@vibecodiq/cli 0.4.0 → 0.5.1

package/dist/foundation/auth_basic/shared/guards.ts

@@ -0,0 +1,89 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Server-side auth guards for route handlers.
+// Security: uses getUser() (verified against Supabase Auth server), NOT getSession() (unverified JWT).
+// See: https://supabase.com/docs/reference/javascript/auth-getsession
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+/**
+ * Require authenticated user in a route handler.
+ * Uses getUser() for server-side verification — NOT getSession().
+ *
+ * Usage in route handler:
+ * ```ts
+ * const { user, response } = await requireAuth(request);
+ * if (response) return response;
+ * // user is guaranteed to be authenticated
+ * ```
+ */
+export async function requireAuth(request: NextRequest): Promise<{
+  user: { id: string; email: string } | null;
+  response: NextResponse | null;
+}> {
+  const supabase = createServerClient();
+
+  // SECURITY: getUser() verifies the JWT against Supabase Auth server.
+  // getSession() only reads the JWT from cookies without verification — NOT safe for security checks.
+  const { data: { user }, error } = await supabase.auth.getUser();
+
+  if (error || !user) {
+    return {
+      user: null,
+      response: NextResponse.json(
+        { error: 'Authentication required' },
+        { status: 401 },
+      ),
+    };
+  }
+
+  return {
+    user: { id: user.id, email: user.email ?? '' },
+    response: null,
+  };
+}
+
+/**
+ * Require specific role in a route handler.
+ * Checks profiles.role against required role.
+ *
+ * Usage:
+ * ```ts
+ * const { user, response } = await requireRole(request, 'admin');
+ * if (response) return response;
+ * ```
+ */
+export async function requireRole(request: NextRequest, role: string): Promise<{
+  user: { id: string; email: string; role: string } | null;
+  response: NextResponse | null;
+}> {
+  const { user, response } = await requireAuth(request);
+  if (response) return { user: null, response };
+
+  const supabase = createServerClient();
+  const { data: profile } = await supabase
+    .from('profiles')
+    .select('role')
+    .eq('id', user!.id)
+    .single();
+
+  if (!profile || profile.role !== role) {
+    return {
+      user: null,
+      response: NextResponse.json(
+        { error: 'Insufficient permissions' },
+        { status: 403 },
+      ),
+    };
+  }
+
+  return {
+    user: { ...user!, role: profile.role },
+    response: null,
+  };
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/shared/hooks.ts

@@ -0,0 +1,63 @@
+'use client';
+
+import { useEffect, useState } from 'react';
+import { createBrowserClient } from '@/shared/db/supabase-client';
+import type { User, Session } from './types';
+
+// --- ASA GENERATED START ---
+// Auth hooks for client components.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export function useUser() {
+  const [user, setUser] = useState<User | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    const supabase = createBrowserClient();
+
+    supabase.auth.getUser().then(({ data: { user } }) => {
+      setUser(user as User | null);
+      setLoading(false);
+    });
+
+    const { data: { subscription } } = supabase.auth.onAuthStateChange(
+      (_event, session) => {
+        setUser(session?.user as User | null ?? null);
+        setLoading(false);
+      },
+    );
+
+    return () => subscription.unsubscribe();
+  }, []);
+
+  return { user, loading };
+}
+
+export function useSession() {
+  const [session, setSession] = useState<Session | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    const supabase = createBrowserClient();
+
+    supabase.auth.getSession().then(({ data: { session } }) => {
+      setSession(session as Session | null);
+      setLoading(false);
+    });
+
+    const { data: { subscription } } = supabase.auth.onAuthStateChange(
+      (_event, session) => {
+        setSession(session as Session | null);
+        setLoading(false);
+      },
+    );
+
+    return () => subscription.unsubscribe();
+  }, []);
+
+  return { session, loading };
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/shared/middleware.ts

@@ -0,0 +1,46 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Auth middleware — session check, redirect to /login for protected routes.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+const PUBLIC_ROUTES = ['/auth/login', '/auth/register', '/auth/reset-password', '/'];
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  // Allow public routes
+  if (PUBLIC_ROUTES.some((route) => pathname.startsWith(route))) {
+    return NextResponse.next();
+  }
+
+  // Check session
+  const response = NextResponse.next();
+  const supabase = createServerClient({
+    getAll: () => request.cookies.getAll(),
+    setAll: (cookies: any[]) => {
+      cookies.forEach(({ name, value, options }) => {
+        response.cookies.set(name, value, options);
+      });
+    },
+  });
+
+  const { data: { user } } = await supabase.auth.getUser();
+
+  if (!user) {
+    const loginUrl = new URL('/auth/login', request.url);
+    loginUrl.searchParams.set('redirect', pathname);
+    return NextResponse.redirect(loginUrl);
+  }
+
+  return response;
+}
+
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico|api/auth).*)'],
+};
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/shared/server-user.ts

@@ -0,0 +1,61 @@
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Server-side user helpers.
+// Security: ALL functions use getUser() for verified identity — NOT getSession().
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+/**
+ * Get the current authenticated user (server-side, verified).
+ * Returns null if not authenticated.
+ *
+ * IMPORTANT: This uses getUser() which verifies the JWT against Supabase Auth server.
+ * Do NOT use getSession() for security-sensitive operations — it reads unverified JWT from cookies.
+ */
+export async function getCurrentUser() {
+  const supabase = createServerClient();
+  const { data: { user }, error } = await supabase.auth.getUser();
+
+  if (error || !user) {
+    return null;
+  }
+
+  return {
+    id: user.id,
+    email: user.email ?? '',
+  };
+}
+
+/**
+ * Get the current user or throw.
+ * Use in server actions / route handlers where auth is required.
+ */
+export async function requireUser() {
+  const user = await getCurrentUser();
+  if (!user) {
+    throw new Error('Authentication required');
+  }
+  return user;
+}
+
+/**
+ * Get user profile from profiles table.
+ * Returns null if not found.
+ */
+export async function getUserProfile(userId: string) {
+  const supabase = createServerClient();
+  const { data, error } = await supabase
+    .from('profiles')
+    .select('id, display_name, role, created_at, updated_at')
+    .eq('id', userId)
+    .single();
+
+  if (error) {
+    return null;
+  }
+  return data;
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/shared/session.ts

@@ -0,0 +1,38 @@
+import { cookies } from 'next/headers';
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Session helpers for server-side auth operations.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function getCurrentUser() {
+  const cookieStore = await cookies();
+  const supabase = createServerClient(cookieStore);
+  const { data: { user }, error } = await supabase.auth.getUser();
+  if (error || !user) return null;
+  return user;
+}
+
+export async function requireUser() {
+  const user = await getCurrentUser();
+  if (!user) {
+    throw new Error('Authentication required');
+  }
+  return user;
+}
+
+export async function getUserProfile() {
+  const user = await requireUser();
+  const cookieStore = await cookies();
+  const supabase = createServerClient(cookieStore);
+  const { data: profile } = await supabase
+    .from('profiles')
+    .select('*')
+    .eq('id', user.id)
+    .single();
+  return { user, profile };
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/shared/types.ts

@@ -0,0 +1,29 @@
+// --- ASA GENERATED START ---
+// Auth types for auth-basic module.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export type User = {
+  id: string;
+  email: string;
+  created_at: string;
+  updated_at: string;
+};
+
+export type Session = {
+  access_token: string;
+  refresh_token: string;
+  user: User;
+  expires_at: number;
+};
+
+export type Profile = {
+  id: string;
+  display_name: string | null;
+  role: 'user' | 'admin';
+  created_at: string;
+  updated_at: string;
+};
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/login/handler.ts

@@ -0,0 +1,50 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { createServerClient } from '@/shared/db/supabase-client';
+import { loginInputSchema } from './schemas';
+import type { LoginOutput } from './schemas';
+
+// --- ASA GENERATED START ---
+// Route handler for auth/login slice.
+// Uses Supabase Auth signInWithPassword — creates SSR cookie-based session.
+// Security: server-side validation, no client trust.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function POST(request: NextRequest): Promise<NextResponse<LoginOutput>> {
+  try {
+    const body = await request.json();
+    const parsed = loginInputSchema.safeParse(body);
+
+    if (!parsed.success) {
+      return NextResponse.json(
+        { success: false, error: parsed.error.errors[0]?.message ?? 'Invalid input' },
+        { status: 400 },
+      );
+    }
+
+    const { email, password } = parsed.data;
+    const supabase = createServerClient();
+
+    const { error } = await supabase.auth.signInWithPassword({
+      email,
+      password,
+    });
+
+    if (error) {
+      return NextResponse.json(
+        { success: false, error: 'Invalid email or password' },
+        { status: 401 },
+      );
+    }
+
+    return NextResponse.json({ success: true, error: null });
+  } catch {
+    return NextResponse.json(
+      { success: false, error: 'Login failed. Please try again.' },
+      { status: 500 },
+    );
+  }
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/login/repository.ts

@@ -0,0 +1,23 @@
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Repository for auth/login slice.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function getProfileByUserId(userId: string) {
+  const supabase = createServerClient();
+  const { data, error } = await supabase
+    .from('profiles')
+    .select('*')
+    .eq('id', userId)
+    .single();
+
+  if (error) {
+    return null;
+  }
+  return data;
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/login/schemas.ts

@@ -0,0 +1,22 @@
+import { z } from 'zod';
+
+// --- ASA GENERATED START ---
+// Validation schemas for auth/login slice.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export const loginInputSchema = z.object({
+  email: z.string().email('Please enter a valid email address'),
+  password: z.string().min(1, 'Password is required'),
+});
+
+export const loginOutputSchema = z.object({
+  success: z.boolean(),
+  error: z.string().nullable(),
+});
+
+export type LoginInput = z.infer<typeof loginInputSchema>;
+export type LoginOutput = z.infer<typeof loginOutputSchema>;
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/login/slice.contract.json

@@ -0,0 +1,19 @@
+{
+  "domain": "auth",
+  "slice": "login",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "User login with email and password. Creates SSR cookie-based session.",
+  "input": {
+    "email": "string",
+    "password": "string"
+  },
+  "output": {
+    "success": "boolean",
+    "error": "string | null"
+  },
+  "side_effects": [
+    "Creates Supabase Auth session (cookie-based)"
+  ]
+}

package/dist/foundation/auth_basic/slices/login/ui/AuthLogin.tsx

@@ -0,0 +1,107 @@
+'use client';
+
+import { useState } from 'react';
+import Link from 'next/link';
+import { useRouter, useSearchParams } from 'next/navigation';
+import { useLogin } from './hook';
+
+// --- ASA GENERATED START ---
+// UI component for auth/login slice.
+// Uses shadcn/ui-compatible styling with Tailwind CSS.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export default function AuthLogin() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const justRegistered = searchParams.get('registered') === 'true';
+  const { login, loading, error } = useLogin();
+  const [form, setForm] = useState({ email: '', password: '' });
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    const result = await login(form);
+    if (result.success) {
+      router.push('/');
+      router.refresh();
+    }
+  }
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-neutral-50 px-4">
+      <div className="w-full max-w-md rounded-xl border border-neutral-200 bg-white p-8 shadow-sm">
+        <h1 className="text-2xl font-bold text-neutral-900">Sign in</h1>
+        <p className="mt-2 text-sm text-neutral-500">
+          Don&apos;t have an account?{' '}
+          <Link href="/auth/register" className="font-medium text-neutral-900 underline underline-offset-4">
+            Create one
+          </Link>
+        </p>
+
+        {justRegistered && (
+          <div className="mt-4 rounded-lg border border-green-200 bg-green-50 px-4 py-3 text-sm text-green-700">
+            Account created. Check your email for a confirmation link, then sign in.
+          </div>
+        )}
+
+        <form onSubmit={handleSubmit} className="mt-8 space-y-4">
+          <div>
+            <label htmlFor="email" className="block text-sm font-medium text-neutral-700">
+              Email
+            </label>
+            <input
+              id="email"
+              type="email"
+              required
+              autoComplete="email"
+              value={form.email}
+              onChange={(e) => setForm((f) => ({ ...f, email: e.target.value }))}
+              className="mt-1 block w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm shadow-sm placeholder:text-neutral-400 focus:border-neutral-500 focus:outline-none focus:ring-1 focus:ring-neutral-500"
+              placeholder="jane@example.com"
+            />
+          </div>
+
+          <div>
+            <div className="flex items-center justify-between">
+              <label htmlFor="password" className="block text-sm font-medium text-neutral-700">
+                Password
+              </label>
+              <Link
+                href="/auth/reset-password"
+                className="text-xs text-neutral-500 hover:text-neutral-700"
+              >
+                Forgot password?
+              </Link>
+            </div>
+            <input
+              id="password"
+              type="password"
+              required
+              autoComplete="current-password"
+              value={form.password}
+              onChange={(e) => setForm((f) => ({ ...f, password: e.target.value }))}
+              className="mt-1 block w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm shadow-sm placeholder:text-neutral-400 focus:border-neutral-500 focus:outline-none focus:ring-1 focus:ring-neutral-500"
+            />
+          </div>
+
+          {error && (
+            <div className="rounded-lg border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700">
+              {error}
+            </div>
+          )}
+
+          <button
+            type="submit"
+            disabled={loading}
+            className="w-full rounded-lg bg-neutral-900 px-4 py-2.5 text-sm font-medium text-white shadow-sm hover:bg-neutral-800 focus:outline-none focus:ring-2 focus:ring-neutral-500 focus:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50"
+          >
+            {loading ? 'Signing in...' : 'Sign in'}
+          </button>
+        </form>
+      </div>
+    </div>
+  );
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/login/ui/hook.ts

@@ -0,0 +1,44 @@
+import { useState } from 'react';
+import type { LoginInput, LoginOutput } from '../schemas';
+
+// --- ASA GENERATED START ---
+// React hook for auth/login slice.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export function useLogin() {
+  const [loading, setLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  async function login(input: LoginInput): Promise<LoginOutput> {
+    setLoading(true);
+    setError(null);
+
+    try {
+      const res = await fetch('/api/auth/login', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(input),
+      });
+
+      const data: LoginOutput = await res.json();
+
+      if (!data.success) {
+        setError(data.error);
+      }
+
+      return data;
+    } catch {
+      const output: LoginOutput = { success: false, error: 'Network error. Please try again.' };
+      setError(output.error);
+      return output;
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  return { login, loading, error };
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/logout/handler.ts

@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { createServerClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Route handler for auth/logout slice.
+// Invalidates Supabase Auth session and redirects to login page.
+// No UI — logout is triggered from existing UI (e.g., header dropdown button).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  const supabase = createServerClient();
+  await supabase.auth.signOut();
+
+  return NextResponse.json({ success: true });
+}
+
+// --- USER CODE END ---

package/dist/foundation/auth_basic/slices/logout/slice.contract.json

@@ -0,0 +1,16 @@
+{
+  "domain": "auth",
+  "slice": "logout",
+  "type": "route",
+  "has_ui": false,
+  "has_repository": false,
+  "description": "User logout. Invalidates Supabase Auth session and redirects to login.",
+  "input": {},
+  "output": {
+    "success": "boolean"
+  },
+  "side_effects": [
+    "Invalidates Supabase Auth session",
+    "Clears session cookies"
+  ]
+}