bedrock-flows 0.7.1

package/auth-schema.sql

@@ -0,0 +1,8 @@
+PRAGMA defer_foreign_keys=TRUE;
+CREATE TABLE IF NOT EXISTS "user" ("id" text not null primary key, "name" text not null, "email" text not null unique, "emailVerified" integer not null, "image" text, "createdAt" date not null, "updatedAt" date not null, "role" text, "banned" integer, "banReason" text, "banExpires" date);
+CREATE TABLE IF NOT EXISTS "session" ("id" text not null primary key, "expiresAt" date not null, "token" text not null unique, "createdAt" date not null, "updatedAt" date not null, "ipAddress" text, "userAgent" text, "userId" text not null references "user" ("id") on delete cascade, "impersonatedBy" text);
+CREATE TABLE IF NOT EXISTS "account" ("id" text not null primary key, "accountId" text not null, "providerId" text not null, "userId" text not null references "user" ("id") on delete cascade, "accessToken" text, "refreshToken" text, "idToken" text, "accessTokenExpiresAt" date, "refreshTokenExpiresAt" date, "scope" text, "password" text, "createdAt" date not null, "updatedAt" date not null);
+CREATE TABLE IF NOT EXISTS "verification" ("id" text not null primary key, "identifier" text not null, "value" text not null, "expiresAt" date not null, "createdAt" date not null, "updatedAt" date not null);
+CREATE INDEX "session_userId_idx" on "session" ("userId");
+CREATE INDEX "account_userId_idx" on "account" ("userId");
+CREATE INDEX "verification_identifier_idx" on "verification" ("identifier");

package/bin/bedrock-flows.mjs

@@ -0,0 +1,127 @@
+#!/usr/bin/env node
+/**
+ * bedrock-flows — the project CLI.
+ *
+ *   npx bedrock-flows create [dir]      scaffold a new project (Part 1: local)
+ *   bedrock-flows setup [name]          stand up its Cloudflare backend (Part 2: team)
+ *
+ * `create` unpacks the bundled `template/` (a project that depends on the
+ * published @obra-studio/bedrock-flows platform) and stamps THIS CLI's version
+ * — which ships in lockstep with the platform — so the project pulls a matching
+ * platform from npm and the person never clones the platform repo.
+ */
+import fs from 'node:fs'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const HERE = path.dirname(fileURLToPath(import.meta.url))
+const CLI_ROOT = path.resolve(HERE, '..')
+const TEMPLATE = path.join(CLI_ROOT, 'template')
+const VERSION_TOKEN = '__BEDROCK_FLOWS_VERSION__'
+const { version } = JSON.parse(fs.readFileSync(path.join(CLI_ROOT, 'package.json'), 'utf8'))
+
+function usage() {
+  console.log(`bedrock-flows ${version}
+
+  npx bedrock-flows create [dir]   scaffold a new project (local — needs nothing)
+  bedrock-flows setup [name]       stand up its Cloudflare backend + deploy
+
+setup options:
+  --domains=a.com,b.com   restrict signup to these domains (default: open)
+  --google                enable Google sign-in (needs google creds in your config)
+  --dry-run               print every action without executing
+  --print-config          print the operator config template and exit
+`)
+}
+
+// ── create ─────────────────────────────────────────────────────────────────
+function cmdCreate(args) {
+  const dirArg = args[0]
+  const target = path.resolve(dirArg || '.')
+
+  // Refuse to clobber a non-empty folder (a few harmless entries are tolerated).
+  const HARMLESS = new Set(['.git', '.DS_Store', '.gitignore'])
+  if (fs.existsSync(target)) {
+    const entries = fs.readdirSync(target).filter((e) => !HARMLESS.has(e))
+    if (entries.length) {
+      console.error(`✗ ${target} is not empty (${entries.length} item(s)).`)
+      console.error('  Run `bedrock-flows create` in an empty folder, or pass a new dir name.')
+      process.exit(1)
+    }
+  }
+  if (!fs.existsSync(TEMPLATE)) {
+    console.error(`✗ bundled template missing at ${TEMPLATE} — broken install?`)
+    process.exit(1)
+  }
+
+  fs.mkdirSync(target, { recursive: true })
+  fs.cpSync(TEMPLATE, target, { recursive: true })
+
+  // `gitignore` ships dotless (npm mangles a real .gitignore inside a package).
+  const ignoreSrc = path.join(target, 'gitignore')
+  if (fs.existsSync(ignoreSrc)) fs.renameSync(ignoreSrc, path.join(target, '.gitignore'))
+
+  // Stamp the platform version into every package.json (replaces the placeholder).
+  let stamped = 0
+  function stamp(dir) {
+    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
+      if (e.name === 'node_modules') continue
+      const p = path.join(dir, e.name)
+      if (e.isDirectory()) stamp(p)
+      else if (e.name === 'package.json') {
+        const txt = fs.readFileSync(p, 'utf8')
+        if (txt.includes(VERSION_TOKEN)) {
+          fs.writeFileSync(p, txt.split(VERSION_TOKEN).join(`^${version}`))
+          stamped++
+        }
+      }
+    }
+  }
+  stamp(target)
+  if (!stamped) {
+    console.error('✗ template had no version placeholder to stamp — regenerate it with build-starter.')
+    process.exit(1)
+  }
+
+  const shown = dirArg || '.'
+  const cd = shown === '.' ? '' : `cd ${shown}\n  `
+  console.log(`✓ Created a Bedrock Flows project in ${shown}  (platform ^${version})
+
+Next:
+  ${cd}npm install
+  npm run dev       # one command → http://localhost:5173
+
+Edit prototypes/ and design-system/. Upgrade later with:
+  npm install @obra-studio/bedrock-flows@latest
+`)
+}
+
+// ── setup ──────────────────────────────────────────────────────────────────
+async function cmdSetup(args) {
+  const { runSetup, printConfigTemplate } = await import('../lib/setup.mjs')
+  const opts = { domains: '', google: false, dryRun: false }
+  let name
+  for (const a of args) {
+    if (a === '--print-config') return printConfigTemplate()
+    else if (a === '--google') opts.google = true
+    else if (a === '--dry-run') opts.dryRun = true
+    else if (a.startsWith('--domains=')) opts.domains = a.slice('--domains='.length)
+    else if (a.startsWith('--')) throw new Error(`Unknown flag: ${a}`)
+    else name = a
+  }
+  runSetup({ name, opts })
+}
+
+// ── dispatch ───────────────────────────────────────────────────────────────
+const [cmd, ...rest] = process.argv.slice(2)
+try {
+  if (cmd === 'create') cmdCreate(rest)
+  else if (cmd === 'setup') await cmdSetup(rest)
+  else {
+    usage()
+    process.exit(cmd ? 1 : 0)
+  }
+} catch (e) {
+  console.error(`\n✗ ${e.message}\n`)
+  process.exit(1)
+}

package/lib/setup.mjs

@@ -0,0 +1,262 @@
+// bedrock-flows setup — stand up a project's Cloudflare backend and deploy it.
+//
+// Ported from bedrock-provision, minus the scaffold step: the project already
+// exists (from `bedrock-flows create`), so setup runs IN it (cwd). It creates
+// KV + D1, applies the bundled Better Auth schema, patches wrangler.jsonc,
+// deploys (which creates the Worker), then pushes prod secrets.
+//
+// Required: a Cloudflare account. Postmark is OPTIONAL — without it the worker
+// just no-ops notification email (invite links are shared manually). Google
+// OAuth is opt-in (--google).
+import { execSync } from 'node:child_process'
+import { randomBytes } from 'node:crypto'
+import { readFileSync, writeFileSync, existsSync, mkdirSync, rmSync } from 'node:fs'
+import { join, dirname, basename } from 'node:path'
+import { homedir } from 'node:os'
+import { fileURLToPath } from 'node:url'
+
+const HERE = dirname(fileURLToPath(import.meta.url))
+const SCHEMA = join(HERE, '..', 'auth-schema.sql') // cli/auth-schema.sql
+const CONFIG_DIR = join(process.env.XDG_CONFIG_HOME || join(homedir(), '.config'), 'bedrock-flows')
+const CONFIG_PATH = process.env.BEDROCK_FLOWS_CONFIG || join(CONFIG_DIR, 'config.json')
+
+export const genSecret = () => randomBytes(32).toString('base64')
+
+// ── shell ────────────────────────────────────────────────────────────────────
+function sh(cmd, { cwd, env, stream = false, dryRun = false } = {}) {
+  if (dryRun) {
+    console.log(`  \x1b[2m[dry-run] ${cmd}${cwd ? `  (cwd: ${cwd})` : ''}\x1b[0m`)
+    return ''
+  }
+  return execSync(cmd, {
+    cwd,
+    env: { ...process.env, ...env },
+    encoding: 'utf8',
+    stdio: stream ? 'inherit' : ['inherit', 'pipe', 'inherit'],
+  })
+}
+
+// ── operator config (shared across the operator's projects) ──────────────────
+const CONFIG_TEMPLATE = {
+  cloudflare: { accountId: '<from the Cloudflare dashboard>', subdomain: '<your workers.dev subdomain>' },
+  ownerEmail: 'you@example.com',
+  postmark: { '//': 'OPTIONAL — omit to skip emailed invites/notifications', token: '', from: 'you@your-verified-domain.com', stream: 'outbound' },
+  google: { '//': 'OPTIONAL — only used with --google', clientId: '', clientSecret: '' },
+}
+
+export function printConfigTemplate() {
+  console.log(`# bedrock-flows operator config → ${CONFIG_PATH}\n`)
+  console.log(JSON.stringify(CONFIG_TEMPLATE, null, 2))
+}
+
+function loadConfig() {
+  if (!existsSync(CONFIG_PATH)) {
+    throw new Error(
+      `No operator config at ${CONFIG_PATH}\n` +
+        `  Create it (run \`bedrock-flows setup --print-config\` for a template) with your\n` +
+        `  Cloudflare account; Postmark + Google are optional.`,
+    )
+  }
+  const cfg = JSON.parse(readFileSync(CONFIG_PATH, 'utf8'))
+  if (!cfg.cloudflare?.accountId || !cfg.cloudflare?.subdomain) {
+    throw new Error(`${CONFIG_PATH}: "cloudflare" needs both accountId and subdomain.`)
+  }
+  return cfg
+}
+
+const hasPostmark = (cfg) => Boolean(cfg.postmark && cfg.postmark.token)
+
+// A worker name must be lowercase alnum + hyphens (also the DB + resource names).
+function validateName(name) {
+  if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(name)) {
+    throw new Error(`Invalid name "${name}". Use lowercase letters, digits and hyphens (e.g. acme-bedrock-flows).`)
+  }
+  return name
+}
+
+// ── Cloudflare resources ──────────────────────────────────────────────────────
+const workerDir = (dir) => join(dir, 'apps', 'worker')
+const HEX32 = /[0-9a-f]{32}/
+const UUID = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
+const wenv = (cfg) => ({ CLOUDFLARE_ACCOUNT_ID: cfg.cloudflare.accountId })
+
+// wrangler prepends chatter (version line, banners) so stdout isn't pure JSON.
+function parseJsonLoose(out, what) {
+  const i = out.search(/[[{]/)
+  if (i === -1) throw new Error(`No JSON found in ${what} output:\n${out}`)
+  return JSON.parse(out.slice(i))
+}
+
+function createKv(dir, cfg, title, opts) {
+  if (!opts.dryRun) {
+    const list = sh(`npx wrangler kv namespace list`, { cwd: workerDir(dir), env: wenv(cfg) })
+    const found = parseJsonLoose(list, 'kv namespace list').find((n) => n.title === title)
+    if (found) {
+      console.log(`  • KV "${title}" exists → ${found.id}`)
+      return found.id
+    }
+  }
+  const out = sh(`npx wrangler kv namespace create "${title}"`, { cwd: workerDir(dir), env: wenv(cfg), dryRun: opts.dryRun })
+  const id = opts.dryRun ? 'DRY_KV_ID'.padEnd(32, '0') : (out.match(HEX32) || [])[0]
+  if (!id) throw new Error(`Could not parse KV id from:\n${out}`)
+  console.log(`  • KV "${title}" → ${id}`)
+  return id
+}
+
+function createD1(dir, cfg, dbName, opts) {
+  if (!opts.dryRun) {
+    const list = sh(`npx wrangler d1 list --json`, { cwd: workerDir(dir), env: wenv(cfg) })
+    const found = parseJsonLoose(list, 'd1 list').find((d) => d.name === dbName)
+    if (found) {
+      console.log(`  • D1 "${dbName}" exists → ${found.uuid}`)
+      return found.uuid
+    }
+  }
+  const out = sh(`npx wrangler d1 create ${dbName}`, { cwd: workerDir(dir), env: wenv(cfg), dryRun: opts.dryRun })
+  const id = opts.dryRun ? '00000000-0000-0000-0000-000000000000' : (out.match(UUID) || [])[0]
+  if (!id) throw new Error(`Could not parse D1 id from:\n${out}`)
+  console.log(`  • D1 "${dbName}" → ${id}`)
+  return id
+}
+
+function applySchema(dir, cfg, dbName, opts) {
+  if (!existsSync(SCHEMA)) throw new Error(`Bundled auth-schema.sql not found at ${SCHEMA}`)
+  sh(`npx wrangler d1 execute ${dbName} --remote --yes --file "${SCHEMA}"`, {
+    cwd: workerDir(dir), env: wenv(cfg), stream: true, dryRun: opts.dryRun,
+  })
+  console.log(`  • D1 "${dbName}" schema applied (user/session/account/verification)`)
+}
+
+function patchWrangler(dir, { name, kv, d1Id, d1Name, url, domains, ownerEmail }, opts) {
+  const wf = join(workerDir(dir), 'wrangler.jsonc')
+  if (opts.dryRun) {
+    console.log(`  [dry-run] patch ${wf} (name=${name}, kv, d1=${d1Name}, vars)`)
+    return
+  }
+  let s = readFileSync(wf, 'utf8')
+  s = s.replace(/("name":\s*")[^"]*(")/, `$1${name}$2`)
+  s = s.replace(/("binding":\s*"WF_COMMENTS",\s*"id":\s*")[0-9a-f]+(")/, `$1${kv.comments}$2`)
+  s = s.replace(/("binding":\s*"SPEC_KV",\s*"id":\s*")[0-9a-f]+(")/, `$1${kv.spec}$2`)
+  s = s.replace(/("database_name":\s*")[^"]*(")/, `$1${d1Name}$2`)
+  s = s.replace(/("database_id":\s*")[^"]*(")/, `$1${d1Id}$2`)
+  // Inject a vars block right after the assets binding (the template has none).
+  const varsBlock =
+    `\n  "vars": {\n` +
+    `    "BETTER_AUTH_URL": "${url}",\n` +
+    `    "AUTH_ALLOWED_DOMAINS": "${domains}",\n` +
+    `    "AUTH_ALLOWLIST": "",\n` +
+    `    "AUTH_OWNER_EMAIL": "${ownerEmail || ''}"\n` +
+    `  },`
+  if (!s.includes('"vars"')) s = s.replace(/("assets":\s*\{[^}]*\},)/, `$1${varsBlock}`)
+  writeFileSync(wf, s)
+  console.log(`  • patched apps/worker/wrangler.jsonc`)
+}
+
+function deploy(dir, opts) {
+  sh(`npm run deploy`, { cwd: dir, stream: true, dryRun: opts.dryRun })
+}
+
+function pushSecrets(dir, { secret, cfg, google }, opts) {
+  const secrets = { BETTER_AUTH_SECRET: secret }
+  if (hasPostmark(cfg)) {
+    secrets.POSTMARK_TOKEN = cfg.postmark.token
+    secrets.POSTMARK_FROM = cfg.postmark.from
+    secrets.POSTMARK_STREAM = cfg.postmark.stream || 'outbound'
+  }
+  if (google) {
+    secrets.GOOGLE_CLIENT_ID = cfg.google.clientId
+    secrets.GOOGLE_CLIENT_SECRET = cfg.google.clientSecret
+  }
+  if (opts.dryRun) {
+    console.log(`  [dry-run] wrangler secret bulk (${Object.keys(secrets).join(', ')})`)
+    return
+  }
+  const tmp = join(workerDir(dir), '.secrets.tmp.json')
+  writeFileSync(tmp, JSON.stringify(secrets))
+  try {
+    sh(`npx wrangler secret bulk .secrets.tmp.json`, { cwd: workerDir(dir), env: wenv(cfg), stream: true })
+  } finally {
+    rmSync(tmp, { force: true })
+  }
+  console.log(`  • pushed ${Object.keys(secrets).length} prod secrets`)
+}
+
+function writeManifest(name, data) {
+  const dir = join(CONFIG_DIR, 'manifests')
+  mkdirSync(dir, { recursive: true })
+  writeFileSync(join(dir, `${name}.json`), JSON.stringify(data, null, 2) + '\n')
+  console.log(`  • manifest → ${join(dir, `${name}.json`)}`)
+}
+
+// The bits that can't be automated — printed AND saved into the project.
+function manualSteps({ name, url, google, ownerEmail, emailOn }) {
+  const L = [`# ${name} — after setup`, '', `Live: ${url}`, '']
+  L.push(`## Invite your team`, ``)
+  L.push(`Sign in as ${ownerEmail || 'the owner email'} (auto-promoted to admin) → the **Users**`)
+  L.push(`tab: invite by email, promote, ban, remove.`)
+  L.push(
+    emailOn
+      ? `Invitees get an email with a signup link.`
+      : `Email is off, so the invite link isn't sent — copy it from the Users tab and share it (Slack/DM).`,
+  )
+  L.push('')
+  if (google) {
+    L.push(`## Register the Google OAuth redirect URIs (the only manual step)`, ``)
+    L.push(`Google Cloud Console → your OAuth client → Authorized redirect URIs, add BOTH`)
+    L.push(`(exact, no trailing slash):`)
+    L.push(`  ${url}/api/auth/callback/google`)
+    L.push(`  http://localhost:8787/api/auth/callback/google`)
+    L.push(`Until then "Continue with Google" 404s; email/password works immediately.`)
+    L.push('')
+  }
+  return L.join('\n')
+}
+
+export function runSetup({ name, opts }) {
+  const dir = process.cwd()
+  if (!existsSync(join(dir, 'apps', 'worker', 'wrangler.jsonc'))) {
+    throw new Error(
+      `Not a Bedrock Flows project here (no apps/worker/wrangler.jsonc).\n` +
+        `  Run this inside your project dir, or \`npx bedrock-flows create\` first.`,
+    )
+  }
+  const cfg = loadConfig()
+  name = validateName(name || basename(dir))
+  if (opts.google && !(cfg.google?.clientId && cfg.google?.clientSecret)) {
+    throw new Error(`--google needs google.clientId/clientSecret in ${CONFIG_PATH}.`)
+  }
+  const dbName = `${name}-auth`
+  const url = `https://${name}.${cfg.cloudflare.subdomain}.workers.dev`
+  const secret = genSecret()
+  const ownerEmail = cfg.ownerEmail || ''
+  const emailOn = hasPostmark(cfg)
+  const banner = opts.dryRun ? ' (dry run)' : ''
+  console.log(
+    `\n▶ Setting up "${name}"${banner}\n  URL:      ${url}\n  Email:    ${emailOn ? 'Postmark' : 'off (share invite links manually)'}\n  Google:   ${opts.google ? 'on' : 'off'}\n`,
+  )
+
+  console.log('1/6 KV namespaces')
+  const kv = { comments: createKv(dir, cfg, `${name}-comments`, opts), spec: createKv(dir, cfg, `${name}-spec`, opts) }
+
+  console.log('2/6 D1 auth store')
+  const d1Id = createD1(dir, cfg, dbName, opts)
+  applySchema(dir, cfg, dbName, opts)
+
+  console.log('3/6 Patch wrangler.jsonc')
+  patchWrangler(dir, { name, kv, d1Id, d1Name: dbName, url, domains: opts.domains, ownerEmail }, opts)
+
+  console.log('4/6 Deploy')
+  deploy(dir, opts)
+
+  console.log('5/6 Push prod secrets')
+  pushSecrets(dir, { secret, cfg, google: opts.google }, opts)
+
+  console.log('6/6 Manifest')
+  if (!opts.dryRun) writeManifest(name, { name, url, dbName, d1Id, kv, ownerEmail, google: opts.google, domains: opts.domains, emailOn })
+
+  const steps = manualSteps({ name, url, google: opts.google, ownerEmail, emailOn })
+  if (!opts.dryRun) writeFileSync(join(dir, 'SETUP-NEXT-STEPS.md'), steps)
+
+  console.log(`\n✅ Done${banner}.\n   Live: ${url}\n   Re-ship changes any time with: npm run deploy\n`)
+  console.log(steps)
+}

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "bedrock-flows",
+  "version": "0.7.1",
+  "description": "Bedrock Flows CLI — `create` a project, `setup` its Cloudflare backend.",
+  "type": "module",
+  "license": "FSL-1.1-MIT",
+  "repository": { "type": "git", "url": "git+https://github.com/Obra-Studio/bedrock-flows-mr.git" },
+  "bin": { "bedrock-flows": "bin/bedrock-flows.mjs" },
+  "files": ["bin", "lib", "template", "auth-schema.sql"],
+  "engines": { "node": ">=18" }
+}

package/template/.storybook/main.js

@@ -0,0 +1,46 @@
+// Per-version Storybook config. The `DS_VERSION` env var selects which version
+// of the design system this build documents. scripts/build-storybooks.mjs
+// (→ @obra-studio/bedrock-flows/design-system buildStorybooks) invokes Storybook once per
+// version, each writing into dist/ds/<v>/storybook.
+// Fallback when DS_VERSION isn't set (e.g. running Storybook directly):
+// the project's defaultDsVersion from bedrock.config.ts. Read with a regex —
+// this file is plain JS and can't import the TS config.
+import fs from 'node:fs'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+const projectDefault = (() => {
+  try {
+    const cfg = fs.readFileSync(
+      path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../bedrock.config.ts'),
+      'utf8',
+    )
+    return cfg.match(/defaultDsVersion:\s*'([^']+)'/)?.[1]
+  } catch {
+    return undefined
+  }
+})()
+const version = process.env.DS_VERSION || projectDefault || 'starter-v1'
+
+/** @type {import('@storybook/html-vite').StorybookConfig} */
+const config = {
+  stories: [`../.stories-generated/${version}/**/*.stories.js`],
+  // `@storybook/addon-docs` is required in Storybook 10 for autodocs. Without
+  // it the html-vite renderer's `entry-preview-docs` is never loaded and every
+  // Docs page throws `r.renderer is not a function` at render time.
+  addons: ['@storybook/addon-docs'],
+  framework: { name: '@storybook/html-vite', options: {} },
+  // Per-story `tags: ['autodocs']` (set by the generator) opts each component
+  // into a Docs page that stacks all its variants. `docs.autodocs: 'tag'` is
+  // the canonical SB switch that respects that tag.
+  docs: { autodocs: 'tag', defaultName: 'Docs' },
+  staticDirs: [{ from: `../design-system/${version}`, to: '/ds-current' }],
+  async viteFinal(viteConfig, { configType }) {
+    if (configType === 'PRODUCTION') {
+      // Deployed path: https://.../ds/<version>/storybook/
+      viteConfig.base = `/ds/${version}/storybook/`
+    }
+    return viteConfig
+  },
+}
+
+export default config