npm - @thinksoftai/cli - Versions diffs - 1.6.12 → 1.6.16 - Mend

@thinksoftai/cli 1.6.12 → 1.6.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/commands/export.js +1550 -99
package/dist/commands/export.js.map +1 -1
package/dist/index.js +10 -2
package/dist/index.js.map +1 -1
package/package.json +1 -1

package/dist/commands/export.js CHANGED Viewed

@@ -126,6 +126,7 @@ async function exportBackend(options = {}) {
     }
     // Chat option (only for node-express)
     let chatOption = 'none';
+    let authOption = 'none';
     if (answers.format === 'node-express') {
         const chatAnswer = await inquirer_1.default.prompt([
             {
@@ -141,6 +142,21 @@ async function exportBackend(options = {}) {
             }
         ]);
         chatOption = chatAnswer.chatOption;
+        // Auth option
+        const authAnswer = await inquirer_1.default.prompt([
+            {
+                type: 'list',
+                name: 'authOption',
+                message: 'User authentication:',
+                choices: [
+                    { name: 'ThinkSoft Email OTP (no setup needed)', value: 'thinksoft' },
+                    { name: 'Self-hosted Email OTP (requires Resend/SendGrid)', value: 'self-hosted' },
+                    { name: 'None (no authentication)', value: 'none' }
+                ],
+                default: 'thinksoft'
+            }
+        ]);
+        authOption = authAnswer.authOption;
     }
     // Output directory
     const appSlug = exportData.app?.name?.toLowerCase().replace(/\s+/g, '-') || appId.toLowerCase();
@@ -158,6 +174,7 @@ async function exportBackend(options = {}) {
         const fileCount = await generateExport(exportData, {
             ...answers,
             chatOption,
+            authOption,
             baseUrl: answers.baseUrl
         }, endpointConfig, outputDir);
         generatorSpinner.succeed(`Generated ${fileCount} files`);
@@ -193,7 +210,7 @@ async function generateExport(data, config, endpoints, outputDir) {
         // PostgreSQL only - just schema and triggers
         fs.mkdirSync(path.join(outputDir, 'database'), { recursive: true });
         // Generate schema
-        const schema = generateSchema(data.tables);
+        const schema = generateSchema(data.tables, config.authOption);
         fs.writeFileSync(path.join(outputDir, 'database/schema.sql'), schema);
         fileCount++;
         // Generate triggers if rules included
@@ -226,7 +243,7 @@ async function generateExport(data, config, endpoints, outputDir) {
             fs.mkdirSync(path.join(outputDir, dir), { recursive: true });
         }
         // Database files
-        const schema = generateSchema(data.tables);
+        const schema = generateSchema(data.tables, config.authOption);
         fs.writeFileSync(path.join(outputDir, 'database/schema.sql'), schema);
         fileCount++;
         if (config.includeRules && data.rules?.length > 0) {
@@ -264,7 +281,7 @@ async function generateExport(data, config, endpoints, outputDir) {
         fs.writeFileSync(path.join(outputDir, 'src/routes/agents.js'), agentRoutes);
         fileCount++;
         // Agents
-        const agentConfig = generateAgentConfig(data.agents);
+        const agentConfig = generateAgentConfig(data.agents, data.rules);
         fs.writeFileSync(path.join(outputDir, 'agents/config.json'), agentConfig);
         fileCount++;
         const agentActions = generateAgentActions();
@@ -289,7 +306,7 @@ async function generateExport(data, config, endpoints, outputDir) {
         fs.writeFileSync(path.join(outputDir, 'src/events/index.js'), events);
         fileCount++;
         // Main files
-        const indexJs = generateIndex(config.baseUrl);
+        const indexJs = generateIndex(config.baseUrl, config.authOption);
         fs.writeFileSync(path.join(outputDir, 'src/index.js'), indexJs);
         fileCount++;
         const dbJs = generateDb();
@@ -298,6 +315,15 @@ async function generateExport(data, config, endpoints, outputDir) {
         const authMiddleware = generateAuthMiddleware();
         fs.writeFileSync(path.join(outputDir, 'src/middleware/auth.js'), authMiddleware);
         fileCount++;
+        // Auth controller and routes (if auth enabled)
+        if (config.authOption && config.authOption !== 'none') {
+            const authController = generateAuthController(data.app, config.authOption);
+            fs.writeFileSync(path.join(outputDir, 'src/controllers/auth.js'), authController);
+            fileCount++;
+            const authRoutes = generateAuthRoutes();
+            fs.writeFileSync(path.join(outputDir, 'src/routes/auth.js'), authRoutes);
+            fileCount++;
+        }
         // Config files
         const apiConfig = generateApiConfig(data.tables, endpoints, config);
         fs.writeFileSync(path.join(outputDir, 'api.config.json'), apiConfig);
@@ -319,16 +345,37 @@ async function generateExport(data, config, endpoints, outputDir) {
         const readme = generateReadme(data.app, config);
         fs.writeFileSync(path.join(outputDir, 'README.md'), readme);
         fileCount++;
+        // Context.md - comprehensive app documentation for developers and AI
+        const context = generateContext(data, config, endpoints);
+        fs.writeFileSync(path.join(outputDir, 'context.md'), context);
+        fileCount++;
     }
     return fileCount;
 }
 // ============================================
 // Generator Functions
 // ============================================
-function generateSchema(tables) {
+function generateSchema(tables, authOption = 'none') {
     let sql = '-- Auto-generated PostgreSQL schema\n';
     sql += '-- Generated by ThinkSoft CLI\n\n';
     sql += 'CREATE EXTENSION IF NOT EXISTS "pgcrypto";\n\n';
+    // Add app_users table for authentication
+    if (authOption !== 'none') {
+        sql += '-- Users table for authentication\n';
+        sql += 'CREATE TABLE app_users (\n';
+        sql += '  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n';
+        sql += '  email VARCHAR(255) UNIQUE NOT NULL,\n';
+        sql += '  name VARCHAR(255),\n';
+        sql += '  otp_code VARCHAR(6),\n';
+        sql += '  otp_expires_at TIMESTAMP,\n';
+        sql += '  refresh_token VARCHAR(500),\n';
+        sql += '  last_login TIMESTAMP,\n';
+        sql += '  is_active BOOLEAN DEFAULT TRUE,\n';
+        sql += '  created_at TIMESTAMP DEFAULT NOW(),\n';
+        sql += '  updated_at TIMESTAMP DEFAULT NOW()\n';
+        sql += ');\n\n';
+        sql += 'CREATE INDEX idx_app_users_email ON app_users(email);\n\n';
+    }
     const typeMap = {
         'text': 'VARCHAR(255)',
         'textarea': 'TEXT',
@@ -596,37 +643,271 @@ module.exports = { schema, validate };
 `;
 }
 function generateHooks(table, rules) {
+    // Group rules by trigger
+    const rulesByTrigger = {
+        before_create: [],
+        after_create: [],
+        before_update: [],
+        after_update: [],
+        before_delete: [],
+        after_delete: []
+    };
+    for (const rule of rules || []) {
+        if (rule.trigger && rulesByTrigger[rule.trigger]) {
+            rulesByTrigger[rule.trigger].push(rule);
+        }
+    }
+    // Sort each group by priority
+    for (const trigger of Object.keys(rulesByTrigger)) {
+        rulesByTrigger[trigger].sort((a, b) => (a.priority || 100) - (b.priority || 100));
+    }
+    // Generate condition evaluation code
+    const generateCondition = (condition) => {
+        if (!condition || condition === 'true')
+            return 'true';
+        // Convert Liquid-style conditions to JavaScript
+        // Handle common patterns
+        let jsCondition = condition
+            // Liquid equality: {% if x == 'value' %} -> x === 'value'
+            .replace(/\{\%\s*if\s+([^%]+)\s*\%\}/g, '$1')
+            .replace(/\{\%\s*endif\s*\%\}/g, '')
+            // Liquid variables: {{ field }} -> data.field
+            .replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+            .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+            .replace(/\{\{\s*_new\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+            .replace(/\{\{\s*_old\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'oldData.$1')
+            // Field access without braces
+            .replace(/\brecord\.([a-zA-Z_][a-zA-Z0-9_]*)/g, 'data.$1')
+            .replace(/\b_new\.([a-zA-Z_][a-zA-Z0-9_]*)/g, 'data.$1')
+            .replace(/\b_old\.([a-zA-Z_][a-zA-Z0-9_]*)/g, 'oldData.$1')
+            // Operators
+            .replace(/\s+==\s+/g, ' === ')
+            .replace(/\s+!=\s+/g, ' !== ')
+            .replace(/\s+and\s+/g, ' && ')
+            .replace(/\s+or\s+/g, ' || ')
+            .replace(/\s+contains\s+/g, '.includes(')
+            // Liquid filters: | size -> .length
+            .replace(/\|\s*size/g, '.length')
+            // Blank check
+            .replace(/\s+blank/g, " === '' || data.$1 === null || data.$1 === undefined")
+            .replace(/\s+present/g, " !== '' && data.$1 !== null && data.$1 !== undefined")
+            .trim();
+        // If still has Liquid syntax, wrap in try-catch eval
+        if (jsCondition.includes('{%') || jsCondition.includes('{{')) {
+            return `/* Complex condition: ${condition} */ true`;
+        }
+        return jsCondition || 'true';
+    };
+    // Generate action code
+    const generateActionCode = (action, indent = '    ') => {
+        switch (action.type) {
+            case 'set_field': {
+                let value = action.value;
+                // Convert Liquid template to JS
+                if (typeof value === 'string') {
+                    if (value.includes('{{') || value.includes('{%')) {
+                        // Replace Liquid variables with JS
+                        value = value
+                            .replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, "' + data.$1 + '")
+                            .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, "' + data.$1 + '")
+                            .replace(/\{\{\s*_timestamp\s*\}\}/g, "' + new Date().toISOString() + '")
+                            .replace(/\{\{\s*_date\s*\}\}/g, "' + new Date().toISOString().split('T')[0] + '");
+                        value = `'${value}'`;
+                    }
+                    else {
+                        value = `'${value}'`;
+                    }
+                }
+                return `${indent}data.${action.field} = ${value};`;
+            }
+            case 'calculate': {
+                // Convert Liquid math to JS
+                let formula = action.value || '';
+                formula = formula
+                    .replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                    .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                    .replace(/\|\s*plus:\s*/g, ' + ')
+                    .replace(/\|\s*minus:\s*/g, ' - ')
+                    .replace(/\|\s*times:\s*/g, ' * ')
+                    .replace(/\|\s*divided_by:\s*/g, ' / ');
+                return `${indent}data.${action.field} = ${formula};`;
+            }
+            case 'reject': {
+                let message = action.message || 'Operation rejected by business rule';
+                // Convert Liquid variables in message
+                message = message
+                    .replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, '${data.$1}')
+                    .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, '${data.$1}');
+                return `${indent}throw new Error(\`${message}\`);`;
+            }
+            case 'validate': {
+                const condition = generateCondition(action.condition || 'true');
+                let message = action.message || 'Validation failed';
+                message = message
+                    .replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, '${data.$1}')
+                    .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, '${data.$1}');
+                return `${indent}if (!(${condition})) {\n${indent}  throw new Error(\`${message}\`);\n${indent}}`;
+            }
+            case 'lookup_and_set': {
+                // Generate lookup query
+                const lookupFilter = action.lookupFilter || {};
+                const filterEntries = Object.entries(lookupFilter);
+                let filterCode = '';
+                if (filterEntries.length > 0) {
+                    const conditions = filterEntries.map(([key, val]) => {
+                        if (typeof val === 'string' && val.includes('{{')) {
+                            const jsVal = val.replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                                .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1');
+                            return `${key} = $\${paramIndex++}`;
+                        }
+                        return `${key} = $\${paramIndex++}`;
+                    });
+                    filterCode = conditions.join(' AND ');
+                }
+                return `${indent}// Lookup from ${action.lookupTable}
+${indent}const lookupResult = await db.query(
+${indent}  'SELECT ${action.returnField || 'id'} FROM ${action.lookupTable} WHERE ${filterCode || 'TRUE'} LIMIT 1',
+${indent}  [${filterEntries.map(([k, v]) => {
+                    if (typeof v === 'string' && v.includes('{{')) {
+                        return v.replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                            .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1');
+                    }
+                    return `'${v}'`;
+                }).join(', ')}]
+${indent});
+${indent}if (lookupResult.rows.length > 0) {
+${indent}  data.${action.field} = lookupResult.rows[0].${action.returnField || 'id'};
+${indent}}`;
+            }
+            case 'create_record': {
+                const recordData = action.data || {};
+                const fields = Object.keys(recordData);
+                const values = Object.values(recordData).map((v) => {
+                    if (typeof v === 'string' && v.includes('{{')) {
+                        return v.replace(/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                            .replace(/\{\{\s*record\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1')
+                            .replace(/\{\{\s*_new\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g, 'data.$1');
+                    }
+                    return typeof v === 'string' ? `'${v}'` : v;
+                });
+                return `${indent}// Create record in ${action.table}
+${indent}await db.query(
+${indent}  'INSERT INTO ${action.table} (${fields.join(', ')}) VALUES (${fields.map((_, i) => '$' + (i + 1)).join(', ')})',
+${indent}  [${values.join(', ')}]
+${indent});`;
+            }
+            default:
+                return `${indent}// Unknown action type: ${action.type}`;
+        }
+    };
+    // Generate hook function code
+    const generateHookCode = (trigger, rulesForTrigger) => {
+        if (rulesForTrigger.length === 0) {
+            if (trigger.startsWith('before')) {
+                return `    // No rules for this trigger
+    return data;`;
+            }
+            return `    // No rules for this trigger`;
+        }
+        let code = '';
+        for (const rule of rulesForTrigger) {
+            const condition = generateCondition(rule.condition || 'true');
+            code += `    // Rule: ${rule.name} (priority: ${rule.priority || 100})\n`;
+            code += `    if (${condition}) {\n`;
+            for (const action of rule.actions || []) {
+                code += generateActionCode(action, '      ') + '\n';
+            }
+            code += `    }\n\n`;
+        }
+        if (trigger.startsWith('before')) {
+            code += `    return data;`;
+        }
+        return code;
+    };
+    // Build the full hooks file
     return `/**
  * ${table.name} Hooks
- * Auto-generated by ThinkSoft CLI
+ * Auto-generated from business rules by ThinkSoft CLI
+ *
+ * Rules converted: ${rules?.length || 0}
  */
-module.exports = {
-  beforeCreate: async (data, db) => {
-    // Add custom logic here
-    return data;
-  },
-  afterCreate: async (record, db) => {
-    // Add custom logic here
-  },
-  beforeUpdate: async (oldRecord, data, db) => {
-    // Add custom logic here
-    return data;
-  },
-  afterUpdate: async (oldRecord, newRecord, db) => {
-    // Add custom logic here
-  },
-  beforeDelete: async (record, db) => {
-    // Add custom logic here
-  },
+/**
+ * Before Create Hook
+ * Called before a new record is inserted
+ * @param {object} data - The data being inserted
+ * @param {object} db - Database connection
+ * @returns {object} Modified data or throws error to reject
+ */
+async function beforeCreate(data, db) {
+${generateHookCode('before_create', rulesByTrigger.before_create)}
+}
+/**
+ * After Create Hook
+ * Called after a record is successfully inserted
+ * @param {object} record - The created record (with id)
+ * @param {object} db - Database connection
+ */
+async function afterCreate(record, db) {
+  const data = record; // Alias for rule compatibility
+${generateHookCode('after_create', rulesByTrigger.after_create)}
+}
+/**
+ * Before Update Hook
+ * Called before a record is updated
+ * @param {object} oldData - The current record data
+ * @param {object} data - The new data being applied
+ * @param {object} db - Database connection
+ * @returns {object} Modified data or throws error to reject
+ */
+async function beforeUpdate(oldData, data, db) {
+${generateHookCode('before_update', rulesByTrigger.before_update)}
+}
+/**
+ * After Update Hook
+ * Called after a record is successfully updated
+ * @param {object} oldData - The previous record data
+ * @param {object} newData - The updated record
+ * @param {object} db - Database connection
+ */
+async function afterUpdate(oldData, newData, db) {
+  const data = newData; // Alias for rule compatibility
+${generateHookCode('after_update', rulesByTrigger.after_update)}
+}
+/**
+ * Before Delete Hook
+ * Called before a record is deleted
+ * @param {object} record - The record being deleted
+ * @param {object} db - Database connection
+ * @throws {Error} To prevent deletion
+ */
+async function beforeDelete(record, db) {
+  const data = record; // Alias for rule compatibility
+${generateHookCode('before_delete', rulesByTrigger.before_delete)}
+}
+/**
+ * After Delete Hook
+ * Called after a record is successfully deleted
+ * @param {object} record - The deleted record
+ * @param {object} db - Database connection
+ */
+async function afterDelete(record, db) {
+  const data = record; // Alias for rule compatibility
+${generateHookCode('after_delete', rulesByTrigger.after_delete)}
+}
-  afterDelete: async (record, db) => {
-    // Add custom logic here
-  }
+module.exports = {
+  beforeCreate,
+  afterCreate,
+  beforeUpdate,
+  afterUpdate,
+  beforeDelete,
+  afterDelete
 };
 `;
 }
@@ -663,30 +944,33 @@ function generateAgentRoutes() {
 const express = require('express');
 const router = express.Router();
-const { authenticate } = require('../middleware/auth');
-const agentAuth = require('../middleware/agentAuth');
-const { getActionChips, executeAction } = require('../../agents/actions');
+const { optionalAuth } = require('../middleware/auth');
+const { checkAgentAccess, checkTablePermissions } = require('../middleware/agentAuth');
+const { executeAction } = require('../../agents/actions');
 const agentConfig = require('../../agents/config.json');
+// Middleware chain: optionalAuth -> checkAgentAccess -> checkTablePermissions
+// optionalAuth: tries to authenticate but doesn't fail if no token (for public agents)
+// checkAgentAccess: enforces access rules (public/authenticated/table-based)
+// checkTablePermissions: enforces CRUD permissions on tables
 // Get agent info
-router.get('/:agent', authenticate, (req, res) => {
-  const agent = agentConfig[req.params.agent];
-  if (!agent) {
-    return res.status(404).json({ error: 'Agent not found' });
-  }
+router.get('/:agent', optionalAuth, checkAgentAccess, (req, res) => {
+  const agent = req.agent;
   res.json({
     name: agent.name,
     description: agent.description,
     welcome_message: agent.welcome_message,
-    action_chips: agent.action_chips
+    action_chips: agent.action_chips,
+    access_type: agent.access_rules?.type || 'authenticated'
   });
 });
 // Execute action chip
-router.post('/:agent/action', authenticate, async (req, res) => {
+router.post('/:agent/action', optionalAuth, checkAgentAccess, async (req, res) => {
   try {
     const { action } = req.body;
-    const result = await executeAction(req.params.agent, action, req.user?.id);
+    const result = await executeAction(req.params.agent, action, req.user?.userId, req.matchedRecord?.id);
     res.json(result);
   } catch (error) {
     res.status(400).json({ error: error.message });
@@ -694,49 +978,101 @@ router.post('/:agent/action', authenticate, async (req, res) => {
 });
 // Agent-scoped CRUD
-router.get('/:agent/:table', authenticate, agentAuth, async (req, res) => {
+router.get('/:agent/:table', optionalAuth, checkAgentAccess, checkTablePermissions, async (req, res) => {
   const controller = require(\`../controllers/\${req.params.table}\`);
   return controller.list(req, res);
 });
-router.get('/:agent/:table/:id', authenticate, agentAuth, async (req, res) => {
+router.get('/:agent/:table/:id', optionalAuth, checkAgentAccess, checkTablePermissions, async (req, res) => {
   const controller = require(\`../controllers/\${req.params.table}\`);
   return controller.get(req, res);
 });
-router.post('/:agent/:table', authenticate, agentAuth, async (req, res) => {
+router.post('/:agent/:table', optionalAuth, checkAgentAccess, checkTablePermissions, async (req, res) => {
   const controller = require(\`../controllers/\${req.params.table}\`);
   return controller.create(req, res);
 });
-router.put('/:agent/:table/:id', authenticate, agentAuth, async (req, res) => {
+router.put('/:agent/:table/:id', optionalAuth, checkAgentAccess, checkTablePermissions, async (req, res) => {
   const controller = require(\`../controllers/\${req.params.table}\`);
   return controller.update(req, res);
 });
+router.delete('/:agent/:table/:id', optionalAuth, checkAgentAccess, checkTablePermissions, async (req, res) => {
+  const controller = require(\`../controllers/\${req.params.table}\`);
+  return controller.delete(req, res);
+});
 module.exports = router;
 `;
 }
-function generateAgentConfig(agents) {
+function generateAgentConfig(agents, rules = []) {
     const config = {};
     for (const agent of agents || []) {
+        // Build access_rules from auth_type
+        let accessRules = { type: 'authenticated' };
+        const authType = agent.auth_type || 'authenticated';
+        if (authType === 'public') {
+            accessRules = { type: 'public' };
+        }
+        else if (authType === 'table' || authType === 'table-based') {
+            // Table-based auth - user must exist in specific table
+            accessRules = {
+                type: 'table-based',
+                table: agent.auth_table || agent.audience?.toLowerCase().replace(/\s+/g, '_'),
+                match_field: 'email',
+                match_value: '{{user.email}}'
+            };
+        }
+        else {
+            accessRules = { type: 'authenticated' };
+        }
         config[agent.slug] = {
             name: agent.name,
             slug: agent.slug,
             description: agent.description,
+            audience: agent.audience || agent.name,
             welcome_message: agent.welcome_message,
-            auth_type: agent.auth_type || 'authenticated',
+            access_rules: accessRules,
             permissions: agent.permissions || {},
             user_filter: agent.user_filter || {},
-            action_chips: (agent.action_chips || []).map((chip) => ({
-                label: chip.label,
-                icon: chip.icon,
-                action: chip.action,
-                table: chip.table,
-                display: chip.display || 'table',
-                filter: chip.filter,
-                fields: chip.fields
-            }))
+            action_chips: (agent.action_chips || []).map((chip) => {
+                // Start with chip's existing autoFill and hiddenFields
+                const autoFill = [...(chip.autoFill || [])];
+                const hiddenFields = [...(chip.hiddenFields || [])];
+                // For create actions, add autoFill from before_create rules
+                if (chip.action === 'create' && chip.table) {
+                    const createRules = (rules || []).filter((r) => (r.table === chip.table || r.table_slug === chip.table) &&
+                        r.trigger === 'before_create' &&
+                        r.enabled !== false);
+                    for (const rule of createRules) {
+                        for (const action of (rule.actions || [])) {
+                            if (action.type === 'set_field' && action.field) {
+                                // Add to autoFill if not already set by chip
+                                if (!autoFill.find((af) => af.field === action.field)) {
+                                    autoFill.push({ field: action.field, value: action.value });
+                                }
+                                // Add to hiddenFields if not already there
+                                if (!hiddenFields.includes(action.field)) {
+                                    hiddenFields.push(action.field);
+                                }
+                            }
+                        }
+                    }
+                }
+                return {
+                    label: chip.label,
+                    icon: chip.icon,
+                    action: chip.action,
+                    table: chip.table,
+                    display: chip.display || 'table',
+                    filter: chip.filter,
+                    filters: chip.filters,
+                    fields: chip.fields,
+                    autoFill: autoFill.length > 0 ? autoFill : undefined,
+                    hiddenFields: hiddenFields.length > 0 ? hiddenFields : undefined
+                };
+            })
         };
     }
     return JSON.stringify(config, null, 2);
@@ -813,18 +1149,94 @@ function generateAgentMiddleware() {
     return `/**
  * Agent Permission Middleware
  * Auto-generated by ThinkSoft CLI
+ *
+ * Handles:
+ * 1. Access Rules (public/authenticated/table-based)
+ * 2. Table Permissions (CRUD)
  */
+const db = require('../db');
 const agentConfig = require('../../agents/config.json');
-const agentAuth = (req, res, next) => {
+/**
+ * Check agent access rules
+ * - public: anyone can access (no login required)
+ * - authenticated: must be logged in (in app_users)
+ * - table-based: must be logged in AND exist in specified table
+ */
+const checkAgentAccess = async (req, res, next) => {
   const agent = agentConfig[req.params.agent];
   if (!agent) {
     return res.status(404).json({ error: 'Agent not found' });
   }
+  const accessRules = agent.access_rules || { type: 'authenticated' };
+  switch (accessRules.type) {
+    case 'public':
+      // Anyone can access, no login required
+      req.agent = agent;
+      return next();
+    case 'authenticated':
+      // Must be logged in
+      if (!req.user) {
+        return res.status(401).json({ error: 'Authentication required' });
+      }
+      req.agent = agent;
+      return next();
+    case 'table-based':
+      // Must be logged in AND exist in specified table
+      if (!req.user) {
+        return res.status(401).json({ error: 'Authentication required' });
+      }
+      if (!accessRules.table) {
+        // No table specified, fall back to authenticated
+        req.agent = agent;
+        return next();
+      }
+      try {
+        const matchField = accessRules.match_field || 'email';
+        const matchValue = accessRules.match_value === '{{user.id}}'
+          ? req.user.userId
+          : req.user.email;
+        const { rows } = await db.query(
+          \`SELECT id FROM \${accessRules.table} WHERE \${matchField} = $1 LIMIT 1\`,
+          [matchValue]
+        );
+        if (rows.length === 0) {
+          return res.status(403).json({
+            error: \`Access denied. You are not registered as a \${agent.audience || 'user'}.\`
+          });
+        }
+        req.matchedRecord = rows[0];
+        req.agent = agent;
+        return next();
+      } catch (error) {
+        console.error('Access check error:', error);
+        // If table doesn't exist, fall back to authenticated
+        req.agent = agent;
+        return next();
+      }
+    default:
+      return res.status(403).json({ error: 'Unknown access rule type' });
+  }
+};
+/**
+ * Check table-level permissions (CRUD)
+ */
+const checkTablePermissions = (req, res, next) => {
+  const agent = req.agent;
   const table = req.params.table;
-  const permissions = agent.permissions[table];
+  const permissions = agent.permissions?.[table];
   if (!permissions) {
     return res.status(403).json({ error: 'No access to this table' });
@@ -838,18 +1250,20 @@ const agentAuth = (req, res, next) => {
     (method === 'DELETE' && permissions.delete);
   if (!allowed) {
-    return res.status(403).json({ error: 'Permission denied' });
+    return res.status(403).json({ error: 'Permission denied for this action' });
   }
+  // Apply user filter if configured
   if (agent.user_filter?.[table] && req.user) {
-    req.userFilter = agent.user_filter[table].replace(/:current_user_id/g, req.user.id);
+    req.userFilter = agent.user_filter[table]
+      .replace(/{{user\\.id}}/g, req.user.userId)
+      .replace(/{{user\\.email}}/g, req.user.email);
   }
-  req.agent = agent;
   next();
 };
-module.exports = agentAuth;
+module.exports = { checkAgentAccess, checkTablePermissions };
 `;
 }
 function generateChat(option) {
@@ -918,61 +1332,513 @@ module.exports = { chat };
 `;
 }
 function generateClient(tables, endpoints, baseUrl) {
-    let code = `/**
- * API Client
+    // Generate table list for schema endpoint
+    const tableSchemas = (tables || []).map(t => ({
+        slug: t.slug,
+        name: t.name,
+        fields: t.fields || []
+    }));
+    return `/**
+ * ThinkSoft Compatible Client SDK
  * Auto-generated by ThinkSoft CLI
+ *
+ * This client mirrors the @thinksoftai/sdk interface.
+ * Code written for ThinkSoft hosted will work with this client.
+ *
+ * Usage:
+ *   import { ThinkSoft } from './client/api';
+ *   const client = new ThinkSoft({ appId: 'my-app' });
+ *
+ *   // Auth
+ *   await client.auth.sendOtp('user@example.com');
+ *   await client.auth.verifyOtp('user@example.com', '123456');
+ *
+ *   // CRUD
+ *   const records = await client.from('orders').list();
+ *   await client.from('orders').create({ product: 'Widget' });
  */
-const API_BASE = process.env.REACT_APP_API_URL || 'http://localhost:3000${baseUrl}';
+const DEFAULT_BASE_URL = 'http://localhost:3000${baseUrl}';
-const getHeaders = () => ({
-  'Content-Type': 'application/json',
-  ...(localStorage.getItem('token') && {
-    'Authorization': \`Bearer \${localStorage.getItem('token')}\`
-  })
-});
+// Storage keys
+const TOKEN_KEY = 'thinksoft_token';
+const REFRESH_TOKEN_KEY = 'thinksoft_refresh_token';
+const EXPIRES_AT_KEY = 'thinksoft_expires_at';
+const USER_KEY = 'thinksoft_user';
-const handleResponse = async (response) => {
-  const data = await response.json();
-  if (!response.ok) throw new Error(data.error || 'Request failed');
-  return data;
-};
+// In-memory storage fallback
+const memoryStorage = {};
-const api = {
-`;
-    for (const table of tables || []) {
-        const path = endpoints[table.slug]?.path || `/${table.slug}`;
-        code += `  ${table.slug}: {
-    list: (params = {}) => fetch(\`\${API_BASE}${path}?\${new URLSearchParams(params)}\`, { headers: getHeaders() }).then(handleResponse),
-    get: (id) => fetch(\`\${API_BASE}${path}/\${id}\`, { headers: getHeaders() }).then(handleResponse),
-    create: (data) => fetch(\`\${API_BASE}${path}\`, { method: 'POST', headers: getHeaders(), body: JSON.stringify(data) }).then(handleResponse),
-    update: (id, data) => fetch(\`\${API_BASE}${path}/\${id}\`, { method: 'PUT', headers: getHeaders(), body: JSON.stringify(data) }).then(handleResponse),
-    delete: (id) => fetch(\`\${API_BASE}${path}/\${id}\`, { method: 'DELETE', headers: getHeaders() }).then(handleResponse),
-  },
-`;
-    }
-    code += `};
+function getStorage(type) {
+  if (type === 'none') return null;
+  if (type === 'memory') {
+    return {
+      getItem: (key) => memoryStorage[key] || null,
+      setItem: (key, value) => { memoryStorage[key] = value; },
+      removeItem: (key) => { delete memoryStorage[key]; },
+      clear: () => { Object.keys(memoryStorage).forEach(k => delete memoryStorage[k]); }
+    };
+  }
+  // Check if localStorage is available (browser)
+  if (typeof window !== 'undefined' && window.localStorage) {
+    return window.localStorage;
+  }
+  // Fallback to memory
+  return getStorage('memory');
+}
+/**
+ * Token Storage - handles storing and retrieving auth tokens
+ */
+class TokenStorage {
+  constructor(type = 'localStorage') {
+    this.storage = getStorage(type);
+    this._token = null;
+    this._refreshToken = null;
+    this._expiresAt = null;
+    this._user = null;
+    this.load();
+  }
+  load() {
+    if (!this.storage) return;
+    this._token = this.storage.getItem(TOKEN_KEY);
+    this._refreshToken = this.storage.getItem(REFRESH_TOKEN_KEY);
+    const expiresAtStr = this.storage.getItem(EXPIRES_AT_KEY);
+    if (expiresAtStr) this._expiresAt = parseInt(expiresAtStr, 10);
+    const userJson = this.storage.getItem(USER_KEY);
+    if (userJson) {
+      try { this._user = JSON.parse(userJson); } catch { this._user = null; }
+    }
+  }
+  get token() { return this._token; }
+  get refreshToken() { return this._refreshToken; }
+  get expiresAt() { return this._expiresAt; }
+  get user() { return this._user; }
+  isTokenExpired(bufferSeconds = 300) {
+    if (!this._token || !this._expiresAt) return true;
+    const now = Math.floor(Date.now() / 1000);
+    return now >= (this._expiresAt - bufferSeconds);
+  }
+  setToken(token, refreshToken, expiresIn) {
+    this._token = token;
+    this._refreshToken = refreshToken || null;
+    if (expiresIn) {
+      this._expiresAt = Math.floor(Date.now() / 1000) + expiresIn;
+    }
+    if (this.storage) {
+      this.storage.setItem(TOKEN_KEY, token);
+      if (refreshToken) this.storage.setItem(REFRESH_TOKEN_KEY, refreshToken);
+      if (this._expiresAt) this.storage.setItem(EXPIRES_AT_KEY, this._expiresAt.toString());
+    }
+  }
+  setUser(user) {
+    this._user = user;
+    if (this.storage) {
+      this.storage.setItem(USER_KEY, JSON.stringify(user));
+    }
+  }
+  clear() {
+    this._token = null;
+    this._refreshToken = null;
+    this._expiresAt = null;
+    this._user = null;
+    if (this.storage) {
+      this.storage.removeItem(TOKEN_KEY);
+      this.storage.removeItem(REFRESH_TOKEN_KEY);
+      this.storage.removeItem(EXPIRES_AT_KEY);
+      this.storage.removeItem(USER_KEY);
+    }
+  }
+}
+/**
+ * HTTP Client - handles API requests
+ */
+class HttpClient {
+  constructor(baseUrl, storage) {
+    this.baseUrl = baseUrl;
+    this.storage = storage;
+  }
+  async request(method, path, body = null, requiresAuth = true) {
+    const headers = { 'Content-Type': 'application/json' };
+    if (requiresAuth && this.storage.token) {
+      headers['Authorization'] = \`Bearer \${this.storage.token}\`;
+    }
+    const options = { method, headers };
+    if (body && method !== 'GET') {
+      options.body = JSON.stringify(body);
+    }
+    const response = await fetch(\`\${this.baseUrl}\${path}\`, options);
+    const data = await response.json();
+    if (!response.ok) {
+      return { error: data.error || 'Request failed' };
+    }
+    return data;
+  }
+  get(path, requiresAuth = true) { return this.request('GET', path, null, requiresAuth); }
+  post(path, body, requiresAuth = true) { return this.request('POST', path, body, requiresAuth); }
+  put(path, body, requiresAuth = true) { return this.request('PUT', path, body, requiresAuth); }
+  delete(path, requiresAuth = true) { return this.request('DELETE', path, null, requiresAuth); }
+}
+/**
+ * Auth Module - handles authentication
+ */
+class Auth {
+  constructor(http, storage) {
+    this.http = http;
+    this.storage = storage;
+  }
+  async sendOtp(email) {
+    const response = await this.http.post('/auth/send-otp', { email }, false);
+    if (response.error) return { success: false, error: response.error };
+    return { success: true, message: response.message || 'OTP sent' };
+  }
+  async verifyOtp(email, otp) {
+    const response = await this.http.post('/auth/verify-otp', { email, otp }, false);
+    if (response.error) return { success: false, error: response.error };
+    if (response.accessToken || response.token) {
+      const token = response.accessToken || response.token;
+      this.storage.setToken(token, response.refreshToken || response.refresh_token, response.expires_in || 3600);
+    }
+    if (response.user) {
+      this.storage.setUser(response.user);
+    }
+    return {
+      success: true,
+      token: response.accessToken || response.token,
+      refresh_token: response.refreshToken || response.refresh_token,
+      expires_in: response.expires_in,
+      user: response.user
+    };
+  }
+  setToken(token) { this.storage.setToken(token); }
+  getToken() { return this.storage.token; }
+  getUser() { return this.storage.user; }
+  isAuthenticated() { return !!this.storage.token; }
+  isTokenExpired(bufferSeconds = 300) { return this.storage.isTokenExpired(bufferSeconds); }
+  getExpiresAt() { return this.storage.expiresAt; }
+  async refreshSession() {
+    const refreshToken = this.storage.refreshToken;
+    if (!refreshToken) return { success: false, error: 'No refresh token available' };
+    const response = await this.http.post('/auth/refresh-token', { refreshToken }, false);
+    if (response.error) {
+      this.storage.clear();
+      return { success: false, error: response.error };
+    }
+    if (response.accessToken || response.token) {
+      const token = response.accessToken || response.token;
+      this.storage.setToken(token, response.refreshToken || refreshToken, response.expires_in || 3600);
+    }
+    return { success: true, token: response.accessToken || response.token };
+  }
-export default api;
+  async ensureValidToken() {
+    if (!this.storage.token) return false;
+    if (!this.isTokenExpired()) return true;
+    const result = await this.refreshSession();
+    return result.success;
+  }
+  logout() { this.storage.clear(); }
+}
+/**
+ * Query Builder - handles CRUD operations for a table
+ */
+class QueryBuilder {
+  constructor(http, table, tableSchemas) {
+    this.http = http;
+    this.table = table;
+    this.tableSchemas = tableSchemas;
+  }
+  async schema() {
+    // Return from local schema (self-hosted)
+    const tableSchema = this.tableSchemas.find(t => t.slug === this.table);
+    if (!tableSchema) throw new Error('Table not found');
+    return tableSchema;
+  }
+  async fields() {
+    const tableSchema = await this.schema();
+    return tableSchema.fields || [];
+  }
+  async list(options = {}) {
+    const { filter, sort, limit = 50, offset = 0 } = options;
+    const params = new URLSearchParams();
+    if (filter) params.set('filter', JSON.stringify(filter));
+    if (sort) params.set('sort', sort);
+    params.set('limit', limit.toString());
+    params.set('offset', offset.toString());
+    const queryString = params.toString();
+    const path = \`/\${this.table}\${queryString ? '?' + queryString : ''}\`;
+    const response = await this.http.get(path);
+    if (response.error) throw new Error(response.error);
+    const data = Array.isArray(response.data) ? response.data : [];
+    return { data, count: response.count ?? data.length };
+  }
+  async get(id) {
+    const response = await this.http.get(\`/\${this.table}/\${id}\`);
+    if (response.error) throw new Error(response.error);
+    return response.data;
+  }
+  async create(data) {
+    const response = await this.http.post(\`/\${this.table}\`, data);
+    if (response.error) throw new Error(response.error);
+    return response.data;
+  }
+  async update(id, data) {
+    const response = await this.http.put(\`/\${this.table}/\${id}\`, data);
+    if (response.error) throw new Error(response.error);
+    return response.data;
+  }
+  async delete(id) {
+    const response = await this.http.delete(\`/\${this.table}/\${id}\`);
+    if (response.error) throw new Error(response.error);
+    return response.success || true;
+  }
+  async findFirst(filter) {
+    const result = await this.list({ filter, limit: 1 });
+    return result.data[0] || null;
+  }
+  async count(filter) {
+    const result = await this.list({ filter, limit: 0 });
+    return result.count;
+  }
+}
+/**
+ * ThinkSoft Client - Main SDK class
+ * Compatible with @thinksoftai/sdk interface
+ */
+class ThinkSoft {
+  constructor(config) {
+    if (!config.appId) {
+      throw new Error('appId is required');
+    }
+    this.config = {
+      appId: config.appId,
+      baseUrl: config.baseUrl || DEFAULT_BASE_URL,
+      token: config.token || '',
+      storage: config.storage || 'localStorage'
+    };
+    // Table schemas (generated from export)
+    this.tableSchemas = ${JSON.stringify(tableSchemas, null, 2).split('\n').map((line, i) => i === 0 ? line : '    ' + line).join('\n')};
+    // Initialize storage
+    this.storage = new TokenStorage(this.config.storage);
+    // Set initial token if provided
+    if (this.config.token) {
+      this.storage.setToken(this.config.token);
+    }
+    // Initialize HTTP client
+    this.http = new HttpClient(this.config.baseUrl, this.storage);
+    // Initialize modules
+    this.auth = new Auth(this.http, this.storage);
+  }
+  async tables() {
+    return this.tableSchemas.map(t => ({
+      id: t.slug,
+      slug: t.slug,
+      name: t.name,
+      fieldCount: (t.fields || []).length
+    }));
+  }
+  from(table) {
+    return new QueryBuilder(this.http, table, this.tableSchemas);
+  }
+  getAppId() { return this.config.appId; }
+  getBaseUrl() { return this.config.baseUrl; }
+}
+// ES Module export
+export { ThinkSoft, Auth, QueryBuilder, TokenStorage };
+export default ThinkSoft;
+// CommonJS compatibility
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = { ThinkSoft, Auth, QueryBuilder, TokenStorage, default: ThinkSoft };
+}
 `;
-    return code;
 }
 function generateEvents(tables) {
+    const tableListeners = (tables || []).map(t => `
+// ${t.name} events
+eventBus.on('${t.slug}.created', async ({ new: record }) => {
+  console.log('📝 ${t.name} created:', record.id);
+  await processNotifications('${t.slug}', 'created', record);
+});
+eventBus.on('${t.slug}.updated', async ({ old: oldRecord, new: newRecord }) => {
+  console.log('✏️ ${t.name} updated:', newRecord.id);
+  await processNotifications('${t.slug}', 'updated', newRecord, oldRecord);
+});
+eventBus.on('${t.slug}.deleted', async ({ old: record }) => {
+  console.log('🗑️ ${t.name} deleted:', record.id);
+  await processNotifications('${t.slug}', 'deleted', record);
+});
+`).join('\n');
     return `/**
  * Event Bus
  * Auto-generated by ThinkSoft CLI
+ *
+ * Events emitted:
+ * - {table}.created - { new: record }
+ * - {table}.updated - { old: oldRecord, new: newRecord }
+ * - {table}.deleted - { old: record }
  */
 const EventEmitter = require('events');
 const eventBus = new EventEmitter();
-// Add event listeners here
-// eventBus.on('orders.created', async ({ new: record }) => { ... });
+// Notification queue (for external actions like emails, webhooks)
+const notificationQueue = [];
+/**
+ * Process notifications for an event
+ * This handles email, webhook, and other external actions
+ */
+async function processNotifications(table, action, record, oldRecord = null) {
+  // Load notification handlers from config
+  const handlers = getNotificationHandlers(table, action);
+  for (const handler of handlers) {
+    try {
+      switch (handler.type) {
+        case 'email':
+          await sendEmailNotification(handler, record, oldRecord);
+          break;
+        case 'webhook':
+          await sendWebhook(handler, record, action, oldRecord);
+          break;
+        case 'log':
+          console.log(\`[Notification] \${handler.message || table + '.' + action}\`, record.id);
+          break;
+      }
+    } catch (error) {
+      console.error(\`Notification handler error (\${handler.type}):\`, error.message);
+    }
+  }
+}
+/**
+ * Get notification handlers for a table/action
+ * Override this to customize notification behavior
+ */
+function getNotificationHandlers(table, action) {
+  // Default: no notifications
+  // Add your notification rules here
+  return [];
+}
+/**
+ * Send email notification
+ */
+async function sendEmailNotification(handler, record, oldRecord) {
+  // ThinkSoft email proxy or custom implementation
+  const emailEndpoint = process.env.EMAIL_ENDPOINT || 'https://developerapi-ir6zo3lfxq-uc.a.run.app/api/v1/email/send';
+  if (!handler.to) return;
+  const to = typeof handler.to === 'function' ? handler.to(record) : handler.to;
+  const subject = typeof handler.subject === 'function' ? handler.subject(record) : handler.subject;
+  const body = typeof handler.body === 'function' ? handler.body(record) : handler.body;
+  // Queue the email (implement your email sending logic)
+  console.log(\`📧 Email queued: to=\${to}, subject=\${subject}\`);
+  // If using ThinkSoft email proxy:
+  // await fetch(emailEndpoint, { method: 'POST', body: JSON.stringify({ to, subject, body }) });
+}
+/**
+ * Send webhook notification
+ */
+async function sendWebhook(handler, record, action, oldRecord) {
+  if (!handler.url) return;
+  try {
+    const payload = {
+      event: \`\${action}\`,
+      timestamp: new Date().toISOString(),
+      data: record,
+      ...(oldRecord && { previousData: oldRecord })
+    };
+    const response = await fetch(handler.url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(handler.headers || {}),
+        ...(handler.secret && { 'X-Webhook-Secret': handler.secret })
+      },
+      body: JSON.stringify(payload)
+    });
+    if (!response.ok) {
+      console.error(\`Webhook failed: \${response.status}\`);
+    }
+  } catch (error) {
+    console.error('Webhook error:', error.message);
+  }
+}
+// Table event listeners
+${tableListeners}
 module.exports = eventBus;
+module.exports.processNotifications = processNotifications;
+module.exports.getNotificationHandlers = getNotificationHandlers;
 `;
 }
-function generateIndex(baseUrl) {
+function generateIndex(baseUrl, authOption = 'none') {
+    const authImport = authOption !== 'none' ? "const authRoutes = require('./routes/auth');\n" : '';
+    const authRoute = authOption !== 'none' ? `app.use('${baseUrl}/auth', authRoutes);\n` : '';
     return `/**
  * Server Entry Point
  * Auto-generated by ThinkSoft CLI
@@ -983,7 +1849,7 @@ const express = require('express');
 const cors = require('cors');
 const routes = require('./routes');
 const agentRoutes = require('./routes/agents');
+${authImport}
 const app = express();
 const PORT = process.env.PORT || 3000;
@@ -993,7 +1859,7 @@ app.use(express.json());
 // Routes
 app.use('${baseUrl}', routes);
 app.use('${baseUrl}/agent', agentRoutes);
+${authRoute}
 // Health check
 app.get('/health', (req, res) => res.json({ status: 'ok' }));
@@ -1029,6 +1895,10 @@ function generateAuthMiddleware() {
 const jwt = require('jsonwebtoken');
+/**
+ * Strict authentication - fails if no valid token
+ * Use for protected endpoints that always require login
+ */
 const authenticate = (req, res, next) => {
   const authHeader = req.headers.authorization;
@@ -1047,7 +1917,276 @@ const authenticate = (req, res, next) => {
   }
 };
-module.exports = { authenticate };
+/**
+ * Optional authentication - sets req.user if token present, but doesn't fail
+ * Use for endpoints that may be public or authenticated based on agent config
+ */
+const optionalAuth = (req, res, next) => {
+  const authHeader = req.headers.authorization;
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    // No token, but that's ok - continue without user
+    req.user = null;
+    return next();
+  }
+  const token = authHeader.split(' ')[1];
+  try {
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+    req.user = decoded;
+  } catch (error) {
+    // Invalid token, continue without user
+    req.user = null;
+  }
+  next();
+};
+module.exports = { authenticate, optionalAuth };
+`;
+}
+function generateAuthController(app, authOption) {
+    const appId = app?.id || 'APP_ID';
+    const appName = app?.name || 'App';
+    const emailSendCode = authOption === 'thinksoft'
+        ? `// Send OTP via ThinkSoft email proxy (no setup needed)
+    const response = await fetch('https://developerapi-ir6zo3lfxq-uc.a.run.app/api/v1/email/send-otp', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        appId: process.env.THINKSOFT_APP_ID || '${appId}',
+        email,
+        otp,
+        appName: process.env.APP_NAME || '${appName}',
+        expiresInMinutes: 10
+      })
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || 'Failed to send OTP');
+    }`
+        : `// Send OTP via self-hosted email (requires RESEND_API_KEY)
+    const { Resend } = require('resend');
+    const resend = new Resend(process.env.RESEND_API_KEY);
+    await resend.emails.send({
+      from: process.env.EMAIL_FROM || 'noreply@example.com',
+      to: email,
+      subject: \`\${otp} is your verification code\`,
+      html: \`<h1>Your verification code</h1><p style="font-size:36px;font-weight:bold">\${otp}</p><p>This code expires in 10 minutes.</p>\`
+    });`;
+    return `/**
+ * Authentication Controller
+ * Auto-generated by ThinkSoft CLI
+ * Auth type: ${authOption}
+ */
+const db = require('../db');
+const jwt = require('jsonwebtoken');
+// Generate 6-digit OTP
+function generateOtp() {
+  return Math.floor(100000 + Math.random() * 900000).toString();
+}
+// Send OTP to email
+async function sendOtp(req, res) {
+  try {
+    const { email } = req.body;
+    if (!email) {
+      return res.status(400).json({ error: 'Email is required' });
+    }
+    // Validate email format
+    const emailRegex = /^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$/;
+    if (!emailRegex.test(email)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+    const otp = generateOtp();
+    const expiresAt = new Date(Date.now() + 10 * 60 * 1000); // 10 minutes
+    // Create or update user with OTP
+    await db.query(\`
+      INSERT INTO app_users (email, otp_code, otp_expires_at)
+      VALUES ($1, $2, $3)
+      ON CONFLICT (email) DO UPDATE SET
+        otp_code = $2,
+        otp_expires_at = $3,
+        updated_at = NOW()
+    \`, [email, otp, expiresAt]);
+    ${emailSendCode}
+    res.json({ success: true, message: 'OTP sent to email' });
+  } catch (error) {
+    console.error('Send OTP error:', error);
+    res.status(500).json({ error: 'Failed to send OTP' });
+  }
+}
+// Verify OTP and return tokens
+async function verifyOtp(req, res) {
+  try {
+    const { email, otp } = req.body;
+    if (!email || !otp) {
+      return res.status(400).json({ error: 'Email and OTP are required' });
+    }
+    // Find user with valid OTP
+    const { rows } = await db.query(\`
+      SELECT * FROM app_users
+      WHERE email = $1 AND otp_code = $2 AND otp_expires_at > NOW()
+    \`, [email, otp]);
+    if (rows.length === 0) {
+      return res.status(401).json({ error: 'Invalid or expired OTP' });
+    }
+    const user = rows[0];
+    // Generate tokens
+    const accessToken = jwt.sign(
+      { userId: user.id, email: user.email },
+      process.env.JWT_SECRET,
+      { expiresIn: '1h' }
+    );
+    const refreshToken = jwt.sign(
+      { userId: user.id, type: 'refresh' },
+      process.env.JWT_SECRET,
+      { expiresIn: '7d' }
+    );
+    // Clear OTP and save refresh token
+    await db.query(\`
+      UPDATE app_users SET
+        otp_code = NULL,
+        otp_expires_at = NULL,
+        refresh_token = $2,
+        last_login = NOW(),
+        updated_at = NOW()
+      WHERE id = $1
+    \`, [user.id, refreshToken]);
+    res.json({
+      success: true,
+      user: {
+        id: user.id,
+        email: user.email,
+        name: user.name
+      },
+      accessToken,
+      refreshToken
+    });
+  } catch (error) {
+    console.error('Verify OTP error:', error);
+    res.status(500).json({ error: 'Authentication failed' });
+  }
+}
+// Refresh access token
+async function refreshToken(req, res) {
+  try {
+    const { refreshToken } = req.body;
+    if (!refreshToken) {
+      return res.status(400).json({ error: 'Refresh token is required' });
+    }
+    // Verify refresh token
+    let decoded;
+    try {
+      decoded = jwt.verify(refreshToken, process.env.JWT_SECRET);
+    } catch (err) {
+      return res.status(401).json({ error: 'Invalid refresh token' });
+    }
+    if (decoded.type !== 'refresh') {
+      return res.status(401).json({ error: 'Invalid token type' });
+    }
+    // Find user with this refresh token
+    const { rows } = await db.query(
+      'SELECT * FROM app_users WHERE id = $1 AND refresh_token = $2',
+      [decoded.userId, refreshToken]
+    );
+    if (rows.length === 0) {
+      return res.status(401).json({ error: 'Token revoked or user not found' });
+    }
+    const user = rows[0];
+    // Generate new access token
+    const accessToken = jwt.sign(
+      { userId: user.id, email: user.email },
+      process.env.JWT_SECRET,
+      { expiresIn: '1h' }
+    );
+    res.json({ success: true, accessToken });
+  } catch (error) {
+    console.error('Refresh token error:', error);
+    res.status(500).json({ error: 'Token refresh failed' });
+  }
+}
+// Get current user
+async function getMe(req, res) {
+  try {
+    const { rows } = await db.query(
+      'SELECT id, email, name, created_at FROM app_users WHERE id = $1',
+      [req.user.userId]
+    );
+    if (rows.length === 0) {
+      return res.status(404).json({ error: 'User not found' });
+    }
+    res.json({ user: rows[0] });
+  } catch (error) {
+    console.error('Get me error:', error);
+    res.status(500).json({ error: 'Failed to get user' });
+  }
+}
+module.exports = {
+  sendOtp,
+  verifyOtp,
+  refreshToken,
+  getMe
+};
+`;
+}
+function generateAuthRoutes() {
+    return `/**
+ * Authentication Routes
+ * Auto-generated by ThinkSoft CLI
+ */
+const express = require('express');
+const router = express.Router();
+const auth = require('../controllers/auth');
+const { authenticate } = require('../middleware/auth');
+// Public routes (no auth required)
+router.post('/send-otp', auth.sendOtp);
+router.post('/verify-otp', auth.verifyOtp);
+router.post('/refresh-token', auth.refreshToken);
+// Protected routes
+router.get('/me', authenticate, auth.getMe);
+module.exports = router;
 `;
 }
 function generateApiConfig(tables, endpoints, config) {
@@ -1091,6 +2230,9 @@ function generatePackageJson(app, config) {
     if (config.chatOption === 'openai') {
         pkg.dependencies.openai = '^4.20.0';
     }
+    if (config.authOption === 'self-hosted') {
+        pkg.dependencies.resend = '^3.0.0';
+    }
     return JSON.stringify(pkg, null, 2);
 }
 function generateDockerCompose(app) {
@@ -1152,6 +2294,20 @@ NODE_ENV=development
 JWT_SECRET=your-secret-key-change-in-production
 JWT_EXPIRES_IN=7d
 `;
+    if (config.authOption === 'thinksoft') {
+        env += `
+# ThinkSoft Email Proxy (no additional setup needed)
+THINKSOFT_APP_ID=${config.appId || 'YOUR_APP_ID'}
+APP_NAME=${config.appName || 'Your App'}
+`;
+    }
+    else if (config.authOption === 'self-hosted') {
+        env += `
+# Self-hosted Email (requires Resend account)
+RESEND_API_KEY=re_...
+EMAIL_FROM=noreply@yourdomain.com
+`;
+    }
     if (config.chatOption === 'openai') {
         env += `
 # OpenAI (for AI chat)
@@ -1225,4 +2381,299 @@ psql -d your_database -f database/triggers.sql
 \`\`\`
 `;
 }
+function generateContext(data, config, endpoints) {
+    const app = data.app || {};
+    const tables = data.tables || [];
+    const agents = data.agents || [];
+    const rules = data.rules || [];
+    const exportDate = new Date().toISOString().split('T')[0];
+    // Generate tables section
+    const tablesSection = tables.map((t) => {
+        const fields = (t.fields || []).map((f) => f.slug).join(', ');
+        return `| ${t.name} | ${t.slug} | ${fields || '-'} |`;
+    }).join('\n');
+    // Generate relationships section
+    const relationships = [];
+    for (const table of tables) {
+        for (const field of table.fields || []) {
+            if (field.type === 'reference' && field.reference_table) {
+                relationships.push(`- \`${table.slug}.${field.slug}\` → \`${field.reference_table}.id\``);
+            }
+        }
+    }
+    // Generate field details per table
+    const fieldDetails = tables.map((t) => {
+        const fieldsTable = (t.fields || []).map((f) => {
+            const required = f.required ? '✓' : '';
+            const options = f.options?.length ? f.options.join(', ') : '-';
+            return `| ${f.slug} | ${f.label || f.slug} | ${f.type} | ${required} | ${options} |`;
+        }).join('\n');
+        return `### ${t.name} (\`${t.slug}\`)
+| Field | Label | Type | Required | Options |
+|-------|-------|------|----------|---------|
+${fieldsTable || '| - | - | - | - | - |'}`;
+    }).join('\n\n');
+    // Generate business rules section
+    const rulesByTable = {};
+    for (const rule of rules) {
+        const table = rule.table || rule.table_slug || '*';
+        if (!rulesByTable[table])
+            rulesByTable[table] = [];
+        rulesByTable[table].push(rule);
+    }
+    const rulesSection = Object.entries(rulesByTable).map(([table, tableRules]) => {
+        const rulesList = tableRules.map((r) => {
+            const trigger = r.trigger || 'unknown';
+            const actions = (r.actions || []).map((a) => a.type).join(', ');
+            return `| ${r.name} | ${trigger} | ${r.condition || 'true'} | ${actions} |`;
+        }).join('\n');
+        return `#### ${table === '*' ? 'All Tables' : table}
+| Rule | Trigger | Condition | Actions |
+|------|---------|-----------|---------|
+${rulesList}`;
+    }).join('\n\n');
+    // Generate agents section
+    const agentsSection = agents.map((a) => {
+        const accessType = a.auth_type || 'authenticated';
+        const permissions = Object.entries(a.permissions || {}).map(([table, perms]) => {
+            const p = [];
+            if (perms.read)
+                p.push('R');
+            if (perms.create)
+                p.push('C');
+            if (perms.update)
+                p.push('U');
+            if (perms.delete)
+                p.push('D');
+            return `${table}:${p.join('')}`;
+        }).join(', ');
+        return `| ${a.name} | ${a.slug} | ${a.audience || '-'} | ${accessType} | ${permissions || 'all'} |`;
+    }).join('\n');
+    // Generate action chips section
+    const actionChipsSection = agents.map((a) => {
+        if (!a.action_chips?.length)
+            return '';
+        const chips = a.action_chips.map((c) => {
+            return `  - **${c.label}**: ${c.action} on \`${c.table || '-'}\` ${c.filter ? `(filter: ${c.filter})` : ''}`;
+        }).join('\n');
+        return `#### ${a.name}\n${chips}`;
+    }).filter(Boolean).join('\n\n');
+    // Generate API endpoints section
+    const apiEndpoints = tables.map((t) => {
+        const path = endpoints[t.slug]?.path || `/${t.slug}`;
+        return `| ${t.name} | \`GET ${config.baseUrl}${path}\` | \`POST ${config.baseUrl}${path}\` | \`PUT ${config.baseUrl}${path}/:id\` | \`DELETE ${config.baseUrl}${path}/:id\` |`;
+    }).join('\n');
+    // Generate env vars section
+    const envVars = [
+        { name: 'DATABASE_URL', required: true, desc: 'PostgreSQL connection string' },
+        { name: 'JWT_SECRET', required: true, desc: 'Secret key for JWT tokens' },
+        { name: 'PORT', required: false, desc: 'Server port (default: 3000)' }
+    ];
+    if (config.authOption === 'thinksoft') {
+        envVars.push({ name: 'THINKSOFT_APP_ID', required: false, desc: 'App ID for ThinkSoft email proxy' });
+        envVars.push({ name: 'APP_NAME', required: false, desc: 'App name shown in emails' });
+    }
+    else if (config.authOption === 'self-hosted') {
+        envVars.push({ name: 'RESEND_API_KEY', required: true, desc: 'Resend API key for emails' });
+        envVars.push({ name: 'EMAIL_FROM', required: true, desc: 'Sender email address' });
+    }
+    if (config.chatOption === 'openai') {
+        envVars.push({ name: 'OPENAI_API_KEY', required: true, desc: 'OpenAI API key for chat' });
+    }
+    const envVarsSection = envVars.map(v => `| \`${v.name}\` | ${v.required ? 'Yes' : 'No'} | ${v.desc} |`).join('\n');
+    return `# App Context: ${app.name || 'ThinkSoft App'}
+> Auto-generated context documentation by ThinkSoft CLI
+> This file helps developers and AI assistants understand the application
+## Overview
+| Property | Value |
+|----------|-------|
+| **App Name** | ${app.name || 'Unknown'} |
+| **App ID** | ${app.id || 'Unknown'} |
+| **Description** | ${app.description || '-'} |
+| **Original Platform** | ThinkSoft |
+| **Export Date** | ${exportDate} |
+| **Tables** | ${tables.length} |
+| **Agents** | ${agents.length} |
+| **Business Rules** | ${rules.length} |
+---
+## Data Model
+### Tables Overview
+| Name | Slug | Key Fields |
+|------|------|------------|
+${tablesSection || '| - | - | - |'}
+### Relationships
+${relationships.length > 0 ? relationships.join('\n') : '_No relationships defined_'}
+### Field Definitions
+${fieldDetails || '_No tables defined_'}
+---
+## Business Rules
+Business rules are converted to application hooks in \`src/hooks/\`.
+${rulesSection || '_No business rules defined_'}
+### Rule Triggers
+| Trigger | When it fires |
+|---------|---------------|
+| \`before_create\` | Before inserting a new record |
+| \`after_create\` | After a record is created |
+| \`before_update\` | Before updating a record |
+| \`after_update\` | After a record is updated |
+| \`before_delete\` | Before deleting a record |
+| \`after_delete\` | After a record is deleted |
+### Action Types
+| Action | Description |
+|--------|-------------|
+| \`set_field\` | Set a field to a value |
+| \`calculate\` | Calculate a field from formula |
+| \`validate\` | Validate condition, reject if false |
+| \`reject\` | Reject the operation with message |
+| \`lookup_and_set\` | Query another table and set field |
+| \`create_record\` | Create a record in another table |
+---
+## Service Agents
+Agents define access control and user interfaces.
+| Name | Slug | Audience | Access Type | Permissions |
+|------|------|----------|-------------|-------------|
+${agentsSection || '| - | - | - | - | - |'}
+### Access Types
+| Type | Description |
+|------|-------------|
+| \`public\` | Anyone can access (no login required) |
+| \`authenticated\` | Must be logged in (exist in \`app_users\`) |
+| \`table-based\` | Must be logged in AND exist in specific role table |
+### Action Chips
+${actionChipsSection || '_No action chips defined_'}
+---
+## API Reference
+Base URL: \`http://localhost:3000${config.baseUrl}\`
+### Authentication
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| \`/auth/send-otp\` | POST | Send OTP to email |
+| \`/auth/verify-otp\` | POST | Verify OTP, get tokens |
+| \`/auth/refresh-token\` | POST | Refresh access token |
+| \`/auth/me\` | GET | Get current user |
+### CRUD Endpoints
+| Table | List | Create | Update | Delete |
+|-------|------|--------|--------|--------|
+${apiEndpoints || '| - | - | - | - | - |'}
+### Agent Endpoints
+| Endpoint | Description |
+|----------|-------------|
+| \`/agent/:slug\` | Get agent info and action chips |
+| \`/agent/:slug/action\` | Execute action chip |
+| \`/agent/:slug/:table\` | Agent-scoped CRUD |
+---
+## Environment Variables
+| Variable | Required | Description |
+|----------|----------|-------------|
+${envVarsSection}
+---
+## File Structure
+\`\`\`
+├── src/
+│   ├── index.js          # Server entry point
+│   ├── db.js             # Database connection
+│   ├── controllers/      # CRUD logic per table
+│   ├── routes/           # API endpoints
+│   │   ├── index.js      # Table routes
+│   │   ├── agents.js     # Agent routes
+│   │   └── auth.js       # Auth routes
+│   ├── middleware/
+│   │   ├── auth.js       # JWT authentication
+│   │   └── agentAuth.js  # Agent access control
+│   ├── validators/       # Request validation (Joi)
+│   ├── hooks/            # Business rules as code
+│   └── events/           # Event bus & notifications
+├── agents/
+│   ├── config.json       # Agent configurations
+│   └── actions.js        # Action chip handlers
+├── client/
+│   └── api.js            # Frontend SDK (ThinkSoft compatible)
+├── database/
+│   ├── schema.sql        # PostgreSQL schema
+│   └── triggers.sql      # Database triggers
+├── docker-compose.yml    # Docker setup
+├── Dockerfile
+├── package.json
+├── .env.example
+└── README.md
+\`\`\`
+---
+## Migration Notes
+### From ThinkSoft Hosted to Self-Hosted
+1. **Export Data**: Use \`thinksoft export-data ${app.id || 'APP_ID'}\` to export records
+2. **Update Frontend**: Change SDK import or set \`baseUrl\` to self-hosted server
+3. **DNS**: Point your domain to the self-hosted server
+4. **Email**: Configure email provider or use ThinkSoft email proxy
+### SDK Compatibility
+The generated \`client/api.js\` is compatible with \`@thinksoftai/sdk\`:
+\`\`\`javascript
+// ThinkSoft hosted
+import { ThinkSoft } from '@thinksoftai/sdk';
+const client = new ThinkSoft({ appId: '${app.id || 'APP_ID'}' });
+// Self-hosted (same code, different import)
+import { ThinkSoft } from './client/api';
+const client = new ThinkSoft({ appId: '${app.id || 'APP_ID'}' });
+// Same API works
+await client.auth.sendOtp('user@example.com');
+const orders = await client.from('orders').list();
+\`\`\`
+---
+_Generated by ThinkSoft CLI v1.6.x_
+`;
+}
 //# sourceMappingURL=export.js.map