@studiocubics/cms 0.0.1

package/.turbo/turbo-build.log

@@ -0,0 +1,7 @@
+
+> @studiocubics/cms@0.0.1 build /home/runner/work/StudioCubics/StudioCubics/packages/cms
+> rollup -c
+
+
+src/index.ts → dist...
+created dist in 6.7s

package/CHANGELOG.md

@@ -0,0 +1,12 @@
+# @studiocubics/cms
+
+## 0.0.1
+
+### Patch Changes
+
+- First publish inshallah!
+- Updated dependencies
+  - @studiocubics/hooks@0.0.1
+  - @studiocubics/utils@0.0.1
+  - @studiocubics/next@0.0.1
+  - @studiocubics/ui@0.0.1

package/README.md

@@ -0,0 +1,15 @@
+# @studiocubics/cms
+
+To install dependencies:
+
+```bash
+bun install
+```
+
+To run:
+
+```bash
+bun run index.ts
+```
+
+This project was created using `bun init` in bun v1.3.7. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.

package/eslint.config.js

@@ -0,0 +1,21 @@
+import js from "@eslint/js";
+import globals from "globals";
+import reactHooks from "eslint-plugin-react-hooks";
+import tseslint from "typescript-eslint";
+import { defineConfig, globalIgnores } from "eslint/config";
+
+export default defineConfig([
+  globalIgnores(["dist"]),
+  {
+    files: ["**/*.{ts,tsx}"],
+    extends: [
+      js.configs.recommended,
+      tseslint.configs.recommended,
+      reactHooks.configs.flat.recommended,
+    ],
+    languageOptions: {
+      ecmaVersion: 2020,
+      globals: globals.browser,
+    },
+  },
+]);

package/package.json

@@ -0,0 +1,79 @@
+{
+  "name": "@studiocubics/cms",
+  "description": "A collection of pages and components to build a cms for a website.",
+  "publishConfig": {
+    "access": "public"
+  },
+  "private": false,
+  "version": "0.0.1",
+  "keywords": [
+    "@studiocubics",
+    "cubics",
+    "studio",
+    "react",
+    "hooks"
+  ],
+  "author": {
+    "name": "Studio Cubics",
+    "email": "studiocubics7@gmail.com",
+    "url": "https://studio-cubics.vercel.app"
+  },
+  "license": "MIT",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "development": "./src/index.ts",
+      "production": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./styles.css": "./dist/index.css"
+  },
+  "dependencies": {
+    "@monaco-editor/react": "4.8.0-rc.3",
+    "lucide-react": "^0.554.0",
+    "next-themes": "^0.4.6",
+    "zod": "^4.3.6",
+    "@studiocubics/hooks": "^0.0.1",
+    "@studiocubics/ui": "^0.0.1",
+    "@studiocubics/utils": "^0.0.1",
+    "@studiocubics/next": "^0.0.1"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.1",
+    "@rollup/plugin-terser": "^0.4.4",
+    "@rollup/plugin-typescript": "^12.3.0",
+    "@types/node": "^24.10.1",
+    "@types/react": "^19.2.5",
+    "@types/react-dom": "^19.2.3",
+    "eslint": "^9.39.1",
+    "eslint-plugin-react-hooks": "^7.0.1",
+    "globals": "^16.5.0",
+    "postcss": "^8.5.6",
+    "postcss-modules": "^6.0.1",
+    "rollup": "^4.53.3",
+    "rollup-plugin-postcss": "^4.0.2",
+    "rollup-preserve-directives": "^1.1.3",
+    "typescript-eslint": "^8.46.4",
+    "babel-plugin-react-compiler": "1.0.0",
+    "next": "16.1.6",
+    "react": "19.2.4",
+    "react-dom": "19.2.4",
+    "typescript": "^5.9.3",
+    "@studiocubics/types": "^0.0.1"
+  },
+  "peerDependencies": {
+    "babel-plugin-react-compiler": ">= 1",
+    "@clerk/nextjs": ">= 6",
+    "next": ">= 16",
+    "react": ">= 19",
+    "react-dom": ">= 19",
+    "typescript": ">= 5"
+  },
+  "scripts": {
+    "build": "rollup -c",
+    "clean:build": "rimraf dist node_modules && rollup -c",
+    "lint": "eslint .",
+    "clean": "rimraf dist node_modules"
+  }
+}

package/rollup.config.js

@@ -0,0 +1,48 @@
+import { defineConfig } from "rollup";
+import typescript from "@rollup/plugin-typescript";
+import postcss from "rollup-plugin-postcss";
+import terser from "@rollup/plugin-terser";
+import preserveDirectives from "rollup-preserve-directives";
+
+export default defineConfig({
+  input: "src/index.ts",
+  output: {
+    preserveModules: true,
+    preserveModulesRoot: "src",
+    dir: "dist",
+    format: "esm",
+    sourcemap: true,
+  },
+  plugins: [
+    preserveDirectives(),
+    postcss({
+      include: ["globals.css", "**/*.module.css"],
+      modules: true,
+      extract: true,
+      // minimize: true,
+    }),
+    typescript({ tsconfig: "./tsconfig.json" }),
+    // terser({ compress: { directives: false } }),
+  ],
+  external: [
+    "lucide-react",
+    "next/cache",
+    "next/font/google",
+    "next/headers",
+    "next/link",
+    "next/navigation",
+    "next/server",
+    "next-themes",
+    "react/jsx-runtime",
+    "react",
+    "react-dom",
+    "@clerk/nextjs",
+    "@clerk/nextjs/server",
+    "@monaco-editor/react",
+    "@studiocubics/ui",
+    "@studiocubics/utils",
+    "@studiocubics/hooks",
+    "@studiocubics/next",
+    "zod",
+  ],
+});

package/src/clerk/_index.ts

@@ -0,0 +1,6 @@
+export * from "./actions/_index";
+export * from "./auth";
+export * from "./hasPermission";
+export * from "./rbacConfig";
+export * from "./schemas/_index";
+export * from "./toClientSafeUser";

package/src/clerk/actions/_index.ts

@@ -0,0 +1,2 @@
+export * from "./invitations";
+export * from "./systemUsers";

package/src/clerk/actions/invitations.ts

@@ -0,0 +1,78 @@
+"use server";
+
+import { clerkClient, type Invitation } from "@clerk/nextjs/server";
+import { auth } from "../auth";
+import { revalidatePath } from "next/cache";
+import { headers } from "next/headers";
+import { getInvitationPublicMetadata } from "../rbacConfig";
+import { createInvitationSchema } from "../schemas/invitation";
+import z from "zod";
+import type { InvitationCreateState } from "../../ui/System/Invitations/InvitationListActions";
+import { apiRes } from "@studiocubics/utils";
+import type { PaginatedResponse } from "../clerk";
+import { cache } from "react";
+
+export const invitationListReadAction = cache(
+  async (
+    params: ClerkInvitationListParams,
+  ): Promise<PaginatedResponse<Invitation[]>> => {
+    const session = await auth();
+    if (!session.hasPermission("invitations", "read")) {
+      throw new Error(apiRes.forbidden);
+    }
+    const client = await clerkClient();
+    const invitationsList = await client.invitations.getInvitationList(params);
+    return invitationsList;
+  },
+);
+export const invitationDeleteAction = async (id: string) => {
+  const session = await auth();
+  if (!session.hasPermission("invitations", "delete")) {
+    return apiRes.actionFail(apiRes.forbidden);
+  }
+
+  if (!id || typeof id !== "string")
+    return apiRes.actionFail(apiRes.wrongType("id", "string"));
+
+  const client = await clerkClient();
+  await client.invitations.revokeInvitation(id);
+
+  revalidatePath("/dashboard/security/invitations");
+  return apiRes.actionSuccess();
+};
+
+export async function invitationCreateAction(
+  _: InvitationCreateState,
+  formData: FormData,
+): Promise<InvitationCreateState> {
+  const session = await auth();
+  if (!session.hasPermission("invitations", "create")) {
+    return apiRes.actionFail(apiRes.forbidden);
+  }
+
+  const headersList = await headers();
+  const host = headersList.get("host");
+  const protocol = host?.startsWith("localhost") ? "http" : "https";
+
+  const formDataObj = Object.fromEntries(formData.entries());
+  const { success, data, error } =
+    createInvitationSchema.safeParse(formDataObj);
+  if (!success) {
+    const flattenedError = z.flattenError(error);
+    return apiRes.actionFail(
+      flattenedError.formErrors.join("\n"),
+      flattenedError.fieldErrors,
+    );
+  }
+
+  const publicMetadata = getInvitationPublicMetadata(data.role);
+  const client = await clerkClient();
+  await client.invitations.createInvitation({
+    ...data,
+    redirectUrl: `${protocol}://${host}/auth/signUp`,
+    publicMetadata,
+  });
+
+  revalidatePath("/dashboard/security/invitations");
+  return apiRes.actionSuccess();
+}

package/src/clerk/actions/systemUsers.ts

@@ -0,0 +1,94 @@
+"use server";
+import { clerkClient, type User } from "@clerk/nextjs/server";
+import { auth } from "../auth";
+import { apiRes } from "@studiocubics/utils";
+import type { PaginatedResponse } from "../clerk";
+import type { SystemUserRoleUpdateState } from "../../ui/System/SystemUser/SystemUserRoleForm/SystemUserRoleForm";
+import { cache } from "react";
+import type { SystemUserDetailsUpdateState } from "../../ui/_index";
+
+export const systemUserListReadAction = cache(
+  async (
+    params: ClerkUserListParams,
+    removeCurrent: boolean = false,
+  ): Promise<PaginatedResponse<User[]>> => {
+    const session = await auth();
+
+    if (!session.hasPermission("systemUsers", "read")) {
+      throw new Error(apiRes.forbidden);
+    }
+
+    const client = await clerkClient();
+    const systemUserList = await client.users.getUserList(params);
+
+    if (removeCurrent) {
+      systemUserList.data = systemUserList.data.filter(
+        (su) => su.id !== session.userId,
+      );
+      systemUserList.totalCount--;
+    }
+
+    return systemUserList;
+  },
+);
+
+export const systemUserReadAction = cache(async (id: string) => {
+  const session = await auth();
+
+  if (!session.hasPermission("systemUsers", "read")) {
+    throw new Error(apiRes.forbidden);
+  }
+
+  const client = await clerkClient();
+  const systemUser = await client.users.getUser(id);
+
+  if (!systemUser) {
+    throw new Error(apiRes.notFound(`System User: ${id}`));
+  }
+
+  return systemUser;
+});
+
+export async function systemUserRoleUpdateAction(
+  userId: string,
+  _: SystemUserRoleUpdateState,
+  formData: FormData,
+): Promise<SystemUserRoleUpdateState> {
+  const session = await auth();
+
+  if (!session.hasPermission("systemUsers", "update")) {
+    throw new Error(apiRes.forbidden);
+  }
+  const role = formData.get("role");
+  console.log("userId", userId);
+  console.log("role", role);
+  return apiRes.actionSuccess();
+
+  // const client = await clerkClient();
+  // const { publicMetadata } = await client.users.getUser(userId);
+  // const patchedUser = await client.users.updateUserMetadata(userId, {
+  //   publicMetadata: {
+  //     ...publicMetadata,
+  //     role,
+  //   },
+  // });
+  // return apiRes.actionSuccess(patchedUser);
+}
+
+export async function systemUserDetailsUpdateAction(
+  userId: string,
+  _: SystemUserDetailsUpdateState,
+  formData: FormData,
+): Promise<SystemUserDetailsUpdateState> {
+  const session = await auth();
+
+  if (!session.hasPermission("systemUsers", "update")) {
+    throw new Error(apiRes.forbidden);
+  }
+  console.log("firstName", formData.get("firstName"));
+  console.log("lastName", formData.get("firstName"));
+  console.log("imageFile", formData.get("imageFile"));
+
+  console.log("userId", userId);
+  return apiRes.actionSuccess();
+}

package/src/clerk/auth.ts

@@ -0,0 +1,34 @@
+"use server";
+import { auth as clerkAuth } from "@clerk/nextjs/server";
+import { hasPermissionForClaims } from "./hasPermission";
+import type { Resource, RoleActions } from "./rbacConfig";
+type ClerkAuthResult = Awaited<ReturnType<typeof clerkAuth>>;
+
+export type AuthWithPermissions = ClerkAuthResult & {
+  hasPermission: (
+    resource: Resource,
+    action: RoleActions,
+    record?: Record<string, any>,
+  ) => Promise<boolean>;
+};
+export async function auth(
+  options?: Parameters<typeof clerkAuth>[0],
+): Promise<AuthWithPermissions> {
+  const clerkAuthResult = await clerkAuth(options);
+
+  return {
+    ...clerkAuthResult,
+    hasPermission: async (
+      resource: Resource,
+      action: RoleActions,
+      record?: Record<string, any>,
+    ) => {
+      return hasPermissionForClaims({
+        claims: clerkAuthResult.sessionClaims,
+        resource,
+        action,
+        record,
+      });
+    },
+  };
+}

package/src/clerk/clerk.d.ts

@@ -0,0 +1,105 @@
+import { EmailAddress, User } from "@clerk/nextjs/server";
+import { Role } from "@studiocubics/cms";
+import { WithSign } from "@/clerk/Users";
+import { useUser } from "@clerk/nextjs";
+
+type WithSign<T extends string> = `+${T}` | `-${T}` | T;
+export type PaginatedResponse<T> = { data: T; totalCount: number };
+type SessionStatus =
+  | "abandoned"
+  | "active"
+  | "ended"
+  | "expired"
+  | "removed"
+  | "replaced"
+  | "revoked";
+
+type UserListOrderBy =
+  | "created_at"
+  | "updated_at"
+  | "email_address"
+  | "web3wallet"
+  | "first_name"
+  | "last_name"
+  | "phone_number"
+  | "username"
+  | "last_active_at"
+  | "last_sign_in_at";
+
+declare global {
+  type ClerkClientUser = ReturnType<typeof useUser>["user"];
+  type ClerkSessionClaims = NonNullable<
+    Awaited<ReturnType<typeof auth>>["sessionClaims"]
+  >;
+  interface CustomJwtSessionClaims {
+    metadata: {
+      role?: Role;
+      onboardingComplete?: boolean;
+      // TODO add currentStatus?:"online"|"offline"
+    };
+  }
+  interface ClerkUserListParams extends Record<string, any> {
+    limit?: number;
+    offset?: number;
+    orderBy?: WithSign<UserListOrderBy>;
+    query?: string;
+  }
+  interface ClerkUserSessionListParams {
+    clientId?: string;
+    userId?: string;
+    status?: SessionStatus;
+    limit?: number;
+    offset?: number;
+  }
+  interface ClerkUserSession {
+    id: string;
+    clientId: string;
+    userId: string;
+    status: SessionStatus;
+    lastActiveAt: number;
+    expireAt: number;
+    abandonAt: number;
+    createdAt: number;
+    updatedAt: number;
+    lastActiveOrganizationId?: string;
+    latestActivity?: ClerkUserSessionActivity;
+    actor: Record<string, unknown> | null;
+  }
+  interface ClerkUserSessionActivity {
+    id: string;
+    isMobile: boolean;
+    ipAddress?: string;
+    city?: string;
+    country?: string;
+    browserVersion?: string;
+    browserName?: string;
+    deviceType?: string;
+  }
+  interface ClerkInvitation {
+    id: string;
+    emailAddress: string;
+    url: string;
+    publicMetadata: UserPublicMetadata;
+    createdAt: number;
+    updatedAt: number;
+    status: "pending" | "accepted" | "revoked";
+    revoked?: boolean;
+  }
+  interface ClerkInvitationCreateParams {
+    emailAddress: string;
+    expiresInDays?: number;
+    ignoreExisting?: boolean;
+    /**
+     * Whether an email invitation should be sent to the given email address. Defaults to true.
+     */
+    notify?: boolean;
+    publicMetadata?: UserPublicMetadata;
+    redirectUrl?: string;
+    templateSlug?: "invitation" | "waitlist_invitation";
+  }
+  interface ClerkInvitationListParams extends Record<string, any> {
+    status?: "pending" | "accepted" | "revoked";
+    limit?: number;
+    offset?: number;
+  }
+}

package/src/clerk/hasPermission.ts

@@ -0,0 +1,96 @@
+"use server";
+import { auth } from "@clerk/nextjs/server";
+import {
+  type Resource,
+  type RoleActions,
+  type Role,
+  RBAC_CONFIG,
+} from "./rbacConfig";
+
+/**
+ * Evaluates RBAC permissions using explicitly provided session claims.
+ *
+ * @returns `true` if the role defined in `sessionClaims.metadata.role`
+ * is allowed to perform `action` on `resource` under RBAC rules.
+ */
+export async function hasPermissionForClaims(args: {
+  claims: ClerkSessionClaims;
+  resource: Resource;
+  action: RoleActions;
+  record?: Record<string, any>;
+}): Promise<boolean> {
+  if (!("metadata" in args.claims)) return false;
+  const role = args.claims?.metadata.role;
+  if (!role) return false;
+  return checkPermissions({ role, ...args });
+}
+
+/**
+ * Evaluates RBAC permissions for the currently authenticated user.
+ *
+ * Use this when you do NOT already have session claims.
+ *
+ * @returns `true` if the current user's role is allowed
+ * to perform `action` on `resource` under RBAC rules.
+ */
+export async function hasPermission(args: {
+  resource: Resource;
+  action: RoleActions;
+  record?: Record<string, any>;
+}): Promise<boolean> {
+  let claims;
+
+  const a = await auth();
+  claims = a.sessionClaims;
+
+  const role = claims?.metadata.role;
+  if (!role) return false;
+  return checkPermissions({
+    role,
+    claims,
+    ...args,
+  });
+}
+export type PermissionCheckInput = {
+  role: Role;
+  claims: ClerkSessionClaims;
+  resource: Resource;
+  action: RoleActions;
+  record?: Record<string, any>;
+};
+
+/**
+ * Core RBAC policy evaluator.
+ *
+ * This is the authorization engine shared by all permission checks.
+ * It does NOT perform authentication or session resolution.
+ *
+ * Rules:
+ * - `isSystem` roles bypass all checks
+ * - permissions are matched by `{ resource, action }`
+ * - optional ownership constraints are enforced via `ownerField`
+ * @param {PermissionCheckInput} args
+ * @returns `true` if at least one permission grants access
+ */
+function checkPermissions(args: PermissionCheckInput) {
+  const def = RBAC_CONFIG[args.role];
+  if (!def) return false;
+
+  // Allow system
+  if (def.isSystem) return true;
+
+  // Iterate over all permissions
+  for (const p of def.permissions) {
+    if (p.resource !== args.resource) continue;
+    if (!p.actions?.[args.action]) continue;
+
+    // Ownership conditions
+    if (p.conditions?.ownerField && args.record) {
+      const ownerField = p.conditions.ownerField;
+      if (args.record[ownerField] !== args.claims.id) continue;
+    }
+
+    return true;
+  }
+  return false;
+}

package/src/clerk/rbacConfig.ts

@@ -0,0 +1,68 @@
+export const roles = ["admin", "manager", "member"] as const;
+export const resources = ["systemUsers", "projects", "invitations"] as const;
+
+export const RBAC_CONFIG: {
+  [K in Role]: RoleDoc;
+} = {
+  admin: {
+    desc: "Full system authority with unrestricted access and management capabilities.",
+    isSystem: true,
+    permissions: [], // system role bypasses all checks
+  },
+  manager: {
+    desc: "Responsible for overseeing teams and resources; can manage existing items and invite users.",
+    inherits: ["member"],
+    permissions: [
+      {
+        resource: "systemUsers",
+        actions: { create: true, read: true, update: true },
+        conditions: { ownerField: "id" },
+      },
+      {
+        resource: "projects",
+        actions: { create: true, read: true, update: true, delete: true },
+      },
+      {
+        resource: "invitations",
+        actions: { create: true, read: true, update: true, delete: true },
+      },
+    ],
+  },
+  member: {
+    desc: "Standard user with read-level access to assigned resources; limited modification rights.",
+    permissions: [
+      { resource: "systemUsers", actions: { read: true } },
+      { resource: "projects", actions: { read: true } },
+    ],
+  },
+} as const;
+
+export type Role = (typeof roles)[number];
+export type Resource = (typeof resources)[number];
+
+export type RoleActions = "create" | "read" | "update" | "delete";
+
+export type ResourcePermission = {
+  resource: Resource;
+  actions: Partial<Record<RoleActions, boolean>>;
+  conditions?: {
+    ownerField?: string; // e.g. “creatorId”
+  };
+};
+export type RoleDoc = {
+  desc?: string;
+  inherits?: string[];
+  isSystem?: boolean;
+  permissions: ResourcePermission[];
+};
+
+export const getInvitationPublicMetadata = (role: Role) => {
+  switch (role) {
+    case "admin":
+      return { role, onboardingComplete: true };
+    case "manager":
+      return { role, onboardingComplete: true };
+    default:
+      return { role, onboardingComplete: false };
+  }
+};

package/src/clerk/schemas/_index.ts

@@ -0,0 +1 @@
+export * from "./invitation";