@percepta/create 3.1.5 → 3.2.0

package/templates/webapp/src/server/trpc.ts

@@ -1,8 +1,17 @@
+import type { PermissionClient, SubjectRef } from "@percepta/access-control";
+import {
+  createRequireApplicationAccess,
+  createRequirePermission,
+} from "@percepta/access-control/trpc";
 import { TRPCError, initTRPC } from "@trpc/server";
-import { headers } from "next/headers";
 import superjson from "superjson";
-import { type BetterAuthSession, auth } from "../lib/auth";
+import { accessManifest } from "../access/access.manifest";
+import { type BetterAuthSession, getServerSession } from "../lib/auth";
 import { AuthContextService } from "../services/AuthContextService";
+import {
+  getAccessControl,
+  toUserSubject,
+} from "../services/access/AppAccessControl";
 import { getTracer } from "../services/logger/AppLogger";
 
 export interface Context {
@@ -16,16 +25,23 @@ export interface ProtectedContext extends Context {
   session: BetterAuthSession;
 }
 
-export async function createContext(): Promise<Context> {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
+const lazyPermissionClient = {
+  can(check) {
+    return getAccessControl().permissions.can(check);
+  },
+} satisfies Pick<PermissionClient, "can">;
 
+function getCurrentSubject(ctx: Context): SubjectRef | null {
+  const userId = ctx.session?.user.id;
+  return userId == null ? null : toUserSubject(userId);
+}
+
+export async function createContext(): Promise<Context> {
   const services: Context["services"] = {
     authContext: AuthContextService.create(),
   };
 
-  return { session, services };
+  return { session: await getServerSession(), services };
 }
 
 export const { router, procedure } = initTRPC.context<Context>().create({
@@ -42,7 +58,7 @@ export const { router, procedure } = initTRPC.context<Context>().create({
   },
 });
 
-export const protectedProcedure = procedure.use(
+const requireAuthenticatedUser = procedure.use(
   ({ ctx, next }): ReturnType<typeof next<ProtectedContext>> => {
     const {
       session,
@@ -59,3 +75,21 @@ export const protectedProcedure = procedure.use(
     );
   },
 );
+
+const requireApplicationAccess =
+  createRequireApplicationAccess<ProtectedContext>({
+    accessControl: lazyPermissionClient,
+    getSubject: getCurrentSubject,
+    manifest: accessManifest,
+  });
+
+export const requirePermission = createRequirePermission<ProtectedContext>({
+  accessControl: lazyPermissionClient,
+  getSubject: getCurrentSubject,
+});
+
+export const protectedProcedure = requireAuthenticatedUser;
+
+export const appProcedure = requireAuthenticatedUser.use(
+  requireApplicationAccess,
+);

package/templates/webapp/src/services/DatabaseService.ts

@@ -1,7 +1,6 @@
 import { AsyncLocalStorage } from "node:async_hooks";
 import { type NodePgDatabase } from "drizzle-orm/node-postgres";
 import { db } from "../drizzle/db";
-import type * as schema from "../drizzle/schema";
 
 export class DatabaseService {
   private static SINGLETON: DatabaseService | undefined;
@@ -15,10 +14,10 @@ export class DatabaseService {
 
   private transactionAsyncLocalStorage = new AsyncLocalStorage<LocalStorage>();
 
-  private constructor(private database: NodePgDatabase<typeof schema>) {}
+  private constructor(private database: NodePgDatabase) {}
 
   public async createTransaction<TReturn>(
-    callback: (txn: NodePgDatabase<typeof schema>) => Promise<TReturn>,
+    callback: (txn: NodePgDatabase) => Promise<TReturn>,
   ): Promise<TReturn> {
     const currentContext = this.transactionAsyncLocalStorage.getStore();
     if (currentContext != null) {
@@ -47,8 +46,8 @@ export class DatabaseService {
   }
 }
 
-type Database = Omit<NodePgDatabase<typeof schema>, "transaction">;
+type Database = Omit<NodePgDatabase, "transaction">;
 
 interface LocalStorage {
-  txn: NodePgDatabase<typeof schema>;
+  txn: NodePgDatabase;
 }

package/templates/webapp/src/services/access/AppAccessControl.ts

@@ -0,0 +1,39 @@
+import {
+  type AppAccessRuntime,
+  createAppAccessRuntime,
+} from "@percepta/access-control";
+import { accessManifest } from "../../access/access.manifest";
+import { getEnvConfig } from "../../config/getEnvConfig";
+
+export type AppAccessControl = AppAccessRuntime<typeof accessManifest>;
+
+const appAccessRuntime = createAppAccessRuntime({
+  manifest: accessManifest,
+  spicedb: () => {
+    const {
+      NODE_ENV: nodeEnv,
+      SPICEDB_ENDPOINT: endpoint,
+      SPICEDB_INSECURE: insecure,
+      SPICEDB_PRESHARED_KEY: presharedKey,
+    } = getEnvConfig();
+
+    return {
+      endpoint,
+      insecure,
+      nodeEnv,
+      presharedKey,
+    };
+  },
+});
+
+export function canAccessApplication(userId: string): Promise<boolean> {
+  return appAccessRuntime.canAccessApplication(userId);
+}
+
+export function getAccessControl(): AppAccessControl {
+  return appAccessRuntime.getAccessControl();
+}
+
+export function toUserSubject(userId: string) {
+  return appAccessRuntime.toUserSubject(userId);
+}

package/dist/init-OeK4Yk6_.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"init-OeK4Yk6_.js","names":[],"sources":["../src/commands/init.ts"],"sourcesContent":["import path from \"node:path\";\nimport chalk from \"chalk\";\nimport fs from \"fs-extra\";\nimport inquirer from \"inquirer\";\nimport {\n  writeManifest,\n  manifestExists,\n  derivePlaceholders,\n  type MosaicManifest,\n} from \"../utils/manifest.js\";\nimport { isValidProjectType, VALID_PROJECT_TYPES } from \"../utils/prompts.js\";\n\nexport interface InitOptions {\n  type?: string;\n  templateVersion?: string;\n}\n\nexport async function initCommand(options: InitOptions): Promise<void> {\n  const cwd = process.cwd();\n\n  if (await manifestExists(cwd)) {\n    console.error(\n      chalk.red(\".mosaic-template.json already exists in this directory.\"),\n    );\n    process.exit(1);\n  }\n\n  // Auto-detect app name from package.json\n  const pkgPath = path.join(cwd, \"package.json\");\n  let appName = path.basename(cwd);\n  if (await fs.pathExists(pkgPath)) {\n    const pkg = JSON.parse(await fs.readFile(pkgPath, \"utf-8\"));\n    appName = pkg.name?.replace(/^@[^/]+\\//, \"\") || appName;\n  }\n\n  // Determine template type\n  let templateType = options.type;\n  if (templateType && !isValidProjectType(templateType)) {\n    console.error(\n      chalk.red(\n        `Invalid template type \"${templateType}\". Valid types: ${VALID_PROJECT_TYPES.join(\", \")}`,\n      ),\n    );\n    process.exit(1);\n  }\n  if (!templateType) {\n    const answer = await inquirer.prompt([\n      {\n        type: \"list\",\n        name: \"type\",\n        message: \"Template type:\",\n        choices: [\"webapp\", \"library\"],\n      },\n    ]);\n    templateType = answer.type;\n  }\n\n  const templateVersion = options.templateVersion || \"1.0.0\";\n\n  // Derive placeholders from app name\n  const appTitle = appName\n    .split(\"-\")\n    .map((w: string) => w.charAt(0).toUpperCase() + w.slice(1))\n    .join(\" \");\n\n  const manifest: MosaicManifest = {\n    templateType: templateType!,\n    templateVersion,\n    templateCommit: \"unknown\",\n    createdAt: new Date().toISOString(),\n    placeholders: derivePlaceholders(appName, appTitle),\n    source: {\n      templatePath: `packages/create-mosaic-module/templates/${templateType}`,\n    },\n  };\n\n  await writeManifest(cwd, manifest);\n\n  // Create mosaic-template-notes.md if it doesn't exist\n  const notesPath = path.join(cwd, \"mosaic-template-notes.md\");\n  if (!(await fs.pathExists(notesPath))) {\n    await fs.writeFile(\n      notesPath,\n      `# Mosaic Divergence Notes\\n\\nDocument intentional differences from the ${templateType} template here.\\nClaude reads this file during sync to preserve your customizations.\\n\\n## Intentional Divergences\\n\\n`,\n    );\n  }\n\n  console.log();\n  console.log(\n    chalk.green(\"\\u2714\"),\n    chalk.bold(\"Initialized .mosaic-template.json\"),\n  );\n  console.log();\n  console.log(chalk.dim(\"  Template:\"), templateType);\n  console.log(chalk.dim(\"  Version:\"), templateVersion);\n  console.log(chalk.dim(\"  App name:\"), appName);\n  console.log();\n  console.log(\n    chalk.dim(\n      \"Review .mosaic-template.json and mosaic-template-notes.md, then commit them.\",\n    ),\n  );\n  console.log();\n}\n"],"mappings":";;;;;;AAiBA,eAAsB,YAAY,SAAqC;CACrE,MAAM,MAAM,QAAQ,KAAK;AAEzB,KAAI,MAAM,eAAe,IAAI,EAAE;AAC7B,UAAQ,MACN,MAAM,IAAI,0DAA0D,CACrE;AACD,UAAQ,KAAK,EAAE;;CAIjB,MAAM,UAAU,KAAK,KAAK,KAAK,eAAe;CAC9C,IAAI,UAAU,KAAK,SAAS,IAAI;AAChC,KAAI,MAAM,GAAG,WAAW,QAAQ,CAE9B,WADY,KAAK,MAAM,MAAM,GAAG,SAAS,SAAS,QAAQ,CAC7C,CAAC,MAAM,QAAQ,aAAa,GAAG,IAAI;CAIlD,IAAI,eAAe,QAAQ;AAC3B,KAAI,gBAAgB,CAAC,mBAAmB,aAAa,EAAE;AACrD,UAAQ,MACN,MAAM,IACJ,0BAA0B,aAAa,kBAAkB,oBAAoB,KAAK,KAAK,GACxF,CACF;AACD,UAAQ,KAAK,EAAE;;AAEjB,KAAI,CAAC,aASH,iBAAe,MARM,SAAS,OAAO,CACnC;EACE,MAAM;EACN,MAAM;EACN,SAAS;EACT,SAAS,CAAC,UAAU,UAAU;EAC/B,CACF,CAAC,EACoB;CAGxB,MAAM,kBAAkB,QAAQ,mBAAmB;CAGnD,MAAM,WAAW,QACd,MAAM,IAAI,CACV,KAAK,MAAc,EAAE,OAAO,EAAE,CAAC,aAAa,GAAG,EAAE,MAAM,EAAE,CAAC,CAC1D,KAAK,IAAI;AAaZ,OAAM,cAAc,KAAK;EAVT;EACd;EACA,gBAAgB;EAChB,4BAAW,IAAI,MAAM,EAAC,aAAa;EACnC,cAAc,mBAAmB,SAAS,SAAS;EACnD,QAAQ,EACN,cAAc,2CAA2C,gBAC1D;EAG8B,CAAC;CAGlC,MAAM,YAAY,KAAK,KAAK,KAAK,2BAA2B;AAC5D,KAAI,CAAE,MAAM,GAAG,WAAW,UAAU,CAClC,OAAM,GAAG,UACP,WACA,0EAA0E,aAAa,wHACxF;AAGH,SAAQ,KAAK;AACb,SAAQ,IACN,MAAM,MAAM,IAAS,EACrB,MAAM,KAAK,oCAAoC,CAChD;AACD,SAAQ,KAAK;AACb,SAAQ,IAAI,MAAM,IAAI,cAAc,EAAE,aAAa;AACnD,SAAQ,IAAI,MAAM,IAAI,aAAa,EAAE,gBAAgB;AACrD,SAAQ,IAAI,MAAM,IAAI,cAAc,EAAE,QAAQ;AAC9C,SAAQ,KAAK;AACb,SAAQ,IACN,MAAM,IACJ,+EACD,CACF;AACD,SAAQ,KAAK"}

package/templates/webapp/scripts/create-user.ts

@@ -1,47 +0,0 @@
-#!/usr/bin/env tsx
-
-import { AsyncLocalStorage } from "node:async_hooks";
-import { loadEnvConfig } from "@next/env";
-import yargs from "yargs";
-import { hideBin } from "yargs/helpers";
-
-async function main(): Promise<void> {
-  loadEnvConfig(process.cwd());
-  globalThis.AsyncLocalStorage = AsyncLocalStorage;
-
-  const { email, password, name } = yargs(hideBin(process.argv))
-    .usage(
-      "Usage: tsx scripts/create-user.ts <email> <password> [--name <name>]",
-    )
-    .command("$0 <email> <password>", "Create a new user.")
-    .positional("email", {
-      type: "string",
-      demandOption: true,
-    })
-    .positional("password", {
-      type: "string",
-      demandOption: true,
-    })
-    .option("name", {
-      alias: "n",
-      describe: "Display name for the user.",
-      type: "string",
-      demandOption: true,
-    })
-    .strict()
-    .help(false)
-    .parseSync();
-
-  // Dynamically load because we need to load the environment variables before importing modules that depend on them.
-  const { auth } = await import("../src/lib/auth");
-
-  // Create user via Better Auth's signUpEmail API (handles password hashing + account creation)
-  const { user } = await auth.api.signUpEmail({
-    body: { email, password, name },
-  });
-
-  console.log(`User "${user.id}" created successfully.`);
-  process.exit(0);
-}
-
-void main();

package/templates/webapp/src/drizzle/schema/auth/users.ts

@@ -1,38 +0,0 @@
-import { sql } from "drizzle-orm";
-import {
-  boolean,
-  pgTable,
-  text,
-  timestamp,
-  uniqueIndex,
-  uuid,
-} from "drizzle-orm/pg-core";
-
-/**
- * Users table for Better Auth.
- * @see https://better-auth.com/docs/concepts/database
- */
-export const users = pgTable(
-  "users",
-  {
-    id: uuid("id")
-      .$defaultFn(() => crypto.randomUUID())
-      .primaryKey(),
-    name: text("name").notNull(),
-    email: text("email").notNull().unique(),
-    emailVerified: boolean("email_verified").notNull().default(false),
-    image: text("image"),
-    role: text("role").notNull().default("user"),
-    banned: boolean("banned").default(false),
-    banReason: text("ban_reason"),
-    banExpires: timestamp("ban_expires", { mode: "date" }),
-    createdAt: timestamp("created_at").defaultNow().notNull(),
-    updatedAt: timestamp("updated_at").defaultNow().notNull(),
-  },
-  (table) => ({
-    emailIndex: uniqueIndex("lower_email_index").on(sql`lower(${table.email})`),
-  }),
-);
-
-export type User = typeof users.$inferSelect;
-export type NewUser = typeof users.$inferInsert;