@pylonsync/create-pylon 0.3.53 → 0.3.55

package/templates/backend/b2b/apps/api/schema.ts

@@ -0,0 +1,171 @@
+import {
+	entity,
+	field,
+	query,
+	action,
+	policy,
+	buildManifest,
+} from "@pylonsync/sdk";
+
+// ---------------------------------------------------------------------------
+// Multi-tenant SaaS schema. The shape:
+//
+//   User       — global, one per real person (auth-managed)
+//   Org        — a tenant. Has a unique slug. Owner is the founding User.
+//   Membership — pivot row: which Users belong to which Orgs, and at
+//                what role (owner | admin | member).
+//   Project    — an org-scoped resource. Every row belongs to one Org;
+//                policies enforce that a query without `orgId` returns
+//                nothing.
+//
+// Pylon's policy expression language can read `auth.userId` and any
+// columns on the row. Cross-row checks (e.g. "is the caller a member
+// of this org?") are expressed by joining a Membership probe into the
+// allowRead/allowInsert/etc. expression.
+// ---------------------------------------------------------------------------
+
+const Org = entity("Org", {
+	slug: field.string(),
+	name: field.string(),
+	ownerId: field.id("User"),
+	createdAt: field.datetime(),
+});
+
+const Membership = entity("Membership", {
+	orgId: field.id("Org"),
+	userId: field.id("User"),
+	role: field.enum_(["owner", "admin", "member"]),
+	createdAt: field.datetime(),
+});
+
+const Project = entity("Project", {
+	orgId: field.id("Org"),
+	name: field.string(),
+	createdBy: field.id("User"),
+	archived: field.bool(),
+	createdAt: field.datetime(),
+});
+
+// ---------------------------------------------------------------------------
+// Function declarations
+// ---------------------------------------------------------------------------
+
+const myOrgs = query("myOrgs");
+const orgMembers = query("orgMembers");
+const orgProjects = query("orgProjects");
+
+const createOrg = action("createOrg", {
+	input: [
+		{ name: "slug", type: "string" },
+		{ name: "name", type: "string" },
+	],
+});
+
+const inviteMember = action("inviteMember", {
+	input: [
+		{ name: "orgId", type: "id(Org)" },
+		{ name: "userId", type: "id(User)" },
+		{ name: "role", type: "string" },
+	],
+});
+
+const removeMember = action("removeMember", {
+	input: [
+		{ name: "orgId", type: "id(Org)" },
+		{ name: "userId", type: "id(User)" },
+	],
+});
+
+const setMemberRole = action("setMemberRole", {
+	input: [
+		{ name: "orgId", type: "id(Org)" },
+		{ name: "userId", type: "id(User)" },
+		{ name: "role", type: "string" },
+	],
+});
+
+const createProject = action("createProject", {
+	input: [
+		{ name: "orgId", type: "id(Org)" },
+		{ name: "name", type: "string" },
+	],
+});
+
+const archiveProject = action("archiveProject", {
+	input: [{ name: "id", type: "id(Project)" }],
+});
+
+// ---------------------------------------------------------------------------
+// Policies — RBAC enforced on every read/write.
+//
+// Each entity's policy hooks read `auth.userId` and check membership
+// of the row's `orgId` via the Membership table. Pylon evaluates
+// policy expressions against the database, so a `Membership(orgId,
+// userId)` probe is a join the planner pushes into the same query —
+// no per-request round trip.
+// ---------------------------------------------------------------------------
+
+const orgPolicy = policy({
+	name: "org_membership",
+	entity: "Org",
+	// Anyone can read an org if they're a member; only the owner can update.
+	allowRead: "exists(Membership where orgId = data.id and userId = auth.userId)",
+	allowInsert: "auth.userId == data.ownerId",
+	allowUpdate: "data.ownerId == auth.userId",
+	allowDelete: "data.ownerId == auth.userId",
+});
+
+const membershipPolicy = policy({
+	name: "membership_admin",
+	entity: "Membership",
+	// You can see your own memberships, plus all memberships in any org
+	// where you're an owner/admin (so the admin UI can list everyone).
+	allowRead:
+		"data.userId == auth.userId or exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+	allowInsert:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+	allowUpdate:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+	allowDelete:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+});
+
+const projectPolicy = policy({
+	name: "project_org_scope",
+	entity: "Project",
+	// Tenant scope: you can only touch a project if you're a member of
+	// its org. Regardless of which `orgId` the client claims, the policy
+	// pulls the row's actual orgId and checks membership.
+	allowRead:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId)",
+	allowInsert:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId)",
+	// Only owners/admins can rename or archive.
+	allowUpdate:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+	allowDelete:
+		"exists(Membership where orgId = data.orgId and userId = auth.userId and (role = 'owner' or role = 'admin'))",
+});
+
+// ---------------------------------------------------------------------------
+// Manifest
+// ---------------------------------------------------------------------------
+
+const manifest = buildManifest({
+	name: "__APP_NAME_SNAKE__",
+	version: "0.0.1",
+	entities: [Org, Membership, Project],
+	queries: [myOrgs, orgMembers, orgProjects],
+	actions: [
+		createOrg,
+		inviteMember,
+		removeMember,
+		setMemberRole,
+		createProject,
+		archiveProject,
+	],
+	policies: [orgPolicy, membershipPolicy, projectPolicy],
+	routes: [],
+});
+
+console.log(JSON.stringify(manifest));

package/templates/backend/b2b/apps/api/tsconfig.json

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "strict": true,
+    "skipLibCheck": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true
+  },
+  "include": ["schema.ts", "functions/**/*.ts"]
+}

package/templates/backend/chat/apps/api/functions/createRoom.ts

@@ -0,0 +1,32 @@
+import { mutation, v } from "@pylonsync/functions";
+
+/**
+ * Create a chat room. Slug must be unique (lowercase + dashes).
+ */
+export default mutation({
+	args: { slug: v.string(), name: v.string() },
+	async handler(ctx, args: { slug: string; name: string }) {
+		if (!ctx.auth.userId) {
+			throw ctx.error("UNAUTHENTICATED", "log in first");
+		}
+		const slug = args.slug.trim().toLowerCase();
+		if (!/^[a-z0-9][a-z0-9-]{1,30}[a-z0-9]$/.test(slug)) {
+			throw ctx.error(
+				"INVALID_SLUG",
+				"slug must be 3–32 chars: lowercase letters, digits, dashes",
+			);
+		}
+		const name = args.name.trim();
+		if (!name) throw ctx.error("EMPTY_NAME", "room name cannot be empty");
+		const dup = (await ctx.db.query("Room", { slug })) as any[];
+		if (dup.length > 0) {
+			throw ctx.error("SLUG_TAKEN", `room slug "${slug}" is taken`);
+		}
+		const id = await ctx.db.insert("Room", {
+			slug,
+			name,
+			createdAt: new Date().toISOString(),
+		});
+		return await ctx.db.get("Room", id);
+	},
+});

package/templates/backend/chat/apps/api/functions/listRooms.ts

@@ -0,0 +1,15 @@
+import { query } from "@pylonsync/functions";
+
+/**
+ * Every room, oldest first (so the General room created on first run
+ * stays at the top regardless of activity).
+ */
+export default query({
+	args: {},
+	async handler(ctx) {
+		const rows = (await ctx.db.query("Room", {})) as any[];
+		return rows.sort(
+			(a, b) => Date.parse(a.createdAt) - Date.parse(b.createdAt),
+		);
+	},
+});

package/templates/backend/chat/apps/api/functions/roomMessages.ts

@@ -0,0 +1,20 @@
+import { query, v } from "@pylonsync/functions";
+
+/**
+ * Last 200 messages in a room, oldest first (chat-conventional —
+ * scroll up for history). For a real chat app, paginate via cursor;
+ * the scaffold caps at 200 since rendering more in a single FlatList
+ * / SwiftUI List without virtualization gets expensive.
+ */
+export default query({
+	args: { roomId: v.id("Room") },
+	async handler(ctx, args: { roomId: string }) {
+		const rows = (await ctx.db.query("Message", {
+			roomId: args.roomId,
+		})) as any[];
+		const sorted = [...rows].sort(
+			(a, b) => Date.parse(a.createdAt) - Date.parse(b.createdAt),
+		);
+		return sorted.slice(-200);
+	},
+});

package/templates/backend/chat/apps/api/functions/sendMessage.ts

@@ -0,0 +1,37 @@
+import { mutation, v } from "@pylonsync/functions";
+
+/**
+ * Append a message. authorId comes from `ctx.auth.userId`; the
+ * authorName the client passes is denormalized into the row so we
+ * don't have to join Profile (or any equivalent table) on every
+ * read. For real apps, swap this for a Profile join — denormalized
+ * names go stale when the user renames themselves.
+ */
+export default mutation({
+	args: {
+		roomId: v.id("Room"),
+		body: v.string(),
+		authorName: v.string(),
+	},
+	async handler(
+		ctx,
+		args: { roomId: string; body: string; authorName: string },
+	) {
+		if (!ctx.auth.userId) {
+			throw ctx.error("UNAUTHENTICATED", "log in first");
+		}
+		const body = args.body.trim();
+		if (!body) throw ctx.error("EMPTY_BODY", "message body cannot be empty");
+		if (body.length > 2000) {
+			throw ctx.error("TOO_LONG", "message capped at 2000 chars");
+		}
+		const id = await ctx.db.insert("Message", {
+			roomId: args.roomId,
+			authorId: ctx.auth.userId,
+			authorName: args.authorName.trim() || "anonymous",
+			body,
+			createdAt: new Date().toISOString(),
+		});
+		return await ctx.db.get("Message", id);
+	},
+});

package/templates/backend/chat/apps/api/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "@__APP_NAME_KEBAB__/api",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "pylon dev schema.ts --port 4321",
+    "build": "pylon codegen schema.ts --out pylon.manifest.json && pylon codegen client pylon.manifest.json --out pylon.client.ts",
+    "schema:push": "pylon schema push pylon.manifest.json --sqlite dev.db",
+    "schema:inspect": "pylon schema inspect --sqlite dev.db"
+  },
+  "dependencies": {
+    "@pylonsync/sdk": "^__PYLON_VERSION__",
+    "@pylonsync/functions": "^__PYLON_VERSION__"
+  },
+  "devDependencies": {
+    "@pylonsync/cli": "^__PYLON_VERSION__",
+    "typescript": "^5.5.0"
+  }
+}

package/templates/backend/chat/apps/api/schema.ts

@@ -0,0 +1,93 @@
+import {
+	entity,
+	field,
+	query,
+	action,
+	policy,
+	buildManifest,
+} from "@pylonsync/sdk";
+
+// ---------------------------------------------------------------------------
+// Realtime chat schema. The shape:
+//
+//   Room    — a chat channel. slug + name.
+//   Message — one row per message. roomId + authorId + body.
+//
+// Public reads inside a room (anyone can browse). Writes require a
+// signed-in user. For private rooms in production, add a Membership
+// entity and gate Room reads on it (mirrors the b2b pattern).
+// ---------------------------------------------------------------------------
+
+const Room = entity("Room", {
+	slug: field.string(),
+	name: field.string(),
+	createdAt: field.datetime(),
+});
+
+const Message = entity("Message", {
+	roomId: field.id("Room"),
+	authorId: field.id("User"),
+	authorName: field.string(),
+	body: field.string(),
+	createdAt: field.datetime(),
+});
+
+// ---------------------------------------------------------------------------
+// Function declarations
+// ---------------------------------------------------------------------------
+
+const listRooms = query("listRooms");
+const roomMessages = query("roomMessages");
+
+const createRoom = action("createRoom", {
+	input: [
+		{ name: "slug", type: "string" },
+		{ name: "name", type: "string" },
+	],
+});
+
+const sendMessage = action("sendMessage", {
+	input: [
+		{ name: "roomId", type: "id(Room)" },
+		{ name: "body", type: "string" },
+		{ name: "authorName", type: "string" },
+	],
+});
+
+// ---------------------------------------------------------------------------
+// Policies — wide-open reads, signed-in writes.
+// ---------------------------------------------------------------------------
+
+const roomPolicy = policy({
+	name: "room_public",
+	entity: "Room",
+	allowRead: "true",
+	allowInsert: "auth.userId != null",
+	allowUpdate: "false",
+	allowDelete: "false",
+});
+
+const messagePolicy = policy({
+	name: "message_public",
+	entity: "Message",
+	allowRead: "true",
+	allowInsert: "auth.userId != null and data.authorId == auth.userId",
+	allowUpdate: "false",
+	allowDelete: "data.authorId == auth.userId",
+});
+
+// ---------------------------------------------------------------------------
+// Manifest
+// ---------------------------------------------------------------------------
+
+const manifest = buildManifest({
+	name: "__APP_NAME_SNAKE__",
+	version: "0.0.1",
+	entities: [Room, Message],
+	queries: [listRooms, roomMessages],
+	actions: [createRoom, sendMessage],
+	policies: [roomPolicy, messagePolicy],
+	routes: [],
+});
+
+console.log(JSON.stringify(manifest));

package/templates/backend/chat/apps/api/tsconfig.json

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "strict": true,
+    "skipLibCheck": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "allowSyntheticDefaultImports": true
+  },
+  "include": ["schema.ts", "functions/**/*.ts"]
+}

package/templates/backend/consumer/apps/api/functions/createPost.ts

@@ -0,0 +1,48 @@
+import { mutation, v } from "@pylonsync/functions";
+
+/**
+ * Post something. Resolves the caller's Profile, then writes a Post
+ * with `authorId = profile.id`. Returns the inserted row + author
+ * card so the client can render it without a follow-up read.
+ */
+export default mutation({
+	args: { body: v.string() },
+	async handler(ctx, args: { body: string }) {
+		if (!ctx.auth.userId) {
+			throw ctx.error("UNAUTHENTICATED", "log in first");
+		}
+		const body = args.body.trim();
+		if (!body) throw ctx.error("EMPTY_BODY", "post body cannot be empty");
+		if (body.length > 1000) {
+			throw ctx.error("TOO_LONG", "post body capped at 1000 chars");
+		}
+		const profiles = (await ctx.db.query("Profile", {
+			userId: ctx.auth.userId,
+		})) as any[];
+		if (profiles.length === 0) {
+			throw ctx.error(
+				"NO_PROFILE",
+				"create a profile first via upsertProfile",
+			);
+		}
+		const profile = profiles[0];
+		const id = await ctx.db.insert("Post", {
+			authorId: profile.id,
+			body,
+			createdAt: new Date().toISOString(),
+		});
+		const post = (await ctx.db.get("Post", id)) as any;
+		return {
+			id: post.id,
+			body: post.body,
+			createdAt: post.createdAt,
+			author: {
+				id: profile.id,
+				handle: profile.handle,
+				displayName: profile.displayName,
+			},
+			likeCount: 0,
+			likedByMe: false,
+		};
+	},
+});

package/templates/backend/consumer/apps/api/functions/deletePost.ts

@@ -0,0 +1,21 @@
+import { mutation, v } from "@pylonsync/functions";
+
+/**
+ * Delete a Post and any associated Likes. Post policy already gates
+ * deletes to the author's Profile, so a non-author can't reach the
+ * actual delete call — but we double-check so a future policy
+ * loosening doesn't accidentally orphan Like rows.
+ */
+export default mutation({
+	args: { id: v.id("Post") },
+	async handler(ctx, args: { id: string }) {
+		const snapshot = (await ctx.db.get("Post", args.id)) as any;
+		if (!snapshot) throw ctx.error("NOT_FOUND", "post not found");
+		const likes = (await ctx.db.query("Like", { postId: args.id })) as any[];
+		for (const like of likes) {
+			await ctx.db.delete("Like", like.id);
+		}
+		await ctx.db.delete("Post", args.id);
+		return snapshot;
+	},
+});

package/templates/backend/consumer/apps/api/functions/feed.ts

@@ -0,0 +1,57 @@
+import { query } from "@pylonsync/functions";
+
+/**
+ * Public feed — every Post, newest first. Joins author Profile + the
+ * caller's like state into the response so the client can render a
+ * row without N+1 follow-up queries.
+ *
+ * For a real consumer app, paginate this (limit + cursor by createdAt)
+ * — the scaffold returns at most 100 rows, which is plenty for a
+ * Hello-World feed but unsustainable past a few thousand posts.
+ */
+export default query({
+	args: {},
+	async handler(ctx) {
+		const posts = (await ctx.db.query("Post", {})) as any[];
+		const sorted = [...posts]
+			.sort((a, b) => Date.parse(b.createdAt) - Date.parse(a.createdAt))
+			.slice(0, 100);
+
+		const callerProfile = ctx.auth.userId
+			? ((await ctx.db.query("Profile", {
+					userId: ctx.auth.userId,
+				})) as any[])[0]
+			: null;
+
+		const out: Array<{
+			id: string;
+			body: string;
+			createdAt: string;
+			author: { id: string; handle: string; displayName: string } | null;
+			likeCount: number;
+			likedByMe: boolean;
+		}> = [];
+		for (const p of sorted) {
+			const author = (await ctx.db.get("Profile", p.authorId)) as any;
+			const likes = (await ctx.db.query("Like", { postId: p.id })) as any[];
+			const likedByMe = callerProfile
+				? likes.some((l) => l.profileId === callerProfile.id)
+				: false;
+			out.push({
+				id: p.id,
+				body: p.body,
+				createdAt: p.createdAt,
+				author: author
+					? {
+							id: author.id,
+							handle: author.handle,
+							displayName: author.displayName,
+						}
+					: null,
+				likeCount: likes.length,
+				likedByMe,
+			});
+		}
+		return out;
+	},
+});

package/templates/backend/consumer/apps/api/functions/myProfile.ts

@@ -0,0 +1,17 @@
+import { query } from "@pylonsync/functions";
+
+/**
+ * Resolve the caller's own Profile (or null if they haven't created
+ * one yet). Used by the client to decide whether to show the
+ * profile-setup screen on first launch.
+ */
+export default query({
+	args: {},
+	async handler(ctx) {
+		if (!ctx.auth.userId) return null;
+		const rows = (await ctx.db.query("Profile", {
+			userId: ctx.auth.userId,
+		})) as any[];
+		return rows[0] ?? null;
+	},
+});

package/templates/backend/consumer/apps/api/functions/profilePosts.ts

@@ -0,0 +1,17 @@
+import { query, v } from "@pylonsync/functions";
+
+/**
+ * Every Post by a single Profile, newest first. Used by the profile
+ * page on each platform.
+ */
+export default query({
+	args: { profileId: v.id("Profile") },
+	async handler(ctx, args: { profileId: string }) {
+		const rows = (await ctx.db.query("Post", {
+			authorId: args.profileId,
+		})) as any[];
+		return rows.sort(
+			(a, b) => Date.parse(b.createdAt) - Date.parse(a.createdAt),
+		);
+	},
+});

package/templates/backend/consumer/apps/api/functions/toggleLike.ts

@@ -0,0 +1,48 @@
+import { mutation, v } from "@pylonsync/functions";
+
+/**
+ * Toggle a like on a Post. Idempotent — calling twice from the same
+ * user lands at the original state. Returns { liked: boolean,
+ * likeCount: number } so the client can update its UI without a
+ * follow-up read.
+ */
+export default mutation({
+	args: { postId: v.id("Post") },
+	async handler(ctx, args: { postId: string }) {
+		if (!ctx.auth.userId) {
+			throw ctx.error("UNAUTHENTICATED", "log in first");
+		}
+		const profiles = (await ctx.db.query("Profile", {
+			userId: ctx.auth.userId,
+		})) as any[];
+		if (profiles.length === 0) {
+			throw ctx.error("NO_PROFILE", "create a profile first");
+		}
+		const profile = profiles[0];
+
+		const existing = (await ctx.db.query("Like", {
+			postId: args.postId,
+			profileId: profile.id,
+		})) as any[];
+
+		if (existing.length === 0) {
+			await ctx.db.insert("Like", {
+				postId: args.postId,
+				profileId: profile.id,
+				createdAt: new Date().toISOString(),
+			});
+		} else {
+			for (const like of existing) {
+				await ctx.db.delete("Like", like.id);
+			}
+		}
+
+		const allLikes = (await ctx.db.query("Like", {
+			postId: args.postId,
+		})) as any[];
+		return {
+			liked: existing.length === 0,
+			likeCount: allLikes.length,
+		};
+	},
+});