@objectstack/plugin-auth 4.0.4 → 4.0.5

package/dist/index.mjs

@@ -1,8 +1,15 @@
-// src/auth-manager.ts
-import { betterAuth } from "better-auth";
-import { organization } from "better-auth/plugins/organization";
-import { twoFactor } from "better-auth/plugins/two-factor";
-import { magicLink } from "better-auth/plugins/magic-link";
+// src/auth-plugin.ts
+import {
+  SETUP_APP,
+  SystemOverviewDashboard,
+  SecurityOverviewDashboard,
+  UsersView,
+  OrganizationsView,
+  RolesView,
+  SessionsView,
+  AuditLogsView,
+  PackageInstallationsView
+} from "@objectstack/platform-objects/apps";
 
 // src/objectql-adapter.ts
 import { createAdapterFactory } from "better-auth/adapters";
@@ -276,6 +283,81 @@ var AUTH_TWO_FACTOR_SCHEMA = {
 var AUTH_TWO_FACTOR_USER_FIELDS = {
   twoFactorEnabled: "two_factor_enabled"
 };
+var AUTH_OAUTH_CLIENT_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_APPLICATION,
+  // 'sys_oauth_application'
+  fields: {
+    clientId: "client_id",
+    clientSecret: "client_secret",
+    skipConsent: "skip_consent",
+    enableEndSession: "enable_end_session",
+    subjectType: "subject_type",
+    userId: "user_id",
+    createdAt: "created_at",
+    updatedAt: "updated_at",
+    redirectUris: "redirect_uris",
+    postLogoutRedirectUris: "post_logout_redirect_uris",
+    tokenEndpointAuthMethod: "token_endpoint_auth_method",
+    grantTypes: "grant_types",
+    responseTypes: "response_types",
+    requirePKCE: "require_pkce",
+    softwareId: "software_id",
+    softwareVersion: "software_version",
+    softwareStatement: "software_statement",
+    referenceId: "reference_id"
+  }
+};
+var AUTH_OAUTH_APPLICATION_SCHEMA = AUTH_OAUTH_CLIENT_SCHEMA;
+var AUTH_OAUTH_ACCESS_TOKEN_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_ACCESS_TOKEN,
+  // 'sys_oauth_access_token'
+  fields: {
+    clientId: "client_id",
+    sessionId: "session_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    refreshId: "refresh_id",
+    expiresAt: "expires_at",
+    createdAt: "created_at"
+  }
+};
+var AUTH_OAUTH_REFRESH_TOKEN_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_REFRESH_TOKEN,
+  // 'sys_oauth_refresh_token'
+  fields: {
+    clientId: "client_id",
+    sessionId: "session_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    expiresAt: "expires_at",
+    createdAt: "created_at",
+    authTime: "auth_time"
+  }
+};
+var AUTH_OAUTH_CONSENT_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_CONSENT,
+  // 'sys_oauth_consent'
+  fields: {
+    clientId: "client_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    createdAt: "created_at",
+    updatedAt: "updated_at"
+  }
+};
+var AUTH_DEVICE_CODE_SCHEMA = {
+  modelName: SystemObjectName2.DEVICE_CODE,
+  // 'sys_device_code'
+  fields: {
+    deviceCode: "device_code",
+    userCode: "user_code",
+    userId: "user_id",
+    expiresAt: "expires_at",
+    lastPolledAt: "last_polled_at",
+    pollingInterval: "polling_interval",
+    clientId: "client_id"
+  }
+};
 function buildTwoFactorPluginSchema() {
   return {
     twoFactor: AUTH_TWO_FACTOR_SCHEMA,
@@ -296,6 +378,35 @@ function buildOrganizationPluginSchema() {
     }
   };
 }
+var AUTH_JWKS_SCHEMA = {
+  modelName: SystemObjectName2.JWKS,
+  // 'sys_jwks'
+  fields: {
+    publicKey: "public_key",
+    privateKey: "private_key",
+    createdAt: "created_at",
+    expiresAt: "expires_at"
+  }
+};
+function buildJwtPluginSchema() {
+  return {
+    jwks: AUTH_JWKS_SCHEMA
+  };
+}
+function buildOauthProviderPluginSchema() {
+  return {
+    oauthClient: AUTH_OAUTH_CLIENT_SCHEMA,
+    oauthAccessToken: AUTH_OAUTH_ACCESS_TOKEN_SCHEMA,
+    oauthRefreshToken: AUTH_OAUTH_REFRESH_TOKEN_SCHEMA,
+    oauthConsent: AUTH_OAUTH_CONSENT_SCHEMA
+  };
+}
+var buildOidcProviderPluginSchema = buildOauthProviderPluginSchema;
+function buildDeviceAuthorizationPluginSchema() {
+  return {
+    deviceCode: AUTH_DEVICE_CODE_SCHEMA
+  };
+}
 
 // src/auth-manager.ts
 var AuthManager = class {
@@ -309,16 +420,18 @@ var AuthManager = class {
   /**
    * Get or create the better-auth instance (lazy initialization)
    */
-  getOrCreateAuth() {
+  async getOrCreateAuth() {
     if (!this.auth) {
-      this.auth = this.createAuthInstance();
+      this.auth = await this.createAuthInstance();
     }
     return this.auth;
   }
   /**
    * Create a better-auth instance from configuration
    */
-  createAuthInstance() {
+  async createAuthInstance() {
+    const { betterAuth } = await import("better-auth");
+    const plugins = await this.buildPluginList();
     const betterAuthConfig = {
       // Base configuration
       secret: this.config.secret || this.generateSecret(),
@@ -370,7 +483,7 @@ var AuthManager = class {
         // 1 day default
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
-      plugins: this.buildPluginList(),
+      plugins,
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
       // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
       ...(() => {
@@ -405,20 +518,51 @@ var AuthManager = class {
    * a `schema` option containing the appropriate snake_case field mappings,
    * so that `createAdapterFactory` transforms them automatically.
    */
-  buildPluginList() {
-    const pluginConfig = this.config.plugins;
+  async buildPluginList() {
+    const pluginConfig = this.config.plugins ?? {};
     const plugins = [];
-    if (pluginConfig?.organization) {
+    const enabled = {
+      organization: pluginConfig.organization ?? true,
+      twoFactor: pluginConfig.twoFactor ?? false,
+      passkeys: pluginConfig.passkeys ?? false,
+      magicLink: pluginConfig.magicLink ?? false,
+      oidcProvider: pluginConfig.oidcProvider ?? false,
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false
+    };
+    const { bearer } = await import("better-auth/plugins/bearer");
+    plugins.push(bearer());
+    if (enabled.organization) {
+      const { organization } = await import("better-auth/plugins/organization");
       plugins.push(organization({
-        schema: buildOrganizationPluginSchema()
+        schema: buildOrganizationPluginSchema(),
+        // Enable the team sub-feature so the framework's `sys_team` /
+        // `sys_team_member` tables (already declared in platform-objects)
+        // are actually wired up to better-auth's CRUD endpoints
+        // (`/organization/{create,update,remove,list}-team[s]` and
+        // `/organization/{add,remove,list}-team-member[s]`). The Account
+        // portal exposes a Teams page; without this flag those endpoints
+        // 404 and the section silently breaks.
+        teams: { enabled: true },
+        // No mailer is wired in framework yet — log the accept URL so
+        // operators / UI can fall back to copy-paste flows. Replace this
+        // with a real mail integration when available.
+        sendInvitationEmail: async ({ email, invitation, organization: org, inviter }) => {
+          const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+          const acceptUrl = `${baseUrl}/accept-invitation/${invitation.id}`;
+          console.warn(
+            `[AuthManager] Invitation email not configured. To: ${email} (org: ${org?.name ?? invitation.organizationId}, role: ${invitation.role}, inviter: ${inviter?.user?.email ?? "unknown"}) URL: ${acceptUrl}`
+          );
+        }
       }));
     }
-    if (pluginConfig?.twoFactor) {
+    if (enabled.twoFactor) {
+      const { twoFactor } = await import("better-auth/plugins/two-factor");
       plugins.push(twoFactor({
         schema: buildTwoFactorPluginSchema()
       }));
     }
-    if (pluginConfig?.magicLink) {
+    if (enabled.magicLink) {
+      const { magicLink } = await import("better-auth/plugins/magic-link");
       plugins.push(magicLink({
         sendMagicLink: async ({ email, url }) => {
           console.warn(
@@ -427,6 +571,43 @@ var AuthManager = class {
         }
       }));
     }
+    if (this.config.oidcProviders?.length) {
+      const { genericOAuth } = await import("better-auth/plugins/generic-oauth");
+      plugins.push(genericOAuth({
+        config: this.config.oidcProviders.map((p) => ({
+          providerId: p.providerId,
+          ...p.discoveryUrl ? { discoveryUrl: p.discoveryUrl } : {},
+          ...p.issuer ? { issuer: p.issuer } : {},
+          ...p.authorizationUrl ? { authorizationUrl: p.authorizationUrl } : {},
+          ...p.tokenUrl ? { tokenUrl: p.tokenUrl } : {},
+          ...p.userInfoUrl ? { userInfoUrl: p.userInfoUrl } : {},
+          clientId: p.clientId,
+          clientSecret: p.clientSecret,
+          ...p.scopes ? { scopes: p.scopes } : {},
+          ...p.pkce != null ? { pkce: p.pkce } : {}
+        }))
+      }));
+    }
+    if (enabled.oidcProvider) {
+      const { jwt } = await import("better-auth/plugins");
+      plugins.push(jwt({ schema: buildJwtPluginSchema() }));
+      const { oauthProvider } = await import("@better-auth/oauth-provider");
+      const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+      plugins.push(oauthProvider({
+        // Account SPA renders both pages — see apps/account.
+        loginPage: `${baseUrl}/_account/login`,
+        consentPage: `${baseUrl}/_account/oauth/consent`,
+        schema: buildOauthProviderPluginSchema()
+      }));
+    }
+    if (enabled.deviceAuthorization) {
+      const { deviceAuthorization } = await import("better-auth/plugins/device-authorization");
+      const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+      plugins.push(deviceAuthorization({
+        verificationUri: `${baseUrl}/_account/auth/device`,
+        schema: buildDeviceAuthorizationPluginSchema()
+      }));
+    }
     return plugins;
   }
   /**
@@ -502,7 +683,7 @@ var AuthManager = class {
    * @returns Web standard Response object
    */
   async handleRequest(request) {
-    const auth = this.getOrCreateAuth();
+    const auth = await this.getOrCreateAuth();
     const response = await auth.handler(request);
     if (response.status >= 500) {
       try {
@@ -518,18 +699,19 @@ var AuthManager = class {
    * Get the better-auth API for programmatic access
    * Use this for server-side operations (e.g., creating users, checking sessions)
    */
-  get api() {
-    return this.getOrCreateAuth().api;
+  async getApi() {
+    const auth = await this.getOrCreateAuth();
+    return auth.api;
   }
-  /**
-   * Get public authentication configuration
-   * Returns safe, non-sensitive configuration that can be exposed to the frontend
-   *
-   * This allows the frontend to discover:
-   * - Which social/OAuth providers are available
-   * - Whether email/password login is enabled
-   * - Which advanced features are enabled (2FA, magic links, etc.)
-   */
+  // ---------------------------------------------------------------------------
+  // Device Flow (CLI browser-based login)
+  //
+  // The device authorization flow (RFC 8628) is now handled entirely by
+  // better-auth's `device-authorization` plugin. Endpoints are exposed at
+  // `${basePath}/device/{code,token,approve,deny}` and persisted in
+  // `sys_device_code`. Enable via `plugins.deviceAuthorization: true` in
+  // AuthPluginConfig.
+  // ---------------------------------------------------------------------------
   getPublicConfig() {
     const socialProviders = [];
     if (this.config.socialProviders) {
@@ -549,11 +731,22 @@ var AuthManager = class {
           socialProviders.push({
             id,
             name: nameMap[id] || id.charAt(0).toUpperCase() + id.slice(1),
-            enabled: true
+            enabled: true,
+            type: "social"
           });
         }
       }
     }
+    if (this.config.oidcProviders?.length) {
+      for (const p of this.config.oidcProviders) {
+        socialProviders.push({
+          id: p.providerId,
+          name: p.name ?? p.providerId.charAt(0).toUpperCase() + p.providerId.slice(1),
+          enabled: true,
+          type: "oidc"
+        });
+      }
+    }
     const emailPasswordConfig = this.config.emailAndPassword ?? {};
     const emailPassword = {
       enabled: emailPasswordConfig.enabled !== false,
@@ -566,7 +759,9 @@ var AuthManager = class {
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
-      organization: pluginConfig.organization ?? false
+      organization: pluginConfig.organization ?? true,
+      oidcProvider: pluginConfig.oidcProvider ?? false,
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false
     };
     return {
       emailPassword,
@@ -574,776 +769,69 @@ var AuthManager = class {
       features
     };
   }
-};
-
-// src/objects/sys-user.object.ts
-import { ObjectSchema, Field } from "@objectstack/spec/data";
-var SysUser = ObjectSchema.create({
-  namespace: "sys",
-  name: "user",
-  label: "User",
-  pluralLabel: "Users",
-  icon: "user",
-  isSystem: true,
-  description: "User accounts for authentication",
-  titleFormat: "{name} ({email})",
-  compactLayout: ["name", "email", "email_verified"],
-  fields: {
-    id: Field.text({
-      label: "User ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    email: Field.email({
-      label: "Email",
-      required: true,
-      searchable: true
-    }),
-    email_verified: Field.boolean({
-      label: "Email Verified",
-      defaultValue: false
-    }),
-    name: Field.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    image: Field.url({
-      label: "Profile Image",
-      required: false
-    })
-  },
-  indexes: [
-    { fields: ["email"], unique: true },
-    { fields: ["created_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  },
-  validations: [
-    {
-      name: "email_unique",
-      type: "unique",
-      severity: "error",
-      message: "Email must be unique",
-      fields: ["email"],
-      caseSensitive: false
-    }
-  ]
-});
-
-// src/objects/sys-session.object.ts
-import { ObjectSchema as ObjectSchema2, Field as Field2 } from "@objectstack/spec/data";
-var SysSession = ObjectSchema2.create({
-  namespace: "sys",
-  name: "session",
-  label: "Session",
-  pluralLabel: "Sessions",
-  icon: "key",
-  isSystem: true,
-  description: "Active user sessions",
-  titleFormat: "Session {token}",
-  compactLayout: ["user_id", "expires_at", "ip_address"],
-  fields: {
-    id: Field2.text({
-      label: "Session ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field2.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field2.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field2.text({
-      label: "User ID",
-      required: true
-    }),
-    expires_at: Field2.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    token: Field2.text({
-      label: "Session Token",
-      required: true
-    }),
-    ip_address: Field2.text({
-      label: "IP Address",
-      required: false,
-      maxLength: 45
-      // Support IPv6
-    }),
-    user_agent: Field2.textarea({
-      label: "User Agent",
-      required: false
-    })
-  },
-  indexes: [
-    { fields: ["token"], unique: true },
-    { fields: ["user_id"], unique: false },
-    { fields: ["expires_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-account.object.ts
-import { ObjectSchema as ObjectSchema3, Field as Field3 } from "@objectstack/spec/data";
-var SysAccount = ObjectSchema3.create({
-  namespace: "sys",
-  name: "account",
-  label: "Account",
-  pluralLabel: "Accounts",
-  icon: "link",
-  isSystem: true,
-  description: "OAuth and authentication provider accounts",
-  titleFormat: "{provider_id} - {account_id}",
-  compactLayout: ["provider_id", "user_id", "account_id"],
-  fields: {
-    id: Field3.text({
-      label: "Account ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field3.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field3.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    provider_id: Field3.text({
-      label: "Provider ID",
-      required: true,
-      description: "OAuth provider identifier (google, github, etc.)"
-    }),
-    account_id: Field3.text({
-      label: "Provider Account ID",
-      required: true,
-      description: "User's ID in the provider's system"
-    }),
-    user_id: Field3.text({
-      label: "User ID",
-      required: true,
-      description: "Link to user table"
-    }),
-    access_token: Field3.textarea({
-      label: "Access Token",
-      required: false
-    }),
-    refresh_token: Field3.textarea({
-      label: "Refresh Token",
-      required: false
-    }),
-    id_token: Field3.textarea({
-      label: "ID Token",
-      required: false
-    }),
-    access_token_expires_at: Field3.datetime({
-      label: "Access Token Expires At",
-      required: false
-    }),
-    refresh_token_expires_at: Field3.datetime({
-      label: "Refresh Token Expires At",
-      required: false
-    }),
-    scope: Field3.text({
-      label: "OAuth Scope",
-      required: false
-    }),
-    password: Field3.text({
-      label: "Password Hash",
-      required: false,
-      description: "Hashed password for email/password provider"
-    })
-  },
-  indexes: [
-    { fields: ["user_id"], unique: false },
-    { fields: ["provider_id", "account_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-
-// src/objects/sys-verification.object.ts
-import { ObjectSchema as ObjectSchema4, Field as Field4 } from "@objectstack/spec/data";
-var SysVerification = ObjectSchema4.create({
-  namespace: "sys",
-  name: "verification",
-  label: "Verification",
-  pluralLabel: "Verifications",
-  icon: "shield-check",
-  isSystem: true,
-  description: "Email and phone verification tokens",
-  titleFormat: "Verification for {identifier}",
-  compactLayout: ["identifier", "expires_at", "created_at"],
-  fields: {
-    id: Field4.text({
-      label: "Verification ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field4.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field4.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    value: Field4.text({
-      label: "Verification Token",
-      required: true,
-      description: "Token or code for verification"
-    }),
-    expires_at: Field4.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    identifier: Field4.text({
-      label: "Identifier",
-      required: true,
-      description: "Email address or phone number"
-    })
-  },
-  indexes: [
-    { fields: ["value"], unique: true },
-    { fields: ["identifier"], unique: false },
-    { fields: ["expires_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-organization.object.ts
-import { ObjectSchema as ObjectSchema5, Field as Field5 } from "@objectstack/spec/data";
-var SysOrganization = ObjectSchema5.create({
-  namespace: "sys",
-  name: "organization",
-  label: "Organization",
-  pluralLabel: "Organizations",
-  icon: "building-2",
-  isSystem: true,
-  description: "Organizations for multi-tenant grouping",
-  titleFormat: "{name}",
-  compactLayout: ["name", "slug", "created_at"],
-  fields: {
-    id: Field5.text({
-      label: "Organization ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field5.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field5.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field5.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    slug: Field5.text({
-      label: "Slug",
-      required: false,
-      maxLength: 255,
-      description: "URL-friendly identifier"
-    }),
-    logo: Field5.url({
-      label: "Logo",
-      required: false
-    }),
-    metadata: Field5.textarea({
-      label: "Metadata",
-      required: false,
-      description: "JSON-serialized organization metadata"
-    })
-  },
-  indexes: [
-    { fields: ["slug"], unique: true },
-    { fields: ["name"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  }
-});
-
-// src/objects/sys-member.object.ts
-import { ObjectSchema as ObjectSchema6, Field as Field6 } from "@objectstack/spec/data";
-var SysMember = ObjectSchema6.create({
-  namespace: "sys",
-  name: "member",
-  label: "Member",
-  pluralLabel: "Members",
-  icon: "user-check",
-  isSystem: true,
-  description: "Organization membership records",
-  titleFormat: "{user_id} in {organization_id}",
-  compactLayout: ["user_id", "organization_id", "role"],
-  fields: {
-    id: Field6.text({
-      label: "Member ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field6.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    organization_id: Field6.text({
-      label: "Organization ID",
-      required: true
-    }),
-    user_id: Field6.text({
-      label: "User ID",
-      required: true
-    }),
-    role: Field6.text({
-      label: "Role",
-      required: false,
-      description: "Member role within the organization (e.g. admin, member)",
-      maxLength: 100
-    })
-  },
-  indexes: [
-    { fields: ["organization_id", "user_id"], unique: true },
-    { fields: ["user_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-invitation.object.ts
-import { ObjectSchema as ObjectSchema7, Field as Field7 } from "@objectstack/spec/data";
-var SysInvitation = ObjectSchema7.create({
-  namespace: "sys",
-  name: "invitation",
-  label: "Invitation",
-  pluralLabel: "Invitations",
-  icon: "mail",
-  isSystem: true,
-  description: "Organization invitations for user onboarding",
-  titleFormat: "Invitation to {organization_id}",
-  compactLayout: ["email", "organization_id", "status"],
-  fields: {
-    id: Field7.text({
-      label: "Invitation ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field7.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    organization_id: Field7.text({
-      label: "Organization ID",
-      required: true
-    }),
-    email: Field7.email({
-      label: "Email",
-      required: true,
-      description: "Email address of the invited user"
-    }),
-    role: Field7.text({
-      label: "Role",
-      required: false,
-      maxLength: 100,
-      description: "Role to assign upon acceptance"
-    }),
-    status: Field7.select(["pending", "accepted", "rejected", "expired", "canceled"], {
-      label: "Status",
-      required: true,
-      defaultValue: "pending"
-    }),
-    inviter_id: Field7.text({
-      label: "Inviter ID",
-      required: true,
-      description: "User ID of the person who sent the invitation"
-    }),
-    expires_at: Field7.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    team_id: Field7.text({
-      label: "Team ID",
-      required: false,
-      description: "Optional team to assign upon acceptance"
-    })
-  },
-  indexes: [
-    { fields: ["organization_id"] },
-    { fields: ["email"] },
-    { fields: ["expires_at"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-team.object.ts
-import { ObjectSchema as ObjectSchema8, Field as Field8 } from "@objectstack/spec/data";
-var SysTeam = ObjectSchema8.create({
-  namespace: "sys",
-  name: "team",
-  label: "Team",
-  pluralLabel: "Teams",
-  icon: "users",
-  isSystem: true,
-  description: "Teams within organizations for fine-grained grouping",
-  titleFormat: "{name}",
-  compactLayout: ["name", "organization_id", "created_at"],
-  fields: {
-    id: Field8.text({
-      label: "Team ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field8.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field8.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field8.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    organization_id: Field8.text({
-      label: "Organization ID",
-      required: true
-    })
-  },
-  indexes: [
-    { fields: ["organization_id"] },
-    { fields: ["name", "organization_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-
-// src/objects/sys-team-member.object.ts
-import { ObjectSchema as ObjectSchema9, Field as Field9 } from "@objectstack/spec/data";
-var SysTeamMember = ObjectSchema9.create({
-  namespace: "sys",
-  name: "team_member",
-  label: "Team Member",
-  pluralLabel: "Team Members",
-  icon: "user-plus",
-  isSystem: true,
-  description: "Team membership records linking users to teams",
-  titleFormat: "{user_id} in {team_id}",
-  compactLayout: ["user_id", "team_id", "created_at"],
-  fields: {
-    id: Field9.text({
-      label: "Team Member ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field9.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    team_id: Field9.text({
-      label: "Team ID",
-      required: true
-    }),
-    user_id: Field9.text({
-      label: "User ID",
-      required: true
-    })
-  },
-  indexes: [
-    { fields: ["team_id", "user_id"], unique: true },
-    { fields: ["user_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-api-key.object.ts
-import { ObjectSchema as ObjectSchema10, Field as Field10 } from "@objectstack/spec/data";
-var SysApiKey = ObjectSchema10.create({
-  namespace: "sys",
-  name: "api_key",
-  label: "API Key",
-  pluralLabel: "API Keys",
-  icon: "key-round",
-  isSystem: true,
-  description: "API keys for programmatic access",
-  titleFormat: "{name}",
-  compactLayout: ["name", "user_id", "expires_at"],
-  fields: {
-    id: Field10.text({
-      label: "API Key ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field10.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field10.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field10.text({
-      label: "Name",
-      required: true,
-      maxLength: 255,
-      description: "Human-readable label for the API key"
-    }),
-    key: Field10.text({
-      label: "Key",
-      required: true,
-      description: "Hashed API key value"
-    }),
-    prefix: Field10.text({
-      label: "Prefix",
-      required: false,
-      maxLength: 16,
-      description: 'Visible prefix for identifying the key (e.g., "osk_")'
-    }),
-    user_id: Field10.text({
-      label: "User ID",
-      required: true,
-      description: "Owner user of this API key"
-    }),
-    scopes: Field10.textarea({
-      label: "Scopes",
-      required: false,
-      description: "JSON array of permission scopes"
-    }),
-    expires_at: Field10.datetime({
-      label: "Expires At",
-      required: false
-    }),
-    last_used_at: Field10.datetime({
-      label: "Last Used At",
-      required: false
-    }),
-    revoked: Field10.boolean({
-      label: "Revoked",
-      defaultValue: false
-    })
-  },
-  indexes: [
-    { fields: ["key"], unique: true },
-    { fields: ["user_id"] },
-    { fields: ["prefix"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-two-factor.object.ts
-import { ObjectSchema as ObjectSchema11, Field as Field11 } from "@objectstack/spec/data";
-var SysTwoFactor = ObjectSchema11.create({
-  namespace: "sys",
-  name: "two_factor",
-  label: "Two Factor",
-  pluralLabel: "Two Factor Credentials",
-  icon: "smartphone",
-  isSystem: true,
-  description: "Two-factor authentication credentials",
-  titleFormat: "Two-factor for {user_id}",
-  compactLayout: ["user_id", "created_at"],
-  fields: {
-    id: Field11.text({
-      label: "Two Factor ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field11.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field11.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field11.text({
-      label: "User ID",
-      required: true
-    }),
-    secret: Field11.text({
-      label: "Secret",
-      required: true,
-      description: "TOTP secret key"
-    }),
-    backup_codes: Field11.textarea({
-      label: "Backup Codes",
-      required: false,
-      description: "JSON-serialized backup recovery codes"
-    })
-  },
-  indexes: [
-    { fields: ["user_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "create", "update", "delete"],
-    trash: false,
-    mru: false
+  /**
+   * Returns the data engine wired into this auth manager. Used by route
+   * handlers (e.g. bootstrap-status) that need to query identity tables
+   * directly without going through better-auth.
+   */
+  getDataEngine() {
+    return this.config.dataEngine;
   }
-});
+};
 
-// src/objects/sys-user-preference.object.ts
-import { ObjectSchema as ObjectSchema12, Field as Field12 } from "@objectstack/spec/data";
-var SysUserPreference = ObjectSchema12.create({
+// src/manifest.ts
+import {
+  SysAccount,
+  SysApiKey,
+  SysDeviceCode,
+  SysInvitation,
+  SysMember,
+  SysJwks,
+  SysOauthAccessToken,
+  SysOauthApplication,
+  SysOauthConsent,
+  SysOauthRefreshToken,
+  SysOrganization,
+  SysSession,
+  SysTeam,
+  SysTeamMember,
+  SysTwoFactor,
+  SysUser,
+  SysUserPreference,
+  SysVerification
+} from "@objectstack/platform-objects/identity";
+var AUTH_PLUGIN_ID = "com.objectstack.plugin-auth";
+var AUTH_PLUGIN_VERSION = "3.0.1";
+var authIdentityObjects = [
+  SysUser,
+  SysSession,
+  SysAccount,
+  SysVerification,
+  SysOrganization,
+  SysMember,
+  SysInvitation,
+  SysTeam,
+  SysTeamMember,
+  SysApiKey,
+  SysTwoFactor,
+  SysUserPreference,
+  SysOauthApplication,
+  SysOauthAccessToken,
+  SysOauthRefreshToken,
+  SysOauthConsent,
+  SysJwks,
+  SysDeviceCode
+];
+var authPluginManifestHeader = {
+  id: AUTH_PLUGIN_ID,
   namespace: "sys",
-  name: "user_preference",
-  label: "User Preference",
-  pluralLabel: "User Preferences",
-  icon: "settings",
-  isSystem: true,
-  description: "Per-user key-value preferences (theme, locale, etc.)",
-  titleFormat: "{key}",
-  compactLayout: ["user_id", "key"],
-  fields: {
-    id: Field12.text({
-      label: "Preference ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field12.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field12.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field12.text({
-      label: "User ID",
-      required: true,
-      maxLength: 255,
-      description: "Owner user of this preference"
-    }),
-    key: Field12.text({
-      label: "Key",
-      required: true,
-      maxLength: 255,
-      description: "Preference key (e.g., theme, locale, plugin.ai.auto_save)"
-    }),
-    value: Field12.json({
-      label: "Value",
-      description: "Preference value (any JSON-serializable type)"
-    })
-  },
-  indexes: [
-    { fields: ["user_id", "key"], unique: true },
-    { fields: ["user_id"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
+  version: AUTH_PLUGIN_VERSION,
+  type: "plugin",
+  scope: "system",
+  defaultDatasource: "cloud",
+  name: "Authentication & Identity Plugin",
+  description: "Core authentication objects for ObjectStack (User, Session, Account, Verification)"
+};
 
 // src/auth-plugin.ts
 var AuthPlugin = class {
@@ -1374,43 +862,27 @@ var AuthPlugin = class {
     });
     ctx.registerService("auth", this.authManager);
     ctx.getService("manifest").register({
-      id: "com.objectstack.system",
-      name: "System",
-      version: "1.0.0",
-      type: "plugin",
-      namespace: "sys",
-      objects: [
-        SysUser,
-        SysSession,
-        SysAccount,
-        SysVerification,
-        SysOrganization,
-        SysMember,
-        SysInvitation,
-        SysTeam,
-        SysTeamMember,
-        SysApiKey,
-        SysTwoFactor,
-        SysUserPreference
-      ]
+      ...authPluginManifestHeader,
+      objects: authIdentityObjects,
+      // The platform Setup App is a static metadata artifact (lives in
+      // @objectstack/platform-objects/apps). plugin-auth is the natural
+      // owner of its registration since it loads first among the trio
+      // (auth + security + audit) that supplies the underlying objects.
+      apps: [SETUP_APP],
+      // Curated list views and dashboards consumed by the Setup App's
+      // navigation entries. The manifest service does NOT auto-discover
+      // these from the app definition — they must be registered as
+      // explicit top-level arrays per ObjectStackDefinitionSchema.
+      views: [
+        UsersView,
+        OrganizationsView,
+        RolesView,
+        SessionsView,
+        AuditLogsView,
+        PackageInstallationsView
+      ],
+      dashboards: [SystemOverviewDashboard, SecurityOverviewDashboard]
     });
-    try {
-      const setupNav = ctx.getService("setupNav");
-      if (setupNav) {
-        setupNav.contribute({
-          areaId: "area_administration",
-          items: [
-            { id: "nav_users", type: "object", label: "Users", objectName: "user", icon: "users", order: 10 },
-            { id: "nav_organizations", type: "object", label: "Organizations", objectName: "organization", icon: "building-2", order: 20 },
-            { id: "nav_teams", type: "object", label: "Teams", objectName: "team", icon: "users-round", order: 30 },
-            { id: "nav_api_keys", type: "object", label: "API Keys", objectName: "api_key", icon: "key", order: 40 },
-            { id: "nav_sessions", type: "object", label: "Sessions", objectName: "session", icon: "monitor", order: 50 }
-          ]
-        });
-        ctx.logger.info("Auth navigation items contributed to Setup App");
-      }
-    } catch {
-    }
     ctx.logger.info("Auth Plugin initialized successfully");
   }
   async start(ctx) {
@@ -1433,7 +905,8 @@ var AuthPlugin = class {
               const configuredUrl = this.options.baseUrl || "http://localhost:3000";
               const configuredOrigin = new URL(configuredUrl).origin;
               const actualUrl = `http://localhost:${actualPort}`;
-              if (configuredOrigin !== actualUrl) {
+              const configuredIsLocalhost = configuredOrigin.startsWith("http://localhost");
+              if (configuredIsLocalhost && configuredOrigin !== actualUrl) {
                 this.authManager.setRuntimeBaseUrl(actualUrl);
                 ctx.logger.info(
                   `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`
@@ -1491,23 +964,26 @@ var AuthPlugin = class {
       );
     }
     const rawApp = httpServer.getRawApp();
-    rawApp.get(`${basePath}/config`, async (c) => {
+    rawApp.get(`${basePath}/config`, (c) => {
       try {
         const config = this.authManager.getPublicConfig();
-        return c.json({
-          success: true,
-          data: config
-        });
+        return c.json({ success: true, data: config });
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Auth config error:", err);
-        return c.json({
-          success: false,
-          error: {
-            code: "auth_config_error",
-            message: err.message
-          }
-        }, 500);
+        return c.json({ success: false, error: { code: "auth_config_error", message: err.message } }, 500);
+      }
+    });
+    rawApp.get(`${basePath}/bootstrap-status`, async (c) => {
+      try {
+        const dataEngine = this.authManager.getDataEngine();
+        if (!dataEngine) {
+          return c.json({ hasOwner: true });
+        }
+        const count = await dataEngine.count("sys_user", {});
+        return c.json({ hasOwner: (count ?? 0) > 0 });
+      } catch (error) {
+        ctx.logger.warn("[AuthPlugin] bootstrap-status check failed; assuming bootstrapped", error);
+        return c.json({ hasOwner: true });
       }
     });
     rawApp.all(`${basePath}/*`, async (c) => {
@@ -1537,14 +1013,43 @@ var AuthPlugin = class {
         );
       }
     });
+    if (this.options.plugins?.oidcProvider) {
+      void this.registerOidcDiscoveryRoutes(rawApp, ctx).catch((error) => {
+        ctx.logger.error("Failed to register OIDC discovery routes", error);
+      });
+    }
     ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
   }
+  /**
+   * Mount the OIDC / OAuth 2.0 well-known discovery documents at the root
+   * URL. Required by RFC 8414 §3 and OpenID Connect Discovery 1.0 §4 — the
+   * documents must live at `/.well-known/{oauth-authorization-server,openid-configuration}`
+   * relative to the issuer, not under the auth basePath.
+   */
+  async registerOidcDiscoveryRoutes(rawApp, ctx) {
+    const auth = await this.authManager.getAuthInstance();
+    const { oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata } = await import("@better-auth/oauth-provider");
+    const authServerHandler = oauthProviderAuthServerMetadata(auth);
+    const openidConfigHandler = oauthProviderOpenIdConfigMetadata(auth);
+    rawApp.get("/.well-known/oauth-authorization-server", (c) => authServerHandler(c.req.raw));
+    rawApp.get("/.well-known/openid-configuration", (c) => openidConfigHandler(c.req.raw));
+    ctx.logger.info(
+      "OIDC discovery endpoints mounted at /.well-known/{oauth-authorization-server,openid-configuration}"
+    );
+  }
 };
 export {
   AUTH_ACCOUNT_CONFIG,
+  AUTH_DEVICE_CODE_SCHEMA,
   AUTH_INVITATION_SCHEMA,
+  AUTH_JWKS_SCHEMA,
   AUTH_MEMBER_SCHEMA,
   AUTH_MODEL_TO_PROTOCOL,
+  AUTH_OAUTH_ACCESS_TOKEN_SCHEMA,
+  AUTH_OAUTH_APPLICATION_SCHEMA,
+  AUTH_OAUTH_CLIENT_SCHEMA,
+  AUTH_OAUTH_CONSENT_SCHEMA,
+  AUTH_OAUTH_REFRESH_TOKEN_SCHEMA,
   AUTH_ORGANIZATION_SCHEMA,
   AUTH_ORG_SESSION_FIELDS,
   AUTH_SESSION_CONFIG,
@@ -1554,24 +1059,12 @@ export {
   AUTH_TWO_FACTOR_USER_FIELDS,
   AUTH_USER_CONFIG,
   AUTH_VERIFICATION_CONFIG,
-  SysAccount as AuthAccount,
   AuthManager,
   AuthPlugin,
-  SysSession as AuthSession,
-  SysUser as AuthUser,
-  SysVerification as AuthVerification,
-  SysAccount,
-  SysApiKey,
-  SysInvitation,
-  SysMember,
-  SysOrganization,
-  SysSession,
-  SysTeam,
-  SysTeamMember,
-  SysTwoFactor,
-  SysUser,
-  SysUserPreference,
-  SysVerification,
+  buildDeviceAuthorizationPluginSchema,
+  buildJwtPluginSchema,
+  buildOauthProviderPluginSchema,
+  buildOidcProviderPluginSchema,
   buildOrganizationPluginSchema,
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,