Merge branch 'main' of https://github.com/objectstack-ai/framework

Author: hotlong

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **Studio: cascade-delete projects and organizations** — The previously-disabled "Archive project" button on `/projects/$projectId` is now an enabled "Delete project" action with typed-name confirmation. New "Danger zone" section on `/orgs/$orgId` lets owners delete an organization, which cascades to every project the org owns (including each project's physical database). Server side adds `DELETE /api/v1/cloud/projects/:id[?force=1]` and `DELETE /api/v1/cloud/organizations/:id` to `HttpDispatcher`, both routed via `dispatcher-plugin`. The org-delete path uses better-auth's `auth.api.deleteOrganization` (which removes members + invitations + teams) and falls back to a direct `sys_organization` row delete when the plugin isn't loaded. Client SDK gains `client.projects.delete(id, { force })` and `client.organizations.delete(id)`. New Studio hooks `useDeleteProject` and `useDeleteOrganization` (the latter refreshes the session + org list so the active-org pointer is cleared automatically).
 - **`os auth login` — browser-based device flow (Vercel CLI style)** — Running `os auth login` in an interactive TTY no longer requires typing a password into the terminal. The CLI now calls `POST /api/v1/auth/device/request` to obtain a one-time device code, prints the verification URL, auto-opens the browser, and polls `GET /api/v1/auth/device/token` every 2 s until the user approves. A new Studio page at `/_studio/auth/device?code=…` lets authenticated users (or users who sign in inline) approve the request with one click. The old `--email`/`--password` path is preserved for non-interactive / CI use; `--no-browser` skips auto-open. Server-side: two new endpoints (`/device/request`, `/device/token`) and an approval endpoint (`/device/approve`) added to `plugin-auth`; device codes expire after 5 min and are stored in-memory.
 - **`os auth register` CLI command** — New `os auth register` command creates an account and stores credentials in one step, with interactive prompts (email, name, password) and `--email`/`--name`/`--password`/`--url` flags for non-interactive use.
 - **`os auth login` — already-logged-in guard** — If a valid token already exists in `~/.objectstack/credentials.json`, `os auth login` now prints "Already logged in as \<email\>" and exits 0. Use `os auth logout` first to switch accounts, or pass `--force` to bypass the check.

apps/studio/src/hooks/useProjects.ts

@@ -337,3 +337,42 @@ export function useRetryProvisioning() {
 
   return { retry, retrying, error };
 }
+
+/**
+ * Hook: cascade-delete a project (clears credential / member / package
+ * installation rows, releases the physical DB, then drops `sys_project`).
+ *
+ * Wraps `client.projects.delete(id, { force })`.
+ */
+export function useDeleteProject() {
+  const client = useClient() as any;
+  const [deleting, setDeleting] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+
+  const remove = useCallback(
+    async (projectId: string, opts?: { force?: boolean }) => {
+      if (!client?.projects?.delete) {
+        throw new Error('Client not ready');
+      }
+      setDeleting(true);
+      setError(null);
+      try {
+        const result = await client.projects.delete(projectId, opts);
+        // Forget the active-project pointer if it was this one.
+        if (recallActiveProject() === projectId) {
+          rememberActiveProject(null);
+          client?.setProjectId?.(undefined);
+        }
+        return result;
+      } catch (err) {
+        setError(err as Error);
+        throw err;
+      } finally {
+        setDeleting(false);
+      }
+    },
+    [client],
+  );
+
+  return { remove, deleting, error };
+}

apps/studio/src/hooks/useSession.ts

@@ -247,3 +247,44 @@ export function useCreateOrganization() {
 
   return { create, creating, error };
 }
+
+/**
+ * Hook: cascade-delete an organization.
+ *
+ * Wraps `client.organizations.delete(id)` (which hits
+ * `DELETE /api/v1/cloud/organizations/:id`). The server tears down every
+ * project owned by the organization (including each project's physical
+ * database) before dropping the org row itself.
+ *
+ * On success the local session + organization list are refreshed so the
+ * deleted org disappears from the switcher and `activeOrganizationId`
+ * gets cleared if it pointed at this org.
+ */
+export function useDeleteOrganization() {
+  const client = useClient() as any;
+  const { reloadOrganizations, refresh } = useSession();
+  const [deleting, setDeleting] = useState(false);
+  const [error, setError] = useState<Error | null>(null);
+
+  const remove = useCallback(
+    async (organizationId: string) => {
+      if (!client?.organizations?.delete) throw new Error('Client not ready');
+      setDeleting(true);
+      setError(null);
+      try {
+        const result = await client.organizations.delete(organizationId);
+        await reloadOrganizations();
+        await refresh();
+        return result;
+      } catch (err) {
+        setError(err as Error);
+        throw err;
+      } finally {
+        setDeleting(false);
+      }
+    },
+    [client, reloadOrganizations, refresh],
+  );
+
+  return { remove, deleting, error };
+}

apps/studio/src/routes/orgs.$orgId.tsx

@@ -31,7 +31,7 @@ import {
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
 import { Badge } from '@/components/ui/badge';
 import { toast } from '@/hooks/use-toast';
-import { useOrganizations, useSession } from '@/hooks/useSession';
+import { useOrganizations, useSession, useDeleteOrganization } from '@/hooks/useSession';
 import {
   useOrganizationMembers,
   useOrganizationInvitations,
@@ -64,10 +64,14 @@ function OrgDetailPage() {
 
   const { apps, loading: loadingApps } = useOrgApps(orgId);
 
+  const { remove: deleteOrganization, deleting: deletingOrg } = useDeleteOrganization();
+
   const [inviteDialogOpen, setInviteDialogOpen] = useState(false);
   const [inviteEmail, setInviteEmail] = useState('');
   const [inviteRole, setInviteRole] = useState('member');
   const [inviting, setInviting] = useState(false);
+  const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
+  const [deleteConfirmText, setDeleteConfirmText] = useState('');
 
   const handleSetActive = async () => {
     try {
@@ -144,6 +148,39 @@ function OrgDetailPage() {
     }
   };
 
+  const handleDeleteOrganization = async () => {
+    if (!org) return;
+    if (deleteConfirmText !== org.name) {
+      toast({
+        title: 'Confirmation does not match',
+        description: `Type "${org.name}" to confirm deletion.`,
+        variant: 'destructive',
+      });
+      return;
+    }
+    try {
+      const result = await deleteOrganization(orgId);
+      const warnings = (result as any)?.warnings as string[] | undefined;
+      const deletedProjects = (result as any)?.deletedProjects ?? 0;
+      toast({
+        title: 'Organization deleted',
+        description: warnings?.length
+          ? `Removed ${deletedProjects} project(s). Warnings: ${warnings[0]}${warnings.length > 1 ? ` (+${warnings.length - 1} more)` : ''}`
+          : `${org.name} and ${deletedProjects} project(s) (with their databases) have been removed.`,
+        variant: warnings?.length ? 'destructive' : undefined,
+      });
+      setDeleteDialogOpen(false);
+      setDeleteConfirmText('');
+      navigate({ to: '/orgs' });
+    } catch (err) {
+      toast({
+        title: 'Failed to delete organization',
+        description: (err as Error).message,
+        variant: 'destructive',
+      });
+    }
+  };
+
   const isActive = session?.activeOrganizationId === orgId;
   const pendingInvitations = invitations.filter((i) => i.status === 'pending');
 
@@ -422,9 +459,81 @@ function OrgDetailPage() {
               Go to projects
             </Link>
           </p>
+
+          {/* Danger zone — cascade-delete the organization. */}
+          <Card className="border-destructive/40">
+            <CardHeader>
+              <CardTitle className="text-base text-destructive">Danger zone</CardTitle>
+              <CardDescription>
+                Permanently delete this organization, all of its projects, and every
+                project's underlying database. This action cannot be undone.
+              </CardDescription>
+            </CardHeader>
+            <CardContent>
+              <Button
+                variant="destructive"
+                size="sm"
+                onClick={() => setDeleteDialogOpen(true)}
+                disabled={deletingOrg}
+              >
+                <Trash2 className="mr-2 h-4 w-4" />
+                Delete organization
+              </Button>
+            </CardContent>
+          </Card>
         </div>
       </div>
 
+      {/* Delete Organization Dialog */}
+      <Dialog
+        open={deleteDialogOpen}
+        onOpenChange={(open) => {
+          setDeleteDialogOpen(open);
+          if (!open) setDeleteConfirmText('');
+        }}
+      >
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle className="text-destructive">Delete organization</DialogTitle>
+            <DialogDescription>
+              This will permanently delete <strong>{org?.name}</strong>, all of its
+              projects, and every project's underlying database. Members and pending
+              invitations will be removed. This action cannot be undone.
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4 py-2">
+            <div className="space-y-2">
+              <Label htmlFor="delete-confirm">
+                Type <code className="font-mono text-xs">{org?.name}</code> to confirm
+              </Label>
+              <Input
+                id="delete-confirm"
+                value={deleteConfirmText}
+                onChange={(e) => setDeleteConfirmText(e.target.value)}
+                placeholder={org?.name ?? ''}
+                disabled={deletingOrg}
+              />
+            </div>
+          </div>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setDeleteDialogOpen(false)}
+              disabled={deletingOrg}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={handleDeleteOrganization}
+              disabled={deletingOrg || !org || deleteConfirmText !== org.name}
+            >
+              {deletingOrg ? 'Deleting…' : 'Delete organization'}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
+
       {/* Invite Member Dialog */}
       <Dialog open={inviteDialogOpen} onOpenChange={setInviteDialogOpen}>
         <DialogContent>

apps/studio/src/routes/projects.$projectId.index.tsx

@@ -33,7 +33,7 @@ import { Button } from '@/components/ui/button';
 import { Badge } from '@/components/ui/badge';
 import { Separator } from '@/components/ui/separator';
 import { Input } from '@/components/ui/input';
-import { useProjectDetail, useRetryProvisioning, useUpdateHostname } from '@/hooks/useProjects';
+import { useProjectDetail, useRetryProvisioning, useUpdateHostname, useDeleteProject } from '@/hooks/useProjects';
 import { useClient } from '@objectstack/client-react';
 import { useProductionGuard } from '@/components/production-guard';
 import { toast } from '@/hooks/use-toast';
@@ -49,6 +49,7 @@ function ProjectOverviewComponent() {
   const [rotating, setRotating] = useState(false);
   const { retry, retrying } = useRetryProvisioning();
   const { updateHostname, updating: hostnameUpdating } = useUpdateHostname();
+  const { remove: deleteProject, deleting } = useDeleteProject();
   const [hostnameEditing, setHostnameEditing] = useState(false);
   const [hostnameInput, setHostnameInput] = useState('');
 
@@ -133,6 +134,38 @@ function ProjectOverviewComponent() {
     }
   };
 
+  const handleDelete = async () => {
+    if (!project) return;
+    const ok = await guard.confirm({
+      title: `Delete project "${project.display_name}"?`,
+      description:
+        'This permanently deletes the project, its credentials, members, package installations, and the underlying physical database. This action cannot be undone.',
+      confirmLabel: 'Delete project',
+      confirmVariant: 'destructive',
+      requireTypedConfirmation: true,
+      typedConfirmationValue: project.display_name,
+    });
+    if (!ok) return;
+    try {
+      const result = await deleteProject(project.id, { force: project.is_default });
+      const warnings = (result as any)?.warnings as string[] | undefined;
+      toast({
+        title: 'Project deleted',
+        description: warnings?.length
+          ? `Completed with warnings: ${warnings[0]}${warnings.length > 1 ? ` (+${warnings.length - 1} more)` : ''}`
+          : `${project.display_name} and its database have been removed.`,
+        variant: warnings?.length ? 'destructive' : undefined,
+      });
+      navigate({ to: '/projects' });
+    } catch (err) {
+      toast({
+        title: 'Failed to delete project',
+        description: (err as Error).message,
+        variant: 'destructive',
+      });
+    }
+  };
+
   return (
     <main className="flex min-w-0 flex-1 flex-col overflow-hidden bg-background">
       <div className="flex-1 overflow-auto p-6">
@@ -424,9 +457,19 @@ function ProjectOverviewComponent() {
                 <Separator />
 
                 <div className="flex justify-end">
-                  <Button variant="destructive" size="sm" className="gap-2" disabled>
-                    <Trash className="h-3.5 w-3.5" />
-                    Archive project
+                  <Button
+                    variant="destructive"
+                    size="sm"
+                    className="gap-2"
+                    disabled={deleting}
+                    onClick={handleDelete}
+                  >
+                    {deleting ? (
+                      <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                    ) : (
+                      <Trash className="h-3.5 w-3.5" />
+                    )}
+                    {deleting ? 'Deleting…' : 'Delete project'}
                   </Button>
                 </div>
               </>

packages/client/src/index.ts

@@ -669,6 +669,20 @@ export class ObjectStackClient {
       return this.unwrapResponse<{ project: any }>(res);
     },
 
+    /**
+     * Cascade-delete a project: cleans up credential/member/package_installation
+     * rows, releases the physical database via the provisioning adapter, and
+     * removes the `sys_project` row. Default projects require `force: true`.
+     */
+    delete: async (id: string, opts?: { force?: boolean }) => {
+      const qs = opts?.force ? '?force=1' : '';
+      const res = await this.fetch(
+        `${this.baseUrl}/api/v1/cloud/projects/${encodeURIComponent(id)}${qs}`,
+        { method: 'DELETE' },
+      );
+      return this.unwrapResponse<{ deleted: boolean; projectId: string; warnings: string[] }>(res);
+    },
+
     /**
      * Activate this project for the current session. The server writes
      * `active_environment_id` on the better-auth session; subsequent requests
@@ -947,6 +961,28 @@ export class ObjectStackClient {
       });
       return res.json();
     },
+
+    /**
+     * Cascade-delete an organization: tears down every project owned by the
+     * org (including each project's physical database), then drops the
+     * organization itself (members + invitations are removed by better-auth's
+     * organization plugin, or the row is deleted directly if the plugin is
+     * not loaded).
+     *
+     * DELETE /api/v1/cloud/organizations/:id
+     */
+    delete: async (organizationId: string) => {
+      const res = await this.fetch(
+        `${this.baseUrl}/api/v1/cloud/organizations/${encodeURIComponent(organizationId)}`,
+        { method: 'DELETE' },
+      );
+      return this.unwrapResponse<{
+        deleted: boolean;
+        organizationId: string;
+        deletedProjects: number;
+        warnings: string[];
+      }>(res);
+    },
   };
 
   /**

packages/runtime/src/dispatcher-plugin.ts

@@ -407,7 +407,16 @@ export function createDispatcherPlugin(config: DispatcherPluginConfig = {}): Plu
 
             server.delete(`${prefix}/cloud/projects/:id`, async (req: any, res: any) => {
                 try {
-                    const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, 'DELETE', {}, {}, { request: req });
+                    const result = await dispatcher.handleCloud(`/projects/${req.params.id}`, 'DELETE', {}, req.query, { request: req });
+                    sendResult(result, res);
+                } catch (err: any) {
+                    errorResponse(err, res);
+                }
+            });
+
+            server.delete(`${prefix}/cloud/organizations/:id`, async (req: any, res: any) => {
+                try {
+                    const result = await dispatcher.handleCloud(`/organizations/${req.params.id}`, 'DELETE', {}, req.query, { request: req });
                     sendResult(result, res);
                 } catch (err: any) {
                     errorResponse(err, res);