npm - aios-core - Versions diffs - 4.2.14 → 4.3.0 - Mend

aios-core 4.2.14 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/.aios-core/product/templates/tmpl-rls-roles.sql CHANGED Viewed

@@ -1,135 +1,135 @@
--- RLS Roles Template
--- Role-Based Access Control (RBAC) foundation for RLS policies
--- Created: :created_date
---
--- This template sets up the foundation for role-based RLS policies
--- =============================================================================
--- ROLES TABLE
--- =============================================================================
-CREATE TABLE IF NOT EXISTS roles (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    name TEXT NOT NULL UNIQUE,
-    description TEXT,
-    permissions JSONB DEFAULT '[]'::JSONB,
-    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
--- Insert default roles
-INSERT INTO roles (name, description, permissions) VALUES
-    ('admin', 'Full system access', '["*"]'::JSONB),
-    ('editor', 'Can read and modify content', '["read", "write", "update"]'::JSONB),
-    ('viewer', 'Read-only access', '["read"]'::JSONB),
-    ('creator', 'Can create new content', '["read", "write"]'::JSONB)
-ON CONFLICT (name) DO NOTHING;
--- =============================================================================
--- USER ROLES TABLE (Many-to-Many)
--- =============================================================================
-CREATE TABLE IF NOT EXISTS user_roles (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
-    role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
-    granted_by UUID REFERENCES auth.users(id),
-    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-    expires_at TIMESTAMPTZ, -- NULL means never expires
-    UNIQUE(user_id, role_id)
-);
--- Index for fast role lookups
-CREATE INDEX IF NOT EXISTS idx_user_roles_user_id ON user_roles(user_id);
-CREATE INDEX IF NOT EXISTS idx_user_roles_role_id ON user_roles(role_id);
--- =============================================================================
--- HELPER FUNCTIONS FOR RLS
--- =============================================================================
--- Check if user has a specific role
-CREATE OR REPLACE FUNCTION has_role(role_name TEXT)
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND r.name = role_name
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
--- Check if user has any of the specified roles
-CREATE OR REPLACE FUNCTION has_any_role(role_names TEXT[])
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND r.name = ANY(role_names)
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
--- Check if user has a specific permission
-CREATE OR REPLACE FUNCTION has_permission(permission TEXT)
-RETURNS BOOLEAN AS $$
-BEGIN
-    RETURN EXISTS (
-        SELECT 1
-        FROM user_roles ur
-        JOIN roles r ON ur.role_id = r.id
-        WHERE ur.user_id = auth.uid()
-        AND (
-            r.permissions @> '["*"]'::JSONB
-            OR r.permissions @> to_jsonb(permission)
-        )
-        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
-    );
-END;
-$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
--- =============================================================================
--- RLS ON ROLES TABLES
--- =============================================================================
--- Roles table: Admins can manage, everyone can read
-ALTER TABLE roles ENABLE ROW LEVEL SECURITY;
-CREATE POLICY "roles_select" ON roles
-FOR SELECT TO authenticated
-USING (true);
-CREATE POLICY "roles_admin" ON roles
-FOR ALL TO authenticated
-USING (has_role('admin'))
-WITH CHECK (has_role('admin'));
--- User roles: Users see their own, admins see all
-ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
-CREATE POLICY "user_roles_select" ON user_roles
-FOR SELECT TO authenticated
-USING (user_id = auth.uid() OR has_role('admin'));
-CREATE POLICY "user_roles_admin" ON user_roles
-FOR ALL TO authenticated
-USING (has_role('admin'))
-WITH CHECK (has_role('admin'));
--- =============================================================================
--- USAGE EXAMPLE IN OTHER POLICIES
--- =============================================================================
---
--- CREATE POLICY "my_table_select" ON my_table
--- FOR SELECT TO authenticated
--- USING (
---     user_id = auth.uid()
---     OR has_any_role(ARRAY['admin', 'viewer'])
--- );
---
+-- RLS Roles Template
+-- Role-Based Access Control (RBAC) foundation for RLS policies
+-- Created: :created_date
+--
+-- This template sets up the foundation for role-based RLS policies
+-- =============================================================================
+-- ROLES TABLE
+-- =============================================================================
+CREATE TABLE IF NOT EXISTS roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name TEXT NOT NULL UNIQUE,
+    description TEXT,
+    permissions JSONB DEFAULT '[]'::JSONB,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+-- Insert default roles
+INSERT INTO roles (name, description, permissions) VALUES
+    ('admin', 'Full system access', '["*"]'::JSONB),
+    ('editor', 'Can read and modify content', '["read", "write", "update"]'::JSONB),
+    ('viewer', 'Read-only access', '["read"]'::JSONB),
+    ('creator', 'Can create new content', '["read", "write"]'::JSONB)
+ON CONFLICT (name) DO NOTHING;
+-- =============================================================================
+-- USER ROLES TABLE (Many-to-Many)
+-- =============================================================================
+CREATE TABLE IF NOT EXISTS user_roles (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+    role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
+    granted_by UUID REFERENCES auth.users(id),
+    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at TIMESTAMPTZ, -- NULL means never expires
+    UNIQUE(user_id, role_id)
+);
+-- Index for fast role lookups
+CREATE INDEX IF NOT EXISTS idx_user_roles_user_id ON user_roles(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_role_id ON user_roles(role_id);
+-- =============================================================================
+-- HELPER FUNCTIONS FOR RLS
+-- =============================================================================
+-- Check if user has a specific role
+CREATE OR REPLACE FUNCTION has_role(role_name TEXT)
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND r.name = role_name
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+-- Check if user has any of the specified roles
+CREATE OR REPLACE FUNCTION has_any_role(role_names TEXT[])
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND r.name = ANY(role_names)
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+-- Check if user has a specific permission
+CREATE OR REPLACE FUNCTION has_permission(permission TEXT)
+RETURNS BOOLEAN AS $$
+BEGIN
+    RETURN EXISTS (
+        SELECT 1
+        FROM user_roles ur
+        JOIN roles r ON ur.role_id = r.id
+        WHERE ur.user_id = auth.uid()
+        AND (
+            r.permissions @> '["*"]'::JSONB
+            OR r.permissions @> to_jsonb(permission)
+        )
+        AND (ur.expires_at IS NULL OR ur.expires_at > NOW())
+    );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER STABLE;
+-- =============================================================================
+-- RLS ON ROLES TABLES
+-- =============================================================================
+-- Roles table: Admins can manage, everyone can read
+ALTER TABLE roles ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "roles_select" ON roles
+FOR SELECT TO authenticated
+USING (true);
+CREATE POLICY "roles_admin" ON roles
+FOR ALL TO authenticated
+USING (has_role('admin'))
+WITH CHECK (has_role('admin'));
+-- User roles: Users see their own, admins see all
+ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "user_roles_select" ON user_roles
+FOR SELECT TO authenticated
+USING (user_id = auth.uid() OR has_role('admin'));
+CREATE POLICY "user_roles_admin" ON user_roles
+FOR ALL TO authenticated
+USING (has_role('admin'))
+WITH CHECK (has_role('admin'));
+-- =============================================================================
+-- USAGE EXAMPLE IN OTHER POLICIES
+-- =============================================================================
+--
+-- CREATE POLICY "my_table_select" ON my_table
+-- FOR SELECT TO authenticated
+-- USING (
+--     user_id = auth.uid()
+--     OR has_any_role(ARRAY['admin', 'viewer'])
+-- );
+--

package/.aios-core/product/templates/tmpl-rls-simple.sql CHANGED Viewed

@@ -1,77 +1,77 @@
--- Simple RLS Policy Template
--- Table: :table_name
--- Security Model: Simple owner-based access
--- Created: :created_date
---
--- This template creates a simple RLS policy where users can only
--- access rows they own (based on user_id column)
--- Enable RLS on table
-ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
--- =============================================================================
--- SIMPLE OWNER-BASED POLICY
--- =============================================================================
--- Drop existing policies if re-running
-DROP POLICY IF EXISTS ":table_name_owner_policy" ON :table_name;
--- Single policy for all operations (SELECT, INSERT, UPDATE, DELETE)
--- Users can only access rows where user_id matches their auth.uid()
-CREATE POLICY ":table_name_owner_policy"
-ON :table_name
-FOR ALL
-TO authenticated
-USING (auth.uid() = user_id)
-WITH CHECK (auth.uid() = user_id);
--- =============================================================================
--- OPTIONAL: Allow service role to bypass RLS
--- =============================================================================
--- Note: This is enabled by default in Supabase
--- The service_role can access all rows regardless of RLS policies
--- Be careful with service_role key exposure
--- =============================================================================
--- OPTIONAL: Public read access (if needed)
--- =============================================================================
--- Uncomment if you want anonymous users to read data
---
--- DROP POLICY IF EXISTS ":table_name_public_read" ON :table_name;
--- CREATE POLICY ":table_name_public_read"
--- ON :table_name
--- FOR SELECT
--- TO anon
--- USING (is_public = true);
--- =============================================================================
--- VERIFICATION
--- =============================================================================
--- Test the policy:
---
--- 1. As authenticated user (should see only their rows):
---    SET LOCAL ROLE authenticated;
---    SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
---    SELECT * FROM :table_name;
---
--- 2. As service role (should see all rows):
---    SET LOCAL ROLE service_role;
---    SELECT * FROM :table_name;
---
--- 3. As anonymous (should see nothing unless public_read enabled):
---    SET LOCAL ROLE anon;
---    SELECT * FROM :table_name;
--- =============================================================================
--- TABLE REQUIREMENTS
--- =============================================================================
--- This template assumes :table_name has a user_id column:
---
--- CREATE TABLE :table_name (
---     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
---     user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
---     -- other columns...
---     created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
--- );
---
--- CREATE INDEX idx_:table_name_user_id ON :table_name(user_id);
+-- Simple RLS Policy Template
+-- Table: :table_name
+-- Security Model: Simple owner-based access
+-- Created: :created_date
+--
+-- This template creates a simple RLS policy where users can only
+-- access rows they own (based on user_id column)
+-- Enable RLS on table
+ALTER TABLE :table_name ENABLE ROW LEVEL SECURITY;
+-- =============================================================================
+-- SIMPLE OWNER-BASED POLICY
+-- =============================================================================
+-- Drop existing policies if re-running
+DROP POLICY IF EXISTS ":table_name_owner_policy" ON :table_name;
+-- Single policy for all operations (SELECT, INSERT, UPDATE, DELETE)
+-- Users can only access rows where user_id matches their auth.uid()
+CREATE POLICY ":table_name_owner_policy"
+ON :table_name
+FOR ALL
+TO authenticated
+USING (auth.uid() = user_id)
+WITH CHECK (auth.uid() = user_id);
+-- =============================================================================
+-- OPTIONAL: Allow service role to bypass RLS
+-- =============================================================================
+-- Note: This is enabled by default in Supabase
+-- The service_role can access all rows regardless of RLS policies
+-- Be careful with service_role key exposure
+-- =============================================================================
+-- OPTIONAL: Public read access (if needed)
+-- =============================================================================
+-- Uncomment if you want anonymous users to read data
+--
+-- DROP POLICY IF EXISTS ":table_name_public_read" ON :table_name;
+-- CREATE POLICY ":table_name_public_read"
+-- ON :table_name
+-- FOR SELECT
+-- TO anon
+-- USING (is_public = true);
+-- =============================================================================
+-- VERIFICATION
+-- =============================================================================
+-- Test the policy:
+--
+-- 1. As authenticated user (should see only their rows):
+--    SET LOCAL ROLE authenticated;
+--    SET LOCAL request.jwt.claims = '{"sub": "user-uuid-here"}';
+--    SELECT * FROM :table_name;
+--
+-- 2. As service role (should see all rows):
+--    SET LOCAL ROLE service_role;
+--    SELECT * FROM :table_name;
+--
+-- 3. As anonymous (should see nothing unless public_read enabled):
+--    SET LOCAL ROLE anon;
+--    SELECT * FROM :table_name;
+-- =============================================================================
+-- TABLE REQUIREMENTS
+-- =============================================================================
+-- This template assumes :table_name has a user_id column:
+--
+-- CREATE TABLE :table_name (
+--     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+--     user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+--     -- other columns...
+--     created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+-- );
+--
+-- CREATE INDEX idx_:table_name_user_id ON :table_name(user_id);