Skip to content

chore(deps): Bump @objectstack/spec from 4.0.3 to 4.0.4#342

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/objectstack/spec-4.0.4
Open

chore(deps): Bump @objectstack/spec from 4.0.3 to 4.0.4#342
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/objectstack/spec-4.0.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps @objectstack/spec from 4.0.3 to 4.0.4.

Release notes

Sourced from @​objectstack/spec's releases.

@​objectstack/spec@​4.0.4

Patch Changes

  • 326b66b: fix: studio CI test failures and metadata protocol mock handler improvements
Changelog

Sourced from @​objectstack/spec's changelog.

Changelog

All notable changes to the ObjectStack Protocol will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • Environment-per-database multi-tenancy (service-tenant v4.1) — Refactored the multi-tenant architecture from "per-organization database" to per-environment database high-isolation, with a hard split between Control Plane (environment registry / addressing / credentials / RBAC) and Data Plane (one physical database per environment). See https://github.com/objectstack-ai/framework/blob/main/docs/adr/0002-environment-database-isolation.md for the full rationale and trade-offs.
    • Zod protocol schemas (packages/spec/src/cloud/environment.zod.ts): EnvironmentSchema, EnvironmentDatabaseSchema, DatabaseCredentialSchema, EnvironmentMemberSchema, EnvironmentTypeSchema, EnvironmentStatusSchema, EnvironmentRoleSchema, DatabaseCredentialStatusSchema, ProvisionEnvironmentRequest/ResponseSchema, ProvisionOrganizationRequest/ResponseSchema. TenantDatabaseSchema is now marked @deprecated.
    • Control-plane objects (packages/services/service-tenant/src/objects/): sys_environment (UNIQUE (organization_id, slug)), sys_environment_database (UNIQUE environment_id — exactly one DB per environment), sys_database_credential (rotatable, encrypted, with active / rotating / revoked lifecycle), sys_environment_member (UNIQUE (environment_id, user_id), owner / admin / maker / reader / guest). Every field carries .describe() metadata and every uniqueness constraint is explicit.
    • EnvironmentProvisioningService (packages/services/service-tenant/src/environment-provisioning.ts): provisionOrganization() bootstraps a new org with a default environment and DB in one call; provisionEnvironment() allocates any subsequent dev / test / sandbox / preview environment; rotateCredential() mints a new active credential and revokes the previous one. Pluggable EnvironmentDatabaseAdapter (initial turso; libsql / sqlite / postgres drop in without core changes) and SecretEncryptor hooks.
    • Tenant plugin wiring: createTenantPlugin() now registers all four new control-plane objects out of the box, plus sys_tenant_database as a v4.x shim (opt out via registerLegacyTenantDatabase: false).
    • v4 → v5 migration skeleton (packages/services/service-tenant/migrations/v4-to-v5-env-migration.ts): idempotent, non-destructive, re-encrypts credentials with the current KMS key, reuses existing physical DBs as each org's new prod environment DB — no data movement required.
    • Tests: 22 new schema round-trip tests in packages/spec/src/cloud/environment.test.ts, 10 new provisioning tests in packages/services/service-tenant/src/environment-provisioning.test.ts covering organization bootstrap, environment creation, default-environment invariants, adapter routing, credential rotation, and encryption hooks.

Deprecated

  • TenantDatabaseSchema / sys_tenant_database — Superseded by the environment-per-database model above. The schema and object remain registered in v4.x as a deprecation shim; both will be removed in v5.0. Consumers should migrate by running migrateV4ToV5Environments() before upgrading to v5.0.

Changed

  • Polished examples/app-crm dashboards — Rewrote executive, sales, and service dashboards and added a new unified crm overview dashboard, modeled after the reference implementation at objectstack-ai/objectui/examples/crm. The dashboards now use the framework's first-class metadata fields instead of ad-hoc hex strings stuffed into options.color:
    • Semantic colorVariant tokens (success/warning/danger/blue/teal/purple/orange) replace raw hex codes
    • Each widget carries a description, chartConfig (axes, color palette, annotations, interaction), and a header actionUrl/actionType/actionIcon for drill-down
    • Each dashboard declares a structured header with action buttons, a dateRange global time filter, globalFilters (owner / industry / priority lookups), and a refreshInterval
    • KPI metric widgets carry icon, format, and trend indicators (direction + delta + label) in options, mirroring the objectui reference visual style
    • Chart variety expanded: area (revenue trends), donut (lead source / industry), funnel (pipeline by stage), gauge (SLA compliance), horizontal-bar (rep ranking), with proper axis titles and value formatters
    • Table widgets use structured columns: [{ header, accessorKey, format }] instead of bare field-name arrays
    • New examples/app-crm/test/dashboard.test.ts validates every dashboard against DashboardSchema and enforces these conventions

Added

  • Release-readiness documentation pass (42 packages) — Aligned every @objectstack/* package for the formal v4.x release:
    • Canonical README template and package.json publishing checklist committed at docs/internal/PACKAGE_README_TEMPLATE.md
    • New packages/services/service-package/README.md documenting the package registry service
    • All package.json files now carry description, at least 3 keywords, a full repository block with directory, homepage, bugs, engines.node, publishConfig.access: public, and a files whitelist
    • @objectstack/service-tenant (was 0.1.0) and @objectstack/service-package (was 1.0.0) bumped to 4.0.4 in lockstep with the release train
    • Rewrote thin READMEs for core, rest, driver-memory, plugin-security, and all seven framework adapters (express, fastify, hono, nestjs, nextjs, nuxt, sveltekit) to the canonical structure: overview, installation, quick start, key exports, configuration, when/when-not, related packages, and docs links
    • Updated content/docs/guides/packages.mdx and content/docs/concepts/packages.mdx to reflect the actual 42 package inventory and to include service-package and service-tenant

Fixed

  • Studio left metadata list not refreshing on package switch — In apps/studio/src/routes/$package.tsx, the AppSidebar package-switcher's onSelectPackage handler only updated local selectedPackage state. A URL→state useEffect in the same layout then immediately reverted that state back to match the unchanged $package route param, so AppSidebar.loadMetadata (keyed on selectedPackage) never re-ran and the left metadata tree stayed stuck on the previous package. The dropdown now navigates to /$newPackage, making the URL the single source of truth; the URL→state effect then updates selectedPackage normally and the metadata list refreshes for the new package. (apps/studio/src/routes/$package.tsx)
  • Cross-origin auth tokens stripped in @objectstack/hono adapter (follow-up to PR #1178)createHonoApp() was not exposing set-auth-token via Access-Control-Expose-Headers, diverging from plugin-hono-server's CORS wiring. On Vercel deployments (where all traffic flows through createHonoApp()), the browser stripped the header from every response, preventing the better-auth bearer() plugin from delivering rotated session tokens to cross-origin clients. Cross-origin sessions silently broke even after the wildcard fixes in #1177/#1178. The adapter now always includes set-auth-token in exposeHeaders, merged with any user-supplied values, mirroring the invariant established in commit 151dd19c. (packages/adapters/hono/src/index.ts)
  • CORS wildcard patterns in @objectstack/hono adapter (follow-up to PR #1177)createHonoApp() was the third CORS code path that still treated wildcard origins (e.g. https://*.objectui.org) as literal strings when passing them to Hono's cors() middleware. Because apps/server routes all non-OPTIONS requests through this adapter on Vercel, the browser would see a successful preflight (handled by the Vercel short-circuit) followed by a POST/GET response with no Access-Control-Allow-Origin header, blocking every real request. The adapter now imports hasWildcardPattern / createOriginMatcher from @objectstack/plugin-hono-server and uses the same matcher-function branch as plugin-hono-server, so all three Hono-based CORS paths share a single source of truth. (packages/adapters/hono/src/index.ts)
  • CORS wildcard patterns on Vercel deploymentsCORS_ORIGIN values containing wildcard patterns (e.g. https://*.objectui.org,https://*.objectstack.ai,http://localhost:*) no longer cause browser CORS errors when apps/server is deployed to Vercel. The Vercel entrypoint's OPTIONS preflight short-circuit previously matched origins with a literal Array.includes(), treating * as a plain character and rejecting legitimate subdomains. It now shares the same pattern-matching logic as the Hono plugin's cors() middleware via new exports createOriginMatcher / hasWildcardPattern / matchOriginPattern / normalizeOriginPatterns from @objectstack/plugin-hono-server. (apps/server/server/index.ts, packages/plugins/plugin-hono-server/src/pattern-matcher.ts)

Added

  • Claude Code integration (CLAUDE.md) — Added root CLAUDE.md file so that Claude Code automatically loads the project's system prompt when launched in the repository. Content is synced with .github/copilot-instructions.md and includes build/test quick-reference commands, all prime directives, monorepo structure, protocol domains, coding patterns, and domain-specific prompt references. This complements the existing GitHub Copilot instructions and skills/ directory.
  • AI Skills documentation pages — Added two new documentation pages covering the Skills System:
    • content/docs/concepts/skills.mdx — Conceptual overview of the skills architecture, philosophy, and structure

... (truncated)

Commits
  • 7089fa8 Merge pull request #1157 from objectstack-ai/changeset-release/main
  • 0b65725 chore: version packages
  • 8d32884 Merge pull request #1156 from objectstack-ai/copilot/send-patch-for-changeset...
  • 326b66b chore: add changeset for patch release
  • dfe08e6 Merge pull request #1155 from objectstack-ai/copilot/fix-ci-errors-7957bead-2...
  • 2b8d4a0 fix: studio CI test failures - fix simulateBrowser mock handlers for query pa...
  • a432ff6 Merge pull request #1154 from objectstack-ai/copilot/fix-object-list-change
  • 402ad5e merge: resolve CHANGELOG.md conflict with main
  • 22a6454 Merge pull request #1153 from objectstack-ai/copilot/fix-ci-errors-3d6bc093-6...
  • 5e0777e fix: race kernel.shutdown() against timeout to prevent afterAll hook hang in CI
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): Bump @objectstack/spec from 4.0.3 to 4.0.4
6679f6d 
Bumps [@objectstack/spec](https://github.com/objectstack-ai/spec) from 4.0.3 to 4.0.4.
- [Release notes](https://github.com/objectstack-ai/spec/releases)
- [Changelog](https://github.com/objectstack-ai/framework/blob/main/CHANGELOG.md)
- [Commits](https://github.com/objectstack-ai/spec/compare/@objectstack/spec@4.0.3...@objectstack/spec@4.0.4)

---
updated-dependencies:
- dependency-name: "@objectstack/spec"
  dependency-version: 4.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hotcrm-demo Ready Ready Preview, Comment Apr 20, 2026 1:16am
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
hotcrm Ignored Ignored Apr 20, 2026 1:16am

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants