feat(auth): standalone shell-less /set-password page for SSO recovery (#1544)

[xuyushun441-sys]

Why

After SSO-as-owner entry on a per-environment runtime, a user with no local credential account is sent to "set a recovery password". That affordance lived inside the full-shell profile page (/system/profile?recovery_needed=true — banner + auto-scroll to the password card). An auth surface should be standalone and shell-less, like login / reset-password. This makes it so.

Changes

• New SetPasswordPage at /set-password — wrapped in AuthLayout, rendered outside ProtectedRoute (the cloud sso-exchange already set the session cookie). Reads ?next=, calls useAuth().setInitialPassword(), and redirects to a sanitised same-origin next on success. Shows an expired-session fallback with a sign-in link.
• ProfilePage — drop the recovery banner, scroll-to-card effect, and useRecoveryNeededFlag hook (+ now-unused AlertTitle / ShieldAlert imports). Its PasswordCard still offers "set local password" for any credential-less user.

Pairs with framework

objectstack-ai/framework#1577 — the cloud auth-proxy sso-exchange now redirects to /_console/set-password?next=… (instead of the profile page), and adds the missing set-initial-password endpoint on per-environment runtimes (the original 404).

Verification

• tsc --noEmit clean (apps/console)
• No remaining refs to recovery_needed / profile-recovery-banner

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
objectui	Ignored		Jun 4, 2026 10:56am

[github-actions]

✅ Console Performance Budget

Metric	Value	Budget
Main entry (gzip)	281.8 KB	350 KB
Entry file	index-COGhCV8I.js	—
Status	PASS	—

---

📦 Bundle Size Report

Package	Size	Gzipped
app-shell (index.js)	5.75KB	2.02KB
app-shell (runtime-config.js)	4.29KB	1.54KB
app-shell (types.js)	0.01KB	0.04KB
auth (AuthContext.js)	0.31KB	0.24KB
auth (AuthGuard.js)	1.17KB	0.53KB
auth (AuthProvider.js)	17.16KB	3.44KB
auth (AuthShell.js)	3.49KB	1.40KB
auth (ForgotPasswordForm.js)	4.79KB	1.88KB
auth (LoginForm.js)	5.11KB	1.92KB
auth (PreviewBanner.js)	0.90KB	0.50KB
auth (RegisterForm.js)	6.63KB	2.15KB
auth (SocialSignInButtons.js)	8.89KB	3.61KB
auth (UserMenu.js)	3.40KB	1.22KB
auth (authStyles.js)	5.04KB	1.72KB
auth (createAuthClient.js)	22.29KB	5.30KB
auth (createAuthenticatedFetch.js)	3.33KB	1.32KB
auth (index.js)	1.75KB	0.76KB
auth (types.js)	0.59KB	0.35KB
auth (useAuth.js)	4.01KB	0.79KB
auth (useIsWorkspaceAdmin.js)	1.28KB	0.70KB
collaboration (CommentThread.js)	18.38KB	4.49KB
collaboration (LiveCursors.js)	3.17KB	1.27KB
collaboration (PresenceAvatars.js)	3.65KB	1.42KB
collaboration (PresenceProvider.js)	2.42KB	0.96KB
collaboration (index.js)	1.25KB	0.53KB
collaboration (useCommentSearch.js)	1.98KB	0.88KB
collaboration (useConflictResolution.js)	7.75KB	1.86KB
collaboration (useMentionNotifications.js)	1.81KB	0.68KB
collaboration (usePresence.js)	6.33KB	1.84KB
collaboration (useRealtimeSubscription.js)	7.91KB	2.01KB
components (index.js)	393.42KB	83.11KB
core (index.js)	1.45KB	0.54KB
create-plugin (index.js)	9.28KB	2.98KB
data-objectstack (index.js)	90.43KB	22.43KB
fields (index.js)	138.02KB	32.56KB
i18n (i18n.js)	4.32KB	1.77KB
i18n (index.js)	2.27KB	0.91KB
i18n (provider.js)	5.37KB	1.72KB
i18n (useObjectLabel.js)	18.42KB	4.30KB
i18n (useSafeTranslation.js)	1.63KB	0.57KB
layout (index.js)	36.05KB	9.94KB
mobile (MobileProvider.js)	0.92KB	0.49KB
mobile (ResponsiveContainer.js)	0.94KB	0.38KB
mobile (breakpoints.js)	1.51KB	0.70KB
mobile (createOfflineDataSource.js)	5.61KB	1.74KB
mobile (index.js)	1.50KB	0.62KB
mobile (offlineQueue.js)	3.91KB	1.35KB
mobile (pwa.js)	0.97KB	0.49KB
mobile (serviceWorker.js)	1.48KB	0.62KB
mobile (serviceWorkerSource.js)	3.41KB	1.48KB
mobile (useBreakpoint.js)	1.54KB	0.65KB
mobile (useGesture.js)	4.42KB	1.27KB
mobile (useOfflineSync.js)	1.99KB	0.72KB
mobile (usePullToRefresh.js)	2.53KB	0.85KB
mobile (useResponsive.js)	0.71KB	0.42KB
mobile (useResponsiveConfig.js)	1.36KB	0.63KB
mobile (useSpecGesture.js)	1.77KB	0.77KB
mobile (useTouchTarget.js)	1.01KB	0.54KB
permissions (MePermissionsProvider.js)	4.87KB	1.77KB
permissions (PermissionContext.js)	0.31KB	0.25KB
permissions (PermissionGuard.js)	0.89KB	0.45KB
permissions (PermissionProvider.js)	3.11KB	0.87KB
permissions (evaluator.js)	4.00KB	1.23KB
permissions (index.js)	0.91KB	0.41KB
permissions (store.js)	0.91KB	0.42KB
permissions (useFieldPermissions.js)	1.28KB	0.52KB
permissions (usePermissions.js)	1.42KB	0.68KB
plugin-ai (index.js)	15.71KB	3.79KB
plugin-calendar (index.js)	45.98KB	12.65KB
plugin-charts (index.js)	39.09KB	11.07KB
plugin-chatbot (index.js)	110.26KB	27.07KB
plugin-dashboard (index.js)	87.61KB	20.96KB
plugin-designer (index.js)	213.42KB	42.94KB
plugin-detail (index.js)	192.43KB	46.33KB
plugin-editor (index.js)	2.38KB	1.06KB
plugin-form (index.js)	64.00KB	14.83KB
plugin-gantt (index.js)	28.30KB	7.76KB
plugin-grid (index.js)	110.04KB	29.58KB
plugin-kanban (index.js)	48.82KB	13.13KB
plugin-list (index.js)	89.76KB	21.04KB
plugin-map (index.js)	16.02KB	4.98KB
plugin-markdown (index.js)	2.62KB	1.18KB
plugin-report (index.js)	129.03KB	28.39KB
plugin-timeline (index.js)	25.37KB	7.20KB
plugin-view (index.js)	140.77KB	28.99KB
plugin-workflow (index.js)	69.35KB	14.42KB
providers (DataSourceProvider.js)	0.75KB	0.39KB
providers (MetadataProvider.js)	1.37KB	0.59KB
providers (ThemeProvider.js)	1.55KB	0.67KB
providers (UploadProvider.js)	11.71KB	3.53KB
providers (index.js)	0.44KB	0.22KB
providers (types.js)	0.01KB	0.04KB
react (LazyPluginLoader.js)	3.77KB	1.33KB
react (SchemaRenderer.js)	14.98KB	4.84KB
react (index.js)	0.76KB	0.42KB
tenant (TenantContext.js)	0.31KB	0.25KB
tenant (TenantGuard.js)	1.04KB	0.43KB
tenant (TenantProvider.js)	2.76KB	0.98KB
tenant (TenantScopedQuery.js)	0.77KB	0.44KB
tenant (index.js)	0.75KB	0.38KB
tenant (resolver.js)	2.64KB	0.76KB
tenant (useTenant.js)	0.50KB	0.32KB
tenant (useTenantBranding.js)	0.62KB	0.39KB
types (ai.js)	0.20KB	0.17KB
types (api-types.js)	0.20KB	0.18KB
types (app.js)	2.87KB	0.99KB
types (base.js)	0.20KB	0.18KB
types (blocks.js)	0.20KB	0.18KB
types (complex.js)	0.20KB	0.18KB
types (crud.js)	0.20KB	0.18KB
types (data-display.js)	0.20KB	0.18KB
types (data-protocol.js)	0.20KB	0.19KB
types (data.js)	0.20KB	0.18KB
types (designer.js)	0.77KB	0.41KB
types (disclosure.js)	0.20KB	0.18KB
types (feedback.js)	0.20KB	0.18KB
types (field-types.js)	0.20KB	0.18KB
types (form.js)	0.20KB	0.18KB
types (index.js)	1.54KB	0.68KB
types (layout.js)	0.20KB	0.18KB
types (mobile.js)	0.20KB	0.18KB
types (navigation.js)	0.20KB	0.18KB
types (objectql.js)	0.20KB	0.18KB
types (overlay.js)	0.20KB	0.18KB
types (permissions.js)	0.20KB	0.18KB
types (plugin-scope.js)	0.20KB	0.18KB
types (record-components.js)	0.20KB	0.19KB
types (registry.js)	0.20KB	0.18KB
types (reports.js)	0.20KB	0.18KB
types (spec-report.js)	4.80KB	1.76KB
types (tenant.js)	0.20KB	0.18KB
types (theme.js)	0.20KB	0.18KB
types (ui-action.js)	0.75KB	0.46KB
types (views.js)	0.20KB	0.18KB
types (widget.js)	0.20KB	0.18KB
types (workflow.js)	0.20KB	0.18KB

Size Limits

• ✅ Core packages should be < 50KB gzipped
• ✅ Component packages should be < 100KB gzipped
• ⚠️ Plugin packages should be < 150KB gzipped