@objectstack/platform-objects 6.5.1 → 6.6.0

package/dist/apps/index.d.mts

@@ -87,6 +87,9 @@ declare const SystemOverviewDashboard: {
                 type?: "table" | "bar" | "line" | "pie" | "area" | "scatter" | "horizontal-bar" | "column" | "grouped-bar" | "stacked-bar" | "bi-polar-bar" | "stacked-area" | "step-line" | "spline" | "donut" | "funnel" | "pyramid" | "bubble" | "treemap" | "sunburst" | "sankey" | "word-cloud" | "gauge" | "solid-gauge" | "metric" | "kpi" | "bullet" | "choropleth" | "bubble-map" | "gl-map" | "heatmap" | "radar" | "waterfall" | "box-plot" | "violin" | "candlestick" | "stock" | "pivot" | undefined;
                 color?: string | undefined;
                 stack?: string | undefined;
+                variant?: "primary" | "comparison" | undefined;
+                dashArray?: string | undefined;
+                opacity?: number | undefined;
             }[] | undefined;
             colors?: string[] | undefined;
             height?: number | undefined;
@@ -119,7 +122,11 @@ declare const SystemOverviewDashboard: {
         actionIcon?: string | undefined;
         object?: string | undefined;
         filter?: _objectstack_spec_data.FilterCondition | undefined;
+        compareTo?: "previousPeriod" | "previousYear" | {
+            offset: string;
+        } | undefined;
         categoryField?: string | undefined;
+        categoryGranularity?: "day" | "week" | "month" | "quarter" | "year" | undefined;
         valueField?: string | undefined;
         measures?: {
             valueField: string;
@@ -270,6 +277,9 @@ declare const SecurityOverviewDashboard: {
                 type?: "table" | "bar" | "line" | "pie" | "area" | "scatter" | "horizontal-bar" | "column" | "grouped-bar" | "stacked-bar" | "bi-polar-bar" | "stacked-area" | "step-line" | "spline" | "donut" | "funnel" | "pyramid" | "bubble" | "treemap" | "sunburst" | "sankey" | "word-cloud" | "gauge" | "solid-gauge" | "metric" | "kpi" | "bullet" | "choropleth" | "bubble-map" | "gl-map" | "heatmap" | "radar" | "waterfall" | "box-plot" | "violin" | "candlestick" | "stock" | "pivot" | undefined;
                 color?: string | undefined;
                 stack?: string | undefined;
+                variant?: "primary" | "comparison" | undefined;
+                dashArray?: string | undefined;
+                opacity?: number | undefined;
             }[] | undefined;
             colors?: string[] | undefined;
             height?: number | undefined;
@@ -302,7 +312,11 @@ declare const SecurityOverviewDashboard: {
         actionIcon?: string | undefined;
         object?: string | undefined;
         filter?: _objectstack_spec_data.FilterCondition | undefined;
+        compareTo?: "previousPeriod" | "previousYear" | {
+            offset: string;
+        } | undefined;
         categoryField?: string | undefined;
+        categoryGranularity?: "day" | "week" | "month" | "quarter" | "year" | undefined;
         valueField?: string | undefined;
         measures?: {
             valueField: string;

package/dist/apps/index.d.ts

@@ -87,6 +87,9 @@ declare const SystemOverviewDashboard: {
                 type?: "table" | "bar" | "line" | "pie" | "area" | "scatter" | "horizontal-bar" | "column" | "grouped-bar" | "stacked-bar" | "bi-polar-bar" | "stacked-area" | "step-line" | "spline" | "donut" | "funnel" | "pyramid" | "bubble" | "treemap" | "sunburst" | "sankey" | "word-cloud" | "gauge" | "solid-gauge" | "metric" | "kpi" | "bullet" | "choropleth" | "bubble-map" | "gl-map" | "heatmap" | "radar" | "waterfall" | "box-plot" | "violin" | "candlestick" | "stock" | "pivot" | undefined;
                 color?: string | undefined;
                 stack?: string | undefined;
+                variant?: "primary" | "comparison" | undefined;
+                dashArray?: string | undefined;
+                opacity?: number | undefined;
             }[] | undefined;
             colors?: string[] | undefined;
             height?: number | undefined;
@@ -119,7 +122,11 @@ declare const SystemOverviewDashboard: {
         actionIcon?: string | undefined;
         object?: string | undefined;
         filter?: _objectstack_spec_data.FilterCondition | undefined;
+        compareTo?: "previousPeriod" | "previousYear" | {
+            offset: string;
+        } | undefined;
         categoryField?: string | undefined;
+        categoryGranularity?: "day" | "week" | "month" | "quarter" | "year" | undefined;
         valueField?: string | undefined;
         measures?: {
             valueField: string;
@@ -270,6 +277,9 @@ declare const SecurityOverviewDashboard: {
                 type?: "table" | "bar" | "line" | "pie" | "area" | "scatter" | "horizontal-bar" | "column" | "grouped-bar" | "stacked-bar" | "bi-polar-bar" | "stacked-area" | "step-line" | "spline" | "donut" | "funnel" | "pyramid" | "bubble" | "treemap" | "sunburst" | "sankey" | "word-cloud" | "gauge" | "solid-gauge" | "metric" | "kpi" | "bullet" | "choropleth" | "bubble-map" | "gl-map" | "heatmap" | "radar" | "waterfall" | "box-plot" | "violin" | "candlestick" | "stock" | "pivot" | undefined;
                 color?: string | undefined;
                 stack?: string | undefined;
+                variant?: "primary" | "comparison" | undefined;
+                dashArray?: string | undefined;
+                opacity?: number | undefined;
             }[] | undefined;
             colors?: string[] | undefined;
             height?: number | undefined;
@@ -302,7 +312,11 @@ declare const SecurityOverviewDashboard: {
         actionIcon?: string | undefined;
         object?: string | undefined;
         filter?: _objectstack_spec_data.FilterCondition | undefined;
+        compareTo?: "previousPeriod" | "previousYear" | {
+            offset: string;
+        } | undefined;
         categoryField?: string | undefined;
+        categoryGranularity?: "day" | "week" | "month" | "quarter" | "year" | undefined;
         valueField?: string | undefined;
         measures?: {
             valueField: string;

package/dist/identity/index.d.mts

@@ -6384,6 +6384,30 @@ declare const SysAccount: Omit<{
     readonly description: "OAuth and authentication provider accounts";
     readonly titleFormat: "{provider_id} - {account_id}";
     readonly compactLayout: ["provider_id", "user_id", "account_id"];
+    readonly actions: [{
+        readonly name: "unlink_account";
+        readonly label: "Unlink Account";
+        readonly icon: "unlink";
+        readonly variant: "danger";
+        readonly mode: "delete";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly target: "/api/v1/auth/unlink-account";
+        readonly confirmText: "Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.";
+        readonly successMessage: "Identity link removed";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "providerId";
+            readonly field: "provider_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }, {
+            readonly name: "accountId";
+            readonly field: "account_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }];
     readonly listViews: {
         readonly mine: {
             readonly type: "grid";
@@ -34977,6 +35001,91 @@ declare const SysOauthApplication: Omit<{
     readonly displayNameField: "name";
     readonly titleFormat: "{name}";
     readonly compactLayout: ["name", "client_id", "type", "disabled"];
+    readonly actions: [{
+        readonly name: "disable_oauth_application";
+        readonly label: "Disable OAuth Application";
+        readonly icon: "pause-circle";
+        readonly variant: "secondary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/admin/oauth2/toggle-disabled";
+        readonly confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.";
+        readonly successMessage: "OAuth application disabled";
+        readonly refreshAfter: true;
+        readonly visible: "!record.disabled";
+        readonly bodyExtra: {
+            readonly disabled: true;
+        };
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "enable_oauth_application";
+        readonly label: "Enable OAuth Application";
+        readonly icon: "play-circle";
+        readonly variant: "primary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/admin/oauth2/toggle-disabled";
+        readonly confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.";
+        readonly successMessage: "OAuth application enabled";
+        readonly refreshAfter: true;
+        readonly visible: "record.disabled";
+        readonly bodyExtra: {
+            readonly disabled: false;
+        };
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "rotate_client_secret";
+        readonly label: "Rotate Client Secret";
+        readonly icon: "refresh-cw";
+        readonly variant: "secondary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/oauth2/client/rotate-secret";
+        readonly confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.";
+        readonly successMessage: "Client secret rotated — copy the new value from the response now.";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "delete_oauth_application";
+        readonly label: "Delete OAuth Application";
+        readonly icon: "trash-2";
+        readonly variant: "danger";
+        readonly mode: "delete";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/oauth2/delete-client";
+        readonly confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.";
+        readonly successMessage: "OAuth application deleted";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }];
     readonly listViews: {
         readonly active: {
             readonly type: "grid";
@@ -40304,7 +40413,7 @@ declare const SysOauthApplication: Omit<{
         readonly trackHistory: true;
         readonly searchable: true;
         readonly apiEnabled: true;
-        readonly apiMethods: ["get", "list", "delete"];
+        readonly apiMethods: ["get", "list"];
         readonly trash: false;
         readonly mru: false;
     };

package/dist/identity/index.d.ts

@@ -6384,6 +6384,30 @@ declare const SysAccount: Omit<{
     readonly description: "OAuth and authentication provider accounts";
     readonly titleFormat: "{provider_id} - {account_id}";
     readonly compactLayout: ["provider_id", "user_id", "account_id"];
+    readonly actions: [{
+        readonly name: "unlink_account";
+        readonly label: "Unlink Account";
+        readonly icon: "unlink";
+        readonly variant: "danger";
+        readonly mode: "delete";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly target: "/api/v1/auth/unlink-account";
+        readonly confirmText: "Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.";
+        readonly successMessage: "Identity link removed";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "providerId";
+            readonly field: "provider_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }, {
+            readonly name: "accountId";
+            readonly field: "account_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }];
     readonly listViews: {
         readonly mine: {
             readonly type: "grid";
@@ -34977,6 +35001,91 @@ declare const SysOauthApplication: Omit<{
     readonly displayNameField: "name";
     readonly titleFormat: "{name}";
     readonly compactLayout: ["name", "client_id", "type", "disabled"];
+    readonly actions: [{
+        readonly name: "disable_oauth_application";
+        readonly label: "Disable OAuth Application";
+        readonly icon: "pause-circle";
+        readonly variant: "secondary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/admin/oauth2/toggle-disabled";
+        readonly confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.";
+        readonly successMessage: "OAuth application disabled";
+        readonly refreshAfter: true;
+        readonly visible: "!record.disabled";
+        readonly bodyExtra: {
+            readonly disabled: true;
+        };
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "enable_oauth_application";
+        readonly label: "Enable OAuth Application";
+        readonly icon: "play-circle";
+        readonly variant: "primary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/admin/oauth2/toggle-disabled";
+        readonly confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.";
+        readonly successMessage: "OAuth application enabled";
+        readonly refreshAfter: true;
+        readonly visible: "record.disabled";
+        readonly bodyExtra: {
+            readonly disabled: false;
+        };
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "rotate_client_secret";
+        readonly label: "Rotate Client Secret";
+        readonly icon: "refresh-cw";
+        readonly variant: "secondary";
+        readonly mode: "custom";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/oauth2/client/rotate-secret";
+        readonly confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.";
+        readonly successMessage: "Client secret rotated — copy the new value from the response now.";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }, {
+        readonly name: "delete_oauth_application";
+        readonly label: "Delete OAuth Application";
+        readonly icon: "trash-2";
+        readonly variant: "danger";
+        readonly mode: "delete";
+        readonly locations: ["list_item", "record_header"];
+        readonly type: "api";
+        readonly method: "POST";
+        readonly target: "/api/v1/auth/oauth2/delete-client";
+        readonly confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.";
+        readonly successMessage: "OAuth application deleted";
+        readonly refreshAfter: true;
+        readonly params: [{
+            readonly name: "client_id";
+            readonly field: "client_id";
+            readonly defaultFromRow: true;
+            readonly required: true;
+        }];
+    }];
     readonly listViews: {
         readonly active: {
             readonly type: "grid";
@@ -40304,7 +40413,7 @@ declare const SysOauthApplication: Omit<{
         readonly trackHistory: true;
         readonly searchable: true;
         readonly apiEnabled: true;
-        readonly apiMethods: ["get", "list", "delete"];
+        readonly apiMethods: ["get", "list"];
         readonly trash: false;
         readonly mru: false;
     };

package/dist/identity/index.js

@@ -423,6 +423,30 @@ var SysAccount = data.ObjectSchema.create({
   description: "OAuth and authentication provider accounts",
   titleFormat: "{provider_id} - {account_id}",
   compactLayout: ["provider_id", "user_id", "account_id"],
+  // Custom actions — sysadmins routinely need to revoke a user's OAuth
+  // link (e.g. when an SSO provider is decommissioned or the user
+  // requests it). Better-auth exposes `/unlink-account { providerId,
+  // accountId }` for this. The form is locked to the row's values so
+  // it acts as a one-click confirmation rather than a free-form edit.
+  actions: [
+    {
+      name: "unlink_account",
+      label: "Unlink Account",
+      icon: "unlink",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/unlink-account",
+      confirmText: "Unlink this identity link? The user will no longer be able to sign in with this provider until they re-link it from their account settings.",
+      successMessage: "Identity link removed",
+      refreshAfter: true,
+      params: [
+        { name: "providerId", field: "provider_id", defaultFromRow: true, required: true },
+        { name: "accountId", field: "account_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     mine: {
       type: "grid",
@@ -1977,6 +2001,96 @@ var SysOauthApplication = data.ObjectSchema.create({
   displayNameField: "name",
   titleFormat: "{name}",
   compactLayout: ["name", "client_id", "type", "disabled"],
+  // Custom actions — all OAuth-application mutations are routed through
+  // better-auth's `@better-auth/oauth-provider` endpoints (and a thin
+  // ObjectStack-added auth route for the enable/disable toggle) rather
+  // than the generic data layer, so server-side validation, secret
+  // hashing, and audit hooks all run. The generic `delete` API method
+  // is intentionally dropped from `apiMethods` below so the only delete
+  // path is the better-auth wrapper.
+  //
+  // Upstream gap (better-auth 1.6.11): the stock `/admin/oauth2/update-client`
+  // endpoint's Zod body schema does NOT accept the `disabled` flag, even
+  // though the column exists and the runtime honours it. We bridge the
+  // gap with `POST /api/v1/auth/admin/oauth2/toggle-disabled`, registered
+  // by plugin-auth, which writes through better-auth's own adapter under
+  // the auth namespace (no generic data-layer bypass). When upstream
+  // ships `disabled` support, retarget the enable/disable actions and
+  // delete the bridge route.
+  actions: [
+    {
+      name: "disable_oauth_application",
+      label: "Disable OAuth Application",
+      icon: "pause-circle",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Disable this OAuth application? Active access/refresh tokens issued to it will continue to be rejected at the token, authorize, and introspect endpoints. Existing integrations will stop working immediately.",
+      successMessage: "OAuth application disabled",
+      refreshAfter: true,
+      visible: "!record.disabled",
+      bodyExtra: { disabled: true },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "enable_oauth_application",
+      label: "Enable OAuth Application",
+      icon: "play-circle",
+      variant: "primary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/admin/oauth2/toggle-disabled",
+      confirmText: "Re-enable this OAuth application? Token issuance, authorization, and introspection will resume immediately.",
+      successMessage: "OAuth application enabled",
+      refreshAfter: true,
+      visible: "record.disabled",
+      bodyExtra: { disabled: false },
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "rotate_client_secret",
+      label: "Rotate Client Secret",
+      icon: "refresh-cw",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/client/rotate-secret",
+      confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.",
+      successMessage: "Client secret rotated \u2014 copy the new value from the response now.",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    },
+    {
+      name: "delete_oauth_application",
+      label: "Delete OAuth Application",
+      icon: "trash-2",
+      variant: "danger",
+      mode: "delete",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/oauth2/delete-client",
+      confirmText: "Permanently delete this OAuth application? All issued tokens and consents will be invalidated and integrations using this client_id will stop working immediately. This cannot be undone.",
+      successMessage: "OAuth application deleted",
+      refreshAfter: true,
+      params: [
+        { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
+      ]
+    }
+  ],
   listViews: {
     active: {
       type: "grid",
@@ -2208,7 +2322,12 @@ var SysOauthApplication = data.ObjectSchema.create({
     trackHistory: true,
     searchable: true,
     apiEnabled: true,
-    apiMethods: ["get", "list", "delete"],
+    // All mutations (create/update/delete) must go through better-auth's
+    // oauth-provider endpoints under /api/v1/auth/{admin/,}oauth2/* — the
+    // generic data layer is read-only for this object so sysadmins cannot
+    // bypass server-side OAuth validation. The Delete row action above is
+    // wired to /api/v1/auth/oauth2/delete-client.
+    apiMethods: ["get", "list"],
     trash: false,
     mru: false
   }