@donotdev/functions 0.0.12 → 0.0.13

package/src/supabase/crud/list.ts

@@ -22,7 +22,11 @@ import type {
   UserRole,
 } from '@donotdev/core/server';
 
-import { defaultFieldMapper } from '@donotdev/supabase';
+import {
+  createEntityAwareMapper,
+  defaultFieldMapper,
+  getEntityFieldNames,
+} from '@donotdev/supabase';
 
 import { DoNotDevError } from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
@@ -32,7 +36,9 @@ const mapper = defaultFieldMapper;
 
 /** Ensure we only pass strings to the mapper (entity listFields/ownership can be mis-typed at runtime). */
 function toBackendColumn(field: unknown): string {
-  return mapper.toBackendField(typeof field === 'string' ? field : String(field));
+  return mapper.toBackendField(
+    typeof field === 'string' ? field : String(field)
+  );
 }
 
 export interface ListEntityRequest {
@@ -58,7 +64,10 @@ function encodeCursor(id: string, orderBy: Record<string, any>): string {
 /**
  * Decode cursor for keyset pagination
  */
-function decodeCursor(cursor: string): { id: string; orderBy: Record<string, any> } {
+function decodeCursor(cursor: string): {
+  id: string;
+  orderBy: Record<string, any>;
+} {
   try {
     return JSON.parse(Buffer.from(cursor, 'base64').toString());
   } catch (error) {
@@ -132,7 +141,12 @@ export function createSupabaseListEntities(
   const requestSchema = v.object({
     where: v.optional(v.array(v.tuple([v.string(), v.any(), v.any()]))),
     orderBy: v.optional(
-      v.array(v.tuple([v.pipe(v.string(), v.minLength(1)), v.picklist(['asc', 'desc'])]))
+      v.array(
+        v.tuple([
+          v.pipe(v.string(), v.minLength(1)),
+          v.picklist(['asc', 'desc']),
+        ])
+      )
     ),
     limit: v.optional(v.pipe(v.number(), v.minValue(1))),
     startAfterId: v.optional(v.string()), // Offset-based (legacy)
@@ -149,18 +163,31 @@ export function createSupabaseListEntities(
     isListCard ? `listCard_${collection}` : `list_${collection}`,
     requestSchema,
     async (data: ListEntityRequest, ctx) => {
-      const { where = [], orderBy = [], limit = 50, startAfterId, startAfterCursor, search } = data;
+      const {
+        where = [],
+        orderBy = [],
+        limit = 50,
+        startAfterId,
+        startAfterCursor,
+        search,
+      } = data;
       const { userRole, uid, supabaseAdmin } = ctx;
 
       const isAdmin = hasRoleAccess(userRole, 'admin');
 
       // Build query - select fields (listFields + id + status, or *). Only use string entries (entity may be mis-typed).
-      const safeListFields = listFields?.filter((f): f is string => typeof f === 'string');
-      const selectFields = safeListFields && safeListFields.length > 0
-        ? safeListFields.map((f) => toBackendColumn(f)).join(', ') + ', id, status'
-        : '*';
-      
-      let query = supabaseAdmin.from(collection).select(selectFields, { count: 'exact' });
+      const safeListFields = listFields?.filter(
+        (f): f is string => typeof f === 'string'
+      );
+      const selectFields =
+        safeListFields && safeListFields.length > 0
+          ? safeListFields.map((f) => toBackendColumn(f)).join(', ') +
+            ', id, status'
+          : '*';
+
+      let query = supabaseAdmin
+        .from(collection)
+        .select(selectFields, { count: 'exact' });
 
       // Filter out hidden statuses for non-admin users
       if (!isAdmin) {
@@ -198,14 +225,20 @@ export function createSupabaseListEntities(
           );
         }
         // Escape SQL ILIKE wildcards to prevent wildcard injection
-        const escapedQuery = search.query.replace(/%/g, '\\%').replace(/_/g, '\\_');
+        const escapedQuery = search.query
+          .replace(/%/g, '\\%')
+          .replace(/_/g, '\\_');
         query = query.ilike(toBackendColumn(search.field), `%${escapedQuery}%`);
       }
 
       // Validate where clause fields against entity schema
       for (const [field, operator, value] of where) {
         if (safeListFields && safeListFields.length > 0) {
-          if (!safeListFields.includes(field) && field !== 'status' && field !== 'id') {
+          if (
+            !safeListFields.includes(field) &&
+            field !== 'status' &&
+            field !== 'id'
+          ) {
             throw new DoNotDevError(
               `Where field '${field}' is not allowed`,
               'invalid-argument'
@@ -220,9 +253,13 @@ export function createSupabaseListEntities(
         query = applyOperator(query, toBackendColumn(field), operator, value);
       }
 
-      const hasIdInOrderBy = orderBy.some(([field]) => toBackendColumn(field) === 'id');
+      const hasIdInOrderBy = orderBy.some(
+        ([field]) => toBackendColumn(field) === 'id'
+      );
       for (const [field, direction] of orderBy) {
-        query = query.order(toBackendColumn(field), { ascending: direction === 'asc' });
+        query = query.order(toBackendColumn(field), {
+          ascending: direction === 'asc',
+        });
       }
       // Add id as tiebreaker if not already in orderBy
       if (!hasIdInOrderBy && orderBy.length > 0) {
@@ -236,7 +273,7 @@ export function createSupabaseListEntities(
         useKeysetPagination = true;
         try {
           const cursor = decodeCursor(startAfterCursor);
-          
+
           if (orderBy.length === 0) {
             query = query.gt('id', cursor.id);
           } else {
@@ -271,12 +308,17 @@ export function createSupabaseListEntities(
       const { data: rows, error, count } = await query;
 
       if (error) {
-        throw new DoNotDevError(`Failed to list entities: ${error.message}`, 'internal');
+        throw new DoNotDevError(
+          `Failed to list entities: ${error.message}`,
+          'internal'
+        );
       }
 
       let items = (rows || []) as Record<string, any>[];
-      
-      // Filter out cursor item for keyset pagination
+
+      // Filter out cursor item for keyset pagination.
+      // Note: items are still raw DB rows here (pre-normalization), so mapper.toBackendField
+      // is correct for accessing backend column values. entityMapper is used later for normalization.
       if (useKeysetPagination && startAfterCursor && items.length > 0) {
         try {
           const cursor = decodeCursor(startAfterCursor);
@@ -320,11 +362,23 @@ export function createSupabaseListEntities(
         return value;
       };
 
-      const visibilityOptions = ownership && uid ? { uid, ownership } : undefined;
+      const visibilityOptions =
+        ownership && uid ? { uid, ownership } : undefined;
+
+      // Build entity-aware mapper from schema entries so fromBackendRow returns
+      // entity field names (not blind camelCase), matching filterVisibleFields expectations.
+      const entityFieldNames = getEntityFieldNames(documentSchema);
+      const entityMapper =
+        entityFieldNames.length > 0
+          ? createEntityAwareMapper(entityFieldNames)
+          : mapper;
 
       // Filter document fields based on visibility and user role
       const filteredItems = items.map((row) => {
-        const camelRow = mapper.fromBackendRow(row) as Record<string, any>;
+        const camelRow = entityMapper.fromBackendRow(row) as Record<
+          string,
+          any
+        >;
         const visibleData = filterVisibleFields(
           camelRow,
           documentSchema,
@@ -355,7 +409,7 @@ export function createSupabaseListEntities(
       });
 
       const hasMore = items.length === limit;
-      
+
       // Generate cursor for keyset pagination or offset for legacy
       let lastVisible: string | null = null;
       if (hasMore && filteredItems.length > 0) {

package/src/supabase/crud/update.ts

@@ -18,10 +18,7 @@ import { defaultFieldMapper } from '@donotdev/supabase';
 import { updateMetadata } from '../../shared/index.js';
 import { DoNotDevError, validateDocument } from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
-import {
-  checkIdempotency,
-  storeIdempotency,
-} from '../utils/idempotency.js';
+import { checkIdempotency, storeIdempotency } from '../utils/idempotency.js';
 
 const mapper = defaultFieldMapper;
 
@@ -68,7 +65,10 @@ async function checkUniqueKeys(
     // Build query excluding current document
     let query = supabaseAdmin.from(collection).select('*');
     for (const field of uniqueKey.fields) {
-      query = query.eq(mapper.toBackendField(field), normalizeValue(payload[field]));
+      query = query.eq(
+        mapper.toBackendField(field),
+        normalizeValue(payload[field])
+      );
     }
     query = query.neq('id', id);
 
@@ -139,7 +139,10 @@ export function createSupabaseUpdateEntity(
         throw new DoNotDevError('Entity not found', 'not-found');
       }
 
-      const merged = { ...(mapper.fromBackendRow(existing) as Record<string, any>), ...payload };
+      const merged = {
+        ...(mapper.fromBackendRow(existing) as Record<string, any>),
+        ...payload,
+      };
       const status = merged.status ?? existing.status;
       const isDraft = status === 'draft';
 
@@ -150,7 +153,14 @@ export function createSupabaseUpdateEntity(
       const uniqueKeys = schemaWithMeta.metadata?.uniqueKeys;
 
       if (uniqueKeys && uniqueKeys.length > 0) {
-        await checkUniqueKeys(collection, id, merged, uniqueKeys, isDraft, supabaseAdmin);
+        await checkUniqueKeys(
+          collection,
+          id,
+          merged,
+          uniqueKeys,
+          isDraft,
+          supabaseAdmin
+        );
       }
 
       // Validate merged document (skip for drafts)
@@ -159,9 +169,18 @@ export function createSupabaseUpdateEntity(
       }
 
       const metadata = updateMetadata(uid);
-      const snakeMetadata = mapper.toBackendKeys(metadata as Record<string, unknown>);
+      const snakeMetadata = mapper.toBackendKeys(
+        metadata as Record<string, unknown>
+      );
 
-      const { createdAt, updatedAt, created_at, updated_at, id: _id, ...payloadWithoutTimestamps } = payload;
+      const {
+        createdAt,
+        updatedAt,
+        created_at,
+        updated_at,
+        id: _id,
+        ...payloadWithoutTimestamps
+      } = payload;
       const snakePayload = mapper.toBackendKeys(payloadWithoutTimestamps);
 
       // Update document (DB sets updated_at via trigger)
@@ -176,7 +195,10 @@ export function createSupabaseUpdateEntity(
         .single();
 
       if (error) {
-        throw new DoNotDevError(`Failed to update entity: ${error.message}`, 'internal');
+        throw new DoNotDevError(
+          `Failed to update entity: ${error.message}`,
+          'internal'
+        );
       }
 
       const result = mapper.fromBackendRow(updated) as Record<string, any>;

package/src/supabase/helpers/authProvider.ts

@@ -28,10 +28,13 @@ import type { SupabaseClient } from '@supabase/supabase-js';
  * @version 0.0.1
  * @since 0.5.0
  */
-export function createSupabaseAuthProvider(supabaseAdmin: SupabaseClient): AuthProvider {
+export function createSupabaseAuthProvider(
+  supabaseAdmin: SupabaseClient
+): AuthProvider {
   return {
     async getUser(userId: string) {
-      const { data, error } = await supabaseAdmin.auth.admin.getUserById(userId);
+      const { data, error } =
+        await supabaseAdmin.auth.admin.getUserById(userId);
       if (error) throw error;
       return { customClaims: data.user?.app_metadata ?? {} };
     },

package/src/supabase/index.ts

@@ -60,10 +60,7 @@ export {
   checkRateLimitWithPostgres,
   DEFAULT_RATE_LIMITS,
 } from './utils/rateLimiter.js';
-export type {
-  RateLimitConfig,
-  RateLimitResult,
-} from './utils/rateLimiter.js';
+export type { RateLimitConfig, RateLimitResult } from './utils/rateLimiter.js';
 export {
   recordOperationMetrics,
   getFailureRate,

package/src/supabase/registerCrudFunctions.ts

@@ -89,7 +89,7 @@ export function createSupabaseCrudFunctions(
       schemas.update,
       access.update
     );
-    
+
     // Extract reference metadata from entity if available
     const schemaWithMeta = schemas.get as {
       metadata?: {
@@ -108,7 +108,7 @@ export function createSupabaseCrudFunctions(
       };
     };
     const referenceMetadata = schemaWithMeta.metadata?.references;
-    
+
     handlers[`delete_${col}`] = createSupabaseDeleteEntity(
       col,
       access.delete,
@@ -127,7 +127,8 @@ export function createSupabaseCrudFunctions(
   const serve = async (req: Request): Promise<Response> => {
     try {
       const body = await req.json().catch(() => ({}));
-      const functionName = (body as Record<string, unknown>)._functionName as string;
+      const functionName = (body as Record<string, unknown>)
+        ._functionName as string;
 
       if (!functionName) {
         return new Response(
@@ -146,7 +147,7 @@ export function createSupabaseCrudFunctions(
 
       // Remove _functionName from body before passing to handler
       const { _functionName, ...handlerData } = body as Record<string, unknown>;
-      
+
       // Create new request with cleaned body
       const handlerReq = new Request(req.url, {
         method: req.method,
@@ -156,11 +157,12 @@ export function createSupabaseCrudFunctions(
 
       return handler(handlerReq);
     } catch (error) {
-      const message = error instanceof Error ? error.message : 'Internal server error';
-      return new Response(
-        JSON.stringify({ error: message }),
-        { status: 500, headers: { 'Content-Type': 'application/json' } }
-      );
+      const message =
+        error instanceof Error ? error.message : 'Internal server error';
+      return new Response(JSON.stringify({ error: message }), {
+        status: 500,
+        headers: { 'Content-Type': 'application/json' },
+      });
     }
   };
 

package/src/supabase/utils/idempotency.ts

@@ -86,21 +86,19 @@ export async function storeIdempotency<T>(
     const expiresAt = new Date();
     expiresAt.setHours(expiresAt.getHours() + ttl);
 
-    const { error } = await supabaseAdmin
-      .from('idempotency')
-      .upsert(
-        {
-          id,
-          operation,
-          idempotency_key: idempotencyKey,
-          result: result as any,
-          processed_by: uid,
-          expires_at: expiresAt.toISOString(),
-        },
-        {
-          onConflict: 'idempotency_key',
-        }
-      );
+    const { error } = await supabaseAdmin.from('idempotency').upsert(
+      {
+        id,
+        operation,
+        idempotency_key: idempotencyKey,
+        result: result as any,
+        processed_by: uid,
+        expires_at: expiresAt.toISOString(),
+      },
+      {
+        onConflict: 'idempotency_key',
+      }
+    );
 
     if (error) {
       console.error('[idempotency] Store failed:', error);

package/src/supabase/utils/monitoring.ts

@@ -167,7 +167,11 @@ export async function getSlowOperations(
       grouped[metric.operation].count += 1;
     }
 
-    const results: Array<{ operation: string; avgDuration: number; count: number }> = [];
+    const results: Array<{
+      operation: string;
+      avgDuration: number;
+      count: number;
+    }> = [];
     for (const [operation, stats] of Object.entries(grouped)) {
       const avgDuration = stats.sum / stats.count;
       if (avgDuration >= thresholdMs) {

package/src/supabase/utils/rateLimiter.ts

@@ -24,7 +24,10 @@
  */
 
 import type { SupabaseClient } from '@supabase/supabase-js';
-import type { ServerRateLimitConfig as RateLimitConfig, ServerRateLimitResult as RateLimitResult } from '@donotdev/core';
+import type {
+  ServerRateLimitConfig as RateLimitConfig,
+  ServerRateLimitResult as RateLimitResult,
+} from '@donotdev/core';
 
 export type { RateLimitConfig, RateLimitResult };
 
@@ -198,7 +201,11 @@ export async function checkRateLimitWithPostgres(
 
     if (error) {
       // Log for observability — infrastructure errors here need immediate attention.
-      console.error('[rateLimit] rate_limit_check RPC failed:', error.message, error.code);
+      console.error(
+        '[rateLimit] rate_limit_check RPC failed:',
+        error.message,
+        error.code
+      );
       return failClosed();
     }
 
@@ -210,7 +217,10 @@ export async function checkRateLimitWithPostgres(
       blockRemainingSeconds: result.block_remaining_seconds,
     };
   } catch (error) {
-    console.error('[rateLimit] Unexpected error in checkRateLimitWithPostgres:', error);
+    console.error(
+      '[rateLimit] Unexpected error in checkRateLimitWithPostgres:',
+      error
+    );
     return failClosed();
   }
 }

package/src/vercel/api/billing/webhook-handler.ts

@@ -55,7 +55,10 @@ export function createStripeWebhook(billingConfig: StripeBackConfig) {
         async getUser(userId: string) {
           return getFirebaseAdminAuth().getUser(userId);
         },
-        async setCustomUserClaims(userId: string, claims: Record<string, unknown>) {
+        async setCustomUserClaims(
+          userId: string,
+          claims: Record<string, unknown>
+        ) {
           await getFirebaseAdminAuth().setCustomUserClaims(userId, claims);
         },
       };
@@ -90,7 +93,8 @@ async function getRawBody(req: NextApiRequest): Promise<Buffer> {
   const chunks: Buffer[] = [];
   let totalBytes = 0;
   for await (const chunk of req) {
-    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : (chunk as Buffer);
+    const buf =
+      typeof chunk === 'string' ? Buffer.from(chunk) : (chunk as Buffer);
     totalBytes += buf.length;
     if (totalBytes > MAX_BODY_BYTES) {
       throw new Error('Request body too large');

package/src/vercel/api/crud/create.ts

@@ -19,7 +19,10 @@ import {
   transformFirestoreData,
 } from '../../../shared/index.js';
 import { createMetadata } from '../../../shared/index.js';
-import { validateCollectionName, validateDocument } from '../../../shared/utils.js';
+import {
+  validateCollectionName,
+  validateDocument,
+} from '../../../shared/utils.js';
 import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
@@ -84,7 +87,9 @@ export default async function handler(
       handleError(error);
     } catch (handledError: any) {
       const status = handledError.code === 'invalid-argument' ? 400 : 500;
-      return res.status(status).json({ error: handledError.message, code: handledError.code });
+      return res
+        .status(status)
+        .json({ error: handledError.message, code: handledError.code });
     }
   }
 }

package/src/vercel/api/crud/delete.ts

@@ -60,7 +60,9 @@ export default async function handler(
       handleError(error);
     } catch (handledError: any) {
       const status = handledError.code === 'invalid-argument' ? 400 : 500;
-      return res.status(status).json({ error: handledError.message, code: handledError.code });
+      return res
+        .status(status)
+        .json({ error: handledError.message, code: handledError.code });
     }
   }
 }

package/src/vercel/api/crud/get.ts

@@ -74,7 +74,9 @@ export default async function handler(
       handleError(error);
     } catch (handledError: any) {
       const status = handledError.code === 'invalid-argument' ? 400 : 500;
-      return res.status(status).json({ error: handledError.message, code: handledError.code });
+      return res
+        .status(status)
+        .json({ error: handledError.message, code: handledError.code });
     }
   }
 }

package/src/vercel/api/crud/list.ts

@@ -87,7 +87,9 @@ export default async function handler(
       handleError(error);
     } catch (handledError: any) {
       const status = handledError.code === 'invalid-argument' ? 400 : 500;
-      return res.status(status).json({ error: handledError.message, code: handledError.code });
+      return res
+        .status(status)
+        .json({ error: handledError.message, code: handledError.code });
     }
   }
 }

package/src/vercel/api/crud/update.ts

@@ -19,7 +19,10 @@ import {
   transformFirestoreData,
 } from '../../../shared/index.js';
 import { updateMetadata } from '../../../shared/index.js';
-import { validateCollectionName, validateDocument } from '../../../shared/utils.js';
+import {
+  validateCollectionName,
+  validateDocument,
+} from '../../../shared/utils.js';
 import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
@@ -100,7 +103,9 @@ export default async function handler(
       handleError(error);
     } catch (handledError: any) {
       const status = handledError.code === 'invalid-argument' ? 400 : 500;
-      return res.status(status).json({ error: handledError.message, code: handledError.code });
+      return res
+        .status(status)
+        .json({ error: handledError.message, code: handledError.code });
     }
   }
 }