feat: unified system object architecture with namespace-based auto-derivation

[Copilot]

System objects were scattered across plugins with inconsistent naming, no namespace convention, and manual tableName boilerplate. This unifies all sys_* objects under a single architectural pattern.

ObjectSchema namespace property

New optional field on ObjectSchemaBase. When set, ObjectSchema.create() auto-derives tableName as {namespace}_{name}:

const SysUser = ObjectSchema.create({
  namespace: 'sys',
  name: 'user',        // short logical name
  // tableName auto-derived → 'sys_user'
  fields: { ... },
});

Explicit tableName still wins. Objects without namespace are unaffected.

StorageNameMapping.resolveTableName() updated with the same fallback chain: tableName → {namespace}_{name} → name.

SystemObjectName expansion

Added 10 constants: ORGANIZATION, MEMBER, INVITATION, TEAM, TEAM_MEMBER, API_KEY, TWO_FACTOR, ROLE, PERMISSION_SET, AUDIT_LOG (15 total including existing USER, SESSION, ACCOUNT, VERIFICATION, METADATA).

System object definitions by plugin

• plugin-auth (11 objects): Migrated 4 existing (SysUser, SysSession, SysAccount, SysVerification) to namespace: 'sys'. Added SysOrganization, SysMember, SysInvitation, SysTeam, SysTeamMember, SysApiKey, SysTwoFactor.
• plugin-security (2 objects): SysRole, SysPermissionSet.
• plugin-audit (new package, 1 object): SysAuditLog — immutable, API read-only.

All files follow sys-{name}.object.ts / Sys{PascalCase} convention.

auth-schema-config.ts unified to use SystemObjectName constants

All 6 organization plugin schema mappings (AUTH_ORGANIZATION_SCHEMA, AUTH_MEMBER_SCHEMA, AUTH_INVITATION_SCHEMA, AUTH_TEAM_SCHEMA, AUTH_TEAM_MEMBER_SCHEMA, AUTH_TWO_FACTOR_SCHEMA) now reference SystemObjectName.* constants instead of hardcoded 'sys_*' strings, ensuring a single source of truth for all system object names.

Backward compatibility

Old auth-*.object.ts files re-export as deprecated aliases (AuthUser → SysUser, etc.). Removal planned for v4.0.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>系统对象架构与命名规范统一升级提案</issue_title>
<issue_description># 系统对象架构与命名规范统一提案

背景

本项目目前存在系统对象、系统设置相关的元数据、API、权限、命名多处定义分散与不一致的问题：

• 系统对象（如 user、role、org、audit_log 等）目前部分定义在 plugin-auth、部分定义在 plugin-security、部分为业务层（objectui）手动副本。
• 命名规范混乱：对象名、表名、文件名、API 路由、权限声明等未有统一设计。
• 不同插件/包之间的对象导出、注册与消费方式不一致。

这导致：

• 元数据冗余，定义难以追踪、维护。
• 新增/变更系统对象时需多处同步，易产生技术债。
• 消费端（前端与 API client）难以一致性消费和自动生成界面。
• 权限声明、事件、路由等常因命名不统一出现混乱。

长期统一架构方案提案

1. 系统对象统一归属与结构

• 在 objectstack-ai/spec 项目的系统插件层（如 plugin-auth、plugin-security、plugin-audit），所有系统对象统一在 objects 文件夹以 ObjectSchema 定义。
• 每个对象设定 namespace: 'sys'，如：

  export const SysUser = ObjectSchema.create({
    namespace: 'sys',
    name: 'user',
    tableName: 'sys_user',
    // ...
  });

• 新增/补齐对象：
  • sys_user、sys_account、sys_session、sys_verification、sys_org、sys_member、sys_invitation, sys_api_key （plugin-auth, better-auth 内核和插件用到的所有对象）。
  • sys_role、sys_permission_set（plugin-security）。
  • sys_audit_log（新建 plugin-audit）。
  • 等，如有需求补充。
• 文件命名全部采用 sys-{name}.object.ts，如 sys-user.object.ts、sys-role.object.ts。
• 导出常量全部采用 PascalCase，如 SysUser、SysRole。

2. 命名规范分层与自动推导

• ObjectSchema 层：
  • namespace: 'sys' —— 消费者视角分类统一。
  • name: 'user' —— 逻辑标识，snake_case，不带前缀。
  • tableName: 'sys_user' —— 物理表名，自动推导：{namespace}_{name}，减少手动冗余。
• 文件名：sys-{name}.object.ts（全部系统对象统一化）。
• 路由与 API：前端统一 /system/{name}，API /api/v1/objects?namespace=sys。
• 权限声明、事件类型、关联关系也统一以 sys::{name} 进行辨识和管理。
• 消费方无需关心对象来源插件，全部系统对象都属于 sys 域。

3. 架构分包与对象注册

• 保持插件分包：plugin-auth、plugin-security、plugin-audit 等分别注册自己的系统对象（sys 域），避免合并为单一包，保证内聚、可选、解耦。
• 每个插件注册时，按 namespace 归类，消费端自动聚合。
• 补齐所有遗失的 ObjectSchema 层定义，不再允许只写 Zod/schema 或手动前端副本。

Ω

收益与影响

• 彻底解耦对象名与表名、文件名、插件归属，追求长期维护与自动化的可扩展能力。
• 系统对象一眼可见、零冗余，新增/变更只需一处。
• 路由、权限声明、API、界面渲染全平台统一，消除技术债。
• 推动平台架构与成熟 SaaS/企业平台看齐（Salesforce/Strapi/Payload 的对象体系）。
• 为未来自动生成、批量运维、对象 discovery，和 DSL/低代码场景打下基本盘。

需要执行的具体工程任务

1. 在各系统插件补齐所有系统对象 ObjectSchema 并统一命名。
2. 扩展 ObjectSchema 协议，明确 namespace/tableName 自动推导规范。
3. 改造对象注册流程 plugin 内统一归档。
4. 前端同步全量消费 sys namespace 对象。
5. 路由、权限、事件等所有系统对象管理统一。
6. 升级文档、ROADMAP，并记录 breaking change。

附加参考资料

• plugin-auth 对象定义示例
• plugin-security RBAC 权限模型
• 系统对象命名规范调整建议

---

建议本议题为平台长期唯一的系统对象与命名规范架构方案指导，所有相关改动或讨论均以此 issue 为准。</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes 系统对象架构与命名规范统一升级提案 #906

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
objectstack-play	Ready	Preview, Comment	Mar 12, 2026 4:14am
spec	Ready	Preview, Comment	Mar 12, 2026 4:14am

[hotlong]

@copilot 仔细评估是否已经完成了任务中要求的所有开发

[Copilot]

@copilot 仔细评估是否已经完成了任务中要求的所有开发

经过完整评估，发现了遗漏并在 72bc3eb 中修复：

补齐的遗漏项：

1. sys_team 和 sys_team_member 对象定义 — auth-schema-config.ts 中 AUTH_TEAM_SCHEMA 和 AUTH_TEAM_MEMBER_SCHEMA 已引用但缺少 ObjectSchema 定义
2. SystemObjectName.TEAM 和 TEAM_MEMBER 常量
3. auth-schema-config.ts 中 organization 插件相关的 6 个 schema（organization/member/invitation/team/teamMember/twoFactor）之前用硬编码字符串，现已统一使用 SystemObjectName 常量

当前完成状态（issue 6 项工程任务）：

• ✅ 任务1：15 个系统对象全部补齐（plugin-auth 11 个 + plugin-security 2 个 + plugin-audit 1 个 + metadata 1 个）
• ✅ 任务2：ObjectSchema 协议扩展 namespace 属性，tableName 自动推导 {namespace}_{name}
• ⚠️ 任务3：对象注册流程 — ObjectSchema 定义已在各 plugin 的 objects/ 目录统一归档并导出；运行时注册逻辑（plugin.init 时自动注册 objects 到 kernel metadata）属于 runtime 层改造，超出 spec 仓库范围
• ⚠️ 任务4：前端消费 — 属于 Studio/UI 层改造，超出 spec 仓库范围
• ⚠️ 任务5：路由、权限、事件统一 — 协议层已就绪（namespace + SystemObjectName 常量），具体路由/权限运行时实现属于 runtime 层
• ✅ 任务6：CHANGELOG.md 和 ROADMAP.md 已更新

[Copilot]

Pull request overview

Introduces a namespace-based system-object naming approach by adding an optional namespace to ObjectSchema, auto-deriving tableName from {namespace}_{name}, and adding/expanding canonical sys_* object definitions across auth/security/audit plugins.

Changes:

• Add ObjectSchema.namespace with ObjectSchema.create() auto-deriving tableName as {namespace}_{name}.
• Expand SystemObjectName constants and tests; update auth schema mappings to use the constants.
• Add new sys namespace object definitions for plugin-auth/plugin-security and introduce a new plugin-audit package exporting SysAuditLog.

Reviewed changes

Copilot reviewed 33 out of 34 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
ROADMAP.md	Updates roadmap documentation for namespace-based system object naming + plugin ownership listing.
pnpm-lock.yaml	Lockfile updates including new plugin-audit importer and metadata fields.
packages/spec/src/system/constants/system-names.ts	Adds new SystemObjectName.* entries and makes resolveTableName namespace-aware.
packages/spec/src/system/constants/system-names.test.ts	Extends tests for new system object names and namespace table derivation behavior.
packages/spec/src/data/object.zod.ts	Adds namespace to ObjectSchema and auto-derives tableName in ObjectSchema.create().
packages/spec/src/data/object.test.ts	Adds validation + factory tests for namespace acceptance and tableName derivation.
packages/plugins/plugin-security/src/objects/sys-role.object.ts	Adds SysRole system object definition (namespace: 'sys').
packages/plugins/plugin-security/src/objects/sys-permission-set.object.ts	Adds SysPermissionSet system object definition (namespace: 'sys').
packages/plugins/plugin-security/src/objects/index.ts	Exposes security plugin sys objects via a local barrel export.
packages/plugins/plugin-security/src/index.ts	Re-exports sys objects from plugin-security package entry.
packages/plugins/plugin-auth/src/objects/sys-verification.object.ts	Adds SysVerification system object definition.
packages/plugins/plugin-auth/src/objects/sys-user.object.ts	Adds SysUser system object definition.
packages/plugins/plugin-auth/src/objects/sys-two-factor.object.ts	Adds SysTwoFactor system object definition.
packages/plugins/plugin-auth/src/objects/sys-team.object.ts	Adds SysTeam system object definition.
packages/plugins/plugin-auth/src/objects/sys-team-member.object.ts	Adds SysTeamMember system object definition.
packages/plugins/plugin-auth/src/objects/sys-session.object.ts	Adds SysSession system object definition.
packages/plugins/plugin-auth/src/objects/sys-organization.object.ts	Adds SysOrganization system object definition.
packages/plugins/plugin-auth/src/objects/sys-member.object.ts	Adds SysMember system object definition.
packages/plugins/plugin-auth/src/objects/sys-invitation.object.ts	Adds SysInvitation system object definition.
packages/plugins/plugin-auth/src/objects/sys-api-key.object.ts	Adds SysApiKey system object definition.
packages/plugins/plugin-auth/src/objects/sys-account.object.ts	Adds SysAccount system object definition.
packages/plugins/plugin-auth/src/objects/index.ts	Reworks plugin-auth object exports: canonical Sys* plus deprecated Auth* re-exports.
packages/plugins/plugin-auth/src/objects/auth-verification.object.ts	Converts AuthVerification to a deprecated re-export of SysVerification.
packages/plugins/plugin-auth/src/objects/auth-user.object.ts	Converts AuthUser to a deprecated re-export of SysUser.
packages/plugins/plugin-auth/src/objects/auth-session.object.ts	Converts AuthSession to a deprecated re-export of SysSession.
packages/plugins/plugin-auth/src/objects/auth-account.object.ts	Converts AuthAccount to a deprecated re-export of SysAccount.
packages/plugins/plugin-auth/src/auth-schema-config.ts	Uses SystemObjectName.* constants for better-auth plugin schema model names.
packages/plugins/plugin-audit/tsconfig.json	Adds TS config for the new plugin-audit package.
packages/plugins/plugin-audit/src/objects/sys-audit-log.object.ts	Adds SysAuditLog system object definition for immutable audit trails.
packages/plugins/plugin-audit/src/objects/index.ts	Barrel export for audit plugin sys objects.
packages/plugins/plugin-audit/src/index.ts	Package entry exporting SysAuditLog.
packages/plugins/plugin-audit/package.json	New @objectstack/plugin-audit package definition and build/test scripts.
packages/metadata/src/objects/sys-metadata.object.ts	Migrates sys_metadata object to namespace: 'sys', name: 'metadata'.
CHANGELOG.md	Documents the namespace feature, new system objects, and new plugin-audit package.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

[Copilot]

The Unreleased section now contains two consecutive "### Changed" headings (one starting at line 26 and another at line 35). This breaks Keep-a-Changelog formatting and makes it unclear which bullets belong to which section. Please merge these into a single "### Changed" section (or otherwise restructure the headings) so there's only one "Changed" block per release section.

[Copilot]

The new namespace docs say it must be a "single lowercase word" and the test descriptions below also imply alpha-only, but the regex /^[a-z][a-z0-9]*$/ allows digits after the first character. Please either tighten the regex to match the stated constraint, or update the docs to explicitly allow lowercase alphanumerics.

[Copilot]

Test description says namespace "must be lowercase alpha", but the actual schema regex allows digits (e.g. sys2). Please align the test wording with the implemented validation (or change the regex if alpha-only is intended).

[Copilot]

In this section, the table column is labeled "Protocol Name" but the values shown (e.g. sys_user) are described elsewhere in the section as the physical table name auto-derived from {namespace}_{name}. Consider renaming the column to something like "Physical Table" / "Derived Table Name" to avoid confusing protocol identifiers with storage names. Also, since this section now describes a namespace-based convention, the section title still referencing a "sys_ Prefix" is misleading.