Skip to content

feat(plugin-security): customized flag on packaged permission sets — Setup badge (ADR-0094)#2913

Merged
os-zhuang merged 1 commit into
mainfrom
claude/sys-permission-set-projection-2c7w0h
Jul 14, 2026
Merged

feat(plugin-security): customized flag on packaged permission sets — Setup badge (ADR-0094)#2913
os-zhuang merged 1 commit into
mainfrom
claude/sys-permission-set-projection-2c7w0h

Conversation

@os-zhuang

Copy link
Copy Markdown
Contributor

ADR-0094 的 UX 收尾之一(承接已合并的 #2901 / #2905)。浏览器实测时确认的两个缺口之一:Setup 列表分不清"原厂包集"和"被环境 overlay 定制过的包集",要进 Studio 分层视图才看得出。

改动

  • 投影器:对 managed_by:'package' 行,当有 overlay 遮蔽其发布基线时打上 customized: true,重置(数据门删除)时清除。环境自有行永不打标(它本身就是定义,不是对定义的定制)。
  • 对象元数据:sys_permission_set 新增只读布尔字段 customized,并加入 "All" Setup 列表视图(与 managed_by 并列)——SDUI,objectui 原生渲染,无需前端改动。

验证(真实 showcase 栈,权威 API)

showcase_contributor 全生命周期实测:

  • 定制前:managed_by=package, customized=false
  • 数据门 PATCH 后:label 变、managed_by=package(保留)、customized=true
  • 数据门 DELETE(重置)后:label 回退发布值、customized=false

单测:plugin-security 337 全通过;projection dogfood 7 项(含新增 customized 断言)真实栈全绿。

说明:我用 objectui HMR console 尝试做像素级浏览器验证,但 better-auth 客户端不认测试夹具手动注入的 token、登录守卫持续重定向——这是夹具时序问题,非产品缺陷。故按 dogfood 技能"改用 API+源码权威验证"的规则,用真实栈 REST 端到端证明了行为(矩阵编辑器 client.save() → 元数据门这条路,正是本改动覆盖的路径)。

配套的 objectui 侧(删除按钮文案 = 重置语义)在单独 PR。

🤖 Generated with Claude Code

https://claude.ai/code/session_01SXjD7g2JkEsdqhZFZgAo1Q


Generated by Claude Code

…sion sets (ADR-0094)

The Setup list couldn't tell a pristine packaged permission set from one an
admin has overlaid — you had to open the Studio layered diff. Stamp it on the
projection:

- the env projector sets `customized: true` on a managed_by:'package' row
  while an overlay shadows its shipped baseline, and clears it on reset
  (data-door delete). Env-authored rows are never flagged (they ARE the
  definition, not a customization of one).
- new read-only boolean field on sys_permission_set + added to the "All" Setup
  list view alongside managed_by.

Verified on the real showcase stack: showcase_contributor goes
customized=false → true (data-door PATCH) → false (data-door reset), with
managed_by:'package' preserved throughout. Covered by the projection dogfood
proof and unit tests.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SXjD7g2JkEsdqhZFZgAo1Q
@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Ready Ready Preview, Comment Jul 14, 2026 11:56am

Request Review

@github-actions github-actions Bot added size/s documentation Improvements or additions to documentation tests tooling labels Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

📓 Docs Drift Check

This PR changes 2 package(s): @objectstack/dogfood, @objectstack/plugin-security.

12 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:

  • content/docs/getting-started/cli.mdx (via @objectstack/plugin-security)
  • content/docs/permissions/access-recipes.mdx (via packages/plugins/plugin-security)
  • content/docs/permissions/authorization.mdx (via packages/dogfood, packages/plugins/plugin-security)
  • content/docs/permissions/delegated-administration.mdx (via packages/dogfood)
  • content/docs/permissions/explain.mdx (via @objectstack/plugin-security)
  • content/docs/permissions/permissions-matrix.mdx (via packages/plugins/plugin-security)
  • content/docs/permissions/sharing-rules.mdx (via @objectstack/plugin-security)
  • content/docs/plugins/index.mdx (via @objectstack/plugin-security)
  • content/docs/plugins/packages.mdx (via @objectstack/plugin-security)
  • content/docs/releases/implementation-status.mdx (via @objectstack/plugin-security)
  • content/docs/ui/audience-based-interfaces.mdx (via packages/plugins/plugin-security)
  • content/docs/ui/dashboards.mdx (via @objectstack/plugin-security)

Advisory only. To re-verify, run the docs-accuracy-audit workflow scoped to these files:
node scripts/docs-audit/affected-docs.mjs origin/main → pass the list as args.docs.

@os-zhuang os-zhuang marked this pull request as ready for review July 14, 2026 12:30
@os-zhuang os-zhuang merged commit f0acf25 into main Jul 14, 2026
17 checks passed
@os-zhuang os-zhuang deleted the claude/sys-permission-set-projection-2c7w0h branch July 14, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation size/s tests tooling

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants