feat: add OAuth application management features

- Introduced new hooks for managing OAuth applications, including listing, registering, and deleting applications.
- Created routes for displaying a list of OAuth applications, application details, and a registration form.
- Implemented consent screen for OAuth authorization requests.
- Added new system objects for OAuth access tokens, applications, and consent records.
- Updated tests to include new system object names for OAuth-related constants.

Author: hotlong

apps/account/src/components/account-sidebar.tsx

@@ -3,7 +3,7 @@
 /**
  * AccountSidebar — global left navigation for the Account portal.
  *
- * Two semantic groups:
+ * Three semantic groups:
  *
  *   Account
  *   ├─ Profile
@@ -16,6 +16,9 @@
  *   ├─ General         (/organizations/:id/general — only when an org is active)
  *   └─ Members         (/organizations/:id/members — only when an org is active)
  *
+ *   Developer
+ *   └─ OAuth Apps      (/account/oauth-applications)
+ *
  * The active org's name is intentionally NOT used as a group label —
  * the top-bar OrganizationSwitcher already shows it prominently. When
  * collapsed to icon-only the labels hide automatically.
@@ -24,6 +27,7 @@
 import { Link, useLocation } from '@tanstack/react-router';
 import {
   Building2,
+  KeyRound,
   Monitor,
   PanelLeft,
   Settings,
@@ -53,6 +57,7 @@ interface NavItem {
     | '/account/security'
     | '/account/sessions'
     | '/account/two-factor'
+    | '/account/oauth-applications'
     | '/organizations';
   label: string;
   icon: React.ComponentType<{ className?: string }>;
@@ -105,8 +110,6 @@ export function AccountSidebar() {
 
         <SidebarSeparator />
 
-        <SidebarSeparator />
-
         <SidebarGroup>
           <SidebarGroupLabel>Organization</SidebarGroupLabel>
           <SidebarGroupContent>
@@ -154,6 +157,28 @@ export function AccountSidebar() {
             </SidebarMenu>
           </SidebarGroupContent>
         </SidebarGroup>
+
+        <SidebarSeparator />
+
+        <SidebarGroup>
+          <SidebarGroupLabel>Developer</SidebarGroupLabel>
+          <SidebarGroupContent>
+            <SidebarMenu>
+              <SidebarMenuItem>
+                <SidebarMenuButton
+                  asChild
+                  isActive={pathname.startsWith('/account/oauth-applications')}
+                  tooltip="OAuth Apps"
+                >
+                  <Link to="/account/oauth-applications">
+                    <KeyRound className="size-4" />
+                    <span>OAuth Apps</span>
+                  </Link>
+                </SidebarMenuButton>
+              </SidebarMenuItem>
+            </SidebarMenu>
+          </SidebarGroupContent>
+        </SidebarGroup>
       </SidebarContent>
       <SidebarFooter>
         <SidebarMenu>

apps/account/src/hooks/useOAuthApplications.ts

@@ -0,0 +1,161 @@
+// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
+
+/**
+ * React hooks for managing OAuth/OIDC client applications.
+ *
+ * Wraps `client.oauth.applications.*` (better-auth `oidc-provider` plugin).
+ * Used by the OAuth Apps pages under /account/oauth-applications.
+ */
+
+import { useCallback, useEffect, useState } from 'react';
+import { useClient } from '@objectstack/client-react';
+
+export interface OAuthApplication {
+  id: string;
+  name: string;
+  client_id: string;
+  client_secret?: string | null;
+  redirect_urls: string;
+  type: 'web' | 'native' | 'user-agent-based' | 'public';
+  disabled?: boolean;
+  icon?: string | null;
+  metadata?: string | null;
+  user_id?: string | null;
+  created_at?: string;
+  updated_at?: string;
+}
+
+/**
+ * Hook: list the current user's OAuth client applications.
+ */
+export function useOAuthApplications() {
+  const client = useClient() as any;
+  const [applications, setApplications] = useState<OAuthApplication[]>([]);
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+
+  const reload = useCallback(async () => {
+    if (!client?.oauth?.applications) return;
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await client.oauth.applications.list();
+      setApplications(res?.applications ?? []);
+    } catch (err) {
+      setError(err as Error);
+      setApplications([]);
+    } finally {
+      setLoading(false);
+    }
+  }, [client]);
+
+  useEffect(() => {
+    reload();
+  }, [reload]);
+
+  return { applications, loading, error, reload };
+}
+
+/**
+ * Hook: register a new OAuth client application.
+ *
+ * Returns `{ register, registering, error, lastResult }` where `lastResult`
+ * holds the response of the most recent successful registration — including
+ * the freshly issued `client_secret`, which is only returned once.
+ */
+export function useRegisterOAuthApplication() {
+  const client = useClient() as any;
+  const [registering, setRegistering] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+  const [lastResult, setLastResult] = useState<any>(null);
+
+  const register = useCallback(
+    async (req: {
+      client_name: string;
+      redirect_uris: string[];
+      token_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_post';
+      grant_types?: string[];
+      response_types?: string[];
+      client_uri?: string;
+      logo_uri?: string;
+      scope?: string;
+      contacts?: string[];
+      tos_uri?: string;
+      policy_uri?: string;
+      metadata?: Record<string, unknown>;
+    }) => {
+      if (!client?.oauth?.applications?.register) throw new Error('Client not ready');
+      setRegistering(true);
+      setError(null);
+      try {
+        const result = await client.oauth.applications.register(req);
+        setLastResult(result);
+        return result;
+      } catch (err) {
+        setError(err as Error);
+        throw err;
+      } finally {
+        setRegistering(false);
+      }
+    },
+    [client],
+  );
+
+  return { register, registering, error, lastResult };
+}
+
+/**
+ * Hook: delete (revoke) an OAuth client application by row id.
+ */
+export function useDeleteOAuthApplication() {
+  const client = useClient() as any;
+  const [deleting, setDeleting] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+
+  const remove = useCallback(
+    async (id: string) => {
+      if (!client?.oauth?.applications?.delete) throw new Error('Client not ready');
+      setDeleting(true);
+      setError(null);
+      try {
+        return await client.oauth.applications.delete(id);
+      } catch (err) {
+        setError(err as Error);
+        throw err;
+      } finally {
+        setDeleting(false);
+      }
+    },
+    [client],
+  );
+
+  return { remove, deleting, error };
+}
+
+/**
+ * Hook: submit a consent decision to a pending OAuth authorization request.
+ */
+export function useOAuthConsent() {
+  const client = useClient() as any;
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+
+  const submit = useCallback(
+    async (req: { accept: boolean; consent_code?: string }) => {
+      if (!client?.oauth?.consent) throw new Error('Client not ready');
+      setSubmitting(true);
+      setError(null);
+      try {
+        return await client.oauth.consent(req);
+      } catch (err) {
+        setError(err as Error);
+        throw err;
+      } finally {
+        setSubmitting(false);
+      }
+    },
+    [client],
+  );
+
+  return { submit, submitting, error };
+}