@pya-platform/shared 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,9 @@
+# @pya/shared
+
+## 0.1.0
+
+### Minor Changes
+
+- a9ca6bf: Initial release of the Pya platform packages. Extracted from `pyaeats-app`, consumed by `pyaeats-app` (food delivery) and `pyaserv` (services classifieds).
+
+  Each package exposes a Hono router factory (auth/cms/reviews/comments) or a typed helper (email/audit/cf) parameterised over Cloudflare D1 + KV bindings. UI primitives ship as Lit web components on top of `@pya/tokens` (CSS custom properties). See `ROADMAP.md` and `docs/phase-6-rollout.md` for the consumer cutover plan.

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@pya-platform/shared",
+  "version": "0.1.0",
+  "private": false,
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/undeadliner/pya-platform.git"
+  },
+  "type": "module",
+  "description": "Common Valibot schemas, id helpers, money/time primitives — shared by every Pya project.",
+  "exports": {
+    ".": "./src/index.ts",
+    "./schemas/*": "./src/schemas/*.ts"
+  },
+  "scripts": {
+    "type-check": "tsc --noEmit",
+    "test": "echo '@pya/shared has no tests yet'"
+  },
+  "dependencies": {
+    "effect": "^3.10.0",
+    "valibot": "^1.0.0"
+  }
+}

package/src/errors.ts

@@ -0,0 +1,81 @@
+import { Data } from 'effect'
+
+/** Domain-tagged errors. Mapped to HTTP by `mapErrorToResponse`. */
+export class UnauthorizedError extends Data.TaggedError('Unauthorized')<{
+  readonly reason: string
+}> {}
+
+export class ForbiddenError extends Data.TaggedError('Forbidden')<{
+  readonly required: string
+}> {}
+
+export class NotFoundError extends Data.TaggedError('NotFound')<{
+  readonly resource: string
+  readonly id?: string
+}> {}
+
+export class ValidationError extends Data.TaggedError('Validation')<{
+  readonly issues: readonly { readonly path: string; readonly message: string }[]
+}> {}
+
+export class ConflictError extends Data.TaggedError('Conflict')<{
+  readonly reason: string
+}> {}
+
+export class RateLimitedError extends Data.TaggedError('RateLimited')<{
+  readonly retryAfterSec: number
+}> {}
+
+export class UpstreamError extends Data.TaggedError('Upstream')<{
+  readonly provider: string
+  readonly status: number
+}> {}
+
+export class InvalidTokenError extends Data.TaggedError('InvalidToken')<{
+  readonly reason: string
+}> {}
+
+export class IdentityConflictError extends Data.TaggedError('IdentityConflict')<{
+  readonly provider: string
+}> {}
+
+export class ProviderNotEnabledError extends Data.TaggedError('ProviderNotEnabled')<{
+  readonly provider: string
+}> {}
+
+export type DomainError =
+  | UnauthorizedError
+  | ForbiddenError
+  | NotFoundError
+  | ValidationError
+  | ConflictError
+  | RateLimitedError
+  | UpstreamError
+  | InvalidTokenError
+  | IdentityConflictError
+  | ProviderNotEnabledError
+
+export const mapErrorToStatus = (error: DomainError): number => {
+  switch (error._tag) {
+    case 'Unauthorized':
+      return 401
+    case 'Forbidden':
+      return 403
+    case 'NotFound':
+      return 404
+    case 'Validation':
+      return 422
+    case 'Conflict':
+      return 409
+    case 'RateLimited':
+      return 429
+    case 'Upstream':
+      return 502
+    case 'InvalidToken':
+      return 401
+    case 'IdentityConflict':
+      return 409
+    case 'ProviderNotEnabled':
+      return 501
+  }
+}

package/src/index.ts

@@ -0,0 +1,10 @@
+// @pya-platform/shared — common Valibot schemas, id helpers, domain
+// errors, type primitives. Consumed by every Pya project (PyaEats, PyaServ,
+// …) and by the rest of the platform packages.
+
+export * from './schemas/id.ts'
+export * from './schemas/user.ts'
+export * from './schemas/session.ts'
+export * from './schemas/passkey.ts'
+export * from './schemas/oauth.ts'
+export * from './errors.ts'

package/src/schemas/id.ts

@@ -0,0 +1,20 @@
+import * as v from 'valibot'
+
+export const UuidSchema = v.pipe(
+  v.string(),
+  v.regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, 'Invalid UUID'),
+)
+export type Uuid = v.InferOutput<typeof UuidSchema>
+
+/** UUID v7 — time-ordered, sortable, monotonic enough for our load levels. */
+export const uuidV7 = (): string => {
+  const ts = BigInt(Date.now())
+  const rand = crypto.getRandomValues(new Uint8Array(10))
+  const tsHex = ts.toString(16).padStart(12, '0')
+  const a = tsHex.slice(0, 8)
+  const b = tsHex.slice(8, 12)
+  const c = `7${((rand[0] ?? 0) & 0x0f).toString(16).padStart(1, '0')}${(rand[1] ?? 0).toString(16).padStart(2, '0')}`
+  const d = `${(((rand[2] ?? 0) & 0x3f) | 0x80).toString(16).padStart(2, '0')}${(rand[3] ?? 0).toString(16).padStart(2, '0')}`
+  const e = Array.from(rand.slice(4, 10), (x) => x.toString(16).padStart(2, '0')).join('')
+  return `${a}-${b}-${c}-${d}-${e}`
+}

package/src/schemas/oauth.ts

@@ -0,0 +1,12 @@
+import * as v from 'valibot'
+import { EmailSchema, IdentityProviderSchema } from './user.ts'
+
+export const ProviderClaimsSchema = v.object({
+  provider: IdentityProviderSchema,
+  subject: v.pipe(v.string(), v.minLength(1), v.maxLength(255)),
+  email: EmailSchema,
+  emailVerified: v.boolean(),
+  displayName: v.optional(v.pipe(v.string(), v.maxLength(120))),
+  locale: v.optional(v.string()),
+})
+export type ProviderClaims = v.InferOutput<typeof ProviderClaimsSchema>

package/src/schemas/passkey.ts

@@ -0,0 +1,32 @@
+import * as v from 'valibot'
+import { EmailSchema } from './user.ts'
+
+export const StartBodySchema = v.object({
+  email: EmailSchema,
+  force: v.optional(v.picklist(['otp'])),
+  redirect: v.optional(v.string()),
+})
+export type StartBody = v.InferOutput<typeof StartBodySchema>
+
+export const OtpVerifyBodySchema = v.object({
+  email: EmailSchema,
+  code: v.pipe(v.string(), v.regex(/^\d{6}$/)),
+})
+export type OtpVerifyBody = v.InferOutput<typeof OtpVerifyBodySchema>
+
+/**
+ * Passkey authentication assertion — shape comes from SimpleWebAuthn library;
+ * we keep it as `record(unknown)` at the boundary and let the lib validate.
+ */
+export const PasskeyAuthVerifyBodySchema = v.object({
+  email: EmailSchema,
+  assertion: v.record(v.string(), v.unknown()),
+})
+export type PasskeyAuthVerifyBody = v.InferOutput<typeof PasskeyAuthVerifyBodySchema>
+
+export const PasskeyRegisterVerifyBodySchema = v.object({
+  challengeId: v.pipe(v.string(), v.minLength(1)),
+  attestation: v.record(v.string(), v.unknown()),
+  label: v.optional(v.pipe(v.string(), v.maxLength(80))),
+})
+export type PasskeyRegisterVerifyBody = v.InferOutput<typeof PasskeyRegisterVerifyBodySchema>

package/src/schemas/session.ts

@@ -0,0 +1,27 @@
+import * as v from 'valibot'
+import { UuidSchema } from './id.ts'
+import { RoleSchema } from './user.ts'
+
+/** Stored in KV under key `sess:<sid>`. Never sent to the client. */
+export const SessionRecordSchema = v.object({
+  userId: UuidSchema,
+  roles: v.array(RoleSchema),
+  storeIds: v.array(UuidSchema),
+  iat: v.number(),
+  lastSeen: v.number(),
+  ipHash: v.string(),
+  uaHash: v.string(),
+  mfaAt: v.optional(v.number()),
+})
+export type SessionRecord = v.InferOutput<typeof SessionRecordSchema>
+
+/** Stored in KV under key `oauth:state:<state>`, TTL 600s. */
+export const OAuthStateSchema = v.object({
+  verifier: v.string(),
+  provider: v.picklist(['google', 'apple', 'facebook']),
+  redirectAfter: v.string(),
+  nonce: v.string(),
+  intent: v.optional(v.picklist(['login', 'link'])),
+  currentUserId: v.optional(UuidSchema),
+})
+export type OAuthState = v.InferOutput<typeof OAuthStateSchema>

package/src/schemas/user.ts

@@ -0,0 +1,61 @@
+import * as v from 'valibot'
+import { UuidSchema } from './id.ts'
+
+/** Application roles. Customer is implicit when no other role applies.
+ *  `system` is a synthetic actor used by cron / background jobs for
+ *  transitions (e.g. auto-cancel after acknowledge window). */
+export const RoleSchema = v.picklist([
+  'customer',
+  'store_owner',
+  'store_staff',
+  'courier',
+  'admin',
+  'super_admin',
+  'system',
+])
+export type Role = v.InferOutput<typeof RoleSchema>
+
+export const OAuthProviderSchema = v.picklist(['google', 'apple', 'facebook'])
+export type OAuthProvider = v.InferOutput<typeof OAuthProviderSchema>
+
+/** Includes email as an identity provider (magic link). */
+export const IdentityProviderSchema = v.picklist(['google', 'apple', 'facebook', 'email'])
+export type IdentityProvider = v.InferOutput<typeof IdentityProviderSchema>
+
+export const EmailSchema = v.pipe(v.string(), v.email(), v.toLowerCase(), v.maxLength(254))
+export type Email = v.InferOutput<typeof EmailSchema>
+
+export const LocaleSchema = v.picklist(['es-PY', 'gn-PY'])
+export type Locale = v.InferOutput<typeof LocaleSchema>
+
+export const UserStatusSchema = v.picklist(['active', 'suspended', 'deleted'])
+export type UserStatus = v.InferOutput<typeof UserStatusSchema>
+
+export const UserSchema = v.object({
+  id: UuidSchema,
+  email: EmailSchema,
+  emailVerified: v.boolean(),
+  displayName: v.optional(v.string()),
+  locale: v.optional(LocaleSchema, 'es-PY'),
+  createdAt: v.number(),
+  status: UserStatusSchema,
+})
+export type User = v.InferOutput<typeof UserSchema>
+
+export const UserIdentitySchema = v.object({
+  userId: UuidSchema,
+  provider: OAuthProviderSchema,
+  subject: v.string(),
+  emailAtLink: v.optional(EmailSchema),
+  linkedAt: v.number(),
+})
+export type UserIdentity = v.InferOutput<typeof UserIdentitySchema>
+
+export const RoleAssignmentSchema = v.object({
+  userId: UuidSchema,
+  role: RoleSchema,
+  storeId: v.optional(UuidSchema),
+  grantedBy: v.optional(UuidSchema),
+  grantedAt: v.number(),
+})
+export type RoleAssignment = v.InferOutput<typeof RoleAssignmentSchema>

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist",
+    "noEmit": true
+  },
+  "include": ["src/**/*.ts"]
+}