@opensaas/stack-core 0.13.0 → 0.14.0

package/src/context/index.ts

@@ -92,22 +92,23 @@ async function executeFieldValidateHooks(
   }
 
   for (const [fieldKey, fieldConfig] of Object.entries(fields)) {
-    // Skip if no hooks defined
-    if (!fieldConfig.hooks?.validate) continue
+    // Support both 'validate' (new) and 'validateInput' (deprecated) for backwards compatibility
+    const validateHook = fieldConfig.hooks?.validate ?? fieldConfig.hooks?.validateInput
+    if (!validateHook) continue
 
     // Execute field hook
     // Type assertion is safe here because hooks are typed correctly in field definitions
     if (operation === 'delete') {
-      await fieldConfig.hooks.validate({
+      await validateHook({
         listKey,
         fieldKey,
         operation: 'delete',
         item,
         context,
         addValidationError: addValidationError(fieldKey),
-      } as Parameters<typeof fieldConfig.hooks.validate>[0])
+      } as Parameters<typeof validateHook>[0])
     } else if (operation === 'create') {
-      await fieldConfig.hooks.validate({
+      await validateHook({
         listKey,
         fieldKey,
         operation: 'create',
@@ -116,10 +117,10 @@ async function executeFieldValidateHooks(
         resolvedData,
         context,
         addValidationError: addValidationError(fieldKey),
-      } as Parameters<typeof fieldConfig.hooks.validate>[0])
+      } as Parameters<typeof validateHook>[0])
     } else {
       // operation === 'update'
-      await fieldConfig.hooks.validate({
+      await validateHook({
         listKey,
         fieldKey,
         operation: 'update',
@@ -128,7 +129,7 @@ async function executeFieldValidateHooks(
         resolvedData,
         context,
         addValidationError: addValidationError(fieldKey),
-      } as Parameters<typeof fieldConfig.hooks.validate>[0])
+      } as Parameters<typeof validateHook>[0])
     }
   }
 
@@ -253,6 +254,49 @@ export type ServerActionProps =
   | { listKey: string; action: 'update'; id: string; data: Record<string, unknown> }
   | { listKey: string; action: 'delete'; id: string }
 
+/**
+ * Check if a list is configured as a singleton
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+function isSingletonList(listConfig: ListConfig<any>): boolean {
+  return !!listConfig.isSingleton
+}
+
+/**
+ * Check if auto-create is enabled for a singleton list
+ * Defaults to true if not explicitly set to false
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+function shouldAutoCreate(listConfig: ListConfig<any>): boolean {
+  if (!listConfig.isSingleton) return false
+  if (typeof listConfig.isSingleton === 'boolean') return true
+  return listConfig.isSingleton.autoCreate !== false
+}
+
+/**
+ * Extract default values from field configs
+ * Used to auto-create singleton records with sensible defaults
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+function getDefaultData(listConfig: ListConfig<any>): Record<string, unknown> {
+  const data: Record<string, unknown> = {}
+
+  for (const [fieldKey, fieldConfig] of Object.entries(listConfig.fields)) {
+    // Skip virtual fields - they're not stored in database
+    if (fieldConfig.virtual) continue
+
+    // Skip system fields (id, createdAt, updatedAt)
+    if (fieldKey === 'id' || fieldKey === 'createdAt' || fieldKey === 'updatedAt') continue
+
+    // Add default value if present
+    if ('defaultValue' in fieldConfig && fieldConfig.defaultValue !== undefined) {
+      data[fieldKey] = fieldConfig.defaultValue
+    }
+  }
+
+  return data
+}
+
 /**
  * Parse Prisma error and convert to user-friendly DatabaseError
  */
@@ -392,14 +436,23 @@ export function getContext<
   for (const [listName, listConfig] of Object.entries(config.lists)) {
     const dbKey = getDbKey(listName)
 
-    db[dbKey] = {
+    // Create base operations
+    const createOp = createCreate(listName, listConfig, prisma, context, config)
+    const operations: Record<string, unknown> = {
       findUnique: createFindUnique(listName, listConfig, prisma, context, config),
       findMany: createFindMany(listName, listConfig, prisma, context, config),
-      create: createCreate(listName, listConfig, prisma, context, config),
+      create: createOp,
       update: createUpdate(listName, listConfig, prisma, context, config),
       delete: createDelete(listName, listConfig, prisma, context),
       count: createCount(listName, listConfig, prisma, context),
     }
+
+    // Add get() method for singleton lists
+    if (isSingletonList(listConfig)) {
+      operations.get = createGet(listName, listConfig, prisma, context, config, createOp)
+    }
+
+    db[dbKey] = operations
   }
 
   // Execute plugin runtime functions and populate context.plugins
@@ -617,6 +670,14 @@ function createFindMany<TPrisma extends PrismaClientLike>(
     skip?: number
     include?: Record<string, unknown>
   }) => {
+    // Check singleton constraint (throw error instead of silently returning empty)
+    if (isSingletonList(listConfig)) {
+      throw new ValidationError(
+        [`Cannot use findMany: ${listName} is a singleton list. Use get() instead.`],
+        {},
+      )
+    }
+
     // Check query access (skip if sudo mode)
     let where: Record<string, unknown> | undefined = args?.where
     if (!context._isSudo) {
@@ -696,6 +757,21 @@ function createCreate<TPrisma extends PrismaClientLike>(
   config: OpenSaasConfig,
 ) {
   return async (args: { data: Record<string, unknown> }) => {
+    // 0. Check singleton constraint (enforce even in sudo mode)
+    if (isSingletonList(listConfig)) {
+      // Access Prisma model dynamically - required because model names are generated at runtime
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const model = (prisma as any)[getDbKey(listName)]
+      const existingCount = await model.count()
+
+      if (existingCount > 0) {
+        throw new ValidationError(
+          [`Cannot create: ${listName} is a singleton list with an existing record`],
+          {},
+        )
+      }
+    }
+
     // 1. Check create access (skip if sudo mode)
     if (!context._isSudo) {
       const createAccess = listConfig.access?.operation?.create
@@ -759,6 +835,7 @@ function createCreate<TPrisma extends PrismaClientLike>(
     const filteredData = await filterWritableFields(resolvedData, listConfig.fields, 'create', {
       session: context.session,
       context: { ...context, _isSudo: context._isSudo },
+      inputData: args.data,
     })
 
     // 5.5. Process nested relationship operations
@@ -939,6 +1016,7 @@ function createUpdate<TPrisma extends PrismaClientLike>(
       session: context.session,
       item,
       context: { ...context, _isSudo: context._isSudo },
+      inputData: args.data,
     })
 
     // 6.5. Process nested relationship operations
@@ -1029,6 +1107,11 @@ function createDelete<TPrisma extends PrismaClientLike>(
   context: AccessContext<TPrisma>,
 ) {
   return async (args: { where: { id: string } }) => {
+    // 0. Check singleton constraint (enforce even in sudo mode)
+    if (isSingletonList(listConfig)) {
+      throw new ValidationError([`Cannot delete: ${listName} is a singleton list`], {})
+    }
+
     // 1. Fetch the item to pass to access control and hooks
     // Access Prisma model dynamically - required because model names are generated at runtime
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -1176,3 +1259,86 @@ function createCount<TPrisma extends PrismaClientLike>(
     return count
   }
 }
+
+/**
+ * Create get operation for singleton lists
+ * Returns the single record, or auto-creates it if enabled
+ */
+function createGet<TPrisma extends PrismaClientLike>(
+  listName: string,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  listConfig: ListConfig<any>,
+  prisma: TPrisma,
+  context: AccessContext<TPrisma>,
+  config: OpenSaasConfig,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  createFn: any,
+) {
+  return async () => {
+    // First try to find the existing record
+    // Access Prisma model dynamically - required because model names are generated at runtime
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const model = (prisma as any)[getDbKey(listName)]
+
+    // Check query access (skip if sudo mode)
+    let where: Record<string, unknown> = {}
+    if (!context._isSudo) {
+      const queryAccess = listConfig.access?.operation?.query
+      const accessResult = await checkAccess(queryAccess, {
+        session: context.session,
+        context,
+      })
+
+      if (accessResult === false) {
+        return null
+      }
+
+      // Merge access filter (for singleton, we don't have a specific where clause)
+      if (accessResult && typeof accessResult === 'object') {
+        where = accessResult
+      }
+    }
+
+    // Build include with access control filters
+    const accessControlledInclude = await buildIncludeWithAccessControl(
+      listConfig.fields,
+      {
+        session: context.session,
+        context,
+      },
+      config,
+    )
+
+    // Try to find the record
+    const item = await model.findFirst({
+      where,
+      include: accessControlledInclude,
+    })
+
+    // If record exists, return it
+    if (item) {
+      // Filter readable fields and apply resolveOutput hooks
+      const filtered = await filterReadableFields(
+        item,
+        listConfig.fields,
+        {
+          session: context.session,
+          context: { ...context, _isSudo: context._isSudo },
+        },
+        config,
+        0,
+        listName,
+      )
+      return filtered
+    }
+
+    // If no record and auto-create is enabled, create it
+    if (shouldAutoCreate(listConfig)) {
+      const defaultData = getDefaultData(listConfig)
+      return await createFn({ data: defaultData })
+    }
+
+    // No record and auto-create is disabled
+    return null
+  }
+}

package/src/context/nested-operations.ts

@@ -140,6 +140,7 @@ async function processNestedCreate(
         {
           session: context.session,
           context,
+          inputData: item,
         },
       )
 
@@ -309,6 +310,7 @@ async function processNestedUpdate(
           session: context.session,
           item,
           context,
+          inputData: updateData,
         },
       )
 

package/src/index.ts

@@ -38,6 +38,17 @@ export type {
   Plugin,
   PluginContext,
   GeneratedFiles,
+  // List-level hook argument types
+  ResolveInputHookArgs,
+  ValidateHookArgs,
+  BeforeOperationHookArgs,
+  AfterOperationHookArgs,
+  // Field-level hook argument types
+  FieldResolveInputHookArgs,
+  FieldValidateHookArgs,
+  FieldBeforeOperationHookArgs,
+  FieldAfterOperationHookArgs,
+  FieldResolveOutputHookArgs,
 } from './config/index.js'
 
 // Access control

package/tests/access.test.ts

@@ -192,60 +192,57 @@ describe('Access Control', () => {
       expect(result).toBe(true)
     })
 
-    it('should check filter match when operation returns filter', async () => {
-      const item = { userId: '123' }
+    it('should receive inputData for create operations', async () => {
+      const inputData = { title: 'Test', authorId: '123' }
       const fieldAccess: FieldAccess = {
-        read: vi.fn(async () => ({ userId: '123' })),
+        create: vi.fn(async ({ inputData: data }) => {
+          // Field access can validate inputData
+          return data?.authorId === '123'
+        }),
       }
 
-      const result = await checkFieldAccess(fieldAccess, 'read', {
+      const result = await checkFieldAccess(fieldAccess, 'create', {
         session: null,
-        item,
         context: mockContext,
+        inputData,
       })
 
       expect(result).toBe(true)
+      expect(fieldAccess.create).toHaveBeenCalledWith(expect.objectContaining({ inputData }))
     })
 
-    it('should deny access when filter does not match', async () => {
-      const item = { userId: '456' }
-      const fieldAccess: FieldAccess = {
-        read: vi.fn(async () => ({ userId: '123' })),
-      }
-
-      const result = await checkFieldAccess(fieldAccess, 'read', {
-        session: null,
-        item,
-        context: mockContext,
-      })
-
-      expect(result).toBe(false)
-    })
-
-    it('should work with equals condition', async () => {
-      const item = { status: 'active' }
+    it('should receive inputData for update operations', async () => {
+      const inputData = { title: 'Updated', authorId: '123' }
+      const item = { id: '1', authorId: '123' }
       const fieldAccess: FieldAccess = {
-        read: vi.fn(async () => ({ status: { equals: 'active' } })),
+        update: vi.fn(async ({ inputData: data, item: existingItem }) => {
+          // Field access can validate inputData and check existing item
+          return data?.authorId === existingItem?.authorId
+        }),
       }
 
-      const result = await checkFieldAccess(fieldAccess, 'read', {
+      const result = await checkFieldAccess(fieldAccess, 'update', {
         session: null,
         item,
         context: mockContext,
+        inputData,
       })
 
       expect(result).toBe(true)
+      expect(fieldAccess.update).toHaveBeenCalledWith(expect.objectContaining({ inputData, item }))
     })
 
-    it('should work with not condition', async () => {
-      const item = { status: 'active' }
+    it('should not receive inputData for read operations', async () => {
       const fieldAccess: FieldAccess = {
-        read: vi.fn(async () => ({ status: { not: 'deleted' } })),
+        read: vi.fn(async ({ inputData }) => {
+          // inputData should be undefined for read operations
+          expect(inputData).toBeUndefined()
+          return true
+        }),
       }
 
       const result = await checkFieldAccess(fieldAccess, 'read', {
         session: null,
-        item,
         context: mockContext,
       })
 
@@ -487,12 +484,15 @@ describe('Access Control', () => {
         session: { userId: '123' },
         item,
         context: mockContext,
+        inputData: data,
       })
 
       expect(accessFn).toHaveBeenCalledWith({
         session: { userId: '123' },
         item,
         context: mockContext,
+        inputData: data,
+        operation: 'update',
       })
     })
   })

package/tests/config.test.ts

@@ -76,7 +76,7 @@ describe('config helpers', () => {
   })
 
   describe('list', () => {
-    it('should return the same list config', () => {
+    it('should return normalized list config', () => {
       const testList: ListConfig = {
         fields: {
           name: { type: 'text' },
@@ -85,7 +85,9 @@ describe('config helpers', () => {
       }
 
       const result = list(testList)
-      expect(result).toBe(testList)
+      // list() normalizes access control, so it creates a new object
+      expect(result.fields).toEqual(testList.fields)
+      expect(result.access).toBeUndefined()
     })
 
     it('should support text fields', () => {
@@ -161,7 +163,7 @@ describe('config helpers', () => {
       expect(testList.fields.author.type).toBe('relationship')
     })
 
-    it('should support access control', () => {
+    it('should support access control object form', () => {
       const testList = list({
         fields: { name: { type: 'text' } },
         access: {
@@ -177,6 +179,21 @@ describe('config helpers', () => {
       expect(testList.access?.operation).toBeDefined()
     })
 
+    it('should support access control function shorthand', () => {
+      const isAdmin = () => true
+      const testList = list({
+        fields: { name: { type: 'text' } },
+        access: isAdmin,
+      })
+
+      // Function shorthand should be normalized to object form
+      expect(testList.access?.operation).toBeDefined()
+      expect(testList.access?.operation?.query).toBe(isAdmin)
+      expect(testList.access?.operation?.create).toBe(isAdmin)
+      expect(testList.access?.operation?.update).toBe(isAdmin)
+      expect(testList.access?.operation?.delete).toBe(isAdmin)
+    })
+
     it('should support hooks', () => {
       const testList = list({
         fields: { name: { type: 'text' } },