@objectstack/plugin-auth 4.1.0 → 4.2.0

package/dist/index.mjs

@@ -2,7 +2,8 @@
 import {
   SETUP_APP,
   SystemOverviewDashboard,
-  SecurityOverviewDashboard
+  SecurityOverviewDashboard,
+  SetupAppTranslations
 } from "@objectstack/platform-objects/apps";
 
 // src/objectql-adapter.ts
@@ -714,6 +715,54 @@ var AuthManager = class {
         // who wire a real mailer can re-enable downstream.
         requireEmailVerificationOnInvitation: false,
         ...customOrgRoles ? { roles: customOrgRoles } : {},
+        // ── Slug-change guard ─────────────────────────────────────
+        // An org's slug is baked into every env hostname at creation
+        // time (see service-tenant `project-provisioning.ts`). Renaming
+        // it while live envs exist would silently desync the URL from
+        // the org identity. Block the change here; the cloud Console
+        // surfaces this as an actionable error and points users to
+        // `change_hostname` or archiving the env. Org `name` (display
+        // label) is unaffected — only `slug` is guarded.
+        //
+        // We resolve the data engine lazily so non-cloud apps (which
+        // never seed `sys_environment`) keep working: any lookup error
+        // is treated as "no envs to protect".
+        organizationHooks: {
+          beforeUpdateOrganization: async ({ organization: organization2, member }) => {
+            const newSlug = organization2?.slug;
+            const orgId = member?.organizationId;
+            if (!newSlug || !orgId) return;
+            const dataEngine2 = this.config.dataEngine;
+            if (!dataEngine2) return;
+            let currentSlug;
+            try {
+              const current = await dataEngine2.findOne("sys_organization", {
+                where: { id: orgId }
+              });
+              currentSlug = current?.slug;
+            } catch {
+              return;
+            }
+            if (!currentSlug || currentSlug === newSlug) return;
+            let activeEnvs = 0;
+            try {
+              const envs = await dataEngine2.find("sys_environment", {
+                where: { organization_id: orgId }
+              });
+              activeEnvs = (envs ?? []).filter(
+                (e) => e?.status !== "archived" && e?.status !== "failed"
+              ).length;
+            } catch {
+              return;
+            }
+            if (activeEnvs > 0) {
+              const { APIError } = await import("better-auth/api");
+              throw new APIError("FORBIDDEN", {
+                message: `Cannot change organization slug while ${activeEnvs} active environment(s) still reference it. Archive those environments or rename their hostnames first.`
+              });
+            }
+          }
+        },
         // No mailer is wired in framework yet — log the accept URL so
         // operators / UI can fall back to copy-paste flows. Replace this
         // with a real mail integration when available.
@@ -1178,6 +1227,30 @@ var AuthPlugin = class {
     if (!this.authManager) {
       throw new Error("Auth manager not initialized");
     }
+    ctx.hook("kernel:ready", async () => {
+      try {
+        const i18n = ctx.getService("i18n");
+        let loaded = 0;
+        for (const [locale, data] of Object.entries(SetupAppTranslations)) {
+          if (data && typeof data === "object") {
+            try {
+              i18n.loadTranslations(locale, data);
+              loaded++;
+            } catch (err) {
+              ctx.logger.warn(
+                `Auth: failed to load Setup App translations for '${locale}': ${err?.message ?? err}`
+              );
+            }
+          }
+        }
+        if (loaded > 0) {
+          ctx.logger.info(
+            `Auth: contributed Setup App translations (${loaded} locale${loaded > 1 ? "s" : ""})`
+          );
+        }
+      } catch {
+      }
+    });
     if (this.options.registerRoutes) {
       ctx.hook("kernel:ready", async () => {
         if (this.authManager) {