Add AUTH_SECRET configuration for AuthPlugin initialization

[Copilot]

Server failed to start: @objectstack/plugin-auth@2.0.6 requires secret parameter but AuthPlugin() was instantiated without options.

Changes

objectstack.config.ts

• Pass secret and baseUrl to AuthPlugin from env vars
• Fallback to dev default with production warning

new AuthPlugin({
  secret: process.env.AUTH_SECRET || (() => {
    const defaultSecret = 'dev-secret-change-in-production-min-32-chars';
    if (process.env.NODE_ENV === 'production') {
      console.error('WARNING: Using default AUTH_SECRET in production!');
    }
    return defaultSecret;
  })(),
  baseUrl: process.env.BETTER_AUTH_URL || 'http://localhost:5320',
}),

.env.example

• Template for AUTH_SECRET (required), database URLs, OAuth/SSO providers, server config

README.md

• Environment setup section: copy .env.example, generate secure secret with openssl rand -base64 32

Original prompt

sign up error

steedos@192 objectos % pnpm dev

objectql-monorepo@0.1.0 dev /Users/steedos/Documents/GitHub/objectos
concurrently -n api,web -c blue,green "pnpm objectstack:serve" "pnpm web:dev"

[web]
[web] > objectql-monorepo@0.1.0 web:dev /Users/steedos/Documents/GitHub/objectos
[web] > pnpm --filter @objectos/web dev
[web]
[api]
[api] > objectql-monorepo@0.1.0 objectstack:serve /Users/steedos/Documents/GitHub/objectos
[api] > objectstack serve --port 5320
[api]
[web]
[web] > @objectos/web@0.1.0 dev /Users/steedos/Documents/GitHub/objectos/apps/web
[web] > vite
[web]
[web] 3:46:39 PM [vite] (client) Re-optimizing dependencies because lockfile has changed
[web]
[web] VITE v6.4.1 ready in 269 ms
[web]
[web] ➜ Local: http://localhost:5321/console/
[web] ➜ Network: use --host to expose
[api]
[api] Loading objectstack.config.ts...
[api]
[api] ✗ AuthPlugin: secret is required
[api]  ELIFECYCLE  Command failed with exit code 1.
[api] pnpm objectstack:serve exited with code 1
[web] 3:46:43 PM [vite] http proxy error: /api/v1/auth/get-session
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:46 PM [vite] http proxy error: /api/v1/auth/providers
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:46 PM [vite] http proxy error: /api/v1/auth/providers
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:47 PM [vite] http proxy error: /api/v1/auth/sign-in/email
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:48 PM [vite] http proxy error: /api/v1/auth/providers
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:48 PM [vite] http proxy error: /api/v1/auth/providers
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)
[web] at afterConnectMultiple (node:net:1693:7)
[web] 3:46:53 PM [vite] http proxy error: /api/v1/auth/sign-up/email
[web] AggregateError [ECONNREFUSED]:
[web] at internalConnectMultiple (node:net:1128:18)

The user has attached the following file paths as relevant context:

• .github/copilot-instructions.md

Created from VS Code.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectos	Canceled		Feb 11, 2026 8:34am
objectos-demo	Error		Feb 11, 2026 8:34am

[Copilot]

Pull request overview

Adds missing configuration required to initialize @objectstack/plugin-auth@2.0.6 so the server can boot successfully, and documents the needed environment variables for local/prod setups.

Changes:

• Configure AuthPlugin with AUTH_SECRET (and BETTER_AUTH_URL / base URL) from environment variables.
• Add .env.example template with auth/database/provider/server variables.
• Document environment setup steps in README.md (including generating a secure secret).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
objectstack.config.ts	Passes env-based secret/baseUrl into AuthPlugin to prevent startup failure.
README.md	Documents required AUTH_SECRET and optional env configuration.
.env.example	Provides a baseline env template for auth + database + providers + server config.

[Copilot]

Defaulting baseUrl to a hard-coded http://localhost:5320 can become incorrect when the server port is changed via PORT/objectstack serve --port. Consider deriving the default from the configured server port (and host if available) or requiring BETTER_AUTH_URL when running on a non-default port.

Suggested change

	baseUrl: process.env.BETTER_AUTH_URL || 'http://localhost:5320',
	baseUrl:
	process.env.BETTER_AUTH_URL ||
	`http://${process.env.HOST || 'localhost'}:${process.env.PORT || 5320}`,

[Copilot]

README states the default SQLite DB is objectstack.db, but the codebase defaults to objectos.db when OBJECTQL_DATABASE_URL is unset (see packages/auth/src/auth-client.ts). This mismatch will mislead users configuring their environment.

Suggested change

	- **Database**: Defaults to SQLite (`objectstack.db`). Set `OBJECTQL_DATABASE_URL` for PostgreSQL or MongoDB.
	- **Database**: Defaults to SQLite (`objectos.db`). Set `OBJECTQL_DATABASE_URL` for PostgreSQL or MongoDB.

[Copilot]

The comments/examples indicate the default SQLite database file is objectstack.db, but the runtime code defaults to objectos.db when OBJECTQL_DATABASE_URL is not set. Update the comment/example to match the actual default to avoid confusion.

Suggested change

	# Optional: Database connection URL (defaults to SQLite: objectstack.db)
	# Examples:
	# - PostgreSQL: postgres://user:password@localhost:5432/objectstack
	# - MongoDB: mongodb://localhost:27017/objectstack
	# - SQLite: sqlite:objectstack.db (or omit for default)
	# OBJECTQL_DATABASE_URL=sqlite:objectstack.db
	# Optional: Database connection URL (defaults to SQLite: objectos.db)
	# Examples:
	# - PostgreSQL: postgres://user:password@localhost:5432/objectstack
	# - MongoDB: mongodb://localhost:27017/objectstack
	# - SQLite: sqlite:objectos.db (or omit for default)
	# OBJECTQL_DATABASE_URL=sqlite:objectos.db

[Copilot]

Falling back to a hard-coded secret means a production deployment can accidentally start with a known AUTH_SECRET. In production, this should fail fast (throw) if AUTH_SECRET is missing/empty, and ideally validate a minimum length (e.g., 32+ chars) before passing it to AuthPlugin.