@objectstack/platform-objects 0.1.0

package/dist/identity/index.js

@@ -0,0 +1,1404 @@
+'use strict';
+
+var data = require('@objectstack/spec/data');
+
+// src/identity/sys-user.object.ts
+var SysUser = data.ObjectSchema.create({
+  name: "sys_user",
+  label: "User",
+  pluralLabel: "Users",
+  icon: "user",
+  isSystem: true,
+  description: "User accounts for authentication",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "email", "email_verified"],
+  fields: {
+    // ── Identity (primary business fields) ───────────────────────
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      group: "Identity"
+    }),
+    email: data.Field.email({
+      label: "Email",
+      required: true,
+      searchable: true,
+      group: "Identity"
+    }),
+    email_verified: data.Field.boolean({
+      label: "Email Verified",
+      defaultValue: false,
+      group: "Identity"
+    }),
+    two_factor_enabled: data.Field.boolean({
+      label: "Two-Factor Enabled",
+      defaultValue: false,
+      group: "Identity",
+      description: "Whether two-factor authentication is enabled for this user. Maintained by the better-auth `twoFactor` plugin."
+    }),
+    // ── Profile ──────────────────────────────────────────────────
+    image: data.Field.url({
+      label: "Profile Image",
+      required: false,
+      group: "Profile"
+    }),
+    // ── System (auto-managed, hidden from create/edit forms) ─────
+    id: data.Field.text({
+      label: "User ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["email"], unique: true },
+    { fields: ["created_at"], unique: false }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: true
+  },
+  validations: [
+    {
+      name: "email_unique",
+      type: "unique",
+      severity: "error",
+      message: "Email must be unique",
+      fields: ["email"],
+      caseSensitive: false
+    }
+  ]
+});
+var SysSession = data.ObjectSchema.create({
+  name: "sys_session",
+  label: "Session",
+  pluralLabel: "Sessions",
+  icon: "key",
+  isSystem: true,
+  description: "Active user sessions",
+  displayNameField: "user_id",
+  titleFormat: "Session \u2014 {user_id}",
+  compactLayout: ["user_id", "ip_address", "expires_at"],
+  fields: {
+    // ── Session owner & expiry ──────────────────────────────────
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true,
+      searchable: true,
+      group: "Session"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true,
+      group: "Session"
+    }),
+    // ── Active context (multi-org/team) ──────────────────────────
+    active_organization_id: data.Field.lookup("sys_organization", {
+      label: "Active Organization",
+      required: false,
+      group: "Context"
+    }),
+    active_team_id: data.Field.lookup("sys_team", {
+      label: "Active Team",
+      required: false,
+      group: "Context"
+    }),
+    // ── Client fingerprint ───────────────────────────────────────
+    ip_address: data.Field.text({
+      label: "IP Address",
+      required: false,
+      maxLength: 45,
+      // Support IPv6
+      group: "Client"
+    }),
+    user_agent: data.Field.textarea({
+      label: "User Agent",
+      required: false,
+      group: "Client"
+    }),
+    // ── Secret (hidden by default) ──────────────────────────────
+    token: data.Field.text({
+      label: "Session Token",
+      required: true,
+      hidden: true,
+      readonly: true,
+      description: "Opaque session token \u2014 never exposed in UI",
+      group: "Secret"
+    }),
+    // ── System ───────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "Session ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["token"], unique: true },
+    { fields: ["user_id"], unique: false },
+    { fields: ["expires_at"], unique: false }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "delete"],
+    trash: false,
+    mru: false,
+    clone: false
+  }
+});
+var SysAccount = data.ObjectSchema.create({
+  name: "sys_account",
+  label: "Account",
+  pluralLabel: "Accounts",
+  icon: "link",
+  isSystem: true,
+  description: "OAuth and authentication provider accounts",
+  titleFormat: "{provider_id} - {account_id}",
+  compactLayout: ["provider_id", "user_id", "account_id"],
+  fields: {
+    id: data.Field.text({
+      label: "Account ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    provider_id: data.Field.text({
+      label: "Provider ID",
+      required: true,
+      description: "OAuth provider identifier (google, github, etc.)"
+    }),
+    account_id: data.Field.text({
+      label: "Provider Account ID",
+      required: true,
+      description: "User's ID in the provider's system"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true,
+      description: "Link to user table"
+    }),
+    access_token: data.Field.textarea({
+      label: "Access Token",
+      required: false
+    }),
+    refresh_token: data.Field.textarea({
+      label: "Refresh Token",
+      required: false
+    }),
+    id_token: data.Field.textarea({
+      label: "ID Token",
+      required: false
+    }),
+    access_token_expires_at: data.Field.datetime({
+      label: "Access Token Expires At",
+      required: false
+    }),
+    refresh_token_expires_at: data.Field.datetime({
+      label: "Refresh Token Expires At",
+      required: false
+    }),
+    scope: data.Field.text({
+      label: "OAuth Scope",
+      required: false
+    }),
+    password: data.Field.text({
+      label: "Password Hash",
+      required: false,
+      description: "Hashed password for email/password provider"
+    })
+  },
+  indexes: [
+    { fields: ["user_id"], unique: false },
+    { fields: ["provider_id", "account_id"], unique: true }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
+  }
+});
+var SysVerification = data.ObjectSchema.create({
+  name: "sys_verification",
+  label: "Verification",
+  pluralLabel: "Verifications",
+  icon: "shield-check",
+  isSystem: true,
+  description: "Email and phone verification tokens",
+  titleFormat: "Verification for {identifier}",
+  compactLayout: ["identifier", "expires_at", "created_at"],
+  fields: {
+    id: data.Field.text({
+      label: "Verification ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    value: data.Field.text({
+      label: "Verification Token",
+      required: true,
+      description: "Token or code for verification"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    identifier: data.Field.text({
+      label: "Identifier",
+      required: true,
+      description: "Email address or phone number"
+    })
+  },
+  indexes: [
+    { fields: ["value"], unique: true },
+    { fields: ["identifier"], unique: false },
+    { fields: ["expires_at"], unique: false }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "create", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysOrganization = data.ObjectSchema.create({
+  name: "sys_organization",
+  label: "Organization",
+  pluralLabel: "Organizations",
+  icon: "building-2",
+  isSystem: true,
+  description: "Organizations for multi-tenant grouping",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "slug"],
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      group: "Identity"
+    }),
+    slug: data.Field.text({
+      label: "Slug",
+      required: false,
+      searchable: true,
+      maxLength: 255,
+      description: "URL-friendly identifier",
+      group: "Identity"
+    }),
+    // ── Branding ─────────────────────────────────────────────────
+    logo: data.Field.url({
+      label: "Logo",
+      required: false,
+      group: "Branding"
+    }),
+    // ── Configuration ────────────────────────────────────────────
+    metadata: data.Field.textarea({
+      label: "Metadata",
+      required: false,
+      description: "JSON-serialized organization metadata",
+      group: "Configuration"
+    }),
+    // ── System ───────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "Organization ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["slug"], unique: true },
+    { fields: ["name"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: true
+  }
+});
+var SysMember = data.ObjectSchema.create({
+  name: "sys_member",
+  label: "Member",
+  pluralLabel: "Members",
+  icon: "user-check",
+  isSystem: true,
+  description: "Organization membership records",
+  titleFormat: "{user_id} in {organization_id}",
+  compactLayout: ["user_id", "organization_id", "role"],
+  fields: {
+    id: data.Field.text({
+      label: "Member ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: true
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true
+    }),
+    role: data.Field.text({
+      label: "Role",
+      required: false,
+      description: "Member role within the organization (e.g. admin, member)",
+      maxLength: 100
+    })
+  },
+  indexes: [
+    { fields: ["organization_id", "user_id"], unique: true },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysInvitation = data.ObjectSchema.create({
+  name: "sys_invitation",
+  label: "Invitation",
+  pluralLabel: "Invitations",
+  icon: "mail",
+  isSystem: true,
+  description: "Organization invitations for user onboarding",
+  titleFormat: "Invitation to {organization_id}",
+  compactLayout: ["email", "organization_id", "status"],
+  fields: {
+    id: data.Field.text({
+      label: "Invitation ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: true
+    }),
+    email: data.Field.email({
+      label: "Email",
+      required: true,
+      description: "Email address of the invited user"
+    }),
+    role: data.Field.text({
+      label: "Role",
+      required: false,
+      maxLength: 100,
+      description: "Role to assign upon acceptance"
+    }),
+    status: data.Field.select(["pending", "accepted", "rejected", "expired", "canceled"], {
+      label: "Status",
+      required: true,
+      defaultValue: "pending"
+    }),
+    inviter_id: data.Field.lookup("sys_user", {
+      label: "Inviter",
+      required: true,
+      description: "User who sent the invitation"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    team_id: data.Field.lookup("sys_team", {
+      label: "Team",
+      required: false,
+      description: "Optional team to assign upon acceptance"
+    })
+  },
+  indexes: [
+    { fields: ["organization_id"] },
+    { fields: ["email"] },
+    { fields: ["expires_at"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysTeam = data.ObjectSchema.create({
+  name: "sys_team",
+  label: "Team",
+  pluralLabel: "Teams",
+  icon: "users",
+  isSystem: true,
+  description: "Teams within organizations for fine-grained grouping",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "organization_id"],
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      group: "Identity"
+    }),
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: true,
+      description: "Parent organization for this team",
+      group: "Identity"
+    }),
+    // ── System ───────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "Team ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["organization_id"] },
+    { fields: ["name", "organization_id"], unique: true }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
+  }
+});
+var SysTeamMember = data.ObjectSchema.create({
+  name: "sys_team_member",
+  label: "Team Member",
+  pluralLabel: "Team Members",
+  icon: "user-plus",
+  isSystem: true,
+  description: "Team membership records linking users to teams",
+  titleFormat: "{user_id} in {team_id}",
+  compactLayout: ["user_id", "team_id", "created_at"],
+  fields: {
+    id: data.Field.text({
+      label: "Team Member ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    team_id: data.Field.lookup("sys_team", {
+      label: "Team",
+      required: true
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true
+    })
+  },
+  indexes: [
+    { fields: ["team_id", "user_id"], unique: true },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysApiKey = data.ObjectSchema.create({
+  name: "sys_api_key",
+  label: "API Key",
+  pluralLabel: "API Keys",
+  icon: "key-round",
+  isSystem: true,
+  description: "API keys for programmatic access",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "prefix", "user_id", "expires_at", "revoked"],
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      description: "Human-readable label for the API key",
+      group: "Identity"
+    }),
+    prefix: data.Field.text({
+      label: "Prefix",
+      required: false,
+      maxLength: 16,
+      description: 'Visible prefix for identifying the key (e.g., "osk_")',
+      group: "Identity"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "Owner",
+      required: true,
+      description: "User who owns this API key",
+      group: "Identity"
+    }),
+    // ── Access ───────────────────────────────────────────────────
+    scopes: data.Field.textarea({
+      label: "Scopes",
+      required: false,
+      description: "JSON array of permission scopes",
+      group: "Access"
+    }),
+    // ── Lifecycle ────────────────────────────────────────────────
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: false,
+      group: "Lifecycle"
+    }),
+    last_used_at: data.Field.datetime({
+      label: "Last Used At",
+      required: false,
+      readonly: true,
+      description: "Automatically updated on each API call",
+      group: "Lifecycle"
+    }),
+    revoked: data.Field.boolean({
+      label: "Revoked",
+      defaultValue: false,
+      group: "Lifecycle"
+    }),
+    // ── Secret (hidden by default) ──────────────────────────────
+    key: data.Field.text({
+      label: "Hashed Key",
+      required: true,
+      hidden: true,
+      readonly: true,
+      description: "Hashed API key value \u2014 never exposed to clients",
+      group: "Secret"
+    }),
+    // ── System ───────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "API Key ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["key"], unique: true },
+    { fields: ["user_id"] },
+    { fields: ["prefix"] },
+    { fields: ["revoked"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysTwoFactor = data.ObjectSchema.create({
+  name: "sys_two_factor",
+  label: "Two Factor",
+  pluralLabel: "Two Factor Credentials",
+  icon: "smartphone",
+  isSystem: true,
+  description: "Two-factor authentication credentials",
+  titleFormat: "Two-factor for {user_id}",
+  compactLayout: ["user_id", "created_at"],
+  fields: {
+    id: data.Field.text({
+      label: "Two Factor ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true
+    }),
+    secret: data.Field.text({
+      label: "Secret",
+      required: true,
+      description: "TOTP secret key"
+    }),
+    backup_codes: data.Field.textarea({
+      label: "Backup Codes",
+      required: false,
+      description: "JSON-serialized backup recovery codes"
+    })
+  },
+  indexes: [
+    { fields: ["user_id"], unique: true }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysDeviceCode = data.ObjectSchema.create({
+  name: "sys_device_code",
+  label: "Device Code",
+  pluralLabel: "Device Codes",
+  icon: "key-round",
+  isSystem: true,
+  description: "OAuth 2.0 Device Authorization Grant (RFC 8628) pending requests",
+  titleFormat: "{user_code}",
+  compactLayout: ["user_code", "status", "client_id", "expires_at"],
+  fields: {
+    id: data.Field.text({
+      label: "Device Code ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    /** High-entropy token returned to the device (CLI). Polled at /device/token. */
+    device_code: data.Field.text({
+      label: "Device Code",
+      required: true,
+      description: "High-entropy token returned to the polling device"
+    }),
+    /** Human-readable short code displayed to the user (e.g. ABCD-EFGH). */
+    user_code: data.Field.text({
+      label: "User Code",
+      required: true,
+      description: "Short user-facing code (e.g. ABCD-EFGH)"
+    }),
+    /** Owning user — populated when the request is approved. */
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: false,
+      description: "User who approved the device authorization"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true,
+      description: "When the device & user codes are no longer valid"
+    }),
+    /** 'pending' | 'approved' | 'denied' */
+    status: data.Field.text({
+      label: "Status",
+      required: true,
+      description: "Current status: 'pending' | 'approved' | 'denied'"
+    }),
+    last_polled_at: data.Field.datetime({
+      label: "Last Polled At",
+      required: false,
+      description: "Timestamp of the most recent /device/token poll"
+    }),
+    polling_interval: data.Field.number({
+      label: "Polling Interval (ms)",
+      required: false,
+      description: "Server-recommended minimum polling interval, in ms"
+    }),
+    client_id: data.Field.text({
+      label: "Client ID",
+      required: false,
+      description: "OAuth client identifier of the requesting device"
+    }),
+    scope: data.Field.text({
+      label: "Scope",
+      required: false,
+      description: "Space-separated OAuth scopes requested by the device"
+    })
+  },
+  indexes: [
+    { fields: ["device_code"], unique: true },
+    { fields: ["user_code"], unique: true },
+    { fields: ["status"], unique: false }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysUserPreference = data.ObjectSchema.create({
+  name: "sys_user_preference",
+  label: "User Preference",
+  pluralLabel: "User Preferences",
+  icon: "settings",
+  isSystem: true,
+  description: "Per-user key-value preferences (theme, locale, etc.)",
+  titleFormat: "{key}",
+  compactLayout: ["user_id", "key"],
+  fields: {
+    id: data.Field.text({
+      label: "Preference ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true,
+      description: "Owner user of this preference"
+    }),
+    key: data.Field.text({
+      label: "Key",
+      required: true,
+      maxLength: 255,
+      description: "Preference key (e.g., theme, locale, plugin.ai.auto_save)"
+    }),
+    value: data.Field.json({
+      label: "Value",
+      description: "Preference value (any JSON-serializable type)"
+    })
+  },
+  indexes: [
+    { fields: ["user_id", "key"], unique: true },
+    { fields: ["user_id"], unique: false }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysOauthApplication = data.ObjectSchema.create({
+  name: "sys_oauth_application",
+  label: "OAuth Application",
+  pluralLabel: "OAuth Applications",
+  icon: "key-round",
+  isSystem: true,
+  description: "Registered OAuth/OIDC client applications",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "client_id", "type", "disabled"],
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    name: data.Field.text({
+      label: "Name",
+      required: false,
+      searchable: true,
+      maxLength: 255,
+      group: "Identity"
+    }),
+    icon: data.Field.url({
+      label: "Icon",
+      required: false,
+      description: "Logo URL shown on the consent screen",
+      group: "Identity"
+    }),
+    uri: data.Field.url({
+      label: "Home URI",
+      required: false,
+      description: "Public homepage of the registered client",
+      group: "Identity"
+    }),
+    contacts: data.Field.textarea({
+      label: "Contacts",
+      required: false,
+      description: "JSON-serialized list of contact email addresses",
+      group: "Identity"
+    }),
+    tos: data.Field.url({
+      label: "Terms of Service",
+      required: false,
+      group: "Identity"
+    }),
+    policy: data.Field.url({
+      label: "Privacy Policy",
+      required: false,
+      group: "Identity"
+    }),
+    metadata: data.Field.textarea({
+      label: "Metadata",
+      required: false,
+      description: "JSON-serialized application metadata",
+      group: "Identity"
+    }),
+    // ── OAuth Credentials ────────────────────────────────────────
+    client_id: data.Field.text({
+      label: "Client ID",
+      required: true,
+      readonly: true,
+      maxLength: 255,
+      description: "Public OAuth client identifier",
+      group: "Credentials"
+    }),
+    client_secret: data.Field.text({
+      label: "Client Secret",
+      required: false,
+      maxLength: 1024,
+      description: "OAuth client secret (hashed/encrypted at rest)",
+      group: "Credentials"
+    }),
+    redirect_uris: data.Field.textarea({
+      label: "Redirect URIs",
+      required: true,
+      description: "JSON-serialized list of allowed redirect URIs",
+      group: "Credentials"
+    }),
+    post_logout_redirect_uris: data.Field.textarea({
+      label: "Post-logout Redirect URIs",
+      required: false,
+      description: "JSON-serialized list of allowed post-logout redirect URIs",
+      group: "Credentials"
+    }),
+    type: data.Field.select(["web", "native", "user-agent-based", "public"], {
+      label: "Client Type",
+      required: false,
+      defaultValue: "web",
+      group: "Credentials"
+    }),
+    public: data.Field.boolean({
+      label: "Public Client",
+      required: false,
+      description: "Marks the client as a public (non-confidential) OAuth client",
+      group: "Credentials"
+    }),
+    require_pkce: data.Field.boolean({
+      label: "Require PKCE",
+      required: false,
+      group: "Credentials"
+    }),
+    token_endpoint_auth_method: data.Field.text({
+      label: "Token Endpoint Auth Method",
+      required: false,
+      maxLength: 64,
+      description: "e.g. client_secret_basic, client_secret_post, none",
+      group: "Credentials"
+    }),
+    grant_types: data.Field.textarea({
+      label: "Grant Types",
+      required: false,
+      description: "JSON-serialized list of allowed grant types",
+      group: "Credentials"
+    }),
+    response_types: data.Field.textarea({
+      label: "Response Types",
+      required: false,
+      description: "JSON-serialized list of allowed response types",
+      group: "Credentials"
+    }),
+    scopes: data.Field.textarea({
+      label: "Allowed Scopes",
+      required: false,
+      description: "JSON-serialized list of scopes the client may request",
+      group: "Credentials"
+    }),
+    subject_type: data.Field.text({
+      label: "Subject Type",
+      required: false,
+      maxLength: 32,
+      description: "OIDC subject type (e.g. public, pairwise)",
+      group: "Credentials"
+    }),
+    // ── Behaviour flags ──────────────────────────────────────────
+    disabled: data.Field.boolean({
+      label: "Disabled",
+      required: false,
+      defaultValue: false,
+      group: "Behaviour"
+    }),
+    skip_consent: data.Field.boolean({
+      label: "Skip Consent",
+      required: false,
+      description: "Treat as a trusted client and bypass the consent screen",
+      group: "Behaviour"
+    }),
+    enable_end_session: data.Field.boolean({
+      label: "Enable End Session",
+      required: false,
+      description: "Allow the client to call the OIDC end-session endpoint",
+      group: "Behaviour"
+    }),
+    // ── Software statement (RFC 7591 §2.3) ───────────────────────
+    software_id: data.Field.text({
+      label: "Software ID",
+      required: false,
+      maxLength: 255,
+      group: "Software"
+    }),
+    software_version: data.Field.text({
+      label: "Software Version",
+      required: false,
+      maxLength: 64,
+      group: "Software"
+    }),
+    software_statement: data.Field.textarea({
+      label: "Software Statement",
+      required: false,
+      description: "Signed JWT asserting the client metadata (RFC 7591 \xA72.3)",
+      group: "Software"
+    }),
+    // ── Ownership / system ───────────────────────────────────────
+    user_id: data.Field.lookup("sys_user", {
+      label: "Owner User",
+      required: false,
+      description: "User who registered this application",
+      group: "System"
+    }),
+    reference_id: data.Field.text({
+      label: "Reference ID",
+      required: false,
+      maxLength: 255,
+      description: "Caller-supplied correlation identifier",
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["client_id"], unique: true },
+    { fields: ["user_id"] },
+    { fields: ["reference_id"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+var SysOauthAccessToken = data.ObjectSchema.create({
+  name: "sys_oauth_access_token",
+  label: "OAuth Access Token",
+  pluralLabel: "OAuth Access Tokens",
+  icon: "ticket",
+  isSystem: true,
+  description: "Opaque OAuth access tokens issued to client applications",
+  compactLayout: ["client_id", "user_id", "expires_at"],
+  fields: {
+    id: data.Field.text({
+      label: "ID",
+      required: true,
+      readonly: true
+    }),
+    token: data.Field.text({
+      label: "Token",
+      required: true,
+      maxLength: 1024,
+      description: "Opaque access token value"
+    }),
+    client_id: data.Field.text({
+      label: "Client ID",
+      required: true,
+      description: "Foreign key to sys_oauth_application.client_id"
+    }),
+    session_id: data.Field.lookup("sys_session", {
+      label: "Session",
+      required: false,
+      description: "Foreign key to sys_session.id"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: false,
+      description: "Foreign key to sys_user.id"
+    }),
+    refresh_id: data.Field.lookup("sys_oauth_refresh_token", {
+      label: "Refresh Token",
+      required: false,
+      description: "Foreign key to sys_oauth_refresh_token.id"
+    }),
+    reference_id: data.Field.text({
+      label: "Reference ID",
+      required: false,
+      maxLength: 255,
+      description: "Caller-supplied correlation identifier"
+    }),
+    scopes: data.Field.textarea({
+      label: "Scopes",
+      required: true,
+      description: "JSON-serialized list of scopes granted to this token"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    })
+  },
+  indexes: [
+    { fields: ["token"], unique: true },
+    { fields: ["client_id"] },
+    { fields: ["session_id"] },
+    { fields: ["user_id"] },
+    { fields: ["refresh_id"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: false,
+    apiMethods: [],
+    trash: false,
+    mru: false
+  }
+});
+var SysOauthRefreshToken = data.ObjectSchema.create({
+  name: "sys_oauth_refresh_token",
+  label: "OAuth Refresh Token",
+  pluralLabel: "OAuth Refresh Tokens",
+  icon: "refresh-cw",
+  isSystem: true,
+  description: "Opaque OAuth refresh tokens (linked to a session)",
+  compactLayout: ["client_id", "user_id", "expires_at"],
+  fields: {
+    id: data.Field.text({
+      label: "ID",
+      required: true,
+      readonly: true
+    }),
+    token: data.Field.text({
+      label: "Token",
+      required: true,
+      maxLength: 1024,
+      description: "Opaque refresh token value"
+    }),
+    client_id: data.Field.text({
+      label: "Client ID",
+      required: true,
+      description: "Foreign key to sys_oauth_application.client_id"
+    }),
+    session_id: data.Field.lookup("sys_session", {
+      label: "Session",
+      required: false,
+      description: "Foreign key to sys_session.id"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true,
+      description: "Foreign key to sys_user.id"
+    }),
+    reference_id: data.Field.text({
+      label: "Reference ID",
+      required: false,
+      maxLength: 255,
+      description: "Caller-supplied correlation identifier"
+    }),
+    scopes: data.Field.textarea({
+      label: "Scopes",
+      required: true,
+      description: "JSON-serialized list of scopes granted to this token"
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    revoked: data.Field.datetime({
+      label: "Revoked At",
+      required: false,
+      description: "Timestamp at which this refresh token was revoked"
+    }),
+    auth_time: data.Field.datetime({
+      label: "Auth Time",
+      required: false,
+      description: "When the user originally authenticated for this token chain"
+    })
+  },
+  indexes: [
+    { fields: ["token"], unique: true },
+    { fields: ["client_id"] },
+    { fields: ["session_id"] },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: false,
+    apiMethods: [],
+    trash: false,
+    mru: false
+  }
+});
+var SysOauthConsent = data.ObjectSchema.create({
+  name: "sys_oauth_consent",
+  label: "OAuth Consent",
+  pluralLabel: "OAuth Consents",
+  icon: "shield-check",
+  isSystem: true,
+  description: "User consent records for OAuth client applications",
+  compactLayout: ["client_id", "user_id", "scopes"],
+  fields: {
+    id: data.Field.text({
+      label: "ID",
+      required: true,
+      readonly: true
+    }),
+    client_id: data.Field.text({
+      label: "Client ID",
+      required: true,
+      description: "Foreign key to sys_oauth_application.client_id"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: false,
+      description: "Foreign key to sys_user.id"
+    }),
+    reference_id: data.Field.text({
+      label: "Reference ID",
+      required: false,
+      maxLength: 255,
+      description: "Caller-supplied correlation identifier"
+    }),
+    scopes: data.Field.textarea({
+      label: "Scopes",
+      required: true,
+      description: "JSON-serialized list of scopes the user consented to"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    })
+  },
+  indexes: [
+    { fields: ["client_id"] },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: false,
+    apiMethods: [],
+    trash: false,
+    mru: false
+  }
+});
+var SysJwks = data.ObjectSchema.create({
+  name: "sys_jwks",
+  label: "JWKS Key",
+  pluralLabel: "JWKS Keys",
+  icon: "key",
+  isSystem: true,
+  description: "Asymmetric key pairs used to sign and verify issued JWTs",
+  compactLayout: ["id", "created_at", "expires_at"],
+  fields: {
+    id: data.Field.text({
+      label: "Key ID",
+      required: true,
+      readonly: true,
+      description: "JWK `kid` value"
+    }),
+    public_key: data.Field.textarea({
+      label: "Public Key",
+      required: true,
+      description: "JSON-serialized JWK public key"
+    }),
+    private_key: data.Field.textarea({
+      label: "Private Key",
+      required: true,
+      description: "JSON-serialized JWK private key (encrypted at rest)"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      required: true,
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    expires_at: data.Field.datetime({
+      label: "Expires At",
+      required: false,
+      description: "When the key may no longer be used to verify tokens"
+    })
+  },
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: false,
+    apiMethods: [],
+    trash: false,
+    mru: false
+  }
+});
+
+exports.SysAccount = SysAccount;
+exports.SysApiKey = SysApiKey;
+exports.SysDeviceCode = SysDeviceCode;
+exports.SysInvitation = SysInvitation;
+exports.SysJwks = SysJwks;
+exports.SysMember = SysMember;
+exports.SysOauthAccessToken = SysOauthAccessToken;
+exports.SysOauthApplication = SysOauthApplication;
+exports.SysOauthConsent = SysOauthConsent;
+exports.SysOauthRefreshToken = SysOauthRefreshToken;
+exports.SysOrganization = SysOrganization;
+exports.SysSession = SysSession;
+exports.SysTeam = SysTeam;
+exports.SysTeamMember = SysTeamMember;
+exports.SysTwoFactor = SysTwoFactor;
+exports.SysUser = SysUser;
+exports.SysUserPreference = SysUserPreference;
+exports.SysVerification = SysVerification;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map