From f586610ab7b130429f36f0545d3ce2eee3870dfa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Feb 2026 15:53:18 +0000 Subject: [PATCH 1/4] Initial plan From 7dea6de3c94be7ab9fb9e74aa5f749c249b00820 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Feb 2026 16:01:11 +0000 Subject: [PATCH 2/4] feat: upgrade @objectstack to latest and add plugin-auth for server-side auth - Upgrade all @objectstack packages from ^2.0.1 to ^2.0.4 across 13 package.json files - Add @objectstack/plugin-auth ^2.0.3 to CRM example for server-side authentication - Update CRM server.ts to integrate AuthPlugin into the ObjectKernel - Update OBJECTSTACK_CLIENT_EVALUATION.md with latest versions and plugin-auth documentation Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com> --- OBJECTSTACK_CLIENT_EVALUATION.md | 73 +++- apps/console/package.json | 14 +- examples/crm/package.json | 9 +- examples/crm/server.ts | 12 +- examples/kitchen-sink/package.json | 4 +- examples/msw-todo/package.json | 12 +- examples/todo/package.json | 6 +- package.json | 16 +- packages/core/package.json | 2 +- packages/data-objectstack/package.json | 2 +- packages/plugin-gantt/package.json | 2 +- packages/plugin-map/package.json | 2 +- packages/plugin-timeline/package.json | 2 +- packages/react/package.json | 2 +- packages/types/package.json | 2 +- pnpm-lock.yaml | 568 +++++++++++++++++-------- 16 files changed, 501 insertions(+), 227 deletions(-) diff --git a/OBJECTSTACK_CLIENT_EVALUATION.md b/OBJECTSTACK_CLIENT_EVALUATION.md index 0ba0f09ca..6c720f919 100644 --- a/OBJECTSTACK_CLIENT_EVALUATION.md +++ b/OBJECTSTACK_CLIENT_EVALUATION.md @@ -1,8 +1,9 @@ # @objectstack/client Evaluation for Low-Code App UI Development > **Date:** February 10, 2026 -> **Spec Version:** @objectstack/spec v2.0.1 -> **Client Version:** @objectstack/client v2.0.1 +> **Spec Version:** @objectstack/spec v2.0.4 +> **Client Version:** @objectstack/client v2.0.4 +> **Auth Plugin Version:** @objectstack/plugin-auth v2.0.3 > **ObjectUI Version:** v0.5.x > **Scope:** Evaluate whether @objectstack/client can fully support developing a complete low-code application UI based on the @objectstack/spec protocol @@ -104,6 +105,7 @@ The @objectstack/spec defines `ActionSchema` with 5 action types: | Capability | Implementation | Client Dependency | Status | |------------|---------------|-------------------|--------| +| **Server-Side Auth** | `@objectstack/plugin-auth` (AuthPlugin) | ObjectKernel plugin | ✅ Complete | | **Token Authentication** | `ObjectStackAdapter({ token })` | Client constructor | ✅ Complete | | **Dynamic Token Injection** | `ObjectStackAdapter({ fetch })` | Custom fetch wrapper | ✅ Complete | | **Session Management** | `@object-ui/auth` (AuthProvider) | better-auth integration | ✅ Complete | @@ -114,7 +116,7 @@ The @objectstack/spec defines `ActionSchema` with 5 action types: | **OAuth/SSO** | better-auth plugins | External auth providers | ✅ Complete | | **Multi-Factor Auth** | better-auth 2FA plugin | External auth providers | ✅ Available | -**Auth Assessment: 100% — Full auth stack is implemented via @object-ui/auth + better-auth.** +**Auth Assessment: 100% — Full auth stack is implemented. Server-side via @objectstack/plugin-auth (better-auth powered, ObjectQL persistence). Client-side via @object-ui/auth + better-auth.** ### 2.6 Multi-Tenancy @@ -170,6 +172,19 @@ A complete low-code app built on @objectstack/spec follows this data flow: │ │ │ │ ▼ │ │ ┌──────────────────────────────────────────────────────────────┐ │ +│ │ ObjectStack Server │ │ +│ │ │ │ +│ │ ObjectKernel │ │ +│ │ ├── ObjectQLPlugin (query engine) │ │ +│ │ ├── DriverPlugin (data storage) │ │ +│ │ ├── AuthPlugin (@objectstack/plugin-auth) │ │ +│ │ │ └── better-auth (session, OAuth, 2FA, passkeys) │ │ +│ │ ├── HonoServerPlugin (HTTP /api/v1/*) │ │ +│ │ └── AppPlugin (stack config) │ │ +│ └──────────────────────────────────────────────────────────────┘ │ +│ │ │ +│ ▼ │ +│ ┌──────────────────────────────────────────────────────────────┐ │ │ │ ObjectUI Runtime │ │ │ │ │ │ │ │ AuthProvider → PermissionProvider → TenantProvider │ │ @@ -208,7 +223,7 @@ A complete low-code app built on @objectstack/spec follows this data flow: | **Validation Rules** | `Data.Validation` | Server + client-side | `@object-ui/core` | ✅ Yes | | **Permissions/RBAC** | `Security.RBAC` | Role data from server | `@object-ui/permissions` | ✅ Yes | | **Multi-Tenancy** | `System.Tenant` | X-Tenant-ID header | `@object-ui/tenant` | ✅ Yes | -| **Authentication** | `Identity.Auth` | Token via custom fetch | `@object-ui/auth` | ✅ Yes | +| **Authentication** | `Identity.Auth` | Token via custom fetch | `@object-ui/auth` + `@objectstack/plugin-auth` | ✅ Yes | | **i18n** | `Shared.i18n` | None (client-side) | `@object-ui/i18n` | ✅ Yes | | **Theming** | `UI.Theme` | None (client-side) | Theme Provider | ✅ Yes | | **AI Assistance** | `AI.Config` | AI API endpoints | `plugin-ai` | ✅ Yes | @@ -291,7 +306,49 @@ export default defineStack({ }); ``` -### 5.2 Runtime Initialization +### 5.2 Server-Side Setup (with @objectstack/plugin-auth) + +```typescript +// server.ts — Bootstrap the ObjectStack server with authentication +import { ObjectKernel } from '@objectstack/core'; +import { ObjectQLPlugin } from '@objectstack/objectql'; +import { AppPlugin, DriverPlugin } from '@objectstack/runtime'; +import { HonoServerPlugin } from '@objectstack/plugin-hono-server'; +import { InMemoryDriver } from '@objectstack/driver-memory'; +import { AuthPlugin } from '@objectstack/plugin-auth'; +import config from './objectstack.config'; + +async function startServer() { + const kernel = new ObjectKernel(); + + // Core engine + data driver + await kernel.use(new ObjectQLPlugin()); + await kernel.use(new DriverPlugin(new InMemoryDriver())); + + // Application stack + await kernel.use(new AppPlugin(config)); + + // Authentication via @objectstack/plugin-auth + // Provides /api/v1/auth/* endpoints (sign-in, sign-up, session, OAuth, 2FA, etc.) + await kernel.use(new AuthPlugin({ + secret: process.env.AUTH_SECRET || 'dev-secret', + baseUrl: 'http://localhost:3000', + providers: [ + // Optional: OAuth providers + // { id: 'google', clientId: '...', clientSecret: '...' }, + ], + })); + + // HTTP server + await kernel.use(new HonoServerPlugin({ port: 3000 })); + + await kernel.bootstrap(); +} + +startServer(); +``` + +### 5.3 Runtime Initialization ```typescript // App.tsx — Bootstrap the low-code runtime @@ -312,7 +369,7 @@ function App() { }); return ( - + =18'} + '@better-auth/core@1.4.18': + resolution: {integrity: sha512-q+awYgC7nkLEBdx2sW0iJjkzgSHlIxGnOpsN1r/O1+a4m7osJNHtfK2mKJSL1I+GfNyIlxJF8WvD/NLuYMpmcg==} + peerDependencies: + '@better-auth/utils': 0.3.0 + '@better-fetch/fetch': 1.1.21 + better-call: 1.1.8 + jose: ^6.1.0 + kysely: ^0.28.5 + nanostores: ^1.0.1 + + '@better-auth/telemetry@1.4.18': + resolution: {integrity: sha512-e5rDF8S4j3Um/0LIVATL2in9dL4lfO2fr2v1Wio4qTMRbfxqnUDTa+6SZtwdeJrbc4O+a3c+IyIpjG9Q/6GpfQ==} + peerDependencies: + '@better-auth/core': 1.4.18 + + '@better-auth/utils@0.3.0': + resolution: {integrity: sha512-W+Adw6ZA6mgvnSnhOki270rwJ42t4XzSK6YWGF//BbVXL6SwCLWfyzBc1lN2m/4RM28KubdBKQ4X5VMoLRNPQw==} + + '@better-fetch/fetch@1.1.21': + resolution: {integrity: sha512-/ImESw0sskqlVR94jB+5+Pxjf+xBwDZF/N5+y2/q4EqD7IARUTSpPfIo8uf39SYpCxyOCtbyYpUrZ3F/k0zT4A==} + '@changesets/apply-release-plan@7.0.14': resolution: {integrity: sha512-ddBvf9PHdy2YY0OUiEl3TV78mH9sckndJR14QAt87KLEbIov81XO0q0QAmvooBxXlqRRP8I9B7XOzZwQG7JkWA==} @@ -3909,6 +3933,10 @@ packages: resolution: {integrity: sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==} engines: {node: ^14.21.3 || >=16} + '@noble/ciphers@2.1.1': + resolution: {integrity: sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw==} + engines: {node: '>= 20.19.0'} + '@noble/curves@1.9.7': resolution: {integrity: sha512-gbKGcRUYIjA3/zCCNaWDciTMFI0dCkvou3TL8Zmy5Nc7sJ47a0jtOeZoTaMxkuqRo9cRhjOdZJXegxYE5FN/xw==} engines: {node: ^14.21.3 || >=16} @@ -3917,6 +3945,10 @@ packages: resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==} engines: {node: ^14.21.3 || >=16} + '@noble/hashes@2.0.1': + resolution: {integrity: sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw==} + engines: {node: '>= 20.19.0'} + '@nodelib/fs.scandir@2.1.5': resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==} engines: {node: '>= 8'} @@ -3929,49 +3961,52 @@ packages: resolution: {integrity: sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==} engines: {node: '>= 8'} - '@objectstack/cli@2.0.1': - resolution: {integrity: sha512-VRtqTr/pFFy1MoM2/6UMT4UDPp1Z3aHfnS9McoDQvjTdXC9dcl4O15PvonLFl1OAtnphdbUopsDiBqd5FDO6vA==} + '@objectstack/cli@2.0.4': + resolution: {integrity: sha512-GKZIi2ney3JHpdNVbnjftMl5R7kiREyp2hTYfKQQ/WXFhy7QdRO7MpmS9mGQbMZyxOzCu8LFPX1lKPPgoB1ZmA==} hasBin: true peerDependencies: - '@objectstack/core': 2.0.1 + '@objectstack/core': 2.0.4 - '@objectstack/client@2.0.1': - resolution: {integrity: sha512-2+JUM+oxqhNger8mF/NN3AzQUkm/VZx9/6wjMoJxVklgiiLfqHELLWpkZXmVGR4g2A+mq4aqULqYsAg+gwV6qA==} + '@objectstack/client@2.0.4': + resolution: {integrity: sha512-6/1g8XBWVXqy3b6cxUDLwuRY0wDbrUAcC8m4h18NJ+ZyH9R+7FrZFt7HIknIOJx3HfHPZuCqlQNDRjsnqO9csg==} - '@objectstack/core@2.0.1': - resolution: {integrity: sha512-RX+SEBE3mLrXyR6/KZwjlvu41CepxJjmhTvt0LX05kqaX6UgGz9T5UBQUdXUSMDUsxg53mwDRkQXgrffcKSPDg==} + '@objectstack/core@2.0.4': + resolution: {integrity: sha512-mFqDxZek7n74oBxHbvAppQgAO2uGUkdJHn3Vm1+eroX5GcKB+zAz3g91uzln9wKqQNo3ZQaq/F8PBqJB1kjQxg==} peerDependencies: pino: ^8.0.0 peerDependenciesMeta: pino: optional: true - '@objectstack/driver-memory@2.0.1': - resolution: {integrity: sha512-cgSU1a0SO2RLAVqz1msZO6DrE76QZO48HH/0L12MKyILSjwgnQnmHTf1qttm3PKq8W15ag0P6mxIBK7vJGZEqw==} + '@objectstack/driver-memory@2.0.4': + resolution: {integrity: sha512-LdPvf2IB+5y+mVhl36tG89AL9rwRM8YShQ0wUUCE75/JqiAnpb9klcVvytA4bBVIped/dXZUP/zvqYCeq9lP8w==} + + '@objectstack/objectql@2.0.4': + resolution: {integrity: sha512-c3bim7bhmcFnSCWDM2cDbZMJvxaDPYYDTEq6CvBcpBnae7X87PpovSO0xxz7RTV3fYm8pBWMEAx0NgfSgzmlZA==} - '@objectstack/objectql@2.0.1': - resolution: {integrity: sha512-ehSTiEN6ioICuXnCqjAvBh6yk5YHkndnHN6V5gTUm1fXN9We+zPJQznC5fSw+6nPlpL9hwbxT7VsjUJas9w4ng==} + '@objectstack/plugin-auth@2.0.3': + resolution: {integrity: sha512-9kzUCEfqa95OqIkPvK4DpelgdcowRawKMxGs4Hbky2kz9ru2fDsv9pIBgyt7fOGD+QmMFvtMpf5U8wc7I4EHHQ==} - '@objectstack/plugin-hono-server@2.0.1': - resolution: {integrity: sha512-atw9OtwBporjjNZFZA6GTyr0Yk694HY+eR6O3Ds9vcwDnjKgXazyk2m65f+JwkgZ4MnxuQzqx9ISwNY/SiMp9g==} + '@objectstack/plugin-hono-server@2.0.4': + resolution: {integrity: sha512-/Wz+UMmuWXRbI+M41y74LNdPA9k7IeehNOaAKc1A2pUitACdMNErR0plFKLzVYfaFzOVixGBO7yu50P0pu3Z9g==} - '@objectstack/plugin-msw@2.0.1': - resolution: {integrity: sha512-bv2mMep5f8Xx0x5lMsjoe2dES3JbDW/cppbDCF+rCaNZ1iDemzk/OB/fUd28tw8VovDFTfjX/2NoJ25uRWAjLA==} + '@objectstack/plugin-msw@2.0.4': + resolution: {integrity: sha512-OlH/U1Bn8UqG78GX8HBszlAv2JTDJwCMrRI+aR/2jDXeG0JMr0Bf0u0bN/ycb2BQwZtbCk61c+71Ud8Z8w4V/Q==} peerDependencies: - '@objectstack/runtime': 2.0.1 + '@objectstack/runtime': 2.0.4 - '@objectstack/rest@2.0.1': - resolution: {integrity: sha512-Xkoj7xVz2Z7CKd9RXZygJjkTeqNiNcZKTY53bfC3nGYyFdgA+2lWfEXaIzwWUk/a8zM41RmaFb7nzo1rC0TU4w==} + '@objectstack/rest@2.0.4': + resolution: {integrity: sha512-K3B8nEtCTj378/gxyKnA1Rzt+mY6MR24DXT6tv3EGVE3ZtuJpJU7djCYcM5dUEZyF6fEUgg+8P3Z8Gwsjeng3w==} - '@objectstack/runtime@2.0.1': - resolution: {integrity: sha512-6HbbPN4Msb3PGEhNEvdYNz+jK8s1SU0NL6Y8DuQifwkUK+sxo9ekOY8/eQQSSZbGHPhvIp308suUW+LmLQlLSQ==} + '@objectstack/runtime@2.0.4': + resolution: {integrity: sha512-OWwRw7DedUMwKGbdI71EgF9EmLj1hwydz1xZNmbkgvxnkdqbRtkDmjlw+ED/52iKnsyJMHhuXAY13CzaIpeiUA==} - '@objectstack/spec@2.0.1': - resolution: {integrity: sha512-NgaMpmcXBT+AGQuCTwIYqVxKZkGs9WO5zeNIz17J8lPQ0SrhS+Hzv+5KVhOO98G4MqyJCDkodI8XMms/TVSMTg==} + '@objectstack/spec@2.0.4': + resolution: {integrity: sha512-aK7/+f9KV1f2xoQsvxq7yoktevKjR51hq5on6bGBtKYU2MtxHs7TGcXG4D7EbXeQxNmYdtE3OX9Vow0GRPYNdQ==} engines: {node: '>=18.0.0'} - '@objectstack/types@2.0.1': - resolution: {integrity: sha512-X0aZK3OrvvGogfhpqvmL+8eHpXcJNRxsbts0PrbXGFoxgwOxrxx0YR87SNO7qg+Na06LGOOtWuLXx9ZwcOVrgQ==} + '@objectstack/types@2.0.4': + resolution: {integrity: sha512-Iap9gIoMen+1mEGZOmSvMZXdpNtpc+9saJqg7fbc+qd8DUCoSky+tCK13c52YAvYcBJppusB3jVKEGQHjtEoRg==} '@open-draft/deferred-promise@2.2.0': resolution: {integrity: sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA==} @@ -6272,6 +6307,76 @@ packages: resolution: {integrity: sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg==} hasBin: true + better-auth@1.4.18: + resolution: {integrity: sha512-bnyifLWBPcYVltH3RhS7CM62MoelEqC6Q+GnZwfiDWNfepXoQZBjEvn4urcERC7NTKgKq5zNBM8rvPvRBa6xcg==} + peerDependencies: + '@lynx-js/react': '*' + '@prisma/client': ^5.0.0 || ^6.0.0 || ^7.0.0 + '@sveltejs/kit': ^2.0.0 + '@tanstack/react-start': ^1.0.0 + '@tanstack/solid-start': ^1.0.0 + better-sqlite3: ^12.0.0 + drizzle-kit: '>=0.31.4' + drizzle-orm: '>=0.41.0' + mongodb: ^6.0.0 || ^7.0.0 + mysql2: ^3.0.0 + next: ^14.0.0 || ^15.0.0 || ^16.0.0 + pg: ^8.0.0 + prisma: ^5.0.0 || ^6.0.0 || ^7.0.0 + react: 19.2.4 + react-dom: 19.2.4 + solid-js: ^1.0.0 + svelte: ^4.0.0 || ^5.0.0 + vitest: ^2.0.0 || ^3.0.0 || ^4.0.0 + vue: ^3.0.0 + peerDependenciesMeta: + '@lynx-js/react': + optional: true + '@prisma/client': + optional: true + '@sveltejs/kit': + optional: true + '@tanstack/react-start': + optional: true + '@tanstack/solid-start': + optional: true + better-sqlite3: + optional: true + drizzle-kit: + optional: true + drizzle-orm: + optional: true + mongodb: + optional: true + mysql2: + optional: true + next: + optional: true + pg: + optional: true + prisma: + optional: true + react: + optional: true + react-dom: + optional: true + solid-js: + optional: true + svelte: + optional: true + vitest: + optional: true + vue: + optional: true + + better-call@1.1.8: + resolution: {integrity: sha512-XMQ2rs6FNXasGNfMjzbyroSwKwYbZ/T3IxruSS6U2MJRsSYh3wYtG3o6H00ZlKZ/C/UPOAD97tqgQJNsxyeTXw==} + peerDependencies: + zod: ^4.0.0 + peerDependenciesMeta: + zod: + optional: true + better-opn@3.0.2: resolution: {integrity: sha512-aVNobHnJqLiUelTaHat9DZ1qM2w0C0Eym4LPI/3JxOnSokGVdsl1T1kN7TFvsEAD8G47A6VKQ0TVHqbBnYMJlQ==} engines: {node: '>=12.0.0'} @@ -6845,6 +6950,9 @@ packages: resolution: {integrity: sha512-N+MeXYoqr3pOgn8xfyRPREN7gHakLYjhsHhWGT3fWAiL4IkAt0iDw14QiiEm2bE30c5XX5q0FtAA3CK5f9/BUg==} engines: {node: '>=12'} + defu@6.1.4: + resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==} + delayed-stream@1.0.0: resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==} engines: {node: '>=0.4.0'} @@ -8492,6 +8600,10 @@ packages: kolorist@1.8.0: resolution: {integrity: sha512-Y+60/zizpJ3HRH8DCss+q95yr6145JXZo46OTpFvDZWLfRCE4qChOyk1b26nMaNpfHHgxagk9dXT5OP0Tfe+dQ==} + kysely@0.28.11: + resolution: {integrity: sha512-zpGIFg0HuoC893rIjYX1BETkVWdDnzTzF5e0kWXJFg5lE0k1/LfNWBejrcnOFu8Q2Rfq/hTDTU7XLUM8QOrpzg==} + engines: {node: '>=20.0.0'} + leven@3.1.0: resolution: {integrity: sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A==} engines: {node: '>=6'} @@ -9093,6 +9205,10 @@ packages: engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} hasBin: true + nanostores@1.1.0: + resolution: {integrity: sha512-yJBmDJr18xy47dbNVlHcgdPrulSn1nhSE6Ns9vTG+Nx9VPT6iV1MD6aQFp/t52zpf82FhLLTXAXr30NuCnxvwA==} + engines: {node: ^20.0.0 || >=22.0.0} + napi-build-utils@2.0.0: resolution: {integrity: sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA==} @@ -10049,6 +10165,9 @@ packages: engines: {node: '>=18.0.0', npm: '>=8.0.0'} hasBin: true + rou3@0.7.12: + resolution: {integrity: sha512-iFE4hLDuloSWcD7mjdCDhx2bKcIsYbtOTpfH5MHHLSKMOUyjqQXTeZVa289uuwEGEKFoE/BAPbhaU4B774nceg==} + router@2.2.0: resolution: {integrity: sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==} engines: {node: '>= 18'} @@ -11792,6 +11911,27 @@ snapshots: '@bcoe/v8-coverage@1.0.2': {} + '@better-auth/core@1.4.18(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.11)(nanostores@1.1.0)': + dependencies: + '@better-auth/utils': 0.3.0 + '@better-fetch/fetch': 1.1.21 + '@standard-schema/spec': 1.1.0 + better-call: 1.1.8(zod@4.3.6) + jose: 6.1.3 + kysely: 0.28.11 + nanostores: 1.1.0 + zod: 4.3.6 + + '@better-auth/telemetry@1.4.18(@better-auth/core@1.4.18(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.11)(nanostores@1.1.0))': + dependencies: + '@better-auth/core': 1.4.18(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.11)(nanostores@1.1.0) + '@better-auth/utils': 0.3.0 + '@better-fetch/fetch': 1.1.21 + + '@better-auth/utils@0.3.0': {} + + '@better-fetch/fetch@1.1.21': {} + '@changesets/apply-release-plan@7.0.14': dependencies: '@changesets/config': 3.1.2 @@ -12366,9 +12506,9 @@ snapshots: '@eslint/core': 0.17.0 levn: 0.4.1 - '@exodus/bytes@1.11.0(@noble/hashes@1.8.0)': + '@exodus/bytes@1.11.0(@noble/hashes@2.0.1)': optionalDependencies: - '@noble/hashes': 1.8.0 + '@noble/hashes': 2.0.1 '@floating-ui/core@1.7.4': dependencies: @@ -13067,12 +13207,16 @@ snapshots: '@noble/ciphers@1.3.0': {} + '@noble/ciphers@2.1.1': {} + '@noble/curves@1.9.7': dependencies: '@noble/hashes': 1.8.0 '@noble/hashes@1.8.0': {} + '@noble/hashes@2.0.1': {} + '@nodelib/fs.scandir@2.1.5': dependencies: '@nodelib/fs.stat': 2.0.5 @@ -13085,101 +13229,128 @@ snapshots: '@nodelib/fs.scandir': 2.1.5 fastq: 1.20.1 - '@objectstack/cli@2.0.1(@objectstack/core@2.0.1(pino@8.21.0))(esbuild@0.27.3)(pino@8.21.0)': + '@objectstack/cli@2.0.4(@objectstack/core@2.0.4(pino@8.21.0))(esbuild@0.27.3)(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/driver-memory': 2.0.1(pino@8.21.0) - '@objectstack/objectql': 2.0.1(pino@8.21.0) - '@objectstack/plugin-hono-server': 2.0.1(pino@8.21.0) - '@objectstack/rest': 2.0.1(pino@8.21.0) - '@objectstack/runtime': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/driver-memory': 2.0.4(pino@8.21.0) + '@objectstack/objectql': 2.0.4(pino@8.21.0) + '@objectstack/plugin-hono-server': 2.0.4(pino@8.21.0) + '@objectstack/rest': 2.0.4(pino@8.21.0) + '@objectstack/runtime': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 bundle-require: 5.1.0(esbuild@0.27.3) chalk: 5.6.2 commander: 14.0.3 tsx: 4.21.0 - zod: 3.25.76 + zod: 4.3.6 transitivePeerDependencies: - esbuild - pino - '@objectstack/client@2.0.1(pino@8.21.0)': + '@objectstack/client@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 transitivePeerDependencies: - pino - '@objectstack/core@2.0.1(pino@8.21.0)': + '@objectstack/core@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/spec': 2.0.1 + '@objectstack/spec': 2.0.4 pino-pretty: 13.1.3 - zod: 3.25.76 + zod: 4.3.6 optionalDependencies: pino: 8.21.0 - '@objectstack/driver-memory@2.0.1(pino@8.21.0)': + '@objectstack/driver-memory@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 transitivePeerDependencies: - pino - '@objectstack/objectql@2.0.1(pino@8.21.0)': + '@objectstack/objectql@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 - '@objectstack/types': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 + '@objectstack/types': 2.0.4 transitivePeerDependencies: - pino - '@objectstack/plugin-hono-server@2.0.1(pino@8.21.0)': + '@objectstack/plugin-auth@2.0.3(next@16.1.6(@babel/core@7.29.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(pino@8.21.0)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18)': + dependencies: + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 + better-auth: 1.4.18(next@16.1.6(@babel/core@7.29.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18) + transitivePeerDependencies: + - '@lynx-js/react' + - '@prisma/client' + - '@sveltejs/kit' + - '@tanstack/react-start' + - '@tanstack/solid-start' + - better-sqlite3 + - drizzle-kit + - drizzle-orm + - mongodb + - mysql2 + - next + - pg + - pino + - prisma + - react + - react-dom + - solid-js + - svelte + - vitest + - vue + + '@objectstack/plugin-hono-server@2.0.4(pino@8.21.0)': dependencies: '@hono/node-server': 1.19.9(hono@4.11.9) - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 hono: 4.11.9 transitivePeerDependencies: - pino - '@objectstack/plugin-msw@2.0.1(@objectstack/runtime@2.0.1(pino@8.21.0))(@types/node@25.2.2)(pino@8.21.0)(typescript@5.9.3)': + '@objectstack/plugin-msw@2.0.4(@objectstack/runtime@2.0.4(pino@8.21.0))(@types/node@25.2.2)(pino@8.21.0)(typescript@5.9.3)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/objectql': 2.0.1(pino@8.21.0) - '@objectstack/runtime': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 - '@objectstack/types': 2.0.1 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/objectql': 2.0.4(pino@8.21.0) + '@objectstack/runtime': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 + '@objectstack/types': 2.0.4 msw: 2.12.9(@types/node@25.2.2)(typescript@5.9.3) transitivePeerDependencies: - '@types/node' - pino - typescript - '@objectstack/rest@2.0.1(pino@8.21.0)': + '@objectstack/rest@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 - zod: 3.25.76 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 + zod: 4.3.6 transitivePeerDependencies: - pino - '@objectstack/runtime@2.0.1(pino@8.21.0)': + '@objectstack/runtime@2.0.4(pino@8.21.0)': dependencies: - '@objectstack/core': 2.0.1(pino@8.21.0) - '@objectstack/rest': 2.0.1(pino@8.21.0) - '@objectstack/spec': 2.0.1 - '@objectstack/types': 2.0.1 - zod: 3.25.76 + '@objectstack/core': 2.0.4(pino@8.21.0) + '@objectstack/rest': 2.0.4(pino@8.21.0) + '@objectstack/spec': 2.0.4 + '@objectstack/types': 2.0.4 + zod: 4.3.6 transitivePeerDependencies: - pino - '@objectstack/spec@2.0.1': + '@objectstack/spec@2.0.4': dependencies: - zod: 3.25.76 + zod: 4.3.6 - '@objectstack/types@2.0.1': + '@objectstack/types@2.0.4': dependencies: - '@objectstack/spec': 2.0.1 + '@objectstack/spec': 2.0.4 '@open-draft/deferred-promise@2.2.0': {} @@ -15176,7 +15347,7 @@ snapshots: obug: 2.1.1 std-env: 3.10.0 tinyrainbow: 3.0.3 - vitest: 4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@1.8.0))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0) + vitest: 4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@2.0.1))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0) '@vitest/expect@1.6.1': dependencies: @@ -15263,7 +15434,7 @@ snapshots: sirv: 3.0.2 tinyglobby: 0.2.15 tinyrainbow: 3.0.3 - vitest: 4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@1.8.0))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0) + vitest: 4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@2.0.1))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0) '@vitest/utils@1.6.1': dependencies: @@ -15709,6 +15880,35 @@ snapshots: baseline-browser-mapping@2.9.19: {} + better-auth@1.4.18(next@16.1.6(@babel/core@7.29.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@4.0.18): + dependencies: + '@better-auth/core': 1.4.18(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.11)(nanostores@1.1.0) + '@better-auth/telemetry': 1.4.18(@better-auth/core@1.4.18(@better-auth/utils@0.3.0)(@better-fetch/fetch@1.1.21)(better-call@1.1.8(zod@4.3.6))(jose@6.1.3)(kysely@0.28.11)(nanostores@1.1.0)) + '@better-auth/utils': 0.3.0 + '@better-fetch/fetch': 1.1.21 + '@noble/ciphers': 2.1.1 + '@noble/hashes': 2.0.1 + better-call: 1.1.8(zod@4.3.6) + defu: 6.1.4 + jose: 6.1.3 + kysely: 0.28.11 + nanostores: 1.1.0 + zod: 4.3.6 + optionalDependencies: + next: 16.1.6(@babel/core@7.29.0)(@playwright/test@1.58.2)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + react: 19.2.4 + react-dom: 19.2.4(react@19.2.4) + vitest: 4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@2.0.1))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0) + + better-call@1.1.8(zod@4.3.6): + dependencies: + '@better-auth/utils': 0.3.0 + '@better-fetch/fetch': 1.1.21 + rou3: 0.7.12 + set-cookie-parser: 2.7.2 + optionalDependencies: + zod: 4.3.6 + better-opn@3.0.2: dependencies: open: 8.4.2 @@ -16193,10 +16393,10 @@ snapshots: data-uri-to-buffer@4.0.1: {} - data-urls@7.0.0(@noble/hashes@1.8.0): + data-urls@7.0.0(@noble/hashes@2.0.1): dependencies: whatwg-mimetype: 5.0.0 - whatwg-url: 16.0.0(@noble/hashes@1.8.0) + whatwg-url: 16.0.0(@noble/hashes@2.0.1) transitivePeerDependencies: - '@noble/hashes' @@ -16267,6 +16467,8 @@ snapshots: define-lazy-prop@3.0.0: {} + defu@6.1.4: {} + delayed-stream@1.0.0: {} depd@2.0.0: {} @@ -17525,9 +17727,9 @@ snapshots: dependencies: lru-cache: 10.4.3 - html-encoding-sniffer@6.0.0(@noble/hashes@1.8.0): + html-encoding-sniffer@6.0.0(@noble/hashes@2.0.1): dependencies: - '@exodus/bytes': 1.11.0(@noble/hashes@1.8.0) + '@exodus/bytes': 1.11.0(@noble/hashes@2.0.1) transitivePeerDependencies: - '@noble/hashes' @@ -18250,15 +18452,15 @@ snapshots: jsdoc-type-pratt-parser@4.8.0: {} - jsdom@28.0.0(@noble/hashes@1.8.0): + jsdom@28.0.0(@noble/hashes@2.0.1): dependencies: '@acemir/cssom': 0.9.31 '@asamuzakjp/dom-selector': 6.7.7 - '@exodus/bytes': 1.11.0(@noble/hashes@1.8.0) + '@exodus/bytes': 1.11.0(@noble/hashes@2.0.1) cssstyle: 5.3.7 - data-urls: 7.0.0(@noble/hashes@1.8.0) + data-urls: 7.0.0(@noble/hashes@2.0.1) decimal.js: 10.6.0 - html-encoding-sniffer: 6.0.0(@noble/hashes@1.8.0) + html-encoding-sniffer: 6.0.0(@noble/hashes@2.0.1) http-proxy-agent: 7.0.2 https-proxy-agent: 7.0.6 is-potential-custom-element-name: 1.0.1 @@ -18270,7 +18472,7 @@ snapshots: w3c-xmlserializer: 5.0.0 webidl-conversions: 8.0.1 whatwg-mimetype: 5.0.0 - whatwg-url: 16.0.0(@noble/hashes@1.8.0) + whatwg-url: 16.0.0(@noble/hashes@2.0.1) xml-name-validator: 5.0.0 transitivePeerDependencies: - '@noble/hashes' @@ -18350,6 +18552,8 @@ snapshots: kolorist@1.8.0: {} + kysely@0.28.11: {} + leven@3.1.0: {} levn@0.4.1: @@ -19169,6 +19373,8 @@ snapshots: nanoid@3.3.11: {} + nanostores@1.1.0: {} + napi-build-utils@2.0.0: optional: true @@ -20273,6 +20479,8 @@ snapshots: '@rollup/rollup-win32-x64-msvc': 4.57.1 fsevents: 2.3.3 + rou3@0.7.12: {} + router@2.2.0: dependencies: debug: 4.4.3 @@ -21417,7 +21625,7 @@ snapshots: lightningcss: 1.30.2 tsx: 4.21.0 - vitest@1.6.1(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jsdom@28.0.0(@noble/hashes@1.8.0))(lightningcss@1.30.2): + vitest@1.6.1(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jsdom@28.0.0(@noble/hashes@2.0.1))(lightningcss@1.30.2): dependencies: '@vitest/expect': 1.6.1 '@vitest/runner': 1.6.1 @@ -21443,7 +21651,7 @@ snapshots: '@types/node': 25.2.2 '@vitest/ui': 4.0.18(vitest@4.0.18) happy-dom: 20.5.3 - jsdom: 28.0.0(@noble/hashes@1.8.0) + jsdom: 28.0.0(@noble/hashes@2.0.1) transitivePeerDependencies: - less - lightningcss @@ -21454,7 +21662,7 @@ snapshots: - supports-color - terser - vitest@4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@1.8.0))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0): + vitest@4.0.18(@types/node@25.2.2)(@vitest/ui@4.0.18)(happy-dom@20.5.3)(jiti@2.6.1)(jsdom@28.0.0(@noble/hashes@2.0.1))(lightningcss@1.30.2)(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(tsx@4.21.0): dependencies: '@vitest/expect': 4.0.18 '@vitest/mocker': 4.0.18(msw@2.12.9(@types/node@25.2.2)(typescript@5.9.3))(vite@7.3.1(@types/node@25.2.2)(jiti@2.6.1)(lightningcss@1.30.2)(tsx@4.21.0)) @@ -21480,7 +21688,7 @@ snapshots: '@types/node': 25.2.2 '@vitest/ui': 4.0.18(vitest@4.0.18) happy-dom: 20.5.3 - jsdom: 28.0.0(@noble/hashes@1.8.0) + jsdom: 28.0.0(@noble/hashes@2.0.1) transitivePeerDependencies: - jiti - less @@ -21562,9 +21770,9 @@ snapshots: whatwg-mimetype@5.0.0: {} - whatwg-url@16.0.0(@noble/hashes@1.8.0): + whatwg-url@16.0.0(@noble/hashes@2.0.1): dependencies: - '@exodus/bytes': 1.11.0(@noble/hashes@1.8.0) + '@exodus/bytes': 1.11.0(@noble/hashes@2.0.1) tr46: 6.0.0 webidl-conversions: 8.0.1 transitivePeerDependencies: From 1a9bea1770761e3925b445450d92391a89d4ac4b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Feb 2026 16:03:17 +0000 Subject: [PATCH 3/4] docs: clarify dev-only fallback secret in CRM example server Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com> --- examples/crm/server.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/crm/server.ts b/examples/crm/server.ts index 0ce8e0b81..60082937d 100644 --- a/examples/crm/server.ts +++ b/examples/crm/server.ts @@ -44,6 +44,7 @@ async function startServer() { await kernel.use(appPlugin); // 4. Authentication (via @objectstack/plugin-auth) + // NOTE: In production, always set AUTH_SECRET env var. The fallback is for local development only. const authPlugin = new AuthPlugin({ secret: process.env.AUTH_SECRET || 'objectui-dev-secret', baseUrl: 'http://localhost:3000', From 771fd1943c2621a5d874506732406b4c92c5f3a4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Feb 2026 16:42:26 +0000 Subject: [PATCH 4/4] fix: add crypto external for Vite builds to support @objectstack/core@2.0.4 @objectstack/core@2.0.4 statically imports Node.js crypto module for plugin hashing. The code has a browser fallback, so we mark crypto as external in both the console and msw-todo Vite configs to fix browser bundle builds. Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com> --- apps/console/vite.config.ts | 8 ++++++++ examples/msw-todo/vite.config.ts | 10 +++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/apps/console/vite.config.ts b/apps/console/vite.config.ts index 194076ab4..73d0fcc18 100644 --- a/apps/console/vite.config.ts +++ b/apps/console/vite.config.ts @@ -73,6 +73,14 @@ export default defineConfig({ transformMixedEsModules: true }, rollupOptions: { + // @objectstack/core@2.0.4 statically imports Node.js crypto (for plugin hashing). + // The code already has a browser fallback, so we treat it as external in the browser build. + external: ['crypto'], + output: { + globals: { + crypto: '{}', + }, + }, onwarn(warning, warn) { if ( warning.code === 'UNRESOLVED_IMPORT' && diff --git a/examples/msw-todo/vite.config.ts b/examples/msw-todo/vite.config.ts index 42f131fef..cdda3a5a4 100644 --- a/examples/msw-todo/vite.config.ts +++ b/examples/msw-todo/vite.config.ts @@ -35,7 +35,15 @@ export default defineConfig({ return; } warn(warning); - } + }, + // @objectstack/core@2.0.4 statically imports Node.js crypto (for plugin hashing). + // The code already has a browser fallback, so we treat it as external in the browser build. + external: ['crypto'], + output: { + globals: { + crypto: '{}', + }, + }, } } });