feat(plugin-security,plugin-sharing,platform-objects): ADR-0029 K2 security domain ownership + D7 nav#1445
Merged
Merged
Conversation
…curity domain ownership + D7 nav Move the security objects out of the platform-objects monolith into the two capability plugins that already register/operate them (orthogonal split — sharing never references RBAC): - plugin-security (RBAC): sys_role, sys_permission_set, sys_user_permission_set, sys_role_permission_set + defaultPermissionSets seed (consumed by bootstrap-platform-admin). RBAC/default-permission-set tests move with them. - plugin-sharing: sys_record_share, sys_sharing_rule, sys_share_link. - platform-objects /security subpath is now an empty barrel; runtime unchanged (both plugins already registered these at runtime). D7: group_access_control is assembled from plugin-security (Roles/Permission Sets, prio 100) + plugin-sharing (Sharing Rules/Record Shares, prio 200) + platform-objects base (API Keys / sys_api_key identity object, prio 300), preserving menu order. D8: removed from the platform-objects i18n extract config; generated bundles keep working. Plugin-side i18n extraction tracked as follow-up. Tests: plugin-security 76 (incl. moved RBAC tests), plugin-sharing 54, platform-objects 58 — green; turbo build (incl. DTS type-check) green. https://claude.ai/code/session_01Tv6F1Ub6bhCedrx3r8sZM4
…curity-ownership # Conflicts: # packages/platform-objects/src/apps/setup-nav.contributions.ts
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
github-actions
Bot
added
documentation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements ADR-0029 K2 for the security domain — moves the security objects out of the
platform-objectsmonolith into the two capability plugins that already register and operate them, split by concern (the two are orthogonal: sharing objects never reference RBAC objects).Ownership split
sys_role,sys_permission_set,sys_user_permission_set,sys_role_permission_set+defaultPermissionSetsseed@objectstack/plugin-security(RBAC; itsbootstrap-platform-adminalready consumes the seed)sys_record_share,sys_sharing_rule,sys_share_link@objectstack/plugin-sharinggit mv, history preserved) into each plugin'ssrc/objects/; the RBAC + default-permission-set tests move with them intoplugin-security.platform-objects'/securitysubpath is now an empty barrel. Runtime is unchanged — both plugins already registered these objects at runtime; only the definitions' home moved. (Clean move, no facade: the dep direction would cycle and there are no external importers, as in K2.a/K2.b.)D7 navigation
group_access_controlis now assembled from three sources, preserving the original menu order:plugin-security→ Roles / Permission Sets (priority 100)plugin-sharing→ Sharing Rules / Record Shares (priority 200)platform-objectsbase → API Keys only (sys_api_keyis an identity object owned by plugin-auth; priority 300)i18n (D8)
Removed from the
platform-objectsi18n extract config; existing generated bundles keep working at runtime (object-name keyed). Migrating extraction into the owning plugins remains the tracked follow-up.Verification
turbo build(platform-objects + plugin-security + plugin-sharing + dep graph, incl. DTS type-check): greendriver-mongodbskip fix (test(driver-mongodb): skip suite when in-memory MongoDB binary is unavailable #1442) and approvals move (feat(plugin-approvals,platform-objects): ADR-0029 K2.b approvals domain ownership + D7 nav #1440) via a clean main merge.Notes
plugin-security/plugin-sharingno longer import security objects fromplatform-objectsin code; theirpackage.jsondeps are left in place (consistent with prior K2 PRs).platform-objects/securityis fully decomposed;audit/(jobs/email/notifications) is intentionally untouched to avoid colliding with concurrent message-engine work.https://claude.ai/code/session_01Tv6F1Ub6bhCedrx3r8sZM4
Generated by Claude Code