@objectstack/platform-objects 14.8.0 → 15.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/dist/apps/index.d.mts +2 -0
  2. package/dist/apps/index.d.ts +2 -0
  3. package/dist/apps/index.js +1316 -136
  4. package/dist/apps/index.js.map +1 -1
  5. package/dist/apps/index.mjs +1316 -136
  6. package/dist/apps/index.mjs.map +1 -1
  7. package/dist/audit/index.d.mts +933 -578
  8. package/dist/audit/index.d.ts +933 -578
  9. package/dist/audit/index.js +6 -19
  10. package/dist/audit/index.js.map +1 -1
  11. package/dist/audit/index.mjs +6 -19
  12. package/dist/audit/index.mjs.map +1 -1
  13. package/dist/identity/index.d.mts +15025 -2760
  14. package/dist/identity/index.d.ts +15025 -2760
  15. package/dist/identity/index.js +381 -27
  16. package/dist/identity/index.js.map +1 -1
  17. package/dist/identity/index.mjs +379 -28
  18. package/dist/identity/index.mjs.map +1 -1
  19. package/dist/index.d.mts +1 -1
  20. package/dist/index.d.ts +1 -1
  21. package/dist/index.js +1859 -197
  22. package/dist/index.js.map +1 -1
  23. package/dist/index.mjs +1857 -198
  24. package/dist/index.mjs.map +1 -1
  25. package/dist/metadata-translations/index.js +64 -0
  26. package/dist/metadata-translations/index.js.map +1 -1
  27. package/dist/metadata-translations/index.mjs +64 -0
  28. package/dist/metadata-translations/index.mjs.map +1 -1
  29. package/dist/pages/index.js +77 -0
  30. package/dist/pages/index.js.map +1 -1
  31. package/dist/pages/index.mjs +77 -0
  32. package/dist/pages/index.mjs.map +1 -1
  33. package/dist/plugin.js +1380 -136
  34. package/dist/plugin.js.map +1 -1
  35. package/dist/plugin.mjs +1380 -136
  36. package/dist/plugin.mjs.map +1 -1
  37. package/dist/system/index.d.mts +240 -24
  38. package/dist/system/index.d.ts +240 -24
  39. package/package.json +3 -3
@@ -51,7 +51,7 @@ var SysUser = ObjectSchema.create({
51
51
  // "add a teammate" affordance — the Users list is always reachable —
52
52
  // and every add flows through better-auth invitations, never bespoke
53
53
  // sys_user CRUD.
54
- visible: "features.organization != false",
54
+ requiresFeature: "organization",
55
55
  successMessage: "Invitation sent",
56
56
  refreshAfter: true,
57
57
  params: [
@@ -62,9 +62,11 @@ var SysUser = ObjectSchema.create({
62
62
  // ── Platform admin operations (require better-auth `admin` plugin) ─
63
63
  //
64
64
  // These actions hit /api/v1/auth/admin/* endpoints that are only
65
- // wired when `auth.plugins.admin` is enabled. When the plugin is
66
- // disabled the actions still render (schema is static) but server
67
- // returns 404. UI surfaces them under the row menu AND the
65
+ // wired when `auth.plugins.admin` is enabled, so each one is gated on
66
+ // `requiresFeature: 'admin'` (#2874) when the plugin is off the UI
67
+ // hides them instead of rendering buttons that 404. SCIM deployments
68
+ // keep them: SCIM forces the admin plugin (and `features.admin`) on
69
+ // (ADR-0071). UI surfaces them under the row menu AND the
68
70
  // record-detail header (`record_header`, overflowing into the ⋯
69
71
  // "More" menu) so platform admins can manage an account from either
70
72
  // the Users list or an open user record — without dropping to SQL or
@@ -77,6 +79,7 @@ var SysUser = ObjectSchema.create({
77
79
  locations: ["list_item", "record_header"],
78
80
  type: "api",
79
81
  target: "/api/v1/auth/admin/ban-user",
82
+ requiresFeature: "admin",
80
83
  recordIdParam: "userId",
81
84
  successMessage: "User banned",
82
85
  refreshAfter: true,
@@ -93,6 +96,7 @@ var SysUser = ObjectSchema.create({
93
96
  locations: ["list_item", "record_header"],
94
97
  type: "api",
95
98
  target: "/api/v1/auth/admin/unban-user",
99
+ requiresFeature: "admin",
96
100
  recordIdParam: "userId",
97
101
  successMessage: "User unbanned",
98
102
  refreshAfter: true
@@ -108,6 +112,7 @@ var SysUser = ObjectSchema.create({
108
112
  locations: ["list_item", "record_header"],
109
113
  type: "api",
110
114
  target: "/api/v1/auth/admin/unlock-user",
115
+ requiresFeature: "admin",
111
116
  recordIdParam: "userId",
112
117
  successMessage: "Account unlocked",
113
118
  refreshAfter: true
@@ -127,7 +132,7 @@ var SysUser = ObjectSchema.create({
127
132
  locations: ["list_toolbar"],
128
133
  type: "api",
129
134
  target: "/api/v1/auth/admin/create-user",
130
- visible: "features.admin == true",
135
+ requiresFeature: "admin",
131
136
  successMessage: "User created",
132
137
  refreshAfter: true,
133
138
  params: [
@@ -144,7 +149,7 @@ var SysUser = ObjectSchema.create({
144
149
  // otherwise the create-user endpoint rejects a phone with
145
150
  // "Phone numbers require the phoneNumber auth plugin". `features.phoneNumber`
146
151
  // is served in /api/v1/auth/config (getPublicConfig).
147
- visible: "features.phoneNumber == true"
152
+ requiresFeature: "phoneNumber"
148
153
  },
149
154
  { field: "name", required: false },
150
155
  {
@@ -186,6 +191,7 @@ var SysUser = ObjectSchema.create({
186
191
  // legacy role scalar), can mint a temporary password, and stamps
187
192
  // must_change_password.
188
193
  target: "/api/v1/auth/admin/set-user-password",
194
+ requiresFeature: "admin",
189
195
  recordIdParam: "userId",
190
196
  successMessage: "Password updated",
191
197
  refreshAfter: false,
@@ -223,6 +229,7 @@ var SysUser = ObjectSchema.create({
223
229
  locations: ["list_item", "record_header"],
224
230
  type: "api",
225
231
  target: "/api/v1/auth/admin/set-role",
232
+ requiresFeature: "admin",
226
233
  recordIdParam: "userId",
227
234
  successMessage: "Role updated",
228
235
  refreshAfter: true,
@@ -238,6 +245,7 @@ var SysUser = ObjectSchema.create({
238
245
  locations: ["list_item", "record_header"],
239
246
  type: "api",
240
247
  target: "/api/v1/auth/admin/impersonate-user",
248
+ requiresFeature: "admin",
241
249
  recordIdParam: "userId",
242
250
  successMessage: "Now impersonating user",
243
251
  refreshAfter: true,
@@ -355,6 +363,7 @@ var SysUser = ObjectSchema.create({
355
363
  type: "api",
356
364
  target: "/api/v1/auth/two-factor/enable",
357
365
  visible: "record.id == ctx.user.id && record.two_factor_enabled != true",
366
+ requiresFeature: "twoFactor",
358
367
  successMessage: "Two-factor authentication enabled. Scan the QR code or paste the otpauth URI into your authenticator app, then verify a code to complete setup.",
359
368
  refreshAfter: true,
360
369
  params: [
@@ -370,6 +379,7 @@ var SysUser = ObjectSchema.create({
370
379
  type: "api",
371
380
  target: "/api/v1/auth/two-factor/disable",
372
381
  visible: "record.id == ctx.user.id && record.two_factor_enabled == true",
382
+ requiresFeature: "twoFactor",
373
383
  confirmText: "Turn off two-factor authentication? Your account will be less secure.",
374
384
  successMessage: "Two-factor authentication disabled.",
375
385
  refreshAfter: true,
@@ -386,6 +396,7 @@ var SysUser = ObjectSchema.create({
386
396
  type: "api",
387
397
  target: "/api/v1/auth/two-factor/generate-backup-codes",
388
398
  visible: "record.id == ctx.user.id && record.two_factor_enabled == true",
399
+ requiresFeature: "twoFactor",
389
400
  confirmText: "Generate a new set of backup codes? Any previously generated codes will stop working.",
390
401
  successMessage: "New backup codes generated \u2014 save them somewhere safe.",
391
402
  refreshAfter: false,
@@ -1193,7 +1204,7 @@ var SysOrganization = ObjectSchema.create({
1193
1204
  // populated by the console/account shells from `/auth/config`;
1194
1205
  // we default to visible when the flag is undefined so we don't
1195
1206
  // accidentally hide the button while auth config is still loading.
1196
- visible: "features.multiOrgEnabled != false",
1207
+ requiresFeature: "multiOrgEnabled",
1197
1208
  params: [
1198
1209
  { field: "name", required: true },
1199
1210
  { field: "slug", required: true },
@@ -1214,7 +1225,7 @@ var SysOrganization = ObjectSchema.create({
1214
1225
  // Org-admin actions are multi-org-only; hide them in single-org for
1215
1226
  // consistency with `create_organization` (the org list is empty there,
1216
1227
  // but this also guards direct record-URL access).
1217
- visible: "features.multiOrgEnabled != false",
1228
+ requiresFeature: "multiOrgEnabled",
1218
1229
  successMessage: "Organization updated",
1219
1230
  refreshAfter: true,
1220
1231
  params: [
@@ -1233,7 +1244,7 @@ var SysOrganization = ObjectSchema.create({
1233
1244
  type: "api",
1234
1245
  target: "/api/v1/auth/organization/delete",
1235
1246
  recordIdParam: "organizationId",
1236
- visible: "features.multiOrgEnabled != false",
1247
+ requiresFeature: "multiOrgEnabled",
1237
1248
  confirmText: "Delete this organization? All members will lose access immediately. This cannot be undone.",
1238
1249
  successMessage: "Organization deleted",
1239
1250
  refreshAfter: true
@@ -1252,7 +1263,7 @@ var SysOrganization = ObjectSchema.create({
1252
1263
  type: "api",
1253
1264
  target: "/api/v1/auth/organization/set-active",
1254
1265
  recordIdParam: "organizationId",
1255
- visible: "features.multiOrgEnabled != false",
1266
+ requiresFeature: "multiOrgEnabled",
1256
1267
  successMessage: "Active organization switched",
1257
1268
  refreshAfter: true
1258
1269
  },
@@ -1269,7 +1280,7 @@ var SysOrganization = ObjectSchema.create({
1269
1280
  type: "api",
1270
1281
  target: "/api/v1/auth/organization/leave",
1271
1282
  recordIdParam: "organizationId",
1272
- visible: "features.multiOrgEnabled != false",
1283
+ requiresFeature: "multiOrgEnabled",
1273
1284
  confirmText: "Leave this organization? You will lose access to all of its resources.",
1274
1285
  successMessage: "You have left the organization",
1275
1286
  refreshAfter: true
@@ -1291,7 +1302,7 @@ var SysOrganization = ObjectSchema.create({
1291
1302
  type: "api",
1292
1303
  target: "/api/v1/cloud/organizations/{id}/change-slug",
1293
1304
  method: "POST",
1294
- visible: "features.multiOrgEnabled != false",
1305
+ requiresFeature: "multiOrgEnabled",
1295
1306
  confirmText: "Renaming the slug rewrites every platform subdomain for this org and parks the old slug for 90 days. Continue?",
1296
1307
  successMessage: "Organization slug changed",
1297
1308
  refreshAfter: true,
@@ -1429,7 +1440,7 @@ var SysMember = ObjectSchema.create({
1429
1440
  // better-auth endpoints resolve the session's active org, which
1430
1441
  // single-org mode now guarantees via plugin-auth's default-org
1431
1442
  // bootstrap. Same gate on every membership mutation below.
1432
- visible: "features.organization != false",
1443
+ requiresFeature: "organization",
1433
1444
  successMessage: "Member added",
1434
1445
  refreshAfter: true,
1435
1446
  params: [
@@ -1447,7 +1458,7 @@ var SysMember = ObjectSchema.create({
1447
1458
  type: "api",
1448
1459
  target: "/api/v1/auth/organization/update-member-role",
1449
1460
  recordIdParam: "memberId",
1450
- visible: "features.organization != false",
1461
+ requiresFeature: "organization",
1451
1462
  successMessage: "Member role updated",
1452
1463
  refreshAfter: true,
1453
1464
  params: [
@@ -1464,7 +1475,7 @@ var SysMember = ObjectSchema.create({
1464
1475
  type: "api",
1465
1476
  target: "/api/v1/auth/organization/remove-member",
1466
1477
  recordIdParam: "memberIdOrEmail",
1467
- visible: "features.organization != false",
1478
+ requiresFeature: "organization",
1468
1479
  confirmText: "Remove this member from the organization? They will lose access to all org resources.",
1469
1480
  successMessage: "Member removed",
1470
1481
  refreshAfter: true
@@ -1486,7 +1497,10 @@ var SysMember = ObjectSchema.create({
1486
1497
  target: "/api/v1/auth/organization/update-member-role",
1487
1498
  recordIdParam: "memberId",
1488
1499
  bodyExtra: { role: "owner" },
1489
- visible: "record.role != 'owner' && features.organization != false",
1500
+ // The residual row predicate stays hand-written; the feature gate is
1501
+ // AND-composed onto it by the requiresFeature lowering.
1502
+ visible: "record.role != 'owner'",
1503
+ requiresFeature: "organization",
1490
1504
  confirmText: "Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.",
1491
1505
  successMessage: "Ownership transferred",
1492
1506
  refreshAfter: true
@@ -1594,7 +1608,7 @@ var SysInvitation = ObjectSchema.create({
1594
1608
  // sys_organization.create_organization). The recipient-side
1595
1609
  // accept/reject actions below stay record-gated — they are
1596
1610
  // unreachable in single-org anyway (no invitation rows exist).
1597
- visible: "features.organization != false",
1611
+ requiresFeature: "organization",
1598
1612
  successMessage: "Invitation sent",
1599
1613
  refreshAfter: true,
1600
1614
  params: [
@@ -1612,7 +1626,7 @@ var SysInvitation = ObjectSchema.create({
1612
1626
  type: "api",
1613
1627
  target: "/api/v1/auth/organization/cancel-invitation",
1614
1628
  recordIdParam: "invitationId",
1615
- visible: "features.organization != false",
1629
+ requiresFeature: "organization",
1616
1630
  confirmText: "Cancel this invitation? The recipient will no longer be able to accept it.",
1617
1631
  successMessage: "Invitation canceled",
1618
1632
  refreshAfter: true
@@ -1626,7 +1640,7 @@ var SysInvitation = ObjectSchema.create({
1626
1640
  type: "api",
1627
1641
  target: "/api/v1/auth/organization/invite-member",
1628
1642
  bodyExtra: { resend: true },
1629
- visible: "features.organization != false",
1643
+ requiresFeature: "organization",
1630
1644
  successMessage: "Invitation resent",
1631
1645
  refreshAfter: true,
1632
1646
  params: [
@@ -1816,7 +1830,7 @@ var SysTeam = ObjectSchema.create({
1816
1830
  // Teams are nested inside organizations — a multi-org-only concept.
1817
1831
  // Gate every team mutation on the multi-org flag so the affordances
1818
1832
  // disappear in single-org (mirrors sys_organization.create_organization).
1819
- visible: "features.organization != false",
1833
+ requiresFeature: "organization",
1820
1834
  successMessage: "Team created",
1821
1835
  refreshAfter: true,
1822
1836
  params: [
@@ -1837,7 +1851,7 @@ var SysTeam = ObjectSchema.create({
1837
1851
  target: "/api/v1/auth/organization/update-team",
1838
1852
  recordIdParam: "teamId",
1839
1853
  bodyShape: { wrap: "data" },
1840
- visible: "features.organization != false",
1854
+ requiresFeature: "organization",
1841
1855
  successMessage: "Team updated",
1842
1856
  refreshAfter: true,
1843
1857
  params: [
@@ -1856,7 +1870,7 @@ var SysTeam = ObjectSchema.create({
1856
1870
  type: "api",
1857
1871
  target: "/api/v1/auth/organization/remove-team",
1858
1872
  recordIdParam: "teamId",
1859
- visible: "features.organization != false",
1873
+ requiresFeature: "organization",
1860
1874
  confirmText: "Delete this team? Members will lose any team-scoped access. This cannot be undone.",
1861
1875
  successMessage: "Team deleted",
1862
1876
  refreshAfter: true
@@ -1970,7 +1984,7 @@ var SysTeamMember = ObjectSchema.create({
1970
1984
  // Team membership lives under organizations — multi-org-only. Gate
1971
1985
  // both mutations so they vanish in single-org (mirrors
1972
1986
  // sys_organization.create_organization).
1973
- visible: "features.organization != false",
1987
+ requiresFeature: "organization",
1974
1988
  successMessage: "Team member added",
1975
1989
  refreshAfter: true,
1976
1990
  params: [
@@ -1991,7 +2005,7 @@ var SysTeamMember = ObjectSchema.create({
1991
2005
  locations: ["list_item"],
1992
2006
  type: "api",
1993
2007
  target: "/api/v1/auth/organization/remove-team-member",
1994
- visible: "features.organization != false",
2008
+ requiresFeature: "organization",
1995
2009
  confirmText: "Remove this user from the team? They will lose any team-scoped access.",
1996
2010
  successMessage: "Team member removed",
1997
2011
  refreshAfter: true,
@@ -2547,6 +2561,7 @@ var SysTwoFactor = ObjectSchema.create({
2547
2561
  locations: ["list_toolbar"],
2548
2562
  type: "api",
2549
2563
  target: "/api/v1/auth/two-factor/enable",
2564
+ requiresFeature: "twoFactor",
2550
2565
  refreshAfter: true,
2551
2566
  params: [
2552
2567
  { name: "password", label: "Current Password", type: "text", required: true }
@@ -2569,6 +2584,7 @@ var SysTwoFactor = ObjectSchema.create({
2569
2584
  locations: ["list_toolbar"],
2570
2585
  type: "api",
2571
2586
  target: "/api/v1/auth/two-factor/disable",
2587
+ requiresFeature: "twoFactor",
2572
2588
  confirmText: "Disable two-factor authentication on your account?",
2573
2589
  successMessage: "2FA disabled",
2574
2590
  refreshAfter: true,
@@ -2584,6 +2600,7 @@ var SysTwoFactor = ObjectSchema.create({
2584
2600
  locations: ["list_toolbar", "list_item"],
2585
2601
  type: "api",
2586
2602
  target: "/api/v1/auth/two-factor/generate-backup-codes",
2603
+ requiresFeature: "twoFactor",
2587
2604
  confirmText: "Regenerate backup codes? All previous backup codes will stop working immediately.",
2588
2605
  refreshAfter: true,
2589
2606
  params: [
@@ -2898,6 +2915,7 @@ var SysOauthApplication = ObjectSchema.create({
2898
2915
  type: "api",
2899
2916
  method: "POST",
2900
2917
  target: "/api/v1/auth/admin/oauth2/toggle-disabled",
2918
+ requiresFeature: "oidcProvider",
2901
2919
  confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.",
2902
2920
  successMessage: "OAuth application disabled",
2903
2921
  refreshAfter: true,
@@ -2917,6 +2935,7 @@ var SysOauthApplication = ObjectSchema.create({
2917
2935
  type: "api",
2918
2936
  method: "POST",
2919
2937
  target: "/api/v1/auth/admin/oauth2/toggle-disabled",
2938
+ requiresFeature: "oidcProvider",
2920
2939
  confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.",
2921
2940
  successMessage: "OAuth application enabled",
2922
2941
  refreshAfter: true,
@@ -2936,6 +2955,7 @@ var SysOauthApplication = ObjectSchema.create({
2936
2955
  type: "api",
2937
2956
  method: "POST",
2938
2957
  target: "/api/v1/auth/sys-oauth-application/register",
2958
+ requiresFeature: "oidcProvider",
2939
2959
  refreshAfter: true,
2940
2960
  params: [
2941
2961
  { name: "name", label: "Application Name", type: "text", required: true },
@@ -2967,6 +2987,7 @@ var SysOauthApplication = ObjectSchema.create({
2967
2987
  type: "api",
2968
2988
  method: "POST",
2969
2989
  target: "/api/v1/auth/oauth2/client/rotate-secret",
2990
+ requiresFeature: "oidcProvider",
2970
2991
  confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.",
2971
2992
  refreshAfter: true,
2972
2993
  params: [
@@ -2991,6 +3012,7 @@ var SysOauthApplication = ObjectSchema.create({
2991
3012
  type: "api",
2992
3013
  method: "POST",
2993
3014
  target: "/api/v1/auth/oauth2/delete-client",
3015
+ requiresFeature: "oidcProvider",
2994
3016
  confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.",
2995
3017
  successMessage: "OAuth application deleted",
2996
3018
  refreshAfter: true,
@@ -3170,6 +3192,25 @@ var SysOauthApplication = ObjectSchema.create({
3170
3192
  description: "OIDC subject type (e.g. public, pairwise)",
3171
3193
  group: "Credentials"
3172
3194
  }),
3195
+ jwks: Field.textarea({
3196
+ label: "JWKS",
3197
+ required: false,
3198
+ description: "Client JSON Web Key Set (for private_key_jwt / signed-request verification)",
3199
+ group: "Credentials"
3200
+ }),
3201
+ jwks_uri: Field.url({
3202
+ label: "JWKS URI",
3203
+ required: false,
3204
+ description: "URL of the client JSON Web Key Set",
3205
+ group: "Credentials"
3206
+ }),
3207
+ dpop_bound_access_tokens: Field.boolean({
3208
+ label: "DPoP-bound Access Tokens",
3209
+ required: false,
3210
+ defaultValue: false,
3211
+ description: "Require access tokens issued to this client to be DPoP-bound (RFC 9449)",
3212
+ group: "Credentials"
3213
+ }),
3173
3214
  // ── Behaviour flags ──────────────────────────────────────────
3174
3215
  disabled: Field.boolean({
3175
3216
  label: "Disabled",
@@ -3189,6 +3230,18 @@ var SysOauthApplication = ObjectSchema.create({
3189
3230
  description: "Allow the client to call the OIDC end-session endpoint",
3190
3231
  group: "Behaviour"
3191
3232
  }),
3233
+ backchannel_logout_uri: Field.url({
3234
+ label: "Back-channel Logout URI",
3235
+ required: false,
3236
+ description: "OIDC back-channel logout endpoint of the client",
3237
+ group: "Behaviour"
3238
+ }),
3239
+ backchannel_logout_session_required: Field.boolean({
3240
+ label: "Back-channel Logout Session Required",
3241
+ required: false,
3242
+ description: "Whether the back-channel logout token must include a sid claim",
3243
+ group: "Behaviour"
3244
+ }),
3192
3245
  // ── Software statement (RFC 7591 §2.3) ───────────────────────
3193
3246
  software_id: Field.text({
3194
3247
  label: "Software ID",
@@ -3314,6 +3367,22 @@ var SysOauthAccessToken = ObjectSchema.create({
3314
3367
  maxLength: 255,
3315
3368
  description: "Caller-supplied correlation identifier"
3316
3369
  }),
3370
+ authorization_code_id: Field.text({
3371
+ label: "Authorization Code ID",
3372
+ required: false,
3373
+ maxLength: 255,
3374
+ description: "ID of the authorization-code grant this token originates from"
3375
+ }),
3376
+ resources: Field.textarea({
3377
+ label: "Resources",
3378
+ required: false,
3379
+ description: "JSON-serialized list of RFC 8707 resource indicators bound to this token"
3380
+ }),
3381
+ requested_user_info_claims: Field.textarea({
3382
+ label: "Requested UserInfo Claims",
3383
+ required: false,
3384
+ description: "JSON-serialized list of OIDC claims requested for the userinfo endpoint"
3385
+ }),
3317
3386
  scopes: Field.textarea({
3318
3387
  label: "Scopes",
3319
3388
  required: true,
@@ -3327,6 +3396,16 @@ var SysOauthAccessToken = ObjectSchema.create({
3327
3396
  label: "Created At",
3328
3397
  defaultValue: "NOW()",
3329
3398
  readonly: true
3399
+ }),
3400
+ revoked: Field.datetime({
3401
+ label: "Revoked At",
3402
+ required: false,
3403
+ description: "Timestamp at which this access token was revoked"
3404
+ }),
3405
+ confirmation: Field.textarea({
3406
+ label: "Confirmation",
3407
+ required: false,
3408
+ description: "JSON RFC 7800 cnf claim (e.g. DPoP key thumbprint) binding this token to a key"
3330
3409
  })
3331
3410
  },
3332
3411
  indexes: [
@@ -3334,7 +3413,8 @@ var SysOauthAccessToken = ObjectSchema.create({
3334
3413
  { fields: ["client_id"] },
3335
3414
  { fields: ["session_id"] },
3336
3415
  { fields: ["user_id"] },
3337
- { fields: ["refresh_id"] }
3416
+ { fields: ["refresh_id"] },
3417
+ { fields: ["authorization_code_id"] }
3338
3418
  ],
3339
3419
  enable: {
3340
3420
  trackHistory: false,
@@ -3400,6 +3480,22 @@ var SysOauthRefreshToken = ObjectSchema.create({
3400
3480
  maxLength: 255,
3401
3481
  description: "Caller-supplied correlation identifier"
3402
3482
  }),
3483
+ authorization_code_id: Field.text({
3484
+ label: "Authorization Code ID",
3485
+ required: false,
3486
+ maxLength: 255,
3487
+ description: "ID of the authorization-code grant this token chain originates from"
3488
+ }),
3489
+ resources: Field.textarea({
3490
+ label: "Resources",
3491
+ required: false,
3492
+ description: "JSON-serialized list of RFC 8707 resource indicators bound to this token"
3493
+ }),
3494
+ requested_user_info_claims: Field.textarea({
3495
+ label: "Requested UserInfo Claims",
3496
+ required: false,
3497
+ description: "JSON-serialized list of OIDC claims requested for the userinfo endpoint"
3498
+ }),
3403
3499
  scopes: Field.textarea({
3404
3500
  label: "Scopes",
3405
3501
  required: true,
@@ -3419,17 +3515,38 @@ var SysOauthRefreshToken = ObjectSchema.create({
3419
3515
  required: false,
3420
3516
  description: "Timestamp at which this refresh token was revoked"
3421
3517
  }),
3518
+ rotated_at: Field.datetime({
3519
+ label: "Rotated At",
3520
+ required: false,
3521
+ description: "Timestamp at which this token was rotated (superseded by a new row)"
3522
+ }),
3523
+ rotation_replay_response: Field.textarea({
3524
+ label: "Rotation Replay Response",
3525
+ required: false,
3526
+ description: "Cached token response replayed when the old token is re-presented within the reuse interval"
3527
+ }),
3528
+ rotation_replay_expires_at: Field.datetime({
3529
+ label: "Rotation Replay Expires At",
3530
+ required: false,
3531
+ description: "End of the post-rotation reuse interval during which the replay response is served"
3532
+ }),
3422
3533
  auth_time: Field.datetime({
3423
3534
  label: "Auth Time",
3424
3535
  required: false,
3425
3536
  description: "When the user originally authenticated for this token chain"
3537
+ }),
3538
+ confirmation: Field.textarea({
3539
+ label: "Confirmation",
3540
+ required: false,
3541
+ description: "JSON RFC 7800 cnf claim (e.g. DPoP key thumbprint) binding this token to a key"
3426
3542
  })
3427
3543
  },
3428
3544
  indexes: [
3429
3545
  { fields: ["token"], unique: true },
3430
3546
  { fields: ["client_id"] },
3431
3547
  { fields: ["session_id"] },
3432
- { fields: ["user_id"] }
3548
+ { fields: ["user_id"] },
3549
+ { fields: ["authorization_code_id"] }
3433
3550
  ],
3434
3551
  enable: {
3435
3552
  trackHistory: false,
@@ -3479,6 +3596,16 @@ var SysOauthConsent = ObjectSchema.create({
3479
3596
  maxLength: 255,
3480
3597
  description: "Caller-supplied correlation identifier"
3481
3598
  }),
3599
+ resources: Field.textarea({
3600
+ label: "Resources",
3601
+ required: false,
3602
+ description: "JSON-serialized list of RFC 8707 resource indicators the consent covers"
3603
+ }),
3604
+ requested_user_info_claims: Field.textarea({
3605
+ label: "Requested UserInfo Claims",
3606
+ required: false,
3607
+ description: "JSON-serialized list of OIDC claims the user consented to expose"
3608
+ }),
3482
3609
  scopes: Field.textarea({
3483
3610
  label: "Scopes",
3484
3611
  required: true,
@@ -3508,6 +3635,215 @@ var SysOauthConsent = ObjectSchema.create({
3508
3635
  mru: false
3509
3636
  }
3510
3637
  });
3638
+ var SysOauthResource = ObjectSchema.create({
3639
+ name: "sys_oauth_resource",
3640
+ label: "OAuth Resource",
3641
+ pluralLabel: "OAuth Resources",
3642
+ icon: "server",
3643
+ isSystem: true,
3644
+ managedBy: "better-auth",
3645
+ // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3646
+ // but may add overlay row-level config. Use `no-overlay` if you need to
3647
+ // forbid sys_metadata overlays entirely.
3648
+ protection: {
3649
+ lock: "full",
3650
+ reason: "Identity table managed by better-auth \u2014 see ADR-0010.",
3651
+ docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
3652
+ },
3653
+ description: "Registered OAuth protected resources (RFC 8707 resource indicators)",
3654
+ displayNameField: "name",
3655
+ nameField: "name",
3656
+ highlightFields: ["name", "identifier", "disabled"],
3657
+ fields: {
3658
+ id: Field.text({
3659
+ label: "ID",
3660
+ required: true,
3661
+ readonly: true
3662
+ }),
3663
+ identifier: Field.text({
3664
+ label: "Identifier",
3665
+ required: true,
3666
+ maxLength: 1024,
3667
+ description: "Resource indicator URI presented in the RFC 8707 resource parameter"
3668
+ }),
3669
+ name: Field.text({
3670
+ label: "Name",
3671
+ required: true,
3672
+ maxLength: 255
3673
+ }),
3674
+ access_token_ttl: Field.number({
3675
+ label: "Access Token TTL",
3676
+ required: false,
3677
+ description: "Access-token lifetime in seconds for this resource (overrides the server default)"
3678
+ }),
3679
+ refresh_token_ttl: Field.number({
3680
+ label: "Refresh Token TTL",
3681
+ required: false,
3682
+ description: "Refresh-token lifetime in seconds for this resource (overrides the server default)"
3683
+ }),
3684
+ signing_algorithm: Field.text({
3685
+ label: "Signing Algorithm",
3686
+ required: false,
3687
+ maxLength: 32,
3688
+ description: "JWS algorithm used to sign access tokens for this resource"
3689
+ }),
3690
+ signing_key_id: Field.text({
3691
+ label: "Signing Key ID",
3692
+ required: false,
3693
+ maxLength: 255,
3694
+ description: "Key id (kid) used to sign access tokens for this resource"
3695
+ }),
3696
+ allowed_scopes: Field.textarea({
3697
+ label: "Allowed Scopes",
3698
+ required: false,
3699
+ description: "JSON-serialized list of scopes clients may request for this resource"
3700
+ }),
3701
+ custom_claims: Field.textarea({
3702
+ label: "Custom Claims",
3703
+ required: false,
3704
+ description: "JSON object of extra claims stamped on access tokens for this resource"
3705
+ }),
3706
+ dpop_bound_access_tokens_required: Field.boolean({
3707
+ label: "DPoP Required",
3708
+ required: false,
3709
+ defaultValue: false,
3710
+ description: "Require access tokens for this resource to be DPoP-bound (RFC 9449)"
3711
+ }),
3712
+ disabled: Field.boolean({
3713
+ label: "Disabled",
3714
+ required: false,
3715
+ defaultValue: false
3716
+ }),
3717
+ policy_version: Field.number({
3718
+ label: "Policy Version",
3719
+ required: false,
3720
+ defaultValue: 1,
3721
+ description: "Monotonic version of the resource token policy"
3722
+ }),
3723
+ metadata: Field.textarea({
3724
+ label: "Metadata",
3725
+ required: false,
3726
+ description: "JSON object of additional resource metadata"
3727
+ }),
3728
+ created_at: Field.datetime({
3729
+ label: "Created At",
3730
+ defaultValue: "NOW()",
3731
+ readonly: true
3732
+ }),
3733
+ updated_at: Field.datetime({
3734
+ label: "Updated At",
3735
+ defaultValue: "NOW()",
3736
+ readonly: true
3737
+ })
3738
+ },
3739
+ indexes: [
3740
+ { fields: ["identifier"], unique: true }
3741
+ ],
3742
+ enable: {
3743
+ trackHistory: false,
3744
+ searchable: false,
3745
+ apiEnabled: false,
3746
+ apiMethods: [],
3747
+ trash: false,
3748
+ mru: false
3749
+ }
3750
+ });
3751
+ var SysOauthClientResource = ObjectSchema.create({
3752
+ name: "sys_oauth_client_resource",
3753
+ label: "OAuth Client Resource",
3754
+ pluralLabel: "OAuth Client Resources",
3755
+ icon: "link",
3756
+ isSystem: true,
3757
+ managedBy: "better-auth",
3758
+ // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3759
+ // but may add overlay row-level config. Use `no-overlay` if you need to
3760
+ // forbid sys_metadata overlays entirely.
3761
+ protection: {
3762
+ lock: "full",
3763
+ reason: "Identity table managed by better-auth \u2014 see ADR-0010.",
3764
+ docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
3765
+ },
3766
+ description: "Grants allowing an OAuth client to request tokens for a protected resource",
3767
+ highlightFields: ["client_id", "resource_id"],
3768
+ fields: {
3769
+ id: Field.text({
3770
+ label: "ID",
3771
+ required: true,
3772
+ readonly: true
3773
+ }),
3774
+ client_id: Field.text({
3775
+ label: "Client ID",
3776
+ required: true,
3777
+ description: "Foreign key to sys_oauth_application.client_id"
3778
+ }),
3779
+ resource_id: Field.text({
3780
+ label: "Resource ID",
3781
+ required: true,
3782
+ maxLength: 1024,
3783
+ description: "Foreign key to sys_oauth_resource.identifier"
3784
+ }),
3785
+ metadata: Field.textarea({
3786
+ label: "Metadata",
3787
+ required: false,
3788
+ description: "JSON object of additional grant metadata"
3789
+ }),
3790
+ created_at: Field.datetime({
3791
+ label: "Created At",
3792
+ defaultValue: "NOW()",
3793
+ readonly: true
3794
+ })
3795
+ },
3796
+ indexes: [
3797
+ { fields: ["client_id"] },
3798
+ { fields: ["resource_id"] }
3799
+ ],
3800
+ enable: {
3801
+ trackHistory: false,
3802
+ searchable: false,
3803
+ apiEnabled: false,
3804
+ apiMethods: [],
3805
+ trash: false,
3806
+ mru: false
3807
+ }
3808
+ });
3809
+ var SysOauthClientAssertion = ObjectSchema.create({
3810
+ name: "sys_oauth_client_assertion",
3811
+ label: "OAuth Client Assertion",
3812
+ pluralLabel: "OAuth Client Assertions",
3813
+ icon: "shield-check",
3814
+ isSystem: true,
3815
+ managedBy: "better-auth",
3816
+ // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema,
3817
+ // but may add overlay row-level config. Use `no-overlay` if you need to
3818
+ // forbid sys_metadata overlays entirely.
3819
+ protection: {
3820
+ lock: "full",
3821
+ reason: "Identity table managed by better-auth \u2014 see ADR-0010.",
3822
+ docsUrl: "https://docs.objectstack.ai/adr/0010-metadata-protection"
3823
+ },
3824
+ description: "Consumed OAuth client-assertion JTIs (RFC 7523 replay prevention)",
3825
+ highlightFields: ["expires_at"],
3826
+ fields: {
3827
+ id: Field.text({
3828
+ label: "ID",
3829
+ required: true,
3830
+ readonly: true
3831
+ }),
3832
+ expires_at: Field.datetime({
3833
+ label: "Expires At",
3834
+ required: true,
3835
+ description: "Assertion expiry \u2014 rows past this instant are safe to prune"
3836
+ })
3837
+ },
3838
+ enable: {
3839
+ trackHistory: false,
3840
+ searchable: false,
3841
+ apiEnabled: false,
3842
+ apiMethods: [],
3843
+ trash: false,
3844
+ mru: false
3845
+ }
3846
+ });
3511
3847
  var SysJwks = ObjectSchema.create({
3512
3848
  name: "sys_jwks",
3513
3849
  label: "JWKS Key",
@@ -3549,6 +3885,21 @@ var SysJwks = ObjectSchema.create({
3549
3885
  required: true,
3550
3886
  description: "JSON-serialized JWK private key (encrypted at rest)"
3551
3887
  }),
3888
+ // better-auth 1.7 records the key's signing algorithm and (for EdDSA/EC
3889
+ // keys) its curve alongside the key material, so tokens can advertise the
3890
+ // correct `alg`/`crv` in the JWKS response. Both are optional — legacy rows
3891
+ // minted before 1.7 leave them null and better-auth falls back to the
3892
+ // configured `keyPairConfig.alg` (default `EdDSA`).
3893
+ alg: Field.text({
3894
+ label: "Algorithm",
3895
+ required: false,
3896
+ description: "JWK signing algorithm, e.g. `EdDSA` (better-auth 1.7+)"
3897
+ }),
3898
+ crv: Field.text({
3899
+ label: "Curve",
3900
+ required: false,
3901
+ description: "JWK curve for EdDSA/EC keys, e.g. `Ed25519` (better-auth 1.7+)"
3902
+ }),
3552
3903
  created_at: Field.datetime({
3553
3904
  label: "Created At",
3554
3905
  required: true,
@@ -3591,7 +3942,7 @@ var SysSsoProvider = ObjectSchema.create({
3591
3942
  // Together: admins see all env providers; non-admins get 403. better-auth's
3592
3943
  // own endpoints already read via a system context. (Env-only object — no
3593
3944
  // control-plane cross-tenant risk.)
3594
- tenancy: { enabled: false, strategy: "shared" },
3945
+ tenancy: { enabled: false },
3595
3946
  requiredPermissions: ["manage_platform_settings"],
3596
3947
  // ADR-0010 §3.7 — managed by better-auth; tenants may not edit schema.
3597
3948
  protection: {
@@ -3923,6 +4274,6 @@ var SysScimProvider = ObjectSchema.create({
3923
4274
  }
3924
4275
  });
3925
4276
 
3926
- export { SysAccount, SysApiKey, SysBusinessUnit, SysBusinessUnitMember, SysDeviceCode, SysInvitation, SysJwks, SysMember, SysOauthAccessToken, SysOauthApplication, SysOauthConsent, SysOauthRefreshToken, SysOrganization, SysScimProvider, SysSession, SysSsoProvider, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserPreference, SysVerification };
4277
+ export { SysAccount, SysApiKey, SysBusinessUnit, SysBusinessUnitMember, SysDeviceCode, SysInvitation, SysJwks, SysMember, SysOauthAccessToken, SysOauthApplication, SysOauthClientAssertion, SysOauthClientResource, SysOauthConsent, SysOauthRefreshToken, SysOauthResource, SysOrganization, SysScimProvider, SysSession, SysSsoProvider, SysTeam, SysTeamMember, SysTwoFactor, SysUser, SysUserPreference, SysVerification };
3927
4278
  //# sourceMappingURL=index.mjs.map
3928
4279
  //# sourceMappingURL=index.mjs.map