@objectstack/platform-objects 6.9.0 → 7.1.0

package/dist/identity/index.mjs

@@ -112,9 +112,166 @@ var SysUser = ObjectSchema.create({
       successMessage: "Now impersonating user",
       refreshAfter: true,
       confirmText: "Start an impersonation session for this user? Use only for legitimate support cases \u2014 actions will be logged."
+    },
+    // ── Self-service actions (the row owner only) ─────────────────────
+    //
+    // These four actions are the "account settings" surfaces the standalone
+    // Account SPA used to own (`/account/profile`, `/account/security`).
+    // They are visible only when the current row is the signed-in user —
+    // i.e. opened from the user's own detail page or a "My Account" view —
+    // via the `visible` CEL predicate. Admin equivalents (set_user_password
+    // for any account) are above and stay separate.
+    {
+      name: "update_my_profile",
+      label: "Update Profile",
+      icon: "user-pen",
+      variant: "primary",
+      mode: "edit",
+      locations: ["record_header"],
+      type: "api",
+      target: "/api/v1/auth/update-user",
+      visible: "record.id == ctx.user.id",
+      successMessage: "Profile updated",
+      refreshAfter: true,
+      params: [
+        { field: "name", required: false, defaultFromRow: true },
+        { field: "image", required: false, defaultFromRow: true }
+      ]
+    },
+    {
+      name: "change_my_password",
+      label: "Change Password",
+      icon: "key",
+      variant: "secondary",
+      locations: ["record_header", "record_more", "record_section"],
+      type: "api",
+      target: "/api/v1/auth/change-password",
+      visible: "record.id == ctx.user.id",
+      successMessage: "Password changed",
+      refreshAfter: false,
+      params: [
+        { name: "currentPassword", label: "Current Password", type: "text", required: true },
+        { name: "newPassword", label: "New Password", type: "text", required: true },
+        { name: "revokeOtherSessions", label: "Sign out other devices", type: "boolean", required: false, defaultValue: true }
+      ]
+    },
+    {
+      name: "change_my_email",
+      label: "Change Email",
+      icon: "mail",
+      variant: "secondary",
+      locations: ["record_header", "record_more", "record_section"],
+      type: "api",
+      target: "/api/v1/auth/change-email",
+      visible: "record.id == ctx.user.id",
+      successMessage: "Verification email sent \u2014 check the new address to confirm.",
+      refreshAfter: false,
+      params: [
+        { name: "newEmail", label: "New Email", type: "email", required: true }
+      ]
+    },
+    {
+      name: "resend_verification_email",
+      label: "Resend Verification Email",
+      icon: "mail-check",
+      variant: "secondary",
+      locations: ["record_header", "record_more", "record_section"],
+      type: "api",
+      target: "/api/v1/auth/send-verification-email",
+      // Only render for the row owner AND when their email is still
+      // unverified — there's nothing to resend once verified.
+      visible: "record.id == ctx.user.id && record.email_verified == false",
+      successMessage: "Verification email sent \u2014 check your inbox.",
+      refreshAfter: false,
+      params: []
+    },
+    {
+      name: "delete_my_account",
+      label: "Delete My Account",
+      icon: "user-x",
+      variant: "danger",
+      mode: "delete",
+      locations: ["record_more", "record_section"],
+      type: "api",
+      target: "/api/v1/auth/delete-user",
+      visible: "record.id == ctx.user.id",
+      confirmText: "Permanently delete your account? This cannot be undone \u2014 all your sessions will be terminated and all data you own will be removed per the configured retention policy.",
+      successMessage: "Account deleted",
+      refreshAfter: false,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
+    },
+    // ── Two-factor authentication ─────────────────────────────────
+    // Enable flow returns { totpURI, backupCodes } — surfacing those
+    // safely needs a QR + verify UI that the generic action engine
+    // can't render yet. We still expose it so the API call works
+    // and the success toast displays the otpauth:// URI that users
+    // can manually add to an authenticator app as a fallback.
+    {
+      name: "enable_two_factor",
+      label: "Enable Two-Factor Auth",
+      icon: "shield-plus",
+      variant: "primary",
+      locations: ["record_section"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/enable",
+      visible: "record.id == ctx.user.id && record.two_factor_enabled != true",
+      successMessage: "Two-factor authentication enabled. Scan the QR code or paste the otpauth URI into your authenticator app, then verify a code to complete setup.",
+      refreshAfter: true,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
+    },
+    {
+      name: "disable_two_factor",
+      label: "Disable Two-Factor Auth",
+      icon: "shield-off",
+      variant: "danger",
+      locations: ["record_section"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/disable",
+      visible: "record.id == ctx.user.id && record.two_factor_enabled == true",
+      confirmText: "Turn off two-factor authentication? Your account will be less secure.",
+      successMessage: "Two-factor authentication disabled.",
+      refreshAfter: true,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
+    },
+    {
+      name: "generate_backup_codes",
+      label: "Regenerate Backup Codes",
+      icon: "list-restart",
+      variant: "secondary",
+      locations: ["record_section"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/generate-backup-codes",
+      visible: "record.id == ctx.user.id && record.two_factor_enabled == true",
+      confirmText: "Generate a new set of backup codes? Any previously generated codes will stop working.",
+      successMessage: "New backup codes generated \u2014 save them somewhere safe.",
+      refreshAfter: false,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ]
     }
   ],
   listViews: {
+    // Self-service profile entry — surfaced by the Account App so every
+    // authenticated user can view / edit their own basic profile (name,
+    // email, avatar). Filtered to a single row (the caller) via the
+    // `{current_user_id}` template variable; RLS additionally enforces
+    // that non-admins cannot read other users' rows.
+    me: {
+      type: "grid",
+      name: "me",
+      label: "My Profile",
+      data: { provider: "object", object: "sys_user" },
+      columns: ["name", "email", "email_verified", "two_factor_enabled", "updated_at"],
+      filter: [{ field: "id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "name", order: "asc" }],
+      pagination: { pageSize: 1 }
+    },
     all_users: {
       type: "grid",
       name: "all_users",
@@ -426,7 +583,41 @@ var SysAccount = ObjectSchema.create({
   // requests it). Better-auth exposes `/unlink-account { providerId,
   // accountId }` for this. The form is locked to the row's values so
   // it acts as a one-click confirmation rather than a free-form edit.
+  //
+  // `link_social` is the self-service counterpart — a toolbar action
+  // that redirects the browser to better-auth's social sign-in endpoint
+  // with a callbackURL pointing back to the linked-accounts view. The
+  // endpoint sets the link cookie and OAuth-dances through the provider,
+  // which is why it's `type: 'url'` (full page navigation) rather than
+  // `type: 'api'` (XHR — would block on CORS / 302).
   actions: [
+    {
+      name: "link_social",
+      label: "Link Social Account",
+      icon: "link-2",
+      variant: "primary",
+      mode: "create",
+      locations: ["list_toolbar"],
+      type: "url",
+      target: "/api/v1/auth/sign-in/social?provider=${param.provider}&callbackURL=${ctx.origin}/apps/account/sys_account",
+      params: [
+        {
+          name: "provider",
+          label: "Provider",
+          type: "select",
+          required: true,
+          options: [
+            { label: "Google", value: "google" },
+            { label: "GitHub", value: "github" },
+            { label: "Microsoft", value: "microsoft" },
+            { label: "Apple", value: "apple" },
+            { label: "Facebook", value: "facebook" },
+            { label: "GitLab", value: "gitlab" },
+            { label: "Discord", value: "discord" }
+          ]
+        }
+      ]
+    },
     {
       name: "unlink_account",
       label: "Unlink Account",
@@ -707,6 +898,30 @@ var SysOrganization = ObjectSchema.create({
       confirmText: "Leave this organization? You will lose access to all of its resources.",
       successMessage: "You have left the organization",
       refreshAfter: true
+    },
+    {
+      // Rename the organization slug (URL prefix). Backed by the cloud
+      // orchestrator at /api/v1/cloud/organizations/{id}/change-slug,
+      // which atomically updates sys_organization.slug, rewrites
+      // platform_subdomain sys_domain rows under the new slug, soft-
+      // retires the old rows with a redirect window, parks the old
+      // slug in sys_slug_reservation, and refreshes the registry
+      // mirror. See cloud `docs/design/sys-domain.md` §6.
+      name: "change_slug",
+      label: "Change Slug",
+      icon: "edit-3",
+      variant: "secondary",
+      mode: "custom",
+      locations: ["record_header"],
+      type: "api",
+      target: "/api/v1/cloud/organizations/{id}/change-slug",
+      method: "POST",
+      confirmText: "Renaming the slug rewrites every platform subdomain for this org and parks the old slug for 90 days. Continue?",
+      successMessage: "Organization slug changed",
+      refreshAfter: true,
+      params: [
+        { field: "slug", required: true, defaultFromRow: true }
+      ]
     }
   ],
   listViews: {
@@ -848,8 +1063,46 @@ var SysMember = ObjectSchema.create({
       confirmText: "Remove this member from the organization? They will lose access to all org resources.",
       successMessage: "Member removed",
       refreshAfter: true
+    },
+    // Transfer ownership is modeled as `update-member-role` with role=owner
+    // (better-auth's organization plugin auto-demotes the previous owner
+    // to admin). Kept as a separate action so the row menu can present a
+    // distinct destructive-style affordance with the right confirm copy —
+    // mixing it into `update_member_role` would hide the ownership-handoff
+    // semantics behind a generic role dropdown.
+    {
+      name: "transfer_ownership",
+      label: "Transfer Ownership",
+      icon: "crown",
+      variant: "danger",
+      mode: "custom",
+      locations: ["list_item"],
+      type: "api",
+      target: "/api/v1/auth/organization/update-member-role",
+      recordIdParam: "memberId",
+      bodyExtra: { role: "owner" },
+      visible: "record.role != 'owner'",
+      confirmText: "Transfer ownership of this organization to the selected member? You will be demoted to admin and lose owner-only privileges.",
+      successMessage: "Ownership transferred",
+      refreshAfter: true
     }
   ],
+  listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Memberships",
+      data: { provider: "object", object: "sys_member" },
+      columns: ["organization_id", "role", "created_at"],
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 },
+      emptyState: {
+        title: "No organizations yet",
+        message: "You haven't joined any organizations."
+      }
+    }
+  },
   fields: {
     id: Field.text({
       label: "Member ID",
@@ -952,6 +1205,40 @@ var SysInvitation = ObjectSchema.create({
         { field: "email", required: true, defaultFromRow: true },
         { field: "role", required: true, defaultFromRow: true }
       ]
+    },
+    // ── Recipient-side actions (the invited user) ────────────────────
+    //
+    // These two are the counterpart to invite/cancel/resend: they are
+    // visible only on invitations addressed to the current user. Used
+    // by an "Inbox / Pending invitations" list opened from the user's
+    // own account page. The recipient-only `visible` predicate keeps
+    // them out of the admin org-management view.
+    {
+      name: "accept_invitation",
+      label: "Accept Invitation",
+      icon: "check",
+      variant: "primary",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/organization/accept-invitation",
+      recordIdParam: "invitationId",
+      visible: "record.email == ctx.user.email && record.status == 'pending'",
+      successMessage: "Invitation accepted",
+      refreshAfter: true
+    },
+    {
+      name: "reject_invitation",
+      label: "Decline Invitation",
+      icon: "x",
+      variant: "ghost",
+      locations: ["list_item", "record_header"],
+      type: "api",
+      target: "/api/v1/auth/organization/reject-invitation",
+      recordIdParam: "invitationId",
+      visible: "record.email == ctx.user.email && record.status == 'pending'",
+      confirmText: "Decline this invitation? The inviter will be notified and you will need a new invitation to join.",
+      successMessage: "Invitation declined",
+      refreshAfter: true
     }
   ],
   listViews: {
@@ -1737,10 +2024,12 @@ var SysTwoFactor = ObjectSchema.create({
       pagination: { pageSize: 50 }
     }
   },
-  // Toolbar actions for self-service 2FA enrollment. The actual TOTP secret
-  // and backup codes returned by better-auth must be shown in the response
-  // toast / dialog — the action runner surfaces successMessage; the raw
-  // payload is logged client-side for now (TODO: dedicated 2FA setup wizard).
+  // Toolbar actions for self-service 2FA enrollment. Better-auth's
+  // `/two-factor/enable` returns `{ totpURI, backupCodes }` — the user must
+  // scan the URI into an authenticator app and save the backup codes NOW;
+  // they are never recoverable afterward. The `resultDialog` field tells
+  // the renderer to open a one-shot reveal dialog instead of toasting the
+  // success message. Same shape used by `regenerate_backup_codes`.
   actions: [
     {
       name: "enable_two_factor",
@@ -1750,11 +2039,19 @@ var SysTwoFactor = ObjectSchema.create({
       locations: ["list_toolbar"],
       type: "api",
       target: "/api/v1/auth/two-factor/enable",
-      successMessage: "2FA enrollment started \u2014 check response for TOTP URI and backup codes",
       refreshAfter: true,
       params: [
         { name: "password", label: "Current Password", type: "text", required: true }
-      ]
+      ],
+      resultDialog: {
+        title: "Two-factor authentication enabled",
+        description: "Scan the QR code with your authenticator app, then save the backup codes somewhere safe. The backup codes are shown only once.",
+        acknowledge: "I have saved my backup codes",
+        fields: [
+          { path: "totpURI", label: "Authenticator URI", format: "qrcode" },
+          { path: "backupCodes", label: "Backup Codes", format: "code-list" }
+        ]
+      }
     },
     {
       name: "disable_two_factor",
@@ -1770,6 +2067,28 @@ var SysTwoFactor = ObjectSchema.create({
       params: [
         { name: "password", label: "Current Password", type: "text", required: true }
       ]
+    },
+    {
+      name: "regenerate_backup_codes",
+      label: "Regenerate Backup Codes",
+      icon: "refresh-cw",
+      variant: "secondary",
+      locations: ["list_toolbar", "list_item"],
+      type: "api",
+      target: "/api/v1/auth/two-factor/generate-backup-codes",
+      confirmText: "Regenerate backup codes? All previous backup codes will stop working immediately.",
+      refreshAfter: true,
+      params: [
+        { name: "password", label: "Current Password", type: "text", required: true }
+      ],
+      resultDialog: {
+        title: "New backup codes generated",
+        description: "Previous backup codes are now invalid. Save these new codes somewhere safe \u2014 they are shown only once.",
+        acknowledge: "I have saved the new codes",
+        fields: [
+          { path: "backupCodes", label: "Backup Codes", format: "code-list" }
+        ]
+      }
     }
   ],
   fields: {
@@ -1801,6 +2120,11 @@ var SysTwoFactor = ObjectSchema.create({
       label: "Backup Codes",
       required: false,
       description: "JSON-serialized backup recovery codes"
+    }),
+    verified: Field.boolean({
+      label: "Verified",
+      defaultValue: true,
+      description: "Whether the enrollment was confirmed with a valid TOTP code (managed by better-auth)"
     })
   },
   indexes: [
@@ -2060,6 +2384,37 @@ var SysOauthApplication = ObjectSchema.create({
         { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
       ]
     },
+    {
+      name: "create_oauth_application",
+      label: "Register OAuth Application",
+      icon: "plus-circle",
+      variant: "primary",
+      mode: "create",
+      locations: ["list_toolbar"],
+      type: "api",
+      method: "POST",
+      target: "/api/v1/auth/sys-oauth-application/register",
+      refreshAfter: true,
+      params: [
+        { name: "name", label: "Application Name", type: "text", required: true },
+        { name: "redirectURLs", label: "Redirect URLs", type: "textarea", required: true, helpText: "One URL per line. Must use https:// in production." },
+        { name: "type", label: "Application Type", type: "select", required: true, defaultValue: "web", options: [
+          { label: "Web", value: "web" },
+          { label: "Native", value: "native" },
+          { label: "User-agent based", value: "user-agent-based" },
+          { label: "Public", value: "public" }
+        ] }
+      ],
+      resultDialog: {
+        title: "OAuth application registered",
+        description: "Save the client_secret now \u2014 it is shown only once and cannot be recovered. You can rotate it later if it leaks.",
+        acknowledge: "I have saved the client secret",
+        fields: [
+          { path: "client.client_id", label: "Client ID", format: "text" },
+          { path: "client.client_secret", label: "Client Secret", format: "secret" }
+        ]
+      }
+    },
     {
       name: "rotate_client_secret",
       label: "Rotate Client Secret",
@@ -2071,11 +2426,18 @@ var SysOauthApplication = ObjectSchema.create({
       method: "POST",
       target: "/api/v1/auth/oauth2/client/rotate-secret",
       confirmText: "Rotate this OAuth client's secret? The previous secret will stop working immediately and any integrations using it will break until they are updated with the new secret. The new secret is shown only once.",
-      successMessage: "Client secret rotated \u2014 copy the new value from the response now.",
       refreshAfter: true,
       params: [
         { name: "client_id", field: "client_id", defaultFromRow: true, required: true }
-      ]
+      ],
+      resultDialog: {
+        title: "Client secret rotated",
+        description: "Save the new secret now \u2014 it is shown only once. Update every integration before the previous secret's grace period ends.",
+        acknowledge: "I have updated my integrations",
+        fields: [
+          { path: "client_secret", label: "New Client Secret", format: "secret" }
+        ]
+      }
     },
     {
       name: "delete_oauth_application",
@@ -2096,6 +2458,20 @@ var SysOauthApplication = ObjectSchema.create({
     }
   ],
   listViews: {
+    mine: {
+      type: "grid",
+      name: "mine",
+      label: "My Applications",
+      data: { provider: "object", object: "sys_oauth_application" },
+      columns: ["name", "client_id", "type", "disabled", "created_at"],
+      // Self-service Account view — scope to the signed-in user's own
+      // registrations so they don't see other developers' apps. Admins
+      // get the unfiltered `active` / `disabled_apps` / `all_apps` views
+      // via the Setup → OAuth Applications nav.
+      filter: [{ field: "user_id", operator: "equals", value: "{current_user_id}" }],
+      sort: [{ field: "created_at", order: "desc" }],
+      pagination: { pageSize: 50 }
+    },
     active: {
       type: "grid",
       name: "active",