@jaimevalasek/aioson 1.30.1 → 1.30.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +9 -0
- package/docs/design-previews/cognitive-core-ui-auth.html +95 -0
- package/docs/design-previews/cognitive-core-ui-kanban.html +231 -0
- package/docs/design-previews/cognitive-core-ui-list-detail.html +174 -0
- package/docs/design-previews/cognitive-core-ui-preview.css +1315 -0
- package/docs/design-previews/cognitive-core-ui-settings.html +142 -0
- package/docs/design-previews/cognitive-core-ui-website.html +190 -1009
- package/docs/design-previews/cognitive-core-ui.html +281 -463
- package/docs/design-previews/index.html +83 -31
- package/package.json +1 -1
- package/src/constants.js +567 -511
- package/template/.aioson/docs/play/README.md +2 -0
- package/template/.aioson/docs/play/agent-usage-guide.md +7 -1
- package/template/.aioson/docs/play/app-compatibility-guide.md +6 -1
- package/template/.aioson/docs/play/auth-services-and-testing.md +16 -1
- package/template/.aioson/docs/play/manifest-and-runtime.md +23 -0
- package/template/.aioson/skills/design/aurora-command-ui/SKILL.md +266 -243
- package/template/.aioson/skills/design/aurora-command-ui/references/art-direction.md +293 -293
- package/template/.aioson/skills/design/aurora-command-ui/references/components.md +827 -827
- package/template/.aioson/skills/design/aurora-command-ui/references/dashboards.md +250 -250
- package/template/.aioson/skills/design/aurora-command-ui/references/design-tokens.md +585 -585
- package/template/.aioson/skills/design/aurora-command-ui/references/motion.md +365 -365
- package/template/.aioson/skills/design/aurora-command-ui/references/patterns.md +485 -482
- package/template/.aioson/skills/design/aurora-command-ui/references/websites.md +386 -387
- package/template/.aioson/skills/design/bold-editorial-ui/SKILL.md +228 -205
- package/template/.aioson/skills/design/bold-editorial-ui/references/art-direction.md +338 -338
- package/template/.aioson/skills/design/bold-editorial-ui/references/components.md +977 -977
- package/template/.aioson/skills/design/bold-editorial-ui/references/dashboards.md +218 -218
- package/template/.aioson/skills/design/bold-editorial-ui/references/design-tokens.md +326 -326
- package/template/.aioson/skills/design/bold-editorial-ui/references/motion.md +461 -461
- package/template/.aioson/skills/design/bold-editorial-ui/references/patterns.md +293 -293
- package/template/.aioson/skills/design/bold-editorial-ui/references/websites.md +352 -352
- package/template/.aioson/skills/design/clean-saas-ui/SKILL.md +233 -210
- package/template/.aioson/skills/design/clean-saas-ui/references/art-direction.md +319 -319
- package/template/.aioson/skills/design/clean-saas-ui/references/components.md +365 -365
- package/template/.aioson/skills/design/clean-saas-ui/references/dashboards.md +196 -196
- package/template/.aioson/skills/design/clean-saas-ui/references/design-tokens.md +244 -244
- package/template/.aioson/skills/design/clean-saas-ui/references/motion.md +235 -235
- package/template/.aioson/skills/design/clean-saas-ui/references/patterns.md +215 -215
- package/template/.aioson/skills/design/clean-saas-ui/references/websites.md +295 -295
- package/template/.aioson/skills/design/cognitive-core-ui/SKILL.md +239 -203
- package/template/.aioson/skills/design/cognitive-core-ui/references/art-direction.md +339 -339
- package/template/.aioson/skills/design/cognitive-core-ui/references/components.md +417 -407
- package/template/.aioson/skills/design/cognitive-core-ui/references/dashboards.md +289 -272
- package/template/.aioson/skills/design/cognitive-core-ui/references/design-tokens.md +525 -524
- package/template/.aioson/skills/design/cognitive-core-ui/references/motion.md +279 -279
- package/template/.aioson/skills/design/cognitive-core-ui/references/patterns.md +355 -289
- package/template/.aioson/skills/design/cognitive-core-ui/references/websites.md +443 -437
- package/template/.aioson/skills/design/glassmorphism-ui/SKILL.md +245 -222
- package/template/.aioson/skills/design/glassmorphism-ui/references/art-direction.md +159 -159
- package/template/.aioson/skills/design/glassmorphism-ui/references/components.md +498 -498
- package/template/.aioson/skills/design/glassmorphism-ui/references/dashboards.md +236 -236
- package/template/.aioson/skills/design/glassmorphism-ui/references/design-tokens.md +274 -274
- package/template/.aioson/skills/design/glassmorphism-ui/references/motion.md +355 -355
- package/template/.aioson/skills/design/glassmorphism-ui/references/patterns.md +198 -198
- package/template/.aioson/skills/design/glassmorphism-ui/references/websites.md +307 -307
- package/template/.aioson/skills/design/interface-design/SKILL.md +68 -47
- package/template/.aioson/skills/design/interface-design/references/components-and-states.md +105 -105
- package/template/.aioson/skills/design/interface-design/references/design-directions.md +101 -101
- package/template/.aioson/skills/design/interface-design/references/handoff-and-quality.md +92 -71
- package/template/.aioson/skills/design/interface-design/references/intent-and-domain.md +74 -74
- package/template/.aioson/skills/design/interface-design/references/tokens-and-depth.md +173 -173
- package/template/.aioson/skills/design/neo-brutalist-ui/SKILL.md +236 -213
- package/template/.aioson/skills/design/neo-brutalist-ui/references/art-direction.md +228 -228
- package/template/.aioson/skills/design/neo-brutalist-ui/references/components.md +855 -855
- package/template/.aioson/skills/design/neo-brutalist-ui/references/dashboards.md +334 -334
- package/template/.aioson/skills/design/neo-brutalist-ui/references/design-tokens.md +342 -342
- package/template/.aioson/skills/design/neo-brutalist-ui/references/motion.md +286 -286
- package/template/.aioson/skills/design/neo-brutalist-ui/references/patterns.md +458 -458
- package/template/.aioson/skills/design/neo-brutalist-ui/references/websites.md +723 -723
- package/template/.aioson/skills/design/premium-command-center-ui/SKILL.md +83 -62
- package/template/.aioson/skills/design/premium-command-center-ui/references/operations.md +74 -74
- package/template/.aioson/skills/design/premium-command-center-ui/references/patterns.md +116 -116
- package/template/.aioson/skills/design/premium-command-center-ui/references/validation.md +47 -47
- package/template/.aioson/skills/design/premium-command-center-ui/references/visual-system.md +215 -215
- package/template/.aioson/skills/design/pt.squarespace.com/.skill-meta.json +31 -31
- package/template/.aioson/skills/design/pt.squarespace.com/SKILL.md +94 -66
- package/template/.aioson/skills/design/pt.squarespace.com/references/components.md +366 -366
- package/template/.aioson/skills/design/pt.squarespace.com/references/design-tokens.md +150 -150
- package/template/.aioson/skills/design/pt.squarespace.com/references/motion.md +270 -270
- package/template/.aioson/skills/design/pt.squarespace.com/references/patterns.md +189 -189
- package/template/.aioson/skills/design/pt.squarespace.com/references/websites.md +161 -161
- package/template/.aioson/skills/design/warm-craft-ui/SKILL.md +232 -209
- package/template/.aioson/skills/design/warm-craft-ui/references/art-direction.md +324 -324
- package/template/.aioson/skills/design/warm-craft-ui/references/components.md +508 -508
- package/template/.aioson/skills/design/warm-craft-ui/references/dashboards.md +223 -223
- package/template/.aioson/skills/design/warm-craft-ui/references/design-tokens.md +374 -374
- package/template/.aioson/skills/design/warm-craft-ui/references/motion.md +356 -356
- package/template/.aioson/skills/design/warm-craft-ui/references/patterns.md +288 -288
- package/template/.aioson/skills/design/warm-craft-ui/references/websites.md +289 -289
|
@@ -60,6 +60,7 @@ AIOSON can build any kind of app. Apply this Play compatibility layer only when
|
|
|
60
60
|
- Data Bindings and Global Connectors via `app-config.yaml`
|
|
61
61
|
- MCPI/API/MCP connector execution through the Play registry
|
|
62
62
|
- Local operator auth via `aioson-auth` and `@aioson/auth-sdk`
|
|
63
|
+
- App-owned RBAC catalog via `manifest.json` `auth.permissions[]`
|
|
63
64
|
- Cloud owner/trial auth via `AIOSON_COM_TOKEN`
|
|
64
65
|
- Play Services via `service.json` and `requires_services`
|
|
65
66
|
- Dev-link and local smoke testing
|
|
@@ -69,4 +70,5 @@ AIOSON can build any kind of app. Apply this Play compatibility layer only when
|
|
|
69
70
|
- Do not copy the whole Play integration directory into app projects.
|
|
70
71
|
- Do not make apps depend on source-repo-only files from `aioson-play`.
|
|
71
72
|
- Do not invent Play env vars, port ranges, manifest fields, or connector APIs.
|
|
73
|
+
- Do not infer app permissions by scanning source code; Play apps declare the catalog in `manifest.json` `auth.permissions[]`.
|
|
72
74
|
- Do not treat `llm-chain.json` or `aioson-models.json` in the app cwd as the primary credential contract for installed apps.
|
|
@@ -26,6 +26,7 @@ Load this folder when the user mentions:
|
|
|
26
26
|
- `manifest.json` for Play apps
|
|
27
27
|
- `app-config.yaml`
|
|
28
28
|
- `requires_services`
|
|
29
|
+
- `auth.permissions`
|
|
29
30
|
- `/api/aioson-play`
|
|
30
31
|
|
|
31
32
|
Do not load it for generic web apps unless the user connects the app to Play.
|
|
@@ -61,7 +62,7 @@ For a Play-targeted app, answer these before creating files:
|
|
|
61
62
|
|
|
62
63
|
4. Does the app need users/operators?
|
|
63
64
|
- Owner/trial/billing: use `AIOSON_COM_TOKEN` and backend proxy routes.
|
|
64
|
-
- Local operators/RBAC: use `aioson-auth` as Play Service and `@aioson/auth-sdk`.
|
|
65
|
+
- Local operators/RBAC: use `aioson-auth` as Play Service, declare `manifest.json` `auth.permissions[]`, and use `@aioson/auth-sdk`.
|
|
65
66
|
- No auth: do not add login just because it is a Play app.
|
|
66
67
|
|
|
67
68
|
## Source priority
|
|
@@ -81,6 +82,8 @@ Use this priority order:
|
|
|
81
82
|
- Do not put provider API keys in `llm-chain.json`, `tools.json`, manifest, app docs, or frontend code.
|
|
82
83
|
- Do not make browser code call `https://aioson.com` directly with a token.
|
|
83
84
|
- Do not treat `aioson-auth` and `aioson.com` auth as the same system.
|
|
85
|
+
- Do not create app permissions only in the Auth dashboard. For Play apps, the app declares the permission catalog in `manifest.json` `auth.permissions[]`; the dashboard assigns those permissions to roles.
|
|
86
|
+
- Do not ask Auth or Play to scan source code for policies/permissions.
|
|
84
87
|
- Do not add `@tauri-apps/api` to Play Services. Services are standalone background processes.
|
|
85
88
|
- Do not assume SSO operator token injection is implemented unless the canonical Play docs and code confirm it.
|
|
86
89
|
|
|
@@ -94,6 +97,8 @@ For implementation, produce or verify:
|
|
|
94
97
|
- `/api/aioson-play` when `has_api: true`
|
|
95
98
|
- Lazy LLM client initialization when the app uses LLM providers
|
|
96
99
|
- Degraded state when required bindings are absent
|
|
100
|
+
- `manifest.json` `auth.permissions[]` when the app uses `aioson-auth`
|
|
101
|
+
- Frontend/backend permission gates implemented with `@aioson/auth-sdk`
|
|
97
102
|
- Local smoke steps through dev-link or standalone `PORT=...` run
|
|
98
103
|
|
|
99
104
|
For QA, verify:
|
|
@@ -103,4 +108,5 @@ For QA, verify:
|
|
|
103
108
|
- No secret in frontend or package artifact
|
|
104
109
|
- Data bindings use alias names that match `app-config.yaml`
|
|
105
110
|
- Auth path uses the right system: `aioson-auth` for operators, `aioson.com` for owner/trial
|
|
111
|
+
- Apps using `aioson-auth` declare permissions in `manifest.json`, and those declared permissions match implemented route/API gates.
|
|
106
112
|
- `manifest.compatibility` exists for publishable apps
|
|
@@ -42,6 +42,7 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
|
|
|
42
42
|
- Use `http://localhost:5180` or `VITE_AIOSON_PLAY_URL` for ProductBridge calls.
|
|
43
43
|
- Use `GET /api/registry` when discovering other apps or services dynamically.
|
|
44
44
|
- Use `requires_services` for Play Service dependencies.
|
|
45
|
+
- If the app uses `aioson-auth`, declare the permission catalog in `manifest.json` `auth.permissions[]` and implement matching gates in the app with `@aioson/auth-sdk`.
|
|
45
46
|
- Keep app-local operational DB separate from Play Global Connectors.
|
|
46
47
|
- Fail clearly or degrade gracefully when optional Play integrations are absent.
|
|
47
48
|
|
|
@@ -53,6 +54,8 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
|
|
|
53
54
|
- Do not create a UI inside the app for creating global Database Connections or Data Connectors. Those live in Play Settings.
|
|
54
55
|
- Do not put LLM provider secrets in files shipped with the app.
|
|
55
56
|
- Do not call cloud APIs from browser code with `AIOSON_COM_TOKEN`.
|
|
57
|
+
- Do not rely on Auth/Play scanning source code to discover permissions.
|
|
58
|
+
- Do not create app permissions only in the Auth dashboard for manifest-driven Play apps.
|
|
56
59
|
|
|
57
60
|
## Implementation sequence
|
|
58
61
|
|
|
@@ -61,7 +64,7 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
|
|
|
61
64
|
3. Make every server listen on Play-injected env ports.
|
|
62
65
|
4. Add `GET /api/aioson-play` if the app exposes API capabilities.
|
|
63
66
|
5. Add `app-config.yaml` for operational DB defaults and/or `data_bindings`.
|
|
64
|
-
6. Add Play auth only if the app needs it.
|
|
67
|
+
6. Add Play auth only if the app needs it; include `requires_services: ["aioson-auth"]`, `auth.permissions[]`, and SDK gates.
|
|
65
68
|
7. Add local smoke tests and dev-link run instructions.
|
|
66
69
|
|
|
67
70
|
## Ready-for-Play checklist
|
|
@@ -77,6 +80,8 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
|
|
|
77
80
|
- [ ] App handles missing bindings with degraded UI or a clear blocking state.
|
|
78
81
|
- [ ] LLM clients are lazy-initialized and read credentials from app config or injected env vars.
|
|
79
82
|
- [ ] Auth uses the correct path: `aioson-auth` for operators/RBAC, `aioson.com` for owner/trial/billing.
|
|
83
|
+
- [ ] Apps using `aioson-auth` declare `manifest.json` `auth.permissions[]`.
|
|
84
|
+
- [ ] Declared permissions match frontend/backend gates implemented by the app.
|
|
80
85
|
- [ ] Publishable apps declare `manifest.compatibility`.
|
|
81
86
|
- [ ] Dev-link smoke was run inside Play or the app was manually started with a test `PORT`.
|
|
82
87
|
|
|
@@ -57,10 +57,22 @@ For operator login and RBAC, depend on `aioson-auth`:
|
|
|
57
57
|
|
|
58
58
|
```json
|
|
59
59
|
{
|
|
60
|
-
"requires_services": ["aioson-auth"]
|
|
60
|
+
"requires_services": ["aioson-auth"],
|
|
61
|
+
"auth": {
|
|
62
|
+
"version": 1,
|
|
63
|
+
"permissions": ["orders:read", "orders:create"],
|
|
64
|
+
"policies": [
|
|
65
|
+
{ "id": "page:orders", "kind": "route", "path": "/orders", "requires": ["orders:read"] }
|
|
66
|
+
]
|
|
67
|
+
}
|
|
61
68
|
}
|
|
62
69
|
```
|
|
63
70
|
|
|
71
|
+
`auth.permissions[]` is the app-owned permission catalog. Play syncs it through
|
|
72
|
+
the owner-only app inventory; `aioson-auth` registers it on the existing binding
|
|
73
|
+
so the admin can assign permissions to global roles. Do not rely on Auth scanning
|
|
74
|
+
app source code.
|
|
75
|
+
|
|
64
76
|
Use `@aioson/auth-sdk` as the client layer when available. Avoid handwritten calls to auth endpoints unless the SDK cannot cover the specific case.
|
|
65
77
|
|
|
66
78
|
Env vars Play injects for auth (only these exist):
|
|
@@ -83,6 +95,7 @@ Legacy `?token=` may still work in older paths, but new app code should prefer B
|
|
|
83
95
|
Current implemented auth expectations from the Play docs:
|
|
84
96
|
|
|
85
97
|
- JWT can include `binding_id` and `permissions`.
|
|
98
|
+
- App permissions are declared in `manifest.json` `auth.permissions[]` and implemented by the app with SDK gates.
|
|
86
99
|
- `/me/permissions` exists in `aioson-auth`.
|
|
87
100
|
- `@aioson/auth-sdk` MVP exists.
|
|
88
101
|
- Operator SSO token injection from Play keyring is planned in docs, not safe to rely on unless the local code confirms it.
|
|
@@ -199,6 +212,8 @@ curl http://localhost:3001/health
|
|
|
199
212
|
## QA checklist
|
|
200
213
|
|
|
201
214
|
- [ ] `requires_services` matches actual service use.
|
|
215
|
+
- [ ] Apps using `aioson-auth` declare `auth.permissions[]` in `manifest.json`.
|
|
216
|
+
- [ ] Frontend and backend gates use `@aioson/auth-sdk` or a Bearer-compatible server check for those permissions.
|
|
202
217
|
- [ ] Missing service does not produce a confusing crash.
|
|
203
218
|
- [ ] `AIOSON_COM_TOKEN` is never exposed to frontend code.
|
|
204
219
|
- [ ] Operator auth uses SDK or Bearer-compatible client.
|
|
@@ -209,6 +209,29 @@ When an app requires a Play Service:
|
|
|
209
209
|
|
|
210
210
|
Play uses this to show onboarding requirements, check service install/runtime state, and block or degrade app launch when the required service is missing.
|
|
211
211
|
|
|
212
|
+
For apps that use `aioson-auth`, declare the RBAC catalog in the same manifest:
|
|
213
|
+
|
|
214
|
+
```json
|
|
215
|
+
{
|
|
216
|
+
"requires_services": ["aioson-auth"],
|
|
217
|
+
"auth": {
|
|
218
|
+
"version": 1,
|
|
219
|
+
"permissions": [
|
|
220
|
+
"orders:read",
|
|
221
|
+
{ "name": "orders:create", "label": "Criar pedidos" }
|
|
222
|
+
],
|
|
223
|
+
"policies": [
|
|
224
|
+
{ "id": "page:orders", "kind": "route", "path": "/orders", "requires": ["orders:read"] }
|
|
225
|
+
]
|
|
226
|
+
}
|
|
227
|
+
}
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
`auth.permissions[]` is the source of truth for the permission catalog shown by
|
|
231
|
+
`aioson-auth`. The app still implements the actual route/API gates with the SDK;
|
|
232
|
+
the Auth dashboard assigns the declared permissions to global roles. Play/Auth do
|
|
233
|
+
not scan app source code to infer permissions.
|
|
234
|
+
|
|
212
235
|
## Publish compatibility
|
|
213
236
|
|
|
214
237
|
Publishable apps should declare compatibility:
|