npm - @donkeylabs/cli - Versions diffs - 1.1.15 → 1.1.17 - Mend

@donkeylabs/cli 1.1.15 → 1.1.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/templates/sveltekit-app/src/server/plugins/permissions/migrations/001_create_tenants.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import type { Kysely } from "kysely";
+export async function up(db: Kysely<any>): Promise<void> {
+  // Tenants table
+  await db.schema
+    .createTable("tenants")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("name", "text", (col) => col.notNull())
+    .addColumn("slug", "text", (col) => col.notNull().unique())
+    .addColumn("settings", "text") // JSON
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .addColumn("updated_at", "text", (col) => col.notNull())
+    .execute();
+  await db.schema
+    .createIndex("idx_tenants_slug")
+    .ifNotExists()
+    .on("tenants")
+    .column("slug")
+    .execute();
+  // Tenant members table
+  await db.schema
+    .createTable("tenant_members")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("tenant_id", "text", (col) =>
+      col.notNull().references("tenants.id").onDelete("cascade")
+    )
+    .addColumn("user_id", "text", (col) =>
+      col.notNull().references("users.id").onDelete("cascade")
+    )
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .execute();
+  await db.schema
+    .createIndex("idx_tenant_members_tenant_id")
+    .ifNotExists()
+    .on("tenant_members")
+    .column("tenant_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_tenant_members_user_id")
+    .ifNotExists()
+    .on("tenant_members")
+    .column("user_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_tenant_members_unique")
+    .ifNotExists()
+    .on("tenant_members")
+    .columns(["tenant_id", "user_id"])
+    .unique()
+    .execute();
+}
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("tenant_members").ifExists().execute();
+  await db.schema.dropTable("tenants").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/plugins/permissions/migrations/002_create_roles.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import type { Kysely } from "kysely";
+export async function up(db: Kysely<any>): Promise<void> {
+  // Roles table
+  await db.schema
+    .createTable("roles")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("tenant_id", "text", (col) =>
+      col.references("tenants.id").onDelete("cascade")
+    ) // null = global role
+    .addColumn("name", "text", (col) => col.notNull())
+    .addColumn("description", "text")
+    .addColumn("permissions", "text", (col) => col.notNull().defaultTo("[]")) // JSON array
+    .addColumn("inherits_from", "text", (col) =>
+      col.references("roles.id").onDelete("set null")
+    )
+    .addColumn("is_default", "integer", (col) => col.notNull().defaultTo(0))
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .addColumn("updated_at", "text", (col) => col.notNull())
+    .execute();
+  await db.schema
+    .createIndex("idx_roles_tenant_id")
+    .ifNotExists()
+    .on("roles")
+    .column("tenant_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_roles_name_tenant")
+    .ifNotExists()
+    .on("roles")
+    .columns(["tenant_id", "name"])
+    .execute();
+  // User roles table
+  await db.schema
+    .createTable("user_roles")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("user_id", "text", (col) =>
+      col.notNull().references("users.id").onDelete("cascade")
+    )
+    .addColumn("role_id", "text", (col) =>
+      col.notNull().references("roles.id").onDelete("cascade")
+    )
+    .addColumn("tenant_id", "text", (col) =>
+      col.notNull().references("tenants.id").onDelete("cascade")
+    )
+    .addColumn("assigned_by", "text", (col) =>
+      col.references("users.id").onDelete("set null")
+    )
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .execute();
+  await db.schema
+    .createIndex("idx_user_roles_user_id")
+    .ifNotExists()
+    .on("user_roles")
+    .column("user_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_user_roles_role_id")
+    .ifNotExists()
+    .on("user_roles")
+    .column("role_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_user_roles_tenant_id")
+    .ifNotExists()
+    .on("user_roles")
+    .column("tenant_id")
+    .execute();
+  await db.schema
+    .createIndex("idx_user_roles_unique")
+    .ifNotExists()
+    .on("user_roles")
+    .columns(["user_id", "role_id", "tenant_id"])
+    .unique()
+    .execute();
+}
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("user_roles").ifExists().execute();
+  await db.schema.dropTable("roles").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/plugins/permissions/migrations/003_create_resource_grants.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import type { Kysely } from "kysely";
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable("resource_grants")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("tenant_id", "text", (col) =>
+      col.notNull().references("tenants.id").onDelete("cascade")
+    )
+    .addColumn("resource_type", "text", (col) => col.notNull())
+    .addColumn("resource_id", "text", (col) => col.notNull())
+    .addColumn("grantee_type", "text", (col) => col.notNull()) // "user" | "role"
+    .addColumn("grantee_id", "text", (col) => col.notNull())
+    .addColumn("permissions", "text", (col) => col.notNull().defaultTo("[]")) // JSON array
+    .addColumn("granted_by", "text", (col) =>
+      col.references("users.id").onDelete("set null")
+    )
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .execute();
+  // Index for looking up grants by resource
+  await db.schema
+    .createIndex("idx_resource_grants_resource")
+    .ifNotExists()
+    .on("resource_grants")
+    .columns(["tenant_id", "resource_type", "resource_id"])
+    .execute();
+  // Index for looking up grants by grantee
+  await db.schema
+    .createIndex("idx_resource_grants_grantee")
+    .ifNotExists()
+    .on("resource_grants")
+    .columns(["tenant_id", "grantee_type", "grantee_id"])
+    .execute();
+  // Unique constraint: one grant per resource+grantee combination
+  await db.schema
+    .createIndex("idx_resource_grants_unique")
+    .ifNotExists()
+    .on("resource_grants")
+    .columns(["tenant_id", "resource_type", "resource_id", "grantee_type", "grantee_id"])
+    .unique()
+    .execute();
+}
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("resource_grants").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/routes/permissions/index.ts ADDED Viewed

@@ -0,0 +1,248 @@
+/**
+ * Permissions Routes - Client-side permission checking
+ *
+ * These routes allow the frontend to check permissions for UI locking.
+ */
+import { createRouter, defineRoute } from "@donkeylabs/server";
+import { z } from "zod";
+const permissions = createRouter("permissions");
+/**
+ * Get current user's permission context for a tenant
+ * Returns roles and all static permissions
+ */
+permissions.route("context").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+    }),
+    output: z.object({
+      tenantId: z.string(),
+      roles: z.array(z.object({
+        id: z.string(),
+        name: z.string(),
+      })),
+      permissions: z.array(z.string()),
+    }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      return ctx.plugins.permissions.getClientContext(ctx.user.id, input.tenantId);
+    },
+  })
+);
+/**
+ * Check if user has specific static permissions
+ * Returns a map of permission -> boolean
+ */
+permissions.route("check").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      permissions: z.array(z.string()),
+    }),
+    output: z.record(z.string(), z.boolean()),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      const results: Record<string, boolean> = {};
+      for (const permission of input.permissions) {
+        results[permission] = await ctx.plugins.permissions.hasPermission(
+          ctx.user.id,
+          input.tenantId,
+          permission
+        );
+      }
+      return results;
+    },
+  })
+);
+/**
+ * Check if user can access specific resources
+ * Returns a map of "resourceType:resourceId:action" -> boolean
+ */
+permissions.route("canAccess").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      checks: z.array(z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        action: z.enum(["create", "read", "write", "delete", "admin"]),
+        ownerId: z.string().optional(), // For owner check
+      })),
+    }),
+    output: z.record(z.string(), z.boolean()),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      const results: Record<string, boolean> = {};
+      for (const check of input.checks) {
+        const key = `${check.resourceType}:${check.resourceId}:${check.action}`;
+        results[key] = await ctx.plugins.permissions.canAccess(
+          ctx.user.id,
+          input.tenantId,
+          check.resourceType,
+          check.resourceId,
+          check.action,
+          check.ownerId
+        );
+      }
+      return results;
+    },
+  })
+);
+/**
+ * Get all grants for a specific resource
+ * Useful for showing "shared with" UI
+ */
+permissions.route("grants").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+    }),
+    output: z.array(z.object({
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])),
+    })),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      // Check if user can admin this resource (to see grants)
+      const canAdmin = await ctx.plugins.permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot view grants for this resource");
+      }
+      return ctx.plugins.permissions.getResourceGrants(
+        input.tenantId,
+        input.resourceType,
+        input.resourceId
+      );
+    },
+  })
+);
+/**
+ * Grant access to a resource
+ */
+permissions.route("grant").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      // Check if user can admin this resource
+      const canAdmin = await ctx.plugins.permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot grant access to this resource");
+      }
+      await ctx.plugins.permissions.grantAccess({
+        tenantId: input.tenantId,
+        resourceType: input.resourceType,
+        resourceId: input.resourceId,
+        granteeType: input.granteeType,
+        granteeId: input.granteeId,
+        permissions: input.permissions,
+        grantedBy: ctx.user.id,
+      });
+      return { success: true };
+    },
+  })
+);
+/**
+ * Revoke access to a resource
+ */
+permissions.route("revoke").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])).optional(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+      // Check if user can admin this resource
+      const canAdmin = await ctx.plugins.permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot revoke access to this resource");
+      }
+      await ctx.plugins.permissions.revokeAccess({
+        tenantId: input.tenantId,
+        resourceType: input.resourceType,
+        resourceId: input.resourceId,
+        granteeType: input.granteeType,
+        granteeId: input.granteeId,
+        permissions: input.permissions,
+      });
+      return { success: true };
+    },
+  })
+);
+export { permissions as permissionsRouter };