@objectstack/spec 0.1.1 → 0.2.0

package/dist/system/auth.zod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.zod.d.ts","sourceRoot":"","sources":["../../src/system/auth.zod.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;;GASG;AAEH;;GAEG;AACH,eAAO,MAAM,YAAY,qFAOvB,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;EA0B9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;EAYpC,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAchC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;EAY9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB9B,CAAC;AAEH,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;EAUhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;EAQ3B,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;EAMrC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;EAQjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;EAQhC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAMjC,CAAC;AAEH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEtE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,gBAAgB;IAC3B;;;OAGG;;IAKH;;OAEG;;IAGH;;;;OAIG;;IAGH;;OAEG;;IAGH;;OAEG;;IAGH;;;OAGG;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAKH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuCH;;OAEG;;;;;;;;;;;;;;;;;;;;IAaH;;OAEG;;;;;;;;;;;;;;;;;IAWH;;OAEG;;;;;;;;;;;;;;;;;IAWH;;OAEG;;IAGH;;OAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAEH,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;QAxMrC;;;WAGG;;QAKH;;WAEG;;QAGH;;;;WAIG;;QAGH;;WAEG;;QAGH;;WAEG;;QAGH;;;WAGG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAKH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAuCH;;WAEG;;;;;;;;;;;;;;;;;;;;QAaH;;WAEG;;;;;;;;;;;;;;;;;QAWH;;WAEG;;;;;;;;;;;;;;;;;QAWH;;WAEG;;QAGH;;WAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiBH,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC"}

package/dist/system/auth.zod.js

@@ -0,0 +1,365 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StandardAuthProviderSchema = exports.AuthConfigSchema = exports.AuthPluginConfigSchema = exports.DatabaseAdapterSchema = exports.UserFieldMappingSchema = exports.TwoFactorConfigSchema = exports.AccountLinkingConfigSchema = exports.CSRFConfigSchema = exports.RateLimitConfigSchema = exports.SessionConfigSchema = exports.PasskeyConfigSchema = exports.MagicLinkConfigSchema = exports.EmailPasswordConfigSchema = exports.OAuthProviderSchema = exports.AuthStrategy = void 0;
+const zod_1 = require("zod");
+/**
+ * Authentication Protocol
+ *
+ * Defines the standard authentication specification for the ObjectStack ecosystem.
+ * This protocol supports multiple authentication strategies, session management,
+ * and comprehensive security features.
+ *
+ * This is a framework-agnostic specification that can be implemented with any
+ * authentication library (better-auth, Auth.js, Passport, etc.)
+ */
+/**
+ * Supported authentication strategies
+ */
+exports.AuthStrategy = zod_1.z.enum([
+    'email_password', // Traditional email & password authentication
+    'magic_link', // Passwordless email magic link
+    'oauth', // OAuth2 providers (Google, GitHub, etc.)
+    'passkey', // WebAuthn / FIDO2 passkeys
+    'otp', // One-time password (SMS, Email)
+    'anonymous', // Anonymous/guest sessions
+]);
+/**
+ * OAuth Provider Configuration
+ * Supports popular OAuth2 providers
+ */
+exports.OAuthProviderSchema = zod_1.z.object({
+    provider: zod_1.z.enum([
+        'google',
+        'github',
+        'facebook',
+        'twitter',
+        'linkedin',
+        'microsoft',
+        'apple',
+        'discord',
+        'gitlab',
+        'custom',
+    ]).describe('OAuth provider type'),
+    clientId: zod_1.z.string().describe('OAuth client ID'),
+    clientSecret: zod_1.z.string().describe('OAuth client secret (typically from ENV)'),
+    scopes: zod_1.z.array(zod_1.z.string()).optional().describe('Requested OAuth scopes'),
+    redirectUri: zod_1.z.string().url().optional().describe('OAuth callback URL'),
+    enabled: zod_1.z.boolean().default(true).describe('Whether this provider is enabled'),
+    displayName: zod_1.z.string().optional().describe('Display name for the provider button'),
+    icon: zod_1.z.string().optional().describe('Icon URL or identifier'),
+});
+/**
+ * Email & Password Strategy Configuration
+ */
+exports.EmailPasswordConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    requireEmailVerification: zod_1.z.boolean().default(true).describe('Require email verification before login'),
+    minPasswordLength: zod_1.z.number().min(6).max(128).default(8).describe('Minimum password length'),
+    requirePasswordComplexity: zod_1.z.boolean().default(true).describe('Require uppercase, lowercase, numbers, symbols'),
+    allowPasswordReset: zod_1.z.boolean().default(true).describe('Enable password reset functionality'),
+    passwordResetExpiry: zod_1.z.number().default(3600).describe('Password reset token expiry in seconds'),
+});
+/**
+ * Magic Link Strategy Configuration
+ */
+exports.MagicLinkConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    expiryTime: zod_1.z.number().default(900).describe('Magic link expiry time in seconds (default 15 min)'),
+    sendEmail: zod_1.z.function()
+        .args(zod_1.z.object({
+        to: zod_1.z.string().email(),
+        link: zod_1.z.string().url(),
+        token: zod_1.z.string(),
+    }))
+        .returns(zod_1.z.promise(zod_1.z.void()))
+        .optional()
+        .describe('Custom email sending function'),
+});
+/**
+ * Passkey (WebAuthn) Strategy Configuration
+ */
+exports.PasskeyConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    rpName: zod_1.z.string().describe('Relying Party name'),
+    rpId: zod_1.z.string().optional().describe('Relying Party ID (defaults to domain)'),
+    allowedOrigins: zod_1.z.array(zod_1.z.string().url()).optional().describe('Allowed origins for WebAuthn'),
+    userVerification: zod_1.z.enum(['required', 'preferred', 'discouraged']).default('preferred'),
+    attestation: zod_1.z.enum(['none', 'indirect', 'direct', 'enterprise']).default('none'),
+});
+/**
+ * Session Configuration
+ */
+exports.SessionConfigSchema = zod_1.z.object({
+    expiresIn: zod_1.z.number().default(86400 * 7).describe('Session expiry in seconds (default 7 days)'),
+    updateAge: zod_1.z.number().default(86400).describe('Session update interval in seconds (default 1 day)'),
+    cookieName: zod_1.z.string().default('session_token').describe('Session cookie name'),
+    cookieSecure: zod_1.z.boolean().default(true).describe('Use secure cookies (HTTPS only)'),
+    cookieSameSite: zod_1.z.enum(['strict', 'lax', 'none']).default('lax').describe('SameSite cookie attribute'),
+    cookieDomain: zod_1.z.string().optional().describe('Cookie domain'),
+    cookiePath: zod_1.z.string().default('/').describe('Cookie path'),
+    cookieHttpOnly: zod_1.z.boolean().default(true).describe('HttpOnly cookie attribute'),
+});
+/**
+ * Rate Limiting Configuration
+ */
+exports.RateLimitConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    maxAttempts: zod_1.z.number().default(5).describe('Maximum login attempts'),
+    windowMs: zod_1.z.number().default(900000).describe('Time window in milliseconds (default 15 min)'),
+    blockDuration: zod_1.z.number().default(900000).describe('Block duration after max attempts in ms'),
+    skipSuccessfulRequests: zod_1.z.boolean().default(false).describe('Only count failed requests'),
+});
+/**
+ * CSRF Protection Configuration
+ */
+exports.CSRFConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true),
+    tokenLength: zod_1.z.number().default(32).describe('CSRF token length'),
+    cookieName: zod_1.z.string().default('csrf_token').describe('CSRF cookie name'),
+    headerName: zod_1.z.string().default('X-CSRF-Token').describe('CSRF header name'),
+});
+/**
+ * Account Linking Configuration
+ * Allows linking multiple auth methods to a single user account
+ */
+exports.AccountLinkingConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(true).describe('Allow account linking'),
+    autoLink: zod_1.z.boolean().default(false).describe('Automatically link accounts with same email'),
+    requireVerification: zod_1.z.boolean().default(true).describe('Require email verification before linking'),
+});
+/**
+ * Two-Factor Authentication (2FA) Configuration
+ */
+exports.TwoFactorConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().default(false),
+    issuer: zod_1.z.string().optional().describe('TOTP issuer name'),
+    qrCodeSize: zod_1.z.number().default(200).describe('QR code size in pixels'),
+    backupCodes: zod_1.z.object({
+        enabled: zod_1.z.boolean().default(true),
+        count: zod_1.z.number().default(10).describe('Number of backup codes to generate'),
+    }).optional(),
+});
+/**
+ * User Field Mapping Configuration
+ * Maps authentication user fields to ObjectStack user object fields
+ */
+exports.UserFieldMappingSchema = zod_1.z.object({
+    id: zod_1.z.string().default('id').describe('User ID field'),
+    email: zod_1.z.string().default('email').describe('Email field'),
+    name: zod_1.z.string().default('name').describe('Name field'),
+    image: zod_1.z.string().default('image').optional().describe('Profile image field'),
+    emailVerified: zod_1.z.string().default('email_verified').describe('Email verification status field'),
+    createdAt: zod_1.z.string().default('created_at').describe('Created timestamp field'),
+    updatedAt: zod_1.z.string().default('updated_at').describe('Updated timestamp field'),
+});
+/**
+ * Database Adapter Configuration
+ */
+exports.DatabaseAdapterSchema = zod_1.z.object({
+    type: zod_1.z.enum(['prisma', 'drizzle', 'kysely', 'custom']).describe('Database adapter type'),
+    connectionString: zod_1.z.string().optional().describe('Database connection string'),
+    tablePrefix: zod_1.z.string().default('auth_').describe('Prefix for auth tables'),
+    schema: zod_1.z.string().optional().describe('Database schema name'),
+});
+/**
+ * Authentication Plugin Configuration
+ * Extends authentication with additional features
+ */
+exports.AuthPluginConfigSchema = zod_1.z.object({
+    name: zod_1.z.string().describe('Plugin name'),
+    enabled: zod_1.z.boolean().default(true),
+    options: zod_1.z.record(zod_1.z.any()).optional().describe('Plugin-specific options'),
+});
+/**
+ * Complete Authentication Configuration Schema
+ *
+ * This is the main configuration object for authentication
+ * in an ObjectStack application.
+ *
+ * @example
+ * ```typescript
+ * const authConfig: AuthConfig = {
+ *   name: 'main_auth',
+ *   label: 'Main Authentication',
+ *   strategies: ['email_password', 'oauth'],
+ *   baseUrl: 'https://app.example.com',
+ *   secret: process.env.AUTH_SECRET,
+ *   driver: 'better-auth', // Optional, defaults to 'better-auth'
+ *   emailPassword: {
+ *     enabled: true,
+ *     minPasswordLength: 8,
+ *   },
+ *   oauth: {
+ *     providers: [{
+ *       provider: 'google',
+ *       clientId: process.env.GOOGLE_CLIENT_ID,
+ *       clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+ *     }],
+ *   },
+ *   session: {
+ *     expiresIn: 604800, // 7 days
+ *   },
+ * };
+ * ```
+ */
+exports.AuthConfigSchema = zod_1.z.object({
+    /**
+     * Unique identifier for this auth configuration
+     * Must be in snake_case following ObjectStack conventions
+     */
+    name: zod_1.z.string()
+        .regex(/^[a-z_][a-z0-9_]*$/)
+        .describe('Configuration name (snake_case)'),
+    /**
+     * Human-readable label
+     */
+    label: zod_1.z.string().describe('Display label'),
+    /**
+     * The underlying authentication implementation driver
+     * Default: 'better-auth' (the reference implementation)
+     * Can be: 'better-auth', 'auth-js', 'passport', or custom driver name
+     */
+    driver: zod_1.z.string().default('better-auth').describe('The underlying authentication implementation driver'),
+    /**
+     * Enabled authentication strategies
+     */
+    strategies: zod_1.z.array(exports.AuthStrategy).min(1).describe('Enabled authentication strategies'),
+    /**
+     * Base URL for the application
+     */
+    baseUrl: zod_1.z.string().url().describe('Application base URL'),
+    /**
+     * Secret key for signing tokens and cookies
+     * Should be loaded from environment variables
+     */
+    secret: zod_1.z.string().min(32).describe('Secret key for signing (min 32 chars)'),
+    /**
+     * Email & Password configuration
+     */
+    emailPassword: exports.EmailPasswordConfigSchema.optional(),
+    /**
+     * Magic Link configuration
+     */
+    magicLink: exports.MagicLinkConfigSchema.optional(),
+    /**
+     * Passkey (WebAuthn) configuration
+     */
+    passkey: exports.PasskeyConfigSchema.optional(),
+    /**
+     * OAuth configuration
+     */
+    oauth: zod_1.z.object({
+        providers: zod_1.z.array(exports.OAuthProviderSchema).min(1),
+    }).optional(),
+    /**
+     * Session configuration
+     */
+    session: exports.SessionConfigSchema.default({}),
+    /**
+     * Rate limiting configuration
+     */
+    rateLimit: exports.RateLimitConfigSchema.default({}),
+    /**
+     * CSRF protection configuration
+     */
+    csrf: exports.CSRFConfigSchema.default({}),
+    /**
+     * Account linking configuration
+     */
+    accountLinking: exports.AccountLinkingConfigSchema.default({}),
+    /**
+     * Two-factor authentication configuration
+     */
+    twoFactor: exports.TwoFactorConfigSchema.optional(),
+    /**
+     * User field mapping
+     */
+    userFieldMapping: exports.UserFieldMappingSchema.default({}),
+    /**
+     * Database adapter configuration
+     */
+    database: exports.DatabaseAdapterSchema.optional(),
+    /**
+     * Additional authentication plugins
+     */
+    plugins: zod_1.z.array(exports.AuthPluginConfigSchema).default([]),
+    /**
+     * Custom hooks for authentication events
+     */
+    hooks: zod_1.z.object({
+        beforeSignIn: zod_1.z.function()
+            .args(zod_1.z.object({ email: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user sign in'),
+        afterSignIn: zod_1.z.function()
+            .args(zod_1.z.object({ user: zod_1.z.any(), session: zod_1.z.any() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user sign in'),
+        beforeSignUp: zod_1.z.function()
+            .args(zod_1.z.object({ email: zod_1.z.string(), name: zod_1.z.string().optional() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user registration'),
+        afterSignUp: zod_1.z.function()
+            .args(zod_1.z.object({ user: zod_1.z.any() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user registration'),
+        beforeSignOut: zod_1.z.function()
+            .args(zod_1.z.object({ sessionId: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called before user sign out'),
+        afterSignOut: zod_1.z.function()
+            .args(zod_1.z.object({ sessionId: zod_1.z.string() }))
+            .returns(zod_1.z.promise(zod_1.z.void()))
+            .optional()
+            .describe('Called after user sign out'),
+    }).optional().describe('Authentication lifecycle hooks'),
+    /**
+     * Advanced security settings
+     */
+    security: zod_1.z.object({
+        allowedOrigins: zod_1.z.array(zod_1.z.string()).optional().describe('CORS allowed origins'),
+        trustProxy: zod_1.z.boolean().default(false).describe('Trust proxy headers'),
+        ipRateLimiting: zod_1.z.boolean().default(true).describe('Enable IP-based rate limiting'),
+        sessionFingerprinting: zod_1.z.boolean().default(true).describe('Enable session fingerprinting'),
+        maxSessions: zod_1.z.number().default(5).describe('Maximum concurrent sessions per user'),
+    }).optional().describe('Advanced security settings'),
+    /**
+     * Email configuration for transactional emails
+     */
+    email: zod_1.z.object({
+        from: zod_1.z.string().email().describe('From email address'),
+        fromName: zod_1.z.string().optional().describe('From name'),
+        provider: zod_1.z.enum(['smtp', 'sendgrid', 'mailgun', 'ses', 'resend', 'custom']).describe('Email provider'),
+        config: zod_1.z.record(zod_1.z.any()).optional().describe('Provider-specific configuration'),
+    }).optional().describe('Email configuration'),
+    /**
+     * UI customization options
+     */
+    ui: zod_1.z.object({
+        brandName: zod_1.z.string().optional().describe('Brand name displayed in auth UI'),
+        logo: zod_1.z.string().optional().describe('Logo URL'),
+        primaryColor: zod_1.z.string().optional().describe('Primary brand color (hex)'),
+        customCss: zod_1.z.string().optional().describe('Custom CSS for auth pages'),
+    }).optional().describe('UI customization'),
+    /**
+     * Whether this auth provider is active
+     */
+    active: zod_1.z.boolean().default(true).describe('Whether this provider is active'),
+    /**
+     * Whether to allow new user registration
+     */
+    allowRegistration: zod_1.z.boolean().default(true).describe('Allow new user registration'),
+});
+/**
+ * Standard Authentication Provider Schema
+ * Wraps the configuration for use in the identity system
+ */
+exports.StandardAuthProviderSchema = zod_1.z.object({
+    type: zod_1.z.literal('standard_auth').describe('Provider type identifier'),
+    config: exports.AuthConfigSchema.describe('Standard authentication configuration'),
+});

package/dist/system/datasource.zod.d.ts

@@ -1,9 +1,122 @@
 import { z } from 'zod';
 /**
- * Driver Type Enum
- * Defines the underlying technology of the datasource.
+ * Driver Type Enum (Built-in)
+ * Standard drivers supported by the core platform.
+ * Plugins can register additional drivers using different identifiers.
  */
-export declare const DriverType: z.ZodEnum<["postgres", "mysql", "sqlserver", "oracle", "sqlite", "mongo", "redis", "excel", "csv", "airtable", "rest_api", "graphql", "odata", "salesforce", "sap", "workday"]>;
+export declare const BuiltInDrivers: readonly ["postgres", "mysql", "sqlserver", "oracle", "sqlite", "mongo", "redis", "excel", "csv", "airtable", "rest_api", "graphql", "odata", "salesforce", "sap", "workday"];
+/**
+ * Driver Identifier
+ * Can be a built-in driver or a plugin-contributed driver (e.g., "com.vendor.snowflake").
+ */
+export declare const DriverType: z.ZodString;
+/**
+ * Driver Definition Schema
+ * Metadata describing a Database Driver.
+ * Plugins use this to register new connectivity options.
+ */
+export declare const DriverDefinitionSchema: z.ZodObject<{
+    id: z.ZodString;
+    label: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    icon: z.ZodOptional<z.ZodString>;
+    /**
+     * Configuration Schema (JSON Schema)
+     * Describes the structure of the `config` object needed for this driver.
+     * Used by the UI to generate the connection form.
+     */
+    configSchema: z.ZodRecord<z.ZodString, z.ZodAny>;
+    /**
+     * Default Capabilities
+     * What this driver supports out-of-the-box.
+     */
+    capabilities: z.ZodOptional<z.ZodLazy<z.ZodObject<{
+        /** Can handle ACID transactions? */
+        transactions: z.ZodDefault<z.ZodBoolean>;
+        /** Can execute WHERE clause filters natively? */
+        queryFilters: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform aggregation (group by, sum, avg)? */
+        queryAggregations: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform ORDER BY sorting? */
+        querySorting: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform LIMIT/OFFSET pagination? */
+        queryPagination: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform window functions? */
+        queryWindowFunctions: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform subqueries? */
+        querySubqueries: z.ZodDefault<z.ZodBoolean>;
+        /** Can execute SQL-like joins natively? */
+        joins: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform full-text search? */
+        fullTextSearch: z.ZodDefault<z.ZodBoolean>;
+        /** Is read-only? */
+        readOnly: z.ZodDefault<z.ZodBoolean>;
+        /** Is scheme-less (needs schema inference)? */
+        dynamicSchema: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        joins: boolean;
+        transactions: boolean;
+        queryFilters: boolean;
+        queryAggregations: boolean;
+        querySorting: boolean;
+        queryPagination: boolean;
+        queryWindowFunctions: boolean;
+        querySubqueries: boolean;
+        fullTextSearch: boolean;
+        readOnly: boolean;
+        dynamicSchema: boolean;
+    }, {
+        joins?: boolean | undefined;
+        transactions?: boolean | undefined;
+        queryFilters?: boolean | undefined;
+        queryAggregations?: boolean | undefined;
+        querySorting?: boolean | undefined;
+        queryPagination?: boolean | undefined;
+        queryWindowFunctions?: boolean | undefined;
+        querySubqueries?: boolean | undefined;
+        fullTextSearch?: boolean | undefined;
+        readOnly?: boolean | undefined;
+        dynamicSchema?: boolean | undefined;
+    }>>>;
+}, "strip", z.ZodTypeAny, {
+    label: string;
+    id: string;
+    configSchema: Record<string, any>;
+    description?: string | undefined;
+    icon?: string | undefined;
+    capabilities?: {
+        joins: boolean;
+        transactions: boolean;
+        queryFilters: boolean;
+        queryAggregations: boolean;
+        querySorting: boolean;
+        queryPagination: boolean;
+        queryWindowFunctions: boolean;
+        querySubqueries: boolean;
+        fullTextSearch: boolean;
+        readOnly: boolean;
+        dynamicSchema: boolean;
+    } | undefined;
+}, {
+    label: string;
+    id: string;
+    configSchema: Record<string, any>;
+    description?: string | undefined;
+    icon?: string | undefined;
+    capabilities?: {
+        joins?: boolean | undefined;
+        transactions?: boolean | undefined;
+        queryFilters?: boolean | undefined;
+        queryAggregations?: boolean | undefined;
+        querySorting?: boolean | undefined;
+        queryPagination?: boolean | undefined;
+        queryWindowFunctions?: boolean | undefined;
+        querySubqueries?: boolean | undefined;
+        fullTextSearch?: boolean | undefined;
+        readOnly?: boolean | undefined;
+        dynamicSchema?: boolean | undefined;
+    } | undefined;
+}>;
 /**
  * Datasource Capabilities Schema
  * Declares what this datasource naturally supports.
@@ -11,32 +124,52 @@ export declare const DriverType: z.ZodEnum<["postgres", "mysql", "sqlserver", "o
  * and what to compute in memory.
  */
 export declare const DatasourceCapabilities: z.ZodObject<{
-    /** Can execute SQL-like joins natively? */
-    joins: z.ZodDefault<z.ZodBoolean>;
     /** Can handle ACID transactions? */
     transactions: z.ZodDefault<z.ZodBoolean>;
+    /** Can execute WHERE clause filters natively? */
+    queryFilters: z.ZodDefault<z.ZodBoolean>;
+    /** Can perform aggregation (group by, sum, avg)? */
+    queryAggregations: z.ZodDefault<z.ZodBoolean>;
+    /** Can perform ORDER BY sorting? */
+    querySorting: z.ZodDefault<z.ZodBoolean>;
+    /** Can perform LIMIT/OFFSET pagination? */
+    queryPagination: z.ZodDefault<z.ZodBoolean>;
+    /** Can perform window functions? */
+    queryWindowFunctions: z.ZodDefault<z.ZodBoolean>;
+    /** Can perform subqueries? */
+    querySubqueries: z.ZodDefault<z.ZodBoolean>;
+    /** Can execute SQL-like joins natively? */
+    joins: z.ZodDefault<z.ZodBoolean>;
     /** Can perform full-text search? */
     fullTextSearch: z.ZodDefault<z.ZodBoolean>;
-    /** Can perform aggregation (group by, sum, avg)? */
-    aggregation: z.ZodDefault<z.ZodBoolean>;
-    /** Is scheme-less (needs schema inference)? */
-    dynamicSchema: z.ZodDefault<z.ZodBoolean>;
     /** Is read-only? */
     readOnly: z.ZodDefault<z.ZodBoolean>;
+    /** Is scheme-less (needs schema inference)? */
+    dynamicSchema: z.ZodDefault<z.ZodBoolean>;
 }, "strip", z.ZodTypeAny, {
     joins: boolean;
     transactions: boolean;
+    queryFilters: boolean;
+    queryAggregations: boolean;
+    querySorting: boolean;
+    queryPagination: boolean;
+    queryWindowFunctions: boolean;
+    querySubqueries: boolean;
     fullTextSearch: boolean;
-    aggregation: boolean;
-    dynamicSchema: boolean;
     readOnly: boolean;
+    dynamicSchema: boolean;
 }, {
     joins?: boolean | undefined;
     transactions?: boolean | undefined;
+    queryFilters?: boolean | undefined;
+    queryAggregations?: boolean | undefined;
+    querySorting?: boolean | undefined;
+    queryPagination?: boolean | undefined;
+    queryWindowFunctions?: boolean | undefined;
+    querySubqueries?: boolean | undefined;
     fullTextSearch?: boolean | undefined;
-    aggregation?: boolean | undefined;
-    dynamicSchema?: boolean | undefined;
     readOnly?: boolean | undefined;
+    dynamicSchema?: boolean | undefined;
 }>;
 /**
  * Datasource Schema
@@ -48,7 +181,7 @@ export declare const DatasourceSchema: z.ZodObject<{
     /** Human Label */
     label: z.ZodOptional<z.ZodString>;
     /** Driver */
-    driver: z.ZodEnum<["postgres", "mysql", "sqlserver", "oracle", "sqlite", "mongo", "redis", "excel", "csv", "airtable", "rest_api", "graphql", "odata", "salesforce", "sap", "workday"]>;
+    driver: z.ZodString;
     /**
      * Connection Configuration
      * Specific to the driver (e.g., host, port, user, password, bucket, etc.)
@@ -60,32 +193,52 @@ export declare const DatasourceSchema: z.ZodObject<{
      * Manually override what the driver claims to support.
      */
     capabilities: z.ZodOptional<z.ZodObject<{
-        /** Can execute SQL-like joins natively? */
-        joins: z.ZodDefault<z.ZodBoolean>;
         /** Can handle ACID transactions? */
         transactions: z.ZodDefault<z.ZodBoolean>;
+        /** Can execute WHERE clause filters natively? */
+        queryFilters: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform aggregation (group by, sum, avg)? */
+        queryAggregations: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform ORDER BY sorting? */
+        querySorting: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform LIMIT/OFFSET pagination? */
+        queryPagination: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform window functions? */
+        queryWindowFunctions: z.ZodDefault<z.ZodBoolean>;
+        /** Can perform subqueries? */
+        querySubqueries: z.ZodDefault<z.ZodBoolean>;
+        /** Can execute SQL-like joins natively? */
+        joins: z.ZodDefault<z.ZodBoolean>;
         /** Can perform full-text search? */
         fullTextSearch: z.ZodDefault<z.ZodBoolean>;
-        /** Can perform aggregation (group by, sum, avg)? */
-        aggregation: z.ZodDefault<z.ZodBoolean>;
-        /** Is scheme-less (needs schema inference)? */
-        dynamicSchema: z.ZodDefault<z.ZodBoolean>;
         /** Is read-only? */
         readOnly: z.ZodDefault<z.ZodBoolean>;
+        /** Is scheme-less (needs schema inference)? */
+        dynamicSchema: z.ZodDefault<z.ZodBoolean>;
     }, "strip", z.ZodTypeAny, {
         joins: boolean;
         transactions: boolean;
+        queryFilters: boolean;
+        queryAggregations: boolean;
+        querySorting: boolean;
+        queryPagination: boolean;
+        queryWindowFunctions: boolean;
+        querySubqueries: boolean;
         fullTextSearch: boolean;
-        aggregation: boolean;
-        dynamicSchema: boolean;
         readOnly: boolean;
+        dynamicSchema: boolean;
     }, {
         joins?: boolean | undefined;
         transactions?: boolean | undefined;
+        queryFilters?: boolean | undefined;
+        queryAggregations?: boolean | undefined;
+        querySorting?: boolean | undefined;
+        queryPagination?: boolean | undefined;
+        queryWindowFunctions?: boolean | undefined;
+        querySubqueries?: boolean | undefined;
         fullTextSearch?: boolean | undefined;
-        aggregation?: boolean | undefined;
-        dynamicSchema?: boolean | undefined;
         readOnly?: boolean | undefined;
+        dynamicSchema?: boolean | undefined;
     }>>;
     /** Description */
     description: z.ZodOptional<z.ZodString>;
@@ -95,31 +248,41 @@ export declare const DatasourceSchema: z.ZodObject<{
     name: string;
     active: boolean;
     config: Record<string, any>;
-    driver: "csv" | "postgres" | "mysql" | "sqlserver" | "oracle" | "sqlite" | "mongo" | "redis" | "excel" | "airtable" | "rest_api" | "graphql" | "odata" | "salesforce" | "sap" | "workday";
+    driver: string;
     label?: string | undefined;
     description?: string | undefined;
     capabilities?: {
         joins: boolean;
         transactions: boolean;
+        queryFilters: boolean;
+        queryAggregations: boolean;
+        querySorting: boolean;
+        queryPagination: boolean;
+        queryWindowFunctions: boolean;
+        querySubqueries: boolean;
         fullTextSearch: boolean;
-        aggregation: boolean;
-        dynamicSchema: boolean;
         readOnly: boolean;
+        dynamicSchema: boolean;
     } | undefined;
 }, {
     name: string;
     config: Record<string, any>;
-    driver: "csv" | "postgres" | "mysql" | "sqlserver" | "oracle" | "sqlite" | "mongo" | "redis" | "excel" | "airtable" | "rest_api" | "graphql" | "odata" | "salesforce" | "sap" | "workday";
+    driver: string;
     label?: string | undefined;
     description?: string | undefined;
     active?: boolean | undefined;
     capabilities?: {
         joins?: boolean | undefined;
         transactions?: boolean | undefined;
+        queryFilters?: boolean | undefined;
+        queryAggregations?: boolean | undefined;
+        querySorting?: boolean | undefined;
+        queryPagination?: boolean | undefined;
+        queryWindowFunctions?: boolean | undefined;
+        querySubqueries?: boolean | undefined;
         fullTextSearch?: boolean | undefined;
-        aggregation?: boolean | undefined;
-        dynamicSchema?: boolean | undefined;
         readOnly?: boolean | undefined;
+        dynamicSchema?: boolean | undefined;
     } | undefined;
 }>;
 export type Datasource = z.infer<typeof DatasourceSchema>;