@percepta/create 3.1.5 → 3.3.0

package/templates/webapp/src/app/(auth)/auth/signup/page.tsx

@@ -1,8 +1,7 @@
 import type { Metadata } from "next";
-import { headers } from "next/headers";
 import { redirect } from "next/navigation";
 import { Suspense } from "react";
-import { auth } from "../../../../lib/auth";
+import { getServerSession } from "../../../../lib/auth";
 import { CredentialsSignUpForm } from "./CredentialsSignUpForm";
 
 export const metadata: Metadata = {
@@ -10,9 +9,7 @@ export const metadata: Metadata = {
 };
 
 export default async function SignUpPage() {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
+  const session = await getServerSession();
 
   if (session?.user != null) {
     redirect("/");

package/templates/webapp/src/config/getEnvConfig.ts

@@ -59,6 +59,14 @@ export const { getEnvConfig, schema: ENV_CONFIG_SCHEMA } = createEnvConfig(
     ENCRYPTION_SECRET_KEY: z.string().optional(),
     TRIGGER_ENDPOINT_API_KEY: z.string().optional(),
 
+    // Access Control (SpiceDB):
+    SPICEDB_ENDPOINT: z.string().default("localhost:50051"),
+    SPICEDB_PRESHARED_KEY: z.string().default("dev-spicedb-token"),
+    SPICEDB_INSECURE: z
+      .string()
+      .transform((value: string): boolean => value === "true" || value === "1")
+      .default(true),
+
     // LLM/AI providers:
     ANTHROPIC_API_KEY: z.string().optional(),
     OPENAI_API_KEY: z.string().optional(),

package/templates/webapp/src/drizzle/db.ts

@@ -1,13 +1,12 @@
 import { type NodePgDatabase, drizzle } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { getEnvConfig } from "../config/getEnvConfig";
-import * as schema from "./schema";
 import { getPgSearchPathOption } from "./searchPath";
 import { getPgSslConfig } from "./ssl";
 
 export const { client, db } = createDb();
 
-function createDb(): { client: Pool; db: NodePgDatabase<typeof schema> } {
+function createDb(): { client: Pool; db: NodePgDatabase } {
   const {
     DATABASE_HOST: host,
     DATABASE_PORT: port,
@@ -18,7 +17,7 @@ function createDb(): { client: Pool; db: NodePgDatabase<typeof schema> } {
     DATABASE_USE_SSL: useSSL,
   } = getEnvConfig();
 
-  const _client = new Pool({
+  const pool = new Pool({
     host,
     port,
     user,
@@ -28,5 +27,5 @@ function createDb(): { client: Pool; db: NodePgDatabase<typeof schema> } {
     options: getPgSearchPathOption(databaseSchema),
   });
 
-  return { client: _client, db: drizzle(_client, { schema }) };
+  return { client: pool, db: drizzle(pool) };
 }

package/templates/webapp/src/drizzle/migrations/0000_eager_grandmaster.sql

@@ -1,57 +1 @@
-CREATE TABLE "account" (
-	"id" text PRIMARY KEY NOT NULL,
-	"user_id" uuid NOT NULL,
-	"account_id" text NOT NULL,
-	"provider_id" text NOT NULL,
-	"access_token" text,
-	"refresh_token" text,
-	"expires_at" integer,
-	"access_token_expires_at" timestamp,
-	"refresh_token_expires_at" timestamp,
-	"scope" text,
-	"id_token" text,
-	"password" text,
-	"created_at" timestamp NOT NULL,
-	"updated_at" timestamp NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "session" (
-	"id" text PRIMARY KEY NOT NULL,
-	"user_id" uuid NOT NULL,
-	"token" text NOT NULL,
-	"expires_at" timestamp NOT NULL,
-	"ip_address" text,
-	"user_agent" text,
-	"impersonated_by" text,
-	"created_at" timestamp NOT NULL,
-	"updated_at" timestamp NOT NULL,
-	CONSTRAINT "session_token_unique" UNIQUE("token")
-);
---> statement-breakpoint
-CREATE TABLE "users" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"name" text NOT NULL,
-	"email" text NOT NULL,
-	"email_verified" boolean DEFAULT false NOT NULL,
-	"image" text,
-	"role" text DEFAULT 'user' NOT NULL,
-	"banned" boolean DEFAULT false,
-	"ban_reason" text,
-	"ban_expires" timestamp,
-	"created_at" timestamp DEFAULT now() NOT NULL,
-	"updated_at" timestamp DEFAULT now() NOT NULL,
-	CONSTRAINT "users_email_unique" UNIQUE("email")
-);
---> statement-breakpoint
-CREATE TABLE "verification" (
-	"id" text PRIMARY KEY NOT NULL,
-	"identifier" text NOT NULL,
-	"value" text NOT NULL,
-	"expires_at" timestamp NOT NULL,
-	"created_at" timestamp,
-	"updated_at" timestamp
-);
---> statement-breakpoint
-ALTER TABLE "account" ADD CONSTRAINT "account_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "session" ADD CONSTRAINT "session_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-CREATE UNIQUE INDEX "lower_email_index" ON "users" USING btree (lower("email"));
+-- App-local migrations go here. Customer-global auth tables are migrated by ../../auth.

package/templates/webapp/src/drizzle/migrations/meta/0000_snapshot.json

@@ -3,353 +3,7 @@
   "prevId": "00000000-0000-0000-0000-000000000000",
   "version": "7",
   "dialect": "postgresql",
-  "tables": {
-    "public.account": {
-      "name": "account",
-      "schema": "",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true
-        },
-        "user_id": {
-          "name": "user_id",
-          "type": "uuid",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "account_id": {
-          "name": "account_id",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "provider_id": {
-          "name": "provider_id",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "access_token": {
-          "name": "access_token",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "refresh_token": {
-          "name": "refresh_token",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "expires_at": {
-          "name": "expires_at",
-          "type": "integer",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "access_token_expires_at": {
-          "name": "access_token_expires_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "refresh_token_expires_at": {
-          "name": "refresh_token_expires_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "scope": {
-          "name": "scope",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "id_token": {
-          "name": "id_token",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "password": {
-          "name": "password",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        }
-      },
-      "indexes": {},
-      "foreignKeys": {
-        "account_user_id_users_id_fk": {
-          "name": "account_user_id_users_id_fk",
-          "tableFrom": "account",
-          "tableTo": "users",
-          "columnsFrom": ["user_id"],
-          "columnsTo": ["id"],
-          "onDelete": "cascade",
-          "onUpdate": "no action"
-        }
-      },
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "policies": {},
-      "checkConstraints": {},
-      "isRLSEnabled": false
-    },
-    "public.session": {
-      "name": "session",
-      "schema": "",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true
-        },
-        "user_id": {
-          "name": "user_id",
-          "type": "uuid",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "token": {
-          "name": "token",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "expires_at": {
-          "name": "expires_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "ip_address": {
-          "name": "ip_address",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "user_agent": {
-          "name": "user_agent",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "impersonated_by": {
-          "name": "impersonated_by",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        }
-      },
-      "indexes": {},
-      "foreignKeys": {
-        "session_user_id_users_id_fk": {
-          "name": "session_user_id_users_id_fk",
-          "tableFrom": "session",
-          "tableTo": "users",
-          "columnsFrom": ["user_id"],
-          "columnsTo": ["id"],
-          "onDelete": "cascade",
-          "onUpdate": "no action"
-        }
-      },
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {
-        "session_token_unique": {
-          "name": "session_token_unique",
-          "nullsNotDistinct": false,
-          "columns": ["token"]
-        }
-      },
-      "policies": {},
-      "checkConstraints": {},
-      "isRLSEnabled": false
-    },
-    "public.users": {
-      "name": "users",
-      "schema": "",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "uuid",
-          "primaryKey": true,
-          "notNull": true
-        },
-        "name": {
-          "name": "name",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "email": {
-          "name": "email",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "email_verified": {
-          "name": "email_verified",
-          "type": "boolean",
-          "primaryKey": false,
-          "notNull": true,
-          "default": false
-        },
-        "image": {
-          "name": "image",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "role": {
-          "name": "role",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true,
-          "default": "'user'"
-        },
-        "banned": {
-          "name": "banned",
-          "type": "boolean",
-          "primaryKey": false,
-          "notNull": false,
-          "default": false
-        },
-        "ban_reason": {
-          "name": "ban_reason",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "ban_expires": {
-          "name": "ban_expires",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true,
-          "default": "now()"
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true,
-          "default": "now()"
-        }
-      },
-      "indexes": {
-        "lower_email_index": {
-          "name": "lower_email_index",
-          "columns": [
-            {
-              "expression": "lower(\"email\")",
-              "asc": true,
-              "isExpression": true,
-              "nulls": "last"
-            }
-          ],
-          "isUnique": true,
-          "concurrently": false,
-          "method": "btree",
-          "with": {}
-        }
-      },
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {
-        "users_email_unique": {
-          "name": "users_email_unique",
-          "nullsNotDistinct": false,
-          "columns": ["email"]
-        }
-      },
-      "policies": {},
-      "checkConstraints": {},
-      "isRLSEnabled": false
-    },
-    "public.verification": {
-      "name": "verification",
-      "schema": "",
-      "columns": {
-        "id": {
-          "name": "id",
-          "type": "text",
-          "primaryKey": true,
-          "notNull": true
-        },
-        "identifier": {
-          "name": "identifier",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "value": {
-          "name": "value",
-          "type": "text",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "expires_at": {
-          "name": "expires_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": true
-        },
-        "created_at": {
-          "name": "created_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": false
-        },
-        "updated_at": {
-          "name": "updated_at",
-          "type": "timestamp",
-          "primaryKey": false,
-          "notNull": false
-        }
-      },
-      "indexes": {},
-      "foreignKeys": {},
-      "compositePrimaryKeys": {},
-      "uniqueConstraints": {},
-      "policies": {},
-      "checkConstraints": {},
-      "isRLSEnabled": false
-    }
-  },
+  "tables": {},
   "enums": {},
   "schemas": {},
   "sequences": {},

package/templates/webapp/src/drizzle/schema/index.ts

@@ -1,4 +1,3 @@
-export { accounts } from "./auth/accounts";
-export { sessions } from "./auth/sessions";
-export { users } from "./auth/users";
-export { verifications } from "./auth/verifications";
+// App-local resource tables are exported from this module.
+// Customer-global auth tables are exported by @__REPO_NAME__/auth/schema.
+export {};

package/templates/webapp/src/lib/auth/index.ts

@@ -1,85 +1,10 @@
-import { betterAuth } from "better-auth";
-import { drizzleAdapter } from "better-auth/adapters/drizzle";
-import { admin } from "better-auth/plugins";
-import { getEnvConfig } from "../../config/getEnvConfig";
-import { db } from "../../drizzle/db";
-import { accounts } from "../../drizzle/schema/auth/accounts";
-import { sessions } from "../../drizzle/schema/auth/sessions";
-import { users } from "../../drizzle/schema/auth/users";
-import { verifications } from "../../drizzle/schema/auth/verifications";
-import { getLogger } from "../../services/logger/AppLogger";
+import { auth } from "@__REPO_NAME__/auth";
+import { headers } from "next/headers";
 
-// eslint-disable-next-line n/no-process-env -- detecting Next.js build phase
-const isBuildPhase = process.env.NEXT_PHASE === "phase-production-build";
+export { auth, type BetterAuthSession } from "@__REPO_NAME__/auth";
 
-function getSecret(): string {
-  if (isBuildPhase) {
-    return "build-placeholder-not-used-at-runtime";
-  }
-
-  const secret = getEnvConfig().BETTER_AUTH_SECRET;
-  if (secret == null) {
-    throw new Error(
-      "BETTER_AUTH_SECRET is required. Set it in your environment variables.",
-    );
-  }
-  return secret;
-}
-
-function createAuth() {
-  const config = getEnvConfig();
-
-  return betterAuth({
-    baseURL: config.BETTER_AUTH_URL,
-    secret: getSecret(),
-    database: drizzleAdapter(db, {
-      provider: "pg",
-      schema: {
-        user: users,
-        session: sessions,
-        account: accounts,
-        verification: verifications,
-      },
-    }),
-    emailAndPassword: {
-      enabled: true,
-    },
-    plugins: [admin()],
-    advanced: {
-      database: {
-        generateId: false,
-      },
-    },
-    logger: {
-      disabled: false,
-    },
+export async function getServerSession() {
+  return auth.api.getSession({
+    headers: await headers(),
   });
 }
-
-type Auth = ReturnType<typeof createAuth>;
-
-let _auth: Auth | undefined;
-
-function getAuth(): Auth {
-  if (_auth == null) {
-    _auth = createAuth();
-    getLogger().info(undefined, "Better Auth initialized");
-  }
-  return _auth;
-}
-
-/**
- * Lazy proxy that defers auth initialization to first access (runtime),
- * avoiding build-time evaluation of environment variables.
- */
-export const auth = new Proxy({} as Auth, {
-  get(_target, prop, receiver) {
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-return
-    return Reflect.get(getAuth(), prop, receiver);
-  },
-  has(_target, prop) {
-    return Reflect.has(getAuth(), prop);
-  },
-});
-
-export type BetterAuthSession = typeof auth.$Infer.Session;

package/templates/webapp/src/server/api/root.ts

@@ -1,5 +1,8 @@
 import { router } from "../trpc";
+import { accessRouter } from "./routers/access";
 
-export const appRouter = router({});
+export const appRouter = router({
+  access: accessRouter,
+});
 
 export type AppRouter = typeof appRouter;

package/templates/webapp/src/server/api/routers/access.ts

@@ -0,0 +1,13 @@
+import { accessManifest } from "../../../access/access.manifest";
+import { protectedProcedure, requirePermission, router } from "../../trpc";
+
+export const accessRouter = router({
+  roleManagementStatus: protectedProcedure
+    .use(
+      requirePermission({
+        permission: accessManifest.system.manageRolesPermission,
+        resource: accessManifest.system.ref(),
+      }),
+    )
+    .query(() => ({ canManageRoles: true })),
+});

package/templates/webapp/src/server/trpc.ts

@@ -1,8 +1,17 @@
+import type { PermissionClient, SubjectRef } from "@percepta/access-control";
+import {
+  createRequireApplicationAccess,
+  createRequirePermission,
+} from "@percepta/access-control/trpc";
 import { TRPCError, initTRPC } from "@trpc/server";
-import { headers } from "next/headers";
 import superjson from "superjson";
-import { type BetterAuthSession, auth } from "../lib/auth";
+import { accessManifest } from "../access/access.manifest";
+import { type BetterAuthSession, getServerSession } from "../lib/auth";
 import { AuthContextService } from "../services/AuthContextService";
+import {
+  getAccessControl,
+  toUserSubject,
+} from "../services/access/AppAccessControl";
 import { getTracer } from "../services/logger/AppLogger";
 
 export interface Context {
@@ -16,16 +25,23 @@ export interface ProtectedContext extends Context {
   session: BetterAuthSession;
 }
 
-export async function createContext(): Promise<Context> {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
+const lazyPermissionClient = {
+  can(check) {
+    return getAccessControl().permissions.can(check);
+  },
+} satisfies Pick<PermissionClient, "can">;
 
+function getCurrentSubject(ctx: Context): SubjectRef | null {
+  const userId = ctx.session?.user.id;
+  return userId == null ? null : toUserSubject(userId);
+}
+
+export async function createContext(): Promise<Context> {
   const services: Context["services"] = {
     authContext: AuthContextService.create(),
   };
 
-  return { session, services };
+  return { session: await getServerSession(), services };
 }
 
 export const { router, procedure } = initTRPC.context<Context>().create({
@@ -42,7 +58,7 @@ export const { router, procedure } = initTRPC.context<Context>().create({
   },
 });
 
-export const protectedProcedure = procedure.use(
+const requireAuthenticatedUser = procedure.use(
   ({ ctx, next }): ReturnType<typeof next<ProtectedContext>> => {
     const {
       session,
@@ -59,3 +75,21 @@ export const protectedProcedure = procedure.use(
     );
   },
 );
+
+const requireApplicationAccess =
+  createRequireApplicationAccess<ProtectedContext>({
+    accessControl: lazyPermissionClient,
+    getSubject: getCurrentSubject,
+    manifest: accessManifest,
+  });
+
+export const requirePermission = createRequirePermission<ProtectedContext>({
+  accessControl: lazyPermissionClient,
+  getSubject: getCurrentSubject,
+});
+
+export const protectedProcedure = requireAuthenticatedUser;
+
+export const appProcedure = requireAuthenticatedUser.use(
+  requireApplicationAccess,
+);