npm - @bloomneo/appkit - Versions diffs - 1.2.9 → 1.5.2 - Mend

@bloomneo/appkit 1.2.9 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

package/AGENTS.md +195 -0
package/CHANGELOG.md +253 -0
package/README.md +147 -799
package/bin/commands/generate.js +7 -7
package/cookbook/README.md +26 -0
package/cookbook/api-key-service.ts +106 -0
package/cookbook/auth-protected-crud.ts +112 -0
package/cookbook/file-upload-pipeline.ts +113 -0
package/cookbook/multi-tenant-saas.ts +87 -0
package/cookbook/real-time-chat.ts +121 -0
package/dist/auth/auth.d.ts +21 -4
package/dist/auth/auth.d.ts.map +1 -1
package/dist/auth/auth.js +56 -44
package/dist/auth/auth.js.map +1 -1
package/dist/auth/defaults.d.ts +1 -1
package/dist/auth/defaults.js +35 -35
package/dist/cache/cache.d.ts +29 -6
package/dist/cache/cache.d.ts.map +1 -1
package/dist/cache/cache.js +72 -44
package/dist/cache/cache.js.map +1 -1
package/dist/cache/defaults.js +29 -29
package/dist/cache/index.d.ts +19 -10
package/dist/cache/index.d.ts.map +1 -1
package/dist/cache/index.js +21 -18
package/dist/cache/index.js.map +1 -1
package/dist/config/defaults.d.ts +1 -1
package/dist/config/defaults.js +11 -11
package/dist/config/index.d.ts +3 -3
package/dist/config/index.js +4 -4
package/dist/database/adapters/mongoose.d.ts +4 -4
package/dist/database/adapters/mongoose.js +7 -7
package/dist/database/adapters/prisma.d.ts +4 -4
package/dist/database/adapters/prisma.js +7 -7
package/dist/database/defaults.d.ts +1 -1
package/dist/database/defaults.js +4 -4
package/dist/database/index.js +2 -2
package/dist/database/index.js.map +1 -1
package/dist/email/defaults.js +26 -26
package/dist/email/index.js +7 -7
package/dist/email/strategies/resend.js +1 -1
package/dist/error/defaults.d.ts +1 -1
package/dist/error/defaults.js +13 -13
package/dist/error/error.d.ts +12 -0
package/dist/error/error.d.ts.map +1 -1
package/dist/error/error.js +19 -0
package/dist/error/error.js.map +1 -1
package/dist/error/index.d.ts +14 -3
package/dist/error/index.d.ts.map +1 -1
package/dist/error/index.js +14 -3
package/dist/error/index.js.map +1 -1
package/dist/event/defaults.js +35 -35
package/dist/event/index.js +7 -7
package/dist/logger/defaults.d.ts +1 -1
package/dist/logger/defaults.js +40 -40
package/dist/logger/index.d.ts +1 -0
package/dist/logger/index.d.ts.map +1 -1
package/dist/logger/index.js.map +1 -1
package/dist/logger/logger.d.ts +8 -0
package/dist/logger/logger.d.ts.map +1 -1
package/dist/logger/logger.js +13 -3
package/dist/logger/logger.js.map +1 -1
package/dist/logger/transports/console.js +2 -2
package/dist/logger/transports/http.d.ts +1 -1
package/dist/logger/transports/http.js +2 -2
package/dist/logger/transports/webhook.d.ts +1 -1
package/dist/logger/transports/webhook.js +3 -3
package/dist/queue/defaults.d.ts +2 -2
package/dist/queue/defaults.js +38 -38
package/dist/security/defaults.d.ts +1 -1
package/dist/security/defaults.js +30 -30
package/dist/security/index.d.ts +1 -1
package/dist/security/index.js +3 -3
package/dist/security/security.d.ts +1 -1
package/dist/security/security.js +4 -4
package/dist/storage/defaults.js +26 -26
package/dist/storage/index.js +3 -3
package/dist/util/defaults.d.ts +1 -1
package/dist/util/defaults.js +41 -41
package/dist/util/env.d.ts +35 -0
package/dist/util/env.d.ts.map +1 -0
package/dist/util/env.js +50 -0
package/dist/util/env.js.map +1 -0
package/dist/util/errors.d.ts +52 -0
package/dist/util/errors.d.ts.map +1 -0
package/dist/util/errors.js +82 -0
package/dist/util/errors.js.map +1 -0
package/dist/util/util.js +1 -1
package/examples/.env.example +80 -0
package/examples/README.md +16 -0
package/examples/auth.ts +228 -0
package/examples/cache.ts +36 -0
package/examples/config.ts +45 -0
package/examples/database.ts +69 -0
package/examples/email.ts +53 -0
package/examples/error.ts +50 -0
package/examples/event.ts +42 -0
package/examples/logger.ts +41 -0
package/examples/queue.ts +58 -0
package/examples/security.ts +46 -0
package/examples/storage.ts +44 -0
package/examples/util.ts +47 -0
package/llms.txt +591 -0
package/package.json +19 -10
package/src/auth/README.md +850 -0
package/src/cache/README.md +756 -0
package/src/config/README.md +604 -0
package/src/database/README.md +818 -0
package/src/email/README.md +759 -0
package/src/error/README.md +660 -0
package/src/event/README.md +729 -0
package/src/logger/README.md +435 -0
package/src/queue/README.md +851 -0
package/src/security/README.md +612 -0
package/src/storage/README.md +1008 -0
package/src/util/README.md +955 -0
package/bin/templates/backend/docs/APPKIT_CLI.md +0 -507
package/bin/templates/backend/docs/APPKIT_COMMENTS_GUIDELINES.md +0 -61
package/bin/templates/backend/docs/APPKIT_LLM_GUIDE.md +0 -2539

package/bin/commands/generate.js CHANGED Viewed

@@ -555,13 +555,13 @@ async function generateFromTemplate(
       const envPath = path.join(currentDir, '.env');
       const envContent = await fs.readFile(envPath, 'utf8');
       const keyMatch = envContent.match(
-        /VOILA_FRONTEND_KEY\s*=\s*["']?([^"'\n\r]+)["']?/
+        /BLOOM_FRONTEND_KEY\s*=\s*["']?([^"'\n\r]+)["']?/
       );
       if (keyMatch) {
         frontendKey = keyMatch[1];
       }
       const authMatch = envContent.match(
-        /VOILA_AUTH_SECRET\s*=\s*["']?([^"'\n\r]+)["']?/
+        /BLOOM_AUTH_SECRET\s*=\s*["']?([^"'\n\r]+)["']?/
       );
       if (authMatch) {
         authSecret = authMatch[1];
@@ -989,7 +989,7 @@ async function generateUserSeedingFiles(templatesPath, projectDir) {
 }
 /**
- * Ensure DATABASE_URL, VOILA_AUTH_SECRET, and DEFAULT_USER_PASSWORD exist in .env
+ * Ensure DATABASE_URL, BLOOM_AUTH_SECRET, and DEFAULT_USER_PASSWORD exist in .env
  */
 async function ensureDatabaseUrl(projectDir) {
   const envPath = path.join(projectDir, '.env');
@@ -1013,17 +1013,17 @@ async function ensureDatabaseUrl(projectDir) {
       console.log(`✅ Added DATABASE_URL to .env`);
     }
-    // Check if VOILA_AUTH_SECRET already exists
-    if (!envContent.includes('VOILA_AUTH_SECRET=')) {
+    // Check if BLOOM_AUTH_SECRET already exists
+    if (!envContent.includes('BLOOM_AUTH_SECRET=')) {
       const authSecret =
         'auth_' +
         Math.random().toString(36).substring(2, 15) +
         Math.random().toString(36).substring(2, 15) +
         Math.random().toString(36).substring(2, 15);
-      const authSecretLine = '\nVOILA_AUTH_SECRET=' + authSecret + '\n';
+      const authSecretLine = '\nBLOOM_AUTH_SECRET=' + authSecret + '\n';
       envContent += authSecretLine;
       updated = true;
-      console.log(`✅ Added VOILA_AUTH_SECRET to .env`);
+      console.log(`✅ Added BLOOM_AUTH_SECRET to .env`);
     }
     // Check if DEFAULT_USER_PASSWORD already exists

package/cookbook/README.md ADDED Viewed

@@ -0,0 +1,26 @@
+# Cookbook
+Composed multi-module recipes. Whole-pattern files showing how the 12 modules
+work together for common backend scenarios. Copy a recipe, swap the data
+source, ship.
+For single-module examples (one canonical file per module), see
+[`../examples/`](../examples/).
+## Recipes
+| File | Pattern |
+|---|---|
+| [`auth-protected-crud.ts`](./auth-protected-crud.ts) | Auth + database + error + logger — full CRUD endpoint with role-based access |
+| [`multi-tenant-saas.ts`](./multi-tenant-saas.ts) | Multi-tenant database + cache + per-tenant rate limiting |
+| [`file-upload-pipeline.ts`](./file-upload-pipeline.ts) | Storage + queue + logger — upload → background processing → result |
+| [`real-time-chat.ts`](./real-time-chat.ts) | Event + auth + database — WebSocket-friendly real-time event flow |
+| [`api-key-service.ts`](./api-key-service.ts) | Auth (API tokens) + security (encryption) + rate limiting — third-party API key management |
+## Conventions
+- All recipes use **flat imports** from `@bloomneo/appkit`.
+- All recipes follow the canonical `xxxClass.get()` pattern.
+- All recipes wrap async route handlers in `error.asyncRoute(...)`.
+- All recipes mount `error.handleErrors()` last in the Express middleware stack.
+- All recipes use `BLOOM_*` env vars (the `VOILA_*` prefix was removed in 1.5.2).

package/cookbook/api-key-service.ts ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * COOKBOOK RECIPE — Third-party API key management with encryption.
+ *
+ * Demonstrates how to issue API tokens (separate from user login tokens)
+ * for webhooks and integrations, store the actual key encrypted at rest,
+ * and rate-limit the key holder. This is the "give my customer a key to
+ * call our API" pattern.
+ *
+ * Modules used: auth (API tokens), security (encryption + rate limiting),
+ *               database, error, logger
+ * Required env: BLOOM_AUTH_SECRET, BLOOM_SECURITY_ENCRYPTION_KEY, DATABASE_URL
+ */
+import { Router } from 'express';
+import {
+  authClass,
+  securityClass,
+  databaseClass,
+  errorClass,
+  loggerClass,
+  utilClass,
+} from '@bloomneo/appkit';
+const auth = authClass.get();
+const security = securityClass.get();
+const database = await databaseClass.get();
+const error = errorClass.get();
+const logger = loggerClass.get('api-keys');
+const util = utilClass.get();
+const router = Router();
+// ── ISSUE: admin issues a new API key for a third party ────────────
+router.post(
+  '/api-keys',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const u = auth.user(req);
+    if (!u) throw error.unauthorized();
+    const { name, scopes } = req.body;
+    if (!name) throw error.badRequest('name required');
+    // Generate a fresh API token (separate from user login tokens)
+    const apiToken = auth.generateApiToken({
+      keyId: util.uuid(),
+      role: 'service',
+      level: scopes?.[0] ?? 'webhook',
+    }, '1y');  // long expiry
+    // Store the token ENCRYPTED at rest (so a database leak doesn't
+    // expose the plaintext keys)
+    const encryptedToken = security.encrypt(apiToken);
+    const record = await database.apiKey.create({
+      data: {
+        name,
+        scopes: JSON.stringify(scopes ?? []),
+        encryptedToken,
+        createdBy: u.userId,
+        tenantId: u.tenantId,
+      },
+    });
+    logger.info('API key issued', { keyId: record.id, by: u.userId });
+    // Return the plaintext token ONCE — caller is responsible for storing it.
+    // The plaintext is never written to disk in our system.
+    res.status(201).json({
+      id: record.id,
+      name: record.name,
+      token: apiToken,
+      warning: 'Store this token now. It will not be shown again.',
+    });
+  }),
+);
+// ── REVOKE: admin revokes a key ─────────────────────────────────────
+router.delete(
+  '/api-keys/:id',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const id = Number(req.params.id);
+    await database.apiKey.update({
+      where: { id },
+      data: { revokedAt: new Date() },
+    });
+    logger.warn('API key revoked', { keyId: id });
+    res.json({ revoked: true });
+  }),
+);
+// ── PROTECTED ROUTE: third party hits this with their API token ────
+// Note: requireApiToken (NOT requireLoginToken) — different middleware
+// for different token types.
+router.get(
+  '/webhook-data',
+  auth.requireApiToken(),
+  security.requests(60, 60 * 1000),  // 60 requests per minute per token
+  error.asyncRoute(async (req, res) => {
+    const data = await database.event.findMany({ take: 100 });
+    res.json({ data });
+  }),
+);
+export default router;

package/cookbook/auth-protected-crud.ts ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * COOKBOOK RECIPE — Auth-protected CRUD endpoint with role-based access.
+ *
+ * Demonstrates the canonical bloomneo backend pattern: 4 modules
+ * (auth, database, error, logger) composed into a complete CRUD resource.
+ *
+ * Modules used: auth, database, error, logger
+ * Required env: BLOOM_AUTH_SECRET, DATABASE_URL
+ *
+ * Drop this file into src/api/features/products/products.route.ts and
+ * mount with `app.use('/api/products', router)`.
+ */
+import { Router } from 'express';
+import {
+  authClass,
+  databaseClass,
+  errorClass,
+  loggerClass,
+} from '@bloomneo/appkit';
+const auth = authClass.get();
+const database = await databaseClass.get();
+const error = errorClass.get();
+const logger = loggerClass.get('products');
+const router = Router();
+// ── LIST: any logged-in user can list ───────────────────────────────
+router.get(
+  '/',
+  auth.requireLoginToken(),
+  error.asyncRoute(async (req, res) => {
+    const products = await database.product.findMany({
+      orderBy: { createdAt: 'desc' },
+      take: 100,
+    });
+    res.json({ products });
+  }),
+);
+// ── READ: any logged-in user can read one ───────────────────────────
+router.get(
+  '/:id',
+  auth.requireLoginToken(),
+  error.asyncRoute(async (req, res) => {
+    const id = Number(req.params.id);
+    if (!Number.isFinite(id)) throw error.badRequest('id must be a number');
+    const product = await database.product.findUnique({ where: { id } });
+    if (!product) throw error.notFound('Product not found');
+    res.json({ product });
+  }),
+);
+// ── CREATE: only admins can create ──────────────────────────────────
+router.post(
+  '/',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const { name, price } = req.body;
+    if (!name) throw error.badRequest('name required');
+    if (typeof price !== 'number' || price < 0)
+      throw error.badRequest('price must be a positive number');
+    const product = await database.product.create({ data: { name, price } });
+    logger.info('Product created', { productId: product.id, by: auth.user(req)?.userId });
+    res.status(201).json({ product });
+  }),
+);
+// ── UPDATE: only admins can update ──────────────────────────────────
+router.patch(
+  '/:id',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const id = Number(req.params.id);
+    const { name, price } = req.body;
+    const existing = await database.product.findUnique({ where: { id } });
+    if (!existing) throw error.notFound('Product not found');
+    const product = await database.product.update({
+      where: { id },
+      data: { ...(name && { name }), ...(price !== undefined && { price }) },
+    });
+    logger.info('Product updated', { productId: id, by: auth.user(req)?.userId });
+    res.json({ product });
+  }),
+);
+// ── DELETE: only admins can delete ──────────────────────────────────
+router.delete(
+  '/:id',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const id = Number(req.params.id);
+    const existing = await database.product.findUnique({ where: { id } });
+    if (!existing) throw error.notFound('Product not found');
+    await database.product.delete({ where: { id } });
+    logger.warn('Product deleted', { productId: id, by: auth.user(req)?.userId });
+    res.json({ deleted: true });
+  }),
+);
+export default router;

package/cookbook/file-upload-pipeline.ts ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * COOKBOOK RECIPE — File upload → background processing pipeline.
+ *
+ * Demonstrates the producer-consumer pattern: upload route stores the file
+ * and enqueues a job, a worker process picks up the job and processes the
+ * file in the background. Same code works against local disk + memory queue
+ * (dev) or S3 + Redis queue (production).
+ *
+ * Modules used: storage, queue, logger, security, error, auth
+ * Required env: BLOOM_AUTH_SECRET
+ * Optional env: AWS_S3_BUCKET (cloud storage), REDIS_URL (distributed queue)
+ *
+ * Note: this example uses multer-style req.file which means you need
+ * `import multer from 'multer'` and `app.use(multer().single('file'))`
+ * — multer is a peerDependency of @bloomneo/appkit.
+ */
+import { Router, Request, Response } from 'express';
+import {
+  storageClass,
+  queueClass,
+  loggerClass,
+  securityClass,
+  errorClass,
+  authClass,
+} from '@bloomneo/appkit';
+const storage = storageClass.get();
+const queue = queueClass.get();
+const logger = loggerClass.get('uploads');
+const security = securityClass.get();
+const error = errorClass.get();
+const auth = authClass.get();
+const router = Router();
+// ── PRODUCER: upload route ──────────────────────────────────────────
+router.post(
+  '/upload',
+  auth.requireLoginToken(),
+  security.requests(10, 60 * 1000),  // 10 uploads / minute / IP
+  error.asyncRoute(async (req: Request & { file?: any }, res: Response) => {
+    if (!req.file) throw error.badRequest('File required');
+    // Sanitize filename
+    const safeName = security.input(req.file.originalname);
+    const key = `uploads/${Date.now()}-${safeName}`;
+    // Store the file (auto-detects local vs S3 from env)
+    await storage.put(key, req.file.buffer, {
+      contentType: req.file.mimetype,
+    });
+    // Enqueue background processing
+    await queue.add('process-upload', {
+      key,
+      userId: auth.user(req)?.userId,
+      originalName: req.file.originalname,
+      mimeType: req.file.mimetype,
+      size: req.file.size,
+    }, {
+      attempts: 3,
+    });
+    logger.info('File uploaded, queued for processing', {
+      key,
+      userId: auth.user(req)?.userId,
+      size: req.file.size,
+    });
+    res.status(202).json({
+      key,
+      url: storage.url(key),
+      status: 'processing',
+    });
+  }),
+);
+// ── CONSUMER: background worker (run in same process or separate worker) ──
+queue.process('process-upload', async (data) => {
+  const { key, userId, originalName } = data;
+  const workerLogger = loggerClass.get('upload-worker');
+  try {
+    workerLogger.info('Processing upload', { key, userId });
+    // Fetch the file
+    const buffer = await storage.get(key);
+    // ...do something with it (resize, OCR, virus scan, transcode, etc.)
+    // const processed = await processImage(buffer);
+    // Store the processed result
+    const processedKey = key.replace(/(\.[^.]+)$/, '-processed$1');
+    await storage.put(processedKey, buffer);
+    workerLogger.info('Upload processed', {
+      original: key,
+      processed: processedKey,
+      userId,
+    });
+    return { processedKey, originalName };
+  } catch (err) {
+    workerLogger.error('Upload processing failed', {
+      key,
+      error: (err as Error).message,
+    });
+    throw err;  // queue will retry per the attempts: 3 setting above
+  }
+});
+export default router;

package/cookbook/multi-tenant-saas.ts ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * COOKBOOK RECIPE — Multi-tenant SaaS with auto-filtering and per-tenant cache.
+ *
+ * Demonstrates the unique bloomneo multi-tenant pattern: every database
+ * query is automatically filtered by the current user's tenant_id, and
+ * the cache namespace is derived from the tenant id so cache entries
+ * never leak between tenants.
+ *
+ * Modules used: auth, database, cache, security, error
+ * Required env: BLOOM_AUTH_SECRET, DATABASE_URL, BLOOM_DB_TENANT=auto
+ * Optional env: REDIS_URL (for distributed cache)
+ */
+import { Router } from 'express';
+import {
+  authClass,
+  databaseClass,
+  cacheClass,
+  securityClass,
+  errorClass,
+} from '@bloomneo/appkit';
+const auth = authClass.get();
+const security = securityClass.get();
+const error = errorClass.get();
+// IMPORTANT: databaseClass.get() returns a tenant-aware client when
+// BLOOM_DB_TENANT=auto. Every query below is auto-filtered.
+const database = await databaseClass.get();
+const router = Router();
+// ── Per-tenant cached list ──────────────────────────────────────────
+router.get(
+  '/users',
+  auth.requireLoginToken(),
+  security.requests(100, 15 * 60 * 1000), // per-IP rate limit
+  error.asyncRoute(async (req, res) => {
+    const user = auth.user(req);
+    if (!user) throw error.unauthorized();
+    // Cache key includes tenantId so different tenants don't share cache.
+    const tenantCache = cacheClass.get(`tenant:${user.tenantId}`);
+    const users = await tenantCache.getOrSet(
+      'users:list',
+      () => database.user.findMany({ orderBy: { createdAt: 'desc' } }),
+      300, // 5 minutes
+    );
+    res.json({ users, tenant: user.tenantId });
+  }),
+);
+// ── Per-tenant cache invalidation on write ──────────────────────────
+router.post(
+  '/users',
+  auth.requireUserRoles(['admin.tenant']),
+  error.asyncRoute(async (req, res) => {
+    const u = auth.user(req);
+    if (!u) throw error.unauthorized();
+    const newUser = await database.user.create({ data: req.body });
+    // Invalidate the cached list so the next read sees the new user.
+    const tenantCache = cacheClass.get(`tenant:${u.tenantId}`);
+    await tenantCache.delete('users:list');
+    res.status(201).json({ user: newUser });
+  }),
+);
+// ── Cross-tenant analytics (admin.system only — uses unfiltered client) ──
+router.get(
+  '/admin/analytics',
+  auth.requireUserRoles(['admin.system']),
+  error.asyncRoute(async (req, res) => {
+    const dbAll = await databaseClass.getTenants();
+    const stats = await dbAll.user.groupBy({
+      by: ['tenant_id'],
+      _count: { _all: true },
+    });
+    res.json({ tenants: stats });
+  }),
+);
+export default router;

package/cookbook/real-time-chat.ts ADDED Viewed

@@ -0,0 +1,121 @@
+/**
+ * COOKBOOK RECIPE — Real-time chat with pub/sub events.
+ *
+ * Demonstrates the eventClass pattern for real-time features. Same code
+ * works in single-process mode (memory backend) or distributed mode
+ * (Redis pub/sub when REDIS_URL is set).
+ *
+ * Pair with a WebSocket library (Socket.IO, ws, etc.) for the actual
+ * client transport. This file shows the bloomneo backend half — the
+ * WebSocket layer just calls events.emit() / events.on() under the hood.
+ *
+ * Modules used: event, auth, database, error
+ * Required env: BLOOM_AUTH_SECRET, DATABASE_URL
+ * Optional env: REDIS_URL (for cross-process event distribution)
+ */
+import {
+  eventClass,
+  authClass,
+  databaseClass,
+  errorClass,
+} from '@bloomneo/appkit';
+// Namespaced events: 'chat' isolates these events from other event streams
+// in the same app.
+const events = eventClass.get('chat');
+const auth = authClass.get();
+const database = await databaseClass.get();
+const error = errorClass.get();
+// ── EVENT HANDLERS (subscribe at startup) ───────────────────────────
+// User connects (called from your WebSocket onConnection handler)
+events.on('user.connected', async (data: { userId: number; socketId: string }) => {
+  const { userId, socketId } = data;
+  // Look up the user's rooms from the database
+  const memberships = await database.roomMember.findMany({
+    where: { userId },
+    select: { roomId: true },
+  });
+  // Tell the WebSocket layer to join this socket to its rooms
+  await events.emit('socket.join-rooms', {
+    socketId,
+    rooms: [
+      `user:${userId}`,
+      ...memberships.map((m) => `room:${m.roomId}`),
+    ],
+  });
+});
+// User sends a message
+events.on('message.send', async (data: {
+  userId: number;
+  roomId: number;
+  content: string;
+}) => {
+  // Persist the message
+  const message = await database.message.create({
+    data: {
+      content: data.content,
+      userId: data.userId,
+      roomId: data.roomId,
+    },
+    include: { user: { select: { id: true, name: true, avatar: true } } },
+  });
+  // Broadcast to everyone in the room
+  await events.emit('message.broadcast', {
+    roomId: data.roomId,
+    message: {
+      id: message.id,
+      content: message.content,
+      user: message.user,
+      timestamp: message.createdAt.toISOString(),
+    },
+  });
+});
+// Wildcard subscriber for analytics / logging
+events.on('*', async (eventName: string, data: any) => {
+  // Log every chat event for analytics
+  // (in production, send to a queue instead of logging inline)
+  console.log(`[chat] ${eventName}`, JSON.stringify(data));
+});
+// ── REST API: send message via HTTP (alternative to WebSocket) ──────
+import { Router } from 'express';
+const router = Router();
+router.post(
+  '/rooms/:roomId/messages',
+  auth.requireLoginToken(),
+  error.asyncRoute(async (req, res) => {
+    const u = auth.user(req);
+    if (!u) throw error.unauthorized();
+    const roomId = Number(req.params.roomId);
+    const { content } = req.body;
+    if (!content) throw error.badRequest('content required');
+    // Verify membership
+    const membership = await database.roomMember.findFirst({
+      where: { userId: u.userId, roomId },
+    });
+    if (!membership) throw error.forbidden('Not a member of this room');
+    // Emit the event — WebSocket layer + persistence both happen via the
+    // events.on('message.send') handler above.
+    await events.emit('message.send', {
+      userId: u.userId,
+      roomId,
+      content,
+    });
+    res.status(202).json({ queued: true });
+  }),
+);
+export default router;

package/dist/auth/auth.d.ts CHANGED Viewed

@@ -129,14 +129,31 @@ export declare class AuthenticationClass {
      */
     hasRole(userRoleLevel: string, requiredRoleLevel: string): boolean;
     /**
-     * Checks if user has specific permission with automatic action inheritance
+     * Checks if user has specific permission with automatic action inheritance.
+     *
+     * Permission resolution rule (REPLACEMENT, not additive):
+     *   - If `user.permissions` is set (an array, even empty), it is the COMPLETE
+     *     permission set for the user. Role defaults are NOT consulted.
+     *   - If `user.permissions` is undefined / null, the role.level's default
+     *     permissions from the configured RolePermissionConfig are used.
+     *
+     * This matches AWS IAM, Casbin, OPA, Auth0 RBAC, and every mainstream
+     * permission system: explicit permissions are the truth, defaults are the
+     * fallback. To downgrade a user below their role's defaults, pass an
+     * explicit `permissions: [...]` array (even an empty `[]` is valid — it
+     * means "no permissions despite the role").
+     *
+     * Action inheritance rule (within a scope):
+     *   - `manage:<scope>` includes view, create, edit, delete for that scope
+     *   - No upward inheritance: `edit:tenant` does NOT grant `manage:tenant`
+     *
      * @llm-rule WHEN: Checking fine-grained permissions for specific actions
-     * @llm-rule AVOID: Hardcoding permission checks - this handles action inheritance
+     * @llm-rule AVOID: Hardcoding permission checks - this handles inheritance
      * @llm-rule NOTE: 'manage:scope' includes ALL other actions for that scope
-     * @llm-rule NOTE: PERMISSION INHERITANCE EXAMPLES:
+     * @llm-rule NOTE: Explicit user.permissions REPLACES role defaults (not additive)
      * @llm-rule NOTE: If user has 'manage:tenant' → can('edit:tenant') returns TRUE
-     * @llm-rule NOTE: If user has 'manage:tenant' → can('view:tenant') returns TRUE
      * @llm-rule NOTE: If user has 'edit:tenant' → can('manage:tenant') returns FALSE
+     * @llm-rule NOTE: To downgrade a user, pass permissions: [] (empty array)
      * @llm-rule NOTE: Actions hierarchy: manage > delete > edit > create > view
      */
     can(user: JwtPayload, permission: string): boolean;

package/dist/auth/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/auth/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,eAAe,CAAC;~~AAEvB~~,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAA;KAAE,CAAC;IAC1D,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACpC,KAAK,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,CAAC;IAC/B,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK;QAAE,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAA;KAAE,CAAC;IACxD,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,MAAM,GAAG,IAAI,CAAC;CACvD;AAED,MAAM,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,IAAI,KAAK,IAAI,CAAC;AAEtG;;GAEG;AACH,qBAAa,mBAAmB;IACvB,MAAM,EAAE,UAAU,CAAC;gBAEd,MAAM,EAAE,UAAU;IAI9B;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IASxH;;;;;OAKG;IACH,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IASpH;;;OAGG;IACH,OAAO,CAAC,SAAS;IA8CjB;;;;;OAKG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU;IA0CtC;;;;;OAKG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAetE;;;;;OAKG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBvE;;;;;;OAMG;IACH,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,UAAU,GAAG,IAAI;IAkBhD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO;IA2BlE~~;;;;;;;;;;OAUG~~;IACH,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;~~IAuDlD~~;;;;;OAKG;IACH,iBAAiB,CAAC,OAAO,GAAE,iBAAsB,GAAG,iBAAiB;IA2CrE;;;;;;;OAOG;IACH,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,iBAAiB;IA6C5D;;;;;;;OAOG;IACH,sBAAsB,CAAC,mBAAmB,EAAE,MAAM,EAAE,GAAG,iBAAiB;IA4CxE;;;;;OAKG;IACH,eAAe,CAAC,OAAO,GAAE,iBAAsB,GAAG,iBAAiB;IA2CnE;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;CAwBjC"}
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/auth/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,eAAe,CAAC;AAUvB,MAAM,WAAW,UAAU;IACzB,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAA;KAAE,CAAC;IAC1D,OAAO,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACpC,KAAK,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAE,CAAC;IAC/B,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK;QAAE,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAA;KAAE,CAAC;IACxD,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,MAAM,GAAG,IAAI,CAAC;CACvD;AAED,MAAM,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,IAAI,KAAK,IAAI,CAAC;AAEtG;;GAEG;AACH,qBAAa,mBAAmB;IACvB,MAAM,EAAE,UAAU,CAAC;gBAEd,MAAM,EAAE,UAAU;IAI9B;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IASxH;;;;;OAKG;IACH,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,eAAe,EAAE,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IASpH;;;OAGG;IACH,OAAO,CAAC,SAAS;IA8CjB;;;;;OAKG;IACH,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU;IA0CtC;;;;;OAKG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAetE;;;;;OAKG;IACG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBvE;;;;;;OAMG;IACH,IAAI,CAAC,OAAO,EAAE,cAAc,GAAG,UAAU,GAAG,IAAI;IAkBhD;;;;;;;;;;OAUG;IACH,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,OAAO;IA2BlE;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO;IA2ClD;;;;;OAKG;IACH,iBAAiB,CAAC,OAAO,GAAE,iBAAsB,GAAG,iBAAiB;IA2CrE;;;;;;;OAOG;IACH,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,iBAAiB;IA6C5D;;;;;;;OAOG;IACH,sBAAsB,CAAC,mBAAmB,EAAE,MAAM,EAAE,GAAG,iBAAiB;IA4CxE;;;;;OAKG;IACH,eAAe,CAAC,OAAO,GAAE,iBAAsB,GAAG,iBAAiB;IA2CnE;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;CAwBjC"}