@jaimevalasek/aioson 1.30.1 → 1.30.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (90) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/docs/design-previews/cognitive-core-ui-auth.html +95 -0
  3. package/docs/design-previews/cognitive-core-ui-kanban.html +231 -0
  4. package/docs/design-previews/cognitive-core-ui-list-detail.html +174 -0
  5. package/docs/design-previews/cognitive-core-ui-preview.css +1315 -0
  6. package/docs/design-previews/cognitive-core-ui-settings.html +142 -0
  7. package/docs/design-previews/cognitive-core-ui-website.html +190 -1009
  8. package/docs/design-previews/cognitive-core-ui.html +281 -463
  9. package/docs/design-previews/index.html +83 -31
  10. package/package.json +1 -1
  11. package/src/constants.js +567 -511
  12. package/template/.aioson/docs/play/README.md +2 -0
  13. package/template/.aioson/docs/play/agent-usage-guide.md +7 -1
  14. package/template/.aioson/docs/play/app-compatibility-guide.md +6 -1
  15. package/template/.aioson/docs/play/auth-services-and-testing.md +16 -1
  16. package/template/.aioson/docs/play/manifest-and-runtime.md +23 -0
  17. package/template/.aioson/skills/design/aurora-command-ui/SKILL.md +266 -243
  18. package/template/.aioson/skills/design/aurora-command-ui/references/art-direction.md +293 -293
  19. package/template/.aioson/skills/design/aurora-command-ui/references/components.md +827 -827
  20. package/template/.aioson/skills/design/aurora-command-ui/references/dashboards.md +250 -250
  21. package/template/.aioson/skills/design/aurora-command-ui/references/design-tokens.md +585 -585
  22. package/template/.aioson/skills/design/aurora-command-ui/references/motion.md +365 -365
  23. package/template/.aioson/skills/design/aurora-command-ui/references/patterns.md +485 -482
  24. package/template/.aioson/skills/design/aurora-command-ui/references/websites.md +386 -387
  25. package/template/.aioson/skills/design/bold-editorial-ui/SKILL.md +228 -205
  26. package/template/.aioson/skills/design/bold-editorial-ui/references/art-direction.md +338 -338
  27. package/template/.aioson/skills/design/bold-editorial-ui/references/components.md +977 -977
  28. package/template/.aioson/skills/design/bold-editorial-ui/references/dashboards.md +218 -218
  29. package/template/.aioson/skills/design/bold-editorial-ui/references/design-tokens.md +326 -326
  30. package/template/.aioson/skills/design/bold-editorial-ui/references/motion.md +461 -461
  31. package/template/.aioson/skills/design/bold-editorial-ui/references/patterns.md +293 -293
  32. package/template/.aioson/skills/design/bold-editorial-ui/references/websites.md +352 -352
  33. package/template/.aioson/skills/design/clean-saas-ui/SKILL.md +233 -210
  34. package/template/.aioson/skills/design/clean-saas-ui/references/art-direction.md +319 -319
  35. package/template/.aioson/skills/design/clean-saas-ui/references/components.md +365 -365
  36. package/template/.aioson/skills/design/clean-saas-ui/references/dashboards.md +196 -196
  37. package/template/.aioson/skills/design/clean-saas-ui/references/design-tokens.md +244 -244
  38. package/template/.aioson/skills/design/clean-saas-ui/references/motion.md +235 -235
  39. package/template/.aioson/skills/design/clean-saas-ui/references/patterns.md +215 -215
  40. package/template/.aioson/skills/design/clean-saas-ui/references/websites.md +295 -295
  41. package/template/.aioson/skills/design/cognitive-core-ui/SKILL.md +239 -203
  42. package/template/.aioson/skills/design/cognitive-core-ui/references/art-direction.md +339 -339
  43. package/template/.aioson/skills/design/cognitive-core-ui/references/components.md +417 -407
  44. package/template/.aioson/skills/design/cognitive-core-ui/references/dashboards.md +289 -272
  45. package/template/.aioson/skills/design/cognitive-core-ui/references/design-tokens.md +525 -524
  46. package/template/.aioson/skills/design/cognitive-core-ui/references/motion.md +279 -279
  47. package/template/.aioson/skills/design/cognitive-core-ui/references/patterns.md +355 -289
  48. package/template/.aioson/skills/design/cognitive-core-ui/references/websites.md +443 -437
  49. package/template/.aioson/skills/design/glassmorphism-ui/SKILL.md +245 -222
  50. package/template/.aioson/skills/design/glassmorphism-ui/references/art-direction.md +159 -159
  51. package/template/.aioson/skills/design/glassmorphism-ui/references/components.md +498 -498
  52. package/template/.aioson/skills/design/glassmorphism-ui/references/dashboards.md +236 -236
  53. package/template/.aioson/skills/design/glassmorphism-ui/references/design-tokens.md +274 -274
  54. package/template/.aioson/skills/design/glassmorphism-ui/references/motion.md +355 -355
  55. package/template/.aioson/skills/design/glassmorphism-ui/references/patterns.md +198 -198
  56. package/template/.aioson/skills/design/glassmorphism-ui/references/websites.md +307 -307
  57. package/template/.aioson/skills/design/interface-design/SKILL.md +68 -47
  58. package/template/.aioson/skills/design/interface-design/references/components-and-states.md +105 -105
  59. package/template/.aioson/skills/design/interface-design/references/design-directions.md +101 -101
  60. package/template/.aioson/skills/design/interface-design/references/handoff-and-quality.md +92 -71
  61. package/template/.aioson/skills/design/interface-design/references/intent-and-domain.md +74 -74
  62. package/template/.aioson/skills/design/interface-design/references/tokens-and-depth.md +173 -173
  63. package/template/.aioson/skills/design/neo-brutalist-ui/SKILL.md +236 -213
  64. package/template/.aioson/skills/design/neo-brutalist-ui/references/art-direction.md +228 -228
  65. package/template/.aioson/skills/design/neo-brutalist-ui/references/components.md +855 -855
  66. package/template/.aioson/skills/design/neo-brutalist-ui/references/dashboards.md +334 -334
  67. package/template/.aioson/skills/design/neo-brutalist-ui/references/design-tokens.md +342 -342
  68. package/template/.aioson/skills/design/neo-brutalist-ui/references/motion.md +286 -286
  69. package/template/.aioson/skills/design/neo-brutalist-ui/references/patterns.md +458 -458
  70. package/template/.aioson/skills/design/neo-brutalist-ui/references/websites.md +723 -723
  71. package/template/.aioson/skills/design/premium-command-center-ui/SKILL.md +83 -62
  72. package/template/.aioson/skills/design/premium-command-center-ui/references/operations.md +74 -74
  73. package/template/.aioson/skills/design/premium-command-center-ui/references/patterns.md +116 -116
  74. package/template/.aioson/skills/design/premium-command-center-ui/references/validation.md +47 -47
  75. package/template/.aioson/skills/design/premium-command-center-ui/references/visual-system.md +215 -215
  76. package/template/.aioson/skills/design/pt.squarespace.com/.skill-meta.json +31 -31
  77. package/template/.aioson/skills/design/pt.squarespace.com/SKILL.md +94 -66
  78. package/template/.aioson/skills/design/pt.squarespace.com/references/components.md +366 -366
  79. package/template/.aioson/skills/design/pt.squarespace.com/references/design-tokens.md +150 -150
  80. package/template/.aioson/skills/design/pt.squarespace.com/references/motion.md +270 -270
  81. package/template/.aioson/skills/design/pt.squarespace.com/references/patterns.md +189 -189
  82. package/template/.aioson/skills/design/pt.squarespace.com/references/websites.md +161 -161
  83. package/template/.aioson/skills/design/warm-craft-ui/SKILL.md +232 -209
  84. package/template/.aioson/skills/design/warm-craft-ui/references/art-direction.md +324 -324
  85. package/template/.aioson/skills/design/warm-craft-ui/references/components.md +508 -508
  86. package/template/.aioson/skills/design/warm-craft-ui/references/dashboards.md +223 -223
  87. package/template/.aioson/skills/design/warm-craft-ui/references/design-tokens.md +374 -374
  88. package/template/.aioson/skills/design/warm-craft-ui/references/motion.md +356 -356
  89. package/template/.aioson/skills/design/warm-craft-ui/references/patterns.md +288 -288
  90. package/template/.aioson/skills/design/warm-craft-ui/references/websites.md +289 -289
@@ -60,6 +60,7 @@ AIOSON can build any kind of app. Apply this Play compatibility layer only when
60
60
  - Data Bindings and Global Connectors via `app-config.yaml`
61
61
  - MCPI/API/MCP connector execution through the Play registry
62
62
  - Local operator auth via `aioson-auth` and `@aioson/auth-sdk`
63
+ - App-owned RBAC catalog via `manifest.json` `auth.permissions[]`
63
64
  - Cloud owner/trial auth via `AIOSON_COM_TOKEN`
64
65
  - Play Services via `service.json` and `requires_services`
65
66
  - Dev-link and local smoke testing
@@ -69,4 +70,5 @@ AIOSON can build any kind of app. Apply this Play compatibility layer only when
69
70
  - Do not copy the whole Play integration directory into app projects.
70
71
  - Do not make apps depend on source-repo-only files from `aioson-play`.
71
72
  - Do not invent Play env vars, port ranges, manifest fields, or connector APIs.
73
+ - Do not infer app permissions by scanning source code; Play apps declare the catalog in `manifest.json` `auth.permissions[]`.
72
74
  - Do not treat `llm-chain.json` or `aioson-models.json` in the app cwd as the primary credential contract for installed apps.
@@ -26,6 +26,7 @@ Load this folder when the user mentions:
26
26
  - `manifest.json` for Play apps
27
27
  - `app-config.yaml`
28
28
  - `requires_services`
29
+ - `auth.permissions`
29
30
  - `/api/aioson-play`
30
31
 
31
32
  Do not load it for generic web apps unless the user connects the app to Play.
@@ -61,7 +62,7 @@ For a Play-targeted app, answer these before creating files:
61
62
 
62
63
  4. Does the app need users/operators?
63
64
  - Owner/trial/billing: use `AIOSON_COM_TOKEN` and backend proxy routes.
64
- - Local operators/RBAC: use `aioson-auth` as Play Service and `@aioson/auth-sdk`.
65
+ - Local operators/RBAC: use `aioson-auth` as Play Service, declare `manifest.json` `auth.permissions[]`, and use `@aioson/auth-sdk`.
65
66
  - No auth: do not add login just because it is a Play app.
66
67
 
67
68
  ## Source priority
@@ -81,6 +82,8 @@ Use this priority order:
81
82
  - Do not put provider API keys in `llm-chain.json`, `tools.json`, manifest, app docs, or frontend code.
82
83
  - Do not make browser code call `https://aioson.com` directly with a token.
83
84
  - Do not treat `aioson-auth` and `aioson.com` auth as the same system.
85
+ - Do not create app permissions only in the Auth dashboard. For Play apps, the app declares the permission catalog in `manifest.json` `auth.permissions[]`; the dashboard assigns those permissions to roles.
86
+ - Do not ask Auth or Play to scan source code for policies/permissions.
84
87
  - Do not add `@tauri-apps/api` to Play Services. Services are standalone background processes.
85
88
  - Do not assume SSO operator token injection is implemented unless the canonical Play docs and code confirm it.
86
89
 
@@ -94,6 +97,8 @@ For implementation, produce or verify:
94
97
  - `/api/aioson-play` when `has_api: true`
95
98
  - Lazy LLM client initialization when the app uses LLM providers
96
99
  - Degraded state when required bindings are absent
100
+ - `manifest.json` `auth.permissions[]` when the app uses `aioson-auth`
101
+ - Frontend/backend permission gates implemented with `@aioson/auth-sdk`
97
102
  - Local smoke steps through dev-link or standalone `PORT=...` run
98
103
 
99
104
  For QA, verify:
@@ -103,4 +108,5 @@ For QA, verify:
103
108
  - No secret in frontend or package artifact
104
109
  - Data bindings use alias names that match `app-config.yaml`
105
110
  - Auth path uses the right system: `aioson-auth` for operators, `aioson.com` for owner/trial
111
+ - Apps using `aioson-auth` declare permissions in `manifest.json`, and those declared permissions match implemented route/API gates.
106
112
  - `manifest.compatibility` exists for publishable apps
@@ -42,6 +42,7 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
42
42
  - Use `http://localhost:5180` or `VITE_AIOSON_PLAY_URL` for ProductBridge calls.
43
43
  - Use `GET /api/registry` when discovering other apps or services dynamically.
44
44
  - Use `requires_services` for Play Service dependencies.
45
+ - If the app uses `aioson-auth`, declare the permission catalog in `manifest.json` `auth.permissions[]` and implement matching gates in the app with `@aioson/auth-sdk`.
45
46
  - Keep app-local operational DB separate from Play Global Connectors.
46
47
  - Fail clearly or degrade gracefully when optional Play integrations are absent.
47
48
 
@@ -53,6 +54,8 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
53
54
  - Do not create a UI inside the app for creating global Database Connections or Data Connectors. Those live in Play Settings.
54
55
  - Do not put LLM provider secrets in files shipped with the app.
55
56
  - Do not call cloud APIs from browser code with `AIOSON_COM_TOKEN`.
57
+ - Do not rely on Auth/Play scanning source code to discover permissions.
58
+ - Do not create app permissions only in the Auth dashboard for manifest-driven Play apps.
56
59
 
57
60
  ## Implementation sequence
58
61
 
@@ -61,7 +64,7 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
61
64
  3. Make every server listen on Play-injected env ports.
62
65
  4. Add `GET /api/aioson-play` if the app exposes API capabilities.
63
66
  5. Add `app-config.yaml` for operational DB defaults and/or `data_bindings`.
64
- 6. Add Play auth only if the app needs it.
67
+ 6. Add Play auth only if the app needs it; include `requires_services: ["aioson-auth"]`, `auth.permissions[]`, and SDK gates.
65
68
  7. Add local smoke tests and dev-link run instructions.
66
69
 
67
70
  ## Ready-for-Play checklist
@@ -77,6 +80,8 @@ If the app has a UI, the Play webview must be able to load the UI from the proce
77
80
  - [ ] App handles missing bindings with degraded UI or a clear blocking state.
78
81
  - [ ] LLM clients are lazy-initialized and read credentials from app config or injected env vars.
79
82
  - [ ] Auth uses the correct path: `aioson-auth` for operators/RBAC, `aioson.com` for owner/trial/billing.
83
+ - [ ] Apps using `aioson-auth` declare `manifest.json` `auth.permissions[]`.
84
+ - [ ] Declared permissions match frontend/backend gates implemented by the app.
80
85
  - [ ] Publishable apps declare `manifest.compatibility`.
81
86
  - [ ] Dev-link smoke was run inside Play or the app was manually started with a test `PORT`.
82
87
 
@@ -57,10 +57,22 @@ For operator login and RBAC, depend on `aioson-auth`:
57
57
 
58
58
  ```json
59
59
  {
60
- "requires_services": ["aioson-auth"]
60
+ "requires_services": ["aioson-auth"],
61
+ "auth": {
62
+ "version": 1,
63
+ "permissions": ["orders:read", "orders:create"],
64
+ "policies": [
65
+ { "id": "page:orders", "kind": "route", "path": "/orders", "requires": ["orders:read"] }
66
+ ]
67
+ }
61
68
  }
62
69
  ```
63
70
 
71
+ `auth.permissions[]` is the app-owned permission catalog. Play syncs it through
72
+ the owner-only app inventory; `aioson-auth` registers it on the existing binding
73
+ so the admin can assign permissions to global roles. Do not rely on Auth scanning
74
+ app source code.
75
+
64
76
  Use `@aioson/auth-sdk` as the client layer when available. Avoid handwritten calls to auth endpoints unless the SDK cannot cover the specific case.
65
77
 
66
78
  Env vars Play injects for auth (only these exist):
@@ -83,6 +95,7 @@ Legacy `?token=` may still work in older paths, but new app code should prefer B
83
95
  Current implemented auth expectations from the Play docs:
84
96
 
85
97
  - JWT can include `binding_id` and `permissions`.
98
+ - App permissions are declared in `manifest.json` `auth.permissions[]` and implemented by the app with SDK gates.
86
99
  - `/me/permissions` exists in `aioson-auth`.
87
100
  - `@aioson/auth-sdk` MVP exists.
88
101
  - Operator SSO token injection from Play keyring is planned in docs, not safe to rely on unless the local code confirms it.
@@ -199,6 +212,8 @@ curl http://localhost:3001/health
199
212
  ## QA checklist
200
213
 
201
214
  - [ ] `requires_services` matches actual service use.
215
+ - [ ] Apps using `aioson-auth` declare `auth.permissions[]` in `manifest.json`.
216
+ - [ ] Frontend and backend gates use `@aioson/auth-sdk` or a Bearer-compatible server check for those permissions.
202
217
  - [ ] Missing service does not produce a confusing crash.
203
218
  - [ ] `AIOSON_COM_TOKEN` is never exposed to frontend code.
204
219
  - [ ] Operator auth uses SDK or Bearer-compatible client.
@@ -209,6 +209,29 @@ When an app requires a Play Service:
209
209
 
210
210
  Play uses this to show onboarding requirements, check service install/runtime state, and block or degrade app launch when the required service is missing.
211
211
 
212
+ For apps that use `aioson-auth`, declare the RBAC catalog in the same manifest:
213
+
214
+ ```json
215
+ {
216
+ "requires_services": ["aioson-auth"],
217
+ "auth": {
218
+ "version": 1,
219
+ "permissions": [
220
+ "orders:read",
221
+ { "name": "orders:create", "label": "Criar pedidos" }
222
+ ],
223
+ "policies": [
224
+ { "id": "page:orders", "kind": "route", "path": "/orders", "requires": ["orders:read"] }
225
+ ]
226
+ }
227
+ }
228
+ ```
229
+
230
+ `auth.permissions[]` is the source of truth for the permission catalog shown by
231
+ `aioson-auth`. The app still implements the actual route/API gates with the SDK;
232
+ the Auth dashboard assigns the declared permissions to global roles. Play/Auth do
233
+ not scan app source code to infer permissions.
234
+
212
235
  ## Publish compatibility
213
236
 
214
237
  Publishable apps should declare compatibility: