@usehercules/convex 0.0.0

package/dist/_generated/component.js

@@ -0,0 +1,11 @@
+/* eslint-disable */
+/**
+ * Generated `ComponentApi` utility.
+ *
+ * THIS CODE MATCHES THE CONVEX-GENERATED COMPONENT API SHAPE.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+export {};
+//# sourceMappingURL=component.js.map

package/dist/_generated/component.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"component.js","sourceRoot":"","sources":["../../src/_generated/component.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB;;;;;;;GAOG"}

package/dist/checker/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/checker/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/checker/cli.ts"],"names":[],"mappings":""}

package/dist/checker/cli.js

@@ -0,0 +1,71 @@
+#!/usr/bin/env node
+import { checkAccessControlSource, formatAccessControlCheckResult } from "./index.js";
+const parsedArgs = parseArgs(process.argv.slice(2));
+if (!parsedArgs.ok) {
+    console.error(parsedArgs.message);
+    console.error(helpText());
+    process.exitCode = 2;
+}
+else if (parsedArgs.help) {
+    console.log(helpText());
+}
+else {
+    const result = checkAccessControlSource({
+        cwd: process.cwd(),
+        convexDir: parsedArgs.convexDir,
+        fixAuthenticated: parsedArgs.fixAuthenticated,
+    });
+    if (parsedArgs.json) {
+        console.log(JSON.stringify(result, null, 2));
+    }
+    else {
+        console.log(formatAccessControlCheckResult(result));
+    }
+    process.exitCode = result.ok ? 0 : 1;
+}
+function parseArgs(args) {
+    let convexDir;
+    let json = false;
+    let fixAuthenticated = false;
+    let help = false;
+    for (const arg of args) {
+        if (arg === "--json") {
+            json = true;
+            continue;
+        }
+        if (arg === "--fix-authenticated") {
+            fixAuthenticated = true;
+            continue;
+        }
+        if (arg === "--help" || arg === "-h") {
+            help = true;
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            return { ok: false, message: `Unknown option: ${arg}` };
+        }
+        if (convexDir) {
+            return { ok: false, message: `Unexpected argument: ${arg}` };
+        }
+        convexDir = arg;
+    }
+    return { ok: true, convexDir, json, fixAuthenticated, help };
+}
+function helpText() {
+    return [
+        "Usage: hercules-convex-access-check [convex-dir] [--json] [--fix-authenticated]",
+        "",
+        "Checks exported Convex functions for raw query(), mutation(), or action()",
+        "builders that should use Hercules Access Control builders from convex/hercules.ts.",
+        "Also checks common managed organization mistakes such as placeholder scope ids,",
+        "app-local org membership tables, unsafe org slug lookups,",
+        "and access* permission keys that are not declared in hercules/iam.jsonc.",
+        "Apps that do not use the @usehercules/convex Access Control SDK in their Convex",
+        "functions pass unchanged: raw Convex builders stay allowed there.",
+        "",
+        "--fix-authenticated rewrites exported raw builders to authenticated* builders",
+        "as a conservative migration starting point. Review public and permissioned",
+        "handlers afterward and switch them to public* or access* deliberately.",
+    ].join("\n");
+}
+//# sourceMappingURL=cli.js.map

package/dist/checker/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/checker/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,wBAAwB,EAAE,8BAA8B,EAAE,MAAM,YAAY,CAAC;AAMtF,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAEpD,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;IACnB,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1B,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC;KAAM,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3B,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC1B,CAAC;KAAM,CAAC;IACN,MAAM,MAAM,GAAG,wBAAwB,CAAC;QACtC,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;QAClB,SAAS,EAAE,UAAU,CAAC,SAAS;QAC/B,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;KAC9C,CAAC,CAAC;IAEH,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,MAAM,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,IAAI,SAA6B,CAAC;IAClC,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,gBAAgB,GAAG,KAAK,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YACrB,IAAI,GAAG,IAAI,CAAC;YACZ,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,qBAAqB,EAAE,CAAC;YAClC,gBAAgB,GAAG,IAAI,CAAC;YACxB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACrC,IAAI,GAAG,IAAI,CAAC;YACZ,SAAS;QACX,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,mBAAmB,GAAG,EAAE,EAAE,CAAC;QAC1D,CAAC;QACD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,wBAAwB,GAAG,EAAE,EAAE,CAAC;QAC/D,CAAC;QACD,SAAS,GAAG,GAAG,CAAC;IAClB,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,QAAQ;IACf,OAAO;QACL,iFAAiF;QACjF,EAAE;QACF,2EAA2E;QAC3E,oFAAoF;QACpF,iFAAiF;QACjF,2DAA2D;QAC3D,0EAA0E;QAC1E,iFAAiF;QACjF,mEAAmE;QACnE,EAAE;QACF,+EAA+E;QAC/E,4EAA4E;QAC5E,wEAAwE;KACzE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/dist/checker/index.d.ts

@@ -0,0 +1,28 @@
+type RawConvexBuilder = "query" | "mutation" | "action";
+export type AccessControlCheckFinding = {
+    code: "convex_dir_missing" | "raw_exported_convex_builder" | "placeholder_access_scope_id" | "hardcoded_access_scope_id" | "local_org_membership_table" | "optional_org_scope_id" | "org_scoped_global_slug_lookup" | "org_row_scope_from_arg" | "authenticated_org_data_read" | "privileged_resource_permission_rule" | "public_service_authority_call" | "noncanonical_permission_key";
+    severity: "error";
+    filePath: string;
+    line: number;
+    column: number;
+    functionName?: string;
+    builder?: RawConvexBuilder;
+    message: string;
+    suggestion?: string;
+};
+export type AccessControlCheckResult = {
+    ok: boolean;
+    convexDir: string;
+    filesChecked: number;
+    fixedFiles: number;
+    findings: AccessControlCheckFinding[];
+};
+export type CheckAccessControlSourceOptions = {
+    cwd?: string;
+    convexDir?: string;
+    fixAuthenticated?: boolean;
+};
+export declare function checkAccessControlSource(options?: CheckAccessControlSourceOptions): AccessControlCheckResult;
+export declare function formatAccessControlCheckResult(result: AccessControlCheckResult): string;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/checker/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/checker/index.ts"],"names":[],"mappings":"AAUA,KAAK,gBAAgB,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,CAAC;AAUxD,MAAM,MAAM,yBAAyB,GAAG;IACtC,IAAI,EACA,oBAAoB,GACpB,6BAA6B,GAC7B,6BAA6B,GAC7B,2BAA2B,GAC3B,4BAA4B,GAC5B,uBAAuB,GACvB,+BAA+B,GAC/B,wBAAwB,GACxB,6BAA6B,GAC7B,qCAAqC,GACrC,+BAA+B,GAC/B,6BAA6B,CAAC;IAClC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,yBAAyB,EAAE,CAAC;CACvC,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AA+EF,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,+BAAoC,GAC5C,wBAAwB,CA4F1B;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,wBAAwB,GAC/B,MAAM,CAwBR"}