@chimerai/cli 0.2.73

package/dist/templates/mfa.js

@@ -0,0 +1,353 @@
+"use strict";
+/**
+ * MFA (Multi-Factor Authentication) Templates
+ * TOTP-based 2FA using otpauth + qrcode
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MFA_USER_FIELDS = exports.MFA_SCHEMA_EXTENSION = void 0;
+exports.generateMfaLib = generateMfaLib;
+exports.generateMfaSetupRoute = generateMfaSetupRoute;
+exports.generateMfaVerifyRoute = generateMfaVerifyRoute;
+exports.generateMfaDisableRoute = generateMfaDisableRoute;
+exports.generateMfaPage = generateMfaPage;
+/** lib/mfa.ts — TOTP helpers */
+function generateMfaLib() {
+    return `// @chimerai component=MfaLib version=1.0
+import * as OTPAuth from 'otpauth';
+import QRCode from 'qrcode';
+
+export interface MfaSetupResult {
+  secret: string;
+  otpauthUrl: string;
+  qrCodeDataUrl: string;
+}
+
+/**
+ * Generate a new TOTP secret and QR code for the user.
+ */
+export async function generateMfaSetup(userEmail: string, appName = 'ChimerAI'): Promise<MfaSetupResult> {
+  const totp = new OTPAuth.TOTP({
+    issuer: appName,
+    label: userEmail,
+    algorithm: 'SHA1',
+    digits: 6,
+    period: 30,
+    secret: new OTPAuth.Secret({ size: 20 }),
+  });
+
+  const otpauthUrl = totp.toString();
+  const secret = totp.secret.base32;
+  const qrCodeDataUrl = await QRCode.toDataURL(otpauthUrl);
+
+  return { secret, otpauthUrl, qrCodeDataUrl };
+}
+
+/**
+ * Verify a TOTP code against the stored secret.
+ * Returns true if valid (with ±1 period drift tolerance).
+ */
+export function verifyMfaCode(secret: string, code: string): boolean {
+  try {
+    const totp = new OTPAuth.TOTP({
+      algorithm: 'SHA1',
+      digits: 6,
+      period: 30,
+      secret: OTPAuth.Secret.fromBase32(secret),
+    });
+
+    const delta = totp.validate({ token: code, window: 1 });
+    return delta !== null;
+  } catch {
+    return false;
+  }
+}
+`;
+}
+/** app/api/mfa/setup/route.ts — generate TOTP secret */
+function generateMfaSetupRoute() {
+    return `// @chimerai component=MfaSetupRoute version=1.0
+import { NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { generateMfaSetup } from '@/lib/mfa';
+import { prisma } from '@/lib/prisma';
+
+export async function POST() {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.email) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const { secret, qrCodeDataUrl } = await generateMfaSetup(session.user.email);
+
+  // Store the pending (unconfirmed) secret
+  await (prisma as any).user.update({
+    where: { email: session.user.email },
+    data: { mfaSecret: secret, mfaEnabled: false },
+  });
+
+  return NextResponse.json({ qrCodeDataUrl, secret });
+}
+`;
+}
+/** app/api/mfa/verify/route.ts — confirm TOTP code to enable MFA */
+function generateMfaVerifyRoute() {
+    return `// @chimerai component=MfaVerifyRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { verifyMfaCode } from '@/lib/mfa';
+import { prisma } from '@/lib/prisma';
+
+export async function POST(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.email) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const { code } = await req.json() as { code: string };
+
+  const user = await (prisma as any).user.findUnique({
+    where: { email: session.user.email },
+    select: { mfaSecret: true },
+  });
+
+  if (!user?.mfaSecret) {
+    return NextResponse.json({ error: 'MFA not set up' }, { status: 400 });
+  }
+
+  const valid = verifyMfaCode(user.mfaSecret, code);
+  if (!valid) {
+    return NextResponse.json({ error: 'Invalid code' }, { status: 400 });
+  }
+
+  await (prisma as any).user.update({
+    where: { email: session.user.email },
+    data: { mfaEnabled: true },
+  });
+
+  return NextResponse.json({ success: true });
+}
+`;
+}
+/** app/api/mfa/disable/route.ts — disable MFA */
+function generateMfaDisableRoute() {
+    return `// @chimerai component=MfaDisableRoute version=1.0
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from '@/lib/auth';
+import { verifyMfaCode } from '@/lib/mfa';
+import { prisma } from '@/lib/prisma';
+
+export async function POST(req: NextRequest) {
+  const session = await getServerSession(authOptions);
+  if (!session?.user?.email) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const { code } = await req.json() as { code: string };
+
+  const user = await (prisma as any).user.findUnique({
+    where: { email: session.user.email },
+    select: { mfaSecret: true },
+  });
+
+  if (!user?.mfaSecret) {
+    return NextResponse.json({ error: 'MFA not configured' }, { status: 400 });
+  }
+
+  const valid = verifyMfaCode(user.mfaSecret, code);
+  if (!valid) {
+    return NextResponse.json({ error: 'Invalid code' }, { status: 400 });
+  }
+
+  await (prisma as any).user.update({
+    where: { email: session.user.email },
+    data: { mfaEnabled: false, mfaSecret: null },
+  });
+
+  return NextResponse.json({ success: true });
+}
+`;
+}
+/** app/(app)/settings/mfa/page.tsx — MFA setup UI */
+function generateMfaPage() {
+    return `// @chimerai component=MfaPage version=1.0
+'use client';
+
+import { useState } from 'react';
+import Image from 'next/image';
+
+export default function MfaPage() {
+  const [qrCode, setQrCode] = useState<string | null>(null);
+  const [secret, setSecret] = useState<string | null>(null);
+  const [code, setCode] = useState('');
+  const [step, setStep] = useState<'idle' | 'setup' | 'done' | 'disable'>('idle');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  async function startSetup() {
+    setLoading(true);
+    setError('');
+    const res = await fetch('/api/mfa/setup', { method: 'POST' });
+    const data = await res.json();
+    if (res.ok) {
+      setQrCode(data.qrCodeDataUrl);
+      setSecret(data.secret);
+      setStep('setup');
+    } else {
+      setError(data.error ?? 'Failed to start setup');
+    }
+    setLoading(false);
+  }
+
+  async function confirmCode(endpoint: string) {
+    setLoading(true);
+    setError('');
+    const res = await fetch(endpoint, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ code }),
+    });
+    const data = await res.json();
+    if (res.ok) {
+      setStep('done');
+      setCode('');
+    } else {
+      setError(data.error ?? 'Invalid code');
+    }
+    setLoading(false);
+  }
+
+  return (
+    <div className="max-w-md mx-auto py-10 px-4">
+      <h1 className="text-2xl font-bold mb-2">Two-Factor Authentication</h1>
+      <p className="text-gray-500 mb-8">
+        Protect your account with an authenticator app (Google Authenticator, Authy, etc.)
+      </p>
+
+      {step === 'idle' && (
+        <button
+          onClick={startSetup}
+          disabled={loading}
+          className="w-full bg-blue-600 text-white py-2 px-4 rounded-lg hover:bg-blue-700 disabled:opacity-50"
+        >
+          {loading ? 'Loading...' : 'Set up 2FA'}
+        </button>
+      )}
+
+      {step === 'setup' && qrCode && (
+        <div className="space-y-6">
+          <div>
+            <p className="text-sm font-medium mb-3">
+              1. Scan this QR code with your authenticator app:
+            </p>
+            <div className="flex justify-center bg-white p-4 rounded-lg">
+              <Image src={qrCode} alt="MFA QR Code" width={200} height={200} />
+            </div>
+          </div>
+
+          {secret && (
+            <div>
+              <p className="text-sm font-medium mb-1">Or enter this key manually:</p>
+              <code className="block bg-gray-100 rounded px-3 py-2 text-sm font-mono break-all">
+                {secret}
+              </code>
+            </div>
+          )}
+
+          <div>
+            <p className="text-sm font-medium mb-2">2. Enter the 6-digit code from your app:</p>
+            <input
+              type="text"
+              value={code}
+              onChange={(e) => setCode(e.target.value.replace(/\\D/g, '').slice(0, 6))}
+              placeholder="000000"
+              className="w-full border rounded-lg px-3 py-2 text-center text-xl tracking-widest font-mono"
+              maxLength={6}
+            />
+          </div>
+
+          {error && <p className="text-red-500 text-sm">{error}</p>}
+
+          <button
+            onClick={() => confirmCode('/api/mfa/verify')}
+            disabled={loading || code.length !== 6}
+            className="w-full bg-green-600 text-white py-2 px-4 rounded-lg hover:bg-green-700 disabled:opacity-50"
+          >
+            {loading ? 'Verifying...' : 'Enable 2FA'}
+          </button>
+        </div>
+      )}
+
+      {step === 'done' && (
+        <div className="text-center space-y-4">
+          <div className="text-5xl">✅</div>
+          <p className="text-lg font-semibold text-green-700">2FA is now enabled!</p>
+          <p className="text-gray-500 text-sm">
+            Your account is now protected. You will be asked for a code each time you sign in.
+          </p>
+          <button
+            onClick={() => setStep('disable')}
+            className="text-sm text-red-500 hover:underline"
+          >
+            Disable 2FA
+          </button>
+        </div>
+      )}
+
+      {step === 'disable' && (
+        <div className="space-y-4">
+          <p className="text-sm font-medium">Enter your current 2FA code to disable:</p>
+          <input
+            type="text"
+            value={code}
+            onChange={(e) => setCode(e.target.value.replace(/\\D/g, '').slice(0, 6))}
+            placeholder="000000"
+            className="w-full border rounded-lg px-3 py-2 text-center text-xl tracking-widest font-mono"
+            maxLength={6}
+          />
+          {error && <p className="text-red-500 text-sm">{error}</p>}
+          <button
+            onClick={() => confirmCode('/api/mfa/disable')}
+            disabled={loading || code.length !== 6}
+            className="w-full bg-red-600 text-white py-2 px-4 rounded-lg hover:bg-red-700 disabled:opacity-50"
+          >
+            {loading ? 'Disabling...' : 'Disable 2FA'}
+          </button>
+          <button onClick={() => setStep('done')} className="w-full text-sm text-gray-500 hover:underline">
+            Cancel
+          </button>
+        </div>
+      )}
+    </div>
+  );
+}
+`;
+}
+/**
+ * Prisma schema extension: adds mfaSecret + mfaEnabled to User model
+ * and creates a standalone MfaBackupCode model for recovery codes.
+ * SQLite-safe: no @db.Text, no Json, no arrays.
+ */
+exports.MFA_SCHEMA_EXTENSION = `
+  mfaSecret       String?
+  mfaEnabled      Boolean @default(false)
+
+model MfaBackupCode {
+  id        String   @id @default(cuid())
+  userId    String
+  codeHash  String
+  usedAt    DateTime?
+  createdAt DateTime @default(now())
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+}
+`;
+/** Fields to patch onto the User model (added by extendPrismaSchema) */
+exports.MFA_USER_FIELDS = `
+  mfaSecret       String?
+  mfaEnabled      Boolean  @default(false)
+  mfaBackupCodes  MfaBackupCode[]
+`;

package/dist/templates/middleware.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Next.js middleware template with security headers and CORS for widget endpoints.
+ * Generates middleware.ts for the root of the Next.js project.
+ */
+/**
+ * Generates the Next.js middleware with security headers and CORS.
+ * Widget endpoints (/api/v1/*) get CORS headers from CORS_ALLOWED_ORIGINS env.
+ * Also reads WIDGET_ALLOWED_ORIGINS as legacy alias for backward compatibility.
+ * @returns TypeScript content for middleware.ts
+ */
+export declare function generateMiddleware(): string;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/templates/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/templates/middleware.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;;GAKG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAsG3C"}

package/dist/templates/middleware.js

@@ -0,0 +1,116 @@
+"use strict";
+/**
+ * Next.js middleware template with security headers and CORS for widget endpoints.
+ * Generates middleware.ts for the root of the Next.js project.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateMiddleware = generateMiddleware;
+/**
+ * Generates the Next.js middleware with security headers and CORS.
+ * Widget endpoints (/api/v1/*) get CORS headers from CORS_ALLOWED_ORIGINS env.
+ * Also reads WIDGET_ALLOWED_ORIGINS as legacy alias for backward compatibility.
+ * @returns TypeScript content for middleware.ts
+ */
+function generateMiddleware() {
+    return `// @chimerai component=Middleware version=1.2
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { getToken } from 'next-auth/jwt';
+
+/** Routes that require authentication */
+const PROTECTED_PATHS = ['/dashboard', '/chat', '/admin', '/api/models', '/api/conversations', '/api/admin', '/api/billing'];
+
+/** Routes that are always public (no auth needed) */
+const PUBLIC_PATHS = ['/auth', '/api/auth', '/api/v1/', '/_next', '/favicon.ico', '/widget'];
+
+/** Merge CORS_ALLOWED_ORIGINS + WIDGET_ALLOWED_ORIGINS (legacy alias) */
+function getAllowedOrigins(): string[] {
+  const raw = [
+    process.env.CORS_ALLOWED_ORIGINS || '',
+    process.env.WIDGET_ALLOWED_ORIGINS || '',
+  ].filter(Boolean).join(',');
+  if (!raw) return ['*'];
+  return raw.split(',').map(o => o.trim()).filter(Boolean);
+}
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  // --- CORS for Widget/Public API Endpoints (/api/v1/*) ---
+  if (pathname.startsWith('/api/v1/')) {
+    const allowedOrigins = getAllowedOrigins();
+    const origin = request.headers.get('origin') || '';
+
+    // Preflight (OPTIONS) — respond directly without further processing
+    if (request.method === 'OPTIONS') {
+      const res = new NextResponse(null, { status: 204 });
+      const allowOrigin = allowedOrigins.includes('*') ? '*' : (allowedOrigins.includes(origin) ? origin : '');
+      if (allowOrigin) {
+        res.headers.set('Access-Control-Allow-Origin', allowOrigin);
+      }
+      res.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+      res.headers.set('Access-Control-Allow-Headers', 'Content-Type, x-api-key, Authorization');
+      res.headers.set('Access-Control-Max-Age', '86400');
+      return res;
+    }
+
+    // Actual request — add CORS headers
+    const response = NextResponse.next();
+    const allowOrigin = allowedOrigins.includes('*') ? '*' :
+      (allowedOrigins.includes(origin) ? origin : '');
+    if (allowOrigin) {
+      response.headers.set('Access-Control-Allow-Origin', allowOrigin);
+    }
+    return response;
+  }
+
+  // --- Auth protection for protected routes ---
+  const isPublic = PUBLIC_PATHS.some(p => pathname.startsWith(p));
+  const isProtected = PROTECTED_PATHS.some(p => pathname.startsWith(p));
+
+  if (!isPublic && isProtected) {
+    const token = await getToken({ req: request, secret: process.env.NEXTAUTH_SECRET });
+    if (!token) {
+      // API routes return 401, pages redirect to sign-in
+      if (pathname.startsWith('/api/')) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+      }
+      const signInUrl = new URL('/auth/signin', request.url);
+      signInUrl.searchParams.set('callbackUrl', pathname);
+      return NextResponse.redirect(signInUrl);
+    }
+  }
+
+  // --- Standard security headers for all other routes ---
+  const response = NextResponse.next();
+
+  // X-Frame-Options — Prevent clickjacking
+  response.headers.set('X-Frame-Options', 'DENY');
+
+  // X-Content-Type-Options — Prevent MIME sniffing
+  response.headers.set('X-Content-Type-Options', 'nosniff');
+
+  // Referrer-Policy
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+  // Permissions-Policy
+  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+
+  // HSTS in production
+  if (process.env.NODE_ENV === 'production') {
+    response.headers.set(
+      'Strict-Transport-Security',
+      'max-age=31536000; includeSubDomains; preload'
+    );
+  }
+
+  return response;
+}
+
+export const config = {
+  matcher: [
+    '/((?!_next/static|_next/image|favicon.ico).*)',
+  ],
+};
+`;
+}

package/dist/templates/prisma.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Prisma and library templates
+ * Generates Prisma client initialization, encryption utilities, and API key auth
+ */
+/**
+ * Generates the Prisma client singleton
+ * Uses global singleton pattern to prevent connection exhaustion in serverless environments
+ * @returns TypeScript content for lib/prisma.ts
+ */
+export declare function generatePrismaLib(): string;
+/**
+ * Generates the encryption utility for API key storage
+ * Uses AES-256-GCM for authenticated symmetric encryption
+ * @returns TypeScript content for lib/encryption.ts
+ */
+export declare function generateEncryptionLib(): string;
+/**
+ * Generates the API key authentication middleware
+ * Supports API key-based auth for standalone widgets and external integrations
+ * @returns TypeScript content for lib/api-key-auth.ts
+ */
+export declare function generateApiKeyAuthLib(): string;
+/**
+ * Generates the API protection middleware
+ * Handles session/auth checks, permission verification, and usage tracking
+ * @returns TypeScript content for lib/api-protection.ts
+ */
+export declare function generateApiProtectionLib(): string;
+/**
+ * Generates the Prisma schema for all features
+ * Includes User, Role, Provider, Model, Conversation, Message, AuditLog, and SystemSetting models
+ * @returns TypeScript content for prisma/schema.prisma (content)
+ */
+export declare function generatePrismaSchema(): string;
+//# sourceMappingURL=prisma.d.ts.map

package/dist/templates/prisma.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prisma.d.ts","sourceRoot":"","sources":["../../src/templates/prisma.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAY1C;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,CA8D9C;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,CAiJ9C;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAiLjD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CA+R7C"}