@palettelab/cli 0.3.29 → 0.3.30

package/README.md

@@ -224,7 +224,8 @@ Declare database ownership in `palette-plugin.json`:
 }
 ```
 
-Define org-scoped models with the backend SDK:
+Define org-scoped models with the backend SDK. Table names must start with the
+app prefix (`my_app__` for `my-app`):
 
 ```python
 from sqlalchemy import String
@@ -232,7 +233,7 @@ from sqlalchemy.orm import Mapped, mapped_column
 from palette_sdk import OrgScopedTable
 
 class Invoice(OrgScopedTable):
-    __tablename__ = "invoices"
+    __tablename__ = "my_app__invoices"
 
     id: Mapped[int] = mapped_column(primary_key=True)
     customer_name: Mapped[str] = mapped_column(String(255))
@@ -245,7 +246,7 @@ from palette_sdk.db import ensure_org_rls
 
 def upgrade():
     op.create_table(...)
-    ensure_org_rls(op, "invoices")
+    ensure_org_rls(op, "my_app__invoices")
 ```
 
 Use `ctx.repo(Model)` for org-safe CRUD:

package/backend-sdk/palette_sdk/__init__.py

@@ -12,7 +12,14 @@ from palette_sdk.schemas import (
     ErrorResponse,
     PaginatedResponse,
 )
-from palette_sdk.db import OrgScopedTable, PluginBase, ensure_org_rls
+from palette_sdk.db import (
+    OrgScopedTable,
+    PluginBase,
+    ensure_org_rls,
+    plugin_safe_id,
+    plugin_schema,
+    plugin_table_prefix,
+)
 from palette_sdk.permissions import (
     KNOWN_PERMISSIONS,
     is_known_permission,
@@ -39,6 +46,9 @@ __all__ = [
     "OrgScopedTable",
     "PluginBase",
     "ensure_org_rls",
+    "plugin_safe_id",
+    "plugin_schema",
+    "plugin_table_prefix",
     "KNOWN_PERMISSIONS",
     "is_known_permission",
     "require_permission",

package/backend-sdk/palette_sdk/db/__init__.py

@@ -12,7 +12,7 @@ Typical plugin usage:
     from sqlalchemy.orm import Mapped, mapped_column
 
     class Expense(OrgScopedTable):
-        __tablename__ = "expenses"
+        __tablename__ = "my_app__expenses"
         title: Mapped[str] = mapped_column(String(200))
         amount_cents: Mapped[int]
 
@@ -23,16 +23,29 @@ Typical plugin usage:
 
     def upgrade():
         op.create_table(
-            "expenses",
+            "my_app__expenses",
             sa.Column("id", sa.Integer, primary_key=True),
             sa.Column("organization_id", sa.BigInteger, nullable=False, index=True),
             sa.Column("title", sa.String(200), nullable=False),
             sa.Column("amount_cents", sa.Integer, nullable=False),
         )
-        ensure_org_rls(op, "expenses")
+        ensure_org_rls(op, "my_app__expenses")
 """
 
-from palette_sdk.db.base import OrgScopedTable, PluginBase
+from palette_sdk.db.base import (
+    OrgScopedTable,
+    PluginBase,
+    plugin_safe_id,
+    plugin_schema,
+    plugin_table_prefix,
+)
 from palette_sdk.db.rls import ensure_org_rls
 
-__all__ = ["OrgScopedTable", "PluginBase", "ensure_org_rls"]
+__all__ = [
+    "OrgScopedTable",
+    "PluginBase",
+    "ensure_org_rls",
+    "plugin_safe_id",
+    "plugin_schema",
+    "plugin_table_prefix",
+]

package/backend-sdk/palette_sdk/db/base.py

@@ -11,6 +11,23 @@ from sqlalchemy import BigInteger, Index
 from sqlalchemy.orm import DeclarativeBase, Mapped, declared_attr, mapped_column
 
 
+def plugin_safe_id(plugin_id: str) -> str:
+    """Return the DB-safe form of a plugin id."""
+    import re
+
+    return re.sub(r"[^a-z0-9_]", "_", plugin_id.lower())
+
+
+def plugin_schema(plugin_id: str) -> str:
+    """Return the Postgres schema name owned by a plugin."""
+    return f"app_{plugin_safe_id(plugin_id)}"
+
+
+def plugin_table_prefix(plugin_id: str) -> str:
+    """Return the required table-name prefix for plugin-owned tables."""
+    return f"{plugin_safe_id(plugin_id)}__"
+
+
 class PluginBase(DeclarativeBase):
     """Declarative base for plugin models.
 

package/docs/python-backend-sdk.md

@@ -183,7 +183,7 @@ from palette_sdk import OrgScopedTable
 
 
 class Invoice(OrgScopedTable):
-    __tablename__ = "invoices"
+    __tablename__ = "finance_tools__invoices"
 
     id: Mapped[int] = mapped_column(primary_key=True)
     customer_name: Mapped[str] = mapped_column(String(255), nullable=False)
@@ -191,8 +191,10 @@ class Invoice(OrgScopedTable):
     status: Mapped[str] = mapped_column(String(32), default="draft")
 ```
 
-`OrgScopedTable` adds `organization_id` automatically. Do not manually set
-`organization_id` in route code; `ctx.repo(Model)` handles it.
+`OrgScopedTable` adds `organization_id` automatically. Table names must start
+with the app prefix (`finance_tools__` for `finance-tools`) so app-owned data is
+easy to identify and validate. Do not manually set `organization_id` in route
+code; `ctx.repo(Model)` handles it.
 
 ### Migration Example
 
@@ -210,22 +212,22 @@ down_revision = None
 
 def upgrade():
     op.create_table(
-        "invoices",
+        "finance_tools__invoices",
         sa.Column("id", sa.Integer(), primary_key=True),
         sa.Column("organization_id", sa.BigInteger(), nullable=False),
         sa.Column("customer_name", sa.String(length=255), nullable=False),
         sa.Column("amount", sa.Numeric(12, 2), nullable=False),
         sa.Column("status", sa.String(length=32), nullable=False),
     )
-    op.create_index("ix_invoices_org", "invoices", ["organization_id"])
-    ensure_org_rls(op, "invoices")
+    op.create_index("ix_finance_tools__invoices_org", "finance_tools__invoices", ["organization_id"])
+    ensure_org_rls(op, "finance_tools__invoices")
 
 
 def downgrade():
-    op.drop_table("invoices")
+    op.drop_table("finance_tools__invoices")
 ```
 
-`ensure_org_rls(op, "invoices")` enables row-level security so each
+`ensure_org_rls(op, "finance_tools__invoices")` enables row-level security so each
 organization can only access its own rows.
 
 ## 7. Repository CRUD

package/lib/commands/build.js

@@ -19,9 +19,35 @@ const BANNED_PATTERNS = [
   { re: /\bDROP\s+SCHEMA\b/i, reason: "DROP SCHEMA is not allowed in plugin migrations" },
 ]
 
-function lintMigrationFile(absPath) {
+function pluginSafeId(pluginId) {
+  return String(pluginId || "").toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
+function pluginSchema(pluginId) {
+  return `app_${pluginSafeId(pluginId)}`
+}
+
+function pluginTablePrefix(pluginId) {
+  return `${pluginSafeId(pluginId)}__`
+}
+
+function crossPluginSchemaRefs(src, allowedSchema) {
+  if (!allowedSchema) return []
+  const refs = new Set()
+  const re = /(^|[^a-z0-9_])"?((?:app)_[a-z0-9_]+)"?\s*\./gi
+  let match
+  while ((match = re.exec(src)) !== null) {
+    const schema = match[2].toLowerCase()
+    if (schema !== allowedSchema) refs.add(schema)
+  }
+  return [...refs].sort()
+}
+
+function lintMigrationFile(absPath, pluginId) {
   const issues = []
   const src = fs.readFileSync(absPath, "utf8")
+  const requiredPrefix = pluginId ? pluginTablePrefix(pluginId) : null
+  const allowedSchema = pluginId ? pluginSchema(pluginId) : null
 
   for (const { re, reason } of BANNED_PATTERNS) {
     if (re.test(src)) {
@@ -29,12 +55,16 @@ function lintMigrationFile(absPath) {
     }
   }
 
+  for (const schema of crossPluginSchemaRefs(src, allowedSchema)) {
+    issues.push(`${path.basename(absPath)}: plugin migrations must not reference another app schema (${schema})`)
+  }
+
   // Every op.create_table("foo", ...) in the file must have a matching
   // ensure_org_rls(op, "foo") somewhere in the same file. Caveat: this is a
   // cheap syntactic check, not a full AST walk. If your table name is dynamic
   // or your migration is unusual, you can silence the check by adding the
   // magic comment `# palette:rls-ok` on the same logical migration.
-  if (/#\s*palette:rls-ok\b/.test(src)) return issues
+  const skipRlsCheck = /#\s*palette:rls-ok\b/.test(src)
 
   const tableNames = new Set()
   const createTableRe = /op\.create_table\(\s*['"]([a-zA-Z_][a-zA-Z0-9_]*)['"]/g
@@ -44,8 +74,13 @@ function lintMigrationFile(absPath) {
   }
 
   for (const name of tableNames) {
+    if (requiredPrefix && !name.startsWith(requiredPrefix)) {
+      issues.push(
+        `${path.basename(absPath)}: create_table("${name}") must use the app table prefix "${requiredPrefix}"`,
+      )
+    }
     const rlsRe = new RegExp(`ensure_org_rls\\(\\s*op\\s*,\\s*['"]${name}['"]`)
-    if (!rlsRe.test(src)) {
+    if (!skipRlsCheck && !rlsRe.test(src)) {
       issues.push(
         `${path.basename(absPath)}: create_table("${name}") is missing ensure_org_rls(op, "${name}"). ` +
           `Inherit from OrgScopedTable and call ensure_org_rls, or mark the migration with # palette:rls-ok if the table is intentionally global.`,
@@ -56,7 +91,7 @@ function lintMigrationFile(absPath) {
   return issues
 }
 
-function lintMigrationsDir(migrationsDir) {
+function lintMigrationsDir(migrationsDir, pluginId) {
   const errors = []
   const versionsDir = path.join(migrationsDir, "versions")
   if (!fs.existsSync(versionsDir)) {
@@ -66,7 +101,7 @@ function lintMigrationsDir(migrationsDir) {
   for (const entry of fs.readdirSync(versionsDir)) {
     if (!entry.endsWith(".py")) continue
     const abs = path.join(versionsDir, entry)
-    errors.push(...lintMigrationFile(abs))
+    errors.push(...lintMigrationFile(abs, pluginId))
   }
   return errors
 }
@@ -92,7 +127,7 @@ async function run(args, { cwd }) {
     } else if (!fs.existsSync(path.join(migrationsAbs, "env.py"))) {
       errors.push(`database.migrations directory is missing env.py: ${migrationsRel}`)
     } else {
-      errors.push(...lintMigrationsDir(migrationsAbs))
+      errors.push(...lintMigrationsDir(migrationsAbs, manifest.id))
     }
   }
 
@@ -107,3 +142,4 @@ async function run(args, { cwd }) {
 module.exports = run
 module.exports.lintMigrationsDir = lintMigrationsDir
 module.exports.lintMigrationFile = lintMigrationFile
+module.exports.pluginTablePrefix = pluginTablePrefix

package/lib/commands/init.js

@@ -19,6 +19,10 @@ function toSlug(name) {
     .replace(/^-|-$/g, "")
 }
 
+function toDbSafeId(pluginId) {
+  return pluginId.toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
 function fetchTemplate(destDir) {
   const git = spawnSync(
     "git",
@@ -69,11 +73,16 @@ function rewriteScaffold(destDir, slug, displayName) {
   if (!fs.existsSync(manifestPath)) return
   const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"))
   const originalId = manifest.id
+  const originalDbSafeId = originalId ? toDbSafeId(originalId) : null
+  const nextDbSafeId = toDbSafeId(slug)
   if (originalId && originalId !== slug) {
     walkFiles(destDir, (filePath) => {
       try {
         const before = fs.readFileSync(filePath, "utf8")
-        const after = before.split(originalId).join(slug)
+        let after = before.split(originalId).join(slug)
+        if (originalDbSafeId && originalDbSafeId !== nextDbSafeId) {
+          after = after.split(originalDbSafeId).join(nextDbSafeId)
+        }
         if (after !== before) fs.writeFileSync(filePath, after)
       } catch (_err) {
         // Ignore non-text files. Templates are expected to be text, but this
@@ -85,7 +94,7 @@ function rewriteScaffold(destDir, slug, displayName) {
   rewrittenManifest.id = slug
   rewrittenManifest.name = displayName
   if (rewrittenManifest.database?.schema) {
-    rewrittenManifest.database.schema = `app_${slug.replace(/-/g, "_")}`
+    rewrittenManifest.database.schema = `app_${nextDbSafeId}`
   }
   fs.writeFileSync(manifestPath, JSON.stringify(rewrittenManifest, null, 2) + "\n")
 }

package/lib/commands/test.js

@@ -252,7 +252,7 @@ function lintMigrations(cwd, manifest, out) {
   if (!fs.existsSync(path.join(migrationsAbs, "env.py"))) {
     return out.fail(`database.migrations directory is missing env.py: ${migrationsRel}`)
   }
-  const errors = buildCommand.lintMigrationsDir(migrationsAbs)
+  const errors = buildCommand.lintMigrationsDir(migrationsAbs, manifest.id)
   for (const err of errors) out.fail(err)
   if (errors.length === 0) out.ok("migration lint passed")
   return errors.length

package/lib/manifest.js

@@ -69,6 +69,18 @@ function isObject(v) {
   return v !== null && typeof v === "object" && !Array.isArray(v)
 }
 
+function pluginSafeId(pluginId) {
+  return String(pluginId || "").toLowerCase().replace(/[^a-z0-9_]/g, "_")
+}
+
+function expectedPluginSchema(pluginId) {
+  return `app_${pluginSafeId(pluginId)}`
+}
+
+function expectedTablePrefix(pluginId) {
+  return `${pluginSafeId(pluginId)}__`
+}
+
 function unknownKeys(obj, allowed, label, errors) {
   if (!isObject(obj)) return
   for (const key of Object.keys(obj)) {
@@ -249,11 +261,21 @@ function validateManifest(m) {
       }
       if (m.database.schema !== undefined && !/^app_[a-z0-9_]+$/.test(m.database.schema)) {
         errors.push("database.schema must match /^app_[a-z0-9_]+$/")
+      } else if (m.database.schema !== undefined && m.id && m.database.schema !== expectedPluginSchema(m.id)) {
+        errors.push(`database.schema must be ${expectedPluginSchema(m.id)} for plugin ${m.id}`)
       }
     }
   }
 
   validateArray(m.shared_tables, "shared_tables", errors)
+  if (Array.isArray(m.shared_tables) && m.id) {
+    const prefix = expectedTablePrefix(m.id)
+    for (const table of m.shared_tables) {
+      if (typeof table === "string" && !table.startsWith(prefix)) {
+        errors.push(`shared_tables entries must use the app table prefix "${prefix}": ${table}`)
+      }
+    }
+  }
   validateArray(m.permissions, "permissions", errors)
   if (Array.isArray(m.permissions)) {
     const seen = new Set()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@palettelab/cli",
-  "version": "0.3.29",
+  "version": "0.3.30",
   "description": "Developer CLI for building Palette platform plugins — no platform source access required.",
   "bin": {
     "pltt": "bin/pltt.js"

package/template-fallback/templates/database/backend/api/models.py

@@ -5,7 +5,7 @@ from palette_sdk.db import OrgScopedTable
 
 
 class Note(OrgScopedTable):
-    __tablename__ = "notes"
+    __tablename__ = "my_db_plugin__notes"
 
     id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
     body: Mapped[str] = mapped_column(Text, nullable=False)

package/template-fallback/templates/database/backend/migrations/versions/001_init.py

@@ -11,15 +11,15 @@ down_revision = None
 
 def upgrade() -> None:
     op.create_table(
-        "notes",
+        "my_db_plugin__notes",
         sa.Column("id", sa.Integer(), primary_key=True, autoincrement=True),
         sa.Column("organization_id", sa.BigInteger(), nullable=False),
         sa.Column("body", sa.Text(), nullable=False),
     )
-    op.create_index("ix_notes_org", "notes", ["organization_id"])
-    ensure_org_rls(op, "notes")
+    op.create_index("ix_my_db_plugin__notes_org", "my_db_plugin__notes", ["organization_id"])
+    ensure_org_rls(op, "my_db_plugin__notes")
 
 
 def downgrade() -> None:
-    op.drop_index("ix_notes_org", table_name="notes")
-    op.drop_table("notes")
+    op.drop_index("ix_my_db_plugin__notes_org", table_name="my_db_plugin__notes")
+    op.drop_table("my_db_plugin__notes")