@codeyam/codeyam-cli 0.1.28 → 0.1.30

package/codeyam-cli/templates/codeyam-editor-gemini.md

@@ -0,0 +1,59 @@
+# CodeYam Editor Project (Gemini)
+
+This project is being built with CodeYam's Code + Data Editor. The core principle is **code and data are developed together** — every component should have scenario data that drives what it renders.
+
+## Architecture: Components + Scenarios
+
+### Component Structure
+
+Build with a clear component hierarchy so individual components can be previewed in isolation:
+
+```
+app/
+  components/
+    Dashboard.tsx        ← page-level component
+    TaskList.tsx         ← displays a list, gets data from API or props
+    TaskCard.tsx         ← single item, pure props
+    EmptyState.tsx       ← shown when no data
+```
+
+### Scenarios
+
+A **scenario** is a named set of data that drives how the app renders. Scenarios exist at two levels:
+
+- **App-level scenarios**: Full application state.
+- **Component-level scenarios**: Props for a single component in isolation.
+
+**Always register scenarios with CodeYam** using the CLI:
+
+```bash
+codeyam editor register @.codeyam/tmp/scenario.json
+```
+
+**To list existing scenarios:** `codeyam editor scenarios`
+
+## Workflow
+
+1. Build a component
+2. Create scenarios with rich, realistic data.
+3. Register the scenarios with CodeYam.
+4. Preview each scenario to verify the component handles all states.
+5. Repeat for the next component.
+
+## Key Conventions
+
+- Component files go in `app/components/` (or `src/components/`)
+- One component per file, default export.
+- Components accept props that can be provided by scenarios.
+
+## AI Handoff
+
+Since you are working in an AI-assisted workflow, you must maintain a handoff summary for other AI agents (or yourself in a later session).
+
+**At the end of every step, update the handoff summary:**
+
+```bash
+codeyam editor handoff '{"summary": "Built the X component and registered 3 scenarios. Ready to start on Y."}'
+```
+
+This summary will be displayed when starting a new session or switching between AI providers (Claude <-> Gemini).

package/codeyam-cli/templates/editor-step-hook.py

@@ -40,8 +40,8 @@ STEP_RESTRICTIONS = {
     3: "Do NOT create scenarios or run codeyam analyze. Build fast — working prototype with real data.",
     4: "Verify the prototype works. Do NOT add features — only fix broken functionality.",
     5: "Present a selection menu (AskUserQuestion) for confirmation. Do NOT refactor or create scenarios until approved.",
-    6: "Do NOT write any code. Read every file, identify all extractable pieces, write a numbered plan. Planning only.",
-    7: "Execute the extraction plan from step 6. Components first (no tests), then library functions via TDD. Page files must contain ZERO direct JSX.",
+    6: "Do NOT write any code. Read every file, identify all extractable pieces, write a numbered plan. Planning only. Every opportunity to extract code into a function, helper, or sub-component MUST be taken. Then plan to extract from the extracted code until each piece does one clearly defined thing.",
+    7: "Execute the extraction plan from step 6. Components first (no tests), then library functions via TDD. Page files must contain ZERO direct JSX. After extraction: re-read every file — extract further until each piece does one thing. Verify every test file covers all conditional branches.",
     8: "Do NOT write application code or scenarios. Update the glossary only.",
     9: "Create isolation routes for visual components, run tests for library functions. Register component scenarios via codeyam editor register.",
     10: "Do NOT modify application code. Create and register app-level scenarios only.",
@@ -52,7 +52,7 @@ STEP_RESTRICTIONS = {
     15: "Show the results panel, present summary, then selection menu (AskUserQuestion): Save or make changes.",
     16: "Hide the results panel and commit all changes. Do NOT push — that happens in step 18.",
     17: "Update the journal entry with the commit SHA and amend the commit to include the journal update.",
-    18: "Check for a git remote and offer to push. WAIT for the user's answer before starting the next feature.",
+    18: "Check for a git remote and offer to push. After push (or skip), call the feature-complete API and STOP.",
 }
 
 MIGRATION_STEP_LABELS = {
@@ -212,7 +212,7 @@ def main():
         next_cmd = f"codeyam editor migrate {step + 1}" if step < 10 else "codeyam editor migrate next"
     else:
         restriction = STEP_RESTRICTIONS.get(step, "")
-        next_cmd = f"codeyam editor {step + 1}" if step < 18 else "codeyam editor 1"
+        next_cmd = f"codeyam editor {step + 1}" if step < 18 else "(feature complete — UI handles transition)"
 
     # UserPromptSubmit: concise workflow reminder injected before Claude processes the user's message
     if event_type == "user_prompt":

package/codeyam-cli/templates/seed-adapters/supabase.ts

@@ -10,16 +10,19 @@
  *   "tableName": [{ "column": "value", ... }, ...],
  *   "_auth": {                          // optional
  *     "email": "alice@example.com",
- *     "password": "test123"
+ *     "password": "test123"             // optional — default used if omitted
  *   }
  * }
  *
  * When _auth is present, the adapter:
  * 1. Creates the user if they don't exist (auto-confirms email)
- * 2. Signs in with signInWithPassword to get a valid session
- * 3. Writes session cookies to .codeyam/tmp/seed-session.json
+ * 2. Builds a synthetic JWT with far-future expiry (no real sign-in needed)
+ * 3. Writes session cookies + auth mocks to .codeyam/tmp/seed-session.json
  *    so the CodeYam proxy can inject them into the browser
  *
+ * The password field is optional — if omitted, a default dev password is used.
+ * No real JWTs are stored; the preload module intercepts all auth API calls.
+ *
  * Requirements:
  * - A Supabase project URL (https://<ref>.supabase.co) in any env var
  * - A secret key (sb_secret_... or legacy eyJ... service_role JWT) in any env var
@@ -66,7 +69,6 @@ const supabaseUrl = findAllEnvByPattern(
 
 // New-format keys are unambiguous by prefix
 const newSecretKey = findAllEnvByPattern(/^sb_secret_/)[0];
-const newAnonKey = findAllEnvByPattern(/^sb_publishable_/)[0];
 
 // Legacy JWT keys — disambiguate by decoding the role claim
 const legacyJwts = findAllEnvByPattern(
@@ -75,10 +77,8 @@ const legacyJwts = findAllEnvByPattern(
 const legacyServiceRole = legacyJwts.find(
   (jwt) => getJwtRole(jwt) === 'service_role',
 );
-const legacyAnon = legacyJwts.find((jwt) => getJwtRole(jwt) === 'anon');
 
 const secretKey = newSecretKey || legacyServiceRole;
-const anonKey = newAnonKey || legacyAnon;
 
 if (!supabaseUrl || !secretKey) {
   console.error(
@@ -210,17 +210,25 @@ function buildUserResponse(user: { id: string; email?: string }) {
   };
 }
 
+const DEFAULT_AUTH_PASSWORD = 'codeyam-dev-password-123!';
+
 /**
- * Handle auth: create user, sign in, write session cookies.
+ * Handle auth: create user, build synthetic session, write session cookies.
  * Returns the user ID so callers can replace __AUTH_USER_ID__ placeholders in seed data.
+ *
+ * No real sign-in is performed — the session cookie uses a synthetic JWT with
+ * far-future expiry, and externalApis mocks intercept all Supabase auth API calls.
+ * This avoids storing real tokens (security risk + expiration) in scenario files.
  */
 async function handleAuth(auth: {
   email: string;
-  password: string;
+  password?: string;
 }): Promise<string> {
-  const { email, password } = auth;
+  const email = auth.email;
+  const password = auth.password || DEFAULT_AUTH_PASSWORD;
 
-  // Create user if they don't exist (auto-confirm email so sign-in works)
+  // Create user if they don't exist (auto-confirm email)
+  // We still need the auth.users row for PostgREST FK relationships.
   const { data: createData, error: createError } =
     await supabase.auth.admin.createUser({
       email,
@@ -228,52 +236,36 @@ async function handleAuth(auth: {
       email_confirm: true,
     });
 
+  let userId: string;
+
   if (createError) {
     if (createError.message.includes('already been registered')) {
-      // User exists — update their password so sign-in works even if the
-      // scenario specifies a different password than a previous run.
+      // User exists — look up their ID
       const { data: listData } = await supabase.auth.admin.listUsers();
       const existingUser = listData?.users?.find((u) => u.email === email);
       if (existingUser) {
-        await supabase.auth.admin.updateUserById(existingUser.id, {
-          password,
-        });
-        console.log(`  Updated password for existing user ${email}`);
+        userId = existingUser.id;
+        console.log(`  Found existing user ${email} (user: ${userId})`);
+      } else {
+        console.error(
+          `  User ${email} reported as registered but not found in listUsers`,
+        );
+        process.exit(1);
       }
     } else {
       console.error(`  Failed to create auth user: ${createError.message}`);
       process.exit(1);
     }
+  } else {
+    userId = createData!.user.id;
+    console.log(`  Created user ${email} (user: ${userId})`);
   }
 
-  // Sign in to get a valid session
-  // Use a separate client with the publishable/anon key for sign-in (if available)
-  const signInClient =
-    anonKey && anonKey !== secretKey
-      ? createClient(supabaseUrl!, anonKey, {
-          auth: { autoRefreshToken: false, persistSession: false },
-        })
-      : supabase;
-
-  const { data: signInData, error: signInError } =
-    await signInClient.auth.signInWithPassword({ email, password });
-
-  if (signInError || !signInData.session) {
-    console.error(
-      `  Failed to sign in as ${email}: ${signInError?.message || 'no session returned'}`,
-    );
-    process.exit(1);
-  }
-
-  const userId = signInData.user.id;
-  console.log(`  Signed in as ${email} (user: ${userId})`);
-
-  // Use the REAL JWT from Supabase sign-in for the session cookie so auth
-  // works immediately against the real Supabase API. The externalApis below
-  // provide a fallback for when the CLI supports preload-based auth
-  // interception (no real Supabase calls needed at render time).
-  const fakeJwt = buildFakeJwt(userId, email);
-  const userResponse = buildUserResponse(signInData.user);
+  // Build synthetic JWT and mock responses — no real sign-in needed.
+  // The preload module intercepts server-side getUser() calls so Next.js
+  // middleware returns the mock user without hitting real Supabase.
+  const fakeJwt = buildFakeJwt(userId!, email);
+  const userResponse = buildUserResponse({ id: userId!, email });
 
   const projectRef = getProjectRef();
   const sessionOutput = {
@@ -281,19 +273,16 @@ async function handleAuth(auth: {
       {
         name: `sb-${projectRef}-auth-token`,
         value: JSON.stringify({
-          access_token: signInData.session.access_token,
-          refresh_token: signInData.session.refresh_token,
+          access_token: fakeJwt,
+          refresh_token: 'codeyam-mock-refresh-token',
           token_type: 'bearer',
-          expires_in: signInData.session.expires_in,
-          expires_at: signInData.session.expires_at,
+          expires_in: 315360000,
+          expires_at: 9999999999,
         }),
         path: '/',
         sameSite: 'Lax' as const,
       },
     ],
-    // External API mocks — when the CLI supports propagating these, the
-    // preload module will intercept server-side getUser() calls so Next.js
-    // middleware returns the mock user without hitting real Supabase.
     externalApis: {
       [`${supabaseUrl}/auth/v1/user`]: {
         body: userResponse,
@@ -319,7 +308,7 @@ async function handleAuth(auth: {
   fs.writeFileSync(outputPath, JSON.stringify(sessionOutput, null, 2));
   console.log(`  Session cookies + auth mocks written to ${outputPath}`);
 
-  return userId;
+  return userId!;
 }
 
 /**
@@ -358,7 +347,7 @@ async function main() {
   // in seed data (e.g. for user_id foreign key columns with Supabase RLS)
   if (auth) {
     const userId = await handleAuth(
-      auth as { email: string; password: string },
+      auth as { email: string; password?: string },
     );
     seed = replaceAuthPlaceholders(seed, userId);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@codeyam/codeyam-cli",
-  "version": "0.1.28",
+  "version": "0.1.30",
   "description": "Local development CLI for CodeYam analysis",
   "type": "module",
   "bin": {