@objectstack/plugin-auth 6.7.0 → 6.8.0

package/LICENSE

@@ -1,202 +1,93 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute
-          must include a readable copy of the attribution notices
-          contained within such NOTICE file, excluding those notices
-          that do not pertain to any part of the Derivative Works,
-          in at least one of the following places: within a NOTICE
-          text file distributed as part of the Derivative Works; within
-          the Source form or documentation, if provided along with
-          the Derivative Works; or, within a display generated by the
-          Derivative Works, if and wherever such third-party notices
-          normally appear. The contents of the NOTICE file are for
-          informational purposes only and do not modify the License.
-          You may add Your own attribution notices within Derivative
-          Works that You distribute, alongside or as an addendum to
-          the NOTICE text from the Work, provided that such additional
-          attribution notices cannot be construed as modifying the
-          License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright 2026 ObjectStack
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Parameters
+
+Licensor:             ObjectStack AI LLC
+Licensed Work:        ObjectStack Runtime: the BSL-licensed packages
+                      of the ObjectStack monorepo as listed in LICENSING.md.
+                      Copyright (c) 2026 ObjectStack AI LLC.
+Additional Use Grant: You may make production use of the Licensed Work, provided
+                      Your use does not include offering the Licensed Work to third
+                      parties on a hosted or embedded basis in order to compete with 
+                      ObjectStack AI LLC's paid version(s) of the Licensed Work. For purposes 
+                      of this license:
+
+                      A "competitive offering" is a Product that is offered to third
+                      parties on a paid basis, including through paid support 
+                      arrangements, that significantly overlaps with the capabilities 
+                      of ObjectStack AI LLC's paid version(s) of the Licensed Work. If Your 
+                      Product is not a competitive offering when You first make it 
+                      generally available, it will not become a competitive offering
+                      later due to ObjectStack AI LLC releasing a new version of the Licensed 
+                      Work with additional capabilities. In addition, Products that 
+                      are not provided on a paid basis are not competitive.
+
+                      "Product" means software that is offered to end users to manage 
+                      in their own environments or offered as a service on a hosted 
+                      basis.
+
+                      "Embedded" means including the source code or executable code 
+                      from the Licensed Work in a competitive offering. "Embedded" 
+                      also means packaging the competitive offering in such a way 
+                      that the Licensed Work must be accessed or downloaded for the 
+                      competitive offering to operate.
+
+                      Hosting or using the Licensed Work(s) for internal purposes 
+                      within an organization is not considered a competitive 
+                      offering. ObjectStack AI LLC considers your organization to include all 
+                      of your affiliates under common control.
+
+                      For binding interpretive guidance on using ObjectStack AI LLC products 
+                      under the Business Source License, please visit our FAQ. 
+                      (see LICENSING.md in this repository)
+Change Date:          Four years from the date the Licensed Work is published.
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Licensed Work,
+please contact licensing@objectstack.dev.
+
+Notice
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.

package/README.md

@@ -300,4 +300,5 @@ pnpm test
 
 ## License
 
-Apache-2.0 © ObjectStack
+BUSL-1.1 with a four-year conversion to Apache-2.0. See
+[LICENSING.md](../../../LICENSING.md).

package/dist/index.d.mts

@@ -332,10 +332,13 @@ declare class AuthManager {
             type: "oidc";
         })[];
         features: {
+            privacyUrl?: string | undefined;
+            termsUrl?: string | undefined;
             twoFactor: boolean;
             passkeys: boolean;
             magicLink: boolean;
             organization: boolean;
+            multiOrgEnabled: boolean;
             oidcProvider: boolean;
             deviceAuthorization: boolean;
         };

package/dist/index.d.ts

@@ -332,10 +332,13 @@ declare class AuthManager {
             type: "oidc";
         })[];
         features: {
+            privacyUrl?: string | undefined;
+            termsUrl?: string | undefined;
             twoFactor: boolean;
             passkeys: boolean;
             magicLink: boolean;
             organization: boolean;
+            multiOrgEnabled: boolean;
             oidcProvider: boolean;
             deviceAuthorization: boolean;
         };

package/dist/index.js

@@ -592,6 +592,7 @@ var AuthManager = class {
    */
   async createAuthInstance() {
     const { betterAuth } = await import("better-auth");
+    const { createAuthMiddleware } = await import("better-auth/api");
     const plugins = await this.buildPluginList();
     const passwordHasher = await this.resolvePasswordHasher();
     const betterAuthConfig = {
@@ -650,46 +651,55 @@ var AuthManager = class {
       },
       // Social / OAuth providers
       ...this.config.socialProviders ? { socialProviders: this.config.socialProviders } : {},
-      // Email and password configuration
-      emailAndPassword: {
-        enabled: this.config.emailAndPassword?.enabled ?? true,
-        ...passwordHasher ? { password: passwordHasher } : {},
-        ...this.config.emailAndPassword?.disableSignUp != null ? { disableSignUp: this.config.emailAndPassword.disableSignUp } : {},
-        ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
-        ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
-        ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
-        ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
-        ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
-        ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {},
-        sendResetPassword: async ({ user, url, token }) => {
-          const email = this.getEmailService();
-          if (!email) {
-            console.warn(
-              `[AuthManager] Password-reset requested for ${user.email} but no email service is wired. URL: ${url}`
-            );
-            return;
-          }
-          const ttlSec = this.config.emailAndPassword?.resetPasswordTokenExpiresIn ?? 60 * 60;
-          try {
-            await email.sendTemplate({
-              template: "auth.password_reset",
-              to: { address: user.email, ...user.name ? { name: user.name } : {} },
-              data: {
-                user: { name: user.name || user.email, email: user.email, id: user.id },
-                resetUrl: url,
-                token,
-                expiresInMinutes: Math.round(ttlSec / 60),
-                appName: this.getAppName()
-              },
-              relatedObject: "sys_user",
-              relatedId: user.id
-            });
-          } catch (err) {
-            console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
-            throw err;
+      // Email and password configuration.
+      // `disableSignUp`: the env var `OS_DISABLE_SIGNUP=true` overrides
+      // the config-file value so deployments can flip the toggle without
+      // a code change (`getPublicConfig()` applies the same precedence so
+      // `/auth/config` stays consistent with the server enforcement).
+      emailAndPassword: (() => {
+        const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
+        const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
+        const effectiveDisableSignUp = disableSignUpFromEnv ?? this.config.emailAndPassword?.disableSignUp;
+        return {
+          enabled: this.config.emailAndPassword?.enabled ?? true,
+          ...passwordHasher ? { password: passwordHasher } : {},
+          ...effectiveDisableSignUp != null ? { disableSignUp: effectiveDisableSignUp } : {},
+          ...this.config.emailAndPassword?.requireEmailVerification != null ? { requireEmailVerification: this.config.emailAndPassword.requireEmailVerification } : {},
+          ...this.config.emailAndPassword?.minPasswordLength != null ? { minPasswordLength: this.config.emailAndPassword.minPasswordLength } : {},
+          ...this.config.emailAndPassword?.maxPasswordLength != null ? { maxPasswordLength: this.config.emailAndPassword.maxPasswordLength } : {},
+          ...this.config.emailAndPassword?.resetPasswordTokenExpiresIn != null ? { resetPasswordTokenExpiresIn: this.config.emailAndPassword.resetPasswordTokenExpiresIn } : {},
+          ...this.config.emailAndPassword?.autoSignIn != null ? { autoSignIn: this.config.emailAndPassword.autoSignIn } : {},
+          ...this.config.emailAndPassword?.revokeSessionsOnPasswordReset != null ? { revokeSessionsOnPasswordReset: this.config.emailAndPassword.revokeSessionsOnPasswordReset } : {},
+          sendResetPassword: async ({ user, url, token }) => {
+            const email = this.getEmailService();
+            if (!email) {
+              console.warn(
+                `[AuthManager] Password-reset requested for ${user.email} but no email service is wired. URL: ${url}`
+              );
+              return;
+            }
+            const ttlSec = this.config.emailAndPassword?.resetPasswordTokenExpiresIn ?? 60 * 60;
+            try {
+              await email.sendTemplate({
+                template: "auth.password_reset",
+                to: { address: user.email, ...user.name ? { name: user.name } : {} },
+                data: {
+                  user: { name: user.name || user.email, email: user.email, id: user.id },
+                  resetUrl: url,
+                  token,
+                  expiresInMinutes: Math.round(ttlSec / 60),
+                  appName: this.getAppName()
+                },
+                relatedObject: "sys_user",
+                relatedId: user.id
+              });
+            } catch (err) {
+              console.error(`[AuthManager] sendResetPassword failed: ${err?.message ?? err}`);
+              throw err;
+            }
           }
-        }
-      },
+        };
+      })(),
       // Email verification
       ...this.config.emailVerification || this.config.emailService ? {
         emailVerification: {
@@ -741,6 +751,38 @@ var AuthManager = class {
       // for SSO JIT-provisioning too, unlike kernel-level ObjectQL
       // middleware which better-auth's adapter bypasses).
       ...this.config.databaseHooks ? { databaseHooks: this.config.databaseHooks } : {},
+      // Bootstrap bypass for `disableSignUp`. The first-run owner wizard
+      // (`/_account/setup`) calls `POST /auth/sign-up/email` to create
+      // the very first user — if `OS_DISABLE_SIGNUP=true` is set on a
+      // fresh install we'd lock the operator out of their own instance.
+      // Solution: when the request hits `/sign-up/email` AND no users
+      // exist yet, temporarily flip `disableSignUp` off for *this*
+      // request's context. Once the owner is created the next request
+      // sees `userCount > 0` and the toggle is enforced again.
+      hooks: {
+        before: createAuthMiddleware(async (ctx) => {
+          if (ctx?.path !== "/sign-up/email") return;
+          const ep = ctx?.context?.options?.emailAndPassword;
+          if (!ep?.disableSignUp) return;
+          try {
+            const adapter = ctx.context.adapter;
+            const existing = await adapter.findOne({ model: "user", where: [] });
+            if (!existing) {
+              ctx.context.__osDisableSignUpOrig = ep.disableSignUp;
+              ep.disableSignUp = false;
+            }
+          } catch {
+          }
+        }),
+        after: createAuthMiddleware(async (ctx) => {
+          if (ctx?.path !== "/sign-up/email") return;
+          const ep = ctx?.context?.options?.emailAndPassword;
+          if (ep && ctx.context.__osDisableSignUpOrig !== void 0) {
+            ep.disableSignUp = ctx.context.__osDisableSignUpOrig;
+            delete ctx.context.__osDisableSignUpOrig;
+          }
+        })
+      },
       // Trusted origins for CSRF protection (supports wildcards like "https://*.example.com")
       // Auto-includes origins from CORS_ORIGIN env var so CORS and CSRF stay in sync.
       ...(() => {
@@ -895,6 +937,22 @@ var AuthManager = class {
         // never seed `sys_environment`) keep working: any lookup error
         // is treated as "no envs to protect".
         organizationHooks: {
+          // Gate fresh organization creation behind `OS_MULTI_ORG_ENABLED`.
+          // The plugin itself is always installed (so list/update/invite endpoints
+          // keep responding); only the `create` operation is denied when the
+          // deployment is provisioned in single-org mode. Default is enabled
+          // to preserve historical behaviour.
+          beforeCreateOrganization: async () => {
+            const flag = String(
+              globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+            ).toLowerCase();
+            if (flag === "false") {
+              const { APIError } = await import("better-auth/api");
+              throw new APIError("FORBIDDEN", {
+                message: "Creating additional organizations is disabled on this deployment."
+              });
+            }
+          },
           beforeUpdateOrganization: async ({ organization: organization2, member }) => {
             const newSlug = organization2?.slug;
             const orgId = member?.organizationId;
@@ -1268,20 +1326,40 @@ var AuthManager = class {
       }
     }
     const emailPasswordConfig = this.config.emailAndPassword ?? {};
+    const disableSignUpEnv = globalThis?.process?.env?.OS_DISABLE_SIGNUP;
+    const disableSignUpFromEnv = disableSignUpEnv != null ? String(disableSignUpEnv).toLowerCase() === "true" : void 0;
     const emailPassword = {
       enabled: emailPasswordConfig.enabled !== false,
       // Default to true
-      disableSignUp: emailPasswordConfig.disableSignUp ?? false,
+      disableSignUp: disableSignUpFromEnv ?? emailPasswordConfig.disableSignUp ?? false,
       requireEmailVerification: emailPasswordConfig.requireEmailVerification ?? false
     };
     const pluginConfig = this.config.plugins ?? {};
+    const multiOrgEnabled = String(
+      globalThis?.process?.env?.OS_MULTI_ORG_ENABLED ?? "true"
+    ).toLowerCase() !== "false";
+    const DEFAULT_TERMS_URL = "https://objectstack.ai/terms";
+    const DEFAULT_PRIVACY_URL = "https://objectstack.ai/privacy";
+    const rawTermsUrl = globalThis?.process?.env?.OS_TERMS_URL;
+    const rawPrivacyUrl = globalThis?.process?.env?.OS_PRIVACY_URL;
+    const resolveLegalUrl = (raw, fallback) => {
+      if (typeof raw !== "string") return fallback;
+      const trimmed = raw.trim();
+      if (trimmed === "") return void 0;
+      return trimmed;
+    };
+    const termsUrl = resolveLegalUrl(rawTermsUrl, DEFAULT_TERMS_URL);
+    const privacyUrl = resolveLegalUrl(rawPrivacyUrl, DEFAULT_PRIVACY_URL);
     const features = {
       twoFactor: pluginConfig.twoFactor ?? false,
       passkeys: pluginConfig.passkeys ?? false,
       magicLink: pluginConfig.magicLink ?? false,
       organization: pluginConfig.organization ?? true,
+      multiOrgEnabled,
       oidcProvider: pluginConfig.oidcProvider ?? false,
-      deviceAuthorization: pluginConfig.deviceAuthorization ?? false
+      deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
+      ...termsUrl ? { termsUrl } : {},
+      ...privacyUrl ? { privacyUrl } : {}
     };
     return {
       emailPassword,
@@ -1370,7 +1448,7 @@ var AuthPlugin = class {
       // @objectstack/platform-objects/apps). plugin-auth is the natural
       // owner of its registration since it loads first among the trio
       // (auth + security + audit) that supplies the underlying objects.
-      apps: [import_apps.SETUP_APP],
+      apps: [import_apps.SETUP_APP, import_apps.STUDIO_APP],
       // List views for each Setup-nav object are defined on the schema
       // itself via the canonical `listViews` map (e.g.
       // sys_user.listViews.{all_users,unverified,two_factor}). Registering