Add identity and policy schemas to spec package

Introduced new Zod schemas for authentication providers (OIDC, SAML, LDAP, etc.) in identity.zod.ts and for security policies (password, network, session, audit) in policy.zod.ts. Updated index.ts to export these new modules for broader use.

Author: hotlong

content/docs/concepts/security_architecture.md

@@ -0,0 +1,62 @@
+# ObjectStack Security Model: The "Defense in Depth" Architecture
+
+ObjectStack adopts the **"Salesforce-style"** metadata-driven security model. This is chosen over the Microsoft (Dataverse) model for its superior granularity and decoupling, which is essential for complex enterprise scenarios.
+
+## 1. Comparison of Major Models
+
+| Layer | ObjectStack / Salesforce | Microsoft Dataverse (Dynamics) | Why we chose ObjectStack's way? |
+| :--- | :--- | :--- | :--- |
+| **Who is this?** | **User + Identity** | User + Azure AD | Standard OIDC/SAML integration. |
+| **What can they do?**<br>(Functionality) | **Permission Set / Profile**<br>*(Boolean Flags)* | **Security Role**<br>*(The "Matrix" of Dots)* | Decoupling functional rights (e.g., "Export Data") from data scope allows more flexible assignment. |
+| **Where do they sit?**<br>(Hierarchy) | **Role**<br>*(Reporting Line)* | **Business Unit**<br>*(Department Tree)* | "Role" implies logical reporting (VP can see Manager), whereas "BU" implies rigid department silos. |
+| **What data can they see?**<br>(Visibility) | **Sharing Rules**<br>*(Criteria & Ownership)* | **Access Teams**<br>*(Ad-hoc)* | **Sharing Rules** are the "Killer Feature". They allow logic like "Share Deal > 1M with Finance", which Microsoft's static hierarchy cannot easily express. |
+| **Super Access** | **View All / Modify All** | **Organization Level** (Green Dot) | Separating "Super Access" from standard "Read" prevents accidental data leaks. |
+
+## 2. The Protocols
+
+### A. Functional permissions (`src/data/permission.zod.ts`)
+Defines the **Baseline**.
+*   If `allowRead = false`, the user cannot see *any* record, regardless of sharing.
+*   If `allowRead = true`, the user can see *their own* records (Ownership).
+
+### B. Structural Hierarchy (`src/system/role.zod.ts`)
+Defines the **Reporting Line**.
+*   A user is assigned to one Role (e.g., "Sales Manager").
+*   **Automatic Inheritance**: The "Sales Manager" implicitly sees data owned by "Sales Rep".
+*   *Note: This is closest to Microsoft's "Business Unit" concept.*
+
+### C. Data Access Scope (`src/data/sharing.zod.ts`)
+Defines the **Expansion**.
+*   We start with "Private" (OWD).
+*   We expand access via **Sharing Rules**.
+    *   **Criteria-based**: "If Status = 'Published', share with All Internal Users."
+    *   **Owner-based**: "Share 'Western Region' records with 'Western VP'."
+
+## 3. Terminology Map
+
+If you are coming from the Microsoft/Dynamics ecosystem:
+
+*   **Security Role (User Level)** -> `allowRead: true`
+*   **Security Role (BU Level)** -> `allowRead: true` + `Sharing Rule (Share with Role)`
+*   **Security Role (Org Level)** -> `viewAllRecords: true`
+*   **Business Unit** -> `Role` (Functional) / `OrgUnit` (Physical)
+
+## 4. The Chinese Enterprise Extension (中国企业适配)
+
+In the context of Chinese enterprises, the hierarchy is often strictly defined by **legal entities and departments** (Organization), which is distinct from the **reporting line** (Role).
+
+*   **OrgUnit (组织机构)**: `src/system/org_unit.zod.ts`
+    *   **Group (集团)**
+    *   **Company (分公司)**
+    *   **Department (部门)**
+*   **Role (角色)**: `src/system/role.zod.ts`
+    *   Defines titles regardless of department (e.g., "Department Manager", "Accountant").
+
+**Example Assignment:**
+*   User: "Zhang San"
+*   OrgUnit: "Shanghai Branch / Sales Dept"
+*   Role: "Sales Manager"
+
+The **Sharing Engine** can then support rules like:
+> "Share records owned by [Shanghai Branch] with [Headquarters Audit Role]."
+

packages/spec/src/data/permission.zod.ts

@@ -2,20 +2,31 @@ import { z } from 'zod';
 
 /**
  * Entity (Object) Level Permissions
+ * Defines CRUD + VAMA (View All / Modify All) access.
  */
 export const ObjectPermissionSchema = z.object({
-  /** Can create new records */
+  /** C: Create */
   allowCreate: z.boolean().default(false).describe('Create permission'),
-  /** Can read records */
+  /** R: Read (Owned records or Shared records) */
   allowRead: z.boolean().default(false).describe('Read permission'),
-  /** Can edit records */
+  /** U: Edit (Owned records or Shared records) */
   allowEdit: z.boolean().default(false).describe('Edit permission'),
-  /** Can delete records */
+  /** D: Delete (Owned records or Shared records) */
   allowDelete: z.boolean().default(false).describe('Delete permission'),
-  /** Can view all records (ignores sharing rules) */
-  viewAllNodes: z.boolean().default(false).describe('View All Data (admin)'),
-  /** Can modify all records (ignores sharing rules) */
-  modifyAllNodes: z.boolean().default(false).describe('Modify All Data (admin)'),
+  
+  /** 
+   * View All Records: Super-user read access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level read access.
+   */
+  viewAllRecords: z.boolean().default(false).describe('View All Data (Bypass Sharing)'),
+  
+  /** 
+   * Modify All Records: Super-user write access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level write access.
+   */
+  modifyAllRecords: z.boolean().default(false).describe('Modify All Data (Bypass Sharing)'),
 });
 
 /**
@@ -31,6 +42,11 @@ export const FieldPermissionSchema = z.object({
 /**
  * Permission Set Schema
  * Defines a collection of permissions that can be assigned to users.
+ * 
+ * DIFFERENTIATION:
+ * - Profile: The ONE primary functional definition of a user (e.g. Standard User).
+ * - Permission Set: Add-on capabilities assigned to users (e.g. Export Reports).
+ * - Role: (Defined in src/system/role.zod.ts) Defines data visibility hierarchy.
  */
 export const PermissionSetSchema = z.object({
   /** Unique permission set name */

packages/spec/src/data/sharing.zod.ts

@@ -0,0 +1,66 @@
+import { z } from 'zod';
+
+/**
+ * Sharing Rule Type
+ * How is the data shared?
+ */
+export const SharingRuleType = z.enum([
+  'owner',        // Based on record ownership (Role Hierarchy)
+  'criteria',     // Based on field values (e.g. Status = 'Open')
+  'manual',       // Ad-hoc sharing (User specific)
+  'guest'         // Public access
+]);
+
+/**
+ * Sharing Level
+ * What access is granted?
+ */
+export const SharingLevel = z.enum([
+  'read',      // Read Only
+  'edit'       // Read / Write
+]);
+
+/**
+ * Sharing Rule Schema
+ * Defines AUTOMATIC access grants based on logic.
+ * The core engine of the governance layer.
+ */
+export const SharingRuleSchema = z.object({
+  name: z.string().regex(/^[a-z_][a-z0-9_]*$/).describe('Unique rule name'),
+  label: z.string().optional(),
+  active: z.boolean().default(true),
+  
+  /** Target Object */
+  object: z.string().describe('Object to share'),
+  
+  /** Grant Logic */
+  type: SharingRuleType.default('criteria'),
+  
+  /** 
+   * Criteria (for type='criteria') 
+   * SQL-like condition: "department = 'Sales' AND amount > 10000"
+   */
+  criteria: z.string().optional(),
+  
+  /** Access Level */
+  accessLevel: SharingLevel.default('read'),
+  
+  /** 
+   * Target Audience (Whom to share with)
+   * ID of a Group, Role, or User.
+   */
+  sharedWith: z.string().describe('Group/Role ID to share records with'),
+});
+
+/**
+ * Organization-Wide Defaults (OWD)
+ * The baseline security posture for an object.
+ */
+export const OWDModel = z.enum([
+  'private',          // Only owner can see
+  'public_read',      // Everyone can see, owner can edit
+  'public_read_write' // Everyone can see and edit
+]);
+
+export type SharingRule = z.infer<typeof SharingRuleSchema>;
+export type SharingRuleType = z.infer<typeof SharingRuleType>;

packages/spec/src/index.ts

@@ -12,6 +12,7 @@ export * from './data/field.zod';
 export * from './data/object.zod';
 export * from './data/validation.zod';
 export * from './data/permission.zod';
+export * from './data/sharing.zod';
 export * from './data/workflow.zod';
 export * from './data/flow.zod';
 export * from './data/dataset.zod';
@@ -30,6 +31,11 @@ export * from './ui/action.zod';
 export * from './system/manifest.zod';
 export * from './system/datasource.zod';
 export * from './system/api.zod';
+export * from './system/identity.zod';
+export * from './system/policy.zod';
+export * from './system/role.zod';
+export * from './system/org_unit.zod';
+export * from './system/license.zod';
 export * from './system/translation.zod';
 export * from './system/constants';
 export * from './system/types';

packages/spec/src/system/identity.zod.ts

@@ -0,0 +1,75 @@
+import { z } from 'zod';
+
+/**
+ * Authentication Protocol
+ * Defines supported authentication standards (OIDC, SAML, LDAP).
+ */
+export const AuthProtocol = z.enum([
+  'oidc',       // OpenID Connect (Modern standard)
+  'saml',       // SAML 2.0 (Legacy Enterprise)
+  'ldap',       // LDAP/Active Directory (On-premise)
+  'oauth2',     // Generic OAuth2
+  'local',      // Database username/password
+  'mock'        // Testing
+]);
+
+/**
+ * OIDC / OAuth2 Config (Standard)
+ */
+export const OIDCConfigSchema = z.object({
+  issuer: z.string().url().describe('OIDC Issuer URL (.well-known/openid-configuration)'),
+  clientId: z.string(),
+  clientSecret: z.string(), // Usually value is ENV reference
+  scopes: z.array(z.string()).default(['openid', 'profile', 'email']),
+  attributeMapping: z.record(z.string()).optional().describe('Map IdP claims to User fields'),
+});
+
+/**
+ * SAML 2.0 Config (Enterprise)
+ */
+export const SAMLConfigSchema = z.object({
+  entryPoint: z.string().url().describe('IdP SSO URL'),
+  cert: z.string().describe('IdP Public Certificate'), // PEM format
+  issuer: z.string().describe('Entity ID of the IdP'),
+  signatureAlgorithm: z.enum(['sha256', 'sha512']).default('sha256'),
+  attributeMapping: z.record(z.string()).optional(),
+});
+
+/**
+ * LDAP / AD Config (On-premise)
+ */
+export const LDAPConfigSchema = z.object({
+  url: z.string().url().describe('LDAP Server URL (ldap:// or ldaps://)'),
+  bindDn: z.string(),
+  bindCredentials: z.string(),
+  searchBase: z.string(),
+  searchFilter: z.string(),
+  groupSearchBase: z.string().optional(),
+});
+
+/**
+ * Identity Provider (IdP) Schema
+ * Connects the OS to an external source of truth for identities.
+ */
+export const AuthProviderSchema = z.object({
+  name: z.string().regex(/^[a-z_][a-z0-9_]*$/).describe('Provider ID'),
+  label: z.string().describe('Button Label (e.g. "Login with Okta")'),
+  type: AuthProtocol,
+  
+  /** Configuration (Polymorphic based on type) */
+  config: z.union([
+    OIDCConfigSchema,
+    SAMLConfigSchema,
+    LDAPConfigSchema,
+    z.record(z.any()) // Fallback
+  ]).describe('Provider specific configuration'),
+
+  /** Visuals */
+  icon: z.string().optional().describe('Icon URL or helper class'),
+  
+  /** Policies */
+  active: z.boolean().default(true),
+  registrationEnabled: z.boolean().default(false).describe('Allow new users to sign up via this provider'),
+});
+
+export type AuthProvider = z.infer<typeof AuthProviderSchema>;

packages/spec/src/system/license.zod.ts

@@ -0,0 +1,78 @@
+import { z } from 'zod';
+
+/**
+ * Metric Type Classification
+ */
+export const MetricType = z.enum([
+  'boolean',   // Feature Flag (Enabled/Disabled)
+  'counter',   // Usage Count (e.g. API Calls, Records Created) - Accumulates
+  'gauge',     // Current Level (e.g. Storage Used, Users Active) - Point in time
+]);
+
+/**
+ * Feature/Limit Definition Schema
+ * Defines a controllable capability of the system.
+ */
+export const FeatureSchema = z.object({
+  code: z.string().regex(/^[a-z_][a-z0-9_.]*$/).describe('Feature code (e.g. core.api_access)'),
+  label: z.string(),
+  description: z.string().optional(),
+  
+  type: MetricType.default('boolean'),
+  
+  /** For counters/gauges */
+  unit: z.enum(['count', 'bytes', 'seconds', 'percent']).optional(),
+  
+  /** Dependencies (e.g. 'audit_log' requires 'enterprise_tier') */
+  requires: z.array(z.string()).optional(),
+});
+
+/**
+ * Subscription Plan Schema
+ * Defines a tier of service (e.g. "Free", "Pro", "Enterprise").
+ */
+export const PlanSchema = z.object({
+  code: z.string().describe('Plan code (e.g. pro_v1)'),
+  label: z.string(),
+  active: z.boolean().default(true),
+  
+  /** Feature Entitlements */
+  features: z.array(z.string()).describe('List of enabled boolean features'),
+  
+  /** Limit Quotas */
+  limits: z.record(z.number()).describe('Map of metric codes to limit values (e.g. { storage_gb: 10 })'),
+  
+  /** Pricing (Optional Metadata) */
+  currency: z.string().default('USD').optional(),
+  priceMonthly: z.number().optional(),
+  priceYearly: z.number().optional(),
+});
+
+/**
+ * License Schema
+ * The actual entitlement object assigned to a Tenant.
+ * Often signed as a JWT.
+ */
+export const LicenseSchema = z.object({
+  /** Identity */
+  tenantId: z.string(),
+  planCode: z.string(),
+  
+  /** Validity */
+  issuedAt: z.string().datetime(),
+  expiresAt: z.string().datetime().optional(), // Null = Perpetual
+  
+  /** Status */
+  status: z.enum(['active', 'expired', 'suspended', 'trial']),
+  
+  /** Overrides (Specific to this tenant, exceeding the plan) */
+  customFeatures: z.array(z.string()).optional(),
+  customLimits: z.record(z.number()).optional(),
+  
+  /** Signature */
+  signature: z.string().optional().describe('Cryptographic signature of the license'),
+});
+
+export type Feature = z.infer<typeof FeatureSchema>;
+export type Plan = z.infer<typeof PlanSchema>;
+export type License = z.infer<typeof LicenseSchema>;