objectstack-ai
diff --git a/‎objectstack.config.ts‎
Lines changed: 13 additions & 1 deletion b/‎objectstack.config.ts‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/permissions/src/index.ts‎
Lines changed: 2 additions & 0 deletions b/‎packages/permissions/src/index.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎packages/permissions/src/plugin.ts‎
Lines changed: 52 additions & 0 deletions b/‎packages/permissions/src/plugin.ts‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎packages/permissions/src/types.ts‎
Lines changed: 21 additions & 0 deletions b/‎packages/permissions/src/types.ts‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎packages/telemetry/jest.config.cjs‎
Lines changed: 22 additions & 0 deletions b/‎packages/telemetry/jest.config.cjs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎packages/telemetry/package.json‎
Lines changed: 25 additions & 0 deletions b/‎packages/telemetry/package.json‎
Lines changed: 25 additions & 0 deletions
@@ -20,6 +20,7 @@ import { NotificationPlugin } from '@objectos/notification';
 import { PermissionsPlugin } from '@objectos/permissions';
 import { createRealtimePlugin } from '@objectos/realtime';
 import { StoragePlugin } from '@objectos/storage';
+import { TelemetryPlugin } from '@objectos/telemetry';
 import { UIPlugin } from '@objectos/ui';
 import { WorkflowPlugin } from '@objectos/workflow';
 import { resolve } from 'path';
@@ -64,6 +65,15 @@ export default defineStack({
     new MetricsPlugin(),
     new CachePlugin(),
     new StoragePlugin(),
+    new TelemetryPlugin({
+      serviceName: 'objectos',
+      serviceVersion: '0.1.0',
+      environment: process.env.NODE_ENV || 'development',
+      exporter: {
+        protocol: (process.env.OTEL_EXPORTER_PROTOCOL as any) || 'none',
+        endpoint: process.env.OTEL_EXPORTER_OTLP_ENDPOINT || 'http://localhost:4318/v1/traces',
+      },
+    }),
 
     // Core
     new AuthPlugin({
@@ -76,7 +86,9 @@ export default defineStack({
       })(),
       baseUrl: process.env.BETTER_AUTH_URL || 'http://localhost:5320',
     }),
-    new PermissionsPlugin(),
+    new PermissionsPlugin({
+      tenantIsolation: true,
+    }),
     new AuditLogPlugin(),
 
     // Logic
 
@@ -89,6 +89,7 @@
     "@objectos/permissions": "workspace:*",
     "@objectos/realtime": "workspace:*",
     "@objectos/storage": "workspace:*",
+    "@objectos/telemetry": "workspace:*",
     "@objectos/ui": "workspace:*",
     "@objectos/workflow": "workspace:*",
     "@objectql/core": "^4.2.0",
 
@@ -53,6 +53,8 @@ export type {
     // Runtime
     PermissionContext,
     PermissionCheckResult,
+    // Multi-tenancy
+    TenantContext,
     // Plugin Config
     PermissionPluginConfig,
 } from './types.js';
 
@@ -56,6 +56,8 @@ export class PermissionsPlugin implements Plugin {
             defaultDeny: true,
             permissionsDir: './permissions',
             cachePermissions: true,
+            tenantIsolation: false,
+            tenantField: '_organizationId',
             ...config,
         };
 
@@ -236,21 +238,69 @@ export class PermissionsPlugin implements Plugin {
         // Hook into data operations for permission checking (PRE-Operation)
         context.hook('data.beforeCreate', async (data: any) => {
             await this.checkDataPermission(data, 'create');
+            this.applyTenantToWrite(data);
         });
 
         context.hook('data.beforeUpdate', async (data: any) => {
             await this.checkDataPermission(data, 'update');
+            this.applyTenantToWrite(data);
         });
 
         context.hook('data.beforeDelete', async (data: any) => {
             await this.checkDataPermission(data, 'delete');
+            this.applyTenantFilter(data);
         });
 
         context.hook('data.beforeFind', async (data: any) => {
             await this.applyRecordLevelSecurity(data);
+            this.applyTenantFilter(data);
         });
 
         this.context?.logger.info('[Permissions Plugin] Event listeners registered');
+
+        if (this.config.tenantIsolation) {
+            this.context?.logger.info(`[Permissions Plugin] Tenant isolation enabled (field: ${this.config.tenantField})`);
+        }
+    }
+
+    /**
+     * Apply tenant ID to write operations (create/update).
+     * Stamps the tenant field on the record data so it belongs to the user's organization.
+     */
+    private applyTenantToWrite(data: any): void {
+        if (!this.config.tenantIsolation) return;
+
+        const organizationId = data.organizationId || data.metadata?.organizationId;
+        if (!organizationId) return;
+
+        const tenantField = this.config.tenantField || '_organizationId';
+
+        // Stamp the tenant field on the record being written
+        if (data.doc) {
+            data.doc[tenantField] = organizationId;
+        }
+        if (data.record) {
+            data.record[tenantField] = organizationId;
+        }
+    }
+
+    /**
+     * Apply tenant filter to read/delete operations.
+     * Ensures queries are automatically scoped to the user's organization.
+     */
+    private applyTenantFilter(data: any): void {
+        if (!this.config.tenantIsolation) return;
+
+        const organizationId = data.organizationId || data.metadata?.organizationId;
+        if (!organizationId) return;
+
+        const tenantField = this.config.tenantField || '_organizationId';
+
+        // Merge tenant filter into existing query filters
+        data.filters = {
+            ...data.filters,
+            [tenantField]: organizationId,
+        };
     }
 
     /**
@@ -266,6 +316,7 @@ export class PermissionsPlugin implements Plugin {
 
         const permissionContext: PermissionContext = {
             userId,
+            organizationId: data.organizationId || data.metadata?.organizationId,
             profiles: userProfiles || [],
             metadata: data.metadata,
         };
@@ -302,6 +353,7 @@ export class PermissionsPlugin implements Plugin {
 
         const permissionContext: PermissionContext = {
             userId,
+            organizationId: data.organizationId || data.metadata?.organizationId,
             profiles: userProfiles || [],
             metadata: data.metadata,
         };
 
@@ -344,6 +344,8 @@ export interface RLSEvaluationResult {
 export interface PermissionContext {
     /** User ID */
     userId: string;
+    /** Organization / Tenant ID for multi-tenancy data isolation */
+    organizationId?: string;
     /** User's profile name */
     profileName?: string;
     /** User's profiles (array of profile names) */
@@ -356,6 +358,21 @@ export interface PermissionContext {
     metadata?: Record<string, any>;
 }
 
+/**
+ * Tenant context — extracted from authenticated session for data isolation.
+ * Used by the tenant middleware to scope all data queries to a specific organization.
+ */
+export interface TenantContext {
+    /** Organization / Tenant ID */
+    organizationId: string;
+    /** Organization slug (for URL routing) */
+    slug?: string;
+    /** User ID within the organization */
+    userId: string;
+    /** User's role within the organization (e.g., 'owner', 'admin', 'member') */
+    role?: string;
+}
+
 /**
  * Permission check result
  */
@@ -384,6 +401,10 @@ export interface PermissionPluginConfig {
     cachePermissions?: boolean;
     /** Custom storage implementation */
     storage?: any; // PermissionStorage
+    /** Enable multi-tenancy data isolation — automatically scopes data queries to the user's organization */
+    tenantIsolation?: boolean;
+    /** Field name used to store the tenant/organization ID on data records (default: '_organizationId') */
+    tenantField?: string;
 }
 
 // ─── Kernel Compliance Types (from @objectstack/spec) ──────────────────────────
 
@@ -0,0 +1,22 @@
+module.exports = {
+  preset: 'ts-jest/presets/default-esm',
+  testEnvironment: 'node',
+  extensionsToTreatAsEsm: ['.ts'],
+  moduleNameMapper: {
+    '^(\\.{1,2}/.*)\\.js$': '$1',
+  },
+  transform: {
+    '^.+\\.ts$': [
+      'ts-jest',
+      {
+        useESM: true,
+      },
+    ],
+  },
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  collectCoverageFrom: [
+    'src/**/*.ts',
+    '!src/**/*.d.ts'
+  ]
+};
@@ -0,0 +1,25 @@
+{
+  "name": "@objectos/telemetry",
+  "version": "0.1.0",
+  "type": "module",
+  "license": "AGPL-3.0",
+  "description": "OpenTelemetry integration for ObjectOS — distributed tracing, span collection, and OTLP export",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --clean && tsc --emitDeclarationOnly --declaration",
+    "test": "jest --forceExit --passWithNoTests"
+  },
+  "dependencies": {
+    "@objectstack/runtime": "^2.0.7",
+    "@objectstack/spec": "2.0.7"
+  },
+  "devDependencies": {
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.2.0",
+    "jest": "^30.2.0",
+    "ts-jest": "^29.4.6",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}