Upgrade @objectstack to v2.0.4, add plugin-auth for server-side authentication

OBJECTSTACK_CLIENT_EVALUATION.md

@@ -1,8 +1,9 @@
 # @objectstack/client Evaluation for Low-Code App UI Development
 
 > **Date:** February 10, 2026  
-> **Spec Version:** @objectstack/spec v2.0.1  
-> **Client Version:** @objectstack/client v2.0.1  
+> **Spec Version:** @objectstack/spec v2.0.4  
+> **Client Version:** @objectstack/client v2.0.4  
+> **Auth Plugin Version:** @objectstack/plugin-auth v2.0.3  
 > **ObjectUI Version:** v0.5.x  
 > **Scope:** Evaluate whether @objectstack/client can fully support developing a complete low-code application UI based on the @objectstack/spec protocol
 
@@ -104,6 +105,7 @@ The @objectstack/spec defines `ActionSchema` with 5 action types:
 
 | Capability | Implementation | Client Dependency | Status |
 |------------|---------------|-------------------|--------|
+| **Server-Side Auth** | `@objectstack/plugin-auth` (AuthPlugin) | ObjectKernel plugin | ✅ Complete |
 | **Token Authentication** | `ObjectStackAdapter({ token })` | Client constructor | ✅ Complete |
 | **Dynamic Token Injection** | `ObjectStackAdapter({ fetch })` | Custom fetch wrapper | ✅ Complete |
 | **Session Management** | `@object-ui/auth` (AuthProvider) | better-auth integration | ✅ Complete |
@@ -114,7 +116,7 @@ The @objectstack/spec defines `ActionSchema` with 5 action types:
 | **OAuth/SSO** | better-auth plugins | External auth providers | ✅ Complete |
 | **Multi-Factor Auth** | better-auth 2FA plugin | External auth providers | ✅ Available |
 
-**Auth Assessment: 100% — Full auth stack is implemented via @object-ui/auth + better-auth.**
+**Auth Assessment: 100% — Full auth stack is implemented. Server-side via @objectstack/plugin-auth (better-auth powered, ObjectQL persistence). Client-side via @object-ui/auth + better-auth.**
 
 ### 2.6 Multi-Tenancy
 
@@ -170,6 +172,19 @@ A complete low-code app built on @objectstack/spec follows this data flow:
 │         │                                                            │
 │         ▼                                                            │
 │  ┌──────────────────────────────────────────────────────────────┐   │
+│  │                   ObjectStack Server                          │   │
+│  │                                                               │   │
+│  │  ObjectKernel                                                 │   │
+│  │    ├── ObjectQLPlugin     (query engine)                      │   │
+│  │    ├── DriverPlugin       (data storage)                      │   │
+│  │    ├── AuthPlugin         (@objectstack/plugin-auth)          │   │
+│  │    │     └── better-auth  (session, OAuth, 2FA, passkeys)     │   │
+│  │    ├── HonoServerPlugin   (HTTP /api/v1/*)                    │   │
+│  │    └── AppPlugin          (stack config)                      │   │
+│  └──────────────────────────────────────────────────────────────┘   │
+│         │                                                            │
+│         ▼                                                            │
+│  ┌──────────────────────────────────────────────────────────────┐   │
 │  │                    ObjectUI Runtime                           │   │
 │  │                                                               │   │
 │  │  AuthProvider → PermissionProvider → TenantProvider            │   │
@@ -208,7 +223,7 @@ A complete low-code app built on @objectstack/spec follows this data flow:
 | **Validation Rules** | `Data.Validation` | Server + client-side | `@object-ui/core` | ✅ Yes |
 | **Permissions/RBAC** | `Security.RBAC` | Role data from server | `@object-ui/permissions` | ✅ Yes |
 | **Multi-Tenancy** | `System.Tenant` | X-Tenant-ID header | `@object-ui/tenant` | ✅ Yes |
-| **Authentication** | `Identity.Auth` | Token via custom fetch | `@object-ui/auth` | ✅ Yes |
+| **Authentication** | `Identity.Auth` | Token via custom fetch | `@object-ui/auth` + `@objectstack/plugin-auth` | ✅ Yes |
 | **i18n** | `Shared.i18n` | None (client-side) | `@object-ui/i18n` | ✅ Yes |
 | **Theming** | `UI.Theme` | None (client-side) | Theme Provider | ✅ Yes |
 | **AI Assistance** | `AI.Config` | AI API endpoints | `plugin-ai` | ✅ Yes |
@@ -291,7 +306,49 @@ export default defineStack({
 });
 ```
 
-### 5.2 Runtime Initialization
+### 5.2 Server-Side Setup (with @objectstack/plugin-auth)
+
+```typescript
+// server.ts — Bootstrap the ObjectStack server with authentication
+import { ObjectKernel } from '@objectstack/core';
+import { ObjectQLPlugin } from '@objectstack/objectql';
+import { AppPlugin, DriverPlugin } from '@objectstack/runtime';
+import { HonoServerPlugin } from '@objectstack/plugin-hono-server';
+import { InMemoryDriver } from '@objectstack/driver-memory';
+import { AuthPlugin } from '@objectstack/plugin-auth';
+import config from './objectstack.config';
+
+async function startServer() {
+  const kernel = new ObjectKernel();
+
+  // Core engine + data driver
+  await kernel.use(new ObjectQLPlugin());
+  await kernel.use(new DriverPlugin(new InMemoryDriver()));
+
+  // Application stack
+  await kernel.use(new AppPlugin(config));
+
+  // Authentication via @objectstack/plugin-auth
+  // Provides /api/v1/auth/* endpoints (sign-in, sign-up, session, OAuth, 2FA, etc.)
+  await kernel.use(new AuthPlugin({
+    secret: process.env.AUTH_SECRET || 'dev-secret',
+    baseUrl: 'http://localhost:3000',
+    providers: [
+      // Optional: OAuth providers
+      // { id: 'google', clientId: '...', clientSecret: '...' },
+    ],
+  }));
+
+  // HTTP server
+  await kernel.use(new HonoServerPlugin({ port: 3000 }));
+
+  await kernel.bootstrap();
+}
+
+startServer();
+```
+
+### 5.3 Runtime Initialization
 
 ```typescript
 // App.tsx — Bootstrap the low-code runtime
@@ -312,7 +369,7 @@ function App() {
   });
 
   return (
-    <AuthProvider authUrl="/api/auth">
+    <AuthProvider authUrl="/api/v1/auth">
       <TenantProvider>
         <PermissionProvider>
           <SchemaRenderer
@@ -326,7 +383,7 @@ function App() {
 }
 ```
 
-### 5.3 Object Definition
+### 5.4 Object Definition
 
 ```typescript
 // objects/task.object.ts — Spec-compliant object definition
@@ -382,7 +439,7 @@ export const TaskObject = ObjectSchema.create({
 The combination provides:
 - **Data Layer**: Complete CRUD, bulk ops, metadata, and caching via ObjectStackAdapter
 - **UI Layer**: 35 packages, 91+ components, 13+ view types covering all spec requirements
-- **Security**: Auth, RBAC, field/row-level permissions, multi-tenancy
+- **Security**: Server-side auth via @objectstack/plugin-auth, client-side via @object-ui/auth, RBAC, field/row-level permissions, multi-tenancy
 - **Developer Experience**: TypeScript-first, Shadcn design quality, expression engine
 - **Extensibility**: Plugin system, custom widgets, theme customization
 

apps/console/package.json

@@ -50,19 +50,19 @@
     "@object-ui/plugin-view": "workspace:*",
     "@object-ui/react": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/client": "^2.0.1",
-    "@objectstack/driver-memory": "^2.0.1",
-    "@objectstack/objectql": "^2.0.1",
-    "@objectstack/plugin-msw": "^2.0.1",
-    "@objectstack/runtime": "^2.0.1",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/client": "^2.0.4",
+    "@objectstack/driver-memory": "^2.0.4",
+    "@objectstack/objectql": "^2.0.4",
+    "@objectstack/plugin-msw": "^2.0.4",
+    "@objectstack/runtime": "^2.0.4",
+    "@objectstack/spec": "^2.0.4",
     "lucide-react": "^0.563.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-router-dom": "^7.13.0"
   },
   "devDependencies": {
-    "@objectstack/cli": "^2.0.1",
+    "@objectstack/cli": "^2.0.4",
     "@tailwindcss/postcss": "^4.1.18",
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/react": "^16.1.0",

apps/console/vite.config.ts

@@ -73,6 +73,14 @@ export default defineConfig({
       transformMixedEsModules: true
     },
     rollupOptions: {
+      // @objectstack/core@2.0.4 statically imports Node.js crypto (for plugin hashing).
+      // The code already has a browser fallback, so we treat it as external in the browser build.
+      external: ['crypto'],
+      output: {
+        globals: {
+          crypto: '{}',
+        },
+      },
       onwarn(warning, warn) {
         if (
           warning.code === 'UNRESOLVED_IMPORT' &&

examples/crm/package.json

@@ -15,13 +15,14 @@
     "start": "tsx server.ts"
   },
   "dependencies": {
-    "@objectstack/core": "^2.0.1",
-    "@objectstack/runtime": "^2.0.1",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/core": "^2.0.4",
+    "@objectstack/plugin-auth": "^2.0.3",
+    "@objectstack/runtime": "^2.0.4",
+    "@objectstack/spec": "^2.0.4",
     "pino": "^8.21.0"
   },
   "devDependencies": {
-    "@objectstack/cli": "^2.0.1",
+    "@objectstack/cli": "^2.0.4",
     "typescript": "^5.0.0"
   }
 }

examples/crm/server.ts

@@ -4,6 +4,7 @@ import { ObjectQLPlugin } from '@objectstack/objectql';
 import { AppPlugin, DriverPlugin } from '@objectstack/runtime';
 import { HonoServerPlugin } from '@objectstack/plugin-hono-server';
 import { InMemoryDriver } from '@objectstack/driver-memory';
+import { AuthPlugin } from '@objectstack/plugin-auth';
 import config from './objectstack.config';
 import { pino } from 'pino';
 import { ConsolePlugin } from './console-plugin';
@@ -42,11 +43,19 @@ async function startServer() {
     const appPlugin = new AppPlugin(config);
     await kernel.use(appPlugin);
 
-    // 4. HTTP Server
+    // 4. Authentication (via @objectstack/plugin-auth)
+    // NOTE: In production, always set AUTH_SECRET env var. The fallback is for local development only.
+    const authPlugin = new AuthPlugin({
+      secret: process.env.AUTH_SECRET || 'objectui-dev-secret',
+      baseUrl: 'http://localhost:3000',
+    });
+    await kernel.use(authPlugin);
+
+    // 5. HTTP Server
     const serverPlugin = new HonoServerPlugin({ port: 3000 });
     await kernel.use(serverPlugin);
 
-    // 5. Console Plugin
+    // 6. Console Plugin
     const consolePlugin = new ConsolePlugin();
     await kernel.use(consolePlugin);
 

examples/kitchen-sink/package.json

@@ -14,10 +14,10 @@
     "build": "objectstack compile objectstack.config.ts"
   },
   "dependencies": {
-    "@objectstack/spec": "^2.0.1"
+    "@objectstack/spec": "^2.0.4"
   },
   "devDependencies": {
-    "@objectstack/cli": "^2.0.1",
+    "@objectstack/cli": "^2.0.4",
     "typescript": "^5.0.0"
   }
 }

examples/msw-todo/package.json

@@ -11,12 +11,12 @@
   },
   "dependencies": {
     "@object-ui/example-todo": "workspace:*",
-    "@objectstack/client": "^2.0.1",
-    "@objectstack/driver-memory": "^2.0.1",
-    "@objectstack/objectql": "^2.0.1",
-    "@objectstack/plugin-msw": "^2.0.1",
-    "@objectstack/runtime": "^2.0.1",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/client": "^2.0.4",
+    "@objectstack/driver-memory": "^2.0.4",
+    "@objectstack/objectql": "^2.0.4",
+    "@objectstack/plugin-msw": "^2.0.4",
+    "@objectstack/runtime": "^2.0.4",
+    "@objectstack/spec": "^2.0.4",
     "react": "^18.3.1",
     "react-dom": "^18.3.1"
   },

examples/msw-todo/vite.config.ts

@@ -35,7 +35,15 @@ export default defineConfig({
           return;
         }
         warn(warning);
-      }
+      },
+      // @objectstack/core@2.0.4 statically imports Node.js crypto (for plugin hashing).
+      // The code already has a browser fallback, so we treat it as external in the browser build.
+      external: ['crypto'],
+      output: {
+        globals: {
+          crypto: '{}',
+        },
+      },
     }
   }
 });

examples/todo/package.json

@@ -12,11 +12,11 @@
     "build": "objectstack compile objectstack.config.ts"
   },
   "dependencies": {
-    "@objectstack/client": "^2.0.1",
-    "@objectstack/spec": "^2.0.1"
+    "@objectstack/client": "^2.0.4",
+    "@objectstack/spec": "^2.0.4"
   },
   "devDependencies": {
-    "@objectstack/cli": "^2.0.1",
+    "@objectstack/cli": "^2.0.4",
     "typescript": "^5.0.0"
   }
 }

package.json

@@ -71,13 +71,13 @@
   "devDependencies": {
     "@changesets/cli": "^2.29.8",
     "@eslint/js": "^9.39.1",
-    "@objectstack/cli": "^2.0.1",
-    "@objectstack/core": "^2.0.1",
-    "@objectstack/driver-memory": "^2.0.1",
-    "@objectstack/objectql": "^2.0.1",
-    "@objectstack/plugin-msw": "^2.0.1",
-    "@objectstack/runtime": "^2.0.1",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/cli": "^2.0.4",
+    "@objectstack/core": "^2.0.4",
+    "@objectstack/driver-memory": "^2.0.4",
+    "@objectstack/objectql": "^2.0.4",
+    "@objectstack/plugin-msw": "^2.0.4",
+    "@objectstack/runtime": "^2.0.4",
+    "@objectstack/spec": "^2.0.4",
     "@storybook/addon-essentials": "^8.6.14",
     "@storybook/addon-interactions": "^8.6.14",
     "@storybook/addon-links": "^8.6.15",
@@ -131,7 +131,7 @@
   },
   "dependencies": {
     "@hono/node-server": "^1.19.9",
-    "@objectstack/plugin-hono-server": "^2.0.1",
+    "@objectstack/plugin-hono-server": "^2.0.4",
     "coverage-v8": "0.0.1-security",
     "hono": "^4.11.9",
     "pino": "^8.21.0",

packages/core/package.json

@@ -30,7 +30,7 @@
   },
   "dependencies": {
     "@object-ui/types": "workspace:*",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "lodash": "^4.17.23",
     "zod": "^4.3.6"
   },

packages/data-objectstack/package.json

@@ -30,7 +30,7 @@
   "dependencies": {
     "@object-ui/core": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/client": "^2.0.1"
+    "@objectstack/client": "^2.0.4"
   },
   "devDependencies": {
     "tsup": "^8.0.1",

packages/plugin-gantt/package.json

@@ -36,7 +36,7 @@
     "@object-ui/fields": "workspace:*",
     "@object-ui/react": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "lucide-react": "^0.563.0"
   },
   "peerDependencies": {

packages/plugin-map/package.json

@@ -35,7 +35,7 @@
     "@object-ui/core": "workspace:*",
     "@object-ui/react": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "lucide-react": "^0.563.0",
     "maplibre-gl": "^5.17.0",
     "react-map-gl": "^8.1.0",

packages/plugin-timeline/package.json

@@ -35,7 +35,7 @@
     "@object-ui/core": "workspace:*",
     "@object-ui/react": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "zod": "^4.3.6"
   },
   "peerDependencies": {

packages/react/package.json

@@ -31,7 +31,7 @@
   "dependencies": {
     "@object-ui/core": "workspace:*",
     "@object-ui/types": "workspace:*",
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "react-hook-form": "^7.71.1"
   },
   "peerDependencies": {

packages/types/package.json

@@ -81,7 +81,7 @@
     "directory": "packages/types"
   },
   "dependencies": {
-    "@objectstack/spec": "^2.0.1",
+    "@objectstack/spec": "^2.0.4",
     "zod": "^4.3.6"
   },
   "devDependencies": {