@vibecodiq/cli 0.5.0 → 0.5.1

package/dist/foundation/admin_basic/shared/roles.ts

@@ -0,0 +1,151 @@
+import { createAdminClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// RBAC engine — canonical built-in roles with permission-based guards.
+// Roles: owner, admin, support (defined in 004_user_roles.sql).
+// JWT claims populated via Supabase Custom Access Token Hook.
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export const BUILTIN_ROLES = ['owner', 'admin', 'support'] as const;
+export type BuiltinRole = typeof BUILTIN_ROLES[number];
+
+/**
+ * Get all roles assigned to a user.
+ */
+export async function getUserRoles(userId: string): Promise<string[]> {
+  const supabase = createAdminClient();
+  const { data } = await supabase
+    .from('user_roles')
+    .select('role_id')
+    .eq('user_id', userId);
+
+  return data?.map((r) => r.role_id) ?? [];
+}
+
+/**
+ * Get all permissions for a user (resolved through their roles).
+ */
+export async function getUserPermissions(userId: string): Promise<string[]> {
+  const supabase = createAdminClient();
+
+  const { data } = await supabase
+    .from('user_roles')
+    .select('role_id, role:roles!inner(id), permissions:role_permissions!inner(permission_id)')
+    .eq('user_id', userId);
+
+  if (!data) return [];
+
+  const permissions = new Set<string>();
+  for (const entry of data) {
+    const perms = entry.permissions as unknown as { permission_id: string }[];
+    if (Array.isArray(perms)) {
+      for (const p of perms) {
+        permissions.add(p.permission_id);
+      }
+    }
+  }
+
+  return Array.from(permissions);
+}
+
+/**
+ * Check if a user has a specific permission.
+ */
+export async function hasPermission(userId: string, permission: string): Promise<boolean> {
+  const permissions = await getUserPermissions(userId);
+  return permissions.includes(permission);
+}
+
+/**
+ * Assign a role to a user.
+ * Requires the assigner to have ROLES_ASSIGN permission.
+ */
+export async function assignRole(
+  userId: string,
+  roleId: string,
+  assignedBy: string,
+): Promise<{ success: boolean; error?: string }> {
+  const supabase = createAdminClient();
+
+  // Validate role exists
+  const { data: role } = await supabase
+    .from('roles')
+    .select('id')
+    .eq('id', roleId)
+    .single();
+
+  if (!role) {
+    return { success: false, error: `Role '${roleId}' does not exist` };
+  }
+
+  const { error } = await supabase
+    .from('user_roles')
+    .upsert(
+      { user_id: userId, role_id: roleId, assigned_by: assignedBy },
+      { onConflict: 'user_id,role_id' },
+    );
+
+  if (error) {
+    return { success: false, error: error.message };
+  }
+
+  return { success: true };
+}
+
+/**
+ * Remove a role from a user.
+ */
+export async function removeRole(
+  userId: string,
+  roleId: string,
+): Promise<{ success: boolean; error?: string }> {
+  const supabase = createAdminClient();
+
+  const { error } = await supabase
+    .from('user_roles')
+    .delete()
+    .eq('user_id', userId)
+    .eq('role_id', roleId);
+
+  if (error) {
+    return { success: false, error: error.message };
+  }
+
+  return { success: true };
+}
+
+/**
+ * Supabase Custom Access Token Hook handler.
+ * Add this as a Postgres function + hook in Supabase Dashboard.
+ *
+ * SQL for the hook function:
+ * ```sql
+ * CREATE OR REPLACE FUNCTION public.custom_access_token_hook(event JSONB)
+ * RETURNS JSONB LANGUAGE plpgsql AS $$
+ * DECLARE
+ *   claims JSONB;
+ *   user_roles TEXT[];
+ *   user_perms TEXT[];
+ * BEGIN
+ *   SELECT ARRAY_AGG(ur.role_id) INTO user_roles
+ *   FROM public.user_roles ur WHERE ur.user_id = (event->>'user_id')::UUID;
+ *
+ *   SELECT ARRAY_AGG(DISTINCT rp.permission_id) INTO user_perms
+ *   FROM public.user_roles ur
+ *   JOIN public.role_permissions rp ON rp.role_id = ur.role_id
+ *   WHERE ur.user_id = (event->>'user_id')::UUID;
+ *
+ *   claims := event->'claims';
+ *   claims := jsonb_set(claims, '{user_roles}', COALESCE(to_jsonb(user_roles), '[]'));
+ *   claims := jsonb_set(claims, '{user_permissions}', COALESCE(to_jsonb(user_perms), '[]'));
+ *
+ *   event := jsonb_set(event, '{claims}', claims);
+ *   RETURN event;
+ * END;
+ * $$;
+ * ```
+ */
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/audit_log/handler.ts

@@ -0,0 +1,34 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requirePermission } from '@/shared/admin/guards';
+import { PERMISSIONS } from '@/shared/admin/permissions';
+import { queryAuditLog } from '@/shared/admin/audit';
+
+// --- ASA GENERATED START ---
+// Route handler for admin/audit-log slice.
+// Filterable, paginated audit log viewer.
+// Security: requires admin.audit.view permission (server-side).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const { response } = await requirePermission(request, PERMISSIONS.AUDIT_VIEW);
+  if (response) return response;
+
+  const url = new URL(request.url);
+
+  const result = await queryAuditLog({
+    actor_id: url.searchParams.get('actor_id') ?? undefined,
+    subject_id: url.searchParams.get('subject_id') ?? undefined,
+    action: url.searchParams.get('action') ?? undefined,
+    resource_type: url.searchParams.get('resource_type') ?? undefined,
+    from_date: url.searchParams.get('from') ?? undefined,
+    to_date: url.searchParams.get('to') ?? undefined,
+    limit: parseInt(url.searchParams.get('limit') ?? '50'),
+    offset: parseInt(url.searchParams.get('offset') ?? '0'),
+  });
+
+  return NextResponse.json(result);
+}
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/audit_log/slice.contract.json

@@ -0,0 +1,19 @@
+{
+  "domain": "admin",
+  "slice": "audit-log",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Audit log viewer — filterable, paginated, immutable log of all admin actions.",
+  "input": {
+    "actor_id": "string (optional)",
+    "action": "string (optional)",
+    "from_date": "string (optional)",
+    "to_date": "string (optional)"
+  },
+  "output": {
+    "entries": "array",
+    "total": "number"
+  },
+  "side_effects": []
+}

package/dist/foundation/admin_basic/slices/dashboard/handler.ts

@@ -0,0 +1,51 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requirePermission } from '@/shared/admin/guards';
+import { PERMISSIONS } from '@/shared/admin/permissions';
+import { createAdminClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Route handler for admin/dashboard slice.
+// Returns overview stats for admin dashboard.
+// Security: requires admin.access permission (server-side).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const { response } = await requirePermission(request, PERMISSIONS.ADMIN_ACCESS);
+  if (response) return response;
+
+  const supabase = createAdminClient();
+
+  // Parallel queries for dashboard stats
+  const [usersResult, subsResult, recentActivityResult] = await Promise.all([
+    supabase.from('profiles').select('id', { count: 'exact', head: true }),
+    supabase.from('subscriptions').select('plan, status'),
+    supabase
+      .from('audit_log')
+      .select('action, actor_email, created_at')
+      .order('created_at', { ascending: false })
+      .limit(10),
+  ]);
+
+  const totalUsers = usersResult.count ?? 0;
+  const subscriptions = subsResult.data ?? [];
+
+  const planCounts: Record<string, number> = {};
+  const statusCounts: Record<string, number> = {};
+  for (const sub of subscriptions) {
+    planCounts[sub.plan] = (planCounts[sub.plan] ?? 0) + 1;
+    statusCounts[sub.status] = (statusCounts[sub.status] ?? 0) + 1;
+  }
+
+  return NextResponse.json({
+    stats: {
+      total_users: totalUsers,
+      plans: planCounts,
+      statuses: statusCounts,
+    },
+    recent_activity: recentActivityResult.data ?? [],
+  });
+}
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/dashboard/slice.contract.json

@@ -0,0 +1,13 @@
+{
+  "domain": "admin",
+  "slice": "dashboard",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Admin dashboard — overview stats (users, subscriptions, recent activity).",
+  "input": {},
+  "output": {
+    "stats": "object"
+  },
+  "side_effects": []
+}

package/dist/foundation/admin_basic/slices/impersonation/handler.ts

@@ -0,0 +1,61 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requirePermission } from '@/shared/admin/guards';
+import { PERMISSIONS } from '@/shared/admin/permissions';
+import { startImpersonation, stopImpersonation, getActiveImpersonation } from '@/shared/admin/impersonation';
+import { requireAuth } from '@/shared/auth/guards';
+
+// --- ASA GENERATED START ---
+// Route handler for admin/impersonation slice.
+// POST: start impersonation, DELETE: stop, GET: check active session.
+// Security: requires admin.impersonate permission (server-side).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  const { user, response } = await requirePermission(request, PERMISSIONS.IMPERSONATE);
+  if (response) return response;
+
+  const body = await request.json();
+  const { subject_user_id, reason } = body;
+
+  if (!subject_user_id || !reason) {
+    return NextResponse.json(
+      { success: false, error: 'subject_user_id and reason are required' },
+      { status: 400 },
+    );
+  }
+
+  const result = await startImpersonation(
+    user!.id,
+    user!.email,
+    subject_user_id,
+    reason,
+  );
+
+  if (result.error) {
+    return NextResponse.json({ success: false, error: result.error }, { status: 400 });
+  }
+
+  return NextResponse.json({ success: true, session: result.session });
+}
+
+export async function DELETE(request: NextRequest): Promise<NextResponse> {
+  const { user, response } = await requireAuth(request);
+  if (response) return response;
+
+  const result = await stopImpersonation(user!.id, user!.email);
+
+  if (result.error) {
+    return NextResponse.json({ success: false, error: result.error }, { status: 400 });
+  }
+
+  return NextResponse.json({ success: true });
+}
+
+export async function GET(): Promise<NextResponse> {
+  const session = await getActiveImpersonation();
+  return NextResponse.json({ active: !!session, session });
+}
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/impersonation/slice.contract.json

@@ -0,0 +1,21 @@
+{
+  "domain": "admin",
+  "slice": "impersonation",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Safe impersonation — start/stop impersonation with reason, TTL, and full audit chain.",
+  "input": {
+    "subject_user_id": "string",
+    "reason": "string"
+  },
+  "output": {
+    "success": "boolean",
+    "error": "string | null"
+  },
+  "side_effects": [
+    "Creates impersonation_sessions record",
+    "Sets HttpOnly cookie",
+    "Logs to audit_log"
+  ]
+}

package/dist/foundation/admin_basic/slices/roles/handler.ts

@@ -0,0 +1,90 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requirePermission } from '@/shared/admin/guards';
+import { PERMISSIONS } from '@/shared/admin/permissions';
+import { assignRole, removeRole, getUserRoles } from '@/shared/admin/roles';
+import { logAuditEvent } from '@/shared/admin/audit';
+
+// --- ASA GENERATED START ---
+// Route handler for admin/roles slice.
+// GET: list user roles, POST: assign role, DELETE: remove role.
+// Security: requires admin.roles.assign permission (server-side).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const { response } = await requirePermission(request, PERMISSIONS.ROLES_ASSIGN);
+  if (response) return response;
+
+  const url = new URL(request.url);
+  const userId = url.searchParams.get('user_id');
+
+  if (!userId) {
+    return NextResponse.json({ error: 'user_id is required' }, { status: 400 });
+  }
+
+  const roles = await getUserRoles(userId);
+  return NextResponse.json({ user_id: userId, roles });
+}
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  const { user, response } = await requirePermission(request, PERMISSIONS.ROLES_ASSIGN);
+  if (response) return response;
+
+  const body = await request.json();
+  const { user_id, role_id } = body;
+
+  if (!user_id || !role_id) {
+    return NextResponse.json(
+      { success: false, error: 'user_id and role_id are required' },
+      { status: 400 },
+    );
+  }
+
+  const result = await assignRole(user_id, role_id, user!.id);
+
+  if (result.success) {
+    await logAuditEvent({
+      actor_id: user!.id,
+      actor_email: user!.email,
+      subject_id: user_id,
+      action: 'role.assign',
+      resource_type: 'role',
+      resource_id: role_id,
+    });
+  }
+
+  return NextResponse.json(result, { status: result.success ? 200 : 400 });
+}
+
+export async function DELETE(request: NextRequest): Promise<NextResponse> {
+  const { user, response } = await requirePermission(request, PERMISSIONS.ROLES_ASSIGN);
+  if (response) return response;
+
+  const body = await request.json();
+  const { user_id, role_id } = body;
+
+  if (!user_id || !role_id) {
+    return NextResponse.json(
+      { success: false, error: 'user_id and role_id are required' },
+      { status: 400 },
+    );
+  }
+
+  const result = await removeRole(user_id, role_id);
+
+  if (result.success) {
+    await logAuditEvent({
+      actor_id: user!.id,
+      actor_email: user!.email,
+      subject_id: user_id,
+      action: 'role.remove',
+      resource_type: 'role',
+      resource_id: role_id,
+    });
+  }
+
+  return NextResponse.json(result, { status: result.success ? 200 : 400 });
+}
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/roles/slice.contract.json

@@ -0,0 +1,21 @@
+{
+  "domain": "admin",
+  "slice": "roles",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Role management — assign/remove roles for users. Requires admin.roles.assign permission.",
+  "input": {
+    "user_id": "string",
+    "role_id": "string",
+    "action": "assign | remove"
+  },
+  "output": {
+    "success": "boolean",
+    "error": "string | null"
+  },
+  "side_effects": [
+    "Modifies user_roles table",
+    "Logs to audit_log"
+  ]
+}

package/dist/foundation/admin_basic/slices/users/handler.ts

@@ -0,0 +1,48 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { requirePermission } from '@/shared/admin/guards';
+import { PERMISSIONS } from '@/shared/admin/permissions';
+import { createAdminClient } from '@/shared/db/supabase-client';
+
+// --- ASA GENERATED START ---
+// Route handler for admin/users slice.
+// Lists users with their profiles and roles.
+// Security: requires admin.users.list permission (server-side).
+// --- ASA GENERATED END ---
+
+// --- USER CODE START ---
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const { user, response } = await requirePermission(request, PERMISSIONS.USERS_LIST);
+  if (response) return response;
+
+  const supabase = createAdminClient();
+  const url = new URL(request.url);
+  const page = parseInt(url.searchParams.get('page') ?? '1');
+  const limit = Math.min(parseInt(url.searchParams.get('limit') ?? '50'), 100);
+  const search = url.searchParams.get('search') ?? '';
+
+  let query = supabase
+    .from('profiles')
+    .select('id, display_name, role, created_at, updated_at', { count: 'exact' })
+    .order('created_at', { ascending: false })
+    .range((page - 1) * limit, page * limit - 1);
+
+  if (search) {
+    query = query.or(`display_name.ilike.%${search}%`);
+  }
+
+  const { data: profiles, count, error } = await query;
+
+  if (error) {
+    return NextResponse.json({ error: 'Failed to fetch users' }, { status: 500 });
+  }
+
+  return NextResponse.json({
+    users: profiles ?? [],
+    total: count ?? 0,
+    page,
+    limit,
+  });
+}
+
+// --- USER CODE END ---

package/dist/foundation/admin_basic/slices/users/slice.contract.json

@@ -0,0 +1,15 @@
+{
+  "domain": "admin",
+  "slice": "users",
+  "type": "route",
+  "has_ui": true,
+  "has_repository": true,
+  "description": "Admin user management — list, view, edit users. Requires admin.users.list permission.",
+  "input": {},
+  "output": {
+    "users": "array"
+  },
+  "side_effects": [
+    "All admin actions are audit-logged"
+  ]
+}

package/dist/foundation/auth_basic/manifest.json

@@ -0,0 +1,32 @@
+{
+  "name": "auth-basic",
+  "version": "1.0.0",
+  "description": "Basic authentication for SaaS apps — Supabase Auth with SSR sessions",
+  "min_cli_version": "2.0.0",
+  "stack": "asa-native-v1",
+  "dependencies": ["db-basic"],
+  "package_dependencies": {},
+  "package_dev_dependencies": {},
+  "slices": [
+    { "domain": "auth", "name": "register", "type": "route", "has_ui": true, "has_repository": true },
+    { "domain": "auth", "name": "login", "type": "route", "has_ui": true, "has_repository": true },
+    { "domain": "auth", "name": "logout", "type": "route", "has_ui": false, "has_repository": false },
+    { "domain": "auth", "name": "reset-password", "type": "route", "has_ui": true, "has_repository": true }
+  ],
+  "shared": [
+    { "src": "shared/middleware.ts", "dest": "shared/auth/middleware.ts", "overwrite": false },
+    { "src": "shared/session.ts", "dest": "shared/auth/session.ts", "overwrite": false },
+    { "src": "shared/guards.ts", "dest": "shared/auth/guards.ts", "overwrite": false },
+    { "src": "shared/server-user.ts", "dest": "shared/auth/server-user.ts", "overwrite": false },
+    { "src": "shared/hooks.ts", "dest": "shared/auth/hooks.ts", "overwrite": false },
+    { "src": "shared/types.ts", "dest": "shared/auth/types.ts", "overwrite": false }
+  ],
+  "migrations": [
+    { "src": "migrations/001_create_profiles.sql", "dest": "shared/db/migrations/001_create_profiles.sql" }
+  ],
+  "env_vars": [],
+  "post_install_notes": [
+    "Enable Email/Password provider in Supabase Dashboard → Authentication → Providers",
+    "Run migration: Apply shared/db/migrations/001_create_profiles.sql in Supabase SQL Editor"
+  ]
+}

package/dist/foundation/auth_basic/migrations/001_create_profiles.sql

@@ -0,0 +1,36 @@
+-- ASA Module: auth-basic
+-- Migration: 001_create_profiles
+-- Creates profiles table extending Supabase auth.users
+
+create table if not exists profiles (
+  id uuid references auth.users(id) on delete cascade primary key,
+  display_name text,
+  role text not null default 'user',
+  created_at timestamptz default now(),
+  updated_at timestamptz default now()
+);
+
+-- RLS policies
+alter table profiles enable row level security;
+
+create policy "Users can view own profile"
+  on profiles for select
+  using (auth.uid() = id);
+
+create policy "Users can update own profile"
+  on profiles for update
+  using (auth.uid() = id);
+
+-- Trigger: auto-create profile on user signup
+create or replace function handle_new_user()
+returns trigger as $$
+begin
+  insert into public.profiles (id, display_name)
+  values (new.id, new.raw_user_meta_data->>'display_name');
+  return new;
+end;
+$$ language plpgsql security definer;
+
+create or replace trigger on_auth_user_created
+  after insert on auth.users
+  for each row execute function handle_new_user();