npm - @base44-preview/cli - Versions diffs - 0.0.50-pr.477.43f5b00 → 0.0.50-pr.481.773d5d4 - Mend

@base44-preview/cli 0.0.50-pr.477.43f5b00 → 0.0.50-pr.481.773d5d4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -219926,7 +219926,8 @@ var theme = {
     bold: source_default.bold,
     dim: source_default.dim,
     error: source_default.red,
-    warn: source_default.yellow
+    warn: source_default.yellow,
+    info: source_default.cyan
   },
   format: {
     errorContext(ctx) {
@@ -235041,8 +235042,8 @@ var TOKEN_REFRESH_BUFFER_MS = 60 * 1000;
 var refreshPromise = null;
 async function readAuth() {
   try {
-    const parsed = await readJsonFile(getAuthFilePath());
-    const result = AuthDataSchema.safeParse(parsed);
+    const authData = await readJsonFile(getAuthFilePath());
+    const result = AuthDataSchema.safeParse(authData);
     if (!result.success) {
       throw new SchemaValidationError("Invalid authentication data", result.error, getAuthFilePath());
     }
@@ -243210,10 +243211,12 @@ var package_default = {
     "@types/ejs": "^3.1.5",
     "@types/express": "^5.0.6",
     "@types/json-schema": "^7.0.15",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/lodash": "^4.17.24",
     "@types/multer": "^2.0.0",
     "@types/node": "^22.10.5",
     "@vercel/detect-agent": "^1.1.0",
+    outdent: "^0.8.0",
     chalk: "^5.6.2",
     chokidar: "^5.0.0",
     commander: "^12.1.0",
@@ -243228,6 +243231,7 @@ var package_default = {
     globby: "^16.1.0",
     "http-proxy-middleware": "^3.0.5",
     "json-schema-to-typescript": "^15.0.4",
+    jsonwebtoken: "^9.0.3",
     json5: "^2.2.3",
     ky: "^1.14.2",
     lodash: "^4.17.23",
@@ -243243,6 +243247,7 @@ var package_default = {
     typescript: "^5.7.2",
     vitest: "^4.0.16",
     yaml: "^2.8.2",
+    qs: "^6.12.3",
     zod: "^4.3.5"
   },
   engines: {
@@ -252755,9 +252760,12 @@ function getTypesCommand() {
   return new Command("types").description("Manage TypeScript type generation").addCommand(getTypesGenerateCommand());
 }
+// src/cli/commands/dev.ts
+import process21 from "node:process";
 // src/cli/dev/dev-server/main.ts
 var import_cors = __toESM(require_lib4(), 1);
-var import_express5 = __toESM(require_express(), 1);
+var import_express6 = __toESM(require_express(), 1);
 import { dirname as dirname16, join as join23 } from "node:path";
 // ../../node_modules/get-port/index.js
@@ -252931,6 +252939,7 @@ function createDevLogger() {
 // src/cli/dev/dev-server/function-manager.ts
 import { spawn as spawn2 } from "node:child_process";
+import { pathToFileURL } from "node:url";
 var READY_TIMEOUT = 30000;
 class FunctionManager {
@@ -253010,7 +253019,7 @@ class FunctionManager {
     const process21 = spawn2("deno", ["run", "--allow-all", this.wrapperPath], {
       env: {
         ...globalThis.process.env,
-        FUNCTION_PATH: func.entryPath,
+        FUNCTION_PATH: pathToFileURL(func.entryPath).href,
         FUNCTION_PORT: String(port),
         FUNCTION_NAME: func.name
       },
@@ -253089,9 +253098,13 @@ function createFunctionRouter(manager, logger2) {
     on: {
       proxyReq: (proxyReq, req) => {
         const xAppId = req.headers["x-app-id"];
+        const authorization = req.headers.authorization;
         if (xAppId) {
           proxyReq.setHeader("Base44-App-Id", xAppId);
         }
+        if (authorization) {
+          proxyReq.setHeader("Base44-Service-Authorization", authorization);
+        }
         proxyReq.setHeader("Base44-Api-Url", `${req.protocol}://${req.headers.host}`);
       },
       error: (err, _req, res) => {
@@ -253316,7 +253329,9 @@ class Validator {
 }
 // src/cli/dev/dev-server/db/database.ts
+var PRIVATE_COLLECTION_PREFIX = "$";
 var USER_COLLECTION = "user";
+var PRIVATE_USER_COLLECTION = PRIVATE_COLLECTION_PREFIX + USER_COLLECTION;
 class Database {
   collections = new Map;
@@ -253338,6 +253353,7 @@ class Database {
     this.schemas.set(USER_COLLECTION, this.buildUserSchema(userEntity));
     const collection = new import_nedb.default;
     this.collections.set(USER_COLLECTION, collection);
+    this.collections.set(PRIVATE_USER_COLLECTION, new import_nedb.default);
     const userInfo = await readAuth();
     const now = getNowISOTimestamp();
     await collection.insertAsync({
@@ -253378,8 +253394,13 @@ class Database {
   getCollection(name2) {
     return this.collections.get(this.normalizeName(name2));
   }
+  getSchema(entityName) {
+    return this.schemas.get(this.normalizeName(entityName));
+  }
   getCollectionNames() {
-    return Array.from(this.collections.keys());
+    return Array.from(this.collections.keys()).filter((name2) => {
+      return !name2.startsWith(PRIVATE_COLLECTION_PREFIX);
+    });
   }
   dropAll() {
     for (const collection of this.collections.values()) {
@@ -253443,15 +253464,339 @@ function broadcastEntityEvent(io6, appId, entityName, event) {
   });
 }
-// src/cli/dev/dev-server/routes/entities/entities-router.ts
-var import_express3 = __toESM(require_express(), 1);
-// src/cli/dev/dev-server/routes/entities/entities-user-router.ts
+// src/cli/dev/dev-server/routes/auth-router.ts
 var import_express2 = __toESM(require_express(), 1);
 var import_jsonwebtoken = __toESM(require_jsonwebtoken(), 1);
-function createUserRouter(db2, logger2) {
+import { randomInt } from "node:crypto";
+var LOCAL_DEV_SECRET = "LOCAL_DEV_SECRET";
+var generateCode = () => {
+  return randomInt(1e5, 1e6).toString();
+};
+var createJwtToken = (email3) => {
+  return import_jsonwebtoken.default.sign({ sub: email3 }, LOCAL_DEV_SECRET, {
+    expiresIn: "360d"
+  });
+};
+var LoginBody = object({ email: email2(), password: string2() });
+var VerifyOtpBody = object({ email: email2(), otp_code: string2() });
+function createAuthRouter(db2, logger2) {
   const router = import_express2.Router({ mergeParams: true });
   const parseBody = import_express2.json();
+  router.post("/login", parseBody, async (req, res) => {
+    const { email: email3, password } = LoginBody.parse(req.body);
+    const result = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: email3 });
+    if (result) {
+      const privateUserData = await db2.getCollection(PRIVATE_USER_COLLECTION)?.findOneAsync({ email: email3 });
+      if (result.role === "admin" || privateUserData?.password === password) {
+        res.json({
+          access_token: createJwtToken(email3),
+          success: true,
+          user: {}
+        });
+      } else {
+        res.status(400).json({
+          detail: "Invalid email or password",
+          error_type: "HTTPException",
+          message: "Invalid email or password",
+          request_id: null,
+          traceback: ""
+        });
+      }
+      return;
+    }
+    res.status(401).json({ error: "Unauthorized" });
+  });
+  router.post("/register", parseBody, async (req, res) => {
+    const { email: email3, password } = LoginBody.parse(req.body);
+    if ((password || "").length < 8) {
+      res.status(400).json({
+        detail: "Password must be at least 8 characters long",
+        error_type: "HTTPException",
+        message: "Password must be at least 8 characters long",
+        request_id: null,
+        traceback: ""
+      });
+      return;
+    }
+    const result = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: email3 });
+    if (result) {
+      res.status(400).json({
+        detail: "A user with this email already exists",
+        error_type: "HTTPException",
+        message: "A user with this email already exists",
+        request_id: null,
+        traceback: ""
+      });
+      return;
+    }
+    const privateUserCollection = db2.getCollection(PRIVATE_USER_COLLECTION);
+    const privateUserData = await privateUserCollection?.findOneAsync({
+      email: email3
+    });
+    const otpCode = generateCode();
+    const id2 = privateUserData ? privateUserData.id : nanoid3();
+    if (!privateUserData) {
+      await privateUserCollection?.insertAsync({
+        id: id2,
+        email: email3,
+        otpCode,
+        password,
+        createdAt: Date.now()
+      });
+    } else {
+      await privateUserCollection?.updateAsync({
+        email: email3
+      }, {
+        $set: {
+          otpCode,
+          createdAt: Date.now()
+        }
+      });
+    }
+    logger2.log(theme.styles.info(`
+In order to complete registration use this verification code: ${otpCode}
+`));
+    res.json({
+      id: id2,
+      message: "Registration successful. Please check your email for the verification code.",
+      otp_expires_in_minutes: 10
+    });
+  });
+  router.post("/verify-otp", parseBody, async (req, res) => {
+    const { email: email3, otp_code } = VerifyOtpBody.parse(req.body);
+    const privateUserCollection = db2.getCollection(PRIVATE_USER_COLLECTION);
+    const privateUserData = await privateUserCollection?.findOneAsync({
+      email: email3
+    });
+    if (privateUserData && privateUserData.otpCode === otp_code) {
+      if (+Date.now() - privateUserData.createdAt < 10 * 60 * 1000) {
+        await privateUserCollection?.updateAsync({
+          email: email3
+        }, {
+          $unset: { otpCode: true }
+        });
+        const collection = db2.getCollection(USER_COLLECTION);
+        const now = getNowISOTimestamp();
+        const nameFromEmailMatch = /^([^@]+)/.exec(email3);
+        const fullName = nameFromEmailMatch ? nameFromEmailMatch[1] : email3;
+        await collection?.insertAsync({
+          id: privateUserData.id,
+          email: email3,
+          full_name: fullName,
+          is_service: false,
+          is_verified: true,
+          disabled: null,
+          role: "user",
+          collaborator_role: "editor",
+          created_date: now,
+          updated_date: now
+        });
+        res.json({
+          id: privateUserData.id,
+          access_token: createJwtToken(email3),
+          message: "Email verified successfully. You are now logged in.",
+          success: true
+        });
+      } else {
+        res.status(400).json({
+          detail: "Verification code has expired",
+          error_type: "HTTPException",
+          message: "Verification code has expired",
+          request_id: null,
+          traceback: ""
+        });
+      }
+    } else {
+      const appId = req.params.appId;
+      res.status(500).json({
+        detail: `{'email': '${email3}', 'app_id': '${appId}}'} -> Object not found`,
+        error_type: "ObjectNotFoundError",
+        message: `{'email': '${email3}', 'app_id': '${appId}}'} -> Object not found`,
+        request_id: null,
+        traceback: ""
+      });
+    }
+  });
+  return router;
+}
+// src/cli/dev/dev-server/routes/entities/entities-router.ts
+var import_express4 = __toESM(require_express(), 1);
+var import_jsonwebtoken3 = __toESM(require_jsonwebtoken(), 1);
+// src/cli/dev/dev-server/db/rls.ts
+function resolveTemplate(value, user) {
+  return value.replace(/\{\{user\.([\w.]+)\}\}/g, (_match, path18) => {
+    if (path18.startsWith("data.")) {
+      return String(user[path18.slice(5)] ?? "");
+    }
+    return String(user[path18] ?? "");
+  });
+}
+function getRecordField(key2, record2) {
+  if (key2.startsWith("data.")) {
+    return record2[key2.slice(5)];
+  }
+  return record2[key2];
+}
+function evaluateOperator(recordValue, operator) {
+  for (const [op2, opValue] of Object.entries(operator)) {
+    switch (op2) {
+      case "$in":
+        if (!Array.isArray(opValue) || !opValue.includes(recordValue))
+          return false;
+        break;
+      case "$nin":
+        if (Array.isArray(opValue) && opValue.includes(recordValue))
+          return false;
+        break;
+      case "$ne":
+        if (recordValue === opValue)
+          return false;
+        break;
+      case "$all":
+        if (!Array.isArray(recordValue) || !Array.isArray(opValue))
+          return false;
+        if (!opValue.every((v10) => recordValue.includes(v10)))
+          return false;
+        break;
+    }
+  }
+  return true;
+}
+function evaluateUserCondition(condition, user) {
+  for (const [key2, expected] of Object.entries(condition)) {
+    const userValue = key2.startsWith("data.") ? user[key2.slice(5)] : user[key2];
+    if (typeof expected === "object" && expected !== null) {
+      if (!evaluateOperator(userValue, expected))
+        return false;
+    } else {
+      if (userValue !== expected)
+        return false;
+    }
+  }
+  return true;
+}
+function evaluateCondition(condition, record2, user) {
+  for (const [key2, value] of Object.entries(condition)) {
+    if (key2 === "user_condition") {
+      if (!evaluateUserCondition(value, user))
+        return false;
+      continue;
+    }
+    if (key2 === "$or") {
+      const conditions = value;
+      if (!conditions.some((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    if (key2 === "$and") {
+      const conditions = value;
+      if (!conditions.every((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    if (key2 === "$nor") {
+      const conditions = value;
+      if (conditions.some((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    const recordValue = getRecordField(key2, record2);
+    const resolvedValue = typeof value === "string" ? resolveTemplate(value, user) : value;
+    if (typeof resolvedValue === "object" && resolvedValue !== null) {
+      if (!evaluateOperator(recordValue, resolvedValue))
+        return false;
+    } else {
+      if (recordValue !== resolvedValue)
+        return false;
+    }
+  }
+  return true;
+}
+function checkRLS(rule, record2, user) {
+  if (rule === undefined)
+    return true;
+  if (typeof rule === "boolean")
+    return rule;
+  if (!user)
+    return false;
+  return evaluateCondition(rule, record2, user);
+}
+function applyFLS(record2, schema10, user, operation) {
+  const result = {};
+  for (const [key2, value] of Object.entries(record2)) {
+    const rule = schema10.properties[key2]?.rls?.[operation];
+    if (!rule || checkRLS(rule, record2, user)) {
+      result[key2] = value;
+    }
+  }
+  return result;
+}
+// src/cli/dev/dev-server/db/entity-queries.ts
+function parseSort(sort) {
+  if (!sort) {
+    return;
+  }
+  if (sort.startsWith("-")) {
+    return { [sort.slice(1)]: -1 };
+  }
+  return { [sort]: 1 };
+}
+function parseFields(fields) {
+  if (!fields) {
+    return;
+  }
+  const projection = {};
+  for (const field of fields.split(",")) {
+    const trimmed = field.trim();
+    if (trimmed) {
+      projection[trimmed] = 1;
+    }
+  }
+  return Object.keys(projection).length > 0 ? projection : undefined;
+}
+var queryEntity = async (collection, reqQuery) => {
+  const { sort, limit, skip: skip2, fields, q: q13 } = reqQuery;
+  let query = {};
+  if (q13 && typeof q13 === "string") {
+    try {
+      query = JSON.parse(q13);
+    } catch {
+      throw new InvalidInputError("Invalid query parameter 'q'");
+    }
+  }
+  let cursor3 = collection.findAsync(query);
+  const sortObj = parseSort(sort);
+  if (sortObj) {
+    cursor3 = cursor3.sort(sortObj);
+  }
+  if (skip2) {
+    const skipNum = Number.parseInt(skip2, 10);
+    if (!Number.isNaN(skipNum)) {
+      cursor3 = cursor3.skip(skipNum);
+    }
+  }
+  if (limit) {
+    const limitNum = Number.parseInt(limit, 10);
+    if (!Number.isNaN(limitNum)) {
+      cursor3 = cursor3.limit(limitNum);
+    }
+  }
+  const projection = parseFields(fields);
+  if (projection) {
+    cursor3 = cursor3.projection(projection);
+  }
+  return cursor3;
+};
+// src/cli/dev/dev-server/routes/entities/entities-user-router.ts
+var import_express3 = __toESM(require_express(), 1);
+var import_jsonwebtoken2 = __toESM(require_jsonwebtoken(), 1);
+function createUserRouter(db2, logger2) {
+  const router = import_express3.Router({ mergeParams: true });
+  const parseBody = import_express3.json();
   function withAuth(handler) {
     return async (req, res) => {
       const auth2 = req.headers.authorization;
@@ -253460,13 +253805,13 @@ function createUserRouter(db2, logger2) {
         return;
       }
       try {
-        const { payload } = import_jsonwebtoken.default.decode(auth2.replace("Bearer ", ""), { complete: true }) ?? {};
-        const result = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: payload?.sub });
-        if (!result) {
+        const { payload } = import_jsonwebtoken2.default.decode(auth2.replace("Bearer ", ""), { complete: true }) ?? {};
+        const currentUser = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: payload?.sub });
+        if (!currentUser) {
           res.status(404).json({ error: "Unable to read data for the current user" });
           return;
         }
-        await handler(req, res, result);
+        await handler(req, res, currentUser);
       } catch {
         res.status(401).json({ error: "Unauthorized" });
       }
@@ -253493,6 +253838,28 @@ function createUserRouter(db2, logger2) {
       ...req.body
     });
   }));
+  router.get("/", withAuth(async (req, res, currentUser) => {
+    const collection = db2.getCollection(USER_COLLECTION);
+    if (!collection) {
+      res.status(404).json({ error: `Entity "${USER_COLLECTION}" not found` });
+      return;
+    }
+    try {
+      if (currentUser.role === "admin") {
+        const result = await queryEntity(collection, req.query);
+        res.json(stripInternalFields(result));
+      } else {
+        res.json([stripInternalFields(currentUser)]);
+      }
+    } catch (error48) {
+      if (error48 instanceof InvalidInputError) {
+        res.status(400).json({ error: error48.message });
+      } else {
+        logger2.error(`Error in GET /${USER_COLLECTION}:`, error48);
+        res.status(500).json({ error: "Internal server error" });
+      }
+    }
+  }));
   router.post("/bulk", async (_req, res) => {
     res.json({});
   });
@@ -253542,31 +253909,9 @@ function createUserRouter(db2, logger2) {
 }
 // src/cli/dev/dev-server/routes/entities/entities-router.ts
-function parseSort(sort) {
-  if (!sort) {
-    return;
-  }
-  if (sort.startsWith("-")) {
-    return { [sort.slice(1)]: -1 };
-  }
-  return { [sort]: 1 };
-}
-function parseFields(fields) {
-  if (!fields) {
-    return;
-  }
-  const projection = {};
-  for (const field of fields.split(",")) {
-    const trimmed = field.trim();
-    if (trimmed) {
-      projection[trimmed] = 1;
-    }
-  }
-  return Object.keys(projection).length > 0 ? projection : undefined;
-}
 async function createEntityRoutes(db2, logger2, broadcast) {
-  const router = import_express3.Router({ mergeParams: true });
-  const parseBody = import_express3.json();
+  const router = import_express4.Router({ mergeParams: true });
+  const parseBody = import_express4.json();
   function withCollection(handler) {
     return async (req, res) => {
       const collection = db2.getCollection(req.params.entityName);
@@ -253574,7 +253919,13 @@ async function createEntityRoutes(db2, logger2, broadcast) {
         res.status(404).json({ error: `Entity "${req.params.entityName}" not found` });
         return;
       }
-      await handler(req, res, collection);
+      let currentUser;
+      try {
+        const auth2 = req.headers.authorization || "";
+        const { payload } = import_jsonwebtoken3.default.decode(auth2.replace("Bearer ", ""), { complete: true }) ?? {};
+        currentUser = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: payload?.sub });
+      } catch {}
+      await handler(req, res, collection, currentUser);
     };
   }
   function emit(appId, entityName, type, data) {
@@ -253594,7 +253945,7 @@ async function createEntityRoutes(db2, logger2, broadcast) {
   }
   const userRouter = createUserRouter(db2, logger2);
   router.use("/User", userRouter);
-  router.get("/:entityName/:id", withCollection(async (req, res, collection) => {
+  router.get("/:entityName/:id", withCollection(async (req, res, collection, currentUser) => {
     const { entityName, id: id2 } = req.params;
     try {
       const doc2 = await collection.findOneAsync({ id: id2 });
@@ -253602,63 +253953,70 @@ async function createEntityRoutes(db2, logger2, broadcast) {
         res.status(404).json({ error: `Record with id "${id2}" not found` });
         return;
       }
-      res.json(stripInternalFields(doc2));
+      const schema10 = db2.getSchema(entityName);
+      if (!checkRLS(schema10?.rls?.read, doc2, currentUser)) {
+        res.status(403).json({ error: "Permission denied" });
+        return;
+      }
+      let result = stripInternalFields(doc2);
+      if (schema10) {
+        result = applyFLS(result, schema10, currentUser, "read");
+      }
+      res.json(result);
     } catch (error48) {
       logger2.error(`Error in GET /${entityName}/${id2}:`, error48);
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.get("/:entityName", withCollection(async (req, res, collection) => {
+  router.get("/:entityName", withCollection(async (req, res, collection, currentUser) => {
     const { entityName } = req.params;
     try {
-      const { sort, limit, skip: skip2, fields, q: q13 } = req.query;
-      let query = {};
-      if (q13 && typeof q13 === "string") {
-        try {
-          query = JSON.parse(q13);
-        } catch {
-          res.status(400).json({ error: "Invalid query parameter 'q'" });
-          return;
-        }
-      }
-      let cursor3 = collection.findAsync(query);
-      const sortObj = parseSort(sort);
-      if (sortObj) {
-        cursor3 = cursor3.sort(sortObj);
-      }
-      if (skip2) {
-        const skipNum = Number.parseInt(skip2, 10);
-        if (!Number.isNaN(skipNum)) {
-          cursor3 = cursor3.skip(skipNum);
-        }
+      const schema10 = db2.getSchema(entityName);
+      if (schema10?.rls?.read === false) {
+        res.json([]);
+        return;
       }
-      if (limit) {
-        const limitNum = Number.parseInt(limit, 10);
-        if (!Number.isNaN(limitNum)) {
-          cursor3 = cursor3.limit(limitNum);
-        }
+      let results = stripInternalFields(await queryEntity(collection, req.query));
+      if (schema10?.rls?.read && schema10.rls.read !== true) {
+        results = results.filter((doc2) => checkRLS(schema10.rls.read, doc2, currentUser));
       }
-      const projection = parseFields(fields);
-      if (projection) {
-        cursor3 = cursor3.projection(projection);
+      if (schema10) {
+        results = results.map((doc2) => applyFLS(doc2, schema10, currentUser, "read"));
       }
-      const docs = await cursor3;
-      res.json(stripInternalFields(docs));
+      res.json(results);
     } catch (error48) {
-      logger2.error(`Error in GET /${entityName}:`, error48);
-      res.status(500).json({ error: "Internal server error" });
+      if (error48 instanceof InvalidInputError) {
+        res.status(400).json({ error: error48.message });
+      } else {
+        logger2.error(`Error in GET /${entityName}:`, error48);
+        res.status(500).json({ error: "Internal server error" });
+      }
     }
   }));
-  router.post("/:entityName", parseBody, withCollection(async (req, res, collection) => {
+  router.post("/:entityName", parseBody, withCollection(async (req, res, collection, currentUser) => {
     const { appId, entityName } = req.params;
     try {
       const now = new Date().toISOString();
       const { _id, ...body } = req.body;
-      const filteredBody = db2.prepareRecord(entityName, body);
+      const schema10 = db2.getSchema(entityName);
+      if (!checkRLS(schema10?.rls?.create, {
+        ...body,
+        created_by: currentUser?.email,
+        created_by_id: currentUser?.id
+      }, currentUser)) {
+        res.status(403).json({ error: "Permission denied" });
+        return;
+      }
+      let filteredBody = db2.prepareRecord(entityName, body);
+      if (schema10) {
+        filteredBody = applyFLS(filteredBody, schema10, currentUser, "write");
+      }
       db2.validate(entityName, filteredBody);
       const record2 = {
         ...filteredBody,
         id: nanoid3(),
+        created_by: currentUser?.email,
+        created_by_id: currentUser?.id,
         created_date: now,
         updated_date: now
       };
@@ -253674,7 +254032,7 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.post("/:entityName/bulk", parseBody, withCollection(async (req, res, collection) => {
+  router.post("/:entityName/bulk", parseBody, withCollection(async (req, res, collection, currentUser) => {
     const { appId, entityName } = req.params;
     if (!Array.isArray(req.body)) {
       res.status(400).json({ error: "Request body must be an array" });
@@ -253682,13 +254040,27 @@ async function createEntityRoutes(db2, logger2, broadcast) {
     }
     try {
       const now = new Date().toISOString();
+      const schema10 = db2.getSchema(entityName);
       const records = [];
       for (const record2 of req.body) {
-        const filteredRecord = db2.prepareRecord(entityName, record2);
+        if (!checkRLS(schema10?.rls?.create, {
+          ...record2,
+          created_by: currentUser?.email,
+          created_by_id: currentUser?.id
+        }, currentUser)) {
+          res.status(403).json({ error: "Permission denied" });
+          return;
+        }
+        let filteredRecord = db2.prepareRecord(entityName, record2);
+        if (schema10) {
+          filteredRecord = applyFLS(filteredRecord, schema10, currentUser, "write");
+        }
         db2.validate(entityName, filteredRecord);
         records.push({
           ...filteredRecord,
           id: nanoid3(),
+          created_by: currentUser?.email,
+          created_by_id: currentUser?.id,
           created_date: now,
           updated_date: now
         });
@@ -253705,11 +254077,26 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.put("/:entityName/:id", parseBody, withCollection(async (req, res, collection) => {
+  router.put("/:entityName/:id", parseBody, withCollection(async (req, res, collection, currentUser) => {
     const { appId, entityName, id: id2 } = req.params;
     const { id: _id, created_date: _created_date, ...body } = req.body;
     try {
-      const filteredBody = db2.prepareRecord(entityName, body, true);
+      const schema10 = db2.getSchema(entityName);
+      if (schema10?.rls?.update !== undefined) {
+        const existing = await collection.findOneAsync({ id: id2 });
+        if (!existing) {
+          res.status(404).json({ error: `Record with id "${id2}" not found` });
+          return;
+        }
+        if (!checkRLS(schema10.rls.update, existing, currentUser)) {
+          res.status(403).json({ error: "Permission denied" });
+          return;
+        }
+      }
+      let filteredBody = db2.prepareRecord(entityName, body, true);
+      if (schema10) {
+        filteredBody = applyFLS(filteredBody, schema10, currentUser, "write");
+      }
       db2.validate(entityName, filteredBody, true);
       const updateData = {
         ...filteredBody,
@@ -253732,30 +254119,48 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.delete("/:entityName/:id", withCollection(async (req, res, collection) => {
+  router.delete("/:entityName/:id", withCollection(async (req, res, collection, currentUser) => {
     const { appId, entityName, id: id2 } = req.params;
     try {
       const doc2 = await collection.findOneAsync({ id: id2 });
-      const numRemoved = await collection.removeAsync({ id: id2 }, { multi: false });
-      if (numRemoved === 0) {
+      if (!doc2) {
         res.status(404).json({ error: `Record with id "${id2}" not found` });
         return;
       }
-      if (doc2) {
-        emit(appId, entityName, "delete", stripInternalFields(doc2));
+      const schema10 = db2.getSchema(entityName);
+      if (!checkRLS(schema10?.rls?.delete, doc2, currentUser)) {
+        res.status(403).json({ error: "Permission denied" });
+        return;
       }
+      await collection.removeAsync({ id: id2 }, { multi: false });
+      emit(appId, entityName, "delete", stripInternalFields(doc2));
       res.json({ success: true });
     } catch (error48) {
       logger2.error(`Error in DELETE /${entityName}/${id2}:`, error48);
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.delete("/:entityName", parseBody, withCollection(async (req, res, collection) => {
+  router.delete("/:entityName", parseBody, withCollection(async (req, res, collection, currentUser) => {
     const { entityName } = req.params;
     try {
       const query = req.body || {};
-      const numRemoved = await collection.removeAsync(query, { multi: true });
-      res.json({ success: true, deleted: numRemoved });
+      const schema10 = db2.getSchema(entityName);
+      const rlsDelete = schema10?.rls?.delete;
+      if (rlsDelete !== undefined && rlsDelete !== true) {
+        if (rlsDelete === false) {
+          res.status(403).json({ error: "Permission denied" });
+          return;
+        }
+        const docs = await collection.findAsync(query);
+        const allowedIds = docs.filter((doc2) => checkRLS(rlsDelete, doc2, currentUser)).map((doc2) => doc2.id);
+        const numRemoved = await collection.removeAsync({ id: { $in: allowedIds } }, { multi: true });
+        res.json({ success: true, deleted: numRemoved });
+      } else {
+        const numRemoved = await collection.removeAsync(query, {
+          multi: true
+        });
+        res.json({ success: true, deleted: numRemoved });
+      }
     } catch (error48) {
       logger2.error(`Error in DELETE /${entityName}:`, error48);
       res.status(500).json({ error: "Internal server error" });
@@ -253765,7 +254170,7 @@ async function createEntityRoutes(db2, logger2, broadcast) {
 }
 // src/cli/dev/dev-server/routes/integrations.ts
-var import_express4 = __toESM(require_express(), 1);
+var import_express5 = __toESM(require_express(), 1);
 var import_multer = __toESM(require_multer(), 1);
 import { createHash, randomUUID as randomUUID4 } from "node:crypto";
 import fs28 from "node:fs";
@@ -253774,8 +254179,8 @@ function createFileToken(fileUri) {
   return createHash("sha256").update(fileUri).digest("hex");
 }
 function createIntegrationRoutes(mediaFilesDir, baseUrl, remoteProxy, logger2) {
-  const router = import_express4.Router({ mergeParams: true });
-  const parseBody = import_express4.json();
+  const router = import_express5.Router({ mergeParams: true });
+  const parseBody = import_express5.json();
   const privateFilesDir = path18.join(mediaFilesDir, "private");
   fs28.mkdirSync(mediaFilesDir, { recursive: true });
   fs28.mkdirSync(privateFilesDir, { recursive: true });
@@ -253845,7 +254250,7 @@ function createIntegrationRoutes(mediaFilesDir, baseUrl, remoteProxy, logger2) {
   return router;
 }
 function createCustomIntegrationRoutes(remoteProxy, logger2) {
-  const router = import_express4.Router({ mergeParams: true });
+  const router = import_express5.Router({ mergeParams: true });
   router.post("/:slug/:operationId", (req, res, next) => {
     logger2.warn(`"${req.originalUrl}" is not supported in local development, passing call to production`);
     req.url = req.originalUrl;
@@ -255558,7 +255963,7 @@ async function createDevServer(options8) {
   const port = userPort ?? await getPorts({ port: DEFAULT_PORT });
   const baseUrl = `http://localhost:${port}`;
   const { functions, entities, project: project2 } = await options8.loadResources();
-  const app = import_express5.default();
+  const app = import_express6.default();
   const remoteProxy = import_http_proxy_middleware2.createProxyMiddleware({
     target: BASE44_APP_URL,
     changeOrigin: true
@@ -255590,6 +255995,8 @@ async function createDevServer(options8) {
   let emitEntityEvent = () => {};
   const entityRoutes = await createEntityRoutes(db2, devLogger, (...args) => emitEntityEvent(...args));
   app.use("/api/apps/:appId/entities", entityRoutes);
+  const authRouter = createAuthRouter(db2, devLogger);
+  app.use("/api/apps/:appId/auth", authRouter);
   const { path: mediaFilesDir } = await $dir();
   app.use("/media/private/:fileUri", (req, res, next) => {
     const { fileUri } = req.params;
@@ -255609,13 +256016,15 @@ async function createDevServer(options8) {
     }
     next();
   });
-  app.use("/media", import_express5.default.static(mediaFilesDir));
+  app.use("/media", import_express6.default.static(mediaFilesDir));
   const integrationRoutes = createIntegrationRoutes(mediaFilesDir, baseUrl, remoteProxy, devLogger);
   app.use("/api/apps/:appId/integration-endpoints", integrationRoutes);
   const customIntegrationRoutes = createCustomIntegrationRoutes(remoteProxy, devLogger);
   app.use("/api/apps/:appId/integrations/custom", customIntegrationRoutes);
   app.use((req, res, next) => {
-    devLogger.warn(`"${req.originalUrl}" is not supported in local development, passing call to production`);
+    if (!req.originalUrl.endsWith("analytics/track/batch")) {
+      devLogger.warn(`"${req.originalUrl}" is not supported in local development, passing call to production`);
+    }
     remoteProxy(req, res, next);
   });
   const server = await new Promise((resolve8, reject) => {
@@ -255686,6 +256095,7 @@ async function devAction({ log }, options8) {
   const { port: resolvedPort } = await createDevServer({
     log,
     port,
+    cwd: process21.cwd(),
     denoWrapperPath: getDenoWrapperPath(),
     loadResources: async () => {
       const { functions, entities, project: project2 } = await readProjectConfig();
@@ -260193,4 +260603,4 @@ export {
   CLIExitError
 };
-//# debugId=CBBBAC71F12A75D664756E2164756E21
+//# debugId=FF5639434B8FD38C64756E2164756E21