chore(deps): bump @objectstack/spec from 0.8.2 to 4.0.4

[dependabot]

Bumps @objectstack/spec from 0.8.2 to 4.0.4.

Release notes

Sourced from @​objectstack/spec's releases.

@​objectstack/spec@​4.0.4

Patch Changes

• 326b66b: fix: studio CI test failures and metadata protocol mock handler improvements

@​objectstack/spec@​4.0.3

No release notes provided.

@​objectstack/spec@​4.0.2

Patch Changes

• 5f659e9: fix ai

Changelog

Sourced from @​objectstack/spec's changelog.

Changelog

All notable changes to the ObjectStack Protocol will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Fixed

• Doubly-prefixed FQN for @objectstack/objectos system objects — The ObjectOS-layer object definitions (SysObject, SysView, SysAgent, SysTool, SysFlow, SysMetadata) were being registered with fully-qualified names like sys__sys_object, sys__sys_view, sys__sys_metadata, because each object hard-coded a sys_ prefix into its name and its manifest was registered under namespace: 'sys', causing SchemaRegistry.computeFQN(namespace, name) to apply the prefix twice. The object name values are now the unprefixed short form (object, view, agent, tool, flow, metadata), producing the correct FQNs (sys__object, sys__view, sys__agent, sys__tool, sys__flow). SysMetadata (which would collide with the canonical sys__metadata owned by @objectstack/metadata) is now exported separately and excluded from the auto-registered SystemObjects catalog to avoid ownership conflicts; consumers that need it can still import it directly. See packages/objectos/src/objects/*.ts and packages/objectos/src/registry.ts.

Added

• Environment-per-database multi-tenancy (service-tenant v4.1) — Refactored the multi-tenant architecture from "per-organization database" to per-environment database high-isolation, with a hard split between Control Plane (environment registry / addressing / credentials / RBAC) and Data Plane (one physical database per environment). See https://github.com/objectstack-ai/framework/blob/main/docs/adr/0002-environment-database-isolation.md for the full rationale and trade-offs.
  • Zod protocol schemas (packages/spec/src/cloud/environment.zod.ts): EnvironmentSchema, EnvironmentDatabaseSchema, DatabaseCredentialSchema, EnvironmentMemberSchema, EnvironmentTypeSchema, EnvironmentStatusSchema, EnvironmentRoleSchema, DatabaseCredentialStatusSchema, ProvisionEnvironmentRequest/ResponseSchema, ProvisionOrganizationRequest/ResponseSchema. TenantDatabaseSchema is now marked @deprecated.
  • Control-plane objects (packages/services/service-tenant/src/objects/): sys_environment (UNIQUE (organization_id, slug)), sys_environment_database (UNIQUE environment_id — exactly one DB per environment), sys_database_credential (rotatable, encrypted, with active / rotating / revoked lifecycle), sys_environment_member (UNIQUE (environment_id, user_id), owner / admin / maker / reader / guest). Every field carries .describe() metadata and every uniqueness constraint is explicit.
  • EnvironmentProvisioningService (packages/services/service-tenant/src/environment-provisioning.ts): provisionOrganization() bootstraps a new org with a default environment and DB in one call; provisionEnvironment() allocates any subsequent dev / test / sandbox / preview environment; rotateCredential() mints a new active credential and revokes the previous one. Pluggable EnvironmentDatabaseAdapter (initial turso; libsql / sqlite / postgres drop in without core changes) and SecretEncryptor hooks.
  • Tenant plugin wiring: createTenantPlugin() now registers all four new control-plane objects out of the box, plus sys_tenant_database as a v4.x shim (opt out via registerLegacyTenantDatabase: false).
  • v4 → v5 migration skeleton (packages/services/service-tenant/migrations/v4-to-v5-env-migration.ts): idempotent, non-destructive, re-encrypts credentials with the current KMS key, reuses existing physical DBs as each org's new prod environment DB — no data movement required.
  • Tests: 22 new schema round-trip tests in packages/spec/src/cloud/environment.test.ts, 10 new provisioning tests in packages/services/service-tenant/src/environment-provisioning.test.ts covering organization bootstrap, environment creation, default-environment invariants, adapter routing, credential rotation, and encryption hooks.

Deprecated

• TenantDatabaseSchema / sys_tenant_database — Superseded by the environment-per-database model above. The schema and object remain registered in v4.x as a deprecation shim; both will be removed in v5.0. Consumers should migrate by running migrateV4ToV5Environments() before upgrading to v5.0.

Changed

• Polished examples/app-crm dashboards — Rewrote executive, sales, and service dashboards and added a new unified crm overview dashboard, modeled after the reference implementation at objectstack-ai/objectui/examples/crm. The dashboards now use the framework's first-class metadata fields instead of ad-hoc hex strings stuffed into options.color:
  • Semantic colorVariant tokens (success/warning/danger/blue/teal/purple/orange) replace raw hex codes
  • Each widget carries a description, chartConfig (axes, color palette, annotations, interaction), and a header actionUrl/actionType/actionIcon for drill-down
  • Each dashboard declares a structured header with action buttons, a dateRange global time filter, globalFilters (owner / industry / priority lookups), and a refreshInterval
  • KPI metric widgets carry icon, format, and trend indicators (direction + delta + label) in options, mirroring the objectui reference visual style
  • Chart variety expanded: area (revenue trends), donut (lead source / industry), funnel (pipeline by stage), gauge (SLA compliance), horizontal-bar (rep ranking), with proper axis titles and value formatters
  • Table widgets use structured columns: [{ header, accessorKey, format }] instead of bare field-name arrays
  • New examples/app-crm/test/dashboard.test.ts validates every dashboard against DashboardSchema and enforces these conventions

Added

• Release-readiness documentation pass (42 packages) — Aligned every @objectstack/* package for the formal v4.x release:
  • Canonical README template and package.json publishing checklist committed at docs/internal/PACKAGE_README_TEMPLATE.md
  • New packages/services/service-package/README.md documenting the package registry service
  • All package.json files now carry description, at least 3 keywords, a full repository block with directory, homepage, bugs, engines.node, publishConfig.access: public, and a files whitelist
  • @objectstack/service-tenant (was 0.1.0) and @objectstack/service-package (was 1.0.0) bumped to 4.0.4 in lockstep with the release train
  • Rewrote thin READMEs for core, rest, driver-memory, plugin-security, and all seven framework adapters (express, fastify, hono, nestjs, nextjs, nuxt, sveltekit) to the canonical structure: overview, installation, quick start, key exports, configuration, when/when-not, related packages, and docs links
  • Updated content/docs/guides/packages.mdx and content/docs/concepts/packages.mdx to reflect the actual 42 package inventory and to include service-package and service-tenant

Fixed

• Studio left metadata list not refreshing on package switch — In apps/studio/src/routes/$package.tsx, the AppSidebar package-switcher's onSelectPackage handler only updated local selectedPackage state. A URL→state useEffect in the same layout then immediately reverted that state back to match the unchanged $package route param, so AppSidebar.loadMetadata (keyed on selectedPackage) never re-ran and the left metadata tree stayed stuck on the previous package. The dropdown now navigates to /$newPackage, making the URL the single source of truth; the URL→state effect then updates selectedPackage normally and the metadata list refreshes for the new package. (apps/studio/src/routes/$package.tsx)
• Cross-origin auth tokens stripped in @objectstack/hono adapter (follow-up to PR #1178) — createHonoApp() was not exposing set-auth-token via Access-Control-Expose-Headers, diverging from plugin-hono-server's CORS wiring. On Vercel deployments (where all traffic flows through createHonoApp()), the browser stripped the header from every response, preventing the better-auth bearer() plugin from delivering rotated session tokens to cross-origin clients. Cross-origin sessions silently broke even after the wildcard fixes in #1177/#1178. The adapter now always includes set-auth-token in exposeHeaders, merged with any user-supplied values, mirroring the invariant established in commit 151dd19c. (packages/adapters/hono/src/index.ts)
• CORS wildcard patterns in @objectstack/hono adapter (follow-up to PR #1177) — createHonoApp() was the third CORS code path that still treated wildcard origins (e.g. https://*.objectui.org) as literal strings when passing them to Hono's cors() middleware. Because apps/server routes all non-OPTIONS requests through this adapter on Vercel, the browser would see a successful preflight (handled by the Vercel short-circuit) followed by a POST/GET response with no Access-Control-Allow-Origin header, blocking every real request. The adapter now imports hasWildcardPattern / createOriginMatcher from @objectstack/plugin-hono-server and uses the same matcher-function branch as plugin-hono-server, so all three Hono-based CORS paths share a single source of truth. (packages/adapters/hono/src/index.ts)
• CORS wildcard patterns on Vercel deployments — CORS_ORIGIN values containing wildcard patterns (e.g. https://*.objectui.org,https://*.objectstack.ai,http://localhost:*) no longer cause browser CORS errors when apps/server is deployed to Vercel. The Vercel entrypoint's OPTIONS preflight short-circuit previously matched origins with a literal Array.includes(), treating * as a plain character and rejecting legitimate subdomains. It now shares the same pattern-matching logic as the Hono plugin's cors() middleware via new exports createOriginMatcher / hasWildcardPattern / matchOriginPattern / normalizeOriginPatterns from @objectstack/plugin-hono-server. (apps/server/server/index.ts, packages/plugins/plugin-hono-server/src/pattern-matcher.ts)

Added

... (truncated)

Commits

• 7089fa8 Merge pull request #1157 from objectstack-ai/changeset-release/main
• 0b65725 chore: version packages
• 8d32884 Merge pull request #1156 from objectstack-ai/copilot/send-patch-for-changeset...
• 326b66b chore: add changeset for patch release
• dfe08e6 Merge pull request #1155 from objectstack-ai/copilot/fix-ci-errors-7957bead-2...
• 2b8d4a0 fix: studio CI test failures - fix simulateBrowser mock handlers for query pa...
• a432ff6 Merge pull request #1154 from objectstack-ai/copilot/fix-object-list-change
• 402ad5e merge: resolve CHANGELOG.md conflict with main
• 22a6454 Merge pull request #1153 from objectstack-ai/copilot/fix-ci-errors-3d6bc093-6...
• 5e0777e fix: race kernel.shutdown() against timeout to prevent afterAll hook hang in CI
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.