@donkeylabs/cli 1.1.16 → 1.1.18

package/templates/sveltekit-app/src/server/routes/auth/handlers/refresh.handler.ts

@@ -1,14 +1,12 @@
-import type { Handler, Routes, AppContext } from "$server/api";
-
 /**
  * Refresh Handler - Get new access token using refresh token
  * Only available with refresh-token strategy
  */
-export class RefreshHandler implements Handler<Routes.Auth.Refresh> {
-  constructor(private ctx: AppContext) {}
+export class RefreshHandler {
+  constructor(private ctx: any) {}
 
-  async handle(input: Routes.Auth.Refresh.Input): Promise<Routes.Auth.Refresh.Output> {
-    const tokens = await this.ctx.plugins.auth.refresh(input.refreshToken);
+  async handle(input: { refreshToken: string }) {
+    const tokens = await (this.ctx.plugins as any).auth.refresh(input.refreshToken);
 
     return {
       accessToken: tokens.accessToken,

package/templates/sveltekit-app/src/server/routes/auth/handlers/register.handler.ts

@@ -1,13 +1,11 @@
-import type { Handler, Routes, AppContext } from "$server/api";
-
 /**
  * Register Handler - Create a new user account
  */
-export class RegisterHandler implements Handler<Routes.Auth.Register> {
-  constructor(private ctx: AppContext) {}
+export class RegisterHandler {
+  constructor(private ctx: any) {}
 
-  async handle(input: Routes.Auth.Register.Input): Promise<Routes.Auth.Register.Output> {
-    const result = await this.ctx.plugins.auth.register({
+  async handle(input: { email: string; password: string; name: string }) {
+    const result = await (this.ctx.plugins as any).auth.register({
       email: input.email,
       password: input.password,
       name: input.name,

package/templates/sveltekit-app/src/server/routes/auth/handlers/update-profile.handler.ts

@@ -1,20 +1,17 @@
-import type { Handler, Routes, AppContext } from "$server/api";
-
 /**
  * Update Profile Handler - Update current user's profile
  */
-export class UpdateProfileHandler implements Handler<Routes.Auth.UpdateProfile> {
-  constructor(private ctx: AppContext) {}
+export class UpdateProfileHandler {
+  constructor(private ctx: any) {}
 
-  async handle(input: Routes.Auth.UpdateProfile.Input): Promise<Routes.Auth.UpdateProfile.Output> {
-    // Get user from request context (set by auth middleware)
-    const user = (this.ctx as any).user;
+  async handle(input: { name?: string; email?: string }) {
+    const user = this.ctx.user;
 
     if (!user) {
       throw this.ctx.errors.Unauthorized("Not authenticated");
     }
 
-    const updated = await this.ctx.plugins.auth.updateProfile(user.id, {
+    const updated = await (this.ctx.plugins as any).auth.updateProfile(user.id, {
       name: input.name,
       email: input.email,
     });

package/templates/sveltekit-app/src/server/routes/auth/index.ts

@@ -5,9 +5,9 @@
  * - auth.register - Create new account
  * - auth.login - Login and get tokens
  * - auth.refresh - Refresh access token (refresh-token strategy only)
- * - auth.logout - Invalidate session/token (requires auth)
- * - auth.me - Get current user (optional auth)
- * - auth.updateProfile - Update profile (requires auth)
+ * - auth.logout - Invalidate session/token
+ * - auth.me - Get current user
+ * - auth.updateProfile - Update profile
  */
 
 import { createRouter } from "@donkeylabs/server";
@@ -51,22 +51,21 @@ export const authRouter = createRouter("auth")
     handle: RefreshHandler,
   })
 
-  // Optional auth - returns user if logged in, null otherwise
-  .middleware.auth({ required: false })
+  // Get current user (returns null if not authenticated)
   .route("me").typed({
     input: z.object({}),
     output: userSchema.nullable(),
     handle: MeHandler,
   })
 
-  // Protected routes - require authentication
-  .middleware.auth({ required: true })
+  // Logout (invalidate session/token)
   .route("logout").typed({
     input: z.object({}),
     output: logoutResponseSchema,
     handle: LogoutHandler,
   })
 
+  // Update profile
   .route("updateProfile").typed({
     input: updateProfileSchema,
     output: userSchema,

package/templates/sveltekit-app/src/server/routes/example/handlers/greet.handler.ts

@@ -1,15 +1,13 @@
-import type { Handler, Routes, AppContext } from "$server/api";
-
 /**
  * Greet Handler
  *
  * Example handler demonstrating the feature module pattern.
  * Business logic lives directly in the handler - no separate model layer needed.
  */
-export class GreetHandler implements Handler<Routes.Example.Greet> {
-  constructor(private ctx: AppContext) {}
+export class GreetHandler {
+  constructor(private ctx: any) {}
 
-  handle(input: Routes.Example.Greet.Input): Routes.Example.Greet.Output {
+  handle(input: { name: string; formal?: boolean }) {
     // Business logic directly in handler
     const greeting = input.formal
       ? `Good day, ${input.name}. How may I assist you?`

package/templates/sveltekit-app/src/server/routes/permissions/index.ts

@@ -0,0 +1,248 @@
+/**
+ * Permissions Routes - Client-side permission checking
+ *
+ * These routes allow the frontend to check permissions for UI locking.
+ */
+
+import { createRouter, defineRoute } from "@donkeylabs/server";
+import { z } from "zod";
+
+const permissions = createRouter("permissions");
+
+/**
+ * Get current user's permission context for a tenant
+ * Returns roles and all static permissions
+ */
+permissions.route("context").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+    }),
+    output: z.object({
+      tenantId: z.string(),
+      roles: z.array(z.object({
+        id: z.string(),
+        name: z.string(),
+      })),
+      permissions: z.array(z.string()),
+    }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      return (ctx.plugins as any).permissions.getClientContext(ctx.user.id, input.tenantId);
+    },
+  })
+);
+
+/**
+ * Check if user has specific static permissions
+ * Returns a map of permission -> boolean
+ */
+permissions.route("check").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      permissions: z.array(z.string()),
+    }),
+    output: z.record(z.string(), z.boolean()),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      const results: Record<string, boolean> = {};
+
+      for (const permission of input.permissions) {
+        results[permission] = await (ctx.plugins as any).permissions.hasPermission(
+          ctx.user.id,
+          input.tenantId,
+          permission
+        );
+      }
+
+      return results;
+    },
+  })
+);
+
+/**
+ * Check if user can access specific resources
+ * Returns a map of "resourceType:resourceId:action" -> boolean
+ */
+permissions.route("canAccess").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      checks: z.array(z.object({
+        resourceType: z.string(),
+        resourceId: z.string(),
+        action: z.enum(["create", "read", "write", "delete", "admin"]),
+        ownerId: z.string().optional(), // For owner check
+      })),
+    }),
+    output: z.record(z.string(), z.boolean()),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      const results: Record<string, boolean> = {};
+
+      for (const check of input.checks) {
+        const key = `${check.resourceType}:${check.resourceId}:${check.action}`;
+        results[key] = await (ctx.plugins as any).permissions.canAccess(
+          ctx.user.id,
+          input.tenantId,
+          check.resourceType,
+          check.resourceId,
+          check.action,
+          check.ownerId
+        );
+      }
+
+      return results;
+    },
+  })
+);
+
+/**
+ * Get all grants for a specific resource
+ * Useful for showing "shared with" UI
+ */
+permissions.route("grants").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+    }),
+    output: z.array(z.object({
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])),
+    })),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check if user can admin this resource (to see grants)
+      const canAdmin = await (ctx.plugins as any).permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot view grants for this resource");
+      }
+
+      return (ctx.plugins as any).permissions.getResourceGrants(
+        input.tenantId,
+        input.resourceType,
+        input.resourceId
+      );
+    },
+  })
+);
+
+/**
+ * Grant access to a resource
+ */
+permissions.route("grant").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check if user can admin this resource
+      const canAdmin = await (ctx.plugins as any).permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot grant access to this resource");
+      }
+
+      await (ctx.plugins as any).permissions.grantAccess({
+        tenantId: input.tenantId,
+        resourceType: input.resourceType,
+        resourceId: input.resourceId,
+        granteeType: input.granteeType,
+        granteeId: input.granteeId,
+        permissions: input.permissions,
+        grantedBy: ctx.user.id,
+      });
+
+      return { success: true };
+    },
+  })
+);
+
+/**
+ * Revoke access to a resource
+ */
+permissions.route("revoke").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      resourceType: z.string(),
+      resourceId: z.string(),
+      granteeType: z.enum(["user", "role"]),
+      granteeId: z.string(),
+      permissions: z.array(z.enum(["create", "read", "write", "delete", "admin"])).optional(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check if user can admin this resource
+      const canAdmin = await (ctx.plugins as any).permissions.canAccess(
+        ctx.user.id,
+        input.tenantId,
+        input.resourceType,
+        input.resourceId,
+        "admin"
+      );
+
+      if (!canAdmin) {
+        throw ctx.errors.Forbidden("Cannot revoke access to this resource");
+      }
+
+      await (ctx.plugins as any).permissions.revokeAccess({
+        tenantId: input.tenantId,
+        resourceType: input.resourceType,
+        resourceId: input.resourceId,
+        granteeType: input.granteeType,
+        granteeId: input.granteeId,
+        permissions: input.permissions,
+      });
+
+      return { success: true };
+    },
+  })
+);
+
+export { permissions as permissionsRouter };

package/templates/sveltekit-app/src/server/routes/tenants/index.ts

@@ -0,0 +1,339 @@
+/**
+ * Tenants Routes - Multi-tenant management
+ */
+
+import { createRouter, defineRoute } from "@donkeylabs/server";
+import { z } from "zod";
+
+const tenants = createRouter("tenants");
+
+/**
+ * Get all tenants the current user is a member of
+ */
+tenants.route("mine").typed(
+  defineRoute({
+    input: z.object({}),
+    output: z.array(z.object({
+      id: z.string(),
+      name: z.string(),
+      slug: z.string(),
+      settings: z.record(z.string(), z.unknown()).nullable(),
+    })),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      return (ctx.plugins as any).permissions.getUserTenants(ctx.user.id);
+    },
+  })
+);
+
+/**
+ * Create a new tenant (user becomes owner/admin)
+ */
+tenants.route("create").typed(
+  defineRoute({
+    input: z.object({
+      name: z.string().min(1).max(100),
+      slug: z.string().min(1).max(50).regex(/^[a-z0-9-]+$/, "Slug must be lowercase alphanumeric with hyphens"),
+      settings: z.record(z.string(), z.unknown()).optional(),
+    }),
+    output: z.object({
+      id: z.string(),
+      name: z.string(),
+      slug: z.string(),
+      settings: z.record(z.string(), z.unknown()).nullable(),
+    }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check if slug is taken
+      const existing = await (ctx.plugins as any).permissions.getTenantBySlug(input.slug);
+      if (existing) {
+        throw ctx.errors.BadRequest("Tenant slug already taken");
+      }
+
+      return (ctx.plugins as any).permissions.createTenant({
+        name: input.name,
+        slug: input.slug,
+        ownerId: ctx.user.id,
+        settings: input.settings,
+      });
+    },
+  })
+);
+
+/**
+ * Get tenant by ID
+ */
+tenants.route("get").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+    }),
+    output: z.object({
+      id: z.string(),
+      name: z.string(),
+      slug: z.string(),
+      settings: z.record(z.string(), z.unknown()).nullable(),
+    }).nullable(),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Verify membership
+      const isMember = await (ctx.plugins as any).permissions.isTenantMember(ctx.user.id, input.tenantId);
+      if (!isMember) {
+        throw ctx.errors.Forbidden("Not a member of this tenant");
+      }
+
+      return (ctx.plugins as any).permissions.getTenant(input.tenantId);
+    },
+  })
+);
+
+/**
+ * Get tenant roles
+ */
+tenants.route("roles").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+    }),
+    output: z.array(z.object({
+      id: z.string(),
+      name: z.string(),
+      description: z.string().nullable(),
+      permissions: z.array(z.string()),
+      inheritsFrom: z.string().nullable(),
+      isDefault: z.boolean(),
+    })),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Verify membership
+      const isMember = await (ctx.plugins as any).permissions.isTenantMember(ctx.user.id, input.tenantId);
+      if (!isMember) {
+        throw ctx.errors.Forbidden("Not a member of this tenant");
+      }
+
+      const roles = await (ctx.plugins as any).permissions.getTenantRoles(input.tenantId);
+      return roles.map((r: any) => ({
+        id: r.id,
+        name: r.name,
+        description: r.description,
+        permissions: r.permissions,
+        inheritsFrom: r.inheritsFrom,
+        isDefault: r.isDefault,
+      }));
+    },
+  })
+);
+
+/**
+ * Create a role in a tenant
+ */
+tenants.route("createRole").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      name: z.string().min(1).max(50),
+      description: z.string().max(200).optional(),
+      permissions: z.array(z.string()),
+      inheritsFrom: z.string().optional(),
+      isDefault: z.boolean().optional(),
+    }),
+    output: z.object({
+      id: z.string(),
+      name: z.string(),
+      description: z.string().nullable(),
+      permissions: z.array(z.string()),
+      inheritsFrom: z.string().nullable(),
+      isDefault: z.boolean(),
+    }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check admin permission
+      const hasAdmin = await (ctx.plugins as any).permissions.hasPermission(
+        ctx.user.id,
+        input.tenantId,
+        "roles.manage"
+      );
+      if (!hasAdmin) {
+        throw ctx.errors.Forbidden("Cannot manage roles");
+      }
+
+      const role = await (ctx.plugins as any).permissions.createRole({
+        tenantId: input.tenantId,
+        name: input.name,
+        description: input.description,
+        permissions: input.permissions,
+        inheritsFrom: input.inheritsFrom,
+        isDefault: input.isDefault,
+      });
+
+      return {
+        id: role.id,
+        name: role.name,
+        description: role.description,
+        permissions: role.permissions,
+        inheritsFrom: role.inheritsFrom,
+        isDefault: role.isDefault,
+      };
+    },
+  })
+);
+
+/**
+ * Invite user to tenant (add as member)
+ */
+tenants.route("addMember").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      userId: z.string(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check permission
+      const canInvite = await (ctx.plugins as any).permissions.hasPermission(
+        ctx.user.id,
+        input.tenantId,
+        "members.invite"
+      );
+      if (!canInvite) {
+        throw ctx.errors.Forbidden("Cannot invite members");
+      }
+
+      await (ctx.plugins as any).permissions.addTenantMember(
+        input.tenantId,
+        input.userId,
+        ctx.user.id
+      );
+
+      return { success: true };
+    },
+  })
+);
+
+/**
+ * Remove user from tenant
+ */
+tenants.route("removeMember").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      userId: z.string(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check permission
+      const canRemove = await (ctx.plugins as any).permissions.hasPermission(
+        ctx.user.id,
+        input.tenantId,
+        "members.remove"
+      );
+      if (!canRemove) {
+        throw ctx.errors.Forbidden("Cannot remove members");
+      }
+
+      await (ctx.plugins as any).permissions.removeTenantMember(input.tenantId, input.userId);
+
+      return { success: true };
+    },
+  })
+);
+
+/**
+ * Assign role to user
+ */
+tenants.route("assignRole").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      userId: z.string(),
+      roleId: z.string(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check permission
+      const canManage = await (ctx.plugins as any).permissions.hasPermission(
+        ctx.user.id,
+        input.tenantId,
+        "roles.assign"
+      );
+      if (!canManage) {
+        throw ctx.errors.Forbidden("Cannot assign roles");
+      }
+
+      await (ctx.plugins as any).permissions.assignRole(
+        input.userId,
+        input.roleId,
+        input.tenantId,
+        ctx.user.id
+      );
+
+      return { success: true };
+    },
+  })
+);
+
+/**
+ * Revoke role from user
+ */
+tenants.route("revokeRole").typed(
+  defineRoute({
+    input: z.object({
+      tenantId: z.string(),
+      userId: z.string(),
+      roleId: z.string(),
+    }),
+    output: z.object({ success: z.boolean() }),
+    handle: async (input, ctx) => {
+      if (!ctx.user?.id) {
+        throw ctx.errors.Unauthorized("Authentication required");
+      }
+
+      // Check permission
+      const canManage = await (ctx.plugins as any).permissions.hasPermission(
+        ctx.user.id,
+        input.tenantId,
+        "roles.assign"
+      );
+      if (!canManage) {
+        throw ctx.errors.Forbidden("Cannot revoke roles");
+      }
+
+      await (ctx.plugins as any).permissions.revokeRole(
+        input.userId,
+        input.roleId,
+        input.tenantId
+      );
+
+      return { success: true };
+    },
+  })
+);
+
+export { tenants as tenantsRouter };