chore: version packages #1256
Merged
os-zhuang added a commit that referenced this pull request May 21, 2026
The package was removed from this repo in #1257 (cloud split) but its entry in .changeset/config.json's `fixed` list was left behind. Every Release workflow run since then has failed with:
ValidationError: The package or glob expression "@objectstack/service-cloud" specified in the `fixed` option does not match any package in the project.
Removing the entry unblocks 'changesets/action', which will then update PR #1256 (chore: version packages) to bump remaining published packages 4.0.5 -> 4.1.0 (minor, driven by the @objectstack/cli changeset added in #1260). Merging that PR triggers npm publish.
Co-authored-by: Jack Zhuang <50353452+hotlong@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
@objectstack/cli@4.1.0
Minor Changes
96fb108: Artifact-first boot:
- `objectstack start` (and `objectstack serve`) now boot directly from a compiled `dist/objectstack.json` when no `objectstack.config.ts` is present.
- `@objectstack/runtime` exports `createDefaultHostConfig()` and `resolveDefaultArtifactPath()` — a standalone-only default host that wraps `createStandaloneStack()` and surfaces the artifact's `requires`/`objects`/`manifest`. No dependency on `@objectstack/service-cloud`.
- `objectstack start` accepts `OS_ARTIFACT_PATH` as a file path or an `http(s)://` URL. New flags `--artifact`, `--database`, `--database-driver`, `--database-auth-token`, `--auth-secret`, `--project-id`, `--port` let you specify all runtime conditions on the command line (each overrides the matching env var).
- `objectstack dev` accepts the same runtime-override flags. When `--artifact` is supplied, the auto-compile step is skipped and the dev server boots the supplied artifact directly — no `objectstack.config.ts` required in cwd.
- `objectstack start` no longer mounts Studio / Account / Console by default — those are dev/admin surfaces. Pass `--ui` to opt back in.
- `objectstack serve` falls back to the default host config when the config file is missing but an artifact is resolvable.
- `apps/objectos` (cloud / multi-project) is unchanged.
8cbc768: CLI no longer hard-depends on `@objectstack/service-cloud`. The control plane (`apps/cloud` + `@objectstack/service-cloud`) and tenant runtime (`apps/objectos`) have been split into a private companion repo `objectstack-ai/cloud`. Framework remains pure open-core.
User impact:
- `os serve --mode=cloud` keeps working in cloud-aware distributions — the CLI loads `@objectstack/service-cloud` via dynamic `import()` with try/catch and surfaces a clear "install the cloud distribution" hint when absent.
- `pnpm dev` / `pnpm start` / `pnpm doctor` scripts in this repo are removed (they were thin filters of `@objectstack/objectos`, which no longer lives here). For a runnable local stack, use one of the examples (`pnpm --filter @example/app-crm dev`).
Patch Changes
@objectstack/metadata@4.1.0
Minor Changes
1234920: v3.1 — Runtime controls & read-through cache.
- `LRUCache` (lazy TTL, promote-on-get, size cap, hits/misses/hitRate stats) wired into `DatabaseLoader.{load,loadMany,list,stat}` with write invalidation. Configured via `cache.databaseLoader`.
- `MetadataPluginConfig.bootstrap` modes: `eager` (default), `lazy`, `artifact-only`. `artifact-only` requires `artifactSource.mode = 'local-file'`.
- `MetadataManagerConfig.persistence` two-axis write gates: `writable` (gates `register()`) and `overlayWritable` (gates `saveOverlay()`). Both default `true`; either becomes a throw under `validation.throwOnError`.
- `MetadataManagerConfigSchema` / `MetadataFallbackStrategySchema` live in `kernel/metadata-loader.zod.ts` and are re-exported from `system/metadata-persistence.zod.ts`.
Patch Changes
@objectstack/objectql@4.1.0
Minor Changes
f0b3972: Driver-level tenant isolation for objects with `organization_id`.
`SqlDriver` now auto-applies a `WHERE organization_id = :tenantId` predicate on every read/update/delete and auto-injects the column on insert when the caller passes `options.tenantId` and the object schema declares an `organization_id` field. `bulkCreate`, `bulkDelete`, `updateMany`, `deleteMany`, `count` and `aggregate` are all scoped.
ObjectQL's engine now threads `ExecutionContext.tenantId` into the driver options for every CRUD entry point (including `expandRelatedRecords`), so a tenant-scoped session can no longer cross tenants — even through lookup expansion or count fallbacks.
Backward compatible: callers that omit `tenantId` (system tasks, seed scripts) keep getting unscoped behaviour. Explicit `organization_id` on an insert row always wins over the contextual `tenantId` so admin tooling can still target a specific tenant.
13 new tests in `sql-driver-tenant-scope.test.ts` verify cross-tenant find/findOne/update/delete/count/bulkCreate/updateMany/deleteMany isolation, the unscoped admin path, and that global objects (no `organization_id`) are not scoped.
Patch Changes
5683206: Document the tenant-isolation bypass on raw `execute()` (both `SqlDriver.execute()` and `engine.execute()`). The behaviour is unchanged — `execute()` has always passed commands through verbatim — but the JSDoc now spells out the security contract so callers know they must inline `WHERE organization_id = ?` themselves or restrict raw execution to genuinely global statements (migrations, control-plane tables).
0e63f2f: Declarative tenant scoping + audit warn for missing tenantId.
`SqlDriver` now reads `obj.tenancy.tenantField` first when picking the tenant column for an object, falling back to the implicit `organization_id` detection so legacy objects keep working without a spec migration. Set `tenancy: { enabled: true, strategy: 'shared', tenantField: 'workspace_id' }` on any object to use a custom column.
Writes (`create`, `update`, `delete`, `bulkCreate`, `bulkDelete`, `updateMany`, `deleteMany`, `upsert`) that target a tenant-scoped object without `options.tenantId` now emit one `[tenant-audit]` warning per `{object}:{op}` so missing-context bugs surface in CI/logs instead of silently writing globally. The engine auto-silences when `ExecutionContext.isSystem === true` (boot-time seeds, kernel mirrors). Callers can opt out per-call with `options.bypassTenantAudit = true` or globally with `OS_TENANT_AUDIT=0`.
Driver README now documents the full scope/bypass matrix and the audit warning.
Three new tests cover the declared-tenant-field path, the audit throttle, and the bypass flag.
Updated dependencies [2108c30]
Updated dependencies [23db640]
@objectstack/driver-sql@4.1.0
Minor Changes
0cc0374: feat(driver-sql): tenant-isolated auto_number sequences backed by a persistent counter table
Breaking nothing; new behaviour is opt-in via object schema.
The SQL driver now generates auto_number / autonumber field values via a dedicated `_objectstack_sequences` table keyed by `(object, tenant_id, field)` instead of scanning the data table for the current MAX on every insert.
Highlights:
- `organization_id` field get a separate counter per organization. Two tenants creating contracts at the same time both legitimately observe `CTR-0001`, `CTR-0002`, … in their own namespaces — they no longer interleave or skip numbers.
- `row[organization_id]` → `DriverOptions.tenantId` → `__global__` sentinel for org-less objects (e.g. setup-side singletons share one counter).
- `(object, tenant, field)` tuple, the driver seeds `last_value` from the current per-tenant MAX so legacy/seeded records keep their position and downstream inserts pick up monotonically (gaps are tolerated).
- `SELECT … FOR UPDATE` (where the dialect supports it) and a single `UPDATE` of `last_value`. Tested with 25 concurrent inserts in one tenant producing 25 distinct sequence values.
- value for the auto_number field is left untouched, and the sequence bootstrap respects that value so future reservations advance past it.
- `type: 'auto_number'` (snake) and `type: 'autonumber'` (the spec factory output) are recognised.
Migration notes:
- the `_objectstack_sequences` table automatically — no manual DDL.
- cross-tenant logic (where a tenant's number could "jump" because it inherited another tenant's MAX) remain in place; subsequent inserts continue from `MAX + 1` in the affected tenant.
5b878d9: Generate `auto_number` / `autonumber` field values on insert. The driver parses the field's `format` template (e.g. `CTR-{0000}`) to extract the prefix and pad-width, then scans existing rows with the same prefix and emits `prefix + padded(maxN + 1)` for any row that omits the field.
Note: per-call MAX+1 — not atomic across concurrent writers. Fine for seed-data and low-write demo loads; production deployments should layer a dedicated sequence table.
f0b3972: Driver-level tenant isolation for objects with `organization_id`.
`SqlDriver` now auto-applies a `WHERE organization_id = :tenantId` predicate on every read/update/delete and auto-injects the column on insert when the caller passes `options.tenantId` and the object schema declares an `organization_id` field. `bulkCreate`, `bulkDelete`, `updateMany`, `deleteMany`, `count` and `aggregate` are all scoped.
ObjectQL's engine now threads `ExecutionContext.tenantId` into the driver options for every CRUD entry point (including `expandRelatedRecords`), so a tenant-scoped session can no longer cross tenants — even through lookup expansion or count fallbacks.
Backward compatible: callers that omit `tenantId` (system tasks, seed scripts) keep getting unscoped behaviour. Explicit `organization_id` on an insert row always wins over the contextual `tenantId` so admin tooling can still target a specific tenant.
13 new tests in `sql-driver-tenant-scope.test.ts` verify cross-tenant find/findOne/update/delete/count/bulkCreate/updateMany/deleteMany isolation, the unscoped admin path, and that global objects (no `organization_id`) are not scoped.
0e63f2f: Declarative tenant scoping + audit warn for missing tenantId.
`SqlDriver` now reads `obj.tenancy.tenantField` first when picking the tenant column for an object, falling back to the implicit `organization_id` detection so legacy objects keep working without a spec migration. Set `tenancy: { enabled: true, strategy: 'shared', tenantField: 'workspace_id' }` on any object to use a custom column.
Writes (`create`, `update`, `delete`, `bulkCreate`, `bulkDelete`, `updateMany`, `deleteMany`, `upsert`) that target a tenant-scoped object without `options.tenantId` now emit one `[tenant-audit]` warning per `{object}:{op}` so missing-context bugs surface in CI/logs instead of silently writing globally. The engine auto-silences when `ExecutionContext.isSystem === true` (boot-time seeds, kernel mirrors). Callers can opt out per-call with `options.bypassTenantAudit = true` or globally with `OS_TENANT_AUDIT=0`.
Driver README now documents the full scope/bypass matrix and the audit warning.
Three new tests cover the declared-tenant-field path, the audit throttle, and the bypass flag.
Patch Changes
`execute()` (both `SqlDriver.execute()` and `engine.execute()`). The behaviour is unchanged — `execute()` has always passed commands through verbatim — but the JSDoc now spells out the security contract so callers know they must inline `WHERE organization_id = ?` themselves or restrict raw execution to genuinely global statements (migrations, control-plane tables).
@objectstack/plugin-security@4.1.0
Minor Changes
d3b455f: Add server-side Field-Level Security write enforcement. Client-side ObjectForm / inline-grid already hides non-editable fields, but the SecurityPlugin middleware previously only enforced FLS on read (`maskResults` on find/findOne). Insert and update operations could target any field — a hand-crafted POST bypassed FLS entirely.
The middleware now runs `FieldMasker.detectForbiddenWrites` on every insert / update payload (single record or bulk array) and throws `PermissionDeniedError` (HTTP 403) when the payload references a field the caller is not permitted to edit. The offending field list is exposed via `details.forbiddenFields` for actionable client error UI.
Allow-list semantics: only fields explicitly enumerated in a permission set's `fields` map are constrained. System operations (`ExecutionContext.isSystem`) continue to bypass the check.
Why throw vs. silently stripping: silent strip hides the boundary from honest clients (partial-save confusion) AND gives probing clients no signal that the field exists. Throwing makes the boundary observable in both directions.
Also exposes `FieldMasker.detectForbiddenWrites(data, fieldPermissions)` as a standalone helper for callers that want to do the check out-of-band (e.g., adapters that strip-then-warn instead of fail-closed).
Patch Changes
@objectstack/runtime@4.1.0
Minor Changes
96fb108: Artifact-first boot:
- `objectstack start` (and `objectstack serve`) now boot directly from a compiled `dist/objectstack.json` when no `objectstack.config.ts` is present.
- `@objectstack/runtime` exports `createDefaultHostConfig()` and `resolveDefaultArtifactPath()` — a standalone-only default host that wraps `createStandaloneStack()` and surfaces the artifact's `requires`/`objects`/`manifest`. No dependency on `@objectstack/service-cloud`.
- `objectstack start` accepts `OS_ARTIFACT_PATH` as a file path or an `http(s)://` URL. New flags `--artifact`, `--database`, `--database-driver`, `--database-auth-token`, `--auth-secret`, `--project-id`, `--port` let you specify all runtime conditions on the command line (each overrides the matching env var).
- `objectstack dev` accepts the same runtime-override flags. When `--artifact` is supplied, the auto-compile step is skipped and the dev server boots the supplied artifact directly — no `objectstack.config.ts` required in cwd.
- `objectstack start` no longer mounts Studio / Account / Console by default — those are dev/admin surfaces. Pass `--ui` to opt back in.
- `objectstack serve` falls back to the default host config when the config file is missing but an artifact is resolvable.
- `apps/objectos` (cloud / multi-project) is unchanged.
70db902: Add production observability primitives. `createDispatcherPlugin` now exposes an `observability` config that auto-instruments every mounted route with:
- `X-Request-Id` echo + `req.requestId` (honors incoming header when well-formed, mints `req_<uuid>` otherwise).
- `http_requests_total{method,route,status}` counter.
- `http_request_duration_ms{method,route}` histogram.
- `http_request_errors_total{method,route}` counter.
- metrics only, not reported, to keep APM signal:noise high).
All defaults are no-op (zero overhead). Hosts plug their own `MetricsRegistry` (Prometheus / OTel) and `ErrorReporter` (Sentry / Datadog) — see `docs/OBSERVABILITY.md` for adapter recipes and the go-live checklist.
Standalone primitives also exported for adapter-layer use: `extractRequestId`, `resolveRequestId`, `parseTraceparent`, `formatTraceparent`, `InMemoryMetricsRegistry`, `InMemoryErrorReporter`, `instrumentRouteHandler`.
70db902: Add production HTTP hardening primitives. `createDispatcherPlugin` now sends conservative security response headers by default (CSP / X-Content-Type-Options / X-Frame-Options / Referrer-Policy / Permissions-Policy / Cross-Origin-Resource-Policy). HSTS is opt-in. Caller can disable with `securityHeaders: false` (e.g., when an upstream reverse proxy already injects them) or customize per-header via `SecurityHeadersOptions`.
Also exports a standalone token-bucket `RateLimiter` with a pluggable `RateLimitStore` interface (in-memory default; trivially backed by Redis) and curated `DEFAULT_RATE_LIMITS` for auth / write / read buckets.
The limiter is NOT auto-wired into the dispatcher — adapter-layer wire-up (Fastify / Hono / Express) is recommended for proper IP/key extraction; see `docs/HARDENING.md` for recipes.
Patch Changes
@objectstack/spec@4.1.0
Minor Changes
23db640: `record:highlights` now accepts richer field items.
Each entry in `fields` may be either a bare field name (backward compatible) or an object `{ name, label?, icon?, type? }` that lets the schema override the displayed label, attach a Lucide icon, or force a specific cell renderer without editing the underlying object metadata. Useful when the same field appears in multiple highlight strips with different framing (e.g. "Annual Revenue" vs "ARR") or when you want a tiny icon for status-like fields.
Patch Changes
`ActionParamSchema.required` now defaults to `false` (was effectively `undefined`). Functionally equivalent for existing consumers (which check truthiness), but makes the parsed object shape complete and unblocks downstream type narrowing. Fixes pre-existing failing test `action.test.ts > should accept minimal action parameter`.
@objectstack/studio@4.1.0
Patch Changes
@objectstack/hono@4.1.0
Patch Changes
@objectstack/client@4.1.0
Patch Changes
@objectstack/client-react@4.1.0
Patch Changes
@objectstack/core@4.1.0
Patch Changes
@objectstack/formula@4.1.0
Patch Changes
@objectstack/platform-objects@4.1.0
Patch Changes
@objectstack/driver-memory@4.1.0
Patch Changes
@objectstack/driver-mongodb@4.1.0
Patch Changes
@objectstack/driver-turso@4.1.0
Patch Changes
@objectstack/plugin-approvals@4.0.1
Patch Changes
@objectstack/plugin-audit@4.1.0
Patch Changes
@objectstack/plugin-auth@4.1.0
Patch Changes
@objectstack/plugin-dev@4.1.0
Patch Changes
@objectstack/plugin-email@4.0.1
Patch Changes
@objectstack/plugin-hono-server@4.1.0
Patch Changes
@objectstack/plugin-mcp-server@4.1.0
Patch Changes
@objectstack/plugin-msw@4.1.0
Patch Changes
@objectstack/plugin-reports@4.0.1
Patch Changes
@objectstack/plugin-sharing@4.0.1
Patch Changes
@objectstack/plugin-webhooks@4.0.1
Patch Changes
@objectstack/rest@4.1.0
Patch Changes
@objectstack/service-ai@4.1.0
Patch Changes
@objectstack/service-analytics@4.1.0
Patch Changes
@objectstack/service-automation@4.1.0
Patch Changes
@objectstack/service-cache@4.1.0
Patch Changes
@objectstack/service-feed@4.1.0
Patch Changes
@objectstack/service-i18n@4.1.0
Patch Changes
@objectstack/service-job@4.1.0
Patch Changes
@objectstack/service-package@4.1.0
Patch Changes
@objectstack/service-queue@4.1.0
Patch Changes
@objectstack/service-realtime@4.1.0
Patch Changes
@objectstack/service-settings@0.1.1
Patch Changes
@objectstack/service-storage@4.1.0
Patch Changes
@objectstack/service-tenant@4.1.0
Patch Changes
@objectstack/types@4.1.0
Patch Changes
@objectstack/express@4.1.0
@objectstack/fastify@4.1.0
@objectstack/nestjs@4.1.0
@objectstack/nextjs@4.1.0
@objectstack/nuxt@4.1.0
@objectstack/sveltekit@4.1.0
create-objectstack@4.1.0
objectstack-vscode@4.1.0
@objectstack/account@4.0.6
Patch Changes
`/setup` page. Removed the optional teammate-invite section, the manually-edited org slug field, the large shield banner and the footer note. The form is now 4 fields (name + org name on one row, then email + password) with concise copy — the new owner can invite teammates from the dashboard after first login.
@objectstack/example-crm@4.0.6
Patch Changes
fcc54fd: chore(example-crm): cull duplicate/low-value reports
Remove three reports from the CRM example that didn't pass the "Report vs. Dashboard" value test:
- `LeadsBySourceReport` (single-dim count by `lead_source`) — fully redundant with the sales dashboard's "Lead Source" pie tile.
- `ContactsByAccountReport` — really a Contact List View grouped by account, not a report.
- `TasksByOwnerReport` — single-dim count, not navigated anywhere.
Remaining 10 reports keep full shape coverage: summary (2), matrix (4), joined (2), multi-pane (1) plus a chartful summary.
Updated dependencies [2108c30]
Updated dependencies [96fb108]
Updated dependencies [23db640]
Updated dependencies [70db902]
Updated dependencies [70db902]
@example/app-todo@4.0.6
Patch Changes
@objectstack/docs@4.1.0
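
The field-level write check described in the `@objectstack/plugin-security` entry above, as an added example that is not code from this PR or from the package. The permission-map shape `{ field: { editable } }`, the function bodies and the sample data are assumptions; only the names `detectForbiddenWrites`, `PermissionDeniedError` and `details.forbiddenFields` come from the release notes.

```javascript
// Added illustration, not the @objectstack/plugin-security source.
// Assumed permission shape: { [fieldName]: { editable: boolean } }.

class PermissionDeniedError extends Error {
  constructor(forbiddenFields) {
    super(`write denied for field(s): ${forbiddenFields.join(', ')}`);
    this.name = 'PermissionDeniedError';
    this.status = 403;
    this.details = { forbiddenFields };
  }
}

// Sorted, de-duplicated names of payload fields the caller may not edit.
// `data` is a single record or a bulk array of records.
function detectForbiddenWrites(data, fieldPermissions) {
  const forbidden = new Set();
  for (const record of Array.isArray(data) ? data : [data]) {
    if (record === null || typeof record !== 'object') continue;
    for (const field of Object.keys(record)) {
      // Allow-list semantics: a field absent from the map is unconstrained.
      // hasOwnProperty keeps keys such as "constructor" from matching
      // inherited properties of the permission object.
      if (!Object.prototype.hasOwnProperty.call(fieldPermissions, field)) continue;
      if (fieldPermissions[field].editable !== true) forbidden.add(field);
    }
  }
  return [...forbidden].sort();
}

// Fail-closed path: reject the whole insert/update before it reaches the driver.
function enforceFieldWrites(ctx, data, fieldPermissions) {
  if (ctx.isSystem) return data; // system operations bypass the check
  const forbidden = detectForbiddenWrites(data, fieldPermissions);
  if (forbidden.length > 0) throw new PermissionDeniedError(forbidden);
  return data;
}

// Out-of-band path: strip-then-warn instead of fail-closed.
function stripForbiddenWrites(data, fieldPermissions, warn) {
  const forbidden = detectForbiddenWrites(data, fieldPermissions);
  if (forbidden.length === 0) return data;
  warn(`stripped non-editable field(s): ${forbidden.join(', ')}`);
  const strip = (record) =>
    Object.fromEntries(Object.entries(record).filter(([k]) => !forbidden.includes(k)));
  return Array.isArray(data) ? data.map(strip) : strip(data);
}

// Constructed sample permission set and payloads.
const samplePermissions = { salary: { editable: false }, title: { editable: true } };
const sampleUpdate = { title: 'Staff Engineer', salary: 999999, notes: 'n/a' };
const sampleBulk = [{ title: 'A' }, { salary: 1 }, { salary: 2, constructor: 'x' }];
```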
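
The tenant scoping rules from the `@objectstack/objectql` and `@objectstack/driver-sql` entries above (tenant column selection, the ANDed read predicate, explicit row value winning on insert, one `[tenant-audit]` warning per `{object}:{op}`), as an added example that is not code from this PR or from the driver. The schema shape, helper names, generated SQL and warning wording are assumptions for illustration.

```javascript
// Added illustration, not the @objectstack/driver-sql source. Schema shape,
// helper names and generated SQL are assumptions made for this sketch.
const auditSeen = new Set(); // throttle: one warning per `${object}:${op}`

const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Declared tenancy.tenantField first, then implicit organization_id detection.
function tenantColumn(obj) {
  if (obj.tenancy && obj.tenancy.tenantField) return obj.tenancy.tenantField;
  return has(obj.fields, 'organization_id') ? 'organization_id' : null;
}

// Identifiers cannot be bound as parameters, so only declared fields pass.
function column(obj, name) {
  if (!has(obj.fields, name)) throw new Error(`unknown field ${obj.name}.${name}`);
  return `"${name}"`;
}

function auditMissingTenant(obj, op, options, warn) {
  if (options.bypassTenantAudit) return;
  if (typeof process !== 'undefined' && process.env.OS_TENANT_AUDIT === '0') return;
  const key = `${obj.name}:${op}`;
  if (auditSeen.has(key)) return;
  auditSeen.add(key);
  warn(`[tenant-audit] ${key} executed without tenantId`);
}

function buildFind(obj, where, options = {}) {
  const clauses = [];
  const params = [];
  for (const [name, value] of Object.entries(where)) {
    clauses.push(`${column(obj, name)} = ?`);
    params.push(value);
  }
  const tcol = tenantColumn(obj);
  if (tcol && options.tenantId != null) {
    // ANDed with caller filters, so a filter on the tenant column can only narrow.
    clauses.push(`${column(obj, tcol)} = ?`);
    params.push(options.tenantId);
  }
  const tail = clauses.length ? ` WHERE ${clauses.join(' AND ')}` : '';
  return { sql: `SELECT * FROM "${obj.name}"${tail}`, params };
}

function buildInsert(obj, row, options = {}, warn = console.warn) {
  const values = { ...row };
  const tcol = tenantColumn(obj);
  if (tcol && options.tenantId == null) auditMissingTenant(obj, 'create', options, warn);
  // An explicit tenant value on the row wins over the contextual tenantId.
  if (tcol && values[tcol] == null && options.tenantId != null) values[tcol] = options.tenantId;
  const names = Object.keys(values);
  const cols = names.map((n) => column(obj, n)).join(', ');
  const marks = names.map(() => '?').join(', ');
  return { sql: `INSERT INTO "${obj.name}" (${cols}) VALUES (${marks})`, params: names.map((n) => values[n]) };
}

// Constructed sample object schemas.
const contract = { name: 'contract', fields: { id: {}, title: {}, organization_id: {} } };
const doc = { name: 'doc', fields: { id: {}, workspace_id: {} },
  tenancy: { enabled: true, strategy: 'shared', tenantField: 'workspace_id' } };
const currency = { name: 'currency', fields: { code: {} } };
```

A raw `execute()` path, as the 5683206 entry states, passes commands through verbatim and goes through none of this scoping.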