@objectstack/plugin-auth 3.2.5 → 3.2.7

package/dist/index.js

@@ -33,12 +33,23 @@ __export(index_exports, {
   AUTH_TWO_FACTOR_USER_FIELDS: () => AUTH_TWO_FACTOR_USER_FIELDS,
   AUTH_USER_CONFIG: () => AUTH_USER_CONFIG,
   AUTH_VERIFICATION_CONFIG: () => AUTH_VERIFICATION_CONFIG,
-  AuthAccount: () => AuthAccount,
+  AuthAccount: () => SysAccount,
   AuthManager: () => AuthManager,
   AuthPlugin: () => AuthPlugin,
-  AuthSession: () => AuthSession,
-  AuthUser: () => AuthUser,
-  AuthVerification: () => AuthVerification,
+  AuthSession: () => SysSession,
+  AuthUser: () => SysUser,
+  AuthVerification: () => SysVerification,
+  SysAccount: () => SysAccount,
+  SysApiKey: () => SysApiKey,
+  SysInvitation: () => SysInvitation,
+  SysMember: () => SysMember,
+  SysOrganization: () => SysOrganization,
+  SysSession: () => SysSession,
+  SysTeam: () => SysTeam,
+  SysTeamMember: () => SysTeamMember,
+  SysTwoFactor: () => SysTwoFactor,
+  SysUser: () => SysUser,
+  SysVerification: () => SysVerification,
   buildOrganizationPluginSchema: () => buildOrganizationPluginSchema,
   buildTwoFactorPluginSchema: () => buildTwoFactorPluginSchema,
   createObjectQLAdapter: () => createObjectQLAdapter,
@@ -265,14 +276,16 @@ var AUTH_VERIFICATION_CONFIG = {
   }
 };
 var AUTH_ORGANIZATION_SCHEMA = {
-  modelName: "sys_organization",
+  modelName: import_system2.SystemObjectName.ORGANIZATION,
+  // 'sys_organization'
   fields: {
     createdAt: "created_at",
     updatedAt: "updated_at"
   }
 };
 var AUTH_MEMBER_SCHEMA = {
-  modelName: "sys_member",
+  modelName: import_system2.SystemObjectName.MEMBER,
+  // 'sys_member'
   fields: {
     organizationId: "organization_id",
     userId: "user_id",
@@ -280,7 +293,8 @@ var AUTH_MEMBER_SCHEMA = {
   }
 };
 var AUTH_INVITATION_SCHEMA = {
-  modelName: "sys_invitation",
+  modelName: import_system2.SystemObjectName.INVITATION,
+  // 'sys_invitation'
   fields: {
     organizationId: "organization_id",
     inviterId: "inviter_id",
@@ -294,7 +308,8 @@ var AUTH_ORG_SESSION_FIELDS = {
   activeTeamId: "active_team_id"
 };
 var AUTH_TEAM_SCHEMA = {
-  modelName: "sys_team",
+  modelName: import_system2.SystemObjectName.TEAM,
+  // 'sys_team'
   fields: {
     organizationId: "organization_id",
     createdAt: "created_at",
@@ -302,7 +317,8 @@ var AUTH_TEAM_SCHEMA = {
   }
 };
 var AUTH_TEAM_MEMBER_SCHEMA = {
-  modelName: "sys_team_member",
+  modelName: import_system2.SystemObjectName.TEAM_MEMBER,
+  // 'sys_team_member'
   fields: {
     teamId: "team_id",
     userId: "user_id",
@@ -310,7 +326,8 @@ var AUTH_TEAM_MEMBER_SCHEMA = {
   }
 };
 var AUTH_TWO_FACTOR_SCHEMA = {
-  modelName: "sys_two_factor",
+  modelName: import_system2.SystemObjectName.TWO_FACTOR,
+  // 'sys_two_factor'
   fields: {
     backupCodes: "backup_codes",
     userId: "user_id"
@@ -382,10 +399,28 @@ var AuthManager = class {
       verification: {
         ...AUTH_VERIFICATION_CONFIG
       },
-      // Email configuration
+      // Social / OAuth providers
+      ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
+      // Email and password configuration
       emailAndPassword: {
-        enabled: true
+        enabled: this.config.emailAndPassword?.enabled ?? true,
+        ...this.config.emailAndPassword?.disableSignUp != null ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {},
+        ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
+        ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
+        ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
+        ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
+        ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
+        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}
       },
+      // Email verification
+      ...this.config.emailVerification ? {
+        emailVerification: {
+          ...this.config.emailVerification.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
+          ...this.config.emailVerification.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
+          ...this.config.emailVerification.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
+          ...this.config.emailVerification.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {}
+        }
+      } : {},
       // Session configuration
       session: {
         ...AUTH_SESSION_CONFIG,
@@ -395,7 +430,18 @@ var AuthManager = class {
         // 1 day default
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
-      plugins: this.buildPluginList()
+      plugins: this.buildPluginList(),
+      // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
+      ...this.config.trustedOrigins?.length ? { trustedOrigins: this.config.trustedOrigins } : {},
+      // Advanced options (cross-subdomain cookies, secure cookies, CSRF, etc.)
+      ...this.config.advanced ? {
+        advanced: {
+          ...this.config.advanced.crossSubDomainCookies ? { crossSubDomainCookies: this.config.advanced.crossSubDomainCookies } : {},
+          ...this.config.advanced.useSecureCookies != null ? { useSecureCookies: this.config.advanced.useSecureCookies } : {},
+          ...this.config.advanced.disableCSRFCheck != null ? { disableCSRFCheck: this.config.advanced.disableCSRFCheck } : {},
+          ...this.config.advanced.cookiePrefix != null ? { cookiePrefix: this.config.advanced.cookiePrefix } : {}
+        }
+      } : {}
     };
     return (0, import_better_auth.betterAuth)(betterAuthConfig);
   }
@@ -465,6 +511,25 @@ var AuthManager = class {
     }
     return envSecret;
   }
+  /**
+   * Update the base URL at runtime.
+   *
+   * This **must** be called before the first request triggers lazy
+   * initialisation of the better-auth instance — typically from a
+   * `kernel:ready` hook where the actual server port is known.
+   *
+   * If the auth instance has already been created this is a no-op and
+   * a warning is emitted.
+   */
+  setRuntimeBaseUrl(url) {
+    if (this.auth) {
+      console.warn(
+        "[AuthManager] setRuntimeBaseUrl() called after the auth instance was already created \u2014 ignoring. Ensure this method is called before the first request."
+      );
+      return;
+    }
+    this.config = { ...this.config, baseUrl: url };
+  }
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases
@@ -548,6 +613,21 @@ var AuthPlugin = class {
         } catch {
         }
         if (httpServer) {
+          const serverWithPort = httpServer;
+          if (this.authManager && typeof serverWithPort.getPort === "function") {
+            const actualPort = serverWithPort.getPort();
+            if (actualPort) {
+              const configuredUrl = this.options.baseUrl || "http://localhost:3000";
+              const configuredOrigin = new URL(configuredUrl).origin;
+              const actualUrl = `http://localhost:${actualPort}`;
+              if (configuredOrigin !== actualUrl) {
+                this.authManager.setRuntimeBaseUrl(actualUrl);
+                ctx.logger.info(
+                  `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`
+                );
+              }
+            }
+          }
           this.registerAuthRoutes(httpServer, ctx);
           ctx.logger.info(`Auth routes registered at ${this.options.basePath}`);
         } else {
@@ -629,18 +709,19 @@ var AuthPlugin = class {
   }
 };
 
-// src/objects/auth-user.object.ts
+// src/objects/sys-user.object.ts
 var import_data = require("@objectstack/spec/data");
-var AuthUser = import_data.ObjectSchema.create({
-  name: "sys_user",
+var SysUser = import_data.ObjectSchema.create({
+  namespace: "sys",
+  name: "user",
   label: "User",
   pluralLabel: "Users",
   icon: "user",
+  isSystem: true,
   description: "User accounts for authentication",
   titleFormat: "{name} ({email})",
   compactLayout: ["name", "email", "email_verified"],
   fields: {
-    // ID is auto-generated by ObjectQL
     id: import_data.Field.text({
       label: "User ID",
       required: true,
@@ -676,12 +757,10 @@ var AuthUser = import_data.ObjectSchema.create({
       required: false
     })
   },
-  // Database indexes for performance
   indexes: [
     { fields: ["email"], unique: true },
     { fields: ["created_at"], unique: false }
   ],
-  // Enable features
   enable: {
     trackHistory: true,
     searchable: true,
@@ -690,7 +769,6 @@ var AuthUser = import_data.ObjectSchema.create({
     trash: true,
     mru: true
   },
-  // Validation Rules
   validations: [
     {
       name: "email_unique",
@@ -703,13 +781,15 @@ var AuthUser = import_data.ObjectSchema.create({
   ]
 });
 
-// src/objects/auth-session.object.ts
+// src/objects/sys-session.object.ts
 var import_data2 = require("@objectstack/spec/data");
-var AuthSession = import_data2.ObjectSchema.create({
-  name: "sys_session",
+var SysSession = import_data2.ObjectSchema.create({
+  namespace: "sys",
+  name: "session",
   label: "Session",
   pluralLabel: "Sessions",
   icon: "key",
+  isSystem: true,
   description: "Active user sessions",
   titleFormat: "Session {token}",
   compactLayout: ["user_id", "expires_at", "ip_address"],
@@ -752,33 +832,30 @@ var AuthSession = import_data2.ObjectSchema.create({
       required: false
     })
   },
-  // Database indexes for performance
   indexes: [
     { fields: ["token"], unique: true },
     { fields: ["user_id"], unique: false },
     { fields: ["expires_at"], unique: false }
   ],
-  // Enable features
   enable: {
     trackHistory: false,
-    // Sessions don't need history tracking
     searchable: false,
     apiEnabled: true,
     apiMethods: ["get", "list", "create", "delete"],
-    // No update for sessions
     trash: false,
-    // Sessions should be hard deleted
     mru: false
   }
 });
 
-// src/objects/auth-account.object.ts
+// src/objects/sys-account.object.ts
 var import_data3 = require("@objectstack/spec/data");
-var AuthAccount = import_data3.ObjectSchema.create({
-  name: "sys_account",
+var SysAccount = import_data3.ObjectSchema.create({
+  namespace: "sys",
+  name: "account",
   label: "Account",
   pluralLabel: "Accounts",
   icon: "link",
+  isSystem: true,
   description: "OAuth and authentication provider accounts",
   titleFormat: "{provider_id} - {account_id}",
   compactLayout: ["provider_id", "user_id", "account_id"],
@@ -843,12 +920,10 @@ var AuthAccount = import_data3.ObjectSchema.create({
       description: "Hashed password for email/password provider"
     })
   },
-  // Database indexes for performance
   indexes: [
     { fields: ["user_id"], unique: false },
     { fields: ["provider_id", "account_id"], unique: true }
   ],
-  // Enable features
   enable: {
     trackHistory: false,
     searchable: false,
@@ -859,13 +934,15 @@ var AuthAccount = import_data3.ObjectSchema.create({
   }
 });
 
-// src/objects/auth-verification.object.ts
+// src/objects/sys-verification.object.ts
 var import_data4 = require("@objectstack/spec/data");
-var AuthVerification = import_data4.ObjectSchema.create({
-  name: "sys_verification",
+var SysVerification = import_data4.ObjectSchema.create({
+  namespace: "sys",
+  name: "verification",
   label: "Verification",
   pluralLabel: "Verifications",
   icon: "shield-check",
+  isSystem: true,
   description: "Email and phone verification tokens",
   titleFormat: "Verification for {identifier}",
   compactLayout: ["identifier", "expires_at", "created_at"],
@@ -900,21 +977,444 @@ var AuthVerification = import_data4.ObjectSchema.create({
       description: "Email address or phone number"
     })
   },
-  // Database indexes for performance
   indexes: [
     { fields: ["value"], unique: true },
     { fields: ["identifier"], unique: false },
     { fields: ["expires_at"], unique: false }
   ],
-  // Enable features
   enable: {
     trackHistory: false,
     searchable: false,
     apiEnabled: true,
     apiMethods: ["get", "create", "delete"],
-    // No list or update
     trash: false,
-    // Hard delete expired tokens
+    mru: false
+  }
+});
+
+// src/objects/sys-organization.object.ts
+var import_data5 = require("@objectstack/spec/data");
+var SysOrganization = import_data5.ObjectSchema.create({
+  namespace: "sys",
+  name: "organization",
+  label: "Organization",
+  pluralLabel: "Organizations",
+  icon: "building-2",
+  isSystem: true,
+  description: "Organizations for multi-tenant grouping",
+  titleFormat: "{name}",
+  compactLayout: ["name", "slug", "created_at"],
+  fields: {
+    id: import_data5.Field.text({
+      label: "Organization ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data5.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: import_data5.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    name: import_data5.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255
+    }),
+    slug: import_data5.Field.text({
+      label: "Slug",
+      required: false,
+      maxLength: 255,
+      description: "URL-friendly identifier"
+    }),
+    logo: import_data5.Field.url({
+      label: "Logo",
+      required: false
+    }),
+    metadata: import_data5.Field.textarea({
+      label: "Metadata",
+      required: false,
+      description: "JSON-serialized organization metadata"
+    })
+  },
+  indexes: [
+    { fields: ["slug"], unique: true },
+    { fields: ["name"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: true
+  }
+});
+
+// src/objects/sys-member.object.ts
+var import_data6 = require("@objectstack/spec/data");
+var SysMember = import_data6.ObjectSchema.create({
+  namespace: "sys",
+  name: "member",
+  label: "Member",
+  pluralLabel: "Members",
+  icon: "user-check",
+  isSystem: true,
+  description: "Organization membership records",
+  titleFormat: "{user_id} in {organization_id}",
+  compactLayout: ["user_id", "organization_id", "role"],
+  fields: {
+    id: import_data6.Field.text({
+      label: "Member ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data6.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    organization_id: import_data6.Field.text({
+      label: "Organization ID",
+      required: true
+    }),
+    user_id: import_data6.Field.text({
+      label: "User ID",
+      required: true
+    }),
+    role: import_data6.Field.text({
+      label: "Role",
+      required: false,
+      description: "Member role within the organization (e.g. admin, member)",
+      maxLength: 100
+    })
+  },
+  indexes: [
+    { fields: ["organization_id", "user_id"], unique: true },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+
+// src/objects/sys-invitation.object.ts
+var import_data7 = require("@objectstack/spec/data");
+var SysInvitation = import_data7.ObjectSchema.create({
+  namespace: "sys",
+  name: "invitation",
+  label: "Invitation",
+  pluralLabel: "Invitations",
+  icon: "mail",
+  isSystem: true,
+  description: "Organization invitations for user onboarding",
+  titleFormat: "Invitation to {organization_id}",
+  compactLayout: ["email", "organization_id", "status"],
+  fields: {
+    id: import_data7.Field.text({
+      label: "Invitation ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data7.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    organization_id: import_data7.Field.text({
+      label: "Organization ID",
+      required: true
+    }),
+    email: import_data7.Field.email({
+      label: "Email",
+      required: true,
+      description: "Email address of the invited user"
+    }),
+    role: import_data7.Field.text({
+      label: "Role",
+      required: false,
+      maxLength: 100,
+      description: "Role to assign upon acceptance"
+    }),
+    status: import_data7.Field.select(["pending", "accepted", "rejected", "expired", "canceled"], {
+      label: "Status",
+      required: true,
+      defaultValue: "pending"
+    }),
+    inviter_id: import_data7.Field.text({
+      label: "Inviter ID",
+      required: true,
+      description: "User ID of the person who sent the invitation"
+    }),
+    expires_at: import_data7.Field.datetime({
+      label: "Expires At",
+      required: true
+    }),
+    team_id: import_data7.Field.text({
+      label: "Team ID",
+      required: false,
+      description: "Optional team to assign upon acceptance"
+    })
+  },
+  indexes: [
+    { fields: ["organization_id"] },
+    { fields: ["email"] },
+    { fields: ["expires_at"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+
+// src/objects/sys-team.object.ts
+var import_data8 = require("@objectstack/spec/data");
+var SysTeam = import_data8.ObjectSchema.create({
+  namespace: "sys",
+  name: "team",
+  label: "Team",
+  pluralLabel: "Teams",
+  icon: "users",
+  isSystem: true,
+  description: "Teams within organizations for fine-grained grouping",
+  titleFormat: "{name}",
+  compactLayout: ["name", "organization_id", "created_at"],
+  fields: {
+    id: import_data8.Field.text({
+      label: "Team ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data8.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: import_data8.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    name: import_data8.Field.text({
+      label: "Name",
+      required: true,
+      searchable: true,
+      maxLength: 255
+    }),
+    organization_id: import_data8.Field.text({
+      label: "Organization ID",
+      required: true
+    })
+  },
+  indexes: [
+    { fields: ["organization_id"] },
+    { fields: ["name", "organization_id"], unique: true }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: true,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: true,
+    mru: false
+  }
+});
+
+// src/objects/sys-team-member.object.ts
+var import_data9 = require("@objectstack/spec/data");
+var SysTeamMember = import_data9.ObjectSchema.create({
+  namespace: "sys",
+  name: "team_member",
+  label: "Team Member",
+  pluralLabel: "Team Members",
+  icon: "user-plus",
+  isSystem: true,
+  description: "Team membership records linking users to teams",
+  titleFormat: "{user_id} in {team_id}",
+  compactLayout: ["user_id", "team_id", "created_at"],
+  fields: {
+    id: import_data9.Field.text({
+      label: "Team Member ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data9.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    team_id: import_data9.Field.text({
+      label: "Team ID",
+      required: true
+    }),
+    user_id: import_data9.Field.text({
+      label: "User ID",
+      required: true
+    })
+  },
+  indexes: [
+    { fields: ["team_id", "user_id"], unique: true },
+    { fields: ["user_id"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+
+// src/objects/sys-api-key.object.ts
+var import_data10 = require("@objectstack/spec/data");
+var SysApiKey = import_data10.ObjectSchema.create({
+  namespace: "sys",
+  name: "api_key",
+  label: "API Key",
+  pluralLabel: "API Keys",
+  icon: "key-round",
+  isSystem: true,
+  description: "API keys for programmatic access",
+  titleFormat: "{name}",
+  compactLayout: ["name", "user_id", "expires_at"],
+  fields: {
+    id: import_data10.Field.text({
+      label: "API Key ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data10.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: import_data10.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    name: import_data10.Field.text({
+      label: "Name",
+      required: true,
+      maxLength: 255,
+      description: "Human-readable label for the API key"
+    }),
+    key: import_data10.Field.text({
+      label: "Key",
+      required: true,
+      description: "Hashed API key value"
+    }),
+    prefix: import_data10.Field.text({
+      label: "Prefix",
+      required: false,
+      maxLength: 16,
+      description: 'Visible prefix for identifying the key (e.g., "osk_")'
+    }),
+    user_id: import_data10.Field.text({
+      label: "User ID",
+      required: true,
+      description: "Owner user of this API key"
+    }),
+    scopes: import_data10.Field.textarea({
+      label: "Scopes",
+      required: false,
+      description: "JSON array of permission scopes"
+    }),
+    expires_at: import_data10.Field.datetime({
+      label: "Expires At",
+      required: false
+    }),
+    last_used_at: import_data10.Field.datetime({
+      label: "Last Used At",
+      required: false
+    }),
+    revoked: import_data10.Field.boolean({
+      label: "Revoked",
+      defaultValue: false
+    })
+  },
+  indexes: [
+    { fields: ["key"], unique: true },
+    { fields: ["user_id"] },
+    { fields: ["prefix"] }
+  ],
+  enable: {
+    trackHistory: true,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "list", "create", "update", "delete"],
+    trash: false,
+    mru: false
+  }
+});
+
+// src/objects/sys-two-factor.object.ts
+var import_data11 = require("@objectstack/spec/data");
+var SysTwoFactor = import_data11.ObjectSchema.create({
+  namespace: "sys",
+  name: "two_factor",
+  label: "Two Factor",
+  pluralLabel: "Two Factor Credentials",
+  icon: "smartphone",
+  isSystem: true,
+  description: "Two-factor authentication credentials",
+  titleFormat: "Two-factor for {user_id}",
+  compactLayout: ["user_id", "created_at"],
+  fields: {
+    id: import_data11.Field.text({
+      label: "Two Factor ID",
+      required: true,
+      readonly: true
+    }),
+    created_at: import_data11.Field.datetime({
+      label: "Created At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    updated_at: import_data11.Field.datetime({
+      label: "Updated At",
+      defaultValue: "NOW()",
+      readonly: true
+    }),
+    user_id: import_data11.Field.text({
+      label: "User ID",
+      required: true
+    }),
+    secret: import_data11.Field.text({
+      label: "Secret",
+      required: true,
+      description: "TOTP secret key"
+    }),
+    backup_codes: import_data11.Field.textarea({
+      label: "Backup Codes",
+      required: false,
+      description: "JSON-serialized backup recovery codes"
+    })
+  },
+  indexes: [
+    { fields: ["user_id"], unique: true }
+  ],
+  enable: {
+    trackHistory: false,
+    searchable: false,
+    apiEnabled: true,
+    apiMethods: ["get", "create", "update", "delete"],
+    trash: false,
     mru: false
   }
 });
@@ -939,6 +1439,17 @@ var AuthVerification = import_data4.ObjectSchema.create({
   AuthSession,
   AuthUser,
   AuthVerification,
+  SysAccount,
+  SysApiKey,
+  SysInvitation,
+  SysMember,
+  SysOrganization,
+  SysSession,
+  SysTeam,
+  SysTeamMember,
+  SysTwoFactor,
+  SysUser,
+  SysVerification,
   buildOrganizationPluginSchema,
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,