@polymorphism-tech/morph-spec 4.6.0 → 4.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +394 -700
- package/docs/ARCHITECTURE.md +331 -0
- package/docs/CHEATSHEET.md +221 -0
- package/docs/COMMAND-FLOWS.md +368 -0
- package/docs/QUICKSTART.md +212 -0
- package/docs/examples/order-management/contracts.cs +84 -0
- package/docs/examples/order-management/proposal.md +24 -0
- package/docs/examples/order-management/spec.md +162 -0
- package/docs/plans/2026-02-23-ddd-architecture-refactor.md +1153 -0
- package/docs/plans/2026-02-23-ddd-nextsteps.md +682 -0
- package/docs/plans/2026-02-23-infra-architect-refactor.md +437 -0
- package/docs/plans/2026-02-23-nextjs-code-review-design.md +156 -0
- package/docs/plans/2026-02-23-nextjs-code-review-impl.md +1254 -0
- package/docs/plans/2026-02-23-nextjs-standards-design.md +149 -0
- package/docs/plans/2026-02-23-nextjs-standards-impl.md +1846 -0
- package/framework/agents/README.md +14 -14
- package/framework/agents/architecture/standards-architect.md +159 -159
- package/framework/agents/frontend/nextjs-expert.md +87 -127
- package/framework/agents/infrastructure/azure-architect.md +147 -147
- package/framework/agents/infrastructure/infra-architect.md +45 -0
- package/framework/agents.json +1145 -278
- package/framework/rules/frontend-standards.md +0 -3
- package/framework/rules/nextjs-standards.md +17 -0
- package/framework/skills/level-0-meta/code-review-nextjs/SKILL.md +147 -0
- package/framework/skills/level-0-meta/code-review-nextjs/references/review-example-nextjs.md +254 -0
- package/framework/skills/level-0-meta/tool-usage-guide/SKILL.md +3 -3
- package/framework/skills/level-1-workflows/phase-design/SKILL.md +45 -9
- package/framework/skills/level-1-workflows/phase-tasks/SKILL.md +38 -0
- package/framework/standards/STANDARDS.json +121 -0
- package/framework/standards/architecture/ddd/bounded-contexts.md +105 -0
- package/framework/standards/architecture/ddd/complexity-levels.md +108 -0
- package/framework/standards/architecture/ddd/ubiquitous-language.md +58 -0
- package/framework/standards/frontend/nextjs/app-router.md +123 -0
- package/framework/standards/frontend/nextjs/components.md +132 -0
- package/framework/standards/frontend/nextjs/data-fetching.md +126 -0
- package/framework/standards/frontend/nextjs/forms.md +128 -0
- package/framework/standards/frontend/nextjs/naming-conventions.md +67 -0
- package/framework/standards/frontend/nextjs/project-structure.md +102 -0
- package/framework/standards/frontend/nextjs/state-management.md +72 -0
- package/framework/standards/frontend/nextjs/testing.md +111 -0
- package/framework/templates/REGISTRY.json +538 -142
- package/framework/templates/code/dotnet/contracts/contracts-level1.cs +69 -0
- package/framework/templates/code/dotnet/contracts/contracts-level2.cs +86 -0
- package/framework/templates/code/dotnet/contracts/contracts-level3.cs +41 -0
- package/framework/templates/docs/spec.md +49 -0
- package/framework/templates/frontend/nextjs/Dockerfile.nextjs.hbs +43 -0
- package/framework/templates/frontend/nextjs/client-component.tsx.hbs +26 -0
- package/framework/templates/frontend/nextjs/env.mjs.hbs +32 -0
- package/framework/templates/frontend/nextjs/feature-form.tsx.hbs +56 -0
- package/framework/templates/frontend/nextjs/page.tsx.hbs +22 -0
- package/framework/templates/frontend/nextjs/tsconfig.json.hbs +26 -0
- package/framework/templates/frontend/nextjs/use-feature.ts.hbs +54 -0
- package/framework/templates/project-structure/dotnet-ddd.md +70 -0
- package/framework/workflows/docs/enforcement-pipeline.md +2 -1
- package/package.json +1 -1
- package/scripts/scan-nextjs.mjs +169 -0
- package/src/commands/project/doctor.js +52 -1
- package/src/commands/project/init.js +15 -1
- package/src/commands/project/update.js +6 -1
- package/src/lib/standards/standards-context-injector.js +5 -0
- package/src/lib/validators/nextjs/index.js +6 -0
- package/src/lib/validators/nextjs/next-component-validator.js +181 -0
- package/src/lib/validators/validation-runner.js +5 -0
- package/src/utils/agents-installer.js +14 -2
- package/.morph/.morphversion +0 -5
- package/.morph/analytics/threads-log.jsonl +0 -6
- package/.morph/config/config.json +0 -8
- package/.morph/framework/agents.json +0 -948
- package/.morph/framework/standards/STANDARDS.json +0 -812
- package/.morph/framework/standards/ai-agents/blazor-ui.md +0 -364
- package/.morph/framework/standards/ai-agents/production.md +0 -415
- package/.morph/framework/standards/ai-agents/setup.md +0 -418
- package/.morph/framework/standards/ai-agents/team-orchestration.md +0 -479
- package/.morph/framework/standards/ai-agents/workflows.md +0 -354
- package/.morph/framework/standards/architecture/ddd/aggregates.md +0 -120
- package/.morph/framework/standards/architecture/ddd/entities.md +0 -99
- package/.morph/framework/standards/architecture/ddd/value-objects.md +0 -124
- package/.morph/framework/standards/backend/api/minimal-api.md +0 -494
- package/.morph/framework/standards/backend/api/rest.md +0 -492
- package/.morph/framework/standards/backend/api/validation.md +0 -88
- package/.morph/framework/standards/backend/authentication/passkeys.md +0 -428
- package/.morph/framework/standards/backend/database/ef-core.md +0 -199
- package/.morph/framework/standards/backend/database/migrations.md +0 -393
- package/.morph/framework/standards/backend/database/postgresql/database.md +0 -352
- package/.morph/framework/standards/backend/database/repository-patterns.md +0 -528
- package/.morph/framework/standards/backend/database/vector-search-rag.md +0 -541
- package/.morph/framework/standards/backend/dotnet/async.md +0 -366
- package/.morph/framework/standards/backend/dotnet/core.md +0 -117
- package/.morph/framework/standards/backend/dotnet/di.md +0 -439
- package/.morph/framework/standards/backend/dotnet/program-cs-checklist.md +0 -92
- package/.morph/framework/standards/backend/integrations/asaas/asaas-api.md +0 -216
- package/.morph/framework/standards/backend/integrations/clerk/clerk-auth.md +0 -290
- package/.morph/framework/standards/backend/integrations/hangfire/hangfire-jobs.md +0 -350
- package/.morph/framework/standards/backend/integrations/resend/resend-email.md +0 -385
- package/.morph/framework/standards/context/analytics.md +0 -96
- package/.morph/framework/standards/context/bundles.md +0 -110
- package/.morph/framework/standards/context/priming.md +0 -78
- package/.morph/framework/standards/core/architecture.md +0 -185
- package/.morph/framework/standards/core/coding.md +0 -214
- package/.morph/framework/standards/core/git-branching-strategy.md +0 -403
- package/.morph/framework/standards/core/git.md +0 -185
- package/.morph/framework/standards/core/testing.md +0 -295
- package/.morph/framework/standards/data/nosql/blob-storage.md +0 -102
- package/.morph/framework/standards/data/nosql/cache/redis.md +0 -97
- package/.morph/framework/standards/data/nosql/cosmos-db.md +0 -118
- package/.morph/framework/standards/data/vector-search/azure-ai-search.md +0 -121
- package/.morph/framework/standards/data/vector-search/rag-chunking.md +0 -104
- package/.morph/framework/standards/frontend/blazor/design-checklist.md +0 -222
- package/.morph/framework/standards/frontend/blazor/fluent-ui-setup.md +0 -595
- package/.morph/framework/standards/frontend/blazor/fluent-ui.md +0 -137
- package/.morph/framework/standards/frontend/blazor/html-conversion.md +0 -184
- package/.morph/framework/standards/frontend/blazor/lifecycle.md +0 -195
- package/.morph/framework/standards/frontend/blazor/pitfalls.md +0 -198
- package/.morph/framework/standards/frontend/blazor/state.md +0 -191
- package/.morph/framework/standards/frontend/design-system/animations.md +0 -151
- package/.morph/framework/standards/frontend/design-system/naming.md +0 -64
- package/.morph/framework/standards/frontend/nextjs/nextjs-patterns.md +0 -215
- package/.morph/framework/standards/infrastructure/azure/azure.md +0 -624
- package/.morph/framework/standards/infrastructure/azure/bicep/bicep-patterns.md +0 -422
- package/.morph/framework/standards/infrastructure/azure/devops/azure-devops-setup.md +0 -516
- package/.morph/framework/standards/infrastructure/azure/devops/local-development.md +0 -520
- package/.morph/framework/standards/infrastructure/azure/services/functions.md +0 -486
- package/.morph/framework/standards/infrastructure/azure/services/service-bus.md +0 -459
- package/.morph/framework/standards/infrastructure/azure/services/storage.md +0 -407
- package/.morph/framework/standards/infrastructure/docker/easypanel-deploy.md +0 -196
- package/.morph/framework/standards/infrastructure/supabase/mcp-setup.md +0 -252
- package/.morph/framework/standards/infrastructure/supabase/supabase-auth.md +0 -176
- package/.morph/framework/standards/infrastructure/supabase/supabase-pgvector.md +0 -169
- package/.morph/framework/standards/infrastructure/supabase/supabase-rls.md +0 -184
- package/.morph/framework/standards/infrastructure/supabase/supabase-storage.md +0 -153
- package/.morph/framework/standards/integration/api/graphql.md +0 -91
- package/.morph/framework/standards/integration/api/grpc.md +0 -114
- package/.morph/framework/standards/integration/api/rest-design.md +0 -95
- package/.morph/framework/standards/integration/event-driven/cqrs.md +0 -101
- package/.morph/framework/standards/integration/event-driven/event-sourcing.md +0 -124
- package/.morph/framework/standards/integration/event-driven/service-bus.md +0 -95
- package/.morph/framework/standards/integration/mcp/mcp-tools.md +0 -384
- package/.morph/framework/standards/observability/logging.md +0 -131
- package/.morph/framework/standards/observability/metrics.md +0 -121
- package/.morph/framework/standards/observability/monitoring.md +0 -114
- package/.morph/framework/standards/observability/tracing.md +0 -132
- package/.morph/framework/standards/workflows/parallel-execution.md +0 -112
- package/.morph/framework/standards/workflows/thread-management.md +0 -113
- package/.morph/framework/templates/.idea/morph-templates.xml +0 -92
- package/.morph/framework/templates/.vscode/morph-templates.code-snippets +0 -186
- package/.morph/framework/templates/IDE-SNIPPETS.md +0 -266
- package/.morph/framework/templates/README.md +0 -814
- package/.morph/framework/templates/REGISTRY.json +0 -1492
- package/.morph/framework/templates/code/dotnet/backend/repository.cs +0 -141
- package/.morph/framework/templates/code/dotnet/backend/service.cs +0 -139
- package/.morph/framework/templates/code/dotnet/contracts/Commands.cs +0 -74
- package/.morph/framework/templates/code/dotnet/contracts/Entities.cs +0 -25
- package/.morph/framework/templates/code/dotnet/contracts/Queries.cs +0 -74
- package/.morph/framework/templates/code/dotnet/contracts/README.md +0 -74
- package/.morph/framework/templates/code/dotnet/contracts/api-contracts.cs +0 -173
- package/.morph/framework/templates/code/dotnet/contracts/contracts.cs +0 -217
- package/.morph/framework/templates/code/dotnet/contracts/contracts.cs.hbs +0 -172
- package/.morph/framework/templates/code/dotnet/database/migration.cs +0 -83
- package/.morph/framework/templates/code/dotnet/frontend/component.razor +0 -239
- package/.morph/framework/templates/code/dotnet/jobs/agent.cs +0 -163
- package/.morph/framework/templates/code/dotnet/jobs/job.cs +0 -171
- package/.morph/framework/templates/code/dotnet/test.cs +0 -239
- package/.morph/framework/templates/code/sql/rls-policy.sql +0 -57
- package/.morph/framework/templates/code/sql/supabase-migration.sql +0 -100
- package/.morph/framework/templates/code/sql/supabase-migration.template.sql +0 -113
- package/.morph/framework/templates/code/typescript/contracts.ts +0 -168
- package/.morph/framework/templates/context/CONTEXT-FEATURE.md +0 -276
- package/.morph/framework/templates/context/CONTEXT.md +0 -181
- package/.morph/framework/templates/docs/clarifications.md +0 -253
- package/.morph/framework/templates/docs/onboarding.md +0 -123
- package/.morph/framework/templates/docs/proposal.md +0 -182
- package/.morph/framework/templates/docs/schema-analysis.md +0 -119
- package/.morph/framework/templates/docs/spec.md +0 -149
- package/.morph/framework/templates/docs/ui-components.md +0 -124
- package/.morph/framework/templates/docs/ui-design-system.md +0 -76
- package/.morph/framework/templates/docs/ui-flows.md +0 -167
- package/.morph/framework/templates/docs/ui-mockups.md +0 -98
- package/.morph/framework/templates/docs/user-stories.md +0 -34
- package/.morph/framework/templates/examples/design-system-examples.md +0 -357
- package/.morph/framework/templates/examples/spec-examples.md +0 -90
- package/.morph/framework/templates/feature/decisions.md +0 -187
- package/.morph/framework/templates/feature/recap.md +0 -146
- package/.morph/framework/templates/feature/tasks.md +0 -199
- package/.morph/framework/templates/infrastructure/azure/Dockerfile.example +0 -82
- package/.morph/framework/templates/infrastructure/azure/README.md +0 -286
- package/.morph/framework/templates/infrastructure/azure/app-insights.bicep +0 -63
- package/.morph/framework/templates/infrastructure/azure/app-service.bicep +0 -164
- package/.morph/framework/templates/infrastructure/azure/container-app-env.bicep +0 -49
- package/.morph/framework/templates/infrastructure/azure/container-app.bicep +0 -156
- package/.morph/framework/templates/infrastructure/azure/deploy-checklist.md +0 -426
- package/.morph/framework/templates/infrastructure/azure/deploy.ps1 +0 -229
- package/.morph/framework/templates/infrastructure/azure/deploy.sh +0 -208
- package/.morph/framework/templates/infrastructure/azure/key-vault.bicep +0 -91
- package/.morph/framework/templates/infrastructure/azure/main.bicep +0 -189
- package/.morph/framework/templates/infrastructure/azure/parameters.dev.json +0 -29
- package/.morph/framework/templates/infrastructure/azure/parameters.prod.json +0 -29
- package/.morph/framework/templates/infrastructure/azure/parameters.staging.json +0 -29
- package/.morph/framework/templates/infrastructure/azure/sql-database.bicep +0 -103
- package/.morph/framework/templates/infrastructure/azure/storage.bicep +0 -106
- package/.morph/framework/templates/infrastructure/docker/Dockerfile.template +0 -58
- package/.morph/framework/templates/infrastructure/docker/docker-compose.template.yml +0 -67
- package/.morph/framework/templates/infrastructure/docker/dockerfile-api.dockerfile +0 -38
- package/.morph/framework/templates/infrastructure/docker/dockerfile-web.dockerfile +0 -48
- package/.morph/framework/templates/infrastructure/docker/easypanel.template.json +0 -54
- package/.morph/framework/templates/infrastructure/github/README.md +0 -593
- package/.morph/framework/templates/infrastructure/github/actions/azure-auth/action.yml.hbs +0 -22
- package/.morph/framework/templates/infrastructure/github/actions/docker-build-push/action.yml.hbs +0 -45
- package/.morph/framework/templates/infrastructure/github/actions/health-check/action.yml.hbs +0 -27
- package/.morph/framework/templates/infrastructure/github/workflows/deploy-azure-app-service.yml.hbs +0 -61
- package/.morph/framework/templates/infrastructure/github/workflows/deploy-easypanel.yml.hbs +0 -31
- package/.morph/framework/templates/infrastructure/github/workflows/docker-build-push.yml.hbs +0 -59
- package/.morph/framework/templates/infrastructure/github/workflows/dotnet-build.yml.hbs +0 -39
- package/.morph/framework/templates/integrations/asaas-client.cs +0 -387
- package/.morph/framework/templates/integrations/asaas-webhook.cs +0 -351
- package/.morph/framework/templates/integrations/azure-identity-config.cs +0 -288
- package/.morph/framework/templates/integrations/clerk-config.cs +0 -258
- package/.morph/framework/templates/meta-prompts/fusion/fusion-agent.md +0 -76
- package/.morph/framework/templates/meta-prompts/fusion/fusion-aggregator.md +0 -100
- package/.morph/framework/templates/meta-prompts/hops/hop-retry.md +0 -78
- package/.morph/framework/templates/meta-prompts/hops/hop-validation.md +0 -97
- package/.morph/framework/templates/meta-prompts/hops/hop-wrapper.md +0 -36
- package/.morph/framework/templates/meta-prompts/parallel-workers/parallel-coordinator.md +0 -113
- package/.morph/framework/templates/meta-prompts/parallel-workers/parallel-worker.md +0 -80
- package/.morph/framework/templates/meta-prompts/squad-leaders/backend-squad.md +0 -90
- package/.morph/framework/templates/meta-prompts/squad-leaders/frontend-squad.md +0 -126
- package/.morph/framework/templates/meta-prompts/squad-leaders/squad-leader.md +0 -43
- package/.morph/framework/templates/meta-prompts/validators/checkpoint-validator.md +0 -107
- package/.morph/framework/templates/meta-prompts/validators/pre-commit-validator.md +0 -95
- package/.morph/framework/templates/saas/subscription.cs +0 -347
- package/.morph/framework/templates/saas/tenant.cs +0 -338
- package/.morph/framework/templates/state.template.json +0 -17
- package/.morph/framework/templates/ui/FluentDesignTheme.cs +0 -149
- package/.morph/framework/templates/ui/MudTheme.cs +0 -281
- package/.morph/framework/templates/ui/design-system.css +0 -226
- package/.morph/logs/tool-failures.log +0 -7
- package/.morph/memory/pre-compact-2026-02-23T15-43-03-521Z.json +0 -16
- package/.morph/state.json +0 -48
- package/framework/templates/code/dotnet/contracts/contracts.cs +0 -217
- package/framework/templates/code/dotnet/contracts/contracts.cs.hbs +0 -172
|
@@ -1,184 +0,0 @@
|
|
|
1
|
-
# Supabase Row Level Security Standard
|
|
2
|
-
|
|
3
|
-
> **Scope:** nextjs-supabase
|
|
4
|
-
> **Layer:** 2 (on keyword)
|
|
5
|
-
> **Keywords:** supabase, rls, policy, security, row level security
|
|
6
|
-
> **Load When:** supabase rls keywords detected
|
|
7
|
-
|
|
8
|
-
Stack: Next.js 15 + Supabase + .NET Backend
|
|
9
|
-
|
|
10
|
-
## Core Rules
|
|
11
|
-
|
|
12
|
-
- ALWAYS enable RLS on every table: `ALTER TABLE t ENABLE ROW LEVEL SECURITY`
|
|
13
|
-
- NEVER rely solely on application-level filtering — RLS is the security boundary
|
|
14
|
-
- `service_role` key bypasses ALL RLS — use only on trusted backend
|
|
15
|
-
- ALWAYS create at least one policy after enabling RLS — otherwise no rows are accessible
|
|
16
|
-
- ALWAYS add indexes on columns used in RLS policies
|
|
17
|
-
|
|
18
|
-
## Policy Syntax
|
|
19
|
-
|
|
20
|
-
### USING vs WITH CHECK
|
|
21
|
-
|
|
22
|
-
| Clause | Applies To | Purpose |
|
|
23
|
-
|--------|-----------|---------|
|
|
24
|
-
| `USING (expr)` | SELECT, UPDATE, DELETE | Filter which existing rows are visible |
|
|
25
|
-
| `WITH CHECK (expr)` | INSERT, UPDATE | Validate new/modified row data |
|
|
26
|
-
|
|
27
|
-
```sql
|
|
28
|
-
-- SELECT: only see your own rows
|
|
29
|
-
CREATE POLICY "users_select_own" ON documents
|
|
30
|
-
FOR SELECT USING (user_id = auth.uid());
|
|
31
|
-
|
|
32
|
-
-- INSERT: can only insert rows owned by you
|
|
33
|
-
CREATE POLICY "users_insert_own" ON documents
|
|
34
|
-
FOR INSERT WITH CHECK (user_id = auth.uid());
|
|
35
|
-
|
|
36
|
-
-- UPDATE: can only see AND modify your own rows
|
|
37
|
-
CREATE POLICY "users_update_own" ON documents
|
|
38
|
-
FOR UPDATE
|
|
39
|
-
USING (user_id = auth.uid())
|
|
40
|
-
WITH CHECK (user_id = auth.uid());
|
|
41
|
-
|
|
42
|
-
-- DELETE: can only delete your own rows
|
|
43
|
-
CREATE POLICY "users_delete_own" ON documents
|
|
44
|
-
FOR DELETE USING (user_id = auth.uid());
|
|
45
|
-
```
|
|
46
|
-
|
|
47
|
-
## Auth Functions
|
|
48
|
-
|
|
49
|
-
| Function | Returns | Use Case |
|
|
50
|
-
|----------|---------|----------|
|
|
51
|
-
| `auth.uid()` | UUID of authenticated user | Ownership checks |
|
|
52
|
-
| `auth.jwt()` | Full JWT claims as JSON | Custom claims, roles, tenant ID |
|
|
53
|
-
| `auth.role()` | Current role string | Distinguish anon vs authenticated |
|
|
54
|
-
|
|
55
|
-
```sql
|
|
56
|
-
-- Access custom JWT claims
|
|
57
|
-
auth.jwt() ->> 'tenant_id'
|
|
58
|
-
auth.jwt() -> 'app_metadata' ->> 'role'
|
|
59
|
-
```
|
|
60
|
-
|
|
61
|
-
## Common Patterns
|
|
62
|
-
|
|
63
|
-
### 1. Ownership
|
|
64
|
-
|
|
65
|
-
```sql
|
|
66
|
-
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
|
|
67
|
-
|
|
68
|
-
CREATE POLICY "owner_all" ON documents
|
|
69
|
-
FOR ALL USING (user_id = auth.uid())
|
|
70
|
-
WITH CHECK (user_id = auth.uid());
|
|
71
|
-
```
|
|
72
|
-
|
|
73
|
-
### 2. Tenant Isolation
|
|
74
|
-
|
|
75
|
-
```sql
|
|
76
|
-
-- Requires tenant_id in JWT app_metadata
|
|
77
|
-
CREATE POLICY "tenant_isolation" ON orders
|
|
78
|
-
FOR ALL
|
|
79
|
-
USING (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
|
|
80
|
-
WITH CHECK (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);
|
|
81
|
-
```
|
|
82
|
-
|
|
83
|
-
### 3. Role-Based Access
|
|
84
|
-
|
|
85
|
-
```sql
|
|
86
|
-
-- Admins see everything, users see own
|
|
87
|
-
CREATE POLICY "admin_full_access" ON documents
|
|
88
|
-
FOR ALL USING (
|
|
89
|
-
auth.jwt() -> 'app_metadata' ->> 'role' = 'admin'
|
|
90
|
-
);
|
|
91
|
-
|
|
92
|
-
CREATE POLICY "user_own_access" ON documents
|
|
93
|
-
FOR ALL USING (user_id = auth.uid())
|
|
94
|
-
WITH CHECK (user_id = auth.uid());
|
|
95
|
-
```
|
|
96
|
-
|
|
97
|
-
### 4. Public Read, Authenticated Write
|
|
98
|
-
|
|
99
|
-
```sql
|
|
100
|
-
CREATE POLICY "public_read" ON posts
|
|
101
|
-
FOR SELECT USING (published = true);
|
|
102
|
-
|
|
103
|
-
CREATE POLICY "auth_write" ON posts
|
|
104
|
-
FOR INSERT WITH CHECK (auth.role() = 'authenticated');
|
|
105
|
-
```
|
|
106
|
-
|
|
107
|
-
### 5. Team/Organization Access
|
|
108
|
-
|
|
109
|
-
```sql
|
|
110
|
-
CREATE POLICY "team_access" ON projects
|
|
111
|
-
FOR SELECT USING (
|
|
112
|
-
EXISTS (
|
|
113
|
-
SELECT 1 FROM team_members
|
|
114
|
-
WHERE team_members.team_id = projects.team_id
|
|
115
|
-
AND team_members.user_id = auth.uid()
|
|
116
|
-
)
|
|
117
|
-
);
|
|
118
|
-
```
|
|
119
|
-
|
|
120
|
-
## Index Recommendations
|
|
121
|
-
|
|
122
|
-
Always index columns used in RLS policies for performance:
|
|
123
|
-
|
|
124
|
-
```sql
|
|
125
|
-
CREATE INDEX idx_documents_user_id ON documents (user_id);
|
|
126
|
-
CREATE INDEX idx_orders_tenant_id ON orders (tenant_id);
|
|
127
|
-
CREATE INDEX idx_team_members_lookup ON team_members (team_id, user_id);
|
|
128
|
-
```
|
|
129
|
-
|
|
130
|
-
## Testing RLS Policies
|
|
131
|
-
|
|
132
|
-
### Via SQL (Supabase SQL Editor)
|
|
133
|
-
|
|
134
|
-
```sql
|
|
135
|
-
-- Test as a specific user
|
|
136
|
-
SET request.jwt.claims = '{"sub": "user-uuid-here", "role": "authenticated",
|
|
137
|
-
"app_metadata": {"tenant_id": "tenant-uuid", "role": "admin"}}';
|
|
138
|
-
SET role = 'authenticated';
|
|
139
|
-
|
|
140
|
-
SELECT * FROM documents; -- should only return rows matching policy
|
|
141
|
-
|
|
142
|
-
RESET role;
|
|
143
|
-
RESET request.jwt.claims;
|
|
144
|
-
```
|
|
145
|
-
|
|
146
|
-
### Via Client (different auth contexts)
|
|
147
|
-
|
|
148
|
-
```ts
|
|
149
|
-
// Test with anon key (unauthenticated)
|
|
150
|
-
const anonClient = createClient(url, anonKey);
|
|
151
|
-
const { data } = await anonClient.from("documents").select("*");
|
|
152
|
-
// Should return empty if no public policy
|
|
153
|
-
|
|
154
|
-
// Test with authenticated user
|
|
155
|
-
const { data: userData } = await authClient.from("documents").select("*");
|
|
156
|
-
// Should return only user's rows
|
|
157
|
-
```
|
|
158
|
-
|
|
159
|
-
## Migration Pattern
|
|
160
|
-
|
|
161
|
-
```sql
|
|
162
|
-
-- migration: 001_enable_rls.sql
|
|
163
|
-
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
|
|
164
|
-
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
|
|
165
|
-
ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;
|
|
166
|
-
|
|
167
|
-
-- Always pair with policies
|
|
168
|
-
CREATE POLICY "documents_owner" ON documents
|
|
169
|
-
FOR ALL USING (user_id = auth.uid())
|
|
170
|
-
WITH CHECK (user_id = auth.uid());
|
|
171
|
-
```
|
|
172
|
-
|
|
173
|
-
## Common Mistakes
|
|
174
|
-
|
|
175
|
-
| Wrong | Right | Why |
|
|
176
|
-
|-------|-------|-----|
|
|
177
|
-
| Enable RLS without policies | Enable RLS + create policies | No policies = no access at all |
|
|
178
|
-
| `FOR ALL USING (true)` | Specific conditions per operation | Grants unrestricted access, defeats RLS |
|
|
179
|
-
| UPDATE with only USING | UPDATE with USING + WITH CHECK | User could change user_id to another user |
|
|
180
|
-
| Complex subqueries in policies | Simple conditions + indexed columns | Subqueries in policies cause N+1 perf issues |
|
|
181
|
-
| Using `anon` key as service_role | Separate keys, service_role only on backend | anon key respects RLS (correct), don't confuse |
|
|
182
|
-
| RLS on some tables but not others | RLS on ALL tables with user data | Attackers target unprotected tables |
|
|
183
|
-
| `auth.uid()` without null check | `auth.uid() IS NOT NULL AND user_id = auth.uid()` | Prevents anon access when policy is permissive |
|
|
184
|
-
| Forgetting junction table RLS | RLS on junction tables too | team_members without RLS leaks membership |
|
|
@@ -1,153 +0,0 @@
|
|
|
1
|
-
# Supabase Storage Standard
|
|
2
|
-
|
|
3
|
-
> **Scope:** nextjs-supabase
|
|
4
|
-
> **Layer:** 2 (on keyword)
|
|
5
|
-
> **Keywords:** supabase, storage, bucket, upload, file storage
|
|
6
|
-
> **Load When:** supabase storage keywords detected
|
|
7
|
-
|
|
8
|
-
Stack: Next.js 15 + Supabase + .NET Backend
|
|
9
|
-
|
|
10
|
-
## Core Rules
|
|
11
|
-
|
|
12
|
-
- ALWAYS use RLS policies on storage.objects for access control
|
|
13
|
-
- NEVER serve private files without signed URLs
|
|
14
|
-
- ALWAYS validate file type and size before upload
|
|
15
|
-
- Public buckets: anyone can read, still need auth for write
|
|
16
|
-
- Private buckets: require signed URLs or authenticated access
|
|
17
|
-
|
|
18
|
-
## Bucket Configuration
|
|
19
|
-
|
|
20
|
-
```sql
|
|
21
|
-
-- Public bucket (avatars, logos)
|
|
22
|
-
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
|
|
23
|
-
VALUES ('avatars', 'avatars', true, 2097152, ARRAY['image/jpeg','image/png','image/webp']);
|
|
24
|
-
|
|
25
|
-
-- Private bucket (documents, reports)
|
|
26
|
-
INSERT INTO storage.buckets (id, name, public, file_size_limit, allowed_mime_types)
|
|
27
|
-
VALUES ('documents', 'documents', false, 10485760, ARRAY['application/pdf','image/jpeg','image/png']);
|
|
28
|
-
```
|
|
29
|
-
|
|
30
|
-
| Setting | Public Bucket | Private Bucket |
|
|
31
|
-
|---------|--------------|----------------|
|
|
32
|
-
| Read access | Anyone via URL | Signed URL or auth required |
|
|
33
|
-
| Write access | RLS policy required | RLS policy required |
|
|
34
|
-
| Use case | Avatars, public images | Documents, reports |
|
|
35
|
-
|
|
36
|
-
## Storage RLS Policies
|
|
37
|
-
|
|
38
|
-
```sql
|
|
39
|
-
-- Users upload/view/delete in their own folder
|
|
40
|
-
CREATE POLICY "user_upload" ON storage.objects FOR INSERT
|
|
41
|
-
WITH CHECK (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
|
|
42
|
-
|
|
43
|
-
CREATE POLICY "user_select" ON storage.objects FOR SELECT
|
|
44
|
-
USING (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
|
|
45
|
-
|
|
46
|
-
CREATE POLICY "user_delete" ON storage.objects FOR DELETE
|
|
47
|
-
USING (bucket_id = 'documents' AND (storage.foldername(name))[1] = auth.uid()::text);
|
|
48
|
-
|
|
49
|
-
-- Public bucket: anyone reads, auth users upload to own folder
|
|
50
|
-
CREATE POLICY "public_read" ON storage.objects FOR SELECT
|
|
51
|
-
USING (bucket_id = 'avatars');
|
|
52
|
-
|
|
53
|
-
CREATE POLICY "auth_upload_avatar" ON storage.objects FOR INSERT
|
|
54
|
-
WITH CHECK (bucket_id = 'avatars' AND (storage.foldername(name))[1] = auth.uid()::text);
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
## Path Naming Convention
|
|
58
|
-
|
|
59
|
-
```
|
|
60
|
-
{bucket}/{user_id}/{category}/{filename}
|
|
61
|
-
avatars/{user_id}/profile.webp
|
|
62
|
-
documents/{user_id}/invoices/2026-01-invoice.pdf
|
|
63
|
-
```
|
|
64
|
-
|
|
65
|
-
First folder segment = user_id (enables simple RLS). Use lowercase, hyphens, include extension.
|
|
66
|
-
|
|
67
|
-
## Upload Patterns
|
|
68
|
-
|
|
69
|
-
### Browser Upload (Next.js)
|
|
70
|
-
|
|
71
|
-
```ts
|
|
72
|
-
async function uploadFile(file: File, userId: string) {
|
|
73
|
-
if (file.size > 10 * 1024 * 1024) throw new Error("File too large");
|
|
74
|
-
const allowedTypes = ["application/pdf", "image/jpeg", "image/png"];
|
|
75
|
-
if (!allowedTypes.includes(file.type)) throw new Error("Invalid type");
|
|
76
|
-
|
|
77
|
-
const path = `${userId}/uploads/${Date.now()}-${file.name}`;
|
|
78
|
-
const { data, error } = await supabase.storage
|
|
79
|
-
.from("documents")
|
|
80
|
-
.upload(path, file, { cacheControl: "3600", upsert: false, contentType: file.type });
|
|
81
|
-
if (error) throw error;
|
|
82
|
-
return data.path;
|
|
83
|
-
}
|
|
84
|
-
```
|
|
85
|
-
|
|
86
|
-
### Server Upload (.NET)
|
|
87
|
-
|
|
88
|
-
```csharp
|
|
89
|
-
public sealed class StorageService(Supabase.Client client, ILogger<StorageService> logger)
|
|
90
|
-
{
|
|
91
|
-
private static readonly string[] AllowedTypes = ["application/pdf", "image/jpeg", "image/png"];
|
|
92
|
-
|
|
93
|
-
public async Task<string> UploadAsync(
|
|
94
|
-
string bucket, string path, Stream stream,
|
|
95
|
-
string contentType, CancellationToken ct = default)
|
|
96
|
-
{
|
|
97
|
-
if (!AllowedTypes.Contains(contentType))
|
|
98
|
-
throw new ValidationException($"Invalid content type: {contentType}");
|
|
99
|
-
var response = await client.Storage.From(bucket)
|
|
100
|
-
.Upload(stream, path, new FileOptions { ContentType = contentType, Upsert = false });
|
|
101
|
-
return response;
|
|
102
|
-
}
|
|
103
|
-
}
|
|
104
|
-
```
|
|
105
|
-
|
|
106
|
-
## Download and Signed URLs
|
|
107
|
-
|
|
108
|
-
```ts
|
|
109
|
-
// Public bucket: direct URL
|
|
110
|
-
const { data } = supabase.storage.from("avatars").getPublicUrl("user-id/profile.webp");
|
|
111
|
-
|
|
112
|
-
// Private bucket: signed URL (time-limited)
|
|
113
|
-
const { data } = await supabase.storage
|
|
114
|
-
.from("documents").createSignedUrl("user-id/report.pdf", 3600); // 1 hour
|
|
115
|
-
|
|
116
|
-
// Download file content (returns Blob)
|
|
117
|
-
const { data } = await supabase.storage.from("documents").download("user-id/report.pdf");
|
|
118
|
-
```
|
|
119
|
-
|
|
120
|
-
## Image Transformations
|
|
121
|
-
|
|
122
|
-
```ts
|
|
123
|
-
const { data } = supabase.storage.from("avatars").getPublicUrl("user-id/photo.jpg", {
|
|
124
|
-
transform: { width: 200, height: 200, resize: "cover", quality: 80 },
|
|
125
|
-
});
|
|
126
|
-
```
|
|
127
|
-
|
|
128
|
-
| Parameter | Options | Default |
|
|
129
|
-
|-----------|---------|---------|
|
|
130
|
-
| `width` / `height` | 1-2500 px | original |
|
|
131
|
-
| `resize` | cover, contain, fill | cover |
|
|
132
|
-
| `quality` | 20-100 | 80 |
|
|
133
|
-
| `format` | origin, avif, webp | origin |
|
|
134
|
-
|
|
135
|
-
## File Validation
|
|
136
|
-
|
|
137
|
-
| Check | Client-Side | Server-Side | Bucket Config |
|
|
138
|
-
|-------|------------|-------------|---------------|
|
|
139
|
-
| File size | `file.size` | Stream length | `file_size_limit` |
|
|
140
|
-
| MIME type | `file.type` | Content-Type | `allowed_mime_types` |
|
|
141
|
-
| Extension | File name | File name | -- |
|
|
142
|
-
|
|
143
|
-
Always validate at all three levels. Client-side can be bypassed.
|
|
144
|
-
|
|
145
|
-
## Common Mistakes
|
|
146
|
-
|
|
147
|
-
| Wrong | Right | Why |
|
|
148
|
-
|-------|-------|-----|
|
|
149
|
-
| No RLS on storage.objects | Policies for each bucket | Anyone can read/write without policies |
|
|
150
|
-
| Private files via public URL | `createSignedUrl()` | Private bucket returns 403 without auth |
|
|
151
|
-
| User-provided filename as-is | Sanitize + timestamp prefix | Path traversal attacks, collisions |
|
|
152
|
-
| `upsert: true` by default | `upsert: false` | Prevents accidental file overwrites |
|
|
153
|
-
| Files without user folder | `{user_id}/...` path pattern | Cannot write simple RLS policies |
|
|
@@ -1,91 +0,0 @@
|
|
|
1
|
-
# Integration Standard: GraphQL
|
|
2
|
-
|
|
3
|
-
## When to Use GraphQL
|
|
4
|
-
✅ Client needs fine-grained field selection (mobile apps, different clients)
|
|
5
|
-
✅ Complex nested resource relationships (avoid N+1 with DataLoader)
|
|
6
|
-
✅ Real-time subscriptions alongside queries
|
|
7
|
-
❌ Simple CRUD APIs (REST is simpler)
|
|
8
|
-
❌ File upload as primary use case (use REST for uploads)
|
|
9
|
-
❌ When caching is critical (GraphQL caching is harder)
|
|
10
|
-
|
|
11
|
-
## Setup (Hot Chocolate)
|
|
12
|
-
```xml
|
|
13
|
-
<PackageReference Include="HotChocolate.AspNetCore" Version="14.*" />
|
|
14
|
-
<PackageReference Include="HotChocolate.Data.EntityFramework" Version="14.*" />
|
|
15
|
-
```
|
|
16
|
-
|
|
17
|
-
```csharp
|
|
18
|
-
builder.Services
|
|
19
|
-
.AddGraphQLServer()
|
|
20
|
-
.AddQueryType<QueryType>()
|
|
21
|
-
.AddMutationType<MutationType>()
|
|
22
|
-
.AddSubscriptionType<SubscriptionType>()
|
|
23
|
-
.AddProjections()
|
|
24
|
-
.AddFiltering()
|
|
25
|
-
.AddSorting()
|
|
26
|
-
.AddAuthorization();
|
|
27
|
-
|
|
28
|
-
app.MapGraphQL("/graphql");
|
|
29
|
-
```
|
|
30
|
-
|
|
31
|
-
## Query Type
|
|
32
|
-
```csharp
|
|
33
|
-
[QueryType]
|
|
34
|
-
public class QueryType
|
|
35
|
-
{
|
|
36
|
-
[UseProjection]
|
|
37
|
-
[UseFiltering]
|
|
38
|
-
[UseSorting]
|
|
39
|
-
[UsePaging]
|
|
40
|
-
public IQueryable<Order> GetOrders([Service] AppDbContext ctx) => ctx.Orders;
|
|
41
|
-
|
|
42
|
-
public async Task<Order?> GetOrder(Guid id, [Service] AppDbContext ctx)
|
|
43
|
-
=> await ctx.Orders.FindAsync(id);
|
|
44
|
-
}
|
|
45
|
-
```
|
|
46
|
-
|
|
47
|
-
## Mutation Type
|
|
48
|
-
```csharp
|
|
49
|
-
[MutationType]
|
|
50
|
-
public class MutationType
|
|
51
|
-
{
|
|
52
|
-
public async Task<CreateOrderPayload> CreateOrder(
|
|
53
|
-
CreateOrderInput input,
|
|
54
|
-
[Service] ISender sender)
|
|
55
|
-
{
|
|
56
|
-
var result = await sender.Send(new CreateOrderCommand(input.UserId, input.Items));
|
|
57
|
-
return new CreateOrderPayload(result.OrderId);
|
|
58
|
-
}
|
|
59
|
-
}
|
|
60
|
-
|
|
61
|
-
public record CreateOrderInput(Guid UserId, List<OrderItemInput> Items);
|
|
62
|
-
public record CreateOrderPayload(Guid OrderId);
|
|
63
|
-
```
|
|
64
|
-
|
|
65
|
-
## DataLoader (N+1 Prevention)
|
|
66
|
-
```csharp
|
|
67
|
-
public class UserDataLoader : BatchDataLoader<Guid, User>
|
|
68
|
-
{
|
|
69
|
-
protected override async Task<IReadOnlyDictionary<Guid, User>> LoadBatchAsync(
|
|
70
|
-
IReadOnlyList<Guid> keys, CancellationToken ct)
|
|
71
|
-
{
|
|
72
|
-
return await _context.Users
|
|
73
|
-
.Where(u => keys.Contains(u.Id))
|
|
74
|
-
.ToDictionaryAsync(u => u.Id, ct);
|
|
75
|
-
}
|
|
76
|
-
}
|
|
77
|
-
|
|
78
|
-
// Use in resolver
|
|
79
|
-
public async Task<User?> GetUser([Parent] Order order, UserDataLoader loader)
|
|
80
|
-
=> await loader.LoadAsync(order.UserId);
|
|
81
|
-
```
|
|
82
|
-
|
|
83
|
-
## Security
|
|
84
|
-
- Apply `[Authorize]` on mutations and sensitive queries
|
|
85
|
-
- Disable introspection in production
|
|
86
|
-
- Depth limiting: max 5 levels
|
|
87
|
-
- Complexity limiting: max 1000 nodes per query
|
|
88
|
-
```csharp
|
|
89
|
-
.AddMaxExecutionDepthRule(5)
|
|
90
|
-
.ModifyRequestOptions(opts => opts.MaxAllowedRequestSize = 1_000_000)
|
|
91
|
-
```
|
|
@@ -1,114 +0,0 @@
|
|
|
1
|
-
# Integration Standard: gRPC
|
|
2
|
-
|
|
3
|
-
## When to Use gRPC
|
|
4
|
-
✅ Internal service-to-service communication (high performance)
|
|
5
|
-
✅ Streaming (server-streaming for real-time data, client-streaming for uploads)
|
|
6
|
-
✅ Multi-language microservices (proto contracts shared across .NET, Go, Python)
|
|
7
|
-
❌ Browser-to-server (use gRPC-Web or REST instead)
|
|
8
|
-
❌ Debugging priority (binary format is harder to inspect than JSON)
|
|
9
|
-
|
|
10
|
-
## Setup
|
|
11
|
-
```xml
|
|
12
|
-
<PackageReference Include="Grpc.AspNetCore" Version="2.*" />
|
|
13
|
-
```
|
|
14
|
-
|
|
15
|
-
```csharp
|
|
16
|
-
// Program.cs
|
|
17
|
-
builder.Services.AddGrpc(opts =>
|
|
18
|
-
{
|
|
19
|
-
opts.EnableDetailedErrors = builder.Environment.IsDevelopment();
|
|
20
|
-
opts.MaxReceiveMessageSize = 4 * 1024 * 1024; // 4 MB
|
|
21
|
-
});
|
|
22
|
-
app.MapGrpcService<OrdersService>();
|
|
23
|
-
```
|
|
24
|
-
|
|
25
|
-
## Proto Definition
|
|
26
|
-
```protobuf
|
|
27
|
-
syntax = "proto3";
|
|
28
|
-
option csharp_namespace = "MyApp.Grpc";
|
|
29
|
-
|
|
30
|
-
service Orders {
|
|
31
|
-
rpc CreateOrder(CreateOrderRequest) returns (CreateOrderResponse);
|
|
32
|
-
rpc GetOrder(GetOrderRequest) returns (OrderResponse);
|
|
33
|
-
rpc StreamOrders(StreamOrdersRequest) returns (stream OrderResponse);
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
message CreateOrderRequest {
|
|
37
|
-
string user_id = 1;
|
|
38
|
-
repeated OrderItem items = 2;
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
message CreateOrderResponse {
|
|
42
|
-
string order_id = 1;
|
|
43
|
-
double total = 2;
|
|
44
|
-
}
|
|
45
|
-
```
|
|
46
|
-
|
|
47
|
-
## Service Implementation
|
|
48
|
-
```csharp
|
|
49
|
-
public class OrdersService : Orders.OrdersBase
|
|
50
|
-
{
|
|
51
|
-
public override async Task<CreateOrderResponse> CreateOrder(
|
|
52
|
-
CreateOrderRequest request, ServerCallContext context)
|
|
53
|
-
{
|
|
54
|
-
var cmd = new CreateOrderCommand(
|
|
55
|
-
Guid.Parse(request.UserId),
|
|
56
|
-
request.Items.Select(i => new OrderItem(i.ProductId, i.Quantity)).ToList());
|
|
57
|
-
|
|
58
|
-
var result = await _sender.Send(cmd, context.CancellationToken);
|
|
59
|
-
|
|
60
|
-
return new CreateOrderResponse
|
|
61
|
-
{
|
|
62
|
-
OrderId = result.OrderId.ToString(),
|
|
63
|
-
Total = (double)result.Total
|
|
64
|
-
};
|
|
65
|
-
}
|
|
66
|
-
|
|
67
|
-
public override async Task StreamOrders(
|
|
68
|
-
StreamOrdersRequest request,
|
|
69
|
-
IServerStreamWriter<OrderResponse> responseStream,
|
|
70
|
-
ServerCallContext context)
|
|
71
|
-
{
|
|
72
|
-
await foreach (var order in _service.GetOrderStreamAsync(context.CancellationToken))
|
|
73
|
-
{
|
|
74
|
-
await responseStream.WriteAsync(MapToResponse(order), context.CancellationToken);
|
|
75
|
-
if (context.CancellationToken.IsCancellationRequested) break;
|
|
76
|
-
}
|
|
77
|
-
}
|
|
78
|
-
}
|
|
79
|
-
```
|
|
80
|
-
|
|
81
|
-
## Client Setup
|
|
82
|
-
```csharp
|
|
83
|
-
// Program.cs (client service)
|
|
84
|
-
builder.Services.AddGrpcClient<Orders.OrdersClient>(opts =>
|
|
85
|
-
{
|
|
86
|
-
opts.Address = new Uri(config["Services:OrdersUrl"]);
|
|
87
|
-
})
|
|
88
|
-
.ConfigureChannel(opts =>
|
|
89
|
-
{
|
|
90
|
-
opts.HttpHandler = new SocketsHttpHandler
|
|
91
|
-
{
|
|
92
|
-
PooledConnectionIdleTimeout = Timeout.InfiniteTimeSpan,
|
|
93
|
-
KeepAlivePingDelay = TimeSpan.FromSeconds(60),
|
|
94
|
-
KeepAlivePingTimeout = TimeSpan.FromSeconds(30)
|
|
95
|
-
};
|
|
96
|
-
});
|
|
97
|
-
```
|
|
98
|
-
|
|
99
|
-
## Error Handling
|
|
100
|
-
```csharp
|
|
101
|
-
// Map exceptions to gRPC status codes
|
|
102
|
-
try
|
|
103
|
-
{
|
|
104
|
-
return await _service.ProcessAsync(request.Id);
|
|
105
|
-
}
|
|
106
|
-
catch (NotFoundException)
|
|
107
|
-
{
|
|
108
|
-
throw new RpcException(new Status(StatusCode.NotFound, "Order not found"));
|
|
109
|
-
}
|
|
110
|
-
catch (ValidationException ex)
|
|
111
|
-
{
|
|
112
|
-
throw new RpcException(new Status(StatusCode.InvalidArgument, ex.Message));
|
|
113
|
-
}
|
|
114
|
-
```
|
|
@@ -1,95 +0,0 @@
|
|
|
1
|
-
# Integration Standard: REST API Design
|
|
2
|
-
|
|
3
|
-
## URL Structure
|
|
4
|
-
```
|
|
5
|
-
GET /api/v1/orders — list (paginated)
|
|
6
|
-
GET /api/v1/orders/{id} — get by ID
|
|
7
|
-
POST /api/v1/orders — create
|
|
8
|
-
PUT /api/v1/orders/{id} — full update
|
|
9
|
-
PATCH /api/v1/orders/{id} — partial update
|
|
10
|
-
DELETE /api/v1/orders/{id} — delete
|
|
11
|
-
|
|
12
|
-
GET /api/v1/users/{id}/orders — nested resource (ownership)
|
|
13
|
-
POST /api/v1/orders/{id}/cancel — verb action (exception to noun rule)
|
|
14
|
-
```
|
|
15
|
-
|
|
16
|
-
## Request/Response Conventions
|
|
17
|
-
|
|
18
|
-
### Pagination (always paginate lists)
|
|
19
|
-
```json
|
|
20
|
-
// Request
|
|
21
|
-
GET /api/v1/orders?page=1&pageSize=20&sort=createdAt&order=desc
|
|
22
|
-
|
|
23
|
-
// Response
|
|
24
|
-
{
|
|
25
|
-
"data": [...],
|
|
26
|
-
"pagination": {
|
|
27
|
-
"page": 1,
|
|
28
|
-
"pageSize": 20,
|
|
29
|
-
"total": 150,
|
|
30
|
-
"totalPages": 8,
|
|
31
|
-
"hasNext": true,
|
|
32
|
-
"hasPrevious": false
|
|
33
|
-
}
|
|
34
|
-
}
|
|
35
|
-
```
|
|
36
|
-
|
|
37
|
-
### Error Response (RFC 7807 ProblemDetails)
|
|
38
|
-
```json
|
|
39
|
-
{
|
|
40
|
-
"type": "https://api.myapp.com/errors/validation",
|
|
41
|
-
"title": "Validation Failed",
|
|
42
|
-
"status": 422,
|
|
43
|
-
"detail": "One or more fields failed validation",
|
|
44
|
-
"instance": "/api/v1/orders",
|
|
45
|
-
"errors": {
|
|
46
|
-
"userId": ["UserId is required"],
|
|
47
|
-
"items": ["At least one item is required"]
|
|
48
|
-
}
|
|
49
|
-
}
|
|
50
|
-
```
|
|
51
|
-
|
|
52
|
-
## Status Codes
|
|
53
|
-
| Code | When |
|
|
54
|
-
|------|------|
|
|
55
|
-
| 200 OK | GET, PUT, PATCH success |
|
|
56
|
-
| 201 Created | POST success (include Location header) |
|
|
57
|
-
| 204 No Content | DELETE success |
|
|
58
|
-
| 400 Bad Request | Malformed request body |
|
|
59
|
-
| 401 Unauthorized | Missing/invalid auth token |
|
|
60
|
-
| 403 Forbidden | Valid token, insufficient permissions |
|
|
61
|
-
| 404 Not Found | Resource doesn't exist |
|
|
62
|
-
| 409 Conflict | Duplicate/optimistic lock conflict |
|
|
63
|
-
| 422 Unprocessable | Validation failures |
|
|
64
|
-
| 429 Too Many Requests | Rate limit exceeded (include Retry-After) |
|
|
65
|
-
| 500 Internal Server Error | Unexpected server error |
|
|
66
|
-
|
|
67
|
-
## Versioning
|
|
68
|
-
- URL versioning: `/api/v1/`, `/api/v2/`
|
|
69
|
-
- Never version via headers (poor discoverability)
|
|
70
|
-
- Maintain N-1 version for 6 months before deprecating
|
|
71
|
-
|
|
72
|
-
## Minimal API Setup (.NET 10)
|
|
73
|
-
```csharp
|
|
74
|
-
var ordersGroup = app.MapGroup("/api/v1/orders")
|
|
75
|
-
.RequireAuthorization()
|
|
76
|
-
.WithTags("Orders")
|
|
77
|
-
.WithOpenApi();
|
|
78
|
-
|
|
79
|
-
ordersGroup.MapGet("/", GetOrdersHandler)
|
|
80
|
-
.WithName("GetOrders")
|
|
81
|
-
.Produces<PagedResponse<OrderDto>>()
|
|
82
|
-
.Produces<ProblemDetails>(400);
|
|
83
|
-
|
|
84
|
-
ordersGroup.MapPost("/", CreateOrderHandler)
|
|
85
|
-
.WithName("CreateOrder")
|
|
86
|
-
.Produces<OrderDto>(201)
|
|
87
|
-
.Produces<ProblemDetails>(422);
|
|
88
|
-
```
|
|
89
|
-
|
|
90
|
-
## Security Requirements
|
|
91
|
-
- All endpoints require authentication (except /health, /api/docs)
|
|
92
|
-
- Authorization policy per endpoint (not just [Authorize])
|
|
93
|
-
- Rate limiting on write endpoints
|
|
94
|
-
- Input validation via FluentValidation
|
|
95
|
-
- Never expose internal IDs in error messages
|