aios-core 2.2.2 → 3.0.0

package/.aios-core/product/templates/tmpl-rls-roles.sql

@@ -1,135 +1,135 @@
--- RLS Roles Template
--- Role-Based Access Control (RBAC) foundation for RLS policies
--- Created: :created_date
---
--- This template sets up the foundation for role-based RLS policies
-
--- =============================================================================
--- ROLES TABLE
--- =============================================================================
-CREATE TABLE IF NOT EXISTS roles (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    name TEXT NOT NULL UNIQUE,
-    description TEXT,
-    permissions JSONB DEFAULT '[]'::JSONB,
-    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
--- Insert default roles
-INSERT INTO roles (name, description, permissions) VALUES
-    ('admin', 'Full system access', '["*"]'::JSONB),
-    ('editor', 'Can read and modify content', '["read", "write", "update"]'::JSONB),
-    ('viewer', 'Read-only access', '["read"]'::JSONB),
-    ('creator', 'Can create new content', '["read", "write"]'::JSONB)
-ON CONFLICT (name) DO NOTHING;
-
--- =============================================================================
--- USER ROLES TABLE (Many-to-Many)
--- =============================================================================
-CREATE TABLE IF NOT EXISTS user_roles (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
-    role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
-    granted_by UUID REFERENCES auth.users(id),
-    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-    expires_at TIMESTAMPTZ, -- NULL means never expires
-
-    UNIQUE(user_id, role_id)
-);
-
--- Index for fast role lookups
-CREATE INDEX IF NOT EXISTS idx_user_roles_user_id ON user_roles(user_id);
-CREATE INDEX IF NOT EXISTS idx_user_roles_role_id ON user_roles(role_id);
-
--- =============================================================================
--- HELPER FUNCTIONS FOR RLS
--- =============================================================================
-
--- Check if user has a specific role
-CREATE OR REPLACE FUNCTION has_role(role_name TEXT)
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND r.name = role_name
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
-
--- Check if user has any of the specified roles
-CREATE OR REPLACE FUNCTION has_any_role(role_names TEXT[])
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND r.name = ANY(role_names)
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
-
--- Check if user has a specific permission
-CREATE OR REPLACE FUNCTION has_permission(permission TEXT)
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND (
-            r.permissions @> '["*"]'::JSONB
-            OR r.permissions @> to_jsonb(permission)
-        )
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
-
--- =============================================================================
--- RLS ON ROLES TABLES
--- =============================================================================
-
--- Roles table: Admins can manage, everyone can read
-ALTER TABLE roles ENABLE ROW LEVEL SECURITY;
-
-CREATE POLICY "roles_select" ON roles
-FOR SELECT TO authenticated
-USING (true);
-
-CREATE POLICY "roles_admin" ON roles
-FOR ALL TO authenticated
-USING (has_role('admin'))
-WITH CHECK (has_role('admin'));
-
--- User roles: Users see their own, admins see all
-ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
-
-CREATE POLICY "user_roles_select" ON user_roles
-FOR SELECT TO authenticated
-USING (user_id = auth.uid() OR has_role('admin'));
-
-CREATE POLICY "user_roles_admin" ON user_roles
-FOR ALL TO authenticated
-USING (has_role('admin'))
-WITH CHECK (has_role('admin'));
-
--- =============================================================================
--- USAGE EXAMPLE IN OTHER POLICIES
--- =============================================================================
---
--- CREATE POLICY "my_table_select" ON my_table
--- FOR SELECT TO authenticated
--- USING (
---     user_id = auth.uid()
---     OR has_any_role(ARRAY['admin', 'viewer'])
--- );
---
+-- RLS Roles Template
+-- Role-Based Access Control (RBAC) foundation for RLS policies
+-- Created: :created_date
+--
+-- This template sets up the foundation for role-based RLS policies
+
+-- =============================================================================
+-- ROLES TABLE
+-- =============================================================================
+CREATE TABLE IF NOT EXISTS roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name TEXT NOT NULL UNIQUE,
+    description TEXT,
+    permissions JSONB DEFAULT '[]'::JSONB,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Insert default roles
+INSERT INTO roles (name, description, permissions) VALUES
+    ('admin', 'Full system access', '["*"]'::JSONB),
+    ('editor', 'Can read and modify content', '["read", "write", "update"]'::JSONB),
+    ('viewer', 'Read-only access', '["read"]'::JSONB),
+    ('creator', 'Can create new content', '["read", "write"]'::JSONB)
+ON CONFLICT (name) DO NOTHING;
+
+-- =============================================================================
+-- USER ROLES TABLE (Many-to-Many)
+-- =============================================================================
+CREATE TABLE IF NOT EXISTS user_roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+    role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+    granted_by UUID REFERENCES auth.users(id),
+    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at TIMESTAMPTZ, -- NULL means never expires
+
+    UNIQUE(user_id, role_id)
+);
+
+-- Index for fast role lookups
+CREATE INDEX IF NOT EXISTS idx_user_roles_user_id ON user_roles(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_role_id ON user_roles(role_id);
+
+-- =============================================================================
+-- HELPER FUNCTIONS FOR RLS
+-- =============================================================================
+
+-- Check if user has a specific role
+CREATE OR REPLACE FUNCTION has_role(role_name TEXT)
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND r.name = role_name
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+
+-- Check if user has any of the specified roles
+CREATE OR REPLACE FUNCTION has_any_role(role_names TEXT[])
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND r.name = ANY(role_names)
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+
+-- Check if user has a specific permission
+CREATE OR REPLACE FUNCTION has_permission(permission TEXT)
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND (
+            r.permissions @> '["*"]'::JSONB
+            OR r.permissions @> to_jsonb(permission)
+        )
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+
+-- =============================================================================
+-- RLS ON ROLES TABLES
+-- =============================================================================
+
+-- Roles table: Admins can manage, everyone can read
+ALTER TABLE roles ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "roles_select" ON roles
+FOR SELECT TO authenticated
+USING (true);
+
+CREATE POLICY "roles_admin" ON roles
+FOR ALL TO authenticated
+USING (has_role('admin'))
+WITH CHECK (has_role('admin'));
+
+-- User roles: Users see their own, admins see all
+ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "user_roles_select" ON user_roles
+FOR SELECT TO authenticated
+USING (user_id = auth.uid() OR has_role('admin'));
+
+CREATE POLICY "user_roles_admin" ON user_roles
+FOR ALL TO authenticated
+USING (has_role('admin'))
+WITH CHECK (has_role('admin'));
+
+-- =============================================================================
+-- USAGE EXAMPLE IN OTHER POLICIES
+-- =============================================================================
+--
+-- CREATE POLICY "my_table_select" ON my_table
+-- FOR SELECT TO authenticated
+-- USING (
+--     user_id = auth.uid()
+--     OR has_any_role(ARRAY['admin', 'viewer'])
+-- );
+--

package/.aios-core/product/templates/tmpl-rls-simple.sql

@@ -1,77 +1,77 @@
--- Simple RLS Policy Template
--- Table: :table_name
--- Security Model: Simple owner-based access
--- Created: :created_date
---
--- This template creates a simple RLS policy where users can only
--- access rows they own (based on user_id column)
-
--- Enable RLS on table
-ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
-
--- =============================================================================
--- SIMPLE OWNER-BASED POLICY
--- =============================================================================
-
--- Drop existing policies if re-running
-DROP POLICY IF EXISTS ":table_name_owner_policy" ON :table_name;
-
--- Single policy for all operations (SELECT, INSERT, UPDATE, DELETE)
--- Users can only access rows where user_id matches their auth.uid()
-CREATE POLICY ":table_name_owner_policy"
-ON :table_name
-FOR ALL
-TO authenticated
-USING (auth.uid() = user_id)
-WITH CHECK (auth.uid() = user_id);
-
--- =============================================================================
--- OPTIONAL: Allow service role to bypass RLS
--- =============================================================================
--- Note: This is enabled by default in Supabase
--- The service_role can access all rows regardless of RLS policies
--- Be careful with service_role key exposure
-
--- =============================================================================
--- OPTIONAL: Public read access (if needed)
--- =============================================================================
--- Uncomment if you want anonymous users to read data
---
--- DROP POLICY IF EXISTS ":table_name_public_read" ON :table_name;
--- CREATE POLICY ":table_name_public_read"
--- ON :table_name
--- FOR SELECT
--- TO anon
--- USING (is_public = true);
-
--- =============================================================================
--- VERIFICATION
--- =============================================================================
--- Test the policy:
---
--- 1. As authenticated user (should see only their rows):
---    SET LOCAL ROLE authenticated;
---    SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
---    SELECT * FROM :table_name;
---
--- 2. As service role (should see all rows):
---    SET LOCAL ROLE service_role;
---    SELECT * FROM :table_name;
---
--- 3. As anonymous (should see nothing unless public_read enabled):
---    SET LOCAL ROLE anon;
---    SELECT * FROM :table_name;
-
--- =============================================================================
--- TABLE REQUIREMENTS
--- =============================================================================
--- This template assumes :table_name has a user_id column:
---
--- CREATE TABLE :table_name (
---     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
---     user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
---     -- other columns...
---     created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
--- );
---
--- CREATE INDEX idx_:table_name_user_id ON :table_name(user_id);
+-- Simple RLS Policy Template
+-- Table: :table_name
+-- Security Model: Simple owner-based access
+-- Created: :created_date
+--
+-- This template creates a simple RLS policy where users can only
+-- access rows they own (based on user_id column)
+
+-- Enable RLS on table
+ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
+
+-- =============================================================================
+-- SIMPLE OWNER-BASED POLICY
+-- =============================================================================
+
+-- Drop existing policies if re-running
+DROP POLICY IF EXISTS ":table_name_owner_policy" ON :table_name;
+
+-- Single policy for all operations (SELECT, INSERT, UPDATE, DELETE)
+-- Users can only access rows where user_id matches their auth.uid()
+CREATE POLICY ":table_name_owner_policy"
+ON :table_name
+FOR ALL
+TO authenticated
+USING (auth.uid() = user_id)
+WITH CHECK (auth.uid() = user_id);
+
+-- =============================================================================
+-- OPTIONAL: Allow service role to bypass RLS
+-- =============================================================================
+-- Note: This is enabled by default in Supabase
+-- The service_role can access all rows regardless of RLS policies
+-- Be careful with service_role key exposure
+
+-- =============================================================================
+-- OPTIONAL: Public read access (if needed)
+-- =============================================================================
+-- Uncomment if you want anonymous users to read data
+--
+-- DROP POLICY IF EXISTS ":table_name_public_read" ON :table_name;
+-- CREATE POLICY ":table_name_public_read"
+-- ON :table_name
+-- FOR SELECT
+-- TO anon
+-- USING (is_public = true);
+
+-- =============================================================================
+-- VERIFICATION
+-- =============================================================================
+-- Test the policy:
+--
+-- 1. As authenticated user (should see only their rows):
+--    SET LOCAL ROLE authenticated;
+--    SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
+--    SELECT * FROM :table_name;
+--
+-- 2. As service role (should see all rows):
+--    SET LOCAL ROLE service_role;
+--    SELECT * FROM :table_name;
+--
+-- 3. As anonymous (should see nothing unless public_read enabled):
+--    SET LOCAL ROLE anon;
+--    SELECT * FROM :table_name;
+
+-- =============================================================================
+-- TABLE REQUIREMENTS
+-- =============================================================================
+-- This template assumes :table_name has a user_id column:
+--
+-- CREATE TABLE :table_name (
+--     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+--     user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+--     -- other columns...
+--     created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+-- );
+--
+-- CREATE INDEX idx_:table_name_user_id ON :table_name(user_id);