@objectstack/platform-objects 6.5.0 → 6.6.0

package/dist/index.mjs

@@ -423,6 +423,30 @@ var SysAccount = ObjectSchema.create({
   description: "OAuth and authentication provider accounts",
   titleFormat: "{provider_id} - {account_id}",
   compactLayout: ["provider_id", "user_id", "account_id"],
+  // Custom actions — sysadmins routinely need to revoke a user's OAuth
+  // link (e.g. when an SSO provider is decommissioned or the user
+  // requests it). Better-auth exposes `/unlink-account { providerId,
+  // accountId }` for this. The form is locked to the row's values so
+  // it acts as a one-click confirmation rather than a free-form edit.
+  actions: [
+    {
+      name: "unlink_account",
+      label: "Unlink Account",
+      icon: "unlink",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/unlink-account",
+      confirmText: "Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.",
+      successMessage: "Identity link removed",
+      refreshAfter: true,
+      params: [
+        { name: "providerId", field: "provider_id", defaultFromRow: true, required: true },
+        { name: "accountId", field: "account_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     mine: {
       type: "grid",
@@ -1977,6 +2001,96 @@ var SysOauthApplication = ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "client_id", "type", "disabled"],
+  // Custom actions — all OAuth-application mutations are routed through
+  // better-auth's `@better-auth/oauth-provider` endpoints (and a thin
+  // ObjectStack-added auth route for the enable/disable toggle) rather
+  // than the generic data layer, so server-side validation, secret
+  // hashing, and audit hooks all run. The generic `delete` API method
+  // is intentionally dropped from `apiMethods` below so the only delete
+  // path is the better-auth wrapper.
+  //
+  // Upstream gap (better-auth 1.6.11): the stock `/admin/oauth2/update-client`
+  // endpoint's Zod body schema does NOT accept the `disabled` flag, even
+  // though the column exists and the runtime honours it. We bridge the
+  // gap with `POST /api/v1/auth/admin/oauth2/toggle-disabled`, registered
+  // by plugin-auth, which writes through better-auth's own adapter under
+  // the auth namespace (no generic data-layer bypass). When upstream
+  // ships `disabled` support, retarget the enable/disable actions and
+  // delete the bridge route.
+  actions: [
+    {
+      name: "disable_oauth_application",
+      label: "Disable OAuth Application",
+      icon: "pause-circle",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.",
+      successMessage: "OAuth application disabled",
+      refreshAfter: true,
+      visible: "!record.disabled",
+      bodyExtra: { disabled: true },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "enable_oauth_application",
+      label: "Enable OAuth Application",
+      icon: "play-circle",
+      variant: "primary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.",
+      successMessage: "OAuth application enabled",
+      refreshAfter: true,
+      visible: "record.disabled",
+      bodyExtra: { disabled: false },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "rotate_client_secret",
+      label: "Rotate Client Secret",
+      icon: "refresh-cw",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/client/rotate-secret",
+      confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.",
+      successMessage: "Client secret rotated \u2014 copy the new value from the response now.",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "delete_oauth_application",
+      label: "Delete OAuth Application",
+      icon: "trash-2",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/delete-client",
+      confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.",
+      successMessage: "OAuth application deleted",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     active: {
       type: "grid",
@@ -2208,7 +2322,12 @@ var SysOauthApplication = ObjectSchema.create({
     trackHistory: true,
     searchable: true,
     apiEnabled: true,
-    apiMethods: ["get", "list", "delete"],
+    // All mutations (create/update/delete) must go through better-auth's
+    // oauth-provider endpoints under /api/v1/auth/{admin/,}oauth2/* — the
+    // generic data layer is read-only for this object so sysadmins cannot
+    // bypass server-side OAuth validation. The Delete row action above is
+    // wired to /api/v1/auth/oauth2/delete-client.
+    apiMethods: ["get", "list"],
     trash: false,
     mru: false
   }
@@ -2491,6 +2610,83 @@ var SysRole = ObjectSchema.create({
   displayNameField: "label",
   titleFormat: "{label}",
   compactLayout: ["label", "name", "active", "is_default"],
+  // Custom actions — system roles drive RBAC and are edited rarely but
+  // require the four high-frequency sysadmin affordances every IdP
+  // (Salesforce, ServiceNow, Okta) ships: activate/deactivate (lifecycle
+  // without losing assignments), mark default (auto-assign to new users),
+  // and clone (template for new roles). All operations hit the generic
+  // data CRUD endpoint exposed by `apiEnabled` — no custom server route
+  // required because `managedBy: 'config'` allows direct mutation.
+  actions: [
+    {
+      name: "activate_role",
+      label: "Activate Role",
+      icon: "circle-check",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_role/{id}",
+      bodyExtra: { active: true },
+      successMessage: "Role activated",
+      refreshAfter: true
+    },
+    {
+      name: "deactivate_role",
+      label: "Deactivate Role",
+      icon: "circle-off",
+      variant: "danger",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_role/{id}",
+      bodyExtra: { active: false },
+      confirmText: "Deactivate this role? Users with the role keep their assignment but the role stops granting permissions until re-activated.",
+      successMessage: "Role deactivated",
+      refreshAfter: true
+    },
+    {
+      name: "set_default_role",
+      label: "Set as Default",
+      icon: "star",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_role/{id}",
+      bodyExtra: { is_default: true },
+      confirmText: "Make this the default role for new users? Existing users are unaffected.",
+      successMessage: "Default role updated",
+      refreshAfter: true
+    },
+    {
+      // Clone — POST a new sys_role row pre-filled from the source. The
+      // dialog asks only for the new API name / label so the operator
+      // can rename atomically; permissions JSON is copied wholesale via
+      // defaultFromRow.
+      name: "clone_role",
+      label: "Clone Role",
+      icon: "copy",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/data/sys_role",
+      bodyExtra: { is_default: false, active: true },
+      successMessage: "Role cloned",
+      refreshAfter: true,
+      params: [
+        { name: "label", label: "New Display Name", type: "text", required: true },
+        { name: "name", label: "New API Name", type: "text", required: true, helpText: "Unique snake_case machine name" },
+        { field: "description", defaultFromRow: true },
+        { field: "permissions", defaultFromRow: true }
+      ]
+    }
+  ],
   listViews: {
     active: {
       type: "grid",
@@ -2617,6 +2813,64 @@ var SysPermissionSet = ObjectSchema.create({
   displayNameField: "label",
   titleFormat: "{label}",
   compactLayout: ["label", "name", "active"],
+  // Custom actions — permission sets are templates assigned to roles or
+  // users (via sys_role_permission_set / sys_user_permission_set). The
+  // sysadmin operations that don't live on the parent-detail tabs are
+  // lifecycle (activate/deactivate without losing assignments) and
+  // clone (build a new permset by tweaking an existing one). Both hit
+  // the generic data CRUD endpoint — managedBy: 'config' permits it.
+  actions: [
+    {
+      name: "activate_permission_set",
+      label: "Activate",
+      icon: "circle-check",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_permission_set/{id}",
+      bodyExtra: { active: true },
+      successMessage: "Permission set activated",
+      refreshAfter: true
+    },
+    {
+      name: "deactivate_permission_set",
+      label: "Deactivate",
+      icon: "circle-off",
+      variant: "danger",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "PATCH",
+      target: "/api/v1/data/sys_permission_set/{id}",
+      bodyExtra: { active: false },
+      confirmText: "Deactivate this permission set? Existing assignments stay in place but stop granting access until re-activated.",
+      successMessage: "Permission set deactivated",
+      refreshAfter: true
+    },
+    {
+      name: "clone_permission_set",
+      label: "Clone",
+      icon: "copy",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/data/sys_permission_set",
+      bodyExtra: { active: true },
+      successMessage: "Permission set cloned",
+      refreshAfter: true,
+      params: [
+        { name: "label", label: "New Display Name", type: "text", required: true },
+        { name: "name", label: "New API Name", type: "text", required: true, helpText: "Unique snake_case machine name" },
+        { field: "description", defaultFromRow: true },
+        { field: "object_permissions", defaultFromRow: true },
+        { field: "field_permissions", defaultFromRow: true }
+      ]
+    }
+  ],
   listViews: {
     active: {
       type: "grid",