`, so the generic row-edit -form is available (create / import / delete stay off). The two profile fields -(`name`, `image`) are editable; every other column — `email`, `role`, ban -state, phone, and all system-managed stamps — is marked `readonly` so the -standard edit form renders it non-editable. - -This is safe because the server boundary is the identity write guard shipped -in the previous change (ADR-0092 D2): a user-context update to `sys_user` may -only touch `{name, image}` regardless of what any form submits; everything -else is stripped or rejected. The `readonly` flags here are UX only. - -The dedicated action dialogs are unaffected — `create_user` / `invite_user` / -`set_user_role` reference `email` and `role` as action **params** (their own -inputs), which do not inherit the field-level `readonly` and stay editable -(verified in the running Console). - -Note: the Console's record-form renderer must honor `userActions.edit` + -per-field `readonly` on `managedBy:'better-auth'` objects for the edit form to -be functional; that is an objectui-side change vendored via `objectui:refresh` -and tracked separately. diff --git a/examples/app-crm/CHANGELOG.md b/examples/app-crm/CHANGELOG.md index 48a3b7d83..657ead667 100644 --- a/examples/app-crm/CHANGELOG.md +++ b/examples/app-crm/CHANGELOG.md @@ -1,5 +1,19 @@ # @objectstack/example-crm +## 4.0.83 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/runtime@14.5.0 + ## 4.0.82 ### Patch Changes diff --git a/examples/app-crm/package.json b/examples/app-crm/package.json index 6a4606ea8..cffa2e85a 100644 --- a/examples/app-crm/package.json +++ b/examples/app-crm/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/example-crm", - "version": "4.0.82", + "version": "4.0.83", "description": "Minimal CRM example — a smoke-test workspace that exercises the metadata loading pipeline (objects → views → app → dashboard → hook → flow → seed). For a full-featured enterprise CRM see https://github.com/objectstack-ai/hotcrm.", "license": "Apache-2.0", "private": true, diff --git a/examples/app-showcase/CHANGELOG.md b/examples/app-showcase/CHANGELOG.md index 7bdb8f55d..6c56ad954 100644 --- a/examples/app-showcase/CHANGELOG.md +++ b/examples/app-showcase/CHANGELOG.md @@ -1,5 +1,23 @@ # @objectstack/example-showcase +## 0.3.5 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/cloud-connection@14.5.0 + - @objectstack/connector-rest@14.5.0 + - @objectstack/connector-slack@14.5.0 + - @objectstack/driver-sql@14.5.0 + ## 0.3.4 ### Patch Changes diff --git a/examples/app-showcase/package.json b/examples/app-showcase/package.json index 4ed0cceb9..c37c712d8 100644 --- a/examples/app-showcase/package.json +++ b/examples/app-showcase/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/example-showcase", - "version": "0.3.4", + "version": "0.3.5", "description": "Kitchen-sink showcase workspace — exercises every metadata type, every view type, every chart type, and the major end-to-end capability chains (security, automation, analytics). Built for demonstration, debugging, and coverage-driven verification.", "license": "Apache-2.0", "private": true, diff --git a/examples/app-todo/CHANGELOG.md b/examples/app-todo/CHANGELOG.md index 60d5a61f1..28a0207d7 100644 --- a/examples/app-todo/CHANGELOG.md +++ b/examples/app-todo/CHANGELOG.md @@ -1,5 +1,27 @@ # @objectstack/example-todo +## 4.0.83 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [e8cedec] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/mcp@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/client@14.5.0 + - @objectstack/metadata@14.5.0 + - @objectstack/driver-sqlite-wasm@14.5.0 + - @objectstack/knowledge-memory@14.5.0 + - @objectstack/service-knowledge@14.5.0 + ## 4.0.82 ### Patch Changes diff --git a/examples/app-todo/package.json b/examples/app-todo/package.json index 2b06084ae..276bae91e 100644 --- a/examples/app-todo/package.json +++ b/examples/app-todo/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/example-todo", - "version": "4.0.82", + "version": "4.0.83", "description": "Example Todo App using ObjectStack Protocol", "license": "Apache-2.0", "private": true, diff --git a/examples/embed-objectql/CHANGELOG.md b/examples/embed-objectql/CHANGELOG.md index 2bc571d4e..bbade1b7a 100644 --- a/examples/embed-objectql/CHANGELOG.md +++ b/examples/embed-objectql/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/example-embed-objectql +## 0.0.23 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/driver-memory@14.5.0 + ## 0.0.22 ### Patch Changes diff --git a/examples/embed-objectql/package.json b/examples/embed-objectql/package.json index ec3974b21..dcdc679af 100644 --- a/examples/embed-objectql/package.json +++ b/examples/embed-objectql/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/example-embed-objectql", - "version": "0.0.22", + "version": "0.0.23", "private": true, "description": "Embed the ObjectQL engine as a plain library via @objectstack/objectql/core — no kernel, no plugins, no metadata protocol (ADR-0076).", "type": "module", diff --git a/packages/adapters/hono/CHANGELOG.md b/packages/adapters/hono/CHANGELOG.md index 332304023..6cf5832cb 100644 --- a/packages/adapters/hono/CHANGELOG.md +++ b/packages/adapters/hono/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/hono +## 14.5.0 + +### Patch Changes + +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [d79ca07] +- Updated dependencies [6da03ee] + - @objectstack/runtime@14.5.0 + - @objectstack/plugin-hono-server@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/adapters/hono/package.json b/packages/adapters/hono/package.json index 2d9fcff75..4eb6f3057 100644 --- a/packages/adapters/hono/package.json +++ b/packages/adapters/hono/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/hono", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "main": "dist/index.js", "types": "dist/index.d.ts", diff --git a/packages/apps/account/CHANGELOG.md b/packages/apps/account/CHANGELOG.md index d8850d8b4..b17330837 100644 --- a/packages/apps/account/CHANGELOG.md +++ b/packages/apps/account/CHANGELOG.md @@ -1,5 +1,20 @@ # @objectstack/account +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/apps/account/package.json b/packages/apps/account/package.json index f423c2ca0..f9b93606f 100644 --- a/packages/apps/account/package.json +++ b/packages/apps/account/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/account", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack Account — the end-user account/self-service console app, packaged as its own ObjectStack app package (ADR-0048: one app per package).", "main": "dist/index.js", diff --git a/packages/apps/setup/CHANGELOG.md b/packages/apps/setup/CHANGELOG.md index 8cf73072a..7c375797c 100644 --- a/packages/apps/setup/CHANGELOG.md +++ b/packages/apps/setup/CHANGELOG.md @@ -1,5 +1,20 @@ # @objectstack/setup +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/apps/setup/package.json b/packages/apps/setup/package.json index f3d1006ae..844ae8efb 100644 --- a/packages/apps/setup/package.json +++ b/packages/apps/setup/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/setup", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack Setup — the platform administration app, packaged as its own ObjectStack app package (ADR-0048: one app per package).", "main": "dist/index.js", diff --git a/packages/apps/studio/CHANGELOG.md b/packages/apps/studio/CHANGELOG.md index 9b92805c7..e40174ff3 100644 --- a/packages/apps/studio/CHANGELOG.md +++ b/packages/apps/studio/CHANGELOG.md @@ -1,5 +1,20 @@ # @objectstack/studio +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/apps/studio/package.json b/packages/apps/studio/package.json index 2a73e3bf7..171c578f8 100644 --- a/packages/apps/studio/package.json +++ b/packages/apps/studio/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/studio", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack Studio — the metadata builder app, packaged as its own ObjectStack app package (ADR-0048: one app per package).", "main": "dist/index.js", diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index db62aab94..3595aca33 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md @@ -1,5 +1,104 @@ # @objectstack/cli +## 14.5.0 + +### Minor Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +### Patch Changes + +- decd174: fix(cli): resolve `http.server` asynchronously in the console / runtime-assets static plugins + + `createConsoleStaticPlugin` and `createRuntimeAssetsPlugin` fetched the + `http.server` service with the **synchronous** `ctx.getService('http.server')`. + When `http.server` is registered as an async factory (the console / + schema-migration boot path), that accessor throws + `Service 'http.server' is async - use await`; because the call sat outside + any try/catch, the throw escaped the plugin's `start()` and rolled back + kernel bootstrap — crashing the CONSOLE/migration boot + (`Plugin startup failed: com.objectstack.runtime-assets`). The runtime + `serve` path, where `http.server` is registered synchronously, was + unaffected, which is why only the control-plane migration boot broke. + + Resolve both plugins' `http.server` through a shared `resolveHttpServer` + helper that prefers the async accessor (`getServiceAsync`, which resolves a + sync- or async-registered service) and falls back to the sync one, mirroring + plugin-auth's async `cache` lookup. The helper never throws, so these + optional static-asset plugins skip cleanly when no HTTP server is present + instead of taking down boot. + +- Updated dependencies [526805e] +- Updated dependencies [e8cedec] +- Updated dependencies [5f43f88] +- Updated dependencies [6da03ee] +- Updated dependencies [261aff5] +- Updated dependencies [f70eb2c] +- Updated dependencies [d79ca07] +- Updated dependencies [a348394] +- Updated dependencies [4d9dd7b] +- Updated dependencies [5bced2f] +- Updated dependencies [3fd87b2] +- Updated dependencies [33ebd34] +- Updated dependencies [6da03ee] +- Updated dependencies [e2c05d6] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/service-job@14.5.0 + - @objectstack/service-messaging@14.5.0 + - @objectstack/service-automation@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/mcp@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/console@14.5.0 + - @objectstack/plugin-security@14.5.0 + - @objectstack/plugin-sharing@14.5.0 + - @objectstack/plugin-auth@14.5.0 + - @objectstack/rest@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/plugin-hono-server@14.5.0 + - @objectstack/service-settings@14.5.0 + - @objectstack/account@14.5.0 + - @objectstack/setup@14.5.0 + - @objectstack/client@14.5.0 + - @objectstack/cloud-connection@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/lint@14.5.0 + - @objectstack/metadata@14.5.0 + - @objectstack/observability@14.5.0 + - @objectstack/driver-memory@14.5.0 + - @objectstack/driver-mongodb@14.5.0 + - @objectstack/driver-sql@14.5.0 + - @objectstack/driver-sqlite-wasm@14.5.0 + - @objectstack/plugin-approvals@14.5.0 + - @objectstack/plugin-audit@14.5.0 + - @objectstack/plugin-email@14.5.0 + - @objectstack/plugin-reports@14.5.0 + - @objectstack/plugin-webhooks@14.5.0 + - @objectstack/service-analytics@14.5.0 + - @objectstack/service-cache@14.5.0 + - @objectstack/service-datasource@14.5.0 + - @objectstack/service-package@14.5.0 + - @objectstack/service-queue@14.5.0 + - @objectstack/service-realtime@14.5.0 + - @objectstack/service-sms@14.5.0 + - @objectstack/service-storage@14.5.0 + - @objectstack/trigger-api@14.5.0 + - @objectstack/trigger-record-change@14.5.0 + - @objectstack/trigger-schedule@14.5.0 + - @objectstack/types@14.5.0 + - @objectstack/verify@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/cli/package.json b/packages/cli/package.json index 4cef8a656..f4b877713 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/cli", - "version": "14.4.0", + "version": "14.5.0", "description": "Command Line Interface for ObjectStack Protocol", "main": "dist/index.js", "types": "dist/index.d.ts", diff --git a/packages/client-react/CHANGELOG.md b/packages/client-react/CHANGELOG.md index a70737cba..f662604d4 100644 --- a/packages/client-react/CHANGELOG.md +++ b/packages/client-react/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/client-react +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/client@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/client-react/package.json b/packages/client-react/package.json index be8a93765..7cf3a87ec 100644 --- a/packages/client-react/package.json +++ b/packages/client-react/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/client-react", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "React hooks for ObjectStack Client SDK", "main": "dist/index.js", diff --git a/packages/client/CHANGELOG.md b/packages/client/CHANGELOG.md index b38cf09a1..e055acea8 100644 --- a/packages/client/CHANGELOG.md +++ b/packages/client/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/client +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/client/package.json b/packages/client/package.json index c5a15691a..c4ebec2ce 100644 --- a/packages/client/package.json +++ b/packages/client/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/client", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Official Client SDK for ObjectStack Protocol", "main": "dist/index.js", diff --git a/packages/cloud-connection/CHANGELOG.md b/packages/cloud-connection/CHANGELOG.md index 77af2f543..306103071 100644 --- a/packages/cloud-connection/CHANGELOG.md +++ b/packages/cloud-connection/CHANGELOG.md @@ -1,5 +1,21 @@ # @objectstack/cloud-connection +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/cloud-connection/package.json b/packages/cloud-connection/package.json index 304e6257a..6ddc5be81 100644 --- a/packages/cloud-connection/package.json +++ b/packages/cloud-connection/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/cloud-connection", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Runtime-side client for an ObjectStack cloud control plane — marketplace browse proxy, install-local, device-code binding, org catalog and installed views, and the /api/v1/runtime/config discovery endpoint. Open mechanism (ADR-0008): the hub service, plan policy, and entitlements stay server-side.", "type": "module", diff --git a/packages/connectors/connector-mcp/CHANGELOG.md b/packages/connectors/connector-mcp/CHANGELOG.md index f850b7e55..5afc87f80 100644 --- a/packages/connectors/connector-mcp/CHANGELOG.md +++ b/packages/connectors/connector-mcp/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/connector-mcp +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/connectors/connector-mcp/package.json b/packages/connectors/connector-mcp/package.json index 5e2d4d4eb..466610572 100644 --- a/packages/connectors/connector-mcp/package.json +++ b/packages/connectors/connector-mcp/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/connector-mcp", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Model Context Protocol (MCP) connector for ObjectStack — a generic adapter that turns any MCP server's tools into a connector's actions on the automation engine's connector registry (ADR-0024).", "main": "dist/index.js", diff --git a/packages/connectors/connector-openapi/CHANGELOG.md b/packages/connectors/connector-openapi/CHANGELOG.md index ec6e2538f..0041501f0 100644 --- a/packages/connectors/connector-openapi/CHANGELOG.md +++ b/packages/connectors/connector-openapi/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/connector-openapi +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/connectors/connector-openapi/package.json b/packages/connectors/connector-openapi/package.json index c7d3d8bfd..036edc41b 100644 --- a/packages/connectors/connector-openapi/package.json +++ b/packages/connectors/connector-openapi/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/connector-openapi", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "OpenAPI 3.x connector generator for ObjectStack — turns a declarative OpenAPI document into connector actions on the automation engine's registry, with a self-contained static-auth HTTP transport (ADR-0023).", "main": "dist/index.js", diff --git a/packages/connectors/connector-rest/CHANGELOG.md b/packages/connectors/connector-rest/CHANGELOG.md index 0ba2a43c3..5b2c5708c 100644 --- a/packages/connectors/connector-rest/CHANGELOG.md +++ b/packages/connectors/connector-rest/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/connector-rest +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/connectors/connector-rest/package.json b/packages/connectors/connector-rest/package.json index 700b5499e..6bb5f001d 100644 --- a/packages/connectors/connector-rest/package.json +++ b/packages/connectors/connector-rest/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/connector-rest", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Generic REST connector for ObjectStack — the reference concrete connector that registers a `request` action on the automation engine's connector registry (ADR-0018 §Addendum).", "main": "dist/index.js", diff --git a/packages/connectors/connector-slack/CHANGELOG.md b/packages/connectors/connector-slack/CHANGELOG.md index 4505e2fd2..f3d3b21ef 100644 --- a/packages/connectors/connector-slack/CHANGELOG.md +++ b/packages/connectors/connector-slack/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/connector-slack +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/connectors/connector-slack/package.json b/packages/connectors/connector-slack/package.json index 35684c5cb..9a4c31eb6 100644 --- a/packages/connectors/connector-slack/package.json +++ b/packages/connectors/connector-slack/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/connector-slack", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Slack Web API connector for ObjectStack — registers `chat.postMessage` / `chat.update` / `call` actions on the automation engine's connector registry (ADR-0018 §Addendum, ADR-0022).", "main": "dist/index.js", diff --git a/packages/console/CHANGELOG.md b/packages/console/CHANGELOG.md index 1a7859759..d5c83accd 100644 --- a/packages/console/CHANGELOG.md +++ b/packages/console/CHANGELOG.md @@ -1,5 +1,15 @@ # @objectstack/console +## 14.5.0 + +### Patch Changes + +- 6da03ee: Console (objectui) refreshed to `5da9905b30fc`. Frontend changes in this range: + + - fix(plugin-form): honor userActions.edit on managed objects, don't blanket-disable fields (ADR-0092 D4) (#2395) + + objectui range: `6fa8e6aeb67c...5da9905b30fc` + ## 14.4.0 ## 14.3.0 diff --git a/packages/console/package.json b/packages/console/package.json index 714dd65c6..9929855f3 100644 --- a/packages/console/package.json +++ b/packages/console/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/console", - "version": "14.4.0", + "version": "14.5.0", "description": "Prebuilt Console SPA pinned to this @objectstack/framework release. Source of truth: @object-ui/console (https://github.com/objectstack-ai/objectui).", "license": "Apache-2.0", "homepage": "https://github.com/objectstack-ai/framework/tree/main/packages/console", diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md index f1457b861..621681f24 100644 --- a/packages/core/CHANGELOG.md +++ b/packages/core/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/core +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/core/package.json b/packages/core/package.json index 76728f167..813f74d2d 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/core", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Microkernel Core for ObjectStack", "type": "module", diff --git a/packages/create-objectstack/CHANGELOG.md b/packages/create-objectstack/CHANGELOG.md index 7a6364814..2def4f053 100644 --- a/packages/create-objectstack/CHANGELOG.md +++ b/packages/create-objectstack/CHANGELOG.md @@ -1,5 +1,7 @@ # create-objectstack +## 14.5.0 + ## 14.4.0 ## 14.3.0 diff --git a/packages/create-objectstack/package.json b/packages/create-objectstack/package.json index a8fb28f73..db88b3ae7 100644 --- a/packages/create-objectstack/package.json +++ b/packages/create-objectstack/package.json @@ -1,6 +1,6 @@ { "name": "create-objectstack", - "version": "14.4.0", + "version": "14.5.0", "description": "Create a new ObjectStack project — npx create-objectstack", "bin": { "create-objectstack": "./bin/create-objectstack.js" diff --git a/packages/dogfood/CHANGELOG.md b/packages/dogfood/CHANGELOG.md index 928e5a00e..341fa35b3 100644 --- a/packages/dogfood/CHANGELOG.md +++ b/packages/dogfood/CHANGELOG.md @@ -1,5 +1,22 @@ # @objectstack/dogfood +## 0.0.31 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [f70eb2c] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/plugin-security@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/example-crm@4.0.83 + - @objectstack/example-showcase@0.3.5 + - @objectstack/verify@14.5.0 + ## 0.0.30 ### Patch Changes diff --git a/packages/dogfood/package.json b/packages/dogfood/package.json index 4ed10b8e6..6c7cd3f71 100644 --- a/packages/dogfood/package.json +++ b/packages/dogfood/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/dogfood", - "version": "0.0.30", + "version": "0.0.31", "private": true, "license": "Apache-2.0", "description": "Dogfood regression gate — hand-written golden tests that boot real example apps through @objectstack/verify's in-process HTTP stack, pinning historical runtime regressions (#2018 timezone bucketing, #1994 cross-owner RLS, #2004 field fidelity) that static checks miss.", diff --git a/packages/downstream-contract/CHANGELOG.md b/packages/downstream-contract/CHANGELOG.md index 304623fe0..c666ccd00 100644 --- a/packages/downstream-contract/CHANGELOG.md +++ b/packages/downstream-contract/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/downstream-contract +## 0.0.29 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 0.0.28 ### Patch Changes diff --git a/packages/downstream-contract/package.json b/packages/downstream-contract/package.json index 3fdabfac8..8fc8faf62 100644 --- a/packages/downstream-contract/package.json +++ b/packages/downstream-contract/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/downstream-contract", - "version": "0.0.28", + "version": "0.0.29", "description": "Frozen third-party consumer fixture — a backward-compatibility gate for @objectstack/spec. Authored the way an external project on a published release authors metadata; if a spec change breaks it, that change is breaking (#2035).", "license": "Apache-2.0", "private": true, diff --git a/packages/formula/CHANGELOG.md b/packages/formula/CHANGELOG.md index cd204853d..c5acd69e4 100644 --- a/packages/formula/CHANGELOG.md +++ b/packages/formula/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/formula +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/formula/package.json b/packages/formula/package.json index 990cc2cc0..b826e0e2d 100644 --- a/packages/formula/package.json +++ b/packages/formula/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/formula", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack canonical expression engine — CEL (cel-js) + ObjectStack stdlib + dialect registry", "main": "dist/index.js", diff --git a/packages/lint/CHANGELOG.md b/packages/lint/CHANGELOG.md index 7970f3006..42aad0fd3 100644 --- a/packages/lint/CHANGELOG.md +++ b/packages/lint/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/lint +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/sdui-parser@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/lint/package.json b/packages/lint/package.json index 8ba343904..35aadedf7 100644 --- a/packages/lint/package.json +++ b/packages/lint/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/lint", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Static, build-time validation for an ObjectStack metadata graph — dashboard widget bindings, CEL/predicate expressions, and more. Pure (stack) => Issue[] functions shared by the CLI's `os validate` and any other consumer (e.g. AI authoring). Depends on @objectstack/spec; never on a runtime.", "type": "module", diff --git a/packages/mcp/CHANGELOG.md b/packages/mcp/CHANGELOG.md index 2a0283c30..3ea3cd2d0 100644 --- a/packages/mcp/CHANGELOG.md +++ b/packages/mcp/CHANGELOG.md @@ -1,5 +1,19 @@ # @objectstack/plugin-mcp-server +## 14.5.0 + +### Patch Changes + +- e8cedec: Docs accuracy: correct how the MCP SKILL.md describes an agent's authority to match the shipped ADR-0090 D10 model. An OAuth-connected client is an **agent acting on behalf of** the signing-in user — every call is bounded by the **intersection** of the consent scopes and that user's own permissions/RLS (a `data:read` token can never write, even where the user could), not simply "runs as you". (Companion doc-only edits to `content/docs/ai/agents.mdx` and `docs/design/permission-model.md` correct the same framing and honestly mark the still-planned agent guardrails — the grant-ceiling lint, destructive-action co-sign, and double-signature audit provenance.) +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/mcp/package.json b/packages/mcp/package.json index 4d75bb9ee..bb9e45807 100644 --- a/packages/mcp/package.json +++ b/packages/mcp/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/mcp", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack as an MCP server — exposes your app's objects (and AI tools) over the Model Context Protocol (stdio + Streamable HTTP)", "type": "module", diff --git a/packages/metadata-core/CHANGELOG.md b/packages/metadata-core/CHANGELOG.md index 0d3e27773..cee55f80a 100644 --- a/packages/metadata-core/CHANGELOG.md +++ b/packages/metadata-core/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/metadata-core +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/metadata-core/package.json b/packages/metadata-core/package.json index e16b9649a..a67d13788 100644 --- a/packages/metadata-core/package.json +++ b/packages/metadata-core/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/metadata-core", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Metadata Repository contracts: types, canonicalization, errors, interface (ADR-0008).", "type": "module", diff --git a/packages/metadata-fs/CHANGELOG.md b/packages/metadata-fs/CHANGELOG.md index c48580ee8..b492aa951 100644 --- a/packages/metadata-fs/CHANGELOG.md +++ b/packages/metadata-fs/CHANGELOG.md @@ -1,5 +1,11 @@ # @objectstack/metadata-fs +## 14.5.0 + +### Patch Changes + +- @objectstack/metadata-core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/metadata-fs/package.json b/packages/metadata-fs/package.json index dc236a8f6..204c39e04 100644 --- a/packages/metadata-fs/package.json +++ b/packages/metadata-fs/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/metadata-fs", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "FileSystemRepository: Node-only Repository implementation backed by JSON files and a JSONL change log (ADR-0008).", "type": "module", diff --git a/packages/metadata-protocol/CHANGELOG.md b/packages/metadata-protocol/CHANGELOG.md index 1a2a110c4..cd858002f 100644 --- a/packages/metadata-protocol/CHANGELOG.md +++ b/packages/metadata-protocol/CHANGELOG.md @@ -1,5 +1,20 @@ # @objectstack/metadata-protocol +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/metadata-core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/metadata-protocol/package.json b/packages/metadata-protocol/package.json index 21a598044..c20f591e6 100644 --- a/packages/metadata-protocol/package.json +++ b/packages/metadata-protocol/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/metadata-protocol", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack metadata management protocol: sys_metadata CRUD, draft/publish, locks, package ownership, diagnostics (ADR-0076).", "type": "module", diff --git a/packages/metadata/CHANGELOG.md b/packages/metadata/CHANGELOG.md index cd6b3cb20..b572fd14b 100644 --- a/packages/metadata/CHANGELOG.md +++ b/packages/metadata/CHANGELOG.md @@ -1,5 +1,24 @@ # @objectstack/metadata +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/metadata-core@14.5.0 + - @objectstack/types@14.5.0 + - @objectstack/metadata-fs@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/metadata/package.json b/packages/metadata/package.json index 62a03e4af..cb87e2178 100644 --- a/packages/metadata/package.json +++ b/packages/metadata/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/metadata", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Metadata loading, saving, and persistence for ObjectStack", "type": "module", diff --git a/packages/objectql/CHANGELOG.md b/packages/objectql/CHANGELOG.md index a61f4d1e9..6d0f0f28e 100644 --- a/packages/objectql/CHANGELOG.md +++ b/packages/objectql/CHANGELOG.md @@ -1,5 +1,29 @@ # @objectstack/objectql +## 14.5.0 + +### Minor Changes + +- 33ebd34: ADR-0057 (#2834): `retention.onlyWhen` status predicate — mixed tables can scope the age reap. + + - **spec**: `lifecycle.retention.onlyWhen` — a row filter (per-field equality or `{ $in: [...] }`) the retention window applies to; rows outside it are retained regardless of age. Rejected when combined with rotation `storage` (shard DROPs ignore filters) or `archive` (the Archiver moves rows by age alone). + - **objectql**: the LifecycleService Reaper merges `onlyWhen` into every retention delete, including tenant-override passes. + - **service-automation**: the run-history age sweep is now declarative — `sys_automation_run` declares `retention: { maxAge: '30d', onlyWhen: { status: { $in: ['completed', 'failed'] } } }` and the platform Reaper owns it; suspended (`paused`) runs never match. The plugin's own sweep loop is retired: `ObjectStoreSuspendedRunStore.pruneHistory`, the `DEFAULT_RUN_HISTORY_RETENTION_DAYS` export, and the `runHistoryRetentionDays` / `runHistorySweepMs` plugin options are removed (launch-window breaking-as-minor). The write-time per-flow overflow cap (`runHistoryMaxPerFlow`) stays. + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/metadata-core@14.5.0 + - @objectstack/metadata-protocol@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/objectql/package.json b/packages/objectql/package.json index 45f26195f..5e0bd57ce 100644 --- a/packages/objectql/package.json +++ b/packages/objectql/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/objectql", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Isomorphic ObjectQL Engine for ObjectStack", "main": "dist/index.js", diff --git a/packages/observability/CHANGELOG.md b/packages/observability/CHANGELOG.md index 4deaf3dba..85c9fa47f 100644 --- a/packages/observability/CHANGELOG.md +++ b/packages/observability/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/observability +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/observability/package.json b/packages/observability/package.json index 409415437..cd7ba38ab 100644 --- a/packages/observability/package.json +++ b/packages/observability/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/observability", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Observability contracts and exporters for ObjectStack — MetricsRegistry, ErrorReporter, Logger plus noop/console/OTLP-HTTP exporters. Deployment-target neutral; runtime and services depend on this so the same instrumentation works on Cloudflare Workers, Node, and self-hosted Kubernetes.", "type": "module", diff --git a/packages/platform-objects/CHANGELOG.md b/packages/platform-objects/CHANGELOG.md index ec0f9b2af..d5f659be5 100644 --- a/packages/platform-objects/CHANGELOG.md +++ b/packages/platform-objects/CHANGELOG.md @@ -1,5 +1,55 @@ # @objectstack/platform-objects +## 14.5.0 + +### Minor Changes + +- 6da03ee: feat(identity): open the standard Edit affordance on sys_user for profile fields (ADR-0092 D4) + + `sys_user` now sets `userActions: { edit: true }`, so the generic row-edit + form is available (create / import / delete stay off). The two profile fields + (`name`, `image`) are editable; every other column — `email`, `role`, ban + state, phone, and all system-managed stamps — is marked `readonly` so the + standard edit form renders it non-editable. + + This is safe because the server boundary is the identity write guard shipped + in the previous change (ADR-0092 D2): a user-context update to `sys_user` may + only touch `{name, image}` regardless of what any form submits; everything + else is stripped or rejected. The `readonly` flags here are UX only. + + The dedicated action dialogs are unaffected — `create_user` / `invite_user` / + `set_user_role` reference `email` and `role` as action **params** (their own + inputs), which do not inherit the field-level `readonly` and stay editable + (verified in the running Console). + + Note: the Console's record-form renderer must honor `userActions.edit` + + per-field `readonly` on `managedBy:'better-auth'` objects for the edit form to + be functional; that is an objectui-side change vendored via `objectui:refresh` + and tracked separately. + +### Patch Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +- 8f23746: `sys_sso_provider` domain-verification `resultDialog` paths now address the + inner `data` payload (`dnsRecordType`, not `data.dnsRecordType`), matching every + other object. Pairs with the objectui `apiHandler` envelope-unwrap fix + (objectui#2396) — the old `data.` prefix compensated for a runtime bug and would + blank the dialog once the runtime unwraps correctly. +- b97af7e: `sys_user` account-management actions (Ban/Unban, Unlock Account, Set Password, Set Platform Role, Impersonate) now also surface on the user record-detail header (`record_header`, overflowing into the ⋯ "More" menu), not just the Users list row menu — so a platform admin can manage an account from an open user record without navigating back to the list. +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/metadata-core@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/platform-objects/package.json b/packages/platform-objects/package.json index d2d9e2a69..6ae006b21 100644 --- a/packages/platform-objects/package.json +++ b/packages/platform-objects/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/platform-objects", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Core platform object schemas for ObjectStack — identity, security, audit, tenant, and metadata objects", "main": "dist/index.js", diff --git a/packages/plugins/driver-memory/CHANGELOG.md b/packages/plugins/driver-memory/CHANGELOG.md index 3640c5afc..93c998857 100644 --- a/packages/plugins/driver-memory/CHANGELOG.md +++ b/packages/plugins/driver-memory/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/driver-memory +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/driver-memory/package.json b/packages/plugins/driver-memory/package.json index 4fafa5893..7f18c1646 100644 --- a/packages/plugins/driver-memory/package.json +++ b/packages/plugins/driver-memory/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/driver-memory", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "In-Memory Driver for ObjectStack (Reference Implementation)", "main": "dist/index.js", diff --git a/packages/plugins/driver-mongodb/CHANGELOG.md b/packages/plugins/driver-mongodb/CHANGELOG.md index 83e2f9100..945b78bfb 100644 --- a/packages/plugins/driver-mongodb/CHANGELOG.md +++ b/packages/plugins/driver-mongodb/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/driver-mongodb +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/driver-mongodb/package.json b/packages/plugins/driver-mongodb/package.json index 0444598ba..7ec75ca95 100644 --- a/packages/plugins/driver-mongodb/package.json +++ b/packages/plugins/driver-mongodb/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/driver-mongodb", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "MongoDB Driver for ObjectStack - Native document database driver via official mongodb client", "main": "dist/index.js", diff --git a/packages/plugins/driver-sql/CHANGELOG.md b/packages/plugins/driver-sql/CHANGELOG.md index bfe7f8921..8479c24b8 100644 --- a/packages/plugins/driver-sql/CHANGELOG.md +++ b/packages/plugins/driver-sql/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/driver-sql +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/plugins/driver-sql/package.json b/packages/plugins/driver-sql/package.json index 4764e6746..6a8826dcf 100644 --- a/packages/plugins/driver-sql/package.json +++ b/packages/plugins/driver-sql/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/driver-sql", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "SQL Driver for ObjectStack - Supports PostgreSQL, MySQL, SQLite via Knex", "main": "dist/index.js", diff --git a/packages/plugins/driver-sqlite-wasm/CHANGELOG.md b/packages/plugins/driver-sqlite-wasm/CHANGELOG.md index 6f595a908..184ddff82 100644 --- a/packages/plugins/driver-sqlite-wasm/CHANGELOG.md +++ b/packages/plugins/driver-sqlite-wasm/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/driver-sqlite-wasm +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/driver-sql@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/plugins/driver-sqlite-wasm/package.json b/packages/plugins/driver-sqlite-wasm/package.json index e5121bbee..6ecd78785 100644 --- a/packages/plugins/driver-sqlite-wasm/package.json +++ b/packages/plugins/driver-sqlite-wasm/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/driver-sqlite-wasm", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "WASM SQLite Driver for ObjectStack — runs in browser/WebContainer (StackBlitz) without native bindings", "keywords": [ diff --git a/packages/plugins/embedder-openai/CHANGELOG.md b/packages/plugins/embedder-openai/CHANGELOG.md index fb6d19577..e6bb13973 100644 --- a/packages/plugins/embedder-openai/CHANGELOG.md +++ b/packages/plugins/embedder-openai/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/embedder-openai +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/embedder-openai/package.json b/packages/plugins/embedder-openai/package.json index 9aa7fff0b..49afbee91 100644 --- a/packages/plugins/embedder-openai/package.json +++ b/packages/plugins/embedder-openai/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/embedder-openai", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "OpenAI-compatible embedder for ObjectStack — works against OpenAI, 阿里通义 DashScope, 智谱 BigModel, 硅基流动 SiliconFlow, 火山引擎 Doubao, MiniMax, Ollama, and any drop-in OpenAI-shape endpoint.", "main": "dist/index.js", diff --git a/packages/plugins/knowledge-memory/CHANGELOG.md b/packages/plugins/knowledge-memory/CHANGELOG.md index 4e654d4f5..b7b41ab57 100644 --- a/packages/plugins/knowledge-memory/CHANGELOG.md +++ b/packages/plugins/knowledge-memory/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/knowledge-memory +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/service-knowledge@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/knowledge-memory/package.json b/packages/plugins/knowledge-memory/package.json index 9cd6d1358..609998c74 100644 --- a/packages/plugins/knowledge-memory/package.json +++ b/packages/plugins/knowledge-memory/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/knowledge-memory", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "In-memory knowledge adapter for ObjectStack (dev / test reference implementation).", "main": "dist/index.js", diff --git a/packages/plugins/knowledge-ragflow/CHANGELOG.md b/packages/plugins/knowledge-ragflow/CHANGELOG.md index fa695ed77..306778cb7 100644 --- a/packages/plugins/knowledge-ragflow/CHANGELOG.md +++ b/packages/plugins/knowledge-ragflow/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/knowledge-ragflow +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/service-knowledge@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/knowledge-ragflow/package.json b/packages/plugins/knowledge-ragflow/package.json index a72bbb6d4..07b98384b 100644 --- a/packages/plugins/knowledge-ragflow/package.json +++ b/packages/plugins/knowledge-ragflow/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/knowledge-ragflow", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "RAGFlow knowledge adapter for ObjectStack — production-grade RAG via the Apache 2.0 RAGFlow REST API.", "main": "dist/index.js", diff --git a/packages/plugins/plugin-approvals/CHANGELOG.md b/packages/plugins/plugin-approvals/CHANGELOG.md index 6738a38f3..ad34fabc3 100644 --- a/packages/plugins/plugin-approvals/CHANGELOG.md +++ b/packages/plugins/plugin-approvals/CHANGELOG.md @@ -1,5 +1,23 @@ # @objectstack/plugin-approvals +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/metadata-core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-approvals/package.json b/packages/plugins/plugin-approvals/package.json index 91609f791..ac249fabb 100644 --- a/packages/plugins/plugin-approvals/package.json +++ b/packages/plugins/plugin-approvals/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-approvals", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Multi-step approval engine for ObjectStack — sys_approval_process + sys_approval_request + sys_approval_action + IApprovalService.", "main": "dist/index.js", diff --git a/packages/plugins/plugin-audit/CHANGELOG.md b/packages/plugins/plugin-audit/CHANGELOG.md index cd1912ec9..f723e4abb 100644 --- a/packages/plugins/plugin-audit/CHANGELOG.md +++ b/packages/plugins/plugin-audit/CHANGELOG.md @@ -1,5 +1,21 @@ # @objectstack/plugin-audit +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/plugins/plugin-audit/package.json b/packages/plugins/plugin-audit/package.json index ece416924..5cd602cb0 100644 --- a/packages/plugins/plugin-audit/package.json +++ b/packages/plugins/plugin-audit/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-audit", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Audit Plugin for ObjectStack — System audit log object and audit trail", "main": "dist/index.js", diff --git a/packages/plugins/plugin-auth/CHANGELOG.md b/packages/plugins/plugin-auth/CHANGELOG.md index 59527885a..1d5e5beb2 100644 --- a/packages/plugins/plugin-auth/CHANGELOG.md +++ b/packages/plugins/plugin-auth/CHANGELOG.md @@ -1,5 +1,117 @@ # Changelog +## 14.5.0 + +### Minor Changes + +- a348394: feat(auth): identity write guard — `managedBy: 'better-auth'` is now enforced at the engine (ADR-0092 D2/D3/D6) + + Every object whose schema declares `managedBy: 'better-auth'` (`sys_user`, + `sys_member`, `sys_session`, `sys_api_key`, …) is now protected by engine + `beforeInsert` / `beforeUpdate` / `beforeDelete` hooks registered by + plugin-auth: **user-context** writes through the generic data path are + rejected fail-closed with `403 PERMISSION_DENIED`, closing the hole where a + wildcard admin permission set could raw-write any identity column (including + `email` and credential stamps) via the data API. Internal writes are + unaffected — the better-auth adapter, `isSystem` plugin/system contexts, and + the identity import keep working unchanged. + + The only opening is a per-object update whitelist + (`registerManagedUpdateWhitelist(object, fields)`): non-whitelisted fields are + stripped from the payload, and a payload that strips to nothing throws. The + first registration ships here: `sys_user → { name, image }` (pure profile + fields), backed by the new shared `SYS_USER_PROFILE_EDIT_FIELDS` / + `SYS_USER_IMPORT_UPDATE_FIELDS` constants — the import upsert's field + discipline is now derived from the same module (subset-by-construction, no + drift). + + After a guarded profile edit, an `afterUpdate` companion hook re-writes the + user's cached `{session, user}` snapshots in better-auth's secondary storage + (same TTL, mirror of better-auth's own `refreshUserSessions`) so session + reads stay coherent; it rewrites rather than deletes, and no-ops when no + secondary storage is wired. + + Migration note: server-side scripts that previously updated identity tables + with a **user** execution context must either run with a system context + (`{ isSystem: true }`) if they are genuinely internal, or move to the + dedicated auth endpoints (invite / create-user / set-user-password / ban / + better-auth APIs). Flows and automations that wrote non-profile `sys_user` + columns under a user identity are now filtered the same way. + +- 5bced2f: feat(auth): `passwordPolicy: 'none'` is the identity import's new default — import provisions identity, not credentials + + `POST /api/v1/auth/admin/import-users` now supports (and defaults to) + `passwordPolicy: 'none'`: accounts are created without a credential record + (better-auth's optional-password create), so no password material is + generated, returned, or distributed at all. Users first sign in through a + channel — phone OTP, magic link, or a password-reset link — and the Console's + existing credential-less detection (`hasLocalPassword()` → set-initial-password) + nudges them to set a password afterwards. + + The `invite` policy also no longer mints a throwaway password: it creates the + same credential-less account and sends the set-your-password invitation + (better-auth's reset flow creates the credential record on first set). + `temporary` is unchanged and remains the fallback for deployments without + email/SMS infrastructure. + + Breaking-ish note: `passwordPolicy` was previously required — requests that + omitted it got a 400. They now succeed with the `none` behavior. + +- e2c05d6: feat(auth/i18n): localised, tenant-customisable phone SMS texts (#2815) + + The OTP and invitation SMS bodies were hard-coded English. They now resolve + in two layers: a `sys_notification_template` row for + `(auth.phone_otp | auth.phone_invite, channel 'sms', locale)` — editable in + Setup, seeded once with built-in en/zh rows, tenant edits never overwritten — + falling back to the bundled bilingual texts. The locale follows the + deployment default (`localization.locale` setting, live-rebound); per-user + locale is deferred until `sys_user` grows a locale column. The OTP wording + is purpose-neutral (one provider template covers sign-in and reset, and the + SMS reveals nothing about what the code unlocks). Template lookups are + best-effort — an outage never blocks an OTP send — and the no-OTP-in-logs + red line is unchanged. + +### Patch Changes + +- 3fd87b2: fix(auth): invitation accept link is now an absolute URL under the Console base + + `sendInvitationEmail` built the accept URL straight from `config.baseUrl` with + no scheme guarantee and no UI mount prefix — `${baseUrl}/accept-invitation/`. + Two problems surfaced in real deployments: + + 1. When `baseUrl` was a bare host (e.g. `cloud.objectos.ai`, no scheme), the + emailed link was relative-looking; email clients would not linkify it and + clicking it went nowhere. + 2. The accept-invitation page is a Console SPA route mounted under `uiBasePath` + (default `/_console`) — the same router/basename as `/login`, `/register` + and `/oauth/consent`, and the exact link the Console itself generates for its + "copy invitation link" action (`${origin}${BASE_URL}accept-invitation/`). + The root-path link omitted that prefix, so it 404'd at the host root instead + of resolving to the page. + + The link is now built as + `${origin}${uiBasePath}/accept-invitation/` via a hardened + `getCanonicalOrigin()` that guarantees an absolute origin (prepends `https://` + when `baseUrl` has no scheme). The scheme hardening also applies to the OAuth + issuer / consent / device-flow URLs that share the helper. Deployments that + mount the Console elsewhere are honoured through the existing `uiBasePath` + config. + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [4d9dd7b] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/rest@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-auth/package.json b/packages/plugins/plugin-auth/package.json index a8ef0de2c..de895991d 100644 --- a/packages/plugins/plugin-auth/package.json +++ b/packages/plugins/plugin-auth/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-auth", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Authentication & Identity Plugin for ObjectStack", "main": "dist/index.js", diff --git a/packages/plugins/plugin-dev/CHANGELOG.md b/packages/plugins/plugin-dev/CHANGELOG.md index 30070354d..9d1c55606 100644 --- a/packages/plugins/plugin-dev/CHANGELOG.md +++ b/packages/plugins/plugin-dev/CHANGELOG.md @@ -1,5 +1,37 @@ # @objectstack/plugin-dev +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [f70eb2c] +- Updated dependencies [d79ca07] +- Updated dependencies [a348394] +- Updated dependencies [4d9dd7b] +- Updated dependencies [5bced2f] +- Updated dependencies [3fd87b2] +- Updated dependencies [33ebd34] +- Updated dependencies [6da03ee] +- Updated dependencies [e2c05d6] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/plugin-security@14.5.0 + - @objectstack/plugin-auth@14.5.0 + - @objectstack/rest@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/plugin-hono-server@14.5.0 + - @objectstack/account@14.5.0 + - @objectstack/setup@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/driver-memory@14.5.0 + - @objectstack/service-i18n@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-dev/package.json b/packages/plugins/plugin-dev/package.json index fd444df5a..b69f7ac82 100644 --- a/packages/plugins/plugin-dev/package.json +++ b/packages/plugins/plugin-dev/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-dev", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Development Mode Plugin for ObjectStack — auto-enables all services with in-memory implementations", "main": "dist/index.js", diff --git a/packages/plugins/plugin-email/CHANGELOG.md b/packages/plugins/plugin-email/CHANGELOG.md index b7528c07d..3e5d3a15a 100644 --- a/packages/plugins/plugin-email/CHANGELOG.md +++ b/packages/plugins/plugin-email/CHANGELOG.md @@ -1,5 +1,22 @@ # @objectstack/plugin-email +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-email/package.json b/packages/plugins/plugin-email/package.json index 0a70e98ac..c7dac5f4d 100644 --- a/packages/plugins/plugin-email/package.json +++ b/packages/plugins/plugin-email/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-email", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Email service plugin for ObjectStack — IEmailService + transport-pluggable outbound delivery with sys_email persistence.", "main": "dist/index.js", diff --git a/packages/plugins/plugin-hono-server/CHANGELOG.md b/packages/plugins/plugin-hono-server/CHANGELOG.md index febdb64b4..497112bf8 100644 --- a/packages/plugins/plugin-hono-server/CHANGELOG.md +++ b/packages/plugins/plugin-hono-server/CHANGELOG.md @@ -1,5 +1,53 @@ # @objectstack/plugin-hono-server +## 14.5.0 + +### Patch Changes + +- 6da03ee: fix(security): `/me/permissions` now reflects permission-set ∩ identity-write-guard, matching real server enforcement (ADR-0057 D10) + + The `/api/v1/auth/me/permissions` per-object map merged each permission set's + explicit `objects` entries most-permissively per key, but treated `'*'` and + named objects as independent keys — so a wildcard "Modify/View All Data" grant + was never propagated into a per-object entry another set explicitly denied. + That made the client's field-level security STRICTER than the server's actual + enforcement (`PermissionEvaluator.checkObjectPermission` allows as soon as any + set grants, including via the `'*'` modifyAll/viewAll super-user bypass, with + no deny-wins). + + The real effective answer for a user-context caller is `permission-set grant ∩ +identity-write-guard policy`, and the payload now computes both: + + 1. `foldWildcardSuperUser` lifts each per-object entry's read/write bits when + the merged `'*'` is a super-user grant — fixing the false-NEGATIVE where a + platform admin (`admin_full_access` `'*': {modifyAllRecords}`) who also holds + `organization_admin` (explicit identity denies) resolved to + `sys_user.allowEdit:false` and a disabled edit form, though the server + accepts the write (`PATCH /data/sys_user {name}` → 200). + 2. `clampManagedObjectWrites` re-clamps `managedBy: 'better-auth'` objects by + their write affordance — fixing the false-POSITIVE the fold would otherwise + introduce: the identity write guard (ADR-0092 D2) blocks user-context writes + on identity tables except where the object opted in (`userActions.edit`), so + `sys_member` / `sys_account` / `sys_session` stay `allowEdit:false` for the + admin (read stays granted). Only `better-auth` objects are clamped — the + guard covers only them; `system`/`config`/`append-only` objects have no such + guard and their permission-set result stands. + + Net: the Console's per-object FLS now equals real server enforcement — the + ADR-0092 D4 `sys_user` profile-edit affordance is unblocked for platform admins + (the guard still narrows the write to `{name, image}`), and no other identity + table is shown as editable when the guard would reject it. + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/observability@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-hono-server/package.json b/packages/plugins/plugin-hono-server/package.json index d8e0c4e9a..92ebbd1ad 100644 --- a/packages/plugins/plugin-hono-server/package.json +++ b/packages/plugins/plugin-hono-server/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-hono-server", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Standard Hono Server Adapter for ObjectStack Runtime", "main": "dist/index.js", diff --git a/packages/plugins/plugin-reports/CHANGELOG.md b/packages/plugins/plugin-reports/CHANGELOG.md index 3b3676650..d7a651a01 100644 --- a/packages/plugins/plugin-reports/CHANGELOG.md +++ b/packages/plugins/plugin-reports/CHANGELOG.md @@ -1,5 +1,21 @@ # @objectstack/plugin-reports +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-reports/package.json b/packages/plugins/plugin-reports/package.json index b21255f5e..85f4d1e01 100644 --- a/packages/plugins/plugin-reports/package.json +++ b/packages/plugins/plugin-reports/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-reports", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Saved reports + scheduled email digests for ObjectStack — sys_saved_report + sys_report_schedule + IReportService.", "main": "dist/index.js", diff --git a/packages/plugins/plugin-security/CHANGELOG.md b/packages/plugins/plugin-security/CHANGELOG.md index 8fd70d77c..cceaa5621 100644 --- a/packages/plugins/plugin-security/CHANGELOG.md +++ b/packages/plugins/plugin-security/CHANGELOG.md @@ -1,5 +1,60 @@ # @objectstack/plugin-security +## 14.5.0 + +### Minor Changes + +- f70eb2c: ADR-0090 D10 — agent/service intersection runtime. When a request's principal acts `onBehalfOf` a user (an AI agent or a service acting for a person), the effective permission is now the INTERSECTION of the principal's own grants and the delegator's grants — never the union. Confused-deputy prevention: an over-privileged agent may never see or touch anything the user it stands in for could not, and vice-versa. Previously `principalKind:'agent'` / `onBehalfOf` was a P1 context shape the evaluator did not read. + + The intersection is applied at EVERY axis, gated on the presence of the delegation link so the ordinary (non-delegated) path is byte-identical: + + - **plugin-security** middleware — the delegator's effective permission sets are reconstructed once (fail-CLOSED if the delegator no longer exists — a dangling link is denied, not resolved to the additive baseline) and AND-composed into: the required-capability gate, object CRUD, field-level security (read mask + write forbid + predicate-oracle guard), the row-level `using` pre-image on by-id writes, the `check` post-image, and the RLS read-filter injection. View/Modify-All only survives when BOTH principals hold it. + - **plugin-sharing** middleware — the OWD/record-sharing owner-match is IDENTITY-scoped, so it re-runs the visibility filter (and `canEdit`) under the delegator's own identity + depth and AND-s it in. An agent with View-All acting on behalf of a plain member therefore sees exactly that member's own rows — not everyone's, and not nothing. + - **explain engine** — every layer reports the narrower verdict when `onBehalfOf` is set, so the D6 access explanation stays truthful for delegated principals; a dangling delegator is reported as a fail-closed deny. + + First-cut scope (documented in code + covered by tests): one delegation hop (the `onBehalfOf` shape carries a single delegator, and any single-hop intersection is a safe lower bound on a true multi-hop chain); tenant-scoped substitution bags (`tenantId`, `org_user_ids`, `email`) are inherited from the live principal, while person-specific membership bags left unresolved narrow rather than widen. The agent grant-ceiling lint (D10 rule 2) is a follow-up — the runtime intersection already caps the agent regardless of what its own sets carry, and a lint needs an agent-set designation convention that does not yet exist. + +- d79ca07: ADR-0090 D10 — activate the agent principal (OAuth → `principalKind:'agent'` + scope-derived ceiling). This wires the _producer_ side of the D10 intersection that shipped in #2838, so it stops being dormant: an MCP request authenticated with an OAuth access token is now resolved as an AI **agent acting on behalf of** the human `sub`, and its effective permission is the intersection of a scope-derived capability ceiling AND the user's own grants. + + - **`resolve-execution-context` (producer)**: when a verified MCP OAuth token names an authorized client (`azp`), the request resolves to `principalKind:'agent'` with `onBehalfOf:{ userId }` (the human), and the agent's OWN grants are replaced by the scope-derived ceiling — `data:read` → read-only, `data:write` → full CRUD, neither → no data access. `userId` stays the human so owner-stamping and `current_user.*` RLS resolve to them; the user-derived `systemPermissions` are cleared so a cap-gated action can't ride the user's capabilities. A token without a client stays a `human` principal. + - **`plugin-security`**: three built-in ceiling sets (`mcp_agent_data_read` / `mcp_agent_data_write` / `mcp_agent_restricted`) — pure CRUD bits, no row-level security (all row/owner/tenant narrowing comes from the delegating user on the other side of the intersection). An `agent` principal skips the additive human baseline (`member_default`) — its grants are exactly its ceiling — and its fallback is the restricted (no-object-access) set, so a mis-resolved agent fails CLOSED, never open. + - **`spec`**: `MCP_AGENT_PERMISSION_SET_*` names + `scopesToAgentPermissionSets()`, single-sourced next to the OAuth scope constants. + + **Behaviour change (a security tightening).** Previously an MCP OAuth request executed with the FULL authority of the logged-in user, and scopes narrowed only the tool surface. Now the scope is also a real data-layer ceiling: a `data:read` token can never write ANY record, even via a crafted call, no matter what the user could do. This is strictly consistent with the existing contract that "a scope can never grant more than the user could do" — the intersection only ever narrows — and closes the gap where a compromised or confused agent could act with the user's full reach. + + Verified end-to-end: a `data:read` agent acting for a member who owns a record can read it but cannot edit or create; a `data:write` agent for the same user can. Producer mapping unit-tested in `@objectstack/runtime`; enforcement dogfooded against the served engine (`showcase-agent-scope-ceiling`). + +### Patch Changes + +- c044f08: **Security fix (Critical): the settings HTTP routes no longer trust spoofable identity headers, and writes are now capability-gated.** + + Previously `GET/PUT/POST /api/settings/*` derived the caller's identity from `x-user-id` / `x-tenant-id` / `x-permissions` request headers (the route default), and `setMany` performed **no permission check** — so on a standard `os serve --server` deployment (settings + HTTP server composed by default, routes registered on the raw app with no auth middleware) an **unauthenticated** remote client could write tenant- or platform-scoped settings (including the auth security-policy, localization, and company manifests) and enumerate every namespace. + + Fixes: + + - **Verified identity.** `SettingsServicePlugin` now derives the caller's identity and capabilities from the platform's verified resolution (`resolveAuthzContext` — session cookie / API key / OAuth), never from request headers. The route default is now SECURE: it trusts no identity header and yields an anonymous, denied context. + - **Capability gates.** Manifest `readPermission` / `writePermission` are enforced for HTTP callers: reads of a protected namespace, writes, and actions require the declared capability (writes default to at least the read capability, never ungated). Enforced via a new `enforced` flag set only at the HTTP boundary — **in-process/boot callers (`kernel.getService('settings')`, seed) are unchanged** and keep full trusted access. + - Unauthenticated HTTP callers can no longer enumerate protected manifests or write; a `403 SETTINGS_FORBIDDEN` is returned when the capability is missing. + + **`setup.write` capability now real.** Enforcing the manifests' declared `writePermission` surfaced a modeling gap: `setup.write` (the write counterpart to `setup.access`, used by the branding / company / localization / feature-flag manifests) was referenced but never declared or granted — so under enforcement _nobody_, not even an admin, could write those namespaces. It is now a declared platform capability (`PLATFORM_CAPABILITIES`) held by `admin_full_access` and `organization_admin`, alongside `setup.access`. + + **Behaviour change:** a deployment that relied on the old header-trusted default must present a real verified session/API-key/OAuth credential (which the console already does). A custom integration may still inject its own `contextFromRequest`. + + Found by an adversarial security review of the request→ExecutionContext trust boundary. + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/plugins/plugin-security/package.json b/packages/plugins/plugin-security/package.json index d8cd5c25b..6d5ed10f9 100644 --- a/packages/plugins/plugin-security/package.json +++ b/packages/plugins/plugin-security/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-security", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Security Plugin for ObjectStack — RBAC, RLS, and Field-Level Security Runtime", "main": "dist/index.js", diff --git a/packages/plugins/plugin-sharing/CHANGELOG.md b/packages/plugins/plugin-sharing/CHANGELOG.md index ff97f4541..f410b43e7 100644 --- a/packages/plugins/plugin-sharing/CHANGELOG.md +++ b/packages/plugins/plugin-sharing/CHANGELOG.md @@ -1,5 +1,50 @@ # @objectstack/plugin-sharing +## 14.5.0 + +### Minor Changes + +- f70eb2c: ADR-0090 D10 — agent/service intersection runtime. When a request's principal acts `onBehalfOf` a user (an AI agent or a service acting for a person), the effective permission is now the INTERSECTION of the principal's own grants and the delegator's grants — never the union. Confused-deputy prevention: an over-privileged agent may never see or touch anything the user it stands in for could not, and vice-versa. Previously `principalKind:'agent'` / `onBehalfOf` was a P1 context shape the evaluator did not read. + + The intersection is applied at EVERY axis, gated on the presence of the delegation link so the ordinary (non-delegated) path is byte-identical: + + - **plugin-security** middleware — the delegator's effective permission sets are reconstructed once (fail-CLOSED if the delegator no longer exists — a dangling link is denied, not resolved to the additive baseline) and AND-composed into: the required-capability gate, object CRUD, field-level security (read mask + write forbid + predicate-oracle guard), the row-level `using` pre-image on by-id writes, the `check` post-image, and the RLS read-filter injection. View/Modify-All only survives when BOTH principals hold it. + - **plugin-sharing** middleware — the OWD/record-sharing owner-match is IDENTITY-scoped, so it re-runs the visibility filter (and `canEdit`) under the delegator's own identity + depth and AND-s it in. An agent with View-All acting on behalf of a plain member therefore sees exactly that member's own rows — not everyone's, and not nothing. + - **explain engine** — every layer reports the narrower verdict when `onBehalfOf` is set, so the D6 access explanation stays truthful for delegated principals; a dangling delegator is reported as a fail-closed deny. + + First-cut scope (documented in code + covered by tests): one delegation hop (the `onBehalfOf` shape carries a single delegator, and any single-hop intersection is a safe lower bound on a true multi-hop chain); tenant-scoped substitution bags (`tenantId`, `org_user_ids`, `email`) are inherited from the live principal, while person-specific membership bags left unresolved narrow rather than widen. The agent grant-ceiling lint (D10 rule 2) is a follow-up — the runtime intersection already caps the agent regardless of what its own sets carry, and a lint needs an agent-set designation convention that does not yet exist. + +- 01274eb: **Security fix (#2851): the share-link HTTP routes no longer trust spoofable identity headers, and the service enforces ownership.** + + The raw-app share-link routes (`POST/GET/DELETE /api/v1/share-links`, registered by `SharingServicePlugin`) derived the caller from `x-user-id` / `x-tenant-id` request headers, and the service ignored the caller context on revoke. So a client could forge link attribution, enumerate another user's link tokens (`GET ?createdBy=` → tokens that resolve records under a system context, bypassing RLS), and revoke arbitrary users' links. + + Fixes: + + - **Verified identity.** `SharingServicePlugin` now derives the caller (and their positions/permissions) from the platform's verified resolution (`resolveAuthzContext` — session / API key / OAuth), never from headers. The route default is SECURE (anonymous). Create / list / revoke require a signed-in principal (401 otherwise); the public `/:token/resolve` route stays public (the token is the authorization) but keys its `audience: 'signed_in'` check off the verified session rather than a spoofable `x-user-id`. + - **List scoping.** `GET /api/v1/share-links` is forced to the caller's own links — a client can no longer pass `?createdBy=` to enumerate others' tokens. + - **Revoke ownership.** `revokeLink` now requires the caller to be the link's creator (system/internal callers bypass). Previously the caller context was ignored, so anyone could revoke any link (sharing DoS). + - **Create access check.** `createLink` verifies the record is visible to the caller (read under the caller's own RLS) before minting a link — you can only share a record you can actually see. Internal (system) callers are unchanged. + + `ShareLinkExecutionContext` gains optional `positions` / `permissions` so the record-access check evaluates the real principal. + + Found by an adversarial security review of the request→ExecutionContext trust boundary (companion to the settings-routes fix, #2848). + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/plugins/plugin-sharing/package.json b/packages/plugins/plugin-sharing/package.json index ba73760f2..9044773db 100644 --- a/packages/plugins/plugin-sharing/package.json +++ b/packages/plugins/plugin-sharing/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-sharing", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Record-level sharing for ObjectStack — sys_record_share + middleware that enforces sharingModel + ISharingService.", "main": "dist/index.js", diff --git a/packages/plugins/plugin-webhooks/CHANGELOG.md b/packages/plugins/plugin-webhooks/CHANGELOG.md index 70c12aafd..1d61f9467 100644 --- a/packages/plugins/plugin-webhooks/CHANGELOG.md +++ b/packages/plugins/plugin-webhooks/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/plugin-webhooks +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/service-messaging@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/plugins/plugin-webhooks/package.json b/packages/plugins/plugin-webhooks/package.json index 53b0c1197..5df2a6199 100644 --- a/packages/plugins/plugin-webhooks/package.json +++ b/packages/plugins/plugin-webhooks/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/plugin-webhooks", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Persistent, cluster-aware webhook dispatcher. Durable outbox + per-partition cluster.lock for exactly-once-ish delivery across nodes. See content/docs/concepts/webhook-delivery.mdx.", "type": "module", diff --git a/packages/rest/CHANGELOG.md b/packages/rest/CHANGELOG.md index c7b663f40..a4f0a7a9d 100644 --- a/packages/rest/CHANGELOG.md +++ b/packages/rest/CHANGELOG.md @@ -1,5 +1,41 @@ # @objectstack/rest +## 14.5.0 + +### Patch Changes + +- 4d9dd7b: fix(rest): validate required fields in import dry-run to match the real insert + + The bulk-import dry run (`POST /data/:object/import`, `dryRun:true`) only ran cell + coercion and reported every coercible CREATE row as ok — so a row missing a required + NOT-NULL field with no default was green-lit, then died on the real insert with + `NOT NULL constraint failed`. The ImportWizard shows the dry-run result, so it + promised imports that then failed. + + Add a required-field pre-check to the shared import runner (CREATE rows only), + mirroring the engine's insert-time validation (`objectql/record-validator.ts` + + `applyFieldDefaults`): a required field is unsatisfied only when it has no value AND + no default; `system`/`readonly`/`autonumber` and the engine-owned lifecycle columns + are exempt. `ExportFieldMeta` gains `required`/`system`/`readonly`/`hasDefault` + (populated by `buildFieldMetaMap`). Applied to both dry-run and real paths so they + stay identical and a real insert returns a readable ` is required` instead of + a raw driver error; skipped when `runAutomations` is set (a beforeInsert hook may + populate the field). + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/service-package@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/rest/package.json b/packages/rest/package.json index abf45b296..648637de8 100644 --- a/packages/rest/package.json +++ b/packages/rest/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/rest", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack REST API Server - automatic REST endpoint generation from protocol", "type": "module", diff --git a/packages/runtime/CHANGELOG.md b/packages/runtime/CHANGELOG.md index 8c8193b61..3f1d5cb35 100644 --- a/packages/runtime/CHANGELOG.md +++ b/packages/runtime/CHANGELOG.md @@ -1,5 +1,63 @@ # @objectstack/runtime +## 14.5.0 + +### Minor Changes + +- 261aff5: ADR-0090 D10 (follow-up) — an MCP agent may now invoke the business **actions** its delegating user can run, gated by the `actions:execute` scope. Previously an agent principal carried no system capabilities, so any capability-gated action (`requiredPermissions`) was denied even when the user was entitled to it. + + `resolve-execution-context` now keeps the delegating user's `systemPermissions` on the agent context **only when the token carries `actions:execute`** (otherwise none — and the MCP tool surface already hides the action tools). The `actions:execute` scope is the user's explicit consent to let the agent act on their behalf, so the capability gate (`actionPermissionError`) is delegated accordingly. + + This never widens the agent's **data** reach: what an action reads or writes still flows through the object CRUD/FLS/RLS ceiling ∩ user intersection. A `data:read` agent that invokes a writing action is still blocked at the write; even a `data:write` agent cannot touch better-auth-managed tables; and capability-gated **object** access stays denied to the agent (that gate is driven by the resolved ceiling sets, which carry no capabilities). The residual is a capability-gated action whose effect is purely external (email, webhook) — exactly what `actions:execute` consents to. Tighter per-action agent scoping is the per-client-grants follow-up. + +- d79ca07: ADR-0090 D10 — activate the agent principal (OAuth → `principalKind:'agent'` + scope-derived ceiling). This wires the _producer_ side of the D10 intersection that shipped in #2838, so it stops being dormant: an MCP request authenticated with an OAuth access token is now resolved as an AI **agent acting on behalf of** the human `sub`, and its effective permission is the intersection of a scope-derived capability ceiling AND the user's own grants. + + - **`resolve-execution-context` (producer)**: when a verified MCP OAuth token names an authorized client (`azp`), the request resolves to `principalKind:'agent'` with `onBehalfOf:{ userId }` (the human), and the agent's OWN grants are replaced by the scope-derived ceiling — `data:read` → read-only, `data:write` → full CRUD, neither → no data access. `userId` stays the human so owner-stamping and `current_user.*` RLS resolve to them; the user-derived `systemPermissions` are cleared so a cap-gated action can't ride the user's capabilities. A token without a client stays a `human` principal. + - **`plugin-security`**: three built-in ceiling sets (`mcp_agent_data_read` / `mcp_agent_data_write` / `mcp_agent_restricted`) — pure CRUD bits, no row-level security (all row/owner/tenant narrowing comes from the delegating user on the other side of the intersection). An `agent` principal skips the additive human baseline (`member_default`) — its grants are exactly its ceiling — and its fallback is the restricted (no-object-access) set, so a mis-resolved agent fails CLOSED, never open. + - **`spec`**: `MCP_AGENT_PERMISSION_SET_*` names + `scopesToAgentPermissionSets()`, single-sourced next to the OAuth scope constants. + + **Behaviour change (a security tightening).** Previously an MCP OAuth request executed with the FULL authority of the logged-in user, and scopes narrowed only the tool surface. Now the scope is also a real data-layer ceiling: a `data:read` token can never write ANY record, even via a crafted call, no matter what the user could do. This is strictly consistent with the existing contract that "a scope can never grant more than the user could do" — the intersection only ever narrows — and closes the gap where a compromised or confused agent could act with the user's full reach. + + Verified end-to-end: a `data:read` agent acting for a member who owns a record can read it but cannot edit or create; a `data:write` agent for the same user can. Producer mapping unit-tested in `@objectstack/runtime`; enforcement dogfooded against the served engine (`showcase-agent-scope-ceiling`). + +### Patch Changes + +- 5f43f88: **Security fix (#2852): `/analytics/query` and `/analytics/sql` now run scoped to the caller.** + + `handleAnalytics` dropped the request's execution context — `analyticsService.query(body)` was called with no context, so the analytics service's per-object read-scope provider (`getReadScope` → security `getReadFilter`) received `undefined` and applied **no tenant/RLS filter**. An authenticated caller could query analytics datasets and receive rows their row-level security would otherwise hide. + + Fix: thread `context.executionContext` into `analyticsService.query(…)` and `generateSql(…)` (both already accept it), so each object in the query is scoped by its per-object read filter. + + Note: the analytics read-scope provider (`getReadFilter`) does not yet apply the ADR-0090 D10 agent delegator intersection — latent today because analytics is not reachable over the OAuth `/mcp` surface; tracked in #2852 for when it is. + +- Updated dependencies [526805e] +- Updated dependencies [f70eb2c] +- Updated dependencies [d79ca07] +- Updated dependencies [a348394] +- Updated dependencies [4d9dd7b] +- Updated dependencies [5bced2f] +- Updated dependencies [3fd87b2] +- Updated dependencies [33ebd34] +- Updated dependencies [e2c05d6] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/plugin-security@14.5.0 + - @objectstack/plugin-auth@14.5.0 + - @objectstack/rest@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + - @objectstack/metadata@14.5.0 + - @objectstack/observability@14.5.0 + - @objectstack/driver-memory@14.5.0 + - @objectstack/driver-sql@14.5.0 + - @objectstack/driver-sqlite-wasm@14.5.0 + - @objectstack/service-cluster@14.5.0 + - @objectstack/service-datasource@14.5.0 + - @objectstack/service-i18n@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/runtime/package.json b/packages/runtime/package.json index f26a11666..73a7007b4 100644 --- a/packages/runtime/package.json +++ b/packages/runtime/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/runtime", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack Core Runtime & Query Engine", "type": "module", diff --git a/packages/sdui-parser/CHANGELOG.md b/packages/sdui-parser/CHANGELOG.md index 151bdd9b6..a5c01b285 100644 --- a/packages/sdui-parser/CHANGELOG.md +++ b/packages/sdui-parser/CHANGELOG.md @@ -1,5 +1,7 @@ # @objectstack/sdui-parser +## 14.5.0 + ## 14.4.0 ## 14.3.0 diff --git a/packages/sdui-parser/package.json b/packages/sdui-parser/package.json index 9e1b0f2c3..615f939e9 100644 --- a/packages/sdui-parser/package.json +++ b/packages/sdui-parser/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/sdui-parser", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "ObjectStack constrained JSX-source → SDUI SchemaNode tree compiler (parse, never execute). Isomorphic, zero React. ADR-0080.", "main": "dist/index.js", diff --git a/packages/services/service-analytics/CHANGELOG.md b/packages/services/service-analytics/CHANGELOG.md index e3498f360..16a04d5ce 100644 --- a/packages/services/service-analytics/CHANGELOG.md +++ b/packages/services/service-analytics/CHANGELOG.md @@ -1,5 +1,17 @@ # Changelog — @objectstack/service-analytics +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-analytics/package.json b/packages/services/service-analytics/package.json index 20a22b31a..7444d6c7d 100644 --- a/packages/services/service-analytics/package.json +++ b/packages/services/service-analytics/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-analytics", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Analytics Service for ObjectStack — implements IAnalyticsService with multi-driver strategy pattern (NativeSQL, ObjectQL, InMemory)", "type": "module", diff --git a/packages/services/service-automation/CHANGELOG.md b/packages/services/service-automation/CHANGELOG.md index 0a2d03c96..5edede511 100644 --- a/packages/services/service-automation/CHANGELOG.md +++ b/packages/services/service-automation/CHANGELOG.md @@ -1,5 +1,33 @@ # @objectstack/service-automation +## 14.5.0 + +### Minor Changes + +- 33ebd34: ADR-0057 (#2834): `retention.onlyWhen` status predicate — mixed tables can scope the age reap. + + - **spec**: `lifecycle.retention.onlyWhen` — a row filter (per-field equality or `{ $in: [...] }`) the retention window applies to; rows outside it are retained regardless of age. Rejected when combined with rotation `storage` (shard DROPs ignore filters) or `archive` (the Archiver moves rows by age alone). + - **objectql**: the LifecycleService Reaper merges `onlyWhen` into every retention delete, including tenant-override passes. + - **service-automation**: the run-history age sweep is now declarative — `sys_automation_run` declares `retention: { maxAge: '30d', onlyWhen: { status: { $in: ['completed', 'failed'] } } }` and the platform Reaper owns it; suspended (`paused`) runs never match. The plugin's own sweep loop is retired: `ObjectStoreSuspendedRunStore.pruneHistory`, the `DEFAULT_RUN_HISTORY_RETENTION_DAYS` export, and the `runHistoryRetentionDays` / `runHistorySweepMs` plugin options are removed (launch-window breaking-as-minor). The write-time per-flow overflow cap (`runHistoryMaxPerFlow`) stays. + +### Patch Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/formula@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/services/service-automation/package.json b/packages/services/service-automation/package.json index 11a0bada9..a5974856c 100644 --- a/packages/services/service-automation/package.json +++ b/packages/services/service-automation/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-automation", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Automation Service for ObjectStack — implements IAutomationService with plugin-based DAG flow execution engine", "type": "module", diff --git a/packages/services/service-cache/CHANGELOG.md b/packages/services/service-cache/CHANGELOG.md index 7cc6e1e0e..0f5abb26c 100644 --- a/packages/services/service-cache/CHANGELOG.md +++ b/packages/services/service-cache/CHANGELOG.md @@ -1,5 +1,18 @@ # @objectstack/service-cache +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/observability@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-cache/package.json b/packages/services/service-cache/package.json index 700e99176..5f817c7b0 100644 --- a/packages/services/service-cache/package.json +++ b/packages/services/service-cache/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-cache", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Cache Service for ObjectStack — implements ICacheService with in-memory and Redis adapters", "type": "module", diff --git a/packages/services/service-cluster-redis/CHANGELOG.md b/packages/services/service-cluster-redis/CHANGELOG.md index f322c61a8..1ea321824 100644 --- a/packages/services/service-cluster-redis/CHANGELOG.md +++ b/packages/services/service-cluster-redis/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-cluster-redis +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/service-cluster@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-cluster-redis/package.json b/packages/services/service-cluster-redis/package.json index f535959d7..f634ce262 100644 --- a/packages/services/service-cluster-redis/package.json +++ b/packages/services/service-cluster-redis/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-cluster-redis", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Redis cluster driver for ObjectStack — implements IPubSub/ILock/IKV/ICounter against Redis using ioredis.", "type": "module", diff --git a/packages/services/service-cluster/CHANGELOG.md b/packages/services/service-cluster/CHANGELOG.md index cd24d91db..e65f89b71 100644 --- a/packages/services/service-cluster/CHANGELOG.md +++ b/packages/services/service-cluster/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-cluster +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-cluster/package.json b/packages/services/service-cluster/package.json index 0435f0968..92f30cc38 100644 --- a/packages/services/service-cluster/package.json +++ b/packages/services/service-cluster/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-cluster", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Cluster Service for ObjectStack — pluggable PubSub/Lock/KV/Counter primitives. Memory driver included; postgres/redis drivers ship separately.", "type": "module", diff --git a/packages/services/service-datasource/CHANGELOG.md b/packages/services/service-datasource/CHANGELOG.md index 1ddfbf7d2..91b7e12de 100644 --- a/packages/services/service-datasource/CHANGELOG.md +++ b/packages/services/service-datasource/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-external-datasource +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-datasource/package.json b/packages/services/service-datasource/package.json index 1515b2511..3428eb678 100644 --- a/packages/services/service-datasource/package.json +++ b/packages/services/service-datasource/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-datasource", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "The datasource service (ADR-0015): external-table federation (introspect/draft/import/validate) + runtime UI datasource lifecycle (list/test/create/update/remove + REST routes). Open-source mechanism; the tier line falls on which ICryptoProvider / driver factory a host injects.", "type": "module", diff --git a/packages/services/service-i18n/CHANGELOG.md b/packages/services/service-i18n/CHANGELOG.md index dba85f7d1..987c51485 100644 --- a/packages/services/service-i18n/CHANGELOG.md +++ b/packages/services/service-i18n/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-i18n +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-i18n/package.json b/packages/services/service-i18n/package.json index 1a8be0889..a3e559ec9 100644 --- a/packages/services/service-i18n/package.json +++ b/packages/services/service-i18n/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-i18n", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "I18n Service for ObjectStack — implements II18nService with file-based locale loading", "type": "module", diff --git a/packages/services/service-job/CHANGELOG.md b/packages/services/service-job/CHANGELOG.md index f346e4091..f78fb11f3 100644 --- a/packages/services/service-job/CHANGELOG.md +++ b/packages/services/service-job/CHANGELOG.md @@ -1,5 +1,30 @@ # @objectstack/service-job +## 14.5.0 + +### Minor Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-job/package.json b/packages/services/service-job/package.json index d390c9c47..f8d4171f7 100644 --- a/packages/services/service-job/package.json +++ b/packages/services/service-job/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-job", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Job Service for ObjectStack — implements IJobService with setInterval and cron scheduling", "type": "module", diff --git a/packages/services/service-knowledge/CHANGELOG.md b/packages/services/service-knowledge/CHANGELOG.md index 5603c1ac3..b63e6f183 100644 --- a/packages/services/service-knowledge/CHANGELOG.md +++ b/packages/services/service-knowledge/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-knowledge +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-knowledge/package.json b/packages/services/service-knowledge/package.json index 9840f197c..d304ef54d 100644 --- a/packages/services/service-knowledge/package.json +++ b/packages/services/service-knowledge/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-knowledge", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Knowledge Service for ObjectStack — orchestrator implementing IKnowledgeService over pluggable IKnowledgeAdapter backends (RAGFlow, LlamaIndex, Dify, in-memory).", "type": "module", diff --git a/packages/services/service-messaging/CHANGELOG.md b/packages/services/service-messaging/CHANGELOG.md index b135a2e9d..9439014b7 100644 --- a/packages/services/service-messaging/CHANGELOG.md +++ b/packages/services/service-messaging/CHANGELOG.md @@ -1,5 +1,26 @@ # @objectstack/service-messaging +## 14.5.0 + +### Minor Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Minor Changes diff --git a/packages/services/service-messaging/package.json b/packages/services/service-messaging/package.json index dff3ca90e..ba3459602 100644 --- a/packages/services/service-messaging/package.json +++ b/packages/services/service-messaging/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-messaging", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Messaging Service for ObjectStack — outbound notification dispatch (ADR-0012). Ships the MessagingChannel registry, emit() fan-out, and the always-on inbox channel; other channels (email/webhook/push/IM) plug in.", "type": "module", diff --git a/packages/services/service-package/CHANGELOG.md b/packages/services/service-package/CHANGELOG.md index 676eaa41e..361c55851 100644 --- a/packages/services/service-package/CHANGELOG.md +++ b/packages/services/service-package/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-package +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-package/package.json b/packages/services/service-package/package.json index 7b7f98c2d..b3331a060 100644 --- a/packages/services/service-package/package.json +++ b/packages/services/service-package/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-package", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Package management service for ObjectStack — publish, install, and manage packages", "type": "module", diff --git a/packages/services/service-queue/CHANGELOG.md b/packages/services/service-queue/CHANGELOG.md index 4f3374a07..d6eb0a075 100644 --- a/packages/services/service-queue/CHANGELOG.md +++ b/packages/services/service-queue/CHANGELOG.md @@ -1,5 +1,21 @@ # @objectstack/service-queue +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-queue/package.json b/packages/services/service-queue/package.json index 8abcbc8f9..68f2cb9ed 100644 --- a/packages/services/service-queue/package.json +++ b/packages/services/service-queue/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-queue", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Queue Service for ObjectStack — implements IQueueService with in-memory and durable DB-backed (sys_job_queue) adapters", "type": "module", diff --git a/packages/services/service-realtime/CHANGELOG.md b/packages/services/service-realtime/CHANGELOG.md index 8d98ec356..fcac18e73 100644 --- a/packages/services/service-realtime/CHANGELOG.md +++ b/packages/services/service-realtime/CHANGELOG.md @@ -1,5 +1,21 @@ # @objectstack/service-realtime +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-realtime/package.json b/packages/services/service-realtime/package.json index 67106fdec..a6b03ff02 100644 --- a/packages/services/service-realtime/package.json +++ b/packages/services/service-realtime/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-realtime", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Realtime Service for ObjectStack — implements IRealtimeService with WebSocket and in-memory pub/sub", "type": "module", diff --git a/packages/services/service-settings/CHANGELOG.md b/packages/services/service-settings/CHANGELOG.md index 819e1e6c9..f1061936c 100644 --- a/packages/services/service-settings/CHANGELOG.md +++ b/packages/services/service-settings/CHANGELOG.md @@ -1,5 +1,40 @@ # @objectstack/service-settings +## 14.5.0 + +### Minor Changes + +- c044f08: **Security fix (Critical): the settings HTTP routes no longer trust spoofable identity headers, and writes are now capability-gated.** + + Previously `GET/PUT/POST /api/settings/*` derived the caller's identity from `x-user-id` / `x-tenant-id` / `x-permissions` request headers (the route default), and `setMany` performed **no permission check** — so on a standard `os serve --server` deployment (settings + HTTP server composed by default, routes registered on the raw app with no auth middleware) an **unauthenticated** remote client could write tenant- or platform-scoped settings (including the auth security-policy, localization, and company manifests) and enumerate every namespace. + + Fixes: + + - **Verified identity.** `SettingsServicePlugin` now derives the caller's identity and capabilities from the platform's verified resolution (`resolveAuthzContext` — session cookie / API key / OAuth), never from request headers. The route default is now SECURE: it trusts no identity header and yields an anonymous, denied context. + - **Capability gates.** Manifest `readPermission` / `writePermission` are enforced for HTTP callers: reads of a protected namespace, writes, and actions require the declared capability (writes default to at least the read capability, never ungated). Enforced via a new `enforced` flag set only at the HTTP boundary — **in-process/boot callers (`kernel.getService('settings')`, seed) are unchanged** and keep full trusted access. + - Unauthenticated HTTP callers can no longer enumerate protected manifests or write; a `403 SETTINGS_FORBIDDEN` is returned when the capability is missing. + + **`setup.write` capability now real.** Enforcing the manifests' declared `writePermission` surfaced a modeling gap: `setup.write` (the write counterpart to `setup.access`, used by the branding / company / localization / feature-flag manifests) was referenced but never declared or granted — so under enforcement _nobody_, not even an admin, could write those namespaces. It is now a declared platform capability (`PLATFORM_CAPABILITIES`) held by `admin_full_access` and `organization_admin`, alongside `setup.access`. + + **Behaviour change:** a deployment that relied on the old header-trusted default must present a real verified session/API-key/OAuth credential (which the console already does). A custom integration may still inject its own `contextFromRequest`. + + Found by an adversarial security review of the request→ExecutionContext trust boundary. + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/types@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-settings/package.json b/packages/services/service-settings/package.json index 291f84239..13edbf529 100644 --- a/packages/services/service-settings/package.json +++ b/packages/services/service-settings/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-settings", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Settings service for ObjectStack — manifest registry + K/V resolver (OS_* env > Tenant > User > Default) + REST routes. See ADR-0007.", "type": "module", diff --git a/packages/services/service-sms/CHANGELOG.md b/packages/services/service-sms/CHANGELOG.md index ad7a3562d..27cf35aca 100644 --- a/packages/services/service-sms/CHANGELOG.md +++ b/packages/services/service-sms/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/service-sms +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-sms/package.json b/packages/services/service-sms/package.json index 1a89375be..1df8ce796 100644 --- a/packages/services/service-sms/package.json +++ b/packages/services/service-sms/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-sms", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "SMS service for ObjectStack — ISmsService + transport-pluggable outbound delivery (Aliyun / Twilio / log).", "main": "dist/index.js", diff --git a/packages/services/service-storage/CHANGELOG.md b/packages/services/service-storage/CHANGELOG.md index 0eef11b1b..83f5d3b97 100644 --- a/packages/services/service-storage/CHANGELOG.md +++ b/packages/services/service-storage/CHANGELOG.md @@ -1,5 +1,22 @@ # @objectstack/service-storage +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] +- Updated dependencies [8f23746] +- Updated dependencies [b97af7e] +- Updated dependencies [6da03ee] + - @objectstack/spec@14.5.0 + - @objectstack/platform-objects@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/observability@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/services/service-storage/package.json b/packages/services/service-storage/package.json index 112af1c60..149f15236 100644 --- a/packages/services/service-storage/package.json +++ b/packages/services/service-storage/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/service-storage", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Storage Service for ObjectStack — implements IStorageService with local filesystem and S3 adapter skeleton", "type": "module", diff --git a/packages/spec/CHANGELOG.md b/packages/spec/CHANGELOG.md index b503cff79..c66d70165 100644 --- a/packages/spec/CHANGELOG.md +++ b/packages/spec/CHANGELOG.md @@ -1,5 +1,63 @@ # @objectstack/spec +## 14.5.0 + +### Minor Changes + +- 526805e: ADR-0057 data-lifecycle follow-ups (#2834): the per-plugin retention sweepers are retired, telemetry separation goes live in dev, and the lifecycle contract reaches the Studio. + + - **BREAKING (ships as minor per the launch-window convention)**: `JobRunRetention` / `NotificationRetention` and the `retentionDays` / `retentionSweepMs` options on `JobServicePlugin` / `MessagingServicePlugin` are removed. The platform LifecycleService enforces the same windows from the `lifecycle` declarations (`sys_job_run` 30d, notification pipeline 90d); tune them at runtime via the `lifecycle` settings namespace (`retention_overrides`, tenant-scoped). + - **Fix**: `sys_automation_run` no longer declares a blanket 30d lifecycle retention — that table interleaves live SUSPENDED runs (an approval may stay paused for months) with terminal history, and a blanket age reap could strand in-flight approvals. Bounding stays with the automation store's terminal-only sweep. + - **CLI**: `objectstack dev` now provisions a dedicated `telemetry` datasource (`.telemetry.db`) for file-backed SQLite primaries, so lifecycle-classed system data stops sharing the business dev DB (`OS_TELEMETRY_DB=0` opts out; `OS_TELEMETRY_DB=` opts in anywhere). New `os db clean` runs the one-time `VACUUM` that lets legacy files adopt `auto_vacuum=INCREMENTAL` and reports reclaimed bytes. + - **Studio**: the object metadata form exposes the `lifecycle` block (class + retention/TTL/rotation/archive/reclaim); metadata-forms i18n bundles regenerated with curated zh-CN translations. + +- d79ca07: ADR-0090 D10 — activate the agent principal (OAuth → `principalKind:'agent'` + scope-derived ceiling). This wires the _producer_ side of the D10 intersection that shipped in #2838, so it stops being dormant: an MCP request authenticated with an OAuth access token is now resolved as an AI **agent acting on behalf of** the human `sub`, and its effective permission is the intersection of a scope-derived capability ceiling AND the user's own grants. + + - **`resolve-execution-context` (producer)**: when a verified MCP OAuth token names an authorized client (`azp`), the request resolves to `principalKind:'agent'` with `onBehalfOf:{ userId }` (the human), and the agent's OWN grants are replaced by the scope-derived ceiling — `data:read` → read-only, `data:write` → full CRUD, neither → no data access. `userId` stays the human so owner-stamping and `current_user.*` RLS resolve to them; the user-derived `systemPermissions` are cleared so a cap-gated action can't ride the user's capabilities. A token without a client stays a `human` principal. + - **`plugin-security`**: three built-in ceiling sets (`mcp_agent_data_read` / `mcp_agent_data_write` / `mcp_agent_restricted`) — pure CRUD bits, no row-level security (all row/owner/tenant narrowing comes from the delegating user on the other side of the intersection). An `agent` principal skips the additive human baseline (`member_default`) — its grants are exactly its ceiling — and its fallback is the restricted (no-object-access) set, so a mis-resolved agent fails CLOSED, never open. + - **`spec`**: `MCP_AGENT_PERMISSION_SET_*` names + `scopesToAgentPermissionSets()`, single-sourced next to the OAuth scope constants. + + **Behaviour change (a security tightening).** Previously an MCP OAuth request executed with the FULL authority of the logged-in user, and scopes narrowed only the tool surface. Now the scope is also a real data-layer ceiling: a `data:read` token can never write ANY record, even via a crafted call, no matter what the user could do. This is strictly consistent with the existing contract that "a scope can never grant more than the user could do" — the intersection only ever narrows — and closes the gap where a compromised or confused agent could act with the user's full reach. + + Verified end-to-end: a `data:read` agent acting for a member who owns a record can read it but cannot edit or create; a `data:write` agent for the same user can. Producer mapping unit-tested in `@objectstack/runtime`; enforcement dogfooded against the served engine (`showcase-agent-scope-ceiling`). + +- 33ebd34: ADR-0057 (#2834): `retention.onlyWhen` status predicate — mixed tables can scope the age reap. + + - **spec**: `lifecycle.retention.onlyWhen` — a row filter (per-field equality or `{ $in: [...] }`) the retention window applies to; rows outside it are retained regardless of age. Rejected when combined with rotation `storage` (shard DROPs ignore filters) or `archive` (the Archiver moves rows by age alone). + - **objectql**: the LifecycleService Reaper merges `onlyWhen` into every retention delete, including tenant-override passes. + - **service-automation**: the run-history age sweep is now declarative — `sys_automation_run` declares `retention: { maxAge: '30d', onlyWhen: { status: { $in: ['completed', 'failed'] } } }` and the platform Reaper owns it; suspended (`paused`) runs never match. The plugin's own sweep loop is retired: `ObjectStoreSuspendedRunStore.pruneHistory`, the `DEFAULT_RUN_HISTORY_RETENTION_DAYS` export, and the `runHistoryRetentionDays` / `runHistorySweepMs` plugin options are removed (launch-window breaking-as-minor). The write-time per-flow overflow cap (`runHistoryMaxPerFlow`) stays. + +- c044f08: **Security fix (Critical): the settings HTTP routes no longer trust spoofable identity headers, and writes are now capability-gated.** + + Previously `GET/PUT/POST /api/settings/*` derived the caller's identity from `x-user-id` / `x-tenant-id` / `x-permissions` request headers (the route default), and `setMany` performed **no permission check** — so on a standard `os serve --server` deployment (settings + HTTP server composed by default, routes registered on the raw app with no auth middleware) an **unauthenticated** remote client could write tenant- or platform-scoped settings (including the auth security-policy, localization, and company manifests) and enumerate every namespace. + + Fixes: + + - **Verified identity.** `SettingsServicePlugin` now derives the caller's identity and capabilities from the platform's verified resolution (`resolveAuthzContext` — session cookie / API key / OAuth), never from request headers. The route default is now SECURE: it trusts no identity header and yields an anonymous, denied context. + - **Capability gates.** Manifest `readPermission` / `writePermission` are enforced for HTTP callers: reads of a protected namespace, writes, and actions require the declared capability (writes default to at least the read capability, never ungated). Enforced via a new `enforced` flag set only at the HTTP boundary — **in-process/boot callers (`kernel.getService('settings')`, seed) are unchanged** and keep full trusted access. + - Unauthenticated HTTP callers can no longer enumerate protected manifests or write; a `403 SETTINGS_FORBIDDEN` is returned when the capability is missing. + + **`setup.write` capability now real.** Enforcing the manifests' declared `writePermission` surfaced a modeling gap: `setup.write` (the write counterpart to `setup.access`, used by the branding / company / localization / feature-flag manifests) was referenced but never declared or granted — so under enforcement _nobody_, not even an admin, could write those namespaces. It is now a declared platform capability (`PLATFORM_CAPABILITIES`) held by `admin_full_access` and `organization_admin`, alongside `setup.access`. + + **Behaviour change:** a deployment that relied on the old header-trusted default must present a real verified session/API-key/OAuth credential (which the console already does). A custom integration may still inject its own `contextFromRequest`. + + Found by an adversarial security review of the request→ExecutionContext trust boundary. + +- 01274eb: **Security fix (#2851): the share-link HTTP routes no longer trust spoofable identity headers, and the service enforces ownership.** + + The raw-app share-link routes (`POST/GET/DELETE /api/v1/share-links`, registered by `SharingServicePlugin`) derived the caller from `x-user-id` / `x-tenant-id` request headers, and the service ignored the caller context on revoke. So a client could forge link attribution, enumerate another user's link tokens (`GET ?createdBy=` → tokens that resolve records under a system context, bypassing RLS), and revoke arbitrary users' links. + + Fixes: + + - **Verified identity.** `SharingServicePlugin` now derives the caller (and their positions/permissions) from the platform's verified resolution (`resolveAuthzContext` — session / API key / OAuth), never from headers. The route default is SECURE (anonymous). Create / list / revoke require a signed-in principal (401 otherwise); the public `/:token/resolve` route stays public (the token is the authorization) but keys its `audience: 'signed_in'` check off the verified session rather than a spoofable `x-user-id`. + - **List scoping.** `GET /api/v1/share-links` is forced to the caller's own links — a client can no longer pass `?createdBy=` to enumerate others' tokens. + - **Revoke ownership.** `revokeLink` now requires the caller to be the link's creator (system/internal callers bypass). Previously the caller context was ignored, so anyone could revoke any link (sharing DoS). + - **Create access check.** `createLink` verifies the record is visible to the caller (read under the caller's own RLS) before minting a link — you can only share a record you can actually see. Internal (system) callers are unchanged. + + `ShareLinkExecutionContext` gains optional `positions` / `permissions` so the record-access check evaluates the real principal. + + Found by an adversarial security review of the request→ExecutionContext trust boundary (companion to the settings-routes fix, #2848). + ## 14.4.0 ### Minor Changes diff --git a/packages/spec/package.json b/packages/spec/package.json index 8da98dbf8..9dacf60b5 100644 --- a/packages/spec/package.json +++ b/packages/spec/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/spec", - "version": "14.4.0", + "version": "14.5.0", "description": "ObjectStack Protocol & Specification - TypeScript Interfaces, JSON Schemas, and Convention Configurations", "license": "Apache-2.0", "main": "dist/index.js", diff --git a/packages/triggers/trigger-api/CHANGELOG.md b/packages/triggers/trigger-api/CHANGELOG.md index 456c6d17e..8144d2e79 100644 --- a/packages/triggers/trigger-api/CHANGELOG.md +++ b/packages/triggers/trigger-api/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/trigger-api +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/triggers/trigger-api/package.json b/packages/triggers/trigger-api/package.json index 343717a6e..8ada42100 100644 --- a/packages/triggers/trigger-api/package.json +++ b/packages/triggers/trigger-api/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/trigger-api", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Inbound HTTP/webhook flow trigger for ObjectStack — per-flow HMAC-verified endpoints with queue-backed ingestion (ADR-0041)", "main": "dist/index.js", diff --git a/packages/triggers/trigger-record-change/CHANGELOG.md b/packages/triggers/trigger-record-change/CHANGELOG.md index 9d5b0fbf6..36578fb06 100644 --- a/packages/triggers/trigger-record-change/CHANGELOG.md +++ b/packages/triggers/trigger-record-change/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/plugin-trigger-record-change +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/triggers/trigger-record-change/package.json b/packages/triggers/trigger-record-change/package.json index 8e2ca3e49..38cacc22c 100644 --- a/packages/triggers/trigger-record-change/package.json +++ b/packages/triggers/trigger-record-change/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/trigger-record-change", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Record-change flow trigger for ObjectStack — auto-launches flows on object insert/update/delete via ObjectQL lifecycle hooks (ADR-0018)", "main": "dist/index.js", diff --git a/packages/triggers/trigger-schedule/CHANGELOG.md b/packages/triggers/trigger-schedule/CHANGELOG.md index 31996becf..10390209e 100644 --- a/packages/triggers/trigger-schedule/CHANGELOG.md +++ b/packages/triggers/trigger-schedule/CHANGELOG.md @@ -1,5 +1,17 @@ # @objectstack/plugin-trigger-schedule +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/core@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/triggers/trigger-schedule/package.json b/packages/triggers/trigger-schedule/package.json index ca48c231c..d7a5af96f 100644 --- a/packages/triggers/trigger-schedule/package.json +++ b/packages/triggers/trigger-schedule/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/trigger-schedule", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Schedule flow trigger for ObjectStack — auto-launches flows on a cron/interval/once schedule via the IJobService (ADR-0018)", "main": "dist/index.js", diff --git a/packages/types/CHANGELOG.md b/packages/types/CHANGELOG.md index 571230e1c..73a16d1df 100644 --- a/packages/types/CHANGELOG.md +++ b/packages/types/CHANGELOG.md @@ -1,5 +1,16 @@ # @objectstack/types +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [d79ca07] +- Updated dependencies [33ebd34] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/types/package.json b/packages/types/package.json index e06d6e1ca..5554dcd95 100644 --- a/packages/types/package.json +++ b/packages/types/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/types", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Shared interfaces describing the ObjectStack Runtime environment", "main": "dist/index.js", diff --git a/packages/verify/CHANGELOG.md b/packages/verify/CHANGELOG.md index fe18bec2f..000810963 100644 --- a/packages/verify/CHANGELOG.md +++ b/packages/verify/CHANGELOG.md @@ -1,5 +1,38 @@ # @objectstack/verify +## 14.5.0 + +### Patch Changes + +- Updated dependencies [526805e] +- Updated dependencies [5f43f88] +- Updated dependencies [261aff5] +- Updated dependencies [f70eb2c] +- Updated dependencies [d79ca07] +- Updated dependencies [a348394] +- Updated dependencies [4d9dd7b] +- Updated dependencies [5bced2f] +- Updated dependencies [3fd87b2] +- Updated dependencies [33ebd34] +- Updated dependencies [6da03ee] +- Updated dependencies [e2c05d6] +- Updated dependencies [c044f08] +- Updated dependencies [01274eb] + - @objectstack/spec@14.5.0 + - @objectstack/service-automation@14.5.0 + - @objectstack/runtime@14.5.0 + - @objectstack/plugin-security@14.5.0 + - @objectstack/plugin-sharing@14.5.0 + - @objectstack/plugin-auth@14.5.0 + - @objectstack/rest@14.5.0 + - @objectstack/objectql@14.5.0 + - @objectstack/plugin-hono-server@14.5.0 + - @objectstack/service-settings@14.5.0 + - @objectstack/core@14.5.0 + - @objectstack/driver-sqlite-wasm@14.5.0 + - @objectstack/service-analytics@14.5.0 + - @objectstack/service-datasource@14.5.0 + ## 14.4.0 ### Patch Changes diff --git a/packages/verify/package.json b/packages/verify/package.json index b23263550..5129327cb 100644 --- a/packages/verify/package.json +++ b/packages/verify/package.json @@ -1,6 +1,6 @@ { "name": "@objectstack/verify", - "version": "14.4.0", + "version": "14.5.0", "license": "Apache-2.0", "description": "Boot any ObjectStack app in-process and verify it through the real HTTP stack — auto-derived CRUD round-trip fidelity plus the cross-owner RLS invariant. Catches runtime regressions that static checks miss.", "type": "module", diff --git a/packages/vscode-objectstack/CHANGELOG.md b/packages/vscode-objectstack/CHANGELOG.md index 70355c00e..5dd222f9e 100644 --- a/packages/vscode-objectstack/CHANGELOG.md +++ b/packages/vscode-objectstack/CHANGELOG.md @@ -1,5 +1,7 @@ # objectstack-vscode +## 14.5.0 + ## 14.4.0 ## 14.3.0 diff --git a/packages/vscode-objectstack/package.json b/packages/vscode-objectstack/package.json index 6dcccf865..726509c84 100644 --- a/packages/vscode-objectstack/package.json +++ b/packages/vscode-objectstack/package.json @@ -2,7 +2,7 @@ "name": "objectstack-vscode", "displayName": "ObjectStack", "description": "ObjectStack Protocol — Autocomplete, validation, and inline diagnostics for .object.ts, .view.ts, and objectstack.config.ts files", - "version": "14.4.0", + "version": "14.5.0", "publisher": "objectstack", "license": "Apache-2.0", "repository": {