@codeyam/codeyam-cli 0.1.29 → 0.1.31

package/codeyam-cli/templates/codeyam-editor-gemini.md

@@ -0,0 +1,59 @@
+# CodeYam Editor Project (Gemini)
+
+This project is being built with CodeYam's Code + Data Editor. The core principle is **code and data are developed together** — every component should have scenario data that drives what it renders.
+
+## Architecture: Components + Scenarios
+
+### Component Structure
+
+Build with a clear component hierarchy so individual components can be previewed in isolation:
+
+```
+app/
+  components/
+    Dashboard.tsx        ← page-level component
+    TaskList.tsx         ← displays a list, gets data from API or props
+    TaskCard.tsx         ← single item, pure props
+    EmptyState.tsx       ← shown when no data
+```
+
+### Scenarios
+
+A **scenario** is a named set of data that drives how the app renders. Scenarios exist at two levels:
+
+- **App-level scenarios**: Full application state.
+- **Component-level scenarios**: Props for a single component in isolation.
+
+**Always register scenarios with CodeYam** using the CLI:
+
+```bash
+codeyam editor register @.codeyam/tmp/scenario.json
+```
+
+**To list existing scenarios:** `codeyam editor scenarios`
+
+## Workflow
+
+1. Build a component
+2. Create scenarios with rich, realistic data.
+3. Register the scenarios with CodeYam.
+4. Preview each scenario to verify the component handles all states.
+5. Repeat for the next component.
+
+## Key Conventions
+
+- Component files go in `app/components/` (or `src/components/`)
+- One component per file, default export.
+- Components accept props that can be provided by scenarios.
+
+## AI Handoff
+
+Since you are working in an AI-assisted workflow, you must maintain a handoff summary for other AI agents (or yourself in a later session).
+
+**At the end of every step, update the handoff summary:**
+
+```bash
+codeyam editor handoff '{"summary": "Built the X component and registered 3 scenarios. Ready to start on Y."}'
+```
+
+This summary will be displayed when starting a new session or switching between AI providers (Claude <-> Gemini).

package/codeyam-cli/templates/nextjs-prisma-sqlite/gitignore

@@ -55,6 +55,7 @@ dev.db-journal
 .codeyam/editor-user-prompt.txt
 .codeyam/editor-mode-context.md
 .codeyam/dev-mode-context.md
+.codeyam/handoff-context.md
 .codeyam/logs/
 .codeyam/llm-calls/
 .codeyam/captures/

package/codeyam-cli/templates/seed-adapters/supabase.ts

@@ -10,28 +10,39 @@
  *   "tableName": [{ "column": "value", ... }, ...],
  *   "_auth": {                          // optional
  *     "email": "alice@example.com",
- *     "password": "test123"
+ *     "password": "test123"             // optional — default used if omitted
  *   }
  * }
  *
  * When _auth is present, the adapter:
  * 1. Creates the user if they don't exist (auto-confirms email)
- * 2. Signs in with signInWithPassword to get a valid session
- * 3. Writes session cookies to .codeyam/tmp/seed-session.json
+ * 2. Builds a synthetic JWT with far-future expiry (no real sign-in needed)
+ * 3. Writes session cookies + auth mocks to .codeyam/tmp/seed-session.json
  *    so the CodeYam proxy can inject them into the browser
  *
+ * The password field is optional — if omitted, a default dev password is used.
+ * No real JWTs are stored; the preload module intercepts all auth API calls.
+ *
+ * Data operations use direct PostgreSQL (pg) for speed — TRUNCATE CASCADE
+ * and batched INSERT are ~2x faster than individual PostgREST HTTP calls.
+ *
  * Requirements:
+ * - DATABASE_URL env var with a PostgreSQL connection string (session pooler recommended)
  * - A Supabase project URL (https://<ref>.supabase.co) in any env var
  * - A secret key (sb_secret_... or legacy eyJ... service_role JWT) in any env var
  *
- * The adapter scans ALL env vars by value pattern — no specific naming required.
+ * The adapter scans ALL env vars by value pattern for Supabase URL and secret key —
+ * no specific naming required. DATABASE_URL must be set explicitly.
  */
 
 import { createClient } from '@supabase/supabase-js';
 import { Prisma } from '@prisma/client';
+import pg from 'pg';
 import * as fs from 'fs';
 import * as path from 'path';
 
+const { Client } = pg;
+
 /**
  * Scan all env vars for values matching a pattern.
  * Returns ALL unique matches (not just the first) so callers can disambiguate.
@@ -66,7 +77,6 @@ const supabaseUrl = findAllEnvByPattern(
 
 // New-format keys are unambiguous by prefix
 const newSecretKey = findAllEnvByPattern(/^sb_secret_/)[0];
-const newAnonKey = findAllEnvByPattern(/^sb_publishable_/)[0];
 
 // Legacy JWT keys — disambiguate by decoding the role claim
 const legacyJwts = findAllEnvByPattern(
@@ -75,10 +85,8 @@ const legacyJwts = findAllEnvByPattern(
 const legacyServiceRole = legacyJwts.find(
   (jwt) => getJwtRole(jwt) === 'service_role',
 );
-const legacyAnon = legacyJwts.find((jwt) => getJwtRole(jwt) === 'anon');
 
 const secretKey = newSecretKey || legacyServiceRole;
-const anonKey = newAnonKey || legacyAnon;
 
 if (!supabaseUrl || !secretKey) {
   console.error(
@@ -93,7 +101,17 @@ if (!supabaseUrl || !secretKey) {
   process.exit(1);
 }
 
-// Admin client for user management (uses secret key to bypass RLS)
+// DATABASE_URL for direct PostgreSQL access (session pooler recommended for speed)
+const databaseUrl = process.env.DATABASE_URL;
+if (!databaseUrl || !databaseUrl.startsWith('postgresql://')) {
+  console.error('DATABASE_URL must be set to a PostgreSQL connection string.');
+  console.error(
+    'Use the session pooler connection string (port 5432) from your Supabase dashboard.',
+  );
+  process.exit(1);
+}
+
+// Admin client for user management only (uses secret key to bypass RLS)
 const supabase = createClient(supabaseUrl, secretKey, {
   auth: { autoRefreshToken: false, persistSession: false },
 });
@@ -112,7 +130,7 @@ function getProjectRef(): string {
 /**
  * Build a mapping from lowercased seed-data keys to actual PostgreSQL table names.
  * Prisma creates tables with the model name (PascalCase) unless @@map is used.
- * PostgREST requires the exact table name, so we need this translation.
+ * PostgreSQL requires the exact table name, so we need this translation.
  */
 function buildTableNameMap(): Record<string, string> {
   const map: Record<string, string> = {};
@@ -127,6 +145,25 @@ function buildTableNameMap(): Record<string, string> {
   return map;
 }
 
+/**
+ * Build column name mapping from Prisma field names to database column names.
+ * Prisma uses camelCase field names but generates snake_case columns unless @map is used.
+ */
+function buildColumnMap(tableName: string): Record<string, string> {
+  const map: Record<string, string> = {};
+  for (const model of Prisma.dmmf.datamodel.models) {
+    const dbName = (model as any).dbName || model.name;
+    if (dbName !== tableName) continue;
+    for (const field of model.fields) {
+      if (field.kind === 'object') continue; // Skip relation fields
+      const colName = (field as any).dbName || field.name;
+      map[field.name] = colName;
+    }
+    break;
+  }
+  return map;
+}
+
 async function seedTables(seed: Record<string, unknown[]>) {
   if (Object.keys(seed).length === 0) return;
 
@@ -134,7 +171,7 @@ async function seedTables(seed: Record<string, unknown[]>) {
 
   // Discover ALL models from the Prisma schema — not just the tables in the seed data.
   // This ensures FK-dependent tables are cleared even when the seed only contains
-  // the parent table's data. Every editor project has Prisma installed.
+  // the parent table's data.
   const allTables = Prisma.dmmf.datamodel.models.map(
     (m) => (m as any).dbName || m.name,
   );
@@ -143,34 +180,102 @@ async function seedTables(seed: Record<string, unknown[]>) {
     `Clearing ${allTables.length} tables, seeding: ${Object.keys(seed).join(', ')}`,
   );
 
-  // Clear ALL tables in reverse order (children before parents for FK safety)
-  for (const table of [...allTables].reverse()) {
-    const { error } = await supabase.from(table).delete().gte('id', 0);
-    if (error) {
-      const { error: error2 } = await supabase
-        .from(table)
-        .delete()
-        .not('id', 'is', null);
-      if (error2) {
-        console.warn(`  Could not clear ${table}: ${error2.message}`);
-      } else {
-        console.log(`  Cleared ${table}`);
+  const client = new Client({
+    connectionString: databaseUrl,
+    ssl: { rejectUnauthorized: false },
+  });
+  await client.connect();
+
+  try {
+    // TRUNCATE all tables in one statement — CASCADE handles FK dependencies
+    // automatically, so table order doesn't matter. Much faster than
+    // individual DELETE FROM queries via PostgREST.
+    const quoted = allTables.map((t) => `"${t}"`).join(', ');
+    await client.query(`TRUNCATE ${quoted} CASCADE`);
+    console.log(`  Cleared ${allTables.length} tables`);
+
+    // Reset auto-increment sequences so IDs start from 1 on each scenario switch.
+    // Without this, IDs keep climbing and hardcoded URLs like /drinks/1 break.
+    for (const table of allTables) {
+      try {
+        await client.query(
+          `SELECT setval(pg_get_serial_sequence('"${table}"', 'id'), 1, false)`,
+        );
+      } catch {
+        // Table may not have an 'id' serial column — skip
       }
-    } else {
-      console.log(`  Cleared ${table}`);
     }
+
+    // Insert seed data using batched INSERT for speed
+    for (const [seedKey, rows] of Object.entries(seed)) {
+      if (!Array.isArray(rows) || rows.length === 0) continue;
+      const table = tableMap[seedKey] || seedKey;
+      const columnMap = buildColumnMap(table);
+
+      // Get column names from the first row's keys, mapped to DB column names
+      const fieldNames = Object.keys(rows[0] as Record<string, unknown>);
+      const dbColumns = fieldNames.map((f) => columnMap[f] || f);
+      const quotedCols = dbColumns.map((c) => `"${c}"`).join(', ');
+
+      // Build parameterized VALUES clause for all rows at once
+      const params: unknown[] = [];
+      const valueClauses: string[] = [];
+      for (let i = 0; i < rows.length; i++) {
+        const row = rows[i] as Record<string, unknown>;
+        const placeholders: string[] = [];
+        for (const field of fieldNames) {
+          params.push(row[field]);
+          placeholders.push(`$${params.length}`);
+        }
+        valueClauses.push(`(${placeholders.join(', ')})`);
+      }
+
+      await client.query(
+        `INSERT INTO "${table}" (${quotedCols}) VALUES ${valueClauses.join(', ')}`,
+        params,
+      );
+      console.log(`  Seeded ${rows.length} rows into ${table}`);
+    }
+  } finally {
+    await client.end();
   }
+}
 
-  // Insert seed data — translate seed keys to actual table names
-  for (const [seedKey, rows] of Object.entries(seed)) {
-    if (!Array.isArray(rows) || rows.length === 0) continue;
-    const table = tableMap[seedKey] || seedKey;
-    const { error } = await supabase.from(table).insert(rows);
-    if (error) {
-      console.error(`  Failed to seed ${table}: ${error.message}`);
-      process.exit(1);
+/**
+ * Export mode: dump current database state to a JSON file.
+ * Used by CodeYam to save interactive changes back to scenario seed data.
+ *
+ * Usage: npx tsx .codeyam/seed-adapter.ts --export <output-path.json>
+ */
+async function exportData(outputPath: string) {
+  const tableMap = buildTableNameMap();
+  const modelNames = Prisma.dmmf.datamodel.models.map((m) => m.name);
+
+  const client = new Client({
+    connectionString: databaseUrl,
+    ssl: { rejectUnauthorized: false },
+  });
+  await client.connect();
+
+  try {
+    const seed: Record<string, unknown[]> = {};
+    for (const model of modelNames) {
+      const camelCase = model.charAt(0).toLowerCase() + model.slice(1);
+      const table = tableMap[camelCase] || model;
+      try {
+        const result = await client.query(`SELECT * FROM "${table}"`);
+        if (result.rows.length > 0) {
+          seed[camelCase] = result.rows;
+        }
+      } catch {
+        // Skip tables that can't be queried
+      }
     }
-    console.log(`  Seeded ${rows.length} rows into ${table}`);
+
+    fs.writeFileSync(outputPath, JSON.stringify(seed, null, 2));
+    console.log(`Exported ${Object.keys(seed).length} tables`);
+  } finally {
+    await client.end();
   }
 }
 
@@ -210,17 +315,25 @@ function buildUserResponse(user: { id: string; email?: string }) {
   };
 }
 
+const DEFAULT_AUTH_PASSWORD = 'codeyam-dev-password-123!';
+
 /**
- * Handle auth: create user, sign in, write session cookies.
+ * Handle auth: create user, build synthetic session, write session cookies.
  * Returns the user ID so callers can replace __AUTH_USER_ID__ placeholders in seed data.
+ *
+ * No real sign-in is performed — the session cookie uses a synthetic JWT with
+ * far-future expiry, and externalApis mocks intercept all Supabase auth API calls.
+ * This avoids storing real tokens (security risk + expiration) in scenario files.
  */
 async function handleAuth(auth: {
   email: string;
-  password: string;
+  password?: string;
 }): Promise<string> {
-  const { email, password } = auth;
+  const email = auth.email;
+  const password = auth.password || DEFAULT_AUTH_PASSWORD;
 
-  // Create user if they don't exist (auto-confirm email so sign-in works)
+  // Create user if they don't exist (auto-confirm email)
+  // We still need the auth.users row for PostgREST FK relationships.
   const { data: createData, error: createError } =
     await supabase.auth.admin.createUser({
       email,
@@ -228,52 +341,36 @@ async function handleAuth(auth: {
       email_confirm: true,
     });
 
+  let userId: string;
+
   if (createError) {
     if (createError.message.includes('already been registered')) {
-      // User exists — update their password so sign-in works even if the
-      // scenario specifies a different password than a previous run.
+      // User exists — look up their ID
       const { data: listData } = await supabase.auth.admin.listUsers();
       const existingUser = listData?.users?.find((u) => u.email === email);
       if (existingUser) {
-        await supabase.auth.admin.updateUserById(existingUser.id, {
-          password,
-        });
-        console.log(`  Updated password for existing user ${email}`);
+        userId = existingUser.id;
+        console.log(`  Found existing user ${email} (user: ${userId})`);
+      } else {
+        console.error(
+          `  User ${email} reported as registered but not found in listUsers`,
+        );
+        process.exit(1);
       }
     } else {
       console.error(`  Failed to create auth user: ${createError.message}`);
       process.exit(1);
     }
+  } else {
+    userId = createData!.user.id;
+    console.log(`  Created user ${email} (user: ${userId})`);
   }
 
-  // Sign in to get a valid session
-  // Use a separate client with the publishable/anon key for sign-in (if available)
-  const signInClient =
-    anonKey && anonKey !== secretKey
-      ? createClient(supabaseUrl!, anonKey, {
-          auth: { autoRefreshToken: false, persistSession: false },
-        })
-      : supabase;
-
-  const { data: signInData, error: signInError } =
-    await signInClient.auth.signInWithPassword({ email, password });
-
-  if (signInError || !signInData.session) {
-    console.error(
-      `  Failed to sign in as ${email}: ${signInError?.message || 'no session returned'}`,
-    );
-    process.exit(1);
-  }
-
-  const userId = signInData.user.id;
-  console.log(`  Signed in as ${email} (user: ${userId})`);
-
-  // Use the REAL JWT from Supabase sign-in for the session cookie so auth
-  // works immediately against the real Supabase API. The externalApis below
-  // provide a fallback for when the CLI supports preload-based auth
-  // interception (no real Supabase calls needed at render time).
-  const fakeJwt = buildFakeJwt(userId, email);
-  const userResponse = buildUserResponse(signInData.user);
+  // Build synthetic JWT and mock responses — no real sign-in needed.
+  // The preload module intercepts server-side getUser() calls so Next.js
+  // middleware returns the mock user without hitting real Supabase.
+  const fakeJwt = buildFakeJwt(userId!, email);
+  const userResponse = buildUserResponse({ id: userId!, email });
 
   const projectRef = getProjectRef();
   const sessionOutput = {
@@ -281,19 +378,16 @@ async function handleAuth(auth: {
       {
         name: `sb-${projectRef}-auth-token`,
         value: JSON.stringify({
-          access_token: signInData.session.access_token,
-          refresh_token: signInData.session.refresh_token,
+          access_token: fakeJwt,
+          refresh_token: 'codeyam-mock-refresh-token',
           token_type: 'bearer',
-          expires_in: signInData.session.expires_in,
-          expires_at: signInData.session.expires_at,
+          expires_in: 315360000,
+          expires_at: 9999999999,
         }),
         path: '/',
         sameSite: 'Lax' as const,
       },
     ],
-    // External API mocks — when the CLI supports propagating these, the
-    // preload module will intercept server-side getUser() calls so Next.js
-    // middleware returns the mock user without hitting real Supabase.
     externalApis: {
       [`${supabaseUrl}/auth/v1/user`]: {
         body: userResponse,
@@ -319,7 +413,7 @@ async function handleAuth(auth: {
   fs.writeFileSync(outputPath, JSON.stringify(sessionOutput, null, 2));
   console.log(`  Session cookies + auth mocks written to ${outputPath}`);
 
-  return userId;
+  return userId!;
 }
 
 /**
@@ -358,7 +452,7 @@ async function main() {
   // in seed data (e.g. for user_id foreign key columns with Supabase RLS)
   if (auth) {
     const userId = await handleAuth(
-      auth as { email: string; password: string },
+      auth as { email: string; password?: string },
     );
     seed = replaceAuthPlaceholders(seed, userId);
   }
@@ -368,7 +462,14 @@ async function main() {
   console.log('Seed complete');
 }
 
-main().catch((e) => {
-  console.error('Seed adapter error:', e);
-  process.exit(1);
-});
+if (process.argv[2] === '--export') {
+  exportData(process.argv[3]).catch((e) => {
+    console.error('Seed adapter export error:', e);
+    process.exit(1);
+  });
+} else {
+  main().catch((e) => {
+    console.error('Seed adapter error:', e);
+    process.exit(1);
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@codeyam/codeyam-cli",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "Local development CLI for CodeYam analysis",
   "type": "module",
   "bin": {