chadstart 1.0.0

package/admin/login.html

@@ -0,0 +1,207 @@
+<!DOCTYPE html>
+<html lang="en" id="html-root">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Sign in — ChadStart Admin</title>
+  <script src="/admin/vendor/tailwind.js"></script>
+  <style type="text/tailwindcss">
+    @theme {
+      --color-cs-bg: #121212;
+      --color-cs-surface: #1e1e1e;
+      --color-cs-border: #2a2a2a;
+      --color-cs-primary: #34b1eb;
+      --color-cs-accent: #03dac6;
+      --color-cs-text: #e1e1e1;
+      --color-cs-muted: #888888;
+    }
+  </style>
+  <style>
+    /* ── Animated glowing border button ────────────────────────────── */
+    @property --glow-a { syntax: '<angle>'; inherits: false; initial-value: 0deg; }
+    @keyframes spin-glow { to { --glow-a: 360deg; } }
+    .btn-glow {
+      border: 2px solid transparent;
+      background:
+        linear-gradient(#1e1e1e, #1e1e1e) padding-box,
+        conic-gradient(from var(--glow-a), #34b1eb 0%, #0e7fc4 40%, transparent 60%, #34b1eb 100%) border-box;
+      animation: spin-glow 2s linear infinite;
+      color: #34b1eb; font-weight: 500;
+      transition: opacity 150ms ease;
+    }
+    .btn-glow:hover { opacity: 0.8; }
+    .btn-glow:disabled { opacity: 0.4; animation: none; }
+  </style>
+</head>
+<body class="bg-cs-bg text-cs-text min-h-screen flex items-center justify-center p-4"
+  style="font-family: ui-sans-serif, system-ui, -apple-system, sans-serif;">
+
+<div class="bg-cs-surface border border-cs-border rounded p-8 w-full max-w-sm" style="box-shadow: 0 2px 16px rgba(52,177,235,.1);">
+  <div id="login-project-name" class="font-bold text-cs-text text-xl mb-0.5">Admin</div>
+  <div class="text-[11px] text-cs-muted mb-6">Powered by ChadStart.com</div>
+
+  <div id="login-error" class="text-red-400 text-sm mb-4 hidden"></div>
+
+  <div id="login-collection-section" class="hidden mb-4">
+    <label class="block text-sm text-cs-muted mb-1">Collection</label>
+    <input type="text" id="login-collection"
+      class="w-full bg-cs-bg border border-cs-border rounded text-cs-text px-3 py-2 text-sm outline-none focus:border-cs-primary"
+      style="transition: border-color 150ms ease;"
+      placeholder="Admin collection name" autocomplete="off" />
+  </div>
+  <div class="mb-4 text-right">
+    <button type="button" id="toggle-collection-btn" onclick="toggleCollectionField()"
+      class="text-xs text-cs-muted hover:text-cs-primary cursor-pointer"
+      style="transition: color 150ms ease; background: none; border: none; padding: 0;">
+      Change collection
+    </button>
+  </div>
+
+  <label class="block text-sm text-cs-muted mb-1">Email</label>
+  <input type="email" id="login-email" placeholder="admin@example.com" autocomplete="email"
+    class="w-full bg-cs-bg border border-cs-border rounded text-cs-text px-3 py-2 text-sm mb-4 outline-none focus:border-cs-primary"
+    style="transition: border-color 150ms ease;" />
+
+  <label class="block text-sm text-cs-muted mb-1">Password</label>
+  <input type="password" id="login-password" placeholder="••••••••" autocomplete="current-password"
+    class="w-full bg-cs-bg border border-cs-border rounded text-cs-text px-3 py-2 text-sm mb-5 outline-none focus:border-cs-primary"
+    style="transition: border-color 150ms ease;" />
+
+  <button id="login-btn" onclick="doLogin()" class="btn-glow w-full py-2 px-4 rounded text-sm cursor-pointer">
+    <span>Sign in</span>
+  </button>
+</div>
+
+<script>
+  // ── State ──────────────────────────────────────────────────────────────
+  let schema = null;
+
+  function toSlug(name) {
+    return name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+  }
+
+  function escHtml(s) {
+    return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+  }
+
+  // ── Bootstrap ──────────────────────────────────────────────────────────
+  async function init() {
+    // If already authenticated, redirect to admin
+    const token = localStorage.getItem('cs_token');
+    if (token) {
+      // Verify token is still valid before redirect
+      try {
+        const verifySchema = await fetch('/admin/schema').then(r => r.json());
+        const cols = getAdminCollections(verifySchema);
+        if (cols.length) {
+          const r = await fetch(`/api/auth/${toSlug(cols[0].name)}/me`, {
+            headers: { Authorization: `Bearer ${token}` }
+          });
+          if (r.ok) {
+            window.location.replace('/admin');
+            return;
+          }
+        }
+      } catch { /* fall through to show login */ }
+      localStorage.removeItem('cs_token');
+    }
+
+    // Load schema for collection selection
+    try {
+      schema = await fetch('/admin/schema').then(r => r.json());
+      if (schema.name) {
+        document.getElementById('login-project-name').textContent = schema.name;
+        document.title = `Sign in — ${escHtml(schema.name)}`;
+      }
+      populateLoginCollections();
+    } catch { /* ignore */ }
+  }
+
+  function getAdminCollections(s) {
+    const src = s || schema;
+    return (src && src.userCollections) || [];
+  }
+
+  function populateLoginCollections() {
+    const cols = getAdminCollections();
+    const input = document.getElementById('login-collection');
+    const errEl = document.getElementById('login-error');
+    const btn = document.getElementById('login-btn');
+    if (cols.length) {
+      input.value = cols[0].name;
+    } else {
+      input.value = '';
+      errEl.textContent = 'No admin collections found. Please configure an authenticable entity.';
+      errEl.classList.remove('hidden');
+      btn.disabled = true;
+    }
+  }
+
+  function toggleCollectionField() {
+    const section = document.getElementById('login-collection-section');
+    const btn = document.getElementById('toggle-collection-btn');
+    const isHidden = section.classList.contains('hidden');
+    section.classList.toggle('hidden', !isHidden);
+    btn.textContent = isHidden ? 'Hide collection' : 'Change collection';
+    if (isHidden) document.getElementById('login-collection').focus();
+  }
+
+  async function doLogin() {
+    const collectionName = document.getElementById('login-collection').value.trim().replace(/[^a-zA-Z0-9 _-]/g, '');
+    const email = document.getElementById('login-email').value.trim();
+    const password = document.getElementById('login-password').value;
+    const errEl = document.getElementById('login-error');
+    const btn = document.getElementById('login-btn');
+    const btnText = btn.querySelector('span');
+
+    errEl.classList.add('hidden');
+    if (!collectionName || !email || !password) {
+      errEl.textContent = 'All fields are required';
+      errEl.classList.remove('hidden');
+      return;
+    }
+
+    btn.disabled = true;
+    btnText.textContent = 'Signing in…';
+
+    const cols = getAdminCollections();
+    const col = cols.find(c => c.name === collectionName);
+    if (!col) {
+      showLoginError('Collection not found');
+      return;
+    }
+
+    try {
+      const r = await fetch(`/api/auth/${toSlug(col.name)}/login`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email, password }),
+      });
+      const data = await r.json();
+      if (!r.ok) {
+        showLoginError(data.error || 'Login failed');
+        return;
+      }
+      localStorage.setItem('cs_token', data.token);
+      localStorage.setItem('cs_collection', col.name);
+      window.location.replace('/admin');
+    } catch {
+      showLoginError('Network error');
+    }
+
+    function showLoginError(msg) {
+      errEl.textContent = msg;
+      errEl.classList.remove('hidden');
+      btn.disabled = false;
+      btnText.textContent = 'Sign in';
+    }
+  }
+
+  document.addEventListener('keydown', e => {
+    if (e.key === 'Enter') doLogin();
+  });
+
+  init();
+</script>
+</body>
+</html>

package/chadstart.example.yml

@@ -0,0 +1,416 @@
+# chadstart.example.yml
+# ─────────────────────────────────────────────────────────────────────────────
+# Reference file that lists every available option in a ChadStart YAML config.
+# Copy this file to chadstart.yaml and remove / adjust the sections you need.
+# Secrets (JWT_SECRET, DB passwords, SENTRY_DSN, OTLP auth headers …) must
+# always be stored in .env — never put them in this file.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── App identity ──────────────────────────────────────────────────────────────
+
+# (required) Human-readable name of your application.
+name: My App
+
+# TCP port the HTTP server listens on. Overridable by PORT env var.
+# Default: 3000
+port: 3000
+
+# Path to the SQLite database file (relative to this config file).
+# Overridable by DB_PATH env var.
+# Default: data/chadstart.db
+database: data/chadstart.db
+
+# ── Entities ──────────────────────────────────────────────────────────────────
+# Define every data model here. ChadStart auto-generates REST + SDK CRUD for
+# each entity. Every entity gets id (UUID), createdAt, and updatedAt for free.
+
+entities:
+
+  # ── Authenticable (user-like) entity ────────────────────────────────────────
+  User:
+    # Makes this entity a user: adds email + password fields and enables
+    # login / signup / token-refresh endpoints.
+    authenticable: true
+
+    # Identifier property shown in the admin panel (defaults to first string field).
+    mainProp: name
+
+    # Overrides for the auto-generated singular / plural display names.
+    nameSingular: user
+    namePlural: users
+
+    # Number of records created when running `npm run seed`. Default: 50
+    seedCount: 10
+
+    # Custom kebab-case slug used in API paths (default: pluralised entity name).
+    slug: users
+
+    properties:
+      # Short syntax — type defaults to "string".
+      - name
+
+      # Long syntax — all available property options shown below.
+      - name: bio
+        type: text            # string | text | richText | number | link | money |
+                              # date | timestamp | email | boolean | file | image |
+                              # password | choice | location | group | json |
+                              # integer | float | real
+        hidden: false         # Exclude this field from API responses. Default: false
+        helpText: A short bio # Hint displayed in the admin UI
+        default: ''           # Default value when property is omitted on create
+
+      - name: email
+        type: email
+        validation:
+          required: true
+          isEmail: true
+
+      - name: age
+        type: integer
+        validation:
+          min: 0
+          max: 120
+
+      - name: website
+        type: link
+
+      - name: balance
+        type: money
+        options:
+          currency: USD       # ISO 4217 currency code. Default: USD
+
+      - name: avatar
+        type: image
+        options:
+          sizes:
+            thumbnail:
+              width: 80
+              height: 80
+              fit: cover      # cover | contain | fill | inside | outside (Sharp)
+            medium:
+              width: 400
+
+      - name: resume
+        type: file
+
+      - name: password
+        type: password        # Value is automatically hashed before storage
+
+      - name: role
+        type: choice
+        options:
+          values: [admin, editor, viewer]
+          sequential: false   # true = values follow a logical progression
+
+      - name: coordinates
+        type: location        # Stored as { lat, lng }
+
+      - name: metadata
+        type: json
+
+      - name: publishedAt
+        type: timestamp       # ISO 8601 datetime
+
+      - name: birthDate
+        type: date
+
+      - name: isActive
+        type: boolean
+        default: true
+
+    # ── Access policies ────────────────────────────────────────────────────────
+    # Each CRUD operation can have one or more policy rules evaluated in order.
+    # access values: public | restricted | admin | forbidden
+    # Emoji shortcuts: 🌐 = public | 🔒 = restricted | 👨🏻‍💻 = admin | 🚫 = forbidden
+    policies:
+      create:
+        - access: public                  # Anyone can sign up
+      read:
+        - access: restricted              # Must be authenticated
+          allow: User                     # …and belong to the User entity
+          condition: self                 # …and only read their own record
+      update:
+        - access: restricted
+          allow: User
+          condition: self
+      delete:
+        - access: admin                   # Only admins
+      # signup policy controls who can call the signup endpoint (authenticable only)
+      signup:
+        - access: public
+
+    # ── Entity-level validation ────────────────────────────────────────────────
+    # Validation rules applied per property on create / update requests.
+    # All available validation rules are listed here (use only what you need).
+    validation:
+      name:
+        required: true        # Field must be present in the request
+        isNotEmpty: true      # Value must not be an empty string
+        minLength: 2
+        maxLength: 100
+      email:
+        isDefined: true       # Value must not be undefined
+        isEmail: true
+      age:
+        isOptional: true
+        min: 0
+        max: 120
+      role:
+        isIn: [admin, editor, viewer]
+      bio:
+        isOptional: true
+        maxLength: 500
+        # Additional validators (not all will apply to every type):
+        # equals: someValue
+        # notEquals: someValue
+        # isEmpty: false
+        # isNotIn: [banned, blocked]
+        # contains: '@'
+        # notContains: spam
+        # isAlpha: true
+        # isAlphanumeric: true
+        # isAscii: true
+        # isJSON: false
+        # matches: '^[a-z]+$'
+        # isMimeType: true
+
+    # ── Webhooks (lifecycle hooks) ─────────────────────────────────────────────
+    # Send HTTP requests to external services on entity lifecycle events.
+    hooks:
+      afterCreate:
+        - url: https://hooks.example.com/user-created
+          method: POST          # GET | POST | PUT | PATCH | DELETE. Default: POST
+          headers:
+            X-Api-Key: my-key
+      afterUpdate:
+        - url: https://hooks.example.com/user-updated
+          method: POST
+      beforeDelete:
+        - url: https://hooks.example.com/before-user-deleted
+          method: POST
+      # Other available events: beforeCreate | beforeUpdate | afterDelete
+
+    # ── Middlewares ────────────────────────────────────────────────────────────
+    # Run a custom function at specific lifecycle points.
+    # Handler files live in the /functions (or CHADSTART_FUNCTIONS_FOLDER) folder.
+    middlewares:
+      beforeCreate:
+        - function: hashApiKey.js
+      afterCreate:
+        - function: sendWelcomeEmail.js
+      # Other available events: beforeUpdate | afterUpdate | beforeDelete | afterDelete
+
+  # ── Standard collection entity ────────────────────────────────────────────
+  Post:
+    mainProp: title
+    properties:
+      - title
+      - { name: content, type: richText }
+      - { name: publishedAt, type: timestamp }
+      - { name: coverImage, type: image, options: { sizes: { large: { width: 1200 } } } }
+
+    # ── Relations ───────────────────────────────────────────────────────────
+    # belongsTo  → many-to-one (adds a foreign key on this entity)
+    # belongsToMany → many-to-many (uses a join table)
+
+    # Short syntax: just the related entity name.
+    belongsTo:
+      - User
+
+    # Long syntax: rename the relation and/or add extra options.
+    # belongsTo:
+    #   - name: author
+    #     entity: User
+    #     helpText: The author of this post
+    #     eager: false   # true = automatically load this relation in all queries
+
+    belongsToMany:
+      - Tag
+
+    policies:
+      create:
+        - { access: restricted, allow: User }
+      read:
+        - access: public
+      update:
+        - { access: restricted, allow: User, condition: self }
+      delete:
+        - access: admin
+
+  Tag:
+    properties:
+      - name
+    policies:
+      create:
+        - access: admin
+      read:
+        - access: public
+      update:
+        - access: admin
+      delete:
+        - access: admin
+
+  # ── Single entity ──────────────────────────────────────────────────────────
+  # A single entity has exactly one record — Create and Delete are disabled.
+  # Useful for site settings, homepage content, etc.
+  SiteSettings:
+    single: true
+    slug: site-settings
+    properties:
+      - { name: siteName, type: string }
+      - { name: tagline, type: text }
+      - { name: logo, type: image }
+    validation:
+      siteName: { required: true }
+
+# ── Reusable property groups ──────────────────────────────────────────────────
+# Groups are sets of properties you can embed in multiple entities using
+# type: group. They are stored as JSON in the parent entity's row.
+
+groups:
+  Address:
+    properties:
+      - { name: street, type: string }
+      - { name: city, type: string }
+      - { name: zipCode, type: string }
+      - { name: country, type: string }
+    validation:
+      city: { isNotEmpty: true }
+
+  # Usage in an entity property (multiple items by default):
+  #   - name: addresses
+  #     type: group
+  #     options:
+  #       group: Address      # Name of the group defined above
+  #       multiple: true      # false = single nested object; Default: true
+
+# ── Custom functions ──────────────────────────────────────────────────────────
+# Add your own functions — each can have multiple triggers (HTTP, cron, event).
+# Runtime is optional; defaults to 'js'. Files live in /functions (or CHADSTART_FUNCTIONS_FOLDER).
+#
+# Supported runtimes: js | bash | python | go | c++ | ruby | php
+# Supported triggers: http | cron | event
+#
+# Predefined cron aliases: @yearly @annually @monthly @weekly @daily @midnight @hourly
+# HTTP policies: public (default) | restricted | admin | forbidden
+
+functions:
+  hello:
+    runtime: js                   # js (default) | bash | python | go | c++ | ruby | php
+    function: hello.js            # path relative to CHADSTART_FUNCTIONS_FOLDER (default: functions/)
+    triggers:
+      - type: http
+        method: GET
+        path: /hello
+        # policies omitted → public (anyone can call)
+      - type: event
+        name: user.created        # Emitted by middleware/other functions via eventBus
+      - type: cron
+        schedule: "*/10 * * * *"  # Every 10 minutes
+      - type: cron
+        schedule: "@daily"        # Predefined alias (resolves to "0 0 * * *")
+
+  sendPasswordReset:
+    function: sendPasswordReset.js
+    description: Sends a password-reset email. Open to anyone.
+    triggers:
+      - type: http
+        method: POST
+        path: /auth/password-reset
+        policies:
+          - access: public
+
+  adminStats:
+    function: adminStats.js
+    description: Usage statistics. Requires any valid auth token.
+    triggers:
+      - type: http
+        method: GET
+        path: /admin/stats
+        policies:
+          - access: admin
+
+  myProfile:
+    function: myProfile.js
+    description: User-specific data. Only Customer tokens may access it.
+    triggers:
+      - type: http
+        method: GET
+        path: /me
+        policies:
+          - access: restricted
+            allow: Customer
+
+# ── File buckets ──────────────────────────────────────────────────────────────
+# Named storage locations for uploaded files.
+
+files:
+  uploads:
+    path: ./uploads           # Local directory (relative to this config file)
+    public: true              # Serve files at /files/uploads/*. Default: false
+
+  privateDocuments:
+    path: ./private-docs
+    public: false
+
+# ── Static public folder ──────────────────────────────────────────────────────
+# Serve a folder of static assets (HTML, CSS, images, …) from the root path.
+
+public:
+  folder: ./public
+
+# ── Plugins ───────────────────────────────────────────────────────────────────
+# Extend the server with additional Express routes and logic.
+# ⚠ Remote plugins execute arbitrary code — only load plugins from trusted sources.
+
+plugins:
+  - repo: https://github.com/org/chadstart-plugin-example  # Remote GitHub repo
+  - path: ./my-local-plugin                                 # Local directory
+    name: my-local-plugin                                   # Optional display name
+
+# ── Admin UI & Admin Entity ───────────────────────────────────────────────────
+# Control the built-in Admin UI and Admin entity (superuser access).
+#
+# By default:
+#   - An Admin entity is auto-created with email + password (authenticable).
+#   - The Admin UI is available at /admin (login page at /login).
+#   - The admin UI requires admin-level access.
+#
+# If you define entities.Admin in your YAML, it will be merged with the default.
+
+admin:
+  enable_app: true          # Serve the Admin UI at /admin. Default: true
+  enable_entity: true       # Create the built-in Admin entity. Default: true
+  policies:
+    - access: admin         # Who can access /admin. Default: access: admin
+
+# ── Rate limiting ─────────────────────────────────────────────────────────────
+# Protect your API from abuse.
+
+rateLimits:
+  - name: default
+    limit: 100              # Max requests allowed in the time window
+    ttl: 60000              # Time window in milliseconds (60 s here)
+  - name: strict
+    limit: 10
+    ttl: 60000
+
+# ── OpenTelemetry tracing ──────────────────────────────────────────────────────
+# Non-secret values can be set here; secret values (auth headers / API keys)
+# must be set via environment variables only — see .env.example.
+
+telemetry:
+  enabled: false            # Also configurable via OTEL_ENABLED env var
+  serviceName: my-app       # Overridable via OTEL_SERVICE_NAME env var
+  endpoint: http://localhost:4318  # Overridable via OTEL_EXPORTER_OTLP_ENDPOINT env var
+  # Auth headers (e.g., "authorization=Bearer <token>") must be set via
+  # OTEL_EXPORTER_OTLP_HEADERS env var — never place secrets in this file.
+
+# ── Error reporting (Sentry / Bugsink) ────────────────────────────────────────
+# Set SENTRY_DSN in your .env to enable. The DSN is a secret — never put it here.
+# Bugsink (https://www.bugsink.com) is a self-hosted Sentry-compatible alternative.
+
+sentry:
+  environment: production     # Label sent to Sentry. Defaults to NODE_ENV.
+  tracesSampleRate: 1.0       # Fraction of transactions to sample (0.0–1.0)
+  debug: false                # Enable Sentry SDK debug logging