aios-core 4.2.14 → 4.3.0

package/.aios-core/product/templates/tmpl-migration-script.sql

@@ -1,91 +1,91 @@
--- Migration Script Template
--- Migration: :migration_name
--- Created: :created_date
--- Author: :author
--- Description: :description
---
--- IMPORTANT: Run in transaction, test with dry-run first
--- ROLLBACK: See tmpl-rollback-script.sql for corresponding rollback
-
-BEGIN;
-
--- =============================================================================
--- PRE-MIGRATION CHECKS
--- =============================================================================
-
--- Verify prerequisites are met
-DO $$
-BEGIN
-    -- Add any precondition checks here
-    -- Example: ASSERT (SELECT EXISTS (SELECT 1 FROM :prerequisite_table));
-    RAISE NOTICE 'Pre-migration checks passed';
-END $$;
-
--- =============================================================================
--- SCHEMA CHANGES
--- =============================================================================
-
--- Create new table (if needed)
-CREATE TABLE IF NOT EXISTS :table_name (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    -- Add columns here
-    :column_name :column_type :constraints,
-
-    -- Standard audit columns
-    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
--- Add column to existing table (if needed)
--- ALTER TABLE :existing_table ADD COLUMN IF NOT EXISTS :new_column :column_type;
-
--- Create index (if needed)
--- CREATE INDEX IF NOT EXISTS idx_:table_:column ON :table_name (:column_name);
-
--- =============================================================================
--- DATA MIGRATION (if needed)
--- =============================================================================
-
--- Migrate data from old structure to new
--- INSERT INTO :new_table (col1, col2)
--- SELECT old_col1, old_col2 FROM :old_table;
-
--- =============================================================================
--- POST-MIGRATION SETUP
--- =============================================================================
-
--- Add updated_at trigger
-CREATE OR REPLACE FUNCTION update_updated_at_column()
-RETURNS TRIGGER AS $$
-BEGIN
-    NEW.updated_at = NOW();
-    RETURN NEW;
-END;
-$$ LANGUAGE plpgsql;
-
-DROP TRIGGER IF EXISTS trigger_update_:table_name_updated_at ON :table_name;
-CREATE TRIGGER trigger_update_:table_name_updated_at
-    BEFORE UPDATE ON :table_name
-    FOR EACH ROW
-    EXECUTE FUNCTION update_updated_at_column();
-
--- Add table comments
-COMMENT ON TABLE :table_name IS ':table_description';
-COMMENT ON COLUMN :table_name.:column_name IS ':column_description';
-
--- =============================================================================
--- VERIFICATION
--- =============================================================================
-
-DO $$
-BEGIN
-    -- Verify migration was successful
-    ASSERT (SELECT EXISTS (
-        SELECT 1 FROM information_schema.tables
-        WHERE table_name = ':table_name'
-    )), 'Table :table_name was not created';
-
-    RAISE NOTICE 'Migration completed successfully';
-END $$;
-
-COMMIT;
+-- Migration Script Template
+-- Migration: :migration_name
+-- Created: :created_date
+-- Author: :author
+-- Description: :description
+--
+-- IMPORTANT: Run in transaction, test with dry-run first
+-- ROLLBACK: See tmpl-rollback-script.sql for corresponding rollback
+
+BEGIN;
+
+-- =============================================================================
+-- PRE-MIGRATION CHECKS
+-- =============================================================================
+
+-- Verify prerequisites are met
+DO $$
+BEGIN
+    -- Add any precondition checks here
+    -- Example: ASSERT (SELECT EXISTS (SELECT 1 FROM :prerequisite_table));
+    RAISE NOTICE 'Pre-migration checks passed';
+END $$;
+
+-- =============================================================================
+-- SCHEMA CHANGES
+-- =============================================================================
+
+-- Create new table (if needed)
+CREATE TABLE IF NOT EXISTS :table_name (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    -- Add columns here
+    :column_name :column_type :constraints,
+
+    -- Standard audit columns
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Add column to existing table (if needed)
+-- ALTER TABLE :existing_table ADD COLUMN IF NOT EXISTS :new_column :column_type;
+
+-- Create index (if needed)
+-- CREATE INDEX IF NOT EXISTS idx_:table_:column ON :table_name (:column_name);
+
+-- =============================================================================
+-- DATA MIGRATION (if needed)
+-- =============================================================================
+
+-- Migrate data from old structure to new
+-- INSERT INTO :new_table (col1, col2)
+-- SELECT old_col1, old_col2 FROM :old_table;
+
+-- =============================================================================
+-- POST-MIGRATION SETUP
+-- =============================================================================
+
+-- Add updated_at trigger
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = NOW();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS trigger_update_:table_name_updated_at ON :table_name;
+CREATE TRIGGER trigger_update_:table_name_updated_at
+    BEFORE UPDATE ON :table_name
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at_column();
+
+-- Add table comments
+COMMENT ON TABLE :table_name IS ':table_description';
+COMMENT ON COLUMN :table_name.:column_name IS ':column_description';
+
+-- =============================================================================
+-- VERIFICATION
+-- =============================================================================
+
+DO $$
+BEGIN
+    -- Verify migration was successful
+    ASSERT (SELECT EXISTS (
+        SELECT 1 FROM information_schema.tables
+        WHERE table_name = ':table_name'
+    )), 'Table :table_name was not created';
+
+    RAISE NOTICE 'Migration completed successfully';
+END $$;
+
+COMMIT;

package/.aios-core/product/templates/tmpl-rls-granular-policies.sql

@@ -1,104 +1,104 @@
--- Granular RLS Policies Template
--- Table: :table_name
--- Security Model: Granular (separate policies per operation)
--- Created: :created_date
---
--- This template creates separate policies for SELECT, INSERT, UPDATE, DELETE
--- Useful when different users have different permissions per operation
-
--- Enable RLS on table
-ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
-
--- Force RLS for table owner too (recommended for security)
-ALTER TABLE :table_name FORCE ROW LEVEL SECURITY;
-
--- =============================================================================
--- SELECT POLICY - Who can read rows
--- =============================================================================
-DROP POLICY IF EXISTS ":table_name_select" ON :table_name;
-CREATE POLICY ":table_name_select"
-ON :table_name
-FOR SELECT
-TO authenticated
-USING (
-    -- Owner can read their own rows
-    auth.uid() = user_id
-    -- OR user has read permission via role
-    OR EXISTS (
-        SELECT 1 FROM user_roles
-        WHERE user_id = auth.uid()
-        AND role IN ('admin', 'reader')
-    )
-);
-
--- =============================================================================
--- INSERT POLICY - Who can create rows
--- =============================================================================
-DROP POLICY IF EXISTS ":table_name_insert" ON :table_name;
-CREATE POLICY ":table_name_insert"
-ON :table_name
-FOR INSERT
-TO authenticated
-WITH CHECK (
-    -- User can only insert rows they will own
-    auth.uid() = user_id
-    -- OR user has creator permission
-    OR EXISTS (
-        SELECT 1 FROM user_roles
-        WHERE user_id = auth.uid()
-        AND role IN ('admin', 'creator')
-    )
-);
-
--- =============================================================================
--- UPDATE POLICY - Who can modify rows
--- =============================================================================
-DROP POLICY IF EXISTS ":table_name_update" ON :table_name;
-CREATE POLICY ":table_name_update"
-ON :table_name
-FOR UPDATE
-TO authenticated
-USING (
-    -- Can only see rows to update if owner
-    auth.uid() = user_id
-    OR EXISTS (
-        SELECT 1 FROM user_roles
-        WHERE user_id = auth.uid()
-        AND role IN ('admin', 'editor')
-    )
-)
-WITH CHECK (
-    -- Can only update to valid state
-    auth.uid() = user_id
-    OR EXISTS (
-        SELECT 1 FROM user_roles
-        WHERE user_id = auth.uid()
-        AND role IN ('admin', 'editor')
-    )
-);
-
--- =============================================================================
--- DELETE POLICY - Who can delete rows
--- =============================================================================
-DROP POLICY IF EXISTS ":table_name_delete" ON :table_name;
-CREATE POLICY ":table_name_delete"
-ON :table_name
-FOR DELETE
-TO authenticated
-USING (
-    -- Only owner or admin can delete
-    auth.uid() = user_id
-    OR EXISTS (
-        SELECT 1 FROM user_roles
-        WHERE user_id = auth.uid()
-        AND role = 'admin'
-    )
-);
-
--- =============================================================================
--- VERIFICATION
--- =============================================================================
--- Test these policies with:
--- SET LOCAL ROLE authenticated;
--- SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
--- SELECT * FROM :table_name; -- Should only return authorized rows
+-- Granular RLS Policies Template
+-- Table: :table_name
+-- Security Model: Granular (separate policies per operation)
+-- Created: :created_date
+--
+-- This template creates separate policies for SELECT, INSERT, UPDATE, DELETE
+-- Useful when different users have different permissions per operation
+
+-- Enable RLS on table
+ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
+
+-- Force RLS for table owner too (recommended for security)
+ALTER TABLE :table_name FORCE ROW LEVEL SECURITY;
+
+-- =============================================================================
+-- SELECT POLICY - Who can read rows
+-- =============================================================================
+DROP POLICY IF EXISTS ":table_name_select" ON :table_name;
+CREATE POLICY ":table_name_select"
+ON :table_name
+FOR SELECT
+TO authenticated
+USING (
+    -- Owner can read their own rows
+    auth.uid() = user_id
+    -- OR user has read permission via role
+    OR EXISTS (
+        SELECT 1 FROM user_roles
+        WHERE user_id = auth.uid()
+        AND role IN ('admin', 'reader')
+    )
+);
+
+-- =============================================================================
+-- INSERT POLICY - Who can create rows
+-- =============================================================================
+DROP POLICY IF EXISTS ":table_name_insert" ON :table_name;
+CREATE POLICY ":table_name_insert"
+ON :table_name
+FOR INSERT
+TO authenticated
+WITH CHECK (
+    -- User can only insert rows they will own
+    auth.uid() = user_id
+    -- OR user has creator permission
+    OR EXISTS (
+        SELECT 1 FROM user_roles
+        WHERE user_id = auth.uid()
+        AND role IN ('admin', 'creator')
+    )
+);
+
+-- =============================================================================
+-- UPDATE POLICY - Who can modify rows
+-- =============================================================================
+DROP POLICY IF EXISTS ":table_name_update" ON :table_name;
+CREATE POLICY ":table_name_update"
+ON :table_name
+FOR UPDATE
+TO authenticated
+USING (
+    -- Can only see rows to update if owner
+    auth.uid() = user_id
+    OR EXISTS (
+        SELECT 1 FROM user_roles
+        WHERE user_id = auth.uid()
+        AND role IN ('admin', 'editor')
+    )
+)
+WITH CHECK (
+    -- Can only update to valid state
+    auth.uid() = user_id
+    OR EXISTS (
+        SELECT 1 FROM user_roles
+        WHERE user_id = auth.uid()
+        AND role IN ('admin', 'editor')
+    )
+);
+
+-- =============================================================================
+-- DELETE POLICY - Who can delete rows
+-- =============================================================================
+DROP POLICY IF EXISTS ":table_name_delete" ON :table_name;
+CREATE POLICY ":table_name_delete"
+ON :table_name
+FOR DELETE
+TO authenticated
+USING (
+    -- Only owner or admin can delete
+    auth.uid() = user_id
+    OR EXISTS (
+        SELECT 1 FROM user_roles
+        WHERE user_id = auth.uid()
+        AND role = 'admin'
+    )
+);
+
+-- =============================================================================
+-- VERIFICATION
+-- =============================================================================
+-- Test these policies with:
+-- SET LOCAL ROLE authenticated;
+-- SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
+-- SELECT * FROM :table_name; -- Should only return authorized rows

package/.aios-core/product/templates/tmpl-rls-kiss-policy.sql

@@ -1,10 +1,10 @@
--- KISS single FOR ALL policy template (owner-only by column user_id)
-ALTER TABLE :table ENABLE ROW LEVEL SECURITY;
-
-DROP POLICY IF EXISTS ":table_kiss_all" ON :table;
-CREATE POLICY ":table_kiss_all"
-ON :table
-FOR ALL
-TO authenticated
-USING (auth.uid() = user_id)
-WITH CHECK (auth.uid() = user_id);
+-- KISS single FOR ALL policy template (owner-only by column user_id)
+ALTER TABLE :table ENABLE ROW LEVEL SECURITY;
+
+DROP POLICY IF EXISTS ":table_kiss_all" ON :table;
+CREATE POLICY ":table_kiss_all"
+ON :table
+FOR ALL
+TO authenticated
+USING (auth.uid() = user_id)
+WITH CHECK (auth.uid() = user_id);