objectstack-ai
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 1 addition & 0 deletions b/‎ROADMAP.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/platform-objects/src/identity/index.ts‎
Lines changed: 4 additions & 0 deletions b/‎packages/platform-objects/src/identity/index.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/platform-objects/src/identity/sys-department-member.object.ts‎
Lines changed: 108 additions & 0 deletions b/‎packages/platform-objects/src/identity/sys-department-member.object.ts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎packages/platform-objects/src/identity/sys-department.object.ts‎
Lines changed: 157 additions & 0 deletions b/‎packages/platform-objects/src/identity/sys-department.object.ts‎
Lines changed: 157 additions & 0 deletions
diff --git a/‎packages/platform-objects/src/identity/sys-team.object.ts‎
Lines changed: 0 additions & 7 deletions b/‎packages/platform-objects/src/identity/sys-team.object.ts‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎packages/platform-objects/src/security/sys-sharing-rule.object.ts‎
Lines changed: 4 additions & 4 deletions b/‎packages/platform-objects/src/security/sys-sharing-rule.object.ts‎
Lines changed: 4 additions & 4 deletions
@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added — M10.17.1 dedicated org-skeleton (`sys_department`) ⭐
+- **Architectural split** — better-auth's `sys_team` is now used *only* for flat collaboration groupings (matching the upstream contract). The enterprise org chart moves to a dedicated **`sys_department`** + **`sys_department_member`** pair (`packages/platform-objects/src/identity/`). This removes the M10.17 overload where `sys_team.parent_team_id` was doing double duty and risks colliding with future better-auth schema changes.
+- **`sys_department`** — recursive (`parent_department_id` self-lookup), tenant-scoped (`organization_id`), with `kind` enum (`company | division | department | team | office | cost_center`), `manager_user_id` for department head, `active` flag, effective-dated (`effective_from` / `effective_to`), and `external_ref` for HRIS sync (Workday / SAP HR / 北森).
+- **`sys_department_member`** — many-to-many user ↔ department supporting matrix orgs (multiple memberships per user, one `is_primary`), `role_in_department` (`member | lead | deputy`), and effective dates so historical reports can reconstruct who reported where.
+- **Schema cleanup** — dropped `sys_team.parent_team_id` (better-auth contract restored to vanilla); both new schemas registered automatically by `SharingServicePlugin.init()`.
+- **`DepartmentGraphService implements IDepartmentGraphService`** — new file `packages/plugins/plugin-sharing/src/department-graph.ts`. BFS over `parent_department_id` (active-only — inactive subtrees stop descent), `expandUsers` via `sys_department_member`, `headOf` reads `manager_user_id`, proxies `managerOf` to `TeamGraphService` so callers need only one service.
+- **`TeamGraphService` flattened** — removed the BFS descendant walk; `expandUsers(teamId)` now returns flat members of one `sys_team`. Added a top-level `expandPrincipal(input, ctx)` helper that dispatches `user | team | department | role | manager | field | queue` to the right service (legacy `team:`/`role:`/`manager:` substring fallback retained for back-compat).
+- **`SharingRuleService.expandRecipient`** — now routes `recipient_type='department'` through `DepartmentGraphService`. `sys_sharing_rule.recipient_type` enum bumped to `'user' | 'team' | 'department' | 'role' | 'queue'` (default flipped from `team` → `department` to nudge users toward the org skeleton).
+- **`ApproverType` extended** — `packages/spec/src/automation/approval.zod.ts` adds `'team'` and `'department'` to the enum (previously only `'role'` covered grouped approvers).
+- **`ApprovalService.expandApprovers`** — `team:` is now flat (was previously walking `parent_team_id`); new `department:` / `dept:` prefix walks `sys_department` BFS + members via `sys_department_member`; `role:` / `manager:` / `field:` / `user:` unchanged. Unknown / missing-row fallbacks still echo `type:value` for legacy storage compatibility.
+- **Contracts (`@objectstack/spec/contracts/sharing-service.ts`)** — added `IDepartmentGraphService`; `ITeamGraphService` reduced to flat semantics (`descendants` removed); `SharingRuleRecipientType` includes `'department'`.
+- **Tests** — 47/47 (`plugin-sharing` — 20 sharing-rule incl. dept-rule reconcile + 27 share enforcement, with 6 new tests covering BFS / inactive-subtree skip / cross-tenant guard / head lookup / dispatcher fallback), 32/32 (`plugin-approvals` — 3 new tests: flat team expansion, dept BFS expansion, dept fallback to prefixed literal), 74/74 (`rest`), 85/85 (`platform-objects`).
+- **Migration note** — any caller that wrote to `sys_team.parent_team_id` in M10.17 needs to migrate that data into `sys_department`; sharing rules with `recipient_type='team'` that previously relied on team hierarchy must either flatten or be switched to `recipient_type='department'`.
+
 ### Added — M10.17 declarative sharing rules + team hierarchy ⭐
 - **`sys_sharing_rule`** — new tenant-scoped object (`packages/platform-objects/src/security/sys-sharing-rule.object.ts`) describing "any record of object O matching FilterCondition C is granted access level A to recipient R (user/team/role/queue)". Salesforce-style criteria-based sharing, with criteria stored as a JSON `FilterCondition` so the engine's native `find()` can evaluate matches without a separate predicate runtime.
 - **Team hierarchy (`sys_team.parent_team_id`)** — added an optional self-lookup to `sys_team` so descendants can be walked into a flat user set. `sys_team` continues to conform to better-auth's organization plugin schema (extension columns are ignored by better-auth selects).
 
@@ -564,6 +564,7 @@ D9 / D10 / D11                   (resolved through M9 sub-tasks above)
 - [x] M10.15 — Workflow / approval engine — delivered as M11.C15 (`@objectstack/plugin-approvals` + `sys_approval_process` / `sys_approval_request` / `sys_approval_action`, tenant-scoped REST surface, autopilot lifecycle hooks).
 - [x] M10.16 — Saved reports + scheduled email — delivered as M11.C16 (`@objectstack/plugin-reports` + matrix `groupBy` with `dateGranularity`).
 - [x] M10.17 — Record-level sharing rules (`sys_sharing_rule`) + team hierarchy (`sys_team.parent_team_id`). Declarative criteria-based sharing materialised into `sys_record_share` with `source='rule'` and reconciled by `SharingRuleService`; team graph used by both rule evaluator and `ApprovalService.expandApprovers()` for `team:` / `role:` / `manager:` approver expansion. REST surface at `/api/v1/data/sharing/rules`; auto-loaded by the CLI capability resolver when `requires: ['…, 'sharing']`.
+- [x] M10.17.1 — Split enterprise org skeleton (`sys_department` + `sys_department_member`) from better-auth's flat `sys_team`. Dropped `sys_team.parent_team_id` (better-auth contract restored); new `DepartmentGraphService` BFS over `parent_department_id` with active-only subtree, effective dates, `kind` enum (`company|division|department|team|office|cost_center`) for HRIS-grade modelling. `ApprovalService` `department:`/`dept:` approver prefix + `SharingRuleService` `recipient_type='department'` now resolve through the dept graph; `team:` is flat. Contracts split (`ITeamGraphService` flat, `IDepartmentGraphService` hierarchical).
 - [ ] M10.18 — Tags (`sys_tag`).
 - [ ] M10.19 — Re-enable GraphQL (currently 501) and OpenAPI spec endpoint (currently 404).
 - [ ] M10.20 — Realtime channels (collaborative editing on the same opportunity).
 
@@ -19,6 +19,10 @@ export { SysInvitation } from './sys-invitation.object.js';
 export { SysTeam } from './sys-team.object.js';
 export { SysTeamMember } from './sys-team-member.object.js';
 
+// ── Org Skeleton (hierarchical, distinct from flat sys_team) ────────────────
+export { SysDepartment } from './sys-department.object.js';
+export { SysDepartmentMember } from './sys-department-member.object.js';
+
 // ── Additional Auth Objects ────────────────────────────────────────────────
 export { SysApiKey } from './sys-api-key.object.js';
 export { SysTwoFactor } from './sys-two-factor.object.js';
 
@@ -0,0 +1,108 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_department_member — User ↔ Department Assignment
+ *
+ * Many-to-many between `sys_user` and `sys_department`. A user can belong
+ * to multiple departments (matrix orgs) but exactly one is marked
+ * `is_primary` to drive the default reporting view.
+ *
+ * Effective-dated so that historical reports & audits can reconstruct
+ * who reported to which unit at any point in time.
+ *
+ * @namespace sys
+ */
+export const SysDepartmentMember = ObjectSchema.create({
+  name: 'sys_department_member',
+  label: 'Department Member',
+  pluralLabel: 'Department Members',
+  icon: 'user-cog',
+  isSystem: true,
+  managedBy: 'platform',
+  description: 'User assignment to a department (matrix-org friendly, effective-dated).',
+  titleFormat: '{user_id} in {department_id}',
+  compactLayout: ['user_id', 'department_id', 'role_in_department', 'is_primary'],
+
+  fields: {
+    id: Field.text({
+      label: 'Member ID',
+      required: true,
+      readonly: true,
+      group: 'System',
+    }),
+
+    department_id: Field.lookup('sys_department', {
+      label: 'Department',
+      required: true,
+      group: 'Assignment',
+    }),
+
+    user_id: Field.lookup('sys_user', {
+      label: 'User',
+      required: true,
+      group: 'Assignment',
+    }),
+
+    role_in_department: Field.select(
+      ['member', 'lead', 'deputy'],
+      {
+        label: 'Role in Department',
+        required: false,
+        defaultValue: 'member',
+        description: '`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.',
+        group: 'Assignment',
+      },
+    ),
+
+    is_primary: Field.boolean({
+      label: 'Primary Assignment',
+      required: false,
+      defaultValue: true,
+      description: 'When the user is in multiple departments, this marks the canonical one for reporting.',
+      group: 'Assignment',
+    }),
+
+    effective_from: Field.datetime({
+      label: 'Effective From',
+      required: false,
+      group: 'Lifecycle',
+    }),
+
+    effective_to: Field.datetime({
+      label: 'Effective To',
+      required: false,
+      group: 'Lifecycle',
+    }),
+
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+      group: 'System',
+    }),
+
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+      group: 'System',
+    }),
+  },
+
+  indexes: [
+    { fields: ['department_id', 'user_id'], unique: true },
+    { fields: ['user_id'] },
+    { fields: ['is_primary'] },
+  ],
+
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: true,
+    mru: false,
+  },
+});
@@ -0,0 +1,157 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+import { ObjectSchema, Field } from '@objectstack/spec/data';
+
+/**
+ * sys_department — Enterprise Org-Skeleton Node
+ *
+ * The persistent, hierarchical org chart node. **This is distinct from
+ * `sys_team`** (which is the flat better-auth collaboration grouping).
+ *
+ * A single tenant typically has one `kind='company'` root, then nested
+ * `division` / `department` / `team` / `office` nodes underneath. The
+ * `kind` enum is purely a display/categorisation hint — the recursive
+ * structure works identically regardless of value.
+ *
+ * Drives:
+ *   - `recipient_type='department'` sharing rules
+ *   - `dept:` approver prefix in the approval engine
+ *   - Report rollups and manager chains in CRM/PM apps
+ *
+ * @namespace sys
+ */
+export const SysDepartment = ObjectSchema.create({
+  name: 'sys_department',
+  label: 'Department',
+  pluralLabel: 'Departments',
+  icon: 'building',
+  isSystem: true,
+  managedBy: 'platform',
+  description: 'Hierarchical org-skeleton node (department / division / business unit / office).',
+  displayNameField: 'name',
+  titleFormat: '{name}',
+  compactLayout: ['name', 'kind', 'parent_department_id', 'manager_user_id'],
+
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    name: Field.text({
+      label: 'Name',
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      group: 'Identity',
+    }),
+
+    code: Field.text({
+      label: 'Code',
+      required: false,
+      searchable: true,
+      maxLength: 64,
+      description: 'Short stable code (e.g. EMEA-SALES). Unique within tenant.',
+      group: 'Identity',
+    }),
+
+    kind: Field.select(
+      ['company', 'division', 'department', 'team', 'office', 'cost_center'],
+      {
+        label: 'Kind',
+        required: true,
+        defaultValue: 'department',
+        description: 'Categorisation hint — does not change graph semantics.',
+        group: 'Identity',
+      },
+    ),
+
+    // ── Hierarchy ────────────────────────────────────────────────
+    parent_department_id: Field.lookup('sys_department', {
+      label: 'Parent Department',
+      required: false,
+      description: 'Self-reference for the org tree. Null = root of tenant.',
+      group: 'Hierarchy',
+    }),
+
+    organization_id: Field.lookup('sys_organization', {
+      label: 'Organization',
+      required: true,
+      description: 'Tenant scope.',
+      group: 'Hierarchy',
+    }),
+
+    // ── Leadership ───────────────────────────────────────────────
+    manager_user_id: Field.lookup('sys_user', {
+      label: 'Department Head',
+      required: false,
+      description: 'User responsible for this org unit (department head / lead).',
+      group: 'Leadership',
+    }),
+
+    // ── Lifecycle ────────────────────────────────────────────────
+    active: Field.boolean({
+      label: 'Active',
+      required: false,
+      defaultValue: true,
+      description: 'When false, members are not expanded by graph queries.',
+      group: 'Lifecycle',
+    }),
+
+    effective_from: Field.datetime({
+      label: 'Effective From',
+      required: false,
+      description: 'When this department came into existence (HRIS sync).',
+      group: 'Lifecycle',
+    }),
+
+    effective_to: Field.datetime({
+      label: 'Effective To',
+      required: false,
+      description: 'When this department was retired (HRIS sync).',
+      group: 'Lifecycle',
+    }),
+
+    external_ref: Field.text({
+      label: 'External Reference',
+      required: false,
+      maxLength: 200,
+      description: 'ID in upstream HRIS (Workday / SAP HR / 北森).',
+      group: 'Lifecycle',
+    }),
+
+    // ── System ───────────────────────────────────────────────────
+    id: Field.text({
+      label: 'Department ID',
+      required: true,
+      readonly: true,
+      group: 'System',
+    }),
+
+    created_at: Field.datetime({
+      label: 'Created At',
+      defaultValue: 'NOW()',
+      readonly: true,
+      group: 'System',
+    }),
+
+    updated_at: Field.datetime({
+      label: 'Updated At',
+      defaultValue: 'NOW()',
+      readonly: true,
+      group: 'System',
+    }),
+  },
+
+  indexes: [
+    { fields: ['organization_id'] },
+    { fields: ['parent_department_id'] },
+    { fields: ['code', 'organization_id'], unique: true },
+    { fields: ['active'] },
+  ],
+
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ['get', 'list', 'create', 'update', 'delete'],
+    trash: true,
+    mru: false,
+  },
+});
@@ -39,13 +39,6 @@ export const SysTeam = ObjectSchema.create({
       group: 'Identity',
     }),
 
-    parent_team_id: Field.lookup('sys_team', {
-      label: 'Parent Team',
-      required: false,
-      description: 'Optional parent team for hierarchical team structures. Better-auth does not require this column; ObjectStack uses it for the team graph expansion in sharing rules and approval routing.',
-      group: 'Identity',
-    }),
-
     // ── System ───────────────────────────────────────────────────
     id: Field.text({
       label: 'Team ID',
 
@@ -83,12 +83,12 @@ export const SysSharingRule = ObjectSchema.create({
     }),
 
     recipient_type: Field.select(
-      ['user', 'team', 'role', 'queue'],
+      ['user', 'team', 'department', 'role', 'queue'],
       {
         label: 'Recipient Type',
         required: true,
-        defaultValue: 'team',
-        description: 'Kind of principal that receives access — expanded to user grants at evaluation time',
+        defaultValue: 'department',
+        description: 'Kind of principal that receives access — expanded to user grants at evaluation time. `department` walks the parent_department_id tree; `team` is flat (better-auth).',
         group: 'Recipient',
       },
     ),
@@ -97,7 +97,7 @@ export const SysSharingRule = ObjectSchema.create({
       label: 'Recipient',
       required: true,
       maxLength: 200,
-      description: 'team id / role name / queue name / user id depending on recipient_type',
+      description: 'department id / team id / role name / queue name / user id depending on recipient_type',
       group: 'Recipient',
     }),