@chimerai/cli 0.2.73

package/dist/templates/prisma.js

@@ -0,0 +1,724 @@
+"use strict";
+/**
+ * Prisma and library templates
+ * Generates Prisma client initialization, encryption utilities, and API key auth
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePrismaLib = generatePrismaLib;
+exports.generateEncryptionLib = generateEncryptionLib;
+exports.generateApiKeyAuthLib = generateApiKeyAuthLib;
+exports.generateApiProtectionLib = generateApiProtectionLib;
+exports.generatePrismaSchema = generatePrismaSchema;
+/**
+ * Generates the Prisma client singleton
+ * Uses global singleton pattern to prevent connection exhaustion in serverless environments
+ * @returns TypeScript content for lib/prisma.ts
+ */
+function generatePrismaLib() {
+    return `// @chimerai component=PrismaLib version=1.0
+import { PrismaClient } from '@prisma/client';
+
+const globalForPrisma = globalThis as unknown as {
+  prisma: PrismaClient | undefined;
+};
+
+export const prisma = globalForPrisma.prisma ?? new PrismaClient();
+
+if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma;
+`;
+}
+/**
+ * Generates the encryption utility for API key storage
+ * Uses AES-256-GCM for authenticated symmetric encryption
+ * @returns TypeScript content for lib/encryption.ts
+ */
+function generateEncryptionLib() {
+    return `// @chimerai component=EncryptionLib version=1.0
+import crypto from 'crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;  // 128 bits — must match CLI and @chimerai/model-providers
+const AUTH_TAG_LENGTH = 16;
+
+function getKey(): Buffer {
+  const key = process.env.PROVIDER_ENCRYPTION_KEY;
+  if (!key) {
+    throw new Error('PROVIDER_ENCRYPTION_KEY environment variable is required');
+  }
+  // If key is hex (64 chars = 32 bytes), use as-is; otherwise hash it
+  if (key.length === 64 && /^[0-9a-fA-F]+$/.test(key)) {
+    return Buffer.from(key, 'hex');
+  }
+  return crypto.createHash('sha256').update(key).digest();
+}
+
+export function encrypt(text: string): string {
+  if (!text) return '';
+  const key = getKey();
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  let encrypted = cipher.update(text, 'utf8', 'base64');
+  encrypted += cipher.final('base64');
+  const authTag = cipher.getAuthTag();
+  return iv.toString('base64') + ':' + authTag.toString('base64') + ':' + encrypted;
+}
+
+export function decrypt(text: string): string {
+  if (!text) return '';
+  const key = getKey();
+  const parts = text.split(':');
+  if (parts.length !== 3) {
+    throw new Error('Invalid encrypted text format');
+  }
+  const iv = Buffer.from(parts[0], 'base64');
+  const authTag = Buffer.from(parts[1], 'base64');
+  const encryptedText = parts[2];
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  decipher.setAuthTag(authTag);
+  let decrypted = decipher.update(encryptedText, 'base64', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
+
+/**
+ * Encrypt an API key for storage (alias for encrypt)
+ */
+export function encryptApiKey(apiKey: string): string {
+  return encrypt(apiKey);
+}
+
+/**
+ * Decrypt an API key from storage (alias for decrypt)
+ */
+export function decryptApiKey(encryptedKey: string): string {
+  return decrypt(encryptedKey);
+}
+`;
+}
+/**
+ * Generates the API key authentication middleware
+ * Supports API key-based auth for standalone widgets and external integrations
+ * @returns TypeScript content for lib/api-key-auth.ts
+ */
+function generateApiKeyAuthLib() {
+    return `// @chimerai component=ApiKeyAuthLib version=1.1
+/**
+ * API Key Authentication Middleware for ChimerAI
+ */
+
+import { NextRequest } from 'next/server';
+import { prisma } from './prisma';
+import { createHash } from 'crypto';
+
+export interface ApiKeyResult {
+  valid: boolean;
+  userId?: string;
+  email?: string;
+  error?: string;
+  keyName?: string;
+  scopes?: string[];
+}
+
+export function hashApiKey(apiKey: string): string {
+  return createHash('sha256').update(apiKey).digest('hex');
+}
+
+export function generateApiKey(): string {
+  const randomBytes = createHash('sha256')
+    .update(Math.random().toString() + Date.now().toString())
+    .digest('hex')
+    .slice(0, 32);
+
+  return \`sk_live_\${randomBytes}\`;
+}
+
+/**
+ * Checks if the given scopes include the required scope.
+ * Supports wildcards: ['*'] matches everything, ['chat:*'] matches 'chat:send'.
+ * Empty scopes array = unrestricted (backward-compatible).
+ */
+export function hasScope(scopes: string[], required: string): boolean {
+  if (scopes.length === 0) return true;       // No scope = everything allowed
+  if (scopes.includes('*')) return true;       // Super-wildcard
+  if (scopes.includes(required)) return true;  // Exact match
+
+  // Category wildcard: 'chat:*' matches 'chat:send'
+  const requiredParts = required.split(':');
+  for (const scope of scopes) {
+    if (scope.endsWith(':*')) {
+      const prefix = scope.slice(0, -1);
+      if (required.startsWith(prefix)) return true;
+    }
+  }
+
+  return false;
+}
+
+export async function verifyApiKey(request: NextRequest): Promise<ApiKeyResult> {
+  const authHeader = request.headers.get('authorization');
+  const apiKeyHeader = request.headers.get('x-api-key');
+
+  let apiKey: string | null = null;
+
+  if (authHeader?.startsWith('Bearer ')) {
+    apiKey = authHeader.slice(7);
+  } else if (apiKeyHeader) {
+    apiKey = apiKeyHeader;
+  }
+
+  if (!apiKey) {
+    return {
+      valid: false,
+      error: 'No API key provided',
+    };
+  }
+
+  if (!apiKey.startsWith('sk_live_') && !apiKey.startsWith('sk_test_')) {
+    return {
+      valid: false,
+      error: 'Invalid API key format',
+    };
+  }
+
+  try {
+    const keyHash = hashApiKey(apiKey);
+    const dbKey = await (prisma as any).apiKey.findUnique({
+      where: { keyHash },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+    });
+
+    if (!dbKey) {
+      return {
+        valid: false,
+        error: 'Invalid API key',
+      };
+    }
+
+    if (dbKey.revoked) {
+      return {
+        valid: false,
+        error: 'API key has been revoked',
+      };
+    }
+
+    // Check expiry
+    if (dbKey.expiresAt && new Date(dbKey.expiresAt) < new Date()) {
+      return {
+        valid: false,
+        error: 'API key has expired',
+      };
+    }
+
+    // Update last used timestamp
+    await (prisma as any).apiKey.update({
+      where: { keyHash },
+      data: { lastUsedAt: new Date() },
+    });
+
+    // Parse scopes: stored as comma-separated string in SQLite
+    const rawScopes = dbKey.scopes || '';
+    const scopeList = typeof rawScopes === 'string'
+      ? (rawScopes ? rawScopes.split(',').map((s: string) => s.trim()) : [])
+      : rawScopes;
+
+    return {
+      valid: true,
+      userId: dbKey.user.id,
+      email: dbKey.user.email || '',
+      keyName: dbKey.name,
+      scopes: scopeList,
+    };
+  } catch (error) {
+    console.error('API key verification error:', error);
+    return {
+      valid: false,
+      error: 'API key verification failed',
+    };
+  }
+}
+`;
+}
+/**
+ * Generates the API protection middleware
+ * Handles session/auth checks, permission verification, and usage tracking
+ * @returns TypeScript content for lib/api-protection.ts
+ */
+function generateApiProtectionLib() {
+    return `// @chimerai component=ApiProtectionLib version=1.0
+/**
+ * API Protection & Authorization Utilities
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getServerSession } from 'next-auth';
+import { authOptions } from './auth';
+import { prisma } from './prisma';
+
+export interface AuthResult {
+  authorized: boolean;
+  user?: { id: string; email: string };
+  error?: { code: string; message: string; statusCode: number };
+}
+
+export async function requireAuth(request: NextRequest): Promise<AuthResult> {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return {
+      authorized: false,
+      error: {
+        code: 'UNAUTHORIZED',
+        message: 'Authentication required',
+        statusCode: 401,
+      },
+    };
+  }
+
+  return {
+    authorized: true,
+    user: {
+      id: session.user.id as string,
+      email: session.user.email as string,
+    },
+  };
+}
+
+export async function requireModelPermission(
+  request: NextRequest,
+  model: string
+): Promise<AuthResult> {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return {
+      authorized: false,
+      error: {
+        code: 'UNAUTHORIZED',
+        message: 'Authentication required',
+        statusCode: 401,
+      },
+    };
+  }
+
+  // Check if user has access to this model
+  try {
+    const access = await (prisma as any).modelAccess.findFirst({
+      where: {
+        userId: session.user.id,
+        model,
+        enabled: true,
+      },
+    });
+
+    if (!access) {
+      return {
+        authorized: false,
+        error: {
+          code: 'FORBIDDEN',
+          message: \`Access to model '\${model}' is not allowed\`,
+          statusCode: 403,
+        },
+      };
+    }
+  } catch (error) {
+    console.error('Permission check error:', error);
+  }
+
+  return {
+    authorized: true,
+    user: {
+      id: session.user.id as string,
+      email: session.user.email as string,
+    },
+  };
+}
+
+export async function requireCredits(
+  request: NextRequest,
+  estimatedTokens: number
+): Promise<AuthResult> {
+  const session = await getServerSession(authOptions);
+
+  if (!session?.user?.id) {
+    return {
+      authorized: false,
+      error: {
+        code: 'UNAUTHORIZED',
+        message: 'Authentication required',
+        statusCode: 401,
+      },
+    };
+  }
+
+  try {
+    const user = await (prisma as any).user.findUnique({
+      where: { id: session.user.id },
+      select: { credits: true },
+    });
+
+    const requiredCredits = Math.ceil(estimatedTokens / 100);
+
+    if (!user || user.credits < requiredCredits) {
+      return {
+        authorized: false,
+        error: {
+          code: 'INSUFFICIENT_CREDITS',
+          message: 'Insufficient credits for this operation',
+          statusCode: 402,
+        },
+      };
+    }
+  } catch (error) {
+    console.error('Credits check error:', error);
+  }
+
+  return {
+    authorized: true,
+    user: {
+      id: session.user.id as string,
+      email: session.user.email as string,
+    },
+  };
+}
+
+export function createErrorResponse(authResult: AuthResult) {
+  return NextResponse.json(
+    {
+      error: {
+        code: authResult.error?.code || 'ERROR',
+        message: authResult.error?.message || 'Unknown error',
+      },
+    },
+    { status: authResult.error?.statusCode || 500 }
+  );
+}
+
+export async function trackApiUsage(
+  userId: string,
+  endpoint: string,
+  model: string,
+  inputTokens: number,
+  outputTokens: number,
+  success: boolean,
+  errorMessage?: string
+) {
+  try {
+    await (prisma as any).apiUsageLog.create({
+      data: {
+        userId,
+        endpoint,
+        model,
+        inputTokens,
+        outputTokens,
+        success,
+        errorMessage,
+        timestamp: new Date(),
+      },
+    });
+  } catch (error) {
+    console.error('Failed to track API usage:', error);
+  }
+}
+`;
+}
+/**
+ * Generates the Prisma schema for all features
+ * Includes User, Role, Provider, Model, Conversation, Message, AuditLog, and SystemSetting models
+ * @returns TypeScript content for prisma/schema.prisma (content)
+ */
+function generatePrismaSchema() {
+    return `// @chimerai component=PrismaSchema version=2.0
+generator client {
+  provider = "prisma-client-js"
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+model User {
+  id            String    @id @default(cuid())
+  name          String?
+  email         String?   @unique
+  emailVerified DateTime?
+  image         String?
+  password      String?
+  createdAt     DateTime  @default(now())
+  updatedAt     DateTime  @updatedAt
+
+  accounts      Account[]
+  sessions      Session[]
+  roles         UserRole[]
+  providers     Provider[]  @relation("CreatedProviders")
+  apiUsage      ApiUsage[]
+  apiKeys       ApiKey[]
+  modelAccess   ModelAccess[]
+  auditLogs     AuditLog[]
+  conversations Conversation[]
+}
+
+model Account {
+  id                String  @id @default(cuid())
+  userId            String
+  type              String
+  provider          String
+  providerAccountId String
+  refresh_token     String? @db.Text
+  access_token      String? @db.Text
+  expires_at        Int?
+  token_type        String?
+  scope             String?
+  id_token          String? @db.Text
+  session_state     String?
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([provider, providerAccountId])
+}
+
+model Session {
+  id           String   @id @default(cuid())
+  sessionToken String   @unique
+  userId       String
+  expires      DateTime
+  user         User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
+model VerificationToken {
+  identifier String
+  token      String   @unique
+  expires    DateTime
+
+  @@unique([identifier, token])
+}
+
+model ApiKey {
+  id          String    @id @default(cuid())
+  name        String
+  keyHash     String    @unique
+  userId      String
+  scopes      String[]  @default([])
+  revoked     Boolean   @default(false)
+  lastUsedAt  DateTime?
+  expiresAt   DateTime?
+  createdAt   DateTime  @default(now())
+  updatedAt   DateTime  @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+}
+
+model Role {
+  id          String     @id @default(cuid())
+  name        String     @unique
+  description String?
+  permissions String[]
+  createdAt   DateTime   @default(now())
+  updatedAt   DateTime   @updatedAt
+
+  users       UserRole[]
+}
+
+model UserRole {
+  userId String
+  roleId String
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+  role Role @relation(fields: [roleId], references: [id], onDelete: Cascade)
+
+  @@id([userId, roleId])
+}
+
+// === Provider Management (Core Infrastructure) ===
+
+model Provider {
+  id          String   @id @default(cuid())
+  name        String
+  type        String   // "openai", "anthropic", "ollama", "google", "custom"
+  description String?
+  baseUrl     String?
+  apiKey      String?  @db.Text  // AES-256-GCM encrypted, null for keyless providers (e.g. Ollama)
+  config      Json     @default("{}")
+  status      String   @default("active")
+  isDefault   Boolean  @default(false)
+  priority    Int      @default(0)
+  tags        String[]
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+  createdBy   String?
+
+  models        Model[]
+  health        ProviderHealth?
+  apiUsage      ApiUsage[]
+  conversations Conversation[]
+  creator       User?    @relation("CreatedProviders", fields: [createdBy], references: [id])
+
+  @@index([type])
+  @@index([status])
+}
+
+model Model {
+  id              String   @id @default(cuid())
+  providerId      String
+  modelId         String   // e.g. "gpt-4", "claude-3-sonnet"
+  name            String
+  description     String?
+  capabilities    String[] // ["chat", "embedding", "image", "vision"]
+  contextWindow   Int      @default(4096)
+  maxOutputTokens Int?
+  inputCost       Float    @default(0)  // $ per 1M tokens
+  outputCost      Float    @default(0)
+  isAvailable     Boolean  @default(true)
+  isDeprecated    Boolean  @default(false)
+
+  provider Provider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+
+  @@unique([providerId, modelId])
+  @@index([providerId])
+}
+
+model ProviderHealth {
+  id                  String   @id @default(cuid())
+  providerId          String   @unique
+  status              String   @default("unknown") // "healthy", "degraded", "unhealthy"
+  responseTime        Int?     // ms
+  lastCheck           DateTime @default(now())
+  errorMessage        String?
+  modelsAvailable     Int      @default(0)
+  chatAvailable       Boolean  @default(false)
+  embeddingAvailable  Boolean  @default(false)
+  apiKeyValid         Boolean  @default(false)
+
+  provider Provider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+}
+
+model ApiUsage {
+  id               String   @id @default(cuid())
+  userId           String
+  providerId       String?
+  model            String
+  endpoint         String
+  promptTokens     Int      @default(0)
+  completionTokens Int      @default(0)
+  totalTokens      Int      @default(0)
+  tokensUsed       Int      @default(0)
+  creditsUsed      Int      @default(0)
+  cost             Float    @default(0)
+  success          Boolean  @default(true)
+  errorMessage     String?
+  responseTime     Int      @default(0) // ms
+  createdAt        DateTime @default(now())
+
+  user     User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+  provider Provider? @relation(fields: [providerId], references: [id], onDelete: SetNull)
+
+  @@index([userId])
+  @@index([providerId])
+  @@index([createdAt])
+}
+
+model ModelAccess {
+  id        String   @id @default(cuid())
+  userId    String
+  modelId   String
+  granted   Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([userId, modelId])
+  @@index([userId])
+  @@index([modelId])
+}
+
+model AuditLog {
+  id         String   @id @default(cuid())
+  action     String
+  userId     String
+  targetType String?
+  targetId   String?
+  metadata   Json?
+  ipAddress  String?
+  createdAt  DateTime @default(now())
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@index([action])
+  @@index([createdAt])
+}
+
+model PromptTemplate {
+  id          String   @id @default(cuid())
+  name        String   @unique
+  category    String
+  description String?
+  content     String   @db.Text
+  variables   String[]
+  language    String   @default("en")
+  version     Int      @default(1)
+  isActive    Boolean  @default(true)
+  isDefault   Boolean  @default(false)
+  tags        String[]
+  metadata    Json?
+  createdBy   String?
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+
+  @@index([category])
+  @@index([isActive])
+  @@index([isDefault])
+}
+
+model Conversation {
+  id         String    @id @default(cuid())
+  userId     String
+  title      String    @default("New Chat")
+  model      String?
+  providerId String?
+  metadata   Json?
+  archived   Boolean   @default(false)
+  createdAt  DateTime  @default(now())
+  updatedAt  DateTime  @updatedAt
+
+  user     User      @relation(fields: [userId], references: [id], onDelete: Cascade)
+  provider Provider? @relation(fields: [providerId], references: [id], onDelete: SetNull)
+  messages Message[]
+
+  @@index([userId])
+  @@index([archived])
+  @@index([providerId])
+}
+
+model Message {
+  id             String       @id @default(cuid())
+  conversationId String
+  role           String
+  content        String       @db.Text
+  model          String?
+  tokens         Int?
+  createdAt      DateTime     @default(now())
+
+  conversation   Conversation @relation(fields: [conversationId], references: [id], onDelete: Cascade)
+
+  @@index([conversationId])
+}
+
+model SystemSetting {
+  key       String   @id
+  value     String   @db.Text
+  updatedAt DateTime @updatedAt
+}
+`;
+}