@objectstack/platform-objects 4.0.5 → 4.1.0

package/dist/identity/index.js

@@ -14,6 +14,149 @@ var SysUser = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "email", "email_verified"],
+  // Custom actions — generic CRUD is suppressed because user accounts are
+  // managed by better-auth, but we still need first-class affordances for
+  // common operations. Each action delegates to a Console-side named script
+  // registered on the ActionRunner (see objectui `AppContent.tsx`). Adding
+  // new affordances (reset password, revoke session, …) is now a pure
+  // schema + script-registration change — no per-view code.
+  actions: [
+    {
+      name: "invite_user",
+      label: "Invite User",
+      icon: "user-plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/invite-member",
+      successMessage: "Invitation sent",
+      refreshAfter: true,
+      params: [
+        { field: "email", required: true },
+        { field: "role", objectOverride: "sys_member", required: true }
+      ]
+    },
+    // ── Platform admin operations (require better-auth `admin` plugin) ─
+    //
+    // These actions hit /api/v1/auth/admin/* endpoints that are only
+    // wired when `auth.plugins.admin` is enabled. When the plugin is
+    // disabled the actions still render (schema is static) but server
+    // returns 404. UI surfaces them under the row menu so platform
+    // admins can manage accounts without dropping to SQL or
+    // a custom Setup wizard.
+    {
+      name: "ban_user",
+      label: "Ban User",
+      icon: "ban",
+      variant: "danger",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/admin/ban-user",
+      recordIdParam: "userId",
+      successMessage: "User banned",
+      refreshAfter: true,
+      confirmText: "Ban this user? They will be signed out and unable to sign in until unbanned.",
+      params: [
+        { name: "banReason", label: "Ban Reason", type: "text", required: false }
+      ]
+    },
+    {
+      name: "unban_user",
+      label: "Unban User",
+      icon: "check-circle-2",
+      variant: "secondary",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/admin/unban-user",
+      recordIdParam: "userId",
+      successMessage: "User unbanned",
+      refreshAfter: true
+    },
+    {
+      name: "set_user_password",
+      label: "Set Password",
+      icon: "key-round",
+      variant: "secondary",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/admin/set-user-password",
+      recordIdParam: "userId",
+      successMessage: "Password updated",
+      refreshAfter: false,
+      params: [
+        { name: "newPassword", label: "New Password", type: "text", required: true }
+      ]
+    },
+    {
+      name: "set_user_role",
+      label: "Set Platform Role",
+      icon: "shield-check",
+      variant: "secondary",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/admin/set-role",
+      recordIdParam: "userId",
+      successMessage: "Role updated",
+      refreshAfter: true,
+      params: [
+        { name: "role", label: "Platform Role", type: "text", required: true }
+      ]
+    },
+    {
+      name: "impersonate_user",
+      label: "Impersonate User",
+      icon: "user-cog",
+      variant: "secondary",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/admin/impersonate-user",
+      recordIdParam: "userId",
+      successMessage: "Now impersonating user",
+      refreshAfter: true,
+      confirmText: "Start an impersonation session for this user? Use only for legitimate support cases \u2014 actions will be logged."
+    }
+  ],
+  listViews: {
+    all_users: {
+      type: "grid",
+      name: "all_users",
+      label: "All Users",
+      data: { provider: "object", object: "sys_user" },
+      columns: ["name", "email", "email_verified", "two_factor_enabled", "created_at"],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    unverified: {
+      type: "grid",
+      name: "unverified",
+      label: "Unverified",
+      data: { provider: "object", object: "sys_user" },
+      columns: ["name", "email", "created_at"],
+      filter: [{ field: "email_verified", operator: "equals", value: false }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    two_factor: {
+      type: "grid",
+      name: "two_factor",
+      label: "2FA Enabled",
+      data: { provider: "object", object: "sys_user" },
+      columns: ["name", "email", "two_factor_enabled", "updated_at"],
+      filter: [{ field: "two_factor_enabled", operator: "equals", value: true }],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    banned: {
+      type: "grid",
+      name: "banned",
+      label: "Banned",
+      data: { provider: "object", object: "sys_user" },
+      columns: ["name", "email", "banned", "ban_reason", "ban_expires"],
+      filter: [{ field: "banned", operator: "equals", value: true }],
+      sort: [{ field: "updated_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity (primary business fields) ───────────────────────
     name: data.Field.text({
@@ -40,6 +183,32 @@ var SysUser = data.ObjectSchema.create({
       group: "Identity",
       description: "Whether two-factor authentication is enabled for this user. Maintained by the better-auth `twoFactor` plugin."
     }),
+    // ── Admin (managed by better-auth `admin` plugin when enabled) ───
+    role: data.Field.text({
+      label: "Platform Role",
+      required: false,
+      maxLength: 64,
+      group: "Admin",
+      description: "Platform-level role (admin, user, \u2026). Set via the Set Platform Role action."
+    }),
+    banned: data.Field.boolean({
+      label: "Banned",
+      defaultValue: false,
+      group: "Admin",
+      description: "When true, the user cannot sign in. Toggle via Ban User / Unban User actions."
+    }),
+    ban_reason: data.Field.text({
+      label: "Ban Reason",
+      required: false,
+      maxLength: 255,
+      group: "Admin"
+    }),
+    ban_expires: data.Field.datetime({
+      label: "Ban Expires",
+      required: false,
+      group: "Admin",
+      description: "When set, the ban auto-clears at this time."
+    }),
     // ── Profile ──────────────────────────────────────────────────
     image: data.Field.url({
       label: "Profile Image",
@@ -100,6 +269,62 @@ var SysSession = data.ObjectSchema.create({
   displayNameField: "user_id",
   titleFormat: "Session \u2014 {user_id}",
   compactLayout: ["user_id", "ip_address", "expires_at"],
+  // Custom actions — sessions are managed by better-auth (generic CRUD
+  // suppressed). "Sign out other devices" is the high-value self-service
+  // affordance every IdP exposes. Maps to better-auth's
+  // `revoke-other-sessions` endpoint which terminates every session for
+  // the current user except the one making the request.
+  actions: [
+    {
+      name: "revoke_my_other_sessions",
+      label: "Sign out other devices",
+      icon: "log-out",
+      variant: "danger",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/revoke-other-sessions",
+      confirmText: "Sign out of every other device where you're currently logged in? Your current session will remain active.",
+      successMessage: "All other sessions revoked",
+      refreshAfter: true
+    },
+    {
+      name: "revoke_session",
+      label: "Revoke Session",
+      icon: "log-out",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/revoke-session",
+      // better-auth `revoke-session` keys off the session token, not the id.
+      recordIdParam: "token",
+      recordIdField: "token",
+      confirmText: "Revoke this session? The user will be signed out from that device.",
+      successMessage: "Session revoked",
+      refreshAfter: true
+    }
+  ],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Sessions",
+      data: { provider: "object", object: "sys_session" },
+      columns: ["ip_address", "active_organization_id", "created_at", "expires_at"],
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_sessions: {
+      type: "grid",
+      name: "all_sessions",
+      label: "All",
+      data: { provider: "object", object: "sys_session" },
+      columns: ["user_id", "ip_address", "active_organization_id", "created_at", "expires_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Session owner & expiry ──────────────────────────────────
     user_id: data.Field.lookup("sys_user", {
@@ -137,6 +362,13 @@ var SysSession = data.ObjectSchema.create({
       required: false,
       group: "Client"
     }),
+    // ── Admin (managed by better-auth `admin` plugin) ────────────
+    impersonated_by: data.Field.lookup("sys_user", {
+      label: "Impersonated By",
+      required: false,
+      group: "Admin",
+      description: "User id of the admin that started this impersonation session, if any."
+    }),
     // ── Secret (hidden by default) ──────────────────────────────
     token: data.Field.text({
       label: "Session Token",
@@ -191,6 +423,37 @@ var SysAccount = data.ObjectSchema.create({
   description: "OAuth and authentication provider accounts",
   titleFormat: "{provider_id} - {account_id}",
   compactLayout: ["provider_id", "user_id", "account_id"],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Links",
+      data: { provider: "object", object: "sys_account" },
+      columns: ["provider_id", "account_id", "created_at", "updated_at"],
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "provider_id", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    by_provider: {
+      type: "grid",
+      name: "by_provider",
+      label: "By Provider",
+      data: { provider: "object", object: "sys_account" },
+      columns: ["provider_id", "user_id", "account_id", "created_at"],
+      sort: [{ field: "provider_id", order: "asc" }, { field: "created_at", order: "desc" }],
+      grouping: { fields: [{ field: "provider_id", order: "asc", collapsed: false }] },
+      pagination: { pageSize: 100 }
+    },
+    all_links: {
+      type: "grid",
+      name: "all_links",
+      label: "All",
+      data: { provider: "object", object: "sys_account" },
+      columns: ["provider_id", "user_id", "account_id", "created_at", "updated_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 100 }
+    }
+  },
   fields: {
     id: data.Field.text({
       label: "Account ID",
@@ -331,6 +594,104 @@ var SysOrganization = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "slug"],
+  // Custom actions — generic CRUD is suppressed (better-auth-managed),
+  // but admins still need to create new orgs from the Setup app.
+  actions: [
+    {
+      name: "create_organization",
+      label: "Create Organization",
+      icon: "plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/create",
+      successMessage: "Organization created",
+      refreshAfter: true,
+      params: [
+        { field: "name", required: true },
+        { field: "slug", required: true },
+        { field: "logo" }
+      ]
+    },
+    {
+      name: "update_organization",
+      label: "Edit Organization",
+      icon: "pencil",
+      mode: "edit",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/update",
+      recordIdParam: "organizationId",
+      // better-auth `organization/update` nests editable fields under `data`.
+      bodyShape: { wrap: "data" },
+      successMessage: "Organization updated",
+      refreshAfter: true,
+      params: [
+        { field: "name", required: true, defaultFromRow: true },
+        { field: "slug", required: true, defaultFromRow: true },
+        { field: "logo", defaultFromRow: true }
+      ]
+    },
+    {
+      name: "delete_organization",
+      label: "Delete Organization",
+      icon: "trash-2",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/delete",
+      recordIdParam: "organizationId",
+      confirmText: "Delete this organization? All members will lose access immediately. This cannot be undone.",
+      successMessage: "Organization deleted",
+      refreshAfter: true
+    },
+    {
+      // Switch the caller's active organization context. Standard
+      // better-auth endpoint; no extra params needed (org id ships as
+      // the row id). Used from the Setup list and the record header so
+      // admins can context-switch without leaving the page.
+      name: "set_active_organization",
+      label: "Set Active",
+      icon: "check-circle-2",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/organization/set-active",
+      recordIdParam: "organizationId",
+      successMessage: "Active organization switched",
+      refreshAfter: true
+    },
+    {
+      // Current user leaves the org. Distinct from `delete_organization`
+      // (admin-only, destroys the org) — `leave` only removes the caller's
+      // own membership. Better-auth: `organization/leave { organizationId }`.
+      name: "leave_organization",
+      label: "Leave Organization",
+      icon: "log-out",
+      variant: "danger",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/organization/leave",
+      recordIdParam: "organizationId",
+      confirmText: "Leave this organization? You will lose access to all of its resources.",
+      successMessage: "You have left the organization",
+      refreshAfter: true
+    }
+  ],
+  listViews: {
+    all_orgs: {
+      type: "grid",
+      name: "all_orgs",
+      label: "All",
+      data: { provider: "object", object: "sys_organization" },
+      columns: ["name", "slug", "created_at", "updated_at"],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     name: data.Field.text({
@@ -404,6 +765,63 @@ var SysMember = data.ObjectSchema.create({
   description: "Organization membership records",
   titleFormat: "{user_id} in {organization_id}",
   compactLayout: ["user_id", "organization_id", "role"],
+  // Row-level actions: better-auth `organization/update-member-role` and
+  // `organization/remove-member`. Generic CRUD is suppressed on better-auth
+  // managed tables, so these are the canonical edit/delete entry points.
+  // The `add_member` toolbar action covers the admin "attach an existing
+  // user directly without sending an invitation" flow.
+  actions: [
+    {
+      // Admin-only: directly attach an existing user to the active org,
+      // bypassing the invite-accept flow. Better-auth:
+      // `organization/add-member { userId, role, organizationId?, teamId? }`.
+      // organizationId/teamId default to the caller's active org/team when
+      // omitted, so we leave them as optional params.
+      name: "add_member",
+      label: "Add Member",
+      icon: "user-plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/add-member",
+      successMessage: "Member added",
+      refreshAfter: true,
+      params: [
+        { name: "userId", field: "user_id", required: true },
+        { field: "role", required: true },
+        { name: "organizationId", field: "organization_id" }
+      ]
+    },
+    {
+      name: "update_member_role",
+      label: "Change Role",
+      icon: "shield",
+      mode: "edit",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/update-member-role",
+      recordIdParam: "memberId",
+      successMessage: "Member role updated",
+      refreshAfter: true,
+      params: [
+        { field: "role", required: true, defaultFromRow: true }
+      ]
+    },
+    {
+      name: "remove_member",
+      label: "Remove Member",
+      icon: "user-minus",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/remove-member",
+      recordIdParam: "memberIdOrEmail",
+      confirmText: "Remove this member from the organization? They will lose access to all org resources.",
+      successMessage: "Member removed",
+      refreshAfter: true
+    }
+  ],
   fields: {
     id: data.Field.text({
       label: "Member ID",
@@ -423,11 +841,16 @@ var SysMember = data.ObjectSchema.create({
       label: "User",
       required: true
     }),
-    role: data.Field.text({
+    role: data.Field.select({
       label: "Role",
       required: false,
-      description: "Member role within the organization (e.g. admin, member)",
-      maxLength: 100
+      description: "Member role within the organization",
+      options: [
+        { label: "Owner", value: "owner" },
+        { label: "Admin", value: "admin" },
+        { label: "Member", value: "member" }
+      ],
+      defaultValue: "member"
     })
   },
   indexes: [
@@ -453,6 +876,97 @@ var SysInvitation = data.ObjectSchema.create({
   description: "Organization invitations for user onboarding",
   titleFormat: "Invitation to {organization_id}",
   compactLayout: ["email", "organization_id", "status"],
+  // Custom actions — generic CRUD is suppressed (better-auth-managed).
+  // Mirror the `invite_user` toolbar action from sys_user here so admins
+  // landing on the Invitations page get an obvious entry point.
+  actions: [
+    {
+      name: "invite_user",
+      label: "Invite User",
+      icon: "user-plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/invite-member",
+      successMessage: "Invitation sent",
+      refreshAfter: true,
+      params: [
+        { field: "email", required: true },
+        { field: "role", required: true }
+      ]
+    },
+    {
+      name: "cancel_invitation",
+      label: "Cancel Invitation",
+      icon: "x-circle",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/cancel-invitation",
+      recordIdParam: "invitationId",
+      confirmText: "Cancel this invitation? The recipient will no longer be able to accept it.",
+      successMessage: "Invitation canceled",
+      refreshAfter: true
+    },
+    {
+      name: "resend_invitation",
+      label: "Resend Invitation",
+      icon: "send",
+      variant: "secondary",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/invite-member",
+      bodyExtra: { resend: true },
+      successMessage: "Invitation resent",
+      refreshAfter: true,
+      params: [
+        { field: "email", required: true, defaultFromRow: true },
+        { field: "role", required: true, defaultFromRow: true }
+      ]
+    }
+  ],
+  listViews: {
+    pending: {
+      type: "grid",
+      name: "pending",
+      label: "Pending",
+      data: { provider: "object", object: "sys_invitation" },
+      columns: ["email", "role", "organization_id", "inviter_id", "expires_at"],
+      filter: [{ field: "status", operator: "equals", value: "pending" }],
+      sort: [{ field: "expires_at", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    accepted: {
+      type: "grid",
+      name: "accepted",
+      label: "Accepted",
+      data: { provider: "object", object: "sys_invitation" },
+      columns: ["email", "role", "organization_id", "inviter_id", "created_at"],
+      filter: [{ field: "status", operator: "equals", value: "accepted" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    expired: {
+      type: "grid",
+      name: "expired",
+      label: "Expired / Canceled",
+      data: { provider: "object", object: "sys_invitation" },
+      columns: ["email", "status", "organization_id", "expires_at"],
+      filter: [{ field: "status", operator: "in", value: ["expired", "rejected", "canceled"] }],
+      sort: [{ field: "expires_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_invitations: {
+      type: "grid",
+      name: "all_invitations",
+      label: "All",
+      data: { provider: "object", object: "sys_invitation" },
+      columns: ["email", "status", "role", "organization_id", "inviter_id", "created_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     id: data.Field.text({
       label: "Invitation ID",
@@ -473,11 +987,16 @@ var SysInvitation = data.ObjectSchema.create({
       required: true,
       description: "Email address of the invited user"
     }),
-    role: data.Field.text({
+    role: data.Field.select({
       label: "Role",
       required: false,
-      maxLength: 100,
-      description: "Role to assign upon acceptance"
+      description: "Role to assign upon acceptance",
+      options: [
+        { label: "Owner", value: "owner" },
+        { label: "Admin", value: "admin" },
+        { label: "Member", value: "member" }
+      ],
+      defaultValue: "member"
     }),
     status: data.Field.select(["pending", "accepted", "rejected", "expired", "canceled"], {
       label: "Status",
@@ -524,6 +1043,84 @@ var SysTeam = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "organization_id"],
+  // Custom actions calling better-auth's team endpoints. Generic CRUD is
+  // suppressed (managedBy: 'better-auth'), so these are the canonical
+  // entry points for create/update/delete.
+  actions: [
+    {
+      // Better-auth: `organization/create-team { name, organizationId? }`.
+      // organizationId defaults to the caller's active org when omitted.
+      name: "create_team",
+      label: "Create Team",
+      icon: "plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/create-team",
+      successMessage: "Team created",
+      refreshAfter: true,
+      params: [
+        { field: "name", required: true },
+        { name: "organizationId", field: "organization_id" }
+      ]
+    },
+    {
+      // Better-auth: `organization/update-team { teamId, data: { name } }`.
+      // teamId stays flat (top-level); the user-editable params nest under
+      // `data` via bodyShape.
+      name: "update_team",
+      label: "Edit Team",
+      icon: "pencil",
+      mode: "edit",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/update-team",
+      recordIdParam: "teamId",
+      bodyShape: { wrap: "data" },
+      successMessage: "Team updated",
+      refreshAfter: true,
+      params: [
+        { field: "name", required: true, defaultFromRow: true }
+      ]
+    },
+    {
+      // Better-auth: `organization/remove-team { teamId, organizationId? }`.
+      // organizationId defaults to the caller's active org when omitted.
+      name: "remove_team",
+      label: "Delete Team",
+      icon: "trash-2",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/remove-team",
+      recordIdParam: "teamId",
+      confirmText: "Delete this team? Members will lose any team-scoped access. This cannot be undone.",
+      successMessage: "Team deleted",
+      refreshAfter: true
+    }
+  ],
+  listViews: {
+    by_org: {
+      type: "grid",
+      name: "by_org",
+      label: "By Organization",
+      data: { provider: "object", object: "sys_team" },
+      columns: ["organization_id", "name", "created_at", "updated_at"],
+      sort: [{ field: "organization_id", order: "asc" }, { field: "name", order: "asc" }],
+      grouping: { fields: [{ field: "organization_id", order: "asc", collapsed: false }] },
+      pagination: { pageSize: 100 }
+    },
+    all_teams: {
+      type: "grid",
+      name: "all_teams",
+      label: "All",
+      data: { provider: "object", object: "sys_team" },
+      columns: ["name", "organization_id", "created_at", "updated_at"],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     name: data.Field.text({
@@ -582,6 +1179,48 @@ var SysTeamMember = data.ObjectSchema.create({
   description: "Team membership records linking users to teams",
   titleFormat: "{user_id} in {team_id}",
   compactLayout: ["user_id", "team_id", "created_at"],
+  // Custom actions calling better-auth's team-member endpoints. Generic
+  // CRUD is suppressed (managedBy: 'better-auth') so these are the
+  // canonical add/remove entry points.
+  actions: [
+    {
+      // Better-auth: `organization/add-team-member { teamId, userId }`.
+      name: "add_team_member",
+      label: "Add Member",
+      icon: "user-plus",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/organization/add-team-member",
+      successMessage: "Team member added",
+      refreshAfter: true,
+      params: [
+        { name: "teamId", field: "team_id", required: true },
+        { name: "userId", field: "user_id", required: true }
+      ]
+    },
+    {
+      // Better-auth: `organization/remove-team-member { teamId, userId }`.
+      // The endpoint identifies the membership by the (teamId, userId)
+      // pair rather than the join-row id, so we pull both from the row
+      // via `defaultFromRow` instead of using `recordIdParam`.
+      name: "remove_team_member",
+      label: "Remove from Team",
+      icon: "user-minus",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/remove-team-member",
+      confirmText: "Remove this user from the team? They will lose any team-scoped access.",
+      successMessage: "Team member removed",
+      refreshAfter: true,
+      params: [
+        { name: "teamId", field: "team_id", required: true, defaultFromRow: true },
+        { name: "userId", field: "user_id", required: true, defaultFromRow: true }
+      ]
+    }
+  ],
   fields: {
     id: data.Field.text({
       label: "Team Member ID",
@@ -615,6 +1254,248 @@ var SysTeamMember = data.ObjectSchema.create({
     mru: false
   }
 });
+var SysDepartment = data.ObjectSchema.create({
+  name: "sys_department",
+  label: "Department",
+  pluralLabel: "Departments",
+  icon: "building",
+  isSystem: true,
+  managedBy: "platform",
+  description: "Hierarchical org-skeleton node (department / division / business unit / office).",
+  displayNameField: "name",
+  titleFormat: "{name}",
+  compactLayout: ["name", "kind", "parent_department_id", "manager_user_id"],
+  listViews: {
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_department" },
+      columns: ["name", "code", "kind", "parent_department_id", "manager_user_id", "effective_from"],
+      filter: [{ field: "active", operator: "equals", value: true }],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 100 }
+    },
+    inactive: {
+      type: "grid",
+      name: "inactive",
+      label: "Inactive",
+      data: { provider: "object", object: "sys_department" },
+      columns: ["name", "code", "kind", "effective_to"],
+      filter: [{ field: "active", operator: "equals", value: false }],
+      sort: [{ field: "effective_to", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    by_kind: {
+      type: "grid",
+      name: "by_kind",
+      label: "By Kind",
+      data: { provider: "object", object: "sys_department" },
+      columns: ["kind", "name", "code", "parent_department_id", "manager_user_id", "active"],
+      sort: [{ field: "kind", order: "asc" }, { field: "name", order: "asc" }],
+      grouping: { fields: [{ field: "kind", order: "asc", collapsed: false }] },
+      pagination: { pageSize: 100 }
+    },
+    all_departments: {
+      type: "grid",
+      name: "all_departments",
+      label: "All",
+      data: { provider: "object", object: "sys_department" },
+      columns: ["name", "code", "kind", "parent_department_id", "manager_user_id", "active"],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 100 }
+    }
+  },
+  fields: {
+    // ── Identity ─────────────────────────────────────────────────
+    name: data.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255,
+      group: "Identity"
+    }),
+    code: data.Field.text({
+      label: "Code",
+      required: false,
+      searchable: true,
+      maxLength: 64,
+      description: "Short stable code (e.g. EMEA-SALES). Unique within tenant.",
+      group: "Identity"
+    }),
+    kind: data.Field.select(
+      ["company", "division", "department", "team", "office", "cost_center"],
+      {
+        label: "Kind",
+        required: true,
+        defaultValue: "department",
+        description: "Categorisation hint \u2014 does not change graph semantics.",
+        group: "Identity"
+      }
+    ),
+    // ── Hierarchy ────────────────────────────────────────────────
+    parent_department_id: data.Field.lookup("sys_department", {
+      label: "Parent Department",
+      required: false,
+      description: "Self-reference for the org tree. Null = root of tenant.",
+      group: "Hierarchy"
+    }),
+    organization_id: data.Field.lookup("sys_organization", {
+      label: "Organization",
+      required: true,
+      description: "Tenant scope.",
+      group: "Hierarchy"
+    }),
+    // ── Leadership ───────────────────────────────────────────────
+    manager_user_id: data.Field.lookup("sys_user", {
+      label: "Department Head",
+      required: false,
+      description: "User responsible for this org unit (department head / lead).",
+      group: "Leadership"
+    }),
+    // ── Lifecycle ────────────────────────────────────────────────
+    active: data.Field.boolean({
+      label: "Active",
+      required: false,
+      defaultValue: true,
+      description: "When false, members are not expanded by graph queries.",
+      group: "Lifecycle"
+    }),
+    effective_from: data.Field.datetime({
+      label: "Effective From",
+      required: false,
+      description: "When this department came into existence (HRIS sync).",
+      group: "Lifecycle"
+    }),
+    effective_to: data.Field.datetime({
+      label: "Effective To",
+      required: false,
+      description: "When this department was retired (HRIS sync).",
+      group: "Lifecycle"
+    }),
+    external_ref: data.Field.text({
+      label: "External Reference",
+      required: false,
+      maxLength: 200,
+      description: "ID in upstream HRIS (Workday / SAP HR / \u5317\u68EE).",
+      group: "Lifecycle"
+    }),
+    // ── System ───────────────────────────────────────────────────
+    id: data.Field.text({
+      label: "Department ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["organization_id"] },
+    { fields: ["parent_department_id"] },
+    { fields: ["code", "organization_id"], unique: true },
+    { fields: ["active"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
+  }
+});
+var SysDepartmentMember = data.ObjectSchema.create({
+  name: "sys_department_member",
+  label: "Department Member",
+  pluralLabel: "Department Members",
+  icon: "user-cog",
+  isSystem: true,
+  managedBy: "platform",
+  description: "User assignment to a department (matrix-org friendly, effective-dated).",
+  titleFormat: "{user_id} in {department_id}",
+  compactLayout: ["user_id", "department_id", "role_in_department", "is_primary"],
+  fields: {
+    id: data.Field.text({
+      label: "Member ID",
+      required: true,
+      readonly: true,
+      group: "System"
+    }),
+    department_id: data.Field.lookup("sys_department", {
+      label: "Department",
+      required: true,
+      group: "Assignment"
+    }),
+    user_id: data.Field.lookup("sys_user", {
+      label: "User",
+      required: true,
+      group: "Assignment"
+    }),
+    role_in_department: data.Field.select(
+      ["member", "lead", "deputy"],
+      {
+        label: "Role in Department",
+        required: false,
+        defaultValue: "member",
+        description: "`lead` is the day-to-day head; `deputy` may stand in for the lead in approval routing.",
+        group: "Assignment"
+      }
+    ),
+    is_primary: data.Field.boolean({
+      label: "Primary Assignment",
+      required: false,
+      defaultValue: true,
+      description: "When the user is in multiple departments, this marks the canonical one for reporting.",
+      group: "Assignment"
+    }),
+    effective_from: data.Field.datetime({
+      label: "Effective From",
+      required: false,
+      group: "Lifecycle"
+    }),
+    effective_to: data.Field.datetime({
+      label: "Effective To",
+      required: false,
+      group: "Lifecycle"
+    }),
+    created_at: data.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    }),
+    updated_at: data.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true,
+      group: "System"
+    })
+  },
+  indexes: [
+    { fields: ["department_id", "user_id"], unique: true },
+    { fields: ["user_id"] },
+    { fields: ["is_primary"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
+  }
+});
 var SysApiKey = data.ObjectSchema.create({
   name: "sys_api_key",
   label: "API Key",
@@ -626,6 +1507,85 @@ var SysApiKey = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "prefix", "user_id", "expires_at", "revoked"],
+  // Custom actions — sys_api_key is managed-by 'better-auth' but the
+  // `revoked` boolean is a column we control via the data API. These row
+  // actions use the generic PATCH /api/v1/sys_api_key/{id} endpoint with
+  // `bodyExtra` to set the `revoked` flag explicitly.
+  actions: [
+    {
+      name: "revoke_api_key",
+      label: "Revoke API Key",
+      icon: "shield-off",
+      variant: "danger",
+      mode: "custom",
+      locations: ["list_item"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_api_key/{id}",
+      bodyExtra: { revoked: true },
+      confirmText: "Revoke this API key? Any clients using it will immediately lose access.",
+      successMessage: "API key revoked",
+      refreshAfter: true
+    },
+    {
+      name: "restore_api_key",
+      label: "Restore API Key",
+      icon: "shield-check",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_api_key/{id}",
+      bodyExtra: { revoked: false },
+      confirmText: "Restore this revoked API key? Existing clients holding the key will regain access.",
+      successMessage: "API key restored",
+      refreshAfter: true
+    }
+  ],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Keys",
+      data: { provider: "object", object: "sys_api_key" },
+      columns: ["name", "prefix", "expires_at", "last_used_at", "revoked"],
+      filter: [
+        { field: "user_id", operator: "equals", value: "{current_user_id}" }
+      ],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_api_key" },
+      columns: ["name", "prefix", "user_id", "expires_at", "last_used_at"],
+      filter: [{ field: "revoked", operator: "equals", value: false }],
+      sort: [{ field: "last_used_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    revoked: {
+      type: "grid",
+      name: "revoked",
+      label: "Revoked",
+      data: { provider: "object", object: "sys_api_key" },
+      columns: ["name", "prefix", "user_id", "expires_at", "updated_at"],
+      filter: [{ field: "revoked", operator: "equals", value: true }],
+      sort: [{ field: "updated_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_keys: {
+      type: "grid",
+      name: "all_keys",
+      label: "All",
+      data: { provider: "object", object: "sys_api_key" },
+      columns: ["name", "prefix", "user_id", "expires_at", "last_used_at", "revoked"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     name: data.Field.text({
@@ -728,6 +1688,62 @@ var SysTwoFactor = data.ObjectSchema.create({
   description: "Two-factor authentication credentials",
   titleFormat: "Two-factor for {user_id}",
   compactLayout: ["user_id", "created_at"],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Enrollment",
+      data: { provider: "object", object: "sys_two_factor" },
+      columns: ["created_at", "updated_at"],
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_enrollments: {
+      type: "grid",
+      name: "all_enrollments",
+      label: "All",
+      data: { provider: "object", object: "sys_two_factor" },
+      columns: ["user_id", "created_at", "updated_at"],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
+  // Toolbar actions for self-service 2FA enrollment. The actual TOTP secret
+  // and backup codes returned by better-auth must be shown in the response
+  // toast / dialog — the action runner surfaces successMessage; the raw
+  // payload is logged client-side for now (TODO: dedicated 2FA setup wizard).
+  actions: [
+    {
+      name: "enable_two_factor",
+      label: "Enable 2FA",
+      icon: "shield-check",
+      variant: "primary",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/enable",
+      successMessage: "2FA enrollment started \u2014 check response for TOTP URI and backup codes",
+      refreshAfter: true,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
+    },
+    {
+      name: "disable_two_factor",
+      label: "Disable 2FA",
+      icon: "shield-off",
+      variant: "danger",
+      locations: ["list_toolbar"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/disable",
+      confirmText: "Disable two-factor authentication on your account?",
+      successMessage: "2FA disabled",
+      refreshAfter: true,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
+    }
+  ],
   fields: {
     id: data.Field.text({
       label: "Two Factor ID",
@@ -867,9 +1883,44 @@ var SysUserPreference = data.ObjectSchema.create({
   pluralLabel: "User Preferences",
   icon: "settings",
   isSystem: true,
+  // managedBy: 'system' — preferences are per-user state authored from
+  // the user's own settings page, never created by an admin. The list
+  // surface in Setup is a support/diagnostic view only.
+  managedBy: "system",
   description: "Per-user key-value preferences (theme, locale, etc.)",
   titleFormat: "{key}",
   compactLayout: ["user_id", "key"],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Preferences",
+      data: { provider: "object", object: "sys_user_preference" },
+      columns: ["key", "updated_at"],
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "key", order: "asc" }],
+      pagination: { pageSize: 100 }
+    },
+    by_user: {
+      type: "grid",
+      name: "by_user",
+      label: "By User",
+      data: { provider: "object", object: "sys_user_preference" },
+      columns: ["user_id", "key", "updated_at"],
+      sort: [{ field: "user_id", order: "asc" }, { field: "key", order: "asc" }],
+      grouping: { fields: [{ field: "user_id", order: "asc", collapsed: true }] },
+      pagination: { pageSize: 200 }
+    },
+    all_preferences: {
+      type: "grid",
+      name: "all_preferences",
+      label: "All",
+      data: { provider: "object", object: "sys_user_preference" },
+      columns: ["user_id", "key", "created_at", "updated_at"],
+      sort: [{ field: "updated_at", order: "desc" }],
+      pagination: { pageSize: 100 }
+    }
+  },
   fields: {
     id: data.Field.text({
       label: "Preference ID",
@@ -926,6 +1977,37 @@ var SysOauthApplication = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "client_id", "type", "disabled"],
+  listViews: {
+    active: {
+      type: "grid",
+      name: "active",
+      label: "Active",
+      data: { provider: "object", object: "sys_oauth_application" },
+      columns: ["name", "client_id", "type", "updated_at"],
+      filter: [{ field: "disabled", operator: "equals", value: false }],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    },
+    disabled_apps: {
+      type: "grid",
+      name: "disabled_apps",
+      label: "Disabled",
+      data: { provider: "object", object: "sys_oauth_application" },
+      columns: ["name", "client_id", "type", "updated_at"],
+      filter: [{ field: "disabled", operator: "equals", value: true }],
+      sort: [{ field: "updated_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
+    all_apps: {
+      type: "grid",
+      name: "all_apps",
+      label: "All",
+      data: { provider: "object", object: "sys_oauth_application" },
+      columns: ["name", "client_id", "type", "disabled", "created_at"],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 50 }
+    }
+  },
   fields: {
     // ── Identity ─────────────────────────────────────────────────
     id: data.Field.text({
@@ -1401,6 +2483,8 @@ var SysJwks = data.ObjectSchema.create({
 
 exports.SysAccount = SysAccount;
 exports.SysApiKey = SysApiKey;
+exports.SysDepartment = SysDepartment;
+exports.SysDepartmentMember = SysDepartmentMember;
 exports.SysDeviceCode = SysDeviceCode;
 exports.SysInvitation = SysInvitation;
 exports.SysJwks = SysJwks;