@harperfast/skills 1.0.0

package/harper-best-practices/rules/caching.md

@@ -0,0 +1,46 @@
+---
+name: caching
+description: How to implement integrated data caching in Harper from external sources.
+---
+
+# Caching
+
+Instructions for the agent to follow when implementing caching in Harper.
+
+## When to Use
+
+Use this skill when you need high-performance, low-latency storage for data from external sources. It's ideal for reducing API calls to third-party services, preventing cache stampedes, and making external data queryable as if it were native Harper tables.
+
+## Steps
+
+1. **Configure a Cache Table**: Define a table in your `schema.graphql` with an `expiration` (in seconds):
+   ```graphql
+   type MyCache @table(expiration: 3600) @export {
+   	id: ID @primaryKey
+   }
+   ```
+2. **Define an External Source**: Create a Resource class that fetches the data:
+   ```js
+   import { Resource } from 'harperdb';
+
+   export class ThirdPartyAPI extends Resource {
+   	async get() {
+   		const id = this.getId();
+   		const response = await fetch(`https://api.example.com/items/${id}`);
+   		if (!response.ok) {
+   			throw new Error('Source fetch failed');
+   		}
+   		return await response.json();
+   	}
+   }
+   ```
+3. **Attach Source to Table**: Use `sourcedFrom` to link your resource to the table:
+   ```js
+   import { tables } from 'harperdb';
+   import { ThirdPartyAPI } from './ThirdPartyAPI.js';
+
+   const { MyCache } = tables;
+   MyCache.sourcedFrom(ThirdPartyAPI);
+   ```
+4. **Implement Active Caching (Optional)**: Use `subscribe()` for proactive updates. See [Real Time Apps](real-time-apps.md).
+5. **Implement Write-Through Caching (Optional)**: Define `put` or `post` in your resource to propagate updates upstream.

package/harper-best-practices/rules/checking-authentication.md

@@ -0,0 +1,165 @@
+---
+name: checking-authentication
+description: How to handle user authentication and sessions in Harper Resources.
+---
+
+# Checking Authentication
+
+Instructions for the agent to follow when handling authentication and sessions.
+
+## When to Use
+
+Use this skill when you need to implement sign-in/sign-out functionality, protect specific resource endpoints, or identify the currently logged-in user in a Harper application.
+
+## Steps
+
+1. **Configure Harper for Sessions**: Ensure `harperdb-config.yaml` has sessions enabled and local auto-authorization disabled for testing:
+   ```yaml
+   authentication:
+     authorizeLocal: false
+     enableSessions: true
+   ```
+2. **Implement Sign In**: Use `this.getContext().login(username, password)` to create a session:
+   ```ts
+   async post(_target, data) {
+     const context = this.getContext();
+     try {
+       await context.login(data.username, data.password);
+     } catch {
+       return new Response('Invalid credentials', { status: 403 });
+     }
+     return new Response('Logged in', { status: 200 });
+   }
+   ```
+3. **Identify Current User**: Use `this.getCurrentUser()` to access session data:
+   ```ts
+   async get() {
+     const user = this.getCurrentUser?.();
+     if (!user) return new Response(null, { status: 401 });
+     return { username: user.username, role: user.role };
+   }
+   ```
+4. **Implement Sign Out**: Use `this.getContext().logout()` or delete the session from context:
+   ```ts
+   async post() {
+     const context = this.getContext();
+     await context.session?.delete?.(context.session.id);
+     return new Response('Logged out', { status: 200 });
+   }
+   ```
+5. **Protect Routes**: In your Resource, use `allowRead()`, `allowUpdate()`, etc., to enforce authorization logic based on `this.getCurrentUser()`. For privileged actions, verify `user.role.permission.super_user`.
+
+## Status code conventions used here
+
+- 200: Successful operation. For `GET /me`, a `200` with empty body means “not signed in”.
+- 400: Missing required fields (e.g., username/password on sign-in).
+- 401: No current session for an action that requires one (e.g., sign out when not signed in).
+- 403: Authenticated but not authorized (bad credentials on login attempt, or insufficient privileges).
+
+## Client considerations
+
+- Sessions are cookie-based; the server handles setting and reading the cookie via Harper. If you make cross-origin requests, ensure the appropriate `credentials` mode and CORS settings.
+- If developing locally, double-check the server config still has `authentication.authorizeLocal: false` to avoid accidental superuser bypass.
+
+## Token-based auth (JWT + refresh token) for non-browser clients
+
+Cookie-backed sessions are great for browser flows. For CLI tools, mobile apps, or other non-browser clients, it’s often easier to use **explicit tokens**:
+
+- **JWT (`operation_token`)**: short-lived bearer token used to authorize API requests.
+- **Refresh token (`refresh_token`)**: longer-lived token used to mint a new JWT when it expires.
+
+This project includes two Resource patterns for that flow:
+
+### Issuing tokens: `IssueTokens`
+
+**Description / use case:** Generate `{ refreshToken, jwt }` either:
+
+- with an existing Authorization token (either Basic Auth or a JWT) and you want to issue new tokens, or
+- from an explicit `{ username, password }` payload (useful for direct “login” from a CLI/mobile client).
+
+```
+js
+export class IssueTokens extends Resource {
+static loadAsInstance = false;
+
+	async get(target) {
+		const { refresh_token: refreshToken, operation_token: jwt } =
+			await databases.system.hdb_user.operation(
+				{ operation: 'create_authentication_tokens' },
+				this.getContext(),
+			);
+		return { refreshToken, jwt };
+	}
+
+	async post(target, data) {
+		if (!data.username || !data.password) {
+			throw new Error('username and password are required');
+		}
+
+		const { refresh_token: refreshToken, operation_token: jwt } =
+			await databases.system.hdb_user.operation({
+				operation: 'create_authentication_tokens',
+				username: data.username,
+				password: data.password,
+			});
+		return { refreshToken, jwt };
+	}
+}
+```
+
+**Recommended documentation notes to include:**
+
+- `GET` variant: intended for “I already have an Authorization token, give me new tokens”.
+- `POST` variant: intended for “I have credentials, give me tokens”.
+- Response shape:
+  - `refreshToken`: store securely (long-lived).
+  - `jwt`: attach to requests (short-lived).
+
+### Refreshing a JWT: `RefreshJWT`
+
+**Description / use case:** When the JWT expires, the client uses the refresh token to get a new JWT without re-supplying username/password.
+
+```
+js
+export class RefreshJWT extends Resource {
+static loadAsInstance = false;
+
+	async post(target, data) {
+		if (!data.refreshToken) {
+			throw new Error('refreshToken is required');
+		}
+
+		const { operation_token: jwt } = await databases.system.hdb_user.operation({
+			operation: 'refresh_operation_token',
+			refresh_token: data.refreshToken,
+		});
+		return { jwt };
+	}
+}
+```
+
+**Recommended documentation notes to include:**
+
+- Requires `refreshToken` in the request body.
+- Returns a new `{ jwt }`.
+- If refresh fails (expired/revoked), client must re-authenticate (e.g., call `IssueTokens.post` again).
+
+### Suggested client flow (high-level)
+
+1. **Sign in (token flow)**
+   - POST /IssueTokens/ with a body of `{ "username": "your username", "password": "your password" }` or GET /IssueTokens/ with an existing Authorization token.
+   - Receive `{ jwt, refreshToken }` in the response
+2. **Call protected APIs**
+   - Send the JWT with each request in the Authorization header (as your auth mechanism expects)
+3. **JWT expires**
+   - POST /RefreshJWT/ with a body of `{ "refreshToken": "your refresh token" }`.
+   - Receive `{ jwt }` in the response and continue
+
+## Quick checklist
+
+- [ ] Public endpoints explicitly `allowRead`/`allowCreate` as needed.
+- [ ] Sign-in uses `context.login` and handles 400/403 correctly.
+- [ ] Protected routes call `ensureSuperUser(this.getCurrentUser())` (or another role check) before doing work.
+- [ ] Sign-out verifies a session and deletes it.
+- [ ] `authentication.authorizeLocal` is `false` and `enableSessions` is `true` in Harper config.
+- [ ] If using tokens: `IssueTokens` issues `{ jwt, refreshToken }`, `RefreshJWT` refreshes `{ jwt }` with a `refreshToken`.

package/harper-best-practices/rules/custom-resources.md

@@ -0,0 +1,35 @@
+---
+name: custom-resources
+description: How to define custom REST endpoints with JavaScript or TypeScript in Harper.
+---
+
+# Custom Resources
+
+Instructions for the agent to follow when creating custom resources in Harper.
+
+## When to Use
+
+Use this skill when the automatic CRUD operations provided by `@table @export` are insufficient, and you need custom logic, third-party API integration, or specialized data handling for your REST endpoints.
+
+## Steps
+
+1. **Check if a Custom Resource is Necessary**: Verify if [Automatic APIs](./automatic-apis.md) or [Extending Tables](./extending-tables.md) can satisfy the requirement first.
+2. **Create the Resource File**: Create a `.ts` or `.js` file in the directory specified by `jsResource` in `config.yaml` (typically `resources/`).
+3. **Define the Resource Class**: Export a class extending `Resource` from `harperdb`:
+   ```typescript
+   import { type RequestTargetOrId, Resource } from 'harperdb';
+
+   export class MyResource extends Resource {
+   	async get(target?: RequestTargetOrId) {
+   		return { message: 'Hello from custom GET!' };
+   	}
+   }
+   ```
+4. **Implement HTTP Methods**: Add methods like `get`, `post`, `put`, `patch`, or `delete` to handle corresponding requests. Note that paths are **case-sensitive** and match the class name.
+5. **Access Tables (Optional)**: Import and use the `tables` object to interact with your data:
+   ```typescript
+   import { tables } from 'harperdb';
+   // ... inside a method
+   const results = await tables.MyTable.list();
+   ```
+6. **Configure Loading**: Ensure `config.yaml` points to your resource files (e.g., `jsResource: { files: 'resources/*.ts' }`).

package/harper-best-practices/rules/defining-relationships.md

@@ -0,0 +1,33 @@
+---
+name: defining-relationships
+description: How to define and use relationships between tables in Harper using GraphQL.
+---
+
+# Defining Relationships
+
+Instructions for the agent to follow when defining relationships between Harper tables.
+
+## When to Use
+
+Use this skill when you need to link data across different tables, enabling automatic joins and efficient related-data fetching via REST APIs.
+
+## Steps
+
+1. **Identify the Relationship Type**: Determine if it's one-to-one, many-to-one, or one-to-many.
+2. **Use the `@relationship` Directive**: Apply it to a field in your GraphQL schema.
+   - **Many-to-One (Current table holds FK)**: Use `from`.
+     ```graphql
+     type Book @table @export {
+     	authorId: ID
+     	author: Author @relationship(from: "authorId")
+     }
+     ```
+   - **One-to-Many (Related table holds FK)**: Use `to` and an array type.
+     ```graphql
+     type Author @table @export {
+     	books: [Book] @relationship(to: "authorId")
+     }
+     ```
+3. **Query with Relationships**: Use dot syntax in REST API calls for filtering or the `select()` operator for including related data.
+   - Example Filter: `GET /Book/?author.name=Harper`
+   - Example Select: `GET /Author/?select(name,books(title))`

package/harper-best-practices/rules/deploying-to-harper-fabric.md

@@ -0,0 +1,24 @@
+---
+name: deploying-to-harper-fabric
+description: How to deploy a Harper application to the Harper Fabric cloud.
+---
+
+# Deploying to Harper Fabric
+
+Instructions for the agent to follow when deploying to Harper Fabric.
+
+## When to Use
+
+Use this skill when you are ready to move your Harper application from local development to a cloud-hosted environment.
+
+## Steps
+
+1. **Sign up**: Create an account at [https://fabric.harper.fast/](https://fabric.harper.fast/) and create a cluster.
+2. **Configure Environment**: Add your cluster credentials and cluster application URL to `.env`:
+   ```bash
+   CLI_TARGET_USERNAME='YOUR_CLUSTER_USERNAME'
+   CLI_TARGET_PASSWORD='YOUR_CLUSTER_PASSWORD'
+   CLI_TARGET='YOUR_CLUSTER_URL'
+   ```
+3. **Deploy From Local Environment**: Run `npm run deploy`.
+4. **Set up CI/CD**: Configure `.github/workflows/deploy.yaml` and set repository secrets for automated deployments.

package/harper-best-practices/rules/extending-tables.md

@@ -0,0 +1,37 @@
+---
+name: extending-tables
+description: How to add custom logic to automatically generated table resources in Harper.
+---
+
+# Extending Tables
+
+Instructions for the agent to follow when extending table resources in Harper.
+
+## When to Use
+
+Use this skill when you need to add custom validation, side effects (like webhooks), data transformation, or custom access control to the standard CRUD operations of a Harper table.
+
+## Steps
+
+1. **Define the Table in GraphQL**: In your `.graphql` schema, define the table using the `@table` directive. **Do not** use `@export` if you plan to extend it.
+   ```graphql
+   type MyTable @table {
+   	id: ID @primaryKey
+   	name: String
+   }
+   ```
+2. **Create the Extension File**: Create a `.ts` file in your `resources/` directory.
+3. **Extend the Table Resource**: Export a class that extends `tables.YourTableName`:
+   ```typescript
+   import { type RequestTargetOrId, tables } from 'harperdb';
+
+   export class MyTable extends tables.MyTable {
+   	async post(target: RequestTargetOrId, record: any) {
+   		// Custom logic here
+   		if (!record.name) { throw new Error('Name required'); }
+   		return super.post(target, record);
+   	}
+   }
+   ```
+4. **Override Methods**: Override `get`, `post`, `put`, `patch`, or `delete` as needed. Always call `super[method]` to maintain default Harper functionality unless you intend to replace it entirely.
+5. **Implement Logic**: Use overrides for validation, side effects, or transforming data before/after database operations.

package/harper-best-practices/rules/handling-binary-data.md

@@ -0,0 +1,43 @@
+---
+name: handling-binary-data
+description: How to store and serve binary data like images or audio in Harper.
+---
+
+# Handling Binary Data
+
+Instructions for the agent to follow when handling binary data in Harper.
+
+## When to Use
+
+Use this skill when you need to store binary files (images, audio, etc.) in the database or serve them back to clients via REST endpoints.
+
+## Steps
+
+1. **Store Base64 as Blobs**: In your resource's `post` or `put` method, convert incoming base64 strings to Buffers and then to Blobs using `createBlob`:
+   ```typescript
+   import { createBlob } from 'harperdb';
+
+   async post(target, record) {
+     if (record.data) {
+       record.data = createBlob(Buffer.from(record.data, 'base64'), {
+         type: 'image/jpeg',
+       });
+     }
+     return super.post(target, record);
+   }
+   ```
+2. **Serve Binary Data**: In your resource's `get` method, return a response object with the appropriate `Content-Type` and the binary data in the `body`:
+   ```typescript
+   async get(target) {
+     const record = await super.get(target);
+     if (record?.data) {
+       return {
+         status: 200,
+         headers: { 'Content-Type': 'image/jpeg' },
+         body: record.data,
+       };
+     }
+     return record;
+   }
+   ```
+3. **Use the Blob Type**: Ensure your GraphQL schema uses the `Blob` scalar for binary fields.

package/harper-best-practices/rules/programmatic-table-requests.md

@@ -0,0 +1,39 @@
+---
+name: programmatic-table-requests
+description: How to interact with Harper tables programmatically using the `tables` object.
+---
+
+# Programmatic Table Requests
+
+Instructions for the agent to follow when interacting with Harper tables via code.
+
+## When to Use
+
+Use this skill when you need to perform database operations (CRUD, search, subscribe) from within Harper Resources or scripts.
+
+## Steps
+
+1. **Access the Table**: Use the global `tables` object followed by your table name (e.g., `tables.MyTable`).
+2. **Perform CRUD Operations**:
+   - **Get**: `await tables.MyTable.get(id)` for a single record or `await tables.MyTable.get({ conditions: [...] })` for multiple.
+   - **Create**: `await tables.MyTable.post(record)` (auto-generates ID) or `await tables.MyTable.put(id, record)`.
+   - **Update**: `await tables.MyTable.patch(id, partialRecord)` for partial updates.
+   - **Delete**: `await tables.MyTable.delete(id)`.
+3. **Use Updatable Records for Atomic Ops**: Call `update(id)` to get a reference, then use `addTo` or `subtractFrom` for atomic increments/decrements:
+   ```typescript
+   const stats = await tables.Stats.update('daily');
+   stats.addTo('viewCount', 1);
+   ```
+4. **Search and Stream**: Use `search(query)` for efficient streaming of large result sets:
+   ```typescript
+   for await (const record of tables.MyTable.search({ conditions: [...] })) {
+     // process record
+   }
+   ```
+5. **Real-time Subscriptions**: Use `subscribe(query)` to listen for changes:
+   ```typescript
+   for await (const event of tables.MyTable.subscribe(query)) {
+   	// handle event
+   }
+   ```
+6. **Publish Events**: Use `publish(id, message)` to trigger subscriptions without necessarily persisting data.

package/harper-best-practices/rules/querying-rest-apis.md

@@ -0,0 +1,22 @@
+---
+name: querying-rest-apis
+description: How to use query parameters to filter, sort, and paginate Harper REST APIs.
+---
+
+# Querying REST APIs
+
+Instructions for the agent to follow when querying Harper's REST APIs.
+
+## When to Use
+
+Use this skill when you need to perform advanced data retrieval (filtering, sorting, pagination, joins) using Harper's automatic REST endpoints.
+
+## Steps
+
+1. **Basic Filtering**: Use attribute names as query parameters: `GET /Table/?key=value`.
+2. **Use Comparison Operators**: Append operators like `gt`, `ge`, `lt`, `le`, `ne` using FIQL-style syntax: `GET /Table/?price=gt=100`.
+3. **Apply Logic and Grouping**: Use `&` for AND, `|` for OR, and `()` for grouping: `GET /Table/?(rating=5|featured=true)&price=lt=50`.
+4. **Select Specific Fields**: Use `select()` to limit returned attributes: `GET /Table/?select(name,price)`.
+5. **Paginate Results**: Use `limit(count)` or `limit(offset, count)`: `GET /Table/?limit(20, 10)`.
+6. **Sort Results**: Use `sort()` with `+` (asc) or `-` (desc): `GET /Table/?sort(-price,+name)`.
+7. **Query Relationships**: Use dot syntax for tables linked with `@relationship`: `GET /Book/?author.name=Harper`.

package/harper-best-practices/rules/real-time-apps.md

@@ -0,0 +1,37 @@
+---
+name: real-time-apps
+description: How to build real-time features in Harper using WebSockets and Pub/Sub.
+---
+
+# Real-time Applications
+
+Instructions for the agent to follow when building real-time applications in Harper.
+
+## When to Use
+
+Use this skill when you need to stream live updates to clients, implement chat features, or provide real-time data synchronization between the database and a frontend.
+
+## Steps
+
+1. **Check Automatic WebSockets**: If you only need to stream table changes, use [Automatic APIs](automatic-apis.md) which provide a WebSocket endpoint for every `@export`ed table.
+2. **Implement `connect` in a Resource**: For custom bi-directional logic, implement the `connect` method:
+   ```typescript
+   import { Resource, tables } from 'harperdb';
+
+   export class MySocket extends Resource {
+   	async *connect(target, incomingMessages) {
+   		// Subscribe to table changes
+   		const subscription = await tables.MyTable.subscribe(target);
+   		if (!incomingMessages) { return subscription; // SSE mode
+   		 }
+
+   		// Handle incoming client messages
+   		for await (let message of incomingMessages) {
+   			yield { received: message };
+   		}
+   	}
+   }
+   ```
+3. **Use Pub/Sub**: Use `tables.TableName.subscribe(query)` to listen for specific data changes and stream them to the client.
+4. **Handle SSE**: Ensure your `connect` method gracefully handles cases where `incomingMessages` is null (Server-Sent Events).
+5. **Connect from Client**: Use standard WebSockets (`new WebSocket('ws://...')`) to connect to your resource endpoint.

package/harper-best-practices/rules/serving-web-content.md

@@ -0,0 +1,34 @@
+---
+name: serving-web-content
+description: How to serve static files and integrated Vite/React applications in Harper.
+---
+
+# Serving Web Content
+
+Instructions for the agent to follow when serving web content from Harper.
+
+## When to Use
+
+Use this skill when you need to serve a frontend (HTML, CSS, JS, or a React app) directly from your Harper instance.
+
+## Steps
+
+1. **Choose a Method**: Decide between the simple Static Plugin or the integrated Vite Plugin.
+2. **Option A: Static Plugin (Simple)**:
+   - Add to `config.yaml`:
+     ```yaml
+     static:
+       files: 'web/*'
+     ```
+   - Place files in a `web/` folder in the project root.
+   - Files are served at the root URL (e.g., `http://localhost:9926/index.html`).
+3. **Option B: Vite Plugin (Advanced/Development)**:
+   - Add to `config.yaml`:
+     ```yaml
+     '@harperfast/vite-plugin':
+       package: '@harperfast/vite-plugin'
+     ```
+   - Ensure `vite.config.ts` and `index.html` are in the project root.
+   - Install dependencies: `npm install --save-dev vite @harperfast/vite-plugin`.
+   - Use `npm run dev` for development with HMR.
+4. **Deploy for Production**: For Vite apps, use a build script to generate static files into a `web/` folder and deploy them using the static handler pattern.

package/harper-best-practices/rules/typescript-type-stripping.md

@@ -0,0 +1,32 @@
+---
+name: typescript-type-stripping
+description: How to run TypeScript files directly in Harper without a build step.
+---
+
+# TypeScript Type Stripping
+
+Instructions for the agent to follow when using TypeScript in Harper.
+
+## When to Use
+
+Use this skill when you want to write Harper Resources in TypeScript and have them execute directly in Node.js without an intermediate build or compilation step.
+
+## Steps
+
+1. **Verify Node.js Version**: Ensure you are using Node.js v22.6.0 or higher.
+2. **Name Files with `.ts`**: Create your resource files in the `resources/` directory with a `.ts` extension.
+3. **Use TypeScript Syntax**: Write your resource classes using standard TypeScript (interfaces, types, etc.).
+   ```typescript
+   import { Resource } from 'harperdb';
+   export class MyResource extends Resource {
+   	async get(): Promise<{ message: string }> {
+   		return { message: 'Running TS directly!' };
+   	}
+   }
+   ```
+4. **Use Explicit Extensions in Imports**: When importing other local modules, include the `.ts` extension: `import { helper } from './helper.ts'`.
+5. **Configure `config.yaml`**: Ensure `jsResource` points to your `.ts` files:
+   ```yaml
+   jsResource:
+     files: 'resources/*.ts'
+   ```

package/harper-best-practices/rules/using-blob-datatype.md

@@ -0,0 +1,36 @@
+---
+name: using-blob-datatype
+description: How to use the Blob data type for efficient binary storage in Harper.
+---
+
+# Using Blob Datatype
+
+Instructions for the agent to follow when working with the Blob data type in Harper.
+
+## When to Use
+
+Use this skill when you need to store unstructured or large binary data (media, documents) that is too large for standard JSON fields. Blobs provide efficient storage and integrated streaming support.
+
+## Steps
+
+1. **Define Blob Fields**: In your GraphQL schema, use the `Blob` type:
+   ```graphql
+   type MyTable @table {
+   	id: ID @primaryKey
+   	data: Blob
+   }
+   ```
+2. **Create and Store Blobs**: Use `createBlob()` from `harperdb` to wrap Buffers or Streams:
+   ```javascript
+   import { createBlob, tables } from 'harperdb';
+   const blob = createBlob(largeBuffer);
+   await tables.MyTable.put('my-id', { data: blob });
+   ```
+3. **Use Streaming (Optional)**: For very large files, pass a stream to `createBlob()` to avoid loading the entire file into memory.
+4. **Read Blob Data**: Retrieve the record and use `.bytes()` or streaming interfaces on the blob field:
+   ```javascript
+   const record = await tables.MyTable.get('my-id');
+   const buffer = await record.data.bytes();
+   ```
+5. **Ensure Write Completion**: Use `saveBeforeCommit: true` in `createBlob` options if you need the blob fully written before the record is committed.
+6. **Handle Errors**: Attach error listeners to the blob object to handle streaming failures.