@objectstack/plugin-auth 4.0.4 → 4.1.0

package/dist/index.mjs

@@ -1,8 +1,9 @@
-// src/auth-manager.ts
-import { betterAuth } from "better-auth";
-import { organization } from "better-auth/plugins/organization";
-import { twoFactor } from "better-auth/plugins/two-factor";
-import { magicLink } from "better-auth/plugins/magic-link";
+// src/auth-plugin.ts
+import {
+  SETUP_APP,
+  SystemOverviewDashboard,
+  SecurityOverviewDashboard
+} from "@objectstack/platform-objects/apps";
 
 // src/objectql-adapter.ts
 import { createAdapterFactory } from "better-auth/adapters";
@@ -16,6 +17,41 @@ var AUTH_MODEL_TO_PROTOCOL = {
 function resolveProtocolName(model) {
   return AUTH_MODEL_TO_PROTOCOL[model] ?? model;
 }
+var LEGACY_DATETIME_FIELDS_BY_MODEL = {
+  user: ["created_at", "updated_at"],
+  session: ["expires_at", "created_at", "updated_at"],
+  account: [
+    "access_token_expires_at",
+    "refresh_token_expires_at",
+    "created_at",
+    "updated_at"
+  ],
+  verification: ["expires_at", "created_at", "updated_at"]
+};
+var NUMERIC_STRING_RE = /^-?\d+(\.\d+)?$/;
+function normaliseLegacyDate(value) {
+  if (typeof value !== "string") return value;
+  if (!NUMERIC_STRING_RE.test(value)) return value;
+  const n = parseFloat(value);
+  if (!Number.isFinite(n)) return value;
+  if (Math.abs(n) < 1e10) return value;
+  const d = new Date(n);
+  if (Number.isNaN(d.getTime())) return value;
+  return d.toISOString();
+}
+function normaliseLegacyDates(model, record) {
+  if (!record) return record;
+  const cols = LEGACY_DATETIME_FIELDS_BY_MODEL[model];
+  if (!cols) return record;
+  for (const col of cols) {
+    if (col in record) {
+      record[col] = normaliseLegacyDate(
+        record[col]
+      );
+    }
+  }
+  return record;
+}
 function convertWhere(where) {
   const filter = {};
   for (const condition of where) {
@@ -44,20 +80,24 @@ function createObjectQLAdapterFactory(dataEngine) {
   return createAdapterFactory({
     config: {
       adapterId: "objectql",
-      // ObjectQL natively supports these types — no extra conversion needed
-      supportsBooleans: true,
-      supportsDates: true,
+      // We let better-auth handle Date↔string and boolean↔0/1 conversion so
+      // that values land in the underlying SQL driver as primitive strings
+      // and integers. Some drivers (e.g. libsql over the HTTP transport)
+      // otherwise mangle `Date` objects into `"<epoch>.0"` strings that
+      // break the client-side session parser.
+      supportsBooleans: false,
+      supportsDates: false,
       supportsJSON: true
     },
     adapter: () => ({
       create: async ({ model, data, select: _select }) => {
         const result = await dataEngine.insert(model, data);
-        return result;
+        return normaliseLegacyDates(model, result);
       },
       findOne: async ({ model, where, select, join: _join }) => {
         const filter = convertWhere(where);
         const result = await dataEngine.findOne(model, { where: filter, fields: select });
-        return result ? result : null;
+        return result ? normaliseLegacyDates(model, result) : null;
       },
       findMany: async ({ model, where, limit, offset, sortBy, join: _join }) => {
         const filter = where ? convertWhere(where) : {};
@@ -68,7 +108,7 @@ function createObjectQLAdapterFactory(dataEngine) {
           offset,
           orderBy
         });
-        return results;
+        return results.map((r) => normaliseLegacyDates(model, r));
       },
       count: async ({ model, where }) => {
         const filter = where ? convertWhere(where) : {};
@@ -79,7 +119,7 @@ function createObjectQLAdapterFactory(dataEngine) {
         const record = await dataEngine.findOne(model, { where: filter });
         if (!record) return null;
         const result = await dataEngine.update(model, { ...update, id: record.id });
-        return result ? result : null;
+        return result ? normaliseLegacyDates(model, result) : null;
       },
       updateMany: async ({ model, where, update }) => {
         const filter = convertWhere(where);
@@ -276,6 +316,88 @@ var AUTH_TWO_FACTOR_SCHEMA = {
 var AUTH_TWO_FACTOR_USER_FIELDS = {
   twoFactorEnabled: "two_factor_enabled"
 };
+var AUTH_ADMIN_USER_FIELDS = {
+  banReason: "ban_reason",
+  banExpires: "ban_expires"
+};
+var AUTH_ADMIN_SESSION_FIELDS = {
+  impersonatedBy: "impersonated_by"
+};
+var AUTH_OAUTH_CLIENT_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_APPLICATION,
+  // 'sys_oauth_application'
+  fields: {
+    clientId: "client_id",
+    clientSecret: "client_secret",
+    skipConsent: "skip_consent",
+    enableEndSession: "enable_end_session",
+    subjectType: "subject_type",
+    userId: "user_id",
+    createdAt: "created_at",
+    updatedAt: "updated_at",
+    redirectUris: "redirect_uris",
+    postLogoutRedirectUris: "post_logout_redirect_uris",
+    tokenEndpointAuthMethod: "token_endpoint_auth_method",
+    grantTypes: "grant_types",
+    responseTypes: "response_types",
+    requirePKCE: "require_pkce",
+    softwareId: "software_id",
+    softwareVersion: "software_version",
+    softwareStatement: "software_statement",
+    referenceId: "reference_id"
+  }
+};
+var AUTH_OAUTH_APPLICATION_SCHEMA = AUTH_OAUTH_CLIENT_SCHEMA;
+var AUTH_OAUTH_ACCESS_TOKEN_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_ACCESS_TOKEN,
+  // 'sys_oauth_access_token'
+  fields: {
+    clientId: "client_id",
+    sessionId: "session_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    refreshId: "refresh_id",
+    expiresAt: "expires_at",
+    createdAt: "created_at"
+  }
+};
+var AUTH_OAUTH_REFRESH_TOKEN_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_REFRESH_TOKEN,
+  // 'sys_oauth_refresh_token'
+  fields: {
+    clientId: "client_id",
+    sessionId: "session_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    expiresAt: "expires_at",
+    createdAt: "created_at",
+    authTime: "auth_time"
+  }
+};
+var AUTH_OAUTH_CONSENT_SCHEMA = {
+  modelName: SystemObjectName2.OAUTH_CONSENT,
+  // 'sys_oauth_consent'
+  fields: {
+    clientId: "client_id",
+    userId: "user_id",
+    referenceId: "reference_id",
+    createdAt: "created_at",
+    updatedAt: "updated_at"
+  }
+};
+var AUTH_DEVICE_CODE_SCHEMA = {
+  modelName: SystemObjectName2.DEVICE_CODE,
+  // 'sys_device_code'
+  fields: {
+    deviceCode: "device_code",
+    userCode: "user_code",
+    userId: "user_id",
+    expiresAt: "expires_at",
+    lastPolledAt: "last_polled_at",
+    pollingInterval: "polling_interval",
+    clientId: "client_id"
+  }
+};
 function buildTwoFactorPluginSchema() {
   return {
     twoFactor: AUTH_TWO_FACTOR_SCHEMA,
@@ -284,6 +406,16 @@ function buildTwoFactorPluginSchema() {
     }
   };
 }
+function buildAdminPluginSchema() {
+  return {
+    user: {
+      fields: AUTH_ADMIN_USER_FIELDS
+    },
+    session: {
+      fields: AUTH_ADMIN_SESSION_FIELDS
+    }
+  };
+}
 function buildOrganizationPluginSchema() {
   return {
     organization: AUTH_ORGANIZATION_SCHEMA,
@@ -296,6 +428,35 @@ function buildOrganizationPluginSchema() {
     }
   };
 }
+var AUTH_JWKS_SCHEMA = {
+  modelName: SystemObjectName2.JWKS,
+  // 'sys_jwks'
+  fields: {
+    publicKey: "public_key",
+    privateKey: "private_key",
+    createdAt: "created_at",
+    expiresAt: "expires_at"
+  }
+};
+function buildJwtPluginSchema() {
+  return {
+    jwks: AUTH_JWKS_SCHEMA
+  };
+}
+function buildOauthProviderPluginSchema() {
+  return {
+    oauthClient: AUTH_OAUTH_CLIENT_SCHEMA,
+    oauthAccessToken: AUTH_OAUTH_ACCESS_TOKEN_SCHEMA,
+    oauthRefreshToken: AUTH_OAUTH_REFRESH_TOKEN_SCHEMA,
+    oauthConsent: AUTH_OAUTH_CONSENT_SCHEMA
+  };
+}
+var buildOidcProviderPluginSchema = buildOauthProviderPluginSchema;
+function buildDeviceAuthorizationPluginSchema() {
+  return {
+    deviceCode: AUTH_DEVICE_CODE_SCHEMA
+  };
+}
 
 // src/auth-manager.ts
 var AuthManager = class {
@@ -309,16 +470,18 @@ var AuthManager = class {
   /**
    * Get or create the better-auth instance (lazy initialization)
    */
-  getOrCreateAuth() {
+  async getOrCreateAuth() {
     if (!this.auth) {
-      this.auth = this.createAuthInstance();
+      this.auth = await this.createAuthInstance();
     }
     return this.auth;
   }
   /**
    * Create a better-auth instance from configuration
    */
-  createAuthInstance() {
+  async createAuthInstance() {
+    const { betterAuth } = await import("better-auth");
+    const plugins = await this.buildPluginList();
     const betterAuthConfig = {
       // Base configuration
       secret: this.config.secret || this.generateSecret(),
@@ -334,7 +497,41 @@ var AuthManager = class {
         ...AUTH_USER_CONFIG
       },
       account: {
-        ...AUTH_ACCOUNT_CONFIG
+        ...AUTH_ACCOUNT_CONFIG,
+        // Allow OIDC/OAuth callbacks to implicitly link the incoming
+        // identity to a pre-existing local user when the emails match.
+        //
+        // ObjectStack's platform SSO ("objectstack-cloud" provider) is the
+        // canonical case: cloud is the IdP for every project, so a user
+        // arriving via SSO is — by construction — the same person who was
+        // auto-seeded as the project owner when the project was created.
+        // Without trusting the provider, better-auth's safety check rejects
+        // the link with `error=account_not_linked` because the seeded user
+        // row has `emailVerified=false` (no actual verification ever runs
+        // in the IdP-mediated flow). See packages/plugins/plugin-auth/
+        // node_modules/better-auth/dist/oauth2/link-account.mjs:22.
+        //
+        // Custom-deployment consumers can extend the trusted set via
+        // `config.account.accountLinking.trustedProviders`; we always
+        // include `objectstack-cloud` because it is the platform IdP.
+        accountLinking: {
+          enabled: true,
+          // better-auth's account-linking gate has TWO independent clauses
+          // (see link-account.mjs:22). Trusting the provider only satisfies
+          // the first clause; the second — `requireLocalEmailVerified &&
+          // !dbUser.user.emailVerified` — still blocks linking when the
+          // pre-existing local user row has `emailVerified=false` (the
+          // default for owner-seeded rows). Disabling the local-email gate
+          // is safe here because the OAuth side is what we actually trust:
+          // the incoming identity was verified by the IdP. Consumers who
+          // need the stricter behavior can override via config.
+          requireLocalEmailVerified: false,
+          ...this.config?.account?.accountLinking ?? {},
+          trustedProviders: Array.from(/* @__PURE__ */ new Set([
+            "objectstack-cloud",
+            ...this.config?.account?.accountLinking?.trustedProviders ?? []
+          ]))
+        }
       },
       verification: {
         ...AUTH_VERIFICATION_CONFIG
@@ -350,15 +547,71 @@ var AuthManager = class {
         ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
         ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
         ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
-        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {}
+        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {},
+        sendResetPassword: async ({ user, url, token }) => {
+          const email = this.getEmailService();
+          if (!email) {
+            console.warn(
+              `[AuthManager] Password-reset requested for ${user.email} but no email service is wired. URL: ${url}`
+            );
+            return;
+          }
+          const ttlSec = this.config.emailAndPassword?.resetPasswordTokenExpiresIn ?? 60 * 60;
+          try {
+            await email.sendTemplate({
+              template: "auth.password_reset",
+              to: { address: user.email, ...user.name ? { name: user.name } : {} },
+              data: {
+                user: { name: user.name || user.email, email: user.email, id: user.id },
+                resetUrl: url,
+                token,
+                expiresInMinutes: Math.round(ttlSec / 60),
+                appName: this.getAppName()
+              },
+              relatedObject: "sys_user",
+              relatedId: user.id
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
+            throw err;
+          }
+        }
       },
       // Email verification
-      ...this.config.emailVerification ? {
+      ...this.config.emailVerification || this.config.emailService ? {
         emailVerification: {
-          ...this.config.emailVerification.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
-          ...this.config.emailVerification.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
-          ...this.config.emailVerification.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
-          ...this.config.emailVerification.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {}
+          ...this.config.emailVerification?.sendOnSignUp != null ? { sendOnSignUp: this.config.emailVerification.sendOnSignUp } : {},
+          ...this.config.emailVerification?.sendOnSignIn != null ? { sendOnSignIn: this.config.emailVerification.sendOnSignIn } : {},
+          ...this.config.emailVerification?.autoSignInAfterVerification != null ? { autoSignInAfterVerification: this.config.emailVerification.autoSignInAfterVerification } : {},
+          ...this.config.emailVerification?.expiresIn != null ? { expiresIn: this.config.emailVerification.expiresIn } : {},
+          sendVerificationEmail: async ({ user, url, token }) => {
+            const email = this.getEmailService();
+            if (!email) {
+              console.warn(
+                `[AuthManager] Verification email requested for ${user.email} but no email service is wired. URL: ${url}`
+              );
+              return;
+            }
+            const ttlSec = this.config.emailVerification?.expiresIn ?? 60 * 60;
+            try {
+              await email.sendTemplate({
+                template: "auth.verify_email",
+                to: { address: user.email, ...user.name ? { name: user.name } : {} },
+                data: {
+                  user: { name: user.name || user.email, email: user.email, id: user.id },
+                  verificationUrl: url,
+                  token,
+                  expiresInMinutes: Math.round(ttlSec / 60),
+                  appName: this.getAppName()
+                },
+                relatedObject: "sys_user",
+                relatedId: user.id
+              });
+            } catch (err) {
+              console.error(`[AuthManager] sendVerificationEmail failed: ${err?.message ?? err}`);
+              throw err;
+            }
+          }
         }
       } : {},
       // Session configuration
@@ -370,7 +623,7 @@ var AuthManager = class {
         // 1 day default
       },
       // better-auth plugins — registered based on AuthPluginConfig flags
-      plugins: this.buildPluginList(),
+      plugins,
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
       // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
       ...(() => {
@@ -383,6 +636,8 @@ var AuthManager = class {
         }
         if (!origins.length && (!corsOrigin || corsOrigin === "*")) {
           origins.push("http://localhost:*");
+          origins.push("http://*.localhost:*");
+          origins.push("https://*.localhost:*");
         }
         return origins.length ? { trustedOrigins: origins } : {};
       })(),
@@ -405,28 +660,224 @@ var AuthManager = class {
    * a `schema` option containing the appropriate snake_case field mappings,
    * so that `createAdapterFactory` transforms them automatically.
    */
-  buildPluginList() {
-    const pluginConfig = this.config.plugins;
+  async buildPluginList() {
+    const pluginConfig = this.config.plugins ?? {};
     const plugins = [];
-    if (pluginConfig?.organization) {
+    const enabled = {
+      organization: pluginConfig.organization ?? true,
+      twoFactor: pluginConfig.twoFactor ?? false,
+      passkeys: pluginConfig.passkeys ?? false,
+      magicLink: pluginConfig.magicLink ?? false,
+      oidcProvider: pluginConfig.oidcProvider ?? false,
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
+      admin: pluginConfig.admin ?? false
+    };
+    const { bearer } = await import("better-auth/plugins/bearer");
+    plugins.push(bearer());
+    if (enabled.organization) {
+      const { organization } = await import("better-auth/plugins/organization");
+      let customOrgRoles;
+      const extra = this.config.additionalOrgRoles;
+      if (extra && extra.length > 0) {
+        try {
+          const accessMod = await import("better-auth/plugins/organization/access");
+          const { defaultAc, memberAc, defaultRoles: importedDefaultRoles } = accessMod;
+          const defaultRoles = importedDefaultRoles || null;
+          if (defaultAc && memberAc && typeof memberAc.statements === "object") {
+            const built = defaultRoles ? { ...defaultRoles } : {};
+            const stmts = memberAc.statements;
+            for (const name of extra) {
+              if (!name) continue;
+              if (built[name]) continue;
+              built[name] = defaultAc.newRole(stmts);
+            }
+            customOrgRoles = built;
+          }
+        } catch {
+          customOrgRoles = void 0;
+        }
+      }
       plugins.push(organization({
-        schema: buildOrganizationPluginSchema()
+        schema: buildOrganizationPluginSchema(),
+        // Enable the team sub-feature so the framework's `sys_team` /
+        // `sys_team_member` tables (already declared in platform-objects)
+        // are actually wired up to better-auth's CRUD endpoints
+        // (`/organization/{create,update,remove,list}-team[s]` and
+        // `/organization/{add,remove,list}-team-member[s]`). The Account
+        // portal exposes a Teams page; without this flag those endpoints
+        // 404 and the section silently breaks.
+        teams: { enabled: true },
+        // Without a mailer wired in framework, requiring email verification
+        // before accepting invitations dead-ends every invite flow with
+        // FORBIDDEN EMAIL_VERIFICATION_REQUIRED…. Default-off here keeps
+        // the built-in /accept-invitation route usable for pilots; operators
+        // who wire a real mailer can re-enable downstream.
+        requireEmailVerificationOnInvitation: false,
+        ...customOrgRoles ? { roles: customOrgRoles } : {},
+        // No mailer is wired in framework yet — log the accept URL so
+        // operators / UI can fall back to copy-paste flows. Replace this
+        // with a real mail integration when available.
+        sendInvitationEmail: async ({ email: recipientEmail, invitation, organization: org, inviter }) => {
+          const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+          const acceptUrl = `${baseUrl}/accept-invitation/${invitation.id}`;
+          const emailService = this.getEmailService();
+          if (!emailService) {
+            console.warn(
+              `[AuthManager] Invitation email not configured. To: ${recipientEmail} (org: ${org?.name ?? invitation.organizationId}, role: ${invitation.role}, inviter: ${inviter?.user?.email ?? "unknown"}) URL: ${acceptUrl}`
+            );
+            return;
+          }
+          try {
+            await emailService.sendTemplate({
+              template: "auth.invitation",
+              to: recipientEmail,
+              data: {
+                inviter: {
+                  name: inviter?.user?.name ?? inviter?.user?.email ?? "A teammate",
+                  email: inviter?.user?.email ?? ""
+                },
+                organization: { name: org?.name ?? invitation.organizationId },
+                role: invitation.role || "",
+                acceptUrl,
+                appName: this.getAppName()
+              },
+              relatedObject: "sys_invitation",
+              relatedId: invitation.id
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendInvitationEmail failed: ${err?.message ?? err}`);
+            throw err;
+          }
+        }
       }));
     }
-    if (pluginConfig?.twoFactor) {
+    if (enabled.twoFactor) {
+      const { twoFactor } = await import("better-auth/plugins/two-factor");
       plugins.push(twoFactor({
         schema: buildTwoFactorPluginSchema()
       }));
     }
-    if (pluginConfig?.magicLink) {
+    if (enabled.admin) {
+      const { admin } = await import("better-auth/plugins/admin");
+      plugins.push(admin({
+        schema: buildAdminPluginSchema()
+      }));
+    }
+    if (enabled.magicLink) {
+      const { magicLink } = await import("better-auth/plugins/magic-link");
       plugins.push(magicLink({
-        sendMagicLink: async ({ email, url }) => {
-          console.warn(
-            `[AuthManager] Magic-link requested for ${email} but no sendMagicLink handler configured. URL: ${url}`
-          );
+        sendMagicLink: async ({ email: recipientEmail, url, token }) => {
+          const emailService = this.getEmailService();
+          if (!emailService) {
+            console.warn(
+              `[AuthManager] Magic-link requested for ${recipientEmail} but no email service is wired. URL: ${url}`
+            );
+            return;
+          }
+          try {
+            await emailService.sendTemplate({
+              template: "auth.magic_link",
+              to: recipientEmail,
+              data: {
+                magicLinkUrl: url,
+                token,
+                expiresInMinutes: 10,
+                appName: this.getAppName()
+              }
+            });
+          } catch (err) {
+            console.error(`[AuthManager] sendMagicLink failed: ${err?.message ?? err}`);
+            throw err;
+          }
         }
       }));
     }
+    if (this.config.oidcProviders?.length) {
+      const { genericOAuth } = await import("better-auth/plugins/generic-oauth");
+      plugins.push(genericOAuth({
+        config: this.config.oidcProviders.map((p) => ({
+          providerId: p.providerId,
+          ...p.discoveryUrl ? { discoveryUrl: p.discoveryUrl } : {},
+          ...p.issuer ? { issuer: p.issuer } : {},
+          ...p.authorizationUrl ? { authorizationUrl: p.authorizationUrl } : {},
+          ...p.tokenUrl ? { tokenUrl: p.tokenUrl } : {},
+          ...p.userInfoUrl ? { userInfoUrl: p.userInfoUrl } : {},
+          clientId: p.clientId,
+          clientSecret: p.clientSecret,
+          ...p.scopes ? { scopes: p.scopes } : {},
+          ...p.pkce != null ? { pkce: p.pkce } : {}
+        }))
+      }));
+    }
+    if (enabled.oidcProvider) {
+      const { jwt } = await import("better-auth/plugins");
+      plugins.push(jwt({ schema: buildJwtPluginSchema() }));
+      const { oauthProvider } = await import("@better-auth/oauth-provider");
+      const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+      plugins.push(oauthProvider({
+        // Account SPA renders both pages — see apps/account.
+        loginPage: `${baseUrl}/_account/login`,
+        consentPage: `${baseUrl}/_account/oauth/consent`,
+        schema: buildOauthProviderPluginSchema()
+      }));
+    }
+    if (enabled.deviceAuthorization) {
+      const { deviceAuthorization } = await import("better-auth/plugins/device-authorization");
+      const baseUrl = (this.config.baseUrl ?? "").replace(/\/$/, "");
+      plugins.push(deviceAuthorization({
+        verificationUri: `${baseUrl}/_account/auth/device`,
+        schema: buildDeviceAuthorizationPluginSchema()
+      }));
+    }
+    const dataEngine = this.config.dataEngine;
+    if (dataEngine) {
+      const { customSession } = await import("better-auth/plugins/custom-session");
+      plugins.push(customSession(async ({ user, session }) => {
+        if (!user?.id) return { user, session };
+        const isPlatformAdmin = async () => {
+          try {
+            const links = await dataEngine.find("sys_user_permission_set", {
+              where: { user_id: user.id },
+              limit: 50
+            });
+            const platformLinks = (Array.isArray(links) ? links : []).filter(
+              (l) => !l.organization_id
+            );
+            if (platformLinks.length === 0) return false;
+            const sets = await dataEngine.find("sys_permission_set", { limit: 50 });
+            const adminSet = (Array.isArray(sets) ? sets : []).find(
+              (r) => r.name === "admin_full_access"
+            );
+            if (!adminSet) return false;
+            return platformLinks.some(
+              (l) => l.permission_set_id === adminSet.id
+            );
+          } catch {
+            return false;
+          }
+        };
+        const isActiveOrgAdmin = async () => {
+          try {
+            const orgId = session?.activeOrganizationId;
+            if (!orgId) return false;
+            const members = await dataEngine.find("sys_member", {
+              where: { user_id: user.id, organization_id: orgId },
+              limit: 5
+            });
+            return (Array.isArray(members) ? members : []).some((m) => {
+              const raw = typeof m?.role === "string" ? m.role : "";
+              const roles = raw.split(",").map((s) => s.trim().toLowerCase());
+              return roles.includes("owner") || roles.includes("admin");
+            });
+          } catch {
+            return false;
+          }
+        };
+        const promote = await isPlatformAdmin() || await isActiveOrgAdmin();
+        if (!promote) return { user, session };
+        return { user: { ...user, role: "admin" }, session };
+      }));
+    }
     return plugins;
   }
   /**
@@ -483,6 +934,26 @@ var AuthManager = class {
     }
     this.config = { ...this.config, baseUrl: url };
   }
+  /**
+   * Inject (or replace) the outbound email service used by better-auth
+   * callbacks. Safe to call after construction but BEFORE the first
+   * request hits the auth handler — callbacks read this via
+   * {@link getEmailService} when invoked.
+   *
+   * AuthPlugin calls this on `kernel:ready` once `ctx.getService('email')`
+   * resolves. For tests / serverless, callers may invoke directly.
+   */
+  setEmailService(email) {
+    this.config.emailService = email;
+  }
+  /** @internal Used by callback closures. */
+  getEmailService() {
+    return this.config.emailService;
+  }
+  /** @internal `{{appName}}` placeholder value for built-in templates. */
+  getAppName() {
+    return this.config.appName ?? "ObjectStack";
+  }
   /**
    * Get the underlying better-auth instance
    * Useful for advanced use cases
@@ -502,7 +973,7 @@ var AuthManager = class {
    * @returns Web standard Response object
    */
   async handleRequest(request) {
-    const auth = this.getOrCreateAuth();
+    const auth = await this.getOrCreateAuth();
     const response = await auth.handler(request);
     if (response.status >= 500) {
       try {
@@ -518,18 +989,19 @@ var AuthManager = class {
    * Get the better-auth API for programmatic access
    * Use this for server-side operations (e.g., creating users, checking sessions)
    */
-  get api() {
-    return this.getOrCreateAuth().api;
+  async getApi() {
+    const auth = await this.getOrCreateAuth();
+    return auth.api;
   }
-  /**
-   * Get public authentication configuration
-   * Returns safe, non-sensitive configuration that can be exposed to the frontend
-   *
-   * This allows the frontend to discover:
-   * - Which social/OAuth providers are available
-   * - Whether email/password login is enabled
-   * - Which advanced features are enabled (2FA, magic links, etc.)
-   */
+  // ---------------------------------------------------------------------------
+  // Device Flow (CLI browser-based login)
+  //
+  // The device authorization flow (RFC 8628) is now handled entirely by
+  // better-auth's `device-authorization` plugin. Endpoints are exposed at
+  // `${basePath}/device/{code,token,approve,deny}` and persisted in
+  // `sys_device_code`. Enable via `plugins.deviceAuthorization: true` in
+  // AuthPluginConfig.
+  // ---------------------------------------------------------------------------
   getPublicConfig() {
     const socialProviders = [];
     if (this.config.socialProviders) {
@@ -549,11 +1021,22 @@ var AuthManager = class {
           socialProviders.push({
             id,
             name: nameMap[id] || id.charAt(0).toUpperCase() + id.slice(1),
-            enabled: true
+            enabled: true,
+            type: "social"
           });
         }
       }
     }
+    if (this.config.oidcProviders?.length) {
+      for (const p of this.config.oidcProviders) {
+        socialProviders.push({
+          id: p.providerId,
+          name: p.name ?? p.providerId.charAt(0).toUpperCase() + p.providerId.slice(1),
+          enabled: true,
+          type: "oidc"
+        });
+      }
+    }
     const emailPasswordConfig = this.config.emailAndPassword ?? {};
     const emailPassword = {
       enabled: emailPasswordConfig.enabled !== false,
@@ -566,7 +1049,9 @@ var AuthManager = class {
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
-      organization: pluginConfig.organization ?? false
+      organization: pluginConfig.organization ?? true,
+      oidcProvider: pluginConfig.oidcProvider ?? false,
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false
     };
     return {
       emailPassword,
@@ -574,776 +1059,69 @@ var AuthManager = class {
       features
     };
   }
-};
-
-// src/objects/sys-user.object.ts
-import { ObjectSchema, Field } from "@objectstack/spec/data";
-var SysUser = ObjectSchema.create({
-  namespace: "sys",
-  name: "user",
-  label: "User",
-  pluralLabel: "Users",
-  icon: "user",
-  isSystem: true,
-  description: "User accounts for authentication",
-  titleFormat: "{name} ({email})",
-  compactLayout: ["name", "email", "email_verified"],
-  fields: {
-    id: Field.text({
-      label: "User ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    email: Field.email({
-      label: "Email",
-      required: true,
-      searchable: true
-    }),
-    email_verified: Field.boolean({
-      label: "Email Verified",
-      defaultValue: false
-    }),
-    name: Field.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    image: Field.url({
-      label: "Profile Image",
-      required: false
-    })
-  },
-  indexes: [
-    { fields: ["email"], unique: true },
-    { fields: ["created_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  },
-  validations: [
-    {
-      name: "email_unique",
-      type: "unique",
-      severity: "error",
-      message: "Email must be unique",
-      fields: ["email"],
-      caseSensitive: false
-    }
-  ]
-});
-
-// src/objects/sys-session.object.ts
-import { ObjectSchema as ObjectSchema2, Field as Field2 } from "@objectstack/spec/data";
-var SysSession = ObjectSchema2.create({
-  namespace: "sys",
-  name: "session",
-  label: "Session",
-  pluralLabel: "Sessions",
-  icon: "key",
-  isSystem: true,
-  description: "Active user sessions",
-  titleFormat: "Session {token}",
-  compactLayout: ["user_id", "expires_at", "ip_address"],
-  fields: {
-    id: Field2.text({
-      label: "Session ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field2.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field2.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field2.text({
-      label: "User ID",
-      required: true
-    }),
-    expires_at: Field2.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    token: Field2.text({
-      label: "Session Token",
-      required: true
-    }),
-    ip_address: Field2.text({
-      label: "IP Address",
-      required: false,
-      maxLength: 45
-      // Support IPv6
-    }),
-    user_agent: Field2.textarea({
-      label: "User Agent",
-      required: false
-    })
-  },
-  indexes: [
-    { fields: ["token"], unique: true },
-    { fields: ["user_id"], unique: false },
-    { fields: ["expires_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-account.object.ts
-import { ObjectSchema as ObjectSchema3, Field as Field3 } from "@objectstack/spec/data";
-var SysAccount = ObjectSchema3.create({
-  namespace: "sys",
-  name: "account",
-  label: "Account",
-  pluralLabel: "Accounts",
-  icon: "link",
-  isSystem: true,
-  description: "OAuth and authentication provider accounts",
-  titleFormat: "{provider_id} - {account_id}",
-  compactLayout: ["provider_id", "user_id", "account_id"],
-  fields: {
-    id: Field3.text({
-      label: "Account ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field3.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field3.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    provider_id: Field3.text({
-      label: "Provider ID",
-      required: true,
-      description: "OAuth provider identifier (google, github, etc.)"
-    }),
-    account_id: Field3.text({
-      label: "Provider Account ID",
-      required: true,
-      description: "User's ID in the provider's system"
-    }),
-    user_id: Field3.text({
-      label: "User ID",
-      required: true,
-      description: "Link to user table"
-    }),
-    access_token: Field3.textarea({
-      label: "Access Token",
-      required: false
-    }),
-    refresh_token: Field3.textarea({
-      label: "Refresh Token",
-      required: false
-    }),
-    id_token: Field3.textarea({
-      label: "ID Token",
-      required: false
-    }),
-    access_token_expires_at: Field3.datetime({
-      label: "Access Token Expires At",
-      required: false
-    }),
-    refresh_token_expires_at: Field3.datetime({
-      label: "Refresh Token Expires At",
-      required: false
-    }),
-    scope: Field3.text({
-      label: "OAuth Scope",
-      required: false
-    }),
-    password: Field3.text({
-      label: "Password Hash",
-      required: false,
-      description: "Hashed password for email/password provider"
-    })
-  },
-  indexes: [
-    { fields: ["user_id"], unique: false },
-    { fields: ["provider_id", "account_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-
-// src/objects/sys-verification.object.ts
-import { ObjectSchema as ObjectSchema4, Field as Field4 } from "@objectstack/spec/data";
-var SysVerification = ObjectSchema4.create({
-  namespace: "sys",
-  name: "verification",
-  label: "Verification",
-  pluralLabel: "Verifications",
-  icon: "shield-check",
-  isSystem: true,
-  description: "Email and phone verification tokens",
-  titleFormat: "Verification for {identifier}",
-  compactLayout: ["identifier", "expires_at", "created_at"],
-  fields: {
-    id: Field4.text({
-      label: "Verification ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field4.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field4.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    value: Field4.text({
-      label: "Verification Token",
-      required: true,
-      description: "Token or code for verification"
-    }),
-    expires_at: Field4.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    identifier: Field4.text({
-      label: "Identifier",
-      required: true,
-      description: "Email address or phone number"
-    })
-  },
-  indexes: [
-    { fields: ["value"], unique: true },
-    { fields: ["identifier"], unique: false },
-    { fields: ["expires_at"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-organization.object.ts
-import { ObjectSchema as ObjectSchema5, Field as Field5 } from "@objectstack/spec/data";
-var SysOrganization = ObjectSchema5.create({
-  namespace: "sys",
-  name: "organization",
-  label: "Organization",
-  pluralLabel: "Organizations",
-  icon: "building-2",
-  isSystem: true,
-  description: "Organizations for multi-tenant grouping",
-  titleFormat: "{name}",
-  compactLayout: ["name", "slug", "created_at"],
-  fields: {
-    id: Field5.text({
-      label: "Organization ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field5.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field5.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field5.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    slug: Field5.text({
-      label: "Slug",
-      required: false,
-      maxLength: 255,
-      description: "URL-friendly identifier"
-    }),
-    logo: Field5.url({
-      label: "Logo",
-      required: false
-    }),
-    metadata: Field5.textarea({
-      label: "Metadata",
-      required: false,
-      description: "JSON-serialized organization metadata"
-    })
-  },
-  indexes: [
-    { fields: ["slug"], unique: true },
-    { fields: ["name"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: true
-  }
-});
-
-// src/objects/sys-member.object.ts
-import { ObjectSchema as ObjectSchema6, Field as Field6 } from "@objectstack/spec/data";
-var SysMember = ObjectSchema6.create({
-  namespace: "sys",
-  name: "member",
-  label: "Member",
-  pluralLabel: "Members",
-  icon: "user-check",
-  isSystem: true,
-  description: "Organization membership records",
-  titleFormat: "{user_id} in {organization_id}",
-  compactLayout: ["user_id", "organization_id", "role"],
-  fields: {
-    id: Field6.text({
-      label: "Member ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field6.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    organization_id: Field6.text({
-      label: "Organization ID",
-      required: true
-    }),
-    user_id: Field6.text({
-      label: "User ID",
-      required: true
-    }),
-    role: Field6.text({
-      label: "Role",
-      required: false,
-      description: "Member role within the organization (e.g. admin, member)",
-      maxLength: 100
-    })
-  },
-  indexes: [
-    { fields: ["organization_id", "user_id"], unique: true },
-    { fields: ["user_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-invitation.object.ts
-import { ObjectSchema as ObjectSchema7, Field as Field7 } from "@objectstack/spec/data";
-var SysInvitation = ObjectSchema7.create({
-  namespace: "sys",
-  name: "invitation",
-  label: "Invitation",
-  pluralLabel: "Invitations",
-  icon: "mail",
-  isSystem: true,
-  description: "Organization invitations for user onboarding",
-  titleFormat: "Invitation to {organization_id}",
-  compactLayout: ["email", "organization_id", "status"],
-  fields: {
-    id: Field7.text({
-      label: "Invitation ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field7.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    organization_id: Field7.text({
-      label: "Organization ID",
-      required: true
-    }),
-    email: Field7.email({
-      label: "Email",
-      required: true,
-      description: "Email address of the invited user"
-    }),
-    role: Field7.text({
-      label: "Role",
-      required: false,
-      maxLength: 100,
-      description: "Role to assign upon acceptance"
-    }),
-    status: Field7.select(["pending", "accepted", "rejected", "expired", "canceled"], {
-      label: "Status",
-      required: true,
-      defaultValue: "pending"
-    }),
-    inviter_id: Field7.text({
-      label: "Inviter ID",
-      required: true,
-      description: "User ID of the person who sent the invitation"
-    }),
-    expires_at: Field7.datetime({
-      label: "Expires At",
-      required: true
-    }),
-    team_id: Field7.text({
-      label: "Team ID",
-      required: false,
-      description: "Optional team to assign upon acceptance"
-    })
-  },
-  indexes: [
-    { fields: ["organization_id"] },
-    { fields: ["email"] },
-    { fields: ["expires_at"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-team.object.ts
-import { ObjectSchema as ObjectSchema8, Field as Field8 } from "@objectstack/spec/data";
-var SysTeam = ObjectSchema8.create({
-  namespace: "sys",
-  name: "team",
-  label: "Team",
-  pluralLabel: "Teams",
-  icon: "users",
-  isSystem: true,
-  description: "Teams within organizations for fine-grained grouping",
-  titleFormat: "{name}",
-  compactLayout: ["name", "organization_id", "created_at"],
-  fields: {
-    id: Field8.text({
-      label: "Team ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field8.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field8.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field8.text({
-      label: "Name",
-      required: true,
-      searchable: true,
-      maxLength: 255
-    }),
-    organization_id: Field8.text({
-      label: "Organization ID",
-      required: true
-    })
-  },
-  indexes: [
-    { fields: ["organization_id"] },
-    { fields: ["name", "organization_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: true,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: true,
-    mru: false
-  }
-});
-
-// src/objects/sys-team-member.object.ts
-import { ObjectSchema as ObjectSchema9, Field as Field9 } from "@objectstack/spec/data";
-var SysTeamMember = ObjectSchema9.create({
-  namespace: "sys",
-  name: "team_member",
-  label: "Team Member",
-  pluralLabel: "Team Members",
-  icon: "user-plus",
-  isSystem: true,
-  description: "Team membership records linking users to teams",
-  titleFormat: "{user_id} in {team_id}",
-  compactLayout: ["user_id", "team_id", "created_at"],
-  fields: {
-    id: Field9.text({
-      label: "Team Member ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field9.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    team_id: Field9.text({
-      label: "Team ID",
-      required: true
-    }),
-    user_id: Field9.text({
-      label: "User ID",
-      required: true
-    })
-  },
-  indexes: [
-    { fields: ["team_id", "user_id"], unique: true },
-    { fields: ["user_id"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-api-key.object.ts
-import { ObjectSchema as ObjectSchema10, Field as Field10 } from "@objectstack/spec/data";
-var SysApiKey = ObjectSchema10.create({
-  namespace: "sys",
-  name: "api_key",
-  label: "API Key",
-  pluralLabel: "API Keys",
-  icon: "key-round",
-  isSystem: true,
-  description: "API keys for programmatic access",
-  titleFormat: "{name}",
-  compactLayout: ["name", "user_id", "expires_at"],
-  fields: {
-    id: Field10.text({
-      label: "API Key ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field10.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field10.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    name: Field10.text({
-      label: "Name",
-      required: true,
-      maxLength: 255,
-      description: "Human-readable label for the API key"
-    }),
-    key: Field10.text({
-      label: "Key",
-      required: true,
-      description: "Hashed API key value"
-    }),
-    prefix: Field10.text({
-      label: "Prefix",
-      required: false,
-      maxLength: 16,
-      description: 'Visible prefix for identifying the key (e.g., "osk_")'
-    }),
-    user_id: Field10.text({
-      label: "User ID",
-      required: true,
-      description: "Owner user of this API key"
-    }),
-    scopes: Field10.textarea({
-      label: "Scopes",
-      required: false,
-      description: "JSON array of permission scopes"
-    }),
-    expires_at: Field10.datetime({
-      label: "Expires At",
-      required: false
-    }),
-    last_used_at: Field10.datetime({
-      label: "Last Used At",
-      required: false
-    }),
-    revoked: Field10.boolean({
-      label: "Revoked",
-      defaultValue: false
-    })
-  },
-  indexes: [
-    { fields: ["key"], unique: true },
-    { fields: ["user_id"] },
-    { fields: ["prefix"] }
-  ],
-  enable: {
-    trackHistory: true,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
-
-// src/objects/sys-two-factor.object.ts
-import { ObjectSchema as ObjectSchema11, Field as Field11 } from "@objectstack/spec/data";
-var SysTwoFactor = ObjectSchema11.create({
-  namespace: "sys",
-  name: "two_factor",
-  label: "Two Factor",
-  pluralLabel: "Two Factor Credentials",
-  icon: "smartphone",
-  isSystem: true,
-  description: "Two-factor authentication credentials",
-  titleFormat: "Two-factor for {user_id}",
-  compactLayout: ["user_id", "created_at"],
-  fields: {
-    id: Field11.text({
-      label: "Two Factor ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field11.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field11.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field11.text({
-      label: "User ID",
-      required: true
-    }),
-    secret: Field11.text({
-      label: "Secret",
-      required: true,
-      description: "TOTP secret key"
-    }),
-    backup_codes: Field11.textarea({
-      label: "Backup Codes",
-      required: false,
-      description: "JSON-serialized backup recovery codes"
-    })
-  },
-  indexes: [
-    { fields: ["user_id"], unique: true }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "create", "update", "delete"],
-    trash: false,
-    mru: false
+  /**
+   * Returns the data engine wired into this auth manager. Used by route
+   * handlers (e.g. bootstrap-status) that need to query identity tables
+   * directly without going through better-auth.
+   */
+  getDataEngine() {
+    return this.config.dataEngine;
   }
-});
+};
 
-// src/objects/sys-user-preference.object.ts
-import { ObjectSchema as ObjectSchema12, Field as Field12 } from "@objectstack/spec/data";
-var SysUserPreference = ObjectSchema12.create({
+// src/manifest.ts
+import {
+  SysAccount,
+  SysApiKey,
+  SysDeviceCode,
+  SysInvitation,
+  SysMember,
+  SysJwks,
+  SysOauthAccessToken,
+  SysOauthApplication,
+  SysOauthConsent,
+  SysOauthRefreshToken,
+  SysOrganization,
+  SysSession,
+  SysTeam,
+  SysTeamMember,
+  SysTwoFactor,
+  SysUser,
+  SysUserPreference,
+  SysVerification
+} from "@objectstack/platform-objects/identity";
+var AUTH_PLUGIN_ID = "com.objectstack.plugin-auth";
+var AUTH_PLUGIN_VERSION = "3.0.1";
+var authIdentityObjects = [
+  SysUser,
+  SysSession,
+  SysAccount,
+  SysVerification,
+  SysOrganization,
+  SysMember,
+  SysInvitation,
+  SysTeam,
+  SysTeamMember,
+  SysApiKey,
+  SysTwoFactor,
+  SysUserPreference,
+  SysOauthApplication,
+  SysOauthAccessToken,
+  SysOauthRefreshToken,
+  SysOauthConsent,
+  SysJwks,
+  SysDeviceCode
+];
+var authPluginManifestHeader = {
+  id: AUTH_PLUGIN_ID,
   namespace: "sys",
-  name: "user_preference",
-  label: "User Preference",
-  pluralLabel: "User Preferences",
-  icon: "settings",
-  isSystem: true,
-  description: "Per-user key-value preferences (theme, locale, etc.)",
-  titleFormat: "{key}",
-  compactLayout: ["user_id", "key"],
-  fields: {
-    id: Field12.text({
-      label: "Preference ID",
-      required: true,
-      readonly: true
-    }),
-    created_at: Field12.datetime({
-      label: "Created At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    updated_at: Field12.datetime({
-      label: "Updated At",
-      defaultValue: "NOW()",
-      readonly: true
-    }),
-    user_id: Field12.text({
-      label: "User ID",
-      required: true,
-      maxLength: 255,
-      description: "Owner user of this preference"
-    }),
-    key: Field12.text({
-      label: "Key",
-      required: true,
-      maxLength: 255,
-      description: "Preference key (e.g., theme, locale, plugin.ai.auto_save)"
-    }),
-    value: Field12.json({
-      label: "Value",
-      description: "Preference value (any JSON-serializable type)"
-    })
-  },
-  indexes: [
-    { fields: ["user_id", "key"], unique: true },
-    { fields: ["user_id"], unique: false }
-  ],
-  enable: {
-    trackHistory: false,
-    searchable: false,
-    apiEnabled: true,
-    apiMethods: ["get", "list", "create", "update", "delete"],
-    trash: false,
-    mru: false
-  }
-});
+  version: AUTH_PLUGIN_VERSION,
+  type: "plugin",
+  scope: "system",
+  defaultDatasource: "cloud",
+  name: "Authentication & Identity Plugin",
+  description: "Core authentication objects for ObjectStack (User, Session, Account, Verification)"
+};
 
 // src/auth-plugin.ts
 var AuthPlugin = class {
@@ -1374,43 +1152,25 @@ var AuthPlugin = class {
     });
     ctx.registerService("auth", this.authManager);
     ctx.getService("manifest").register({
-      id: "com.objectstack.system",
-      name: "System",
-      version: "1.0.0",
-      type: "plugin",
-      namespace: "sys",
-      objects: [
-        SysUser,
-        SysSession,
-        SysAccount,
-        SysVerification,
-        SysOrganization,
-        SysMember,
-        SysInvitation,
-        SysTeam,
-        SysTeamMember,
-        SysApiKey,
-        SysTwoFactor,
-        SysUserPreference
-      ]
+      ...authPluginManifestHeader,
+      ...this.options.manifestDatasource ? { defaultDatasource: this.options.manifestDatasource } : {},
+      objects: authIdentityObjects,
+      // The platform Setup App is a static metadata artifact (lives in
+      // @objectstack/platform-objects/apps). plugin-auth is the natural
+      // owner of its registration since it loads first among the trio
+      // (auth + security + audit) that supplies the underlying objects.
+      apps: [SETUP_APP],
+      // List views for each Setup-nav object are defined on the schema
+      // itself via the canonical `listViews` map (e.g.
+      // sys_user.listViews.{all_users,unverified,two_factor}). Registering
+      // top-level views here is the legacy pre-M10.30c pattern — it caused
+      // duplicate "Users"/"Roles"/"Sessions" tabs to appear alongside the
+      // schema-derived ones, sometimes referencing nonexistent fields
+      // (e.g. legacy `users.view` had phone/status/active columns that do
+      // not exist on sys_user). Schema-embedded listViews is the single
+      // source of truth.
+      dashboards: [SystemOverviewDashboard, SecurityOverviewDashboard]
     });
-    try {
-      const setupNav = ctx.getService("setupNav");
-      if (setupNav) {
-        setupNav.contribute({
-          areaId: "area_administration",
-          items: [
-            { id: "nav_users", type: "object", label: "Users", objectName: "user", icon: "users", order: 10 },
-            { id: "nav_organizations", type: "object", label: "Organizations", objectName: "organization", icon: "building-2", order: 20 },
-            { id: "nav_teams", type: "object", label: "Teams", objectName: "team", icon: "users-round", order: 30 },
-            { id: "nav_api_keys", type: "object", label: "API Keys", objectName: "api_key", icon: "key", order: 40 },
-            { id: "nav_sessions", type: "object", label: "Sessions", objectName: "session", icon: "monitor", order: 50 }
-          ]
-        });
-        ctx.logger.info("Auth navigation items contributed to Setup App");
-      }
-    } catch {
-    }
     ctx.logger.info("Auth Plugin initialized successfully");
   }
   async start(ctx) {
@@ -1420,6 +1180,17 @@ var AuthPlugin = class {
     }
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
+        if (this.authManager) {
+          try {
+            const emailSvc = ctx.getService("email");
+            if (emailSvc) {
+              this.authManager.setEmailService(emailSvc);
+              ctx.logger.info("Auth: email service wired (transactional mail enabled)");
+            }
+          } catch {
+            ctx.logger.info("Auth: no email service registered \u2014 auth callbacks will log instead of sending");
+          }
+        }
         let httpServer = null;
         try {
           httpServer = ctx.getService("http-server");
@@ -1433,7 +1204,8 @@ var AuthPlugin = class {
               const configuredUrl = this.options.baseUrl || "http://localhost:3000";
               const configuredOrigin = new URL(configuredUrl).origin;
               const actualUrl = `http://localhost:${actualPort}`;
-              if (configuredOrigin !== actualUrl) {
+              const configuredIsLocalhost = configuredOrigin.startsWith("http://localhost");
+              if (configuredIsLocalhost && configuredOrigin !== actualUrl) {
                 this.authManager.setRuntimeBaseUrl(actualUrl);
                 ctx.logger.info(
                   `Auth baseUrl auto-updated to ${actualUrl} (configured: ${configuredUrl})`
@@ -1491,23 +1263,26 @@ var AuthPlugin = class {
       );
     }
     const rawApp = httpServer.getRawApp();
-    rawApp.get(`${basePath}/config`, async (c) => {
+    rawApp.get(`${basePath}/config`, (c) => {
       try {
         const config = this.authManager.getPublicConfig();
-        return c.json({
-          success: true,
-          data: config
-        });
+        return c.json({ success: true, data: config });
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
-        ctx.logger.error("Auth config error:", err);
-        return c.json({
-          success: false,
-          error: {
-            code: "auth_config_error",
-            message: err.message
-          }
-        }, 500);
+        return c.json({ success: false, error: { code: "auth_config_error", message: err.message } }, 500);
+      }
+    });
+    rawApp.get(`${basePath}/bootstrap-status`, async (c) => {
+      try {
+        const dataEngine = this.authManager.getDataEngine();
+        if (!dataEngine) {
+          return c.json({ hasOwner: true });
+        }
+        const count = await dataEngine.count("sys_user", {});
+        return c.json({ hasOwner: (count ?? 0) > 0 });
+      } catch (error) {
+        ctx.logger.warn("[AuthPlugin] bootstrap-status check failed; assuming bootstrapped", error);
+        return c.json({ hasOwner: true });
       }
     });
     rawApp.all(`${basePath}/*`, async (c) => {
@@ -1521,6 +1296,19 @@ var AuthPlugin = class {
             ctx.logger.error("[AuthPlugin] better-auth returned server error", new Error(`HTTP ${response.status}: (unable to read body)`));
           }
         }
+        try {
+          const url = c.req.url;
+          if (response.ok && /\/jwks(\?|$)/.test(url)) {
+            const existing = response.headers.get("cache-control");
+            if (!existing) {
+              response.headers.set(
+                "cache-control",
+                "public, max-age=300, stale-while-revalidate=86400"
+              );
+            }
+          }
+        } catch {
+        }
         return response;
       } catch (error) {
         const err = error instanceof Error ? error : new Error(String(error));
@@ -1537,14 +1325,56 @@ var AuthPlugin = class {
         );
       }
     });
+    if (this.options.plugins?.oidcProvider) {
+      void this.registerOidcDiscoveryRoutes(rawApp, ctx).catch((error) => {
+        ctx.logger.error("Failed to register OIDC discovery routes", error);
+      });
+    }
     ctx.logger.info(`Auth routes registered: All requests under ${basePath}/* forwarded to better-auth`);
   }
+  /**
+   * Mount the OIDC / OAuth 2.0 well-known discovery documents at the root
+   * URL. Required by RFC 8414 §3 and OpenID Connect Discovery 1.0 §4 — the
+   * documents must live at `/.well-known/{oauth-authorization-server,openid-configuration}`
+   * relative to the issuer, not under the auth basePath.
+   */
+  async registerOidcDiscoveryRoutes(rawApp, ctx) {
+    const auth = await this.authManager.getAuthInstance();
+    const { oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata } = await import("@better-auth/oauth-provider");
+    const authServerHandler = oauthProviderAuthServerMetadata(auth);
+    const openidConfigHandler = oauthProviderOpenIdConfigMetadata(auth);
+    const DISCOVERY_CACHE = "public, max-age=300, stale-while-revalidate=86400";
+    const withDiscoveryCache = async (handler, req) => {
+      const resp = await handler(req);
+      try {
+        if (resp.ok && !resp.headers.get("cache-control")) {
+          resp.headers.set("cache-control", DISCOVERY_CACHE);
+        }
+      } catch {
+      }
+      return resp;
+    };
+    rawApp.get("/.well-known/oauth-authorization-server", (c) => withDiscoveryCache(authServerHandler, c.req.raw));
+    rawApp.get("/.well-known/openid-configuration", (c) => withDiscoveryCache(openidConfigHandler, c.req.raw));
+    ctx.logger.info(
+      "OIDC discovery endpoints mounted at /.well-known/{oauth-authorization-server,openid-configuration}"
+    );
+  }
 };
 export {
   AUTH_ACCOUNT_CONFIG,
+  AUTH_ADMIN_SESSION_FIELDS,
+  AUTH_ADMIN_USER_FIELDS,
+  AUTH_DEVICE_CODE_SCHEMA,
   AUTH_INVITATION_SCHEMA,
+  AUTH_JWKS_SCHEMA,
   AUTH_MEMBER_SCHEMA,
   AUTH_MODEL_TO_PROTOCOL,
+  AUTH_OAUTH_ACCESS_TOKEN_SCHEMA,
+  AUTH_OAUTH_APPLICATION_SCHEMA,
+  AUTH_OAUTH_CLIENT_SCHEMA,
+  AUTH_OAUTH_CONSENT_SCHEMA,
+  AUTH_OAUTH_REFRESH_TOKEN_SCHEMA,
   AUTH_ORGANIZATION_SCHEMA,
   AUTH_ORG_SESSION_FIELDS,
   AUTH_SESSION_CONFIG,
@@ -1554,24 +1384,13 @@ export {
   AUTH_TWO_FACTOR_USER_FIELDS,
   AUTH_USER_CONFIG,
   AUTH_VERIFICATION_CONFIG,
-  SysAccount as AuthAccount,
   AuthManager,
   AuthPlugin,
-  SysSession as AuthSession,
-  SysUser as AuthUser,
-  SysVerification as AuthVerification,
-  SysAccount,
-  SysApiKey,
-  SysInvitation,
-  SysMember,
-  SysOrganization,
-  SysSession,
-  SysTeam,
-  SysTeamMember,
-  SysTwoFactor,
-  SysUser,
-  SysUserPreference,
-  SysVerification,
+  buildAdminPluginSchema,
+  buildDeviceAuthorizationPluginSchema,
+  buildJwtPluginSchema,
+  buildOauthProviderPluginSchema,
+  buildOidcProviderPluginSchema,
   buildOrganizationPluginSchema,
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,