@augmenting-integrations/create-tenant 8.7.0 → 8.8.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@augmenting-integrations/create-tenant",
-  "version": "8.7.0",
-  "description": "Scaffold a new tenant apex app for an augint deployment. Generates a Next 16 + Auth.js v5 + Cognito apex with TenantConfig wired up, library-owned /api/apps registry handler, and /studio admin. Single command: pnpm dlx @augmenting-integrations/create-tenant my-tenant.",
+  "version": "8.8.0",
+  "description": "Scaffold a new tenant apex app for an augint deployment. Generates a Next 16 + Auth.js v5 + Cognito apex with TenantConfig wired up, library-owned /api/apps static-roster handler, and /studio admin. Single command: pnpm dlx @augmenting-integrations/create-tenant my-tenant.",
   "license": "MIT",
   "publishConfig": {
     "access": "public"

package/templates/.env.example.tmpl

@@ -0,0 +1,20 @@
+APP_DOMAIN=__TENANT_APEX__
+APEX_DOMAIN=__TENANT_APEX__
+AUTH_COOKIE_DOMAIN=__TENANT_PARENT__
+AUTH_ALLOWED_PARENT_DOMAIN=__TENANT_PARENT__
+
+# Cognito (apex-only; from your tenant infra stack)
+AUTH_SECRET_ARN=
+AUTH_COGNITO_SECRET_ARN=
+AUTH_COGNITO_ID=
+AUTH_COGNITO_ISSUER=
+
+TENANT_SLUG=__TENANT_NAME__
+STAGE=staging
+
+AWS_REGION=us-east-1
+ADMIN_EMAILS=
+
+# Local-dev fallbacks
+AUTH_SECRET=dev-only-fallback-not-for-prod
+NODE_ENV=development

package/templates/README.md.tmpl

@@ -5,7 +5,8 @@ Next.js 16 app for a new augint tenant. It owns:
 
 - The OAuth callback (`/api/auth/[...nextauth]`) for the ENTIRE tenant
 - The session cookie scope (`Domain=__TENANT_PARENT__`)
-- The app registry (`/api/apps` for spoke auto-discovery)
+- The runtime tenant app roster (`config/apps.json`, served by
+  `/api/apps`). Every spoke's `/api/apps` proxies to this endpoint.
 - The studio admin
 
 ## Local dev
@@ -25,20 +26,23 @@ The application code is portable; the AWS infra is tenant-specific:
 2. **Cognito User Pool** with one App Client + ONE callback URL:
    `https://__TENANT_APEX__/api/auth/callback/cognito`
 3. **Hosted zone + certs** for `__TENANT_APEX__` and `*.__TENANT_APEX__`.
-4. **App registry DynamoDB table** (PK = `slug`). Apex owns CRUD; spokes
-   read via `/api/apps`. Set `APP_REGISTRY_TABLE` env to the table name.
-5. **Secrets Manager** rows for `AUTH_SECRET`, `AUTH_COGNITO_SECRET`.
-6. **GitHub OIDC role** in each AWS account for CI deploys.
+4. **Secrets Manager** rows for `AUTH_SECRET`, `AUTH_COGNITO_SECRET`.
+5. **GitHub OIDC role** in each AWS account for CI deploys.
+6. **Tenant infra repo** (`__TENANT_NAME__-infra`) with `config/apps.yaml`
+   declaring this tenant's app roster (apex + every spoke). Mirror each
+   entry into this apex's `config/apps.json`.
 
 Copy `template.yaml` from an existing tenant (the example tenant ships one)
 and adapt the parameters.
 
-## Adding spokes
+## Adding spokes after the apex exists
 
 ```bash
 pnpm dlx @augmenting-integrations/create-spoke my-product-spoke
 ```
 
-Then register the new spoke in this apex's app registry table (slug,
-subdomain, displayName, navOrder). The spoke shows up in every other
-spoke's AppShell ecosystem nav automatically.
+Then add the new spoke's entry to `__TENANT_NAME__-infra/config/apps.yaml`
+AND to this apex repo's `config/apps.json`. `pnpm exec augint
+validate-app-roster` enforces the two files agree. The spoke's
+`/api/apps` proxies here, so no per-spoke roster maintenance is needed
+and existing spokes do NOT need to be redeployed.

package/templates/config/apps.json.tmpl

@@ -0,0 +1,12 @@
+{
+  "apps": [
+    {
+      "slug": "apex",
+      "role": "apex",
+      "subdomain": "",
+      "displayName": "__TENANT_NAME__ Portal",
+      "navOrder": 0,
+      "requiredIdentityGroups": []
+    }
+  ]
+}

package/templates/package.json.tmpl

@@ -15,7 +15,6 @@
     "@augmenting-integrations/aws": "^8.0.0",
     "@augmenting-integrations/brand": "^8.0.0",
     "@augmenting-integrations/platform": "^8.0.0",
-    "@augmenting-integrations/registry": "^8.0.0",
     "@augmenting-integrations/themes": "^8.0.0",
     "@augmenting-integrations/ui": "^8.0.0",
     "next": "^16.2.5",
@@ -24,6 +23,7 @@
     "react-dom": "^19.2.0"
   },
   "devDependencies": {
+    "@augmenting-integrations/deploy-tools": "^8.0.0",
     "@types/node": "^22.0.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",

package/templates/src/app/api/apps/route.ts.tmpl

@@ -1,7 +1,18 @@
-// Auto-discovery endpoint consumed by every spoke's AppShell. Scans the
-// DynamoDB app registry table + filters by the caller's Cognito groups.
-import { createGetHandler } from "@augmenting-integrations/registry/api-route";
-import { auth } from "@/lib/auth";
+// Apex-owned tenant app roster endpoint. Reads the static roster
+// (config/apps.json), filters by the caller's Cognito identity groups,
+// and returns the visible apps + their absolute URLs. Spokes proxy
+// their /api/apps to this endpoint -- the apex is the single roster
+// owner in the tenant ecosystem.
+
+import { createAppsRouteHandler } from "@augmenting-integrations/platform/server";
+import { auth, tenant } from "@/lib/auth";
+import appsRoster from "../../../../config/apps.json";
 
-export const GET = createGetHandler({ authFn: auth });
 export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+export const { GET } = createAppsRouteHandler({
+  roster: appsRoster,
+  auth,
+  tenant,
+});