@adminforge/core 0.3.1

package/package.json

@@ -0,0 +1,99 @@
+{
+  "name": "@adminforge/core",
+  "version": "0.3.1",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/YuZaGa/AdminForge.git",
+    "directory": "packages/adminforge"
+  },
+  "type": "module",
+  "bin": {
+    "adminforge": "./bin/adminforge.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./ui": {
+      "types": "./dist/ui.d.ts",
+      "import": "./dist/ui.js",
+      "require": "./dist/ui.cjs"
+    },
+    "./next": {
+      "types": "./dist/next.d.ts",
+      "import": "./dist/next.js",
+      "require": "./dist/next.cjs"
+    },
+    "./auth": {
+      "types": "./dist/auth.d.ts",
+      "import": "./dist/auth.js",
+      "require": "./dist/auth.cjs"
+    },
+    "./auth-client": {
+      "types": "./dist/auth-client.d.ts",
+      "import": "./dist/auth-client.js",
+      "require": "./dist/auth-client.cjs"
+    },
+    "./styles": "./dist/styles.css"
+  },
+  "dependencies": {
+    "@prisma/client": "^6.0.0",
+    "@tanstack/react-table": "^8.20.0",
+    "@tiptap/core": "3.23.1",
+    "@tiptap/extension-bubble-menu": "3.23.1",
+    "@tiptap/extension-floating-menu": "3.23.1",
+    "@tiptap/extension-highlight": "3.23.1",
+    "@tiptap/extension-horizontal-rule": "3.23.1",
+    "@tiptap/extension-image": "3.23.1",
+    "@tiptap/extension-link": "3.23.1",
+    "@tiptap/extension-placeholder": "3.23.1",
+    "@tiptap/extension-subscript": "3.23.1",
+    "@tiptap/extension-superscript": "3.23.1",
+    "@tiptap/extension-task-item": "3.23.1",
+    "@tiptap/extension-task-list": "3.23.1",
+    "@tiptap/extension-text-align": "3.23.1",
+    "@tiptap/extension-typography": "3.23.1",
+    "@tiptap/extension-underline": "3.23.1",
+    "@tiptap/pm": "3.23.1",
+    "@tiptap/react": "3.23.1",
+    "@tiptap/starter-kit": "3.23.1",
+    "jsonwebtoken": "^9.0.3",
+    "next": "^15.0.0",
+    "next-auth": "^5.0.0-beta.25",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "zod": "^3.24.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/node": "^22.10.1",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.59.3",
+    "@typescript-eslint/parser": "^8.59.3",
+    "eslint": "^10.3.0",
+    "eslint-plugin-react": "^7.37.5",
+    "eslint-plugin-react-hooks": "^7.1.1",
+    "globals": "^17.6.0",
+    "prisma": "^6.0.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.59.3"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "DEV=true tsup --watch",
+    "lint": "eslint .",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  }
+}

package/src/api/controller.ts

@@ -0,0 +1,234 @@
+import type { AdminForgeConfig, CollectionDefinition, AccessConfig } from "../core";
+import type { DbClient } from "../db";
+import { z } from "zod";
+import { assertScope, type SecurityContext, type Action } from "./security/agent-auth";
+
+function buildValidationSchema(collection: CollectionDefinition): z.ZodObject<Record<string, z.ZodTypeAny>> {
+  const shape: Record<string, z.ZodTypeAny> = {};
+  for (const [name, field] of Object.entries(collection.fields)) {
+    shape[name] = field.validation;
+  }
+  return z.object(shape);
+}
+
+interface AdminSession {
+  user: { id: string; email: string; role?: string } | null;
+  role?: string; // Support for root-level role
+}
+
+function hasAccess(access: AccessConfig | undefined, operation: string, role?: string): boolean {
+  if (!access) return true;
+  const allowed = access[operation as keyof AccessConfig];
+  if (!allowed || !Array.isArray(allowed)) return true;
+  if (!role) return false;
+  return allowed.includes(role);
+}
+
+export type AccessInfo = SecurityContext;
+
+export interface Controller {
+  list: (args?: { where?: Record<string, unknown>; orderBy?: Record<string, string>; page?: number; pageSize?: number; search?: string }) => Promise<{ data: unknown[]; total: number; page: number; pageSize: number }>;
+  get: (id: string) => Promise<unknown | null>;
+  create: (data: Record<string, unknown>) => Promise<unknown>;
+  update: (id: string, data: Record<string, unknown>) => Promise<unknown>;
+  delete: (id: string) => Promise<unknown>;
+}
+
+export function createController(
+  collection: CollectionDefinition,
+  db: DbClient,
+  session?: SecurityContext,
+): Controller {
+  const validationSchema = buildValidationSchema(collection);
+  const role = session?.user?.role || session?.agent?.role;
+  const actorId = session?.user?.id || session?.agent?.sub;
+
+  function requireAccess(operation: Action) {
+    console.error(`[ACL] Operation: ${operation}, Collection: ${collection.name}, Role: ${role}, Source: ${session?.source}`);
+    
+    // 1. Scope Enforcement (limiter)
+    if (session?.agent) {
+      assertScope(session.agent, collection.name, operation);
+    }
+
+    // 2. RBAC Enforcement (authority)
+    if (!hasAccess(collection.access, operation, role)) {
+      console.warn(`[ACL] DENIED: ${role} not allowed to ${operation} on ${collection.name}. Allowed:`, collection.access?.[operation]);
+      throw new Error(`Access denied: ${operation} on ${collection.name}`);
+    }
+
+    // 3. Audit Logging
+    console.error(JSON.stringify({
+      timestamp: new Date().toISOString(),
+      type: "mutation_attempt",
+      source: session?.source || "unknown",
+      userId: actorId || "anonymous",
+      role: role || "none",
+      collection: collection.name,
+      action: operation,
+      sessionId: session?.agent?.sessionId,
+    }));
+  }
+
+  function buildSearchWhere(search?: string): Record<string, unknown> | undefined {
+    if (!search) return undefined;
+    
+    // Find all text-based fields to search in
+    const searchFields = Object.entries(collection.fields)
+      .filter(([_, field]) => field.type === "text" || field.type === "slug" || field.type === "richText")
+      .map(([name]) => name);
+
+    if (searchFields.length === 0) return undefined;
+
+    return {
+      OR: searchFields.map(field => ({
+        [field]: { contains: search, mode: 'insensitive' }
+      }))
+    };
+  }
+
+  function filterFields(fields: Record<string, unknown>): Record<string, unknown> {
+    const filtered: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(fields)) {
+      const field = collection.fields[key];
+      if (hasAccess(field?.access, "read", role)) {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+
+  function filterWritableFields(
+    fields: Record<string, unknown>,
+    operation: "create" | "update"
+  ): Record<string, unknown> {
+    const filtered: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(fields)) {
+      const field = collection.fields[key];
+      if (field && hasAccess(field.access, operation, role)) {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+
+  function applyFieldHooks(
+    fields: Record<string, unknown>,
+    hookName: "beforeValidate" | "beforeSave"
+  ): Record<string, unknown> {
+    const next = { ...fields };
+    for (const [key, value] of Object.entries(next)) {
+      const hook = collection.fields[key]?.hooks?.[hookName];
+      if (hook) {
+        next[key] = hook(value);
+      }
+    }
+    return next;
+  }
+
+  function applyDerivedFields(fields: Record<string, unknown>): Record<string, unknown> {
+    const next = { ...fields };
+    for (const [name, field] of Object.entries(collection.fields)) {
+      if (field.type !== "slug") continue;
+      const current = next[name];
+      if (typeof current === "string" && current.trim().length > 0) continue;
+      const from = field.ui.props?.from;
+      if (typeof from !== "string") continue;
+      const source = next[from];
+      if (typeof source !== "string" || source.trim().length === 0) continue;
+      const slugified = source
+        .toLowerCase()
+        .normalize("NFD")
+        .replace(/[\u0300-\u036f]/g, "") // Remove accents
+        .replace(/\s+/g, "-")           // Replace spaces with -
+        .replace(/[^a-z0-9-]/g, "")     // Remove non-alphanumeric
+        .replace(/-+/g, "-")            // Remove double dashes
+        .replace(/^-+|-+$/g, "");       // Trim dashes
+
+      next[name] = slugified;
+    }
+    return next;
+  }
+
+  return {
+    async list(args = {}) {
+      requireAccess("read");
+      const { where, orderBy, page = 1, pageSize = 50, search } = args;
+      
+      const searchWhere = buildSearchWhere(search);
+      const combinedWhere = searchWhere ? { ...where, ...searchWhere } : where;
+      
+      const skip = (page - 1) * pageSize;
+      
+      // Default sorting to newest first. 
+      // We check for 'createdAt' but default to 'id' desc as a safe fallback for all DBs.
+      const effectiveOrderBy = orderBy || (collection.fields.createdAt ? { createdAt: 'desc' } : { id: 'desc' });
+
+      const [raw, total] = await Promise.all([
+        db.findMany(collection.name, { where: combinedWhere, orderBy: effectiveOrderBy, skip, take: pageSize }),
+        db.count(collection.name, { where: combinedWhere })
+      ]);
+      
+      const data = (raw as Record<string, unknown>[]).map(filterFields);
+      return { data, total, page, pageSize };
+    },
+
+    async get(id: string) {
+      requireAccess("read");
+      const raw = await db.findUnique(collection.name, id);
+      if (!raw) return null;
+      return filterFields(raw as Record<string, unknown>);
+    },
+
+    async create(data: Record<string, unknown>) {
+      requireAccess("create");
+      const allowed = filterWritableFields(data, "create");
+      const withDerived = applyDerivedFields(allowed);
+      const beforeValidate = applyFieldHooks(withDerived, "beforeValidate");
+      const parsed = validationSchema.parse(beforeValidate);
+      const beforeSave = applyFieldHooks(parsed, "beforeSave");
+      const transformed = transformRelations(beforeSave, false);
+      return db.create(collection.name, transformed);
+    },
+
+    async update(id: string, data: Record<string, unknown>) {
+      requireAccess("update");
+      const allowed = filterWritableFields(data, "update");
+      const beforeValidate = applyFieldHooks(allowed, "beforeValidate");
+      const parsed = validationSchema.partial().parse(beforeValidate);
+      const beforeSave = applyFieldHooks(parsed, "beforeSave");
+      const transformed = transformRelations(beforeSave, true);
+      return db.update(collection.name, id, transformed);
+    },
+
+    async delete(id: string) {
+      requireAccess("delete");
+      return db.delete(collection.name, id);
+    },
+  };
+
+  function transformRelations(data: Record<string, unknown>, isUpdate: boolean) {
+    const transformed = { ...data };
+    for (const [key, value] of Object.entries(transformed)) {
+      const field = collection.fields[key];
+      if (field?.type === "relation") {
+        const relationType = field.db.relationType ?? "many-to-one";
+        const isMulti = relationType === "many-to-many" || relationType === "one-to-many";
+
+        if (Array.isArray(value)) {
+          const ids = value.filter((id): id is string => typeof id === "string" && id.length > 0);
+          transformed[key] = isUpdate
+            ? { set: ids.map((id) => ({ id })) }
+            : { connect: ids.map((id) => ({ id })) };
+        } else if (!isMulti && typeof value === "string" && value.length > 0) {
+          transformed[key] = { connect: { id: value } };
+        } else if ((value === null || value === "") && isUpdate) {
+          transformed[key] = { disconnect: true };
+        } else if (value === null || value === "") {
+          delete transformed[key];
+        }
+      }
+    }
+    return transformed;
+  }
+}

package/src/api/index.ts

@@ -0,0 +1,4 @@
+export { createController } from "./controller.js";
+export type { Controller } from "./controller.js";
+export * from "./security/agent-auth.js";
+

package/src/api/next.ts

@@ -0,0 +1,281 @@
+import type { AdminForgeConfig, CollectionDefinition } from "../core";
+import type { DbClient } from "../db";
+import { createController } from "./controller.js";
+import { verifyAgentToken, type SecurityContext } from "./security/agent-auth.js";
+
+interface RouteContext {
+  params: Promise<Record<string, string>>;
+}
+
+function jsonResponse(data: unknown, status = 200): Response {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+function getBody(request: Request): Promise<Record<string, unknown>> {
+  return request.json().catch(() => ({}));
+}
+
+interface RouteParams {
+  config: AdminForgeConfig;
+  db: DbClient;
+  auth?: any; // The NextAuth auth() function
+}
+
+export function createRouteHandlers({ config, db, auth }: RouteParams) {
+  // We'll create controllers per request to inject the correct security context
+  const getSecurity = async (request: Request): Promise<SecurityContext> => {
+    const authHeader = request.headers.get("authorization");
+    
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.split(" ")[1];
+      try {
+        const agent = verifyAgentToken(token);
+        return {
+          source: "agent",
+          agent,
+          user: { id: agent.sub, role: agent.role } 
+        };
+      } catch (e: any) {
+        console.error(`[Auth] Agent Verification Failed: ${e.message}`);
+      }
+    }
+
+    // Try to get session via NextAuth if provided
+    if (auth) {
+      try {
+        const session = await auth();
+        if (session?.user) {
+          return {
+            source: "user",
+            user: {
+              id: session.user.id || session.user.email,
+              role: (session as any).role || "user"
+            }
+          };
+        }
+      } catch (e: any) {
+        console.error(`[Auth] Session Retrieval Failed: ${e.message}`);
+      }
+    }
+
+    return { source: "user" }; 
+  };
+
+  function generateHandlers(collectionName: string) {
+    const collection = config.collections.find((c) => c.name === collectionName);
+    if (!collection) {
+      throw new Error(`Collection "${collectionName}" not found in config`);
+    }
+
+    return {
+      GET: async (request: Request, context: RouteContext) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection, db, security);
+        const params = await context.params;
+        if (params.id) {
+          const result = await controller.get(params.id);
+          if (!result) return jsonResponse({ error: "Not found" }, 404);
+          return jsonResponse(result);
+        }
+        const url = new URL(request.url);
+        const page = parseInt(url.searchParams.get("page") ?? "1");
+        const pageSize = parseInt(url.searchParams.get("pageSize") ?? "10");
+        const search = url.searchParams.get("search") ?? undefined;
+        const result = await controller.list({ page, pageSize, search });
+        return jsonResponse(result);
+      },
+
+      POST: async (request: Request) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection, db, security);
+        const body = await getBody(request);
+        try {
+          const result = await controller.create(body);
+          return jsonResponse(result, 201);
+        } catch (err) {
+          const error = err as any;
+          if (error.name === "ZodError") {
+            const issues = error.issues.map((i: any) => `${i.path.join(".")}: ${i.message}`).join(", ");
+            return jsonResponse({ error: `Validation failed: ${issues}` }, 400);
+          }
+          return jsonResponse({ error: error.message }, 400);
+        }
+      },
+
+      PATCH: async (request: Request, context: RouteContext) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection, db, security);
+        const params = await context.params;
+        if (!params.id) return jsonResponse({ error: "ID required" }, 400);
+        const body = await getBody(request);
+        try {
+          const result = await controller.update(params.id, body);
+          return jsonResponse(result);
+        } catch (err) {
+          const error = err as any;
+          if (error.name === "ZodError") {
+            const issues = error.issues.map((i: any) => `${i.path.join(".")}: ${i.message}`).join(", ");
+            return jsonResponse({ error: `Validation failed: ${issues}` }, 400);
+          }
+          return jsonResponse({ error: error.message }, 400);
+        }
+      },
+
+      DELETE: async (request: Request, context: RouteContext) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection, db, security);
+        const params = await context.params;
+        if (!params.id) return jsonResponse({ error: "ID required" }, 400);
+        try {
+          const result = await controller.delete(params.id);
+          return jsonResponse(result);
+        } catch (err) {
+          const error = err as Error;
+          return jsonResponse({ error: error.message }, 400);
+        }
+      },
+    };
+  }
+
+  return { generateHandlers };
+}
+
+export function createAdminForgeApi({ config, db, auth }: RouteParams) {
+  const { generateHandlers } = createRouteHandlers({ config, db, auth });
+
+  const getCollectionAndId = (slug: string[]) => {
+    const [collectionName, id] = slug;
+    const handlers = generateHandlers(collectionName);
+    return { handlers, id };
+  };
+
+  return {
+    async GET(request: Request, { params }: { params: Promise<any> }) {
+      try {
+        const resolvedParams = await params;
+        const slug = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0] as string[];
+        
+        // Return serialized config for the UI
+        // Detect _config anywhere in the slug to support various mounting points
+        if (slug.includes("_config")) {
+          if (config.auth?.enabled && auth) {
+            try {
+              const session = await auth();
+              if (!session?.user) {
+                return jsonResponse({ error: "Unauthorized" }, 401);
+              }
+            } catch {
+              return jsonResponse({ error: "Unauthorized" }, 401);
+            }
+          }
+          const { serializeConfig } = await import("../core/index.js");
+          return jsonResponse(serializeConfig(config));
+        }
+
+        const { handlers, id } = getCollectionAndId(slug);
+        return handlers.GET(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: (err as Error).message }, 404);
+      }
+    },
+
+    async POST(request: Request, { params }: { params: Promise<any> }) {
+      try {
+        const resolvedParams = await params;
+        const slug = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0] as string[];
+        
+        // Handle Media Uploads
+        if (slug[0] === "_media") {
+          const formData = await request.formData();
+          const file = formData.get("file") as File;
+          if (!file) return jsonResponse({ error: "No file uploaded" }, 400);
+
+          const bytes = await file.arrayBuffer();
+          const buffer = Buffer.from(bytes);
+
+          const path = await import("path");
+          const fs = await import("fs/promises");
+          const uploadDir = path.join(process.cwd(), "public", "uploads");
+          
+          try {
+            await fs.mkdir(uploadDir, { recursive: true });
+          } catch {}
+
+          const filename = `${Date.now()}-${file.name.replace(/\s+/g, "-")}`;
+          const filePath = path.join(uploadDir, filename);
+          await fs.writeFile(filePath, buffer);
+
+          return jsonResponse({ 
+            url: `/uploads/${filename}`,
+            filename
+          }, 201);
+        }
+
+        // Handle Agent Token Generation
+        if (slug[0] === "_tokens") {
+          const { generateAgentToken } = await import("./security/agent-auth.js");
+          const body = await request.json();
+          const { scope, expiresIn = 600 } = body;
+
+          if (!Array.isArray(scope)) {
+            return jsonResponse({ error: "Scope must be an array" }, 400);
+          }
+
+          // Validation: Ensure collections exist
+          for (const s of scope) {
+            const [collection, action] = s.split(":");
+            const exists = config.collections.find(c => c.name === collection);
+            if (!exists) return jsonResponse({ error: `Invalid collection: ${collection}` }, 400);
+            if (!["create", "read", "update", "delete"].includes(action)) {
+              return jsonResponse({ error: `Invalid action: ${action}` }, 400);
+            }
+          }
+
+          // Auth: Get session
+          let userId = "admin";
+          let role = "admin";
+          if (auth) {
+            const session = await auth();
+            if (session?.user) {
+              userId = session.user.id || session.user.email;
+              role = (session as any).role || "admin";
+            }
+          }
+
+          const token = generateAgentToken(userId, role, scope, expiresIn);
+          return jsonResponse({ token });
+        }
+
+        const { handlers } = getCollectionAndId(slug);
+        return handlers.POST(request);
+      } catch (err) {
+        return jsonResponse({ error: (err as Error).message }, 404);
+      }
+    },
+
+    async PATCH(request: Request, { params }: { params: Promise<any> }) {
+      try {
+        const resolvedParams = await params;
+        const slug = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0] as string[];
+        const { handlers, id } = getCollectionAndId(slug);
+        return handlers.PATCH(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: (err as Error).message }, 404);
+      }
+    },
+
+    async DELETE(request: Request, { params }: { params: Promise<any> }) {
+      try {
+        const resolvedParams = await params;
+        const slug = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0] as string[];
+        const { handlers, id } = getCollectionAndId(slug);
+        return handlers.DELETE(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: (err as Error).message }, 404);
+      }
+    },
+  };
+}