Skip to content

chore: version packages#2689

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main
Open

chore: version packages#2689
github-actions[bot] wants to merge 1 commit into
mainfrom
changeset-release/main

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@objectstack/lint@12.7.0

Minor Changes

  • 466adf6: Author-time capability-reference lint (ADR-0066 ⑨) — os validate / os lint
    now warn when a requiredPermissions names a capability that is registered
    nowhere.

    requiredPermissions (on objects, fields, apps, actions) is a free string, so a
    typo like mange_users is schema-valid and fails closed at runtime (the caller
    is denied) — safe, but silent. The new validateCapabilityReferences rule
    (@objectstack/lint) resolves every reference against the author-time known set
    and warns on the unresolved ones:

    • built-in platform capabilities — now sourced from a single canonical list in
      @objectstack/spec (security/capabilities.ts: PLATFORM_CAPABILITIES /
      PLATFORM_CAPABILITY_NAMES), which @objectstack/plugin-security's
      bootstrapSystemCapabilities also seeds from (one source of truth, no drift),
    • any capability a permission set in the stack grants via systemPermissions
      (granting is what declares it — mirrors the runtime derived-defaults rule), and
    • any sys_capability row shipped as seed data.

    It is a warning, not an error: a single package can't see capabilities
    declared by other installed packages, and the reference fails closed anyway.
    systemPermissions itself is never flagged — it is the declaration side, and a
    package legitimately introduces new capabilities there. The object case also
    understands the per-operation requiredPermissions map form (ADR-0066 ⑤) and
    points a finding at the exact operation slice.

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/sdui-parser@12.7.0

@objectstack/metadata-protocol@12.7.0

Minor Changes

  • fc7e7f7: Enforce the package namespace-prefix rule for Studio-authored packages.

    The protocol requires every object name in a package to carry the package's
    manifest.namespace prefix (crm_account); defineStack() enforces this at
    compile time via validateNamespacePrefix. Studio/runtime-authored packages
    never take that path, and they were created without a namespace at all — so the
    rule was silently inert and objects published with bare, collision-prone names.

    Two runtime changes close the gap:

    • protocol.installPackage now derives a default namespace from the package id
      (com.example.leaveleave) when the manifest declares none, and persists
      it on the manifest (in-memory registry + sys_packages). An explicitly
      declared namespace always wins (e.g. HotCRM's crm).
    • protocol.publishPackageDrafts now rejects any object draft whose name lacks
      the package namespace prefix, before promoting anything (atomic), with an
      actionable message (Rename it to 'leave_ticket'). Packages that declare no
      namespace are grandfathered — mirroring defineStack, the rule is not
      invented at enforcement time.

    The per-object prefix check and the id→namespace derivation are extracted into
    @objectstack/spec/kernel (validateObjectNamespacePrefix,
    deriveNamespaceFromPackageId) as the single source shared by defineStack and
    the runtime publish path, so the two enforcement points cannot drift.

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/metadata-core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/platform-objects@12.7.0

Minor Changes

  • 9fa84f9: Secure-by-default posture for sensitive system objects (ADR-0066 ④, system-object
    slice) — the platform's raw secret/credential stores no longer ride the wildcard
    '*' permission grant.

    sys_secret (encrypted settings/datasource secrets), sys_jwks (JWT signing
    keys), sys_verification (password-reset / verify tokens),
    sys_oauth_access_token, sys_oauth_refresh_token (live bearer credentials),
    and sys_device_code (pending device-grant codes) now declare
    access: { default: 'private' }: an ordinary member's generic data-layer
    read/write gets 403 instead of being covered by member_default's
    '*': allowRead. Platform admins retain access via the posture-gated
    viewAllRecords/modifyAllRecords superuser bypass, and every runtime consumer
    is unaffected — better-auth reads via its adapter (system context),
    engine.resolveSecret reads at driver level, and SettingsService / the
    datasource secret-binder read principal-less (middleware falls open for internal
    calls).

    sys_scim_provider (SCIM bearer-token config) gains the object-level
    requiredPermissions: ['manage_platform_settings'] capability gate, mirroring
    its sibling sys_sso_provider. The Setup nav item for Signing Keys (JWKS) is
    now capability-gated like API Keys, so non-admins don't see a menu entry that
    can only 403.

    Member self-service objects (sys_session, sys_api_key,
    sys_oauth_application, sys_two_factor) deliberately keep the public posture —
    the Account app ("My Sessions" / "My API Keys" / "My Apps" / 2FA "My
    Enrollment") reads them through the generic data layer as the member; row
    scoping remains their guard. The declarations are pinned by
    platform-objects.test.ts and the ADR-0056 D10 conformance-matrix row
    secure-by-default-posture, so dropping the flag from a secret store fails CI.

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/metadata-core@12.7.0

@objectstack/plugin-security@12.7.0

Minor Changes

  • 466adf6: Per-operation object requiredPermissions (ADR-0066 ⑤) — an object can now be
    read-open / write-gated instead of gating all of CRUD on one capability set.

    Object.requiredPermissions accepts either the original string[] (capabilities
    required for all operations) or a { read?, create?, update?, delete? }
    map that gates each operation class independently — mirroring how Salesforce and
    Dataverse separate capability by operation. plugin-security enforces the caps for
    the request's operation class as the same D3 AND-gate (checked before the CRUD
    grant, fail-closed). The mapping folds transfer/restore into update and
    purge into delete, derived from the existing CRUD permission bits so it stays
    in lockstep with them.

    Backward-compatible: the string[] form keeps its gate-every-operation semantics
    (normalized into an all bucket that unions with the per-operation bucket), so
    existing objects are unaffected. The per-operation map's keys are validated
    .strict(), so a mistyped key (e.g. reads) is rejected at author time rather
    than silently ignored.

Patch Changes

  • 466adf6: Author-time capability-reference lint (ADR-0066 ⑨) — os validate / os lint
    now warn when a requiredPermissions names a capability that is registered
    nowhere.

    requiredPermissions (on objects, fields, apps, actions) is a free string, so a
    typo like mange_users is schema-valid and fails closed at runtime (the caller
    is denied) — safe, but silent. The new validateCapabilityReferences rule
    (@objectstack/lint) resolves every reference against the author-time known set
    and warns on the unresolved ones:

    • built-in platform capabilities — now sourced from a single canonical list in
      @objectstack/spec (security/capabilities.ts: PLATFORM_CAPABILITIES /
      PLATFORM_CAPABILITY_NAMES), which @objectstack/plugin-security's
      bootstrapSystemCapabilities also seeds from (one source of truth, no drift),
    • any capability a permission set in the stack grants via systemPermissions
      (granting is what declares it — mirrors the runtime derived-defaults rule), and
    • any sys_capability row shipped as seed data.

    It is a warning, not an error: a single package can't see capabilities
    declared by other installed packages, and the reference fails closed anyway.
    systemPermissions itself is never flagged — it is the declaration side, and a
    package legitimately introduces new capabilities there. The object case also
    understands the per-operation requiredPermissions map form (ADR-0066 ⑤) and
    points a finding at the exact operation slice.

  • 799b285: Fix field-level-security read leak on mutation responses. The security
    middleware only masked read-protected fields on find/findOne results, so a
    caller with edit-but-not-field-read could insert/update a record and read a
    read-protected field back out of the echoed post-image (field WRITES were
    already blocked, but the response image was not masked). The mask now also
    covers insert/update results, matching read behavior.

  • Updated dependencies [466adf6]

  • Updated dependencies [466adf6]

  • Updated dependencies [2bee609]

  • Updated dependencies [9fa84f9]

  • Updated dependencies [fc7e7f7]

    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0

@objectstack/spec@12.7.0

Minor Changes

  • 466adf6: Author-time capability-reference lint (ADR-0066 ⑨) — os validate / os lint
    now warn when a requiredPermissions names a capability that is registered
    nowhere.

    requiredPermissions (on objects, fields, apps, actions) is a free string, so a
    typo like mange_users is schema-valid and fails closed at runtime (the caller
    is denied) — safe, but silent. The new validateCapabilityReferences rule
    (@objectstack/lint) resolves every reference against the author-time known set
    and warns on the unresolved ones:

    • built-in platform capabilities — now sourced from a single canonical list in
      @objectstack/spec (security/capabilities.ts: PLATFORM_CAPABILITIES /
      PLATFORM_CAPABILITY_NAMES), which @objectstack/plugin-security's
      bootstrapSystemCapabilities also seeds from (one source of truth, no drift),
    • any capability a permission set in the stack grants via systemPermissions
      (granting is what declares it — mirrors the runtime derived-defaults rule), and
    • any sys_capability row shipped as seed data.

    It is a warning, not an error: a single package can't see capabilities
    declared by other installed packages, and the reference fails closed anyway.
    systemPermissions itself is never flagged — it is the declaration side, and a
    package legitimately introduces new capabilities there. The object case also
    understands the per-operation requiredPermissions map form (ADR-0066 ⑤) and
    points a finding at the exact operation slice.

  • 466adf6: Per-operation object requiredPermissions (ADR-0066 ⑤) — an object can now be
    read-open / write-gated instead of gating all of CRUD on one capability set.

    Object.requiredPermissions accepts either the original string[] (capabilities
    required for all operations) or a { read?, create?, update?, delete? }
    map that gates each operation class independently — mirroring how Salesforce and
    Dataverse separate capability by operation. plugin-security enforces the caps for
    the request's operation class as the same D3 AND-gate (checked before the CRUD
    grant, fail-closed). The mapping folds transfer/restore into update and
    purge into delete, derived from the existing CRUD permission bits so it stays
    in lockstep with them.

    Backward-compatible: the string[] form keeps its gate-every-operation semantics
    (normalized into an all bucket that unions with the per-operation bucket), so
    existing objects are unaffected. The per-operation map's keys are validated
    .strict(), so a mistyped key (e.g. reads) is rejected at author time rather
    than silently ignored.

  • 2bee609: BREAKING (pre-launch): remove the three declared-but-never-enforced compliance
    subsystems per ADR-0056 D8 ("design + enforce, or remove"), and mark the AI
    agent visibility property EXPERIMENTAL ([P1][security] Enforce agent visibility (organization/private) — needs tenant/owner in request context #1901).

    Removed — none of these were read by any runtime path, and compliance-grade
    configuration must never merely look live:

    • ComplianceConfigSchema / GDPRConfigSchema / HIPAAConfigSchema (and the
      rest of system/compliance.zod.ts) — there is no data-subject-rights engine,
      retention enforcer, or BAA gate. FROM import { ComplianceConfigSchema } from '@objectstack/spec/system' TO: delete the reference — a real compliance
      subsystem will be designed top-down when scheduled.
    • MaskingConfigSchema / MaskingRuleSchema (system/masking.zod.ts) — no
      redaction layer applies them. FROM masking config TO: field-level security
      (permission-set field rules, enforced by plugin-security's field masker); a
      subtractive masking/deny layer arrives with ADR-0066 ⑦/⑧ if needed.
    • RLSConfigSchema / RLSAuditEventSchema / RLSAuditConfigSchema
      (security/rls.zod.ts) — the enforced RLS path never read the global config.
      FROM global RLSConfig TO: per-policy RowLevelSecurityPolicySchema (the
      live, enforced surface — unchanged).

    Kept, still [EXPERIMENTAL]: EncryptionConfigSchema (at-rest field
    encryption) — a real enterprise roadmap item with a stable shape; carrying it
    marked costs less than remove-and-re-add (ADR-0087).

    Marked [EXPERIMENTAL — NOT ENFORCED] ([P1][security] Enforce agent visibility (organization/private) — needs tenant/owner in request context #1901): AgentSchema.visibility — the
    chat-access evaluator deliberately excludes it and the agent list route does
    not filter by it, so private does not hide an agent. The schema description
    and the authoring form now say so; use access / permissions (both enforced
    at the chat route since [P0][security] Agent access control is a no-op (permissions/visibility/access) #1884) for real gating. The ADR-0056 D10 conformance
    matrix tracks all dispositions (agent-visibility experimental;
    compliance-configs / data-masking / rls-config-global removed).

  • fc7e7f7: Enforce the package namespace-prefix rule for Studio-authored packages.

    The protocol requires every object name in a package to carry the package's
    manifest.namespace prefix (crm_account); defineStack() enforces this at
    compile time via validateNamespacePrefix. Studio/runtime-authored packages
    never take that path, and they were created without a namespace at all — so the
    rule was silently inert and objects published with bare, collision-prone names.

    Two runtime changes close the gap:

    • protocol.installPackage now derives a default namespace from the package id
      (com.example.leaveleave) when the manifest declares none, and persists
      it on the manifest (in-memory registry + sys_packages). An explicitly
      declared namespace always wins (e.g. HotCRM's crm).
    • protocol.publishPackageDrafts now rejects any object draft whose name lacks
      the package namespace prefix, before promoting anything (atomic), with an
      actionable message (Rename it to 'leave_ticket'). Packages that declare no
      namespace are grandfathered — mirroring defineStack, the rule is not
      invented at enforcement time.

    The per-object prefix check and the id→namespace derivation are extracted into
    @objectstack/spec/kernel (validateObjectNamespacePrefix,
    deriveNamespaceFromPackageId) as the single source shared by defineStack and
    the runtime publish path, so the two enforcement points cannot drift.

@objectstack/hono@12.7.0

Patch Changes

  • Updated dependencies [b1081b8]
    • @objectstack/plugin-hono-server@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/types@12.7.0

@objectstack/account@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0

@objectstack/setup@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0

@objectstack/studio@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0

@objectstack/cli@12.7.0

Patch Changes

  • 466adf6: Author-time capability-reference lint (ADR-0066 ⑨) — os validate / os lint
    now warn when a requiredPermissions names a capability that is registered
    nowhere.

    requiredPermissions (on objects, fields, apps, actions) is a free string, so a
    typo like mange_users is schema-valid and fails closed at runtime (the caller
    is denied) — safe, but silent. The new validateCapabilityReferences rule
    (@objectstack/lint) resolves every reference against the author-time known set
    and warns on the unresolved ones:

    • built-in platform capabilities — now sourced from a single canonical list in
      @objectstack/spec (security/capabilities.ts: PLATFORM_CAPABILITIES /
      PLATFORM_CAPABILITY_NAMES), which @objectstack/plugin-security's
      bootstrapSystemCapabilities also seeds from (one source of truth, no drift),
    • any capability a permission set in the stack grants via systemPermissions
      (granting is what declares it — mirrors the runtime derived-defaults rule), and
    • any sys_capability row shipped as seed data.

    It is a warning, not an error: a single package can't see capabilities
    declared by other installed packages, and the reference fails closed anyway.
    systemPermissions itself is never flagged — it is the declaration side, and a
    package legitimately introduces new capabilities there. The object case also
    understands the per-operation requiredPermissions map form (ADR-0066 ⑤) and
    points a finding at the exact operation slice.

  • Updated dependencies [466adf6]

  • Updated dependencies [799b285]

  • Updated dependencies [b1081b8]

  • Updated dependencies [466adf6]

  • Updated dependencies [a1766fe]

  • Updated dependencies [2bee609]

  • Updated dependencies [9fa84f9]

  • Updated dependencies [fc7e7f7]

    • @objectstack/spec@12.7.0
    • @objectstack/lint@12.7.0
    • @objectstack/plugin-security@12.7.0
    • @objectstack/plugin-hono-server@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/plugin-email@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/account@12.7.0
    • @objectstack/setup@12.7.0
    • @objectstack/client@12.7.0
    • @objectstack/cloud-connection@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/mcp@12.7.0
    • @objectstack/observability@12.7.0
    • @objectstack/driver-memory@12.7.0
    • @objectstack/driver-mongodb@12.7.0
    • @objectstack/driver-sql@12.7.0
    • @objectstack/driver-sqlite-wasm@12.7.0
    • @objectstack/plugin-approvals@12.7.0
    • @objectstack/plugin-audit@12.7.0
    • @objectstack/plugin-auth@12.7.0
    • @objectstack/plugin-org-scoping@12.7.0
    • @objectstack/plugin-reports@12.7.0
    • @objectstack/plugin-sharing@12.7.0
    • @objectstack/plugin-webhooks@12.7.0
    • @objectstack/rest@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/service-analytics@12.7.0
    • @objectstack/service-automation@12.7.0
    • @objectstack/service-cache@12.7.0
    • @objectstack/service-datasource@12.7.0
    • @objectstack/service-job@12.7.0
    • @objectstack/service-messaging@12.7.0
    • @objectstack/service-package@12.7.0
    • @objectstack/service-queue@12.7.0
    • @objectstack/service-realtime@12.7.0
    • @objectstack/service-settings@12.7.0
    • @objectstack/service-storage@12.7.0
    • @objectstack/trigger-api@12.7.0
    • @objectstack/trigger-record-change@12.7.0
    • @objectstack/trigger-schedule@12.7.0
    • @objectstack/types@12.7.0
    • @objectstack/verify@12.7.0
    • @objectstack/console@12.7.0

@objectstack/client@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/client-react@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/client@12.7.0
    • @objectstack/core@12.7.0

@objectstack/cloud-connection@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/types@12.7.0

@objectstack/connector-mcp@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/connector-openapi@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/connector-rest@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/connector-slack@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/core@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/formula@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/mcp@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/metadata@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/metadata-core@12.7.0
    • @objectstack/types@12.7.0
    • @objectstack/metadata-fs@12.7.0

@objectstack/metadata-core@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/metadata-fs@12.7.0

Patch Changes

  • @objectstack/metadata-core@12.7.0

@objectstack/objectql@12.7.0

Patch Changes

  • a1766fe: fix(validation): remove polynomial ReDoS in email validation regexes

    The email validators used /^[^\s@]+@[^\s@]+\.[^\s@]+$/, whose quantifiers
    around \. overlap (the literal dot is also matched by [^\s@]) and backtrack
    polynomially on adversarial input. The domain part is rewritten as
    [^\s@.]+(?:\.[^\s@.]+)+ so labels exclude . and matching is linear. Valid
    addresses (including multi-label domains) are unaffected; addresses with an
    empty label such as a@b..c are now correctly rejected.

  • Updated dependencies [466adf6]

  • Updated dependencies [466adf6]

  • Updated dependencies [2bee609]

  • Updated dependencies [fc7e7f7]

    • @objectstack/spec@12.7.0
    • @objectstack/metadata-protocol@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/metadata-core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/observability@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/driver-memory@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/driver-mongodb@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/driver-sql@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/driver-sqlite-wasm@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/driver-sql@12.7.0

@objectstack/embedder-openai@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/knowledge-memory@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/service-knowledge@12.7.0

@objectstack/knowledge-ragflow@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/service-knowledge@12.7.0

@objectstack/plugin-approvals@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/metadata-core@12.7.0

@objectstack/plugin-audit@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/plugin-auth@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/plugin-dev@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [799b285]
  • Updated dependencies [b1081b8]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/plugin-security@12.7.0
    • @objectstack/plugin-hono-server@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/account@12.7.0
    • @objectstack/setup@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/driver-memory@12.7.0
    • @objectstack/plugin-auth@12.7.0
    • @objectstack/plugin-org-scoping@12.7.0
    • @objectstack/rest@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/service-i18n@12.7.0
    • @objectstack/types@12.7.0

@objectstack/plugin-email@12.7.0

Patch Changes

  • a1766fe: fix(validation): remove polynomial ReDoS in email validation regexes

    The email validators used /^[^\s@]+@[^\s@]+\.[^\s@]+$/, whose quantifiers
    around \. overlap (the literal dot is also matched by [^\s@]) and backtrack
    polynomially on adversarial input. The domain part is rewritten as
    [^\s@.]+(?:\.[^\s@.]+)+ so labels exclude . and matching is linear. Valid
    addresses (including multi-label domains) are unaffected; addresses with an
    empty label such as a@b..c are now correctly rejected.

  • Updated dependencies [466adf6]

  • Updated dependencies [466adf6]

  • Updated dependencies [2bee609]

  • Updated dependencies [9fa84f9]

  • Updated dependencies [fc7e7f7]

    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0

@objectstack/plugin-hono-server@12.7.0

Patch Changes

  • b1081b8: Return 405 Method Not Allowed (with an accurate Allow header and a
    descriptive body) instead of an opaque {"error":"Not found"} 404 when a
    request hits a registered path under the wrong HTTP method.

    Hono routes a method mismatch to the same notFound sink as a genuinely
    missing path, so a POST to a PUT-only route (e.g. the metadata save
    endpoint PUT /api/v1/meta/:type/:name) gave callers no hint that the path
    exists under another verb (PUT /api/v1/meta/:type/:name is hard to discover — add a POST convenience alias #2684). The server now tracks every registered
    (method, pattern) pair and re-matches the request path in the notFound
    handler: matching another method yields a 405; matching nothing stays a 404.
    This is framework-wide — every registered endpoint benefits. Static/SPA
    catch-alls registered straight on the raw Hono app are not tracked and never
    produce a spurious 405.

  • Updated dependencies [466adf6]

  • Updated dependencies [466adf6]

  • Updated dependencies [2bee609]

  • Updated dependencies [fc7e7f7]

    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/observability@12.7.0
    • @objectstack/types@12.7.0

@objectstack/plugin-org-scoping@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/plugin-reports@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/plugin-sharing@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0

@objectstack/plugin-webhooks@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/service-messaging@12.7.0

@objectstack/rest@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/service-package@12.7.0

@objectstack/runtime@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [799b285]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/plugin-security@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0
    • @objectstack/metadata@12.7.0
    • @objectstack/observability@12.7.0
    • @objectstack/driver-memory@12.7.0
    • @objectstack/driver-sql@12.7.0
    • @objectstack/driver-sqlite-wasm@12.7.0
    • @objectstack/plugin-auth@12.7.0
    • @objectstack/plugin-org-scoping@12.7.0
    • @objectstack/rest@12.7.0
    • @objectstack/service-cluster@12.7.0
    • @objectstack/service-datasource@12.7.0
    • @objectstack/service-i18n@12.7.0
    • @objectstack/types@12.7.0

@objectstack/service-analytics@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-automation@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/formula@12.7.0

@objectstack/service-cache@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/observability@12.7.0

@objectstack/service-cluster@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-cluster-redis@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/service-cluster@12.7.0

@objectstack/service-datasource@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-i18n@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-job@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-knowledge@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-messaging@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-package@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-queue@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-realtime@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0

@objectstack/service-settings@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/types@12.7.0

@objectstack/service-storage@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [9fa84f9]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/platform-objects@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/observability@12.7.0

@objectstack/trigger-api@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/trigger-record-change@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/trigger-schedule@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/core@12.7.0

@objectstack/types@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@objectstack/verify@12.7.0

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [799b285]
  • Updated dependencies [b1081b8]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/plugin-security@12.7.0
    • @objectstack/plugin-hono-server@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/core@12.7.0
    • @objectstack/driver-sqlite-wasm@12.7.0
    • @objectstack/plugin-auth@12.7.0
    • @objectstack/plugin-org-scoping@12.7.0
    • @objectstack/plugin-sharing@12.7.0
    • @objectstack/rest@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/service-analytics@12.7.0
    • @objectstack/service-automation@12.7.0
    • @objectstack/service-datasource@12.7.0
    • @objectstack/service-settings@12.7.0

@objectstack/console@12.7.0

create-objectstack@12.7.0

@objectstack/sdui-parser@12.7.0

objectstack-vscode@12.7.0

@objectstack/example-crm@4.0.77

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/runtime@12.7.0

@objectstack/example-showcase@0.2.23

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/cloud-connection@12.7.0
    • @objectstack/connector-rest@12.7.0
    • @objectstack/connector-slack@12.7.0
    • @objectstack/driver-sql@12.7.0
    • @objectstack/runtime@12.7.0

@objectstack/example-todo@4.0.77

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/client@12.7.0
    • @objectstack/mcp@12.7.0
    • @objectstack/metadata@12.7.0
    • @objectstack/driver-sqlite-wasm@12.7.0
    • @objectstack/knowledge-memory@12.7.0
    • @objectstack/runtime@12.7.0
    • @objectstack/service-knowledge@12.7.0

@objectstack/example-embed-objectql@0.0.17

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/driver-memory@12.7.0

@objectstack/dogfood@0.0.25

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [799b285]
  • Updated dependencies [466adf6]
  • Updated dependencies [a1766fe]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0
    • @objectstack/plugin-security@12.7.0
    • @objectstack/objectql@12.7.0
    • @objectstack/example-crm@4.0.77
    • @objectstack/example-showcase@0.2.23
    • @objectstack/verify@12.7.0

@objectstack/downstream-contract@0.0.23

Patch Changes

  • Updated dependencies [466adf6]
  • Updated dependencies [466adf6]
  • Updated dependencies [2bee609]
  • Updated dependencies [fc7e7f7]
    • @objectstack/spec@12.7.0

@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Ready Ready Preview, Comment Jul 8, 2026 5:09pm

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants