npm - convex-cms - Versions diffs - 0.0.1 - Mend

convex-cms 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (379) hide show

package/dist/cli/commands/admin.d.ts +16 -0
package/dist/cli/commands/admin.d.ts.map +1 -0
package/dist/cli/commands/admin.js +88 -0
package/dist/cli/commands/admin.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +18 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/utils/detectConvexUrl.d.ts +13 -0
package/dist/cli/utils/detectConvexUrl.d.ts.map +1 -0
package/dist/cli/utils/detectConvexUrl.js +48 -0
package/dist/cli/utils/detectConvexUrl.js.map +1 -0
package/dist/cli/utils/openBrowser.d.ts +7 -0
package/dist/cli/utils/openBrowser.d.ts.map +1 -0
package/dist/cli/utils/openBrowser.js +17 -0
package/dist/cli/utils/openBrowser.js.map +1 -0
package/dist/client/admin-config.d.ts +126 -0
package/dist/client/admin-config.d.ts.map +1 -0
package/dist/client/admin-config.js +117 -0
package/dist/client/admin-config.js.map +1 -0
package/dist/client/adminApi.d.ts +2273 -0
package/dist/client/adminApi.d.ts.map +1 -0
package/dist/client/adminApi.js +716 -0
package/dist/client/adminApi.js.map +1 -0
package/dist/client/agentTools.d.ts +933 -0
package/dist/client/agentTools.d.ts.map +1 -0
package/dist/client/agentTools.js +1004 -0
package/dist/client/agentTools.js.map +1 -0
package/dist/client/argTypes.d.ts +212 -0
package/dist/client/argTypes.d.ts.map +1 -0
package/dist/client/argTypes.js +5 -0
package/dist/client/argTypes.js.map +1 -0
package/dist/client/field-types.d.ts +55 -0
package/dist/client/field-types.d.ts.map +1 -0
package/dist/client/field-types.js +152 -0
package/dist/client/field-types.js.map +1 -0
package/dist/client/index.d.ts +189 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +668 -0
package/dist/client/index.js.map +1 -0
package/dist/client/queryBuilder.d.ts +765 -0
package/dist/client/queryBuilder.d.ts.map +1 -0
package/dist/client/queryBuilder.js +970 -0
package/dist/client/queryBuilder.js.map +1 -0
package/dist/client/schema/codegen.d.ts +128 -0
package/dist/client/schema/codegen.d.ts.map +1 -0
package/dist/client/schema/codegen.js +318 -0
package/dist/client/schema/codegen.js.map +1 -0
package/dist/client/schema/defineContentType.d.ts +221 -0
package/dist/client/schema/defineContentType.d.ts.map +1 -0
package/dist/client/schema/defineContentType.js +380 -0
package/dist/client/schema/defineContentType.js.map +1 -0
package/dist/client/schema/index.d.ts +85 -0
package/dist/client/schema/index.d.ts.map +1 -0
package/dist/client/schema/index.js +92 -0
package/dist/client/schema/index.js.map +1 -0
package/dist/client/schema/schemaDrift.d.ts +199 -0
package/dist/client/schema/schemaDrift.d.ts.map +1 -0
package/dist/client/schema/schemaDrift.js +340 -0
package/dist/client/schema/schemaDrift.js.map +1 -0
package/dist/client/schema/typedClient.d.ts +401 -0
package/dist/client/schema/typedClient.d.ts.map +1 -0
package/dist/client/schema/typedClient.js +269 -0
package/dist/client/schema/typedClient.js.map +1 -0
package/dist/client/schema/types.d.ts +477 -0
package/dist/client/schema/types.d.ts.map +1 -0
package/dist/client/schema/types.js +39 -0
package/dist/client/schema/types.js.map +1 -0
package/dist/client/types.d.ts +449 -0
package/dist/client/types.d.ts.map +1 -0
package/dist/client/types.js +149 -0
package/dist/client/types.js.map +1 -0
package/dist/client/workflows.d.ts +51 -0
package/dist/client/workflows.d.ts.map +1 -0
package/dist/client/workflows.js +103 -0
package/dist/client/workflows.js.map +1 -0
package/dist/client/wrapper.d.ts +2198 -0
package/dist/client/wrapper.d.ts.map +1 -0
package/dist/client/wrapper.js +2651 -0
package/dist/client/wrapper.js.map +1 -0
package/dist/component/_generated/api.d.ts +124 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +4321 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/auditLog.d.ts +410 -0
package/dist/component/auditLog.d.ts.map +1 -0
package/dist/component/auditLog.js +607 -0
package/dist/component/auditLog.js.map +1 -0
package/dist/component/authorization.d.ts +323 -0
package/dist/component/authorization.d.ts.map +1 -0
package/dist/component/authorization.js +464 -0
package/dist/component/authorization.js.map +1 -0
package/dist/component/authorizationHooks.d.ts +184 -0
package/dist/component/authorizationHooks.d.ts.map +1 -0
package/dist/component/authorizationHooks.js +521 -0
package/dist/component/authorizationHooks.js.map +1 -0
package/dist/component/bulkOperations.d.ts +200 -0
package/dist/component/bulkOperations.d.ts.map +1 -0
package/dist/component/bulkOperations.js +568 -0
package/dist/component/bulkOperations.js.map +1 -0
package/dist/component/contentEntries.d.ts +719 -0
package/dist/component/contentEntries.d.ts.map +1 -0
package/dist/component/contentEntries.js +1617 -0
package/dist/component/contentEntries.js.map +1 -0
package/dist/component/contentEntryMutations.d.ts +505 -0
package/dist/component/contentEntryMutations.d.ts.map +1 -0
package/dist/component/contentEntryMutations.js +1009 -0
package/dist/component/contentEntryMutations.js.map +1 -0
package/dist/component/contentEntryValidation.d.ts +115 -0
package/dist/component/contentEntryValidation.d.ts.map +1 -0
package/dist/component/contentEntryValidation.js +546 -0
package/dist/component/contentEntryValidation.js.map +1 -0
package/dist/component/contentLock.d.ts +328 -0
package/dist/component/contentLock.d.ts.map +1 -0
package/dist/component/contentLock.js +471 -0
package/dist/component/contentLock.js.map +1 -0
package/dist/component/contentTypeMigration.d.ts +411 -0
package/dist/component/contentTypeMigration.d.ts.map +1 -0
package/dist/component/contentTypeMigration.js +805 -0
package/dist/component/contentTypeMigration.js.map +1 -0
package/dist/component/contentTypeMutations.d.ts +975 -0
package/dist/component/contentTypeMutations.d.ts.map +1 -0
package/dist/component/contentTypeMutations.js +768 -0
package/dist/component/contentTypeMutations.js.map +1 -0
package/dist/component/contentTypes.d.ts +538 -0
package/dist/component/contentTypes.d.ts.map +1 -0
package/dist/component/contentTypes.js +304 -0
package/dist/component/contentTypes.js.map +1 -0
package/dist/component/convex.config.d.ts +42 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +43 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/documentTypes.d.ts +186 -0
package/dist/component/documentTypes.d.ts.map +1 -0
package/dist/component/documentTypes.js +23 -0
package/dist/component/documentTypes.js.map +1 -0
package/dist/component/eventEmitter.d.ts +281 -0
package/dist/component/eventEmitter.d.ts.map +1 -0
package/dist/component/eventEmitter.js +300 -0
package/dist/component/eventEmitter.js.map +1 -0
package/dist/component/exportImport.d.ts +1120 -0
package/dist/component/exportImport.d.ts.map +1 -0
package/dist/component/exportImport.js +931 -0
package/dist/component/exportImport.js.map +1 -0
package/dist/component/index.d.ts +28 -0
package/dist/component/index.d.ts.map +1 -0
package/dist/component/index.js +142 -0
package/dist/component/index.js.map +1 -0
package/dist/component/lib/deepReferenceResolver.d.ts +252 -0
package/dist/component/lib/deepReferenceResolver.d.ts.map +1 -0
package/dist/component/lib/deepReferenceResolver.js +601 -0
package/dist/component/lib/deepReferenceResolver.js.map +1 -0
package/dist/component/lib/errors.d.ts +306 -0
package/dist/component/lib/errors.d.ts.map +1 -0
package/dist/component/lib/errors.js +407 -0
package/dist/component/lib/errors.js.map +1 -0
package/dist/component/lib/index.d.ts +10 -0
package/dist/component/lib/index.d.ts.map +1 -0
package/dist/component/lib/index.js +33 -0
package/dist/component/lib/index.js.map +1 -0
package/dist/component/lib/mediaReferenceResolver.d.ts +217 -0
package/dist/component/lib/mediaReferenceResolver.d.ts.map +1 -0
package/dist/component/lib/mediaReferenceResolver.js +326 -0
package/dist/component/lib/mediaReferenceResolver.js.map +1 -0
package/dist/component/lib/metadataExtractor.d.ts +245 -0
package/dist/component/lib/metadataExtractor.d.ts.map +1 -0
package/dist/component/lib/metadataExtractor.js +548 -0
package/dist/component/lib/metadataExtractor.js.map +1 -0
package/dist/component/lib/mutationAuth.d.ts +95 -0
package/dist/component/lib/mutationAuth.d.ts.map +1 -0
package/dist/component/lib/mutationAuth.js +146 -0
package/dist/component/lib/mutationAuth.js.map +1 -0
package/dist/component/lib/queries.d.ts +17 -0
package/dist/component/lib/queries.d.ts.map +1 -0
package/dist/component/lib/queries.js +49 -0
package/dist/component/lib/queries.js.map +1 -0
package/dist/component/lib/ragContentChunker.d.ts +423 -0
package/dist/component/lib/ragContentChunker.d.ts.map +1 -0
package/dist/component/lib/ragContentChunker.js +897 -0
package/dist/component/lib/ragContentChunker.js.map +1 -0
package/dist/component/lib/referenceResolver.d.ts +175 -0
package/dist/component/lib/referenceResolver.d.ts.map +1 -0
package/dist/component/lib/referenceResolver.js +293 -0
package/dist/component/lib/referenceResolver.js.map +1 -0
package/dist/component/lib/slugGenerator.d.ts +71 -0
package/dist/component/lib/slugGenerator.d.ts.map +1 -0
package/dist/component/lib/slugGenerator.js +207 -0
package/dist/component/lib/slugGenerator.js.map +1 -0
package/dist/component/lib/slugUniqueness.d.ts +131 -0
package/dist/component/lib/slugUniqueness.d.ts.map +1 -0
package/dist/component/lib/slugUniqueness.js +229 -0
package/dist/component/lib/slugUniqueness.js.map +1 -0
package/dist/component/lib/softDelete.d.ts +18 -0
package/dist/component/lib/softDelete.d.ts.map +1 -0
package/dist/component/lib/softDelete.js +29 -0
package/dist/component/lib/softDelete.js.map +1 -0
package/dist/component/localeFallbackChain.d.ts +410 -0
package/dist/component/localeFallbackChain.d.ts.map +1 -0
package/dist/component/localeFallbackChain.js +467 -0
package/dist/component/localeFallbackChain.js.map +1 -0
package/dist/component/localeFields.d.ts +508 -0
package/dist/component/localeFields.d.ts.map +1 -0
package/dist/component/localeFields.js +592 -0
package/dist/component/localeFields.js.map +1 -0
package/dist/component/mediaAssetMutations.d.ts +235 -0
package/dist/component/mediaAssetMutations.d.ts.map +1 -0
package/dist/component/mediaAssetMutations.js +558 -0
package/dist/component/mediaAssetMutations.js.map +1 -0
package/dist/component/mediaAssets.d.ts +168 -0
package/dist/component/mediaAssets.d.ts.map +1 -0
package/dist/component/mediaAssets.js +618 -0
package/dist/component/mediaAssets.js.map +1 -0
package/dist/component/mediaFolderMutations.d.ts +642 -0
package/dist/component/mediaFolderMutations.d.ts.map +1 -0
package/dist/component/mediaFolderMutations.js +849 -0
package/dist/component/mediaFolderMutations.js.map +1 -0
package/dist/component/mediaUploadMutations.d.ts +136 -0
package/dist/component/mediaUploadMutations.d.ts.map +1 -0
package/dist/component/mediaUploadMutations.js +205 -0
package/dist/component/mediaUploadMutations.js.map +1 -0
package/dist/component/mediaVariantMutations.d.ts +468 -0
package/dist/component/mediaVariantMutations.d.ts.map +1 -0
package/dist/component/mediaVariantMutations.js +737 -0
package/dist/component/mediaVariantMutations.js.map +1 -0
package/dist/component/mediaVariants.d.ts +525 -0
package/dist/component/mediaVariants.d.ts.map +1 -0
package/dist/component/mediaVariants.js +661 -0
package/dist/component/mediaVariants.js.map +1 -0
package/dist/component/ragContentIndexer.d.ts +595 -0
package/dist/component/ragContentIndexer.d.ts.map +1 -0
package/dist/component/ragContentIndexer.js +794 -0
package/dist/component/ragContentIndexer.js.map +1 -0
package/dist/component/rateLimitHooks.d.ts +266 -0
package/dist/component/rateLimitHooks.d.ts.map +1 -0
package/dist/component/rateLimitHooks.js +412 -0
package/dist/component/rateLimitHooks.js.map +1 -0
package/dist/component/roles.d.ts +649 -0
package/dist/component/roles.d.ts.map +1 -0
package/dist/component/roles.js +884 -0
package/dist/component/roles.js.map +1 -0
package/dist/component/scheduledPublish.d.ts +182 -0
package/dist/component/scheduledPublish.d.ts.map +1 -0
package/dist/component/scheduledPublish.js +304 -0
package/dist/component/scheduledPublish.js.map +1 -0
package/dist/component/schema.d.ts +4114 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +469 -0
package/dist/component/schema.js.map +1 -0
package/dist/component/taxonomies.d.ts +476 -0
package/dist/component/taxonomies.d.ts.map +1 -0
package/dist/component/taxonomies.js +785 -0
package/dist/component/taxonomies.js.map +1 -0
package/dist/component/taxonomyMutations.d.ts +206 -0
package/dist/component/taxonomyMutations.d.ts.map +1 -0
package/dist/component/taxonomyMutations.js +1001 -0
package/dist/component/taxonomyMutations.js.map +1 -0
package/dist/component/trash.d.ts +265 -0
package/dist/component/trash.d.ts.map +1 -0
package/dist/component/trash.js +621 -0
package/dist/component/trash.js.map +1 -0
package/dist/component/types.d.ts +4 -0
package/dist/component/types.d.ts.map +1 -0
package/dist/component/types.js +2 -0
package/dist/component/types.js.map +1 -0
package/dist/component/userContext.d.ts +508 -0
package/dist/component/userContext.d.ts.map +1 -0
package/dist/component/userContext.js +615 -0
package/dist/component/userContext.js.map +1 -0
package/dist/component/validation.d.ts +387 -0
package/dist/component/validation.d.ts.map +1 -0
package/dist/component/validation.js +1052 -0
package/dist/component/validation.js.map +1 -0
package/dist/component/validators.d.ts +4645 -0
package/dist/component/validators.d.ts.map +1 -0
package/dist/component/validators.js +641 -0
package/dist/component/validators.js.map +1 -0
package/dist/component/versionMutations.d.ts +216 -0
package/dist/component/versionMutations.d.ts.map +1 -0
package/dist/component/versionMutations.js +321 -0
package/dist/component/versionMutations.js.map +1 -0
package/dist/component/webhookTrigger.d.ts +770 -0
package/dist/component/webhookTrigger.d.ts.map +1 -0
package/dist/component/webhookTrigger.js +1413 -0
package/dist/component/webhookTrigger.js.map +1 -0
package/dist/react/index.d.ts +316 -0
package/dist/react/index.d.ts.map +1 -0
package/dist/react/index.js +558 -0
package/dist/react/index.js.map +1 -0
package/dist/test.d.ts +2230 -0
package/dist/test.d.ts.map +1 -0
package/dist/test.js +1107 -0
package/dist/test.js.map +1 -0
package/package.json +95 -0
package/src/cli/commands/admin.ts +104 -0
package/src/cli/index.ts +21 -0
package/src/cli/utils/detectConvexUrl.ts +54 -0
package/src/cli/utils/openBrowser.ts +16 -0
package/src/client/admin-config.ts +138 -0
package/src/client/adminApi.ts +942 -0
package/src/client/agentTools.ts +1311 -0
package/src/client/argTypes.ts +316 -0
package/src/client/field-types.ts +187 -0
package/src/client/index.ts +1301 -0
package/src/client/queryBuilder.ts +1100 -0
package/src/client/schema/codegen.ts +500 -0
package/src/client/schema/defineContentType.ts +501 -0
package/src/client/schema/index.ts +169 -0
package/src/client/schema/schemaDrift.ts +574 -0
package/src/client/schema/typedClient.ts +688 -0
package/src/client/schema/types.ts +666 -0
package/src/client/types.ts +723 -0
package/src/client/workflows.ts +141 -0
package/src/client/wrapper.ts +4304 -0
package/src/component/_generated/api.ts +140 -0
package/src/component/_generated/component.ts +5029 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/authorization.ts +647 -0
package/src/component/authorizationHooks.ts +668 -0
package/src/component/bulkOperations.ts +687 -0
package/src/component/contentEntries.ts +1976 -0
package/src/component/contentEntryMutations.ts +1223 -0
package/src/component/contentEntryValidation.ts +707 -0
package/src/component/contentLock.ts +550 -0
package/src/component/contentTypeMigration.ts +1064 -0
package/src/component/contentTypeMutations.ts +969 -0
package/src/component/contentTypes.ts +346 -0
package/src/component/convex.config.ts +44 -0
package/src/component/documentTypes.ts +240 -0
package/src/component/eventEmitter.ts +485 -0
package/src/component/exportImport.ts +1169 -0
package/src/component/index.ts +491 -0
package/src/component/lib/deepReferenceResolver.ts +999 -0
package/src/component/lib/errors.ts +816 -0
package/src/component/lib/index.ts +145 -0
package/src/component/lib/mediaReferenceResolver.ts +495 -0
package/src/component/lib/metadataExtractor.ts +792 -0
package/src/component/lib/mutationAuth.ts +199 -0
package/src/component/lib/queries.ts +79 -0
package/src/component/lib/ragContentChunker.ts +1371 -0
package/src/component/lib/referenceResolver.ts +430 -0
package/src/component/lib/slugGenerator.ts +262 -0
package/src/component/lib/slugUniqueness.ts +333 -0
package/src/component/lib/softDelete.ts +44 -0
package/src/component/localeFallbackChain.ts +673 -0
package/src/component/localeFields.ts +896 -0
package/src/component/mediaAssetMutations.ts +725 -0
package/src/component/mediaAssets.ts +932 -0
package/src/component/mediaFolderMutations.ts +1046 -0
package/src/component/mediaUploadMutations.ts +224 -0
package/src/component/mediaVariantMutations.ts +900 -0
package/src/component/mediaVariants.ts +793 -0
package/src/component/ragContentIndexer.ts +1067 -0
package/src/component/rateLimitHooks.ts +572 -0
package/src/component/roles.ts +1360 -0
package/src/component/scheduledPublish.ts +358 -0
package/src/component/schema.ts +617 -0
package/src/component/taxonomies.ts +949 -0
package/src/component/taxonomyMutations.ts +1210 -0
package/src/component/trash.ts +724 -0
package/src/component/userContext.ts +898 -0
package/src/component/validation.ts +1388 -0
package/src/component/validators.ts +949 -0
package/src/component/versionMutations.ts +392 -0
package/src/component/webhookTrigger.ts +1922 -0
package/src/react/index.ts +898 -0
package/src/test.ts +1580 -0

package/src/component/lib/mutationAuth.ts ADDED Viewed

@@ -0,0 +1,199 @@
+/**
+ * Mutation-Level Authorization Helper
+ *
+ * Provides defense-in-depth authorization for component mutations.
+ * When auth context is provided, mutations verify the role has permission.
+ *
+ * This complements the client wrapper's authorization:
+ * - Client wrapper: Primary authorization layer (runs hooks, RBAC)
+ * - Mutation auth: Secondary validation layer (pure RBAC check)
+ *
+ * @example
+ * ```typescript
+ * import { requireMutationAuth } from "./lib/mutationAuth.js";
+ *
+ * export const createEntry = mutation({
+ *   args: {
+ *     ...createContentEntryArgs.fields,
+ *     _auth: v.optional(mutationAuthContext),
+ *   },
+ *   handler: async (ctx, args) => {
+ *     requireMutationAuth(args._auth, "contentEntries", "create");
+ *     // ... mutation logic
+ *   },
+ * });
+ * ```
+ */
+import type { MutationAuthContext } from "../validators.js";
+import { hasPermission, type Resource, type Action, type RoleDefinition } from "../roles.js";
+import { permissionDenied } from "./errors.js";
+/**
+ * Options for mutation authorization check.
+ */
+export interface MutationAuthOptions {
+  /**
+   * Custom role definitions to include in permission checks.
+   * These are in addition to the default roles (admin, editor, author, viewer).
+   */
+  customRoles?: Record<string, RoleDefinition>;
+}
+/**
+ * Verify the auth context has permission for the requested operation.
+ *
+ * This function:
+ * 1. If `_auth` is undefined, does nothing (backwards compatible)
+ * 2. If `_auth` is provided, checks the role has permission
+ * 3. Throws CMSError with PERMISSION_DENIED if check fails
+ *
+ * For ownership-scoped permissions (e.g., author editing their own content):
+ * - If the role only has "own" scope, verifies resourceOwnerId matches userId
+ * - If the role has "all" scope, ownership is not checked
+ *
+ * @param auth - The auth context from mutation args (may be undefined)
+ * @param resource - The resource being accessed (e.g., "contentEntries")
+ * @param action - The action being performed (e.g., "create", "update")
+ * @param options - Optional configuration including custom roles
+ * @throws CMSError with code PERMISSION_DENIED if authorization fails
+ *
+ * @example
+ * ```typescript
+ * // Basic usage - check if role can create content entries
+ * requireMutationAuth(args._auth, "contentEntries", "create");
+ *
+ * // For update/delete - include resource owner for "own" scope check
+ * const entry = await ctx.db.get(args.id);
+ * requireMutationAuth(
+ *   { ...args._auth, resourceOwnerId: entry.createdBy },
+ *   "contentEntries",
+ *   "update"
+ * );
+ * ```
+ */
+export function requireMutationAuth(
+  auth: MutationAuthContext | undefined,
+  resource: Resource,
+  action: Action,
+  options?: MutationAuthOptions
+): void {
+  // If no auth context provided, skip authorization (backwards compatible)
+  // Security note: Caller is responsible for ensuring authorization was done elsewhere
+  if (!auth) {
+    return;
+  }
+  const { userId, role, resourceOwnerId } = auth;
+  // No role means no permissions
+  if (!role) {
+    throw permissionDenied(action, resource);
+  }
+  // Check if role has "all" scope permission
+  const hasAllScope = hasPermission(
+    role,
+    { resource, action, scope: "all" },
+    options?.customRoles
+  );
+  if (hasAllScope) {
+    return; // Authorized with "all" scope
+  }
+  // Check if role has "own" scope permission
+  const hasOwnScope = hasPermission(
+    role,
+    { resource, action, scope: "own" },
+    options?.customRoles
+  );
+  if (hasOwnScope) {
+    // "own" scope requires ownership verification
+    if (resourceOwnerId && resourceOwnerId === userId) {
+      return; // Authorized - user owns the resource
+    }
+    // For create operations, ownership is always satisfied (user will own it)
+    if (action === "create") {
+      return; // Authorized - creating own resource
+    }
+    // Ownership check failed
+    throw permissionDenied(
+      `${action} other users'`,
+      resource
+    );
+  }
+  // No permission found
+  throw permissionDenied(action, resource);
+}
+/**
+ * Check if auth context has permission without throwing.
+ *
+ * Useful for conditional logic based on permissions.
+ *
+ * @param auth - The auth context from mutation args
+ * @param resource - The resource being accessed
+ * @param action - The action being performed
+ * @param options - Optional configuration including custom roles
+ * @returns true if authorized, false otherwise
+ */
+export function hasMutationAuth(
+  auth: MutationAuthContext | undefined,
+  resource: Resource,
+  action: Action,
+  options?: MutationAuthOptions
+): boolean {
+  if (!auth) {
+    return true; // No auth = no restriction (backwards compatible)
+  }
+  const { userId, role, resourceOwnerId } = auth;
+  if (!role) {
+    return false;
+  }
+  // Check "all" scope first
+  if (hasPermission(role, { resource, action, scope: "all" }, options?.customRoles)) {
+    return true;
+  }
+  // Check "own" scope
+  if (hasPermission(role, { resource, action, scope: "own" }, options?.customRoles)) {
+    // For "own" scope, verify ownership or it's a create action
+    if (action === "create") {
+      return true;
+    }
+    if (resourceOwnerId && resourceOwnerId === userId) {
+      return true;
+    }
+    return false;
+  }
+  return false;
+}
+/**
+ * Augment auth context with resource owner information.
+ *
+ * Use this when you have an auth context and need to add ownership info
+ * for permission checks on existing resources.
+ *
+ * @param auth - The original auth context
+ * @param resourceOwnerId - The owner of the resource being accessed
+ * @returns Auth context with resourceOwnerId set
+ */
+export function withResourceOwner(
+  auth: MutationAuthContext | undefined,
+  resourceOwnerId: string | undefined
+): MutationAuthContext | undefined {
+  if (!auth) {
+    return undefined;
+  }
+  return { ...auth, resourceOwnerId };
+}

package/src/component/lib/queries.ts ADDED Viewed

@@ -0,0 +1,79 @@
+/**
+ * Common query helpers for the CMS component.
+ *
+ * Provides reusable query patterns for looking up documents by name,
+ * ID, or other common patterns with soft-delete awareness.
+ */
+import type { QueryCtx } from "../_generated/server.js";
+import type { Id, Doc, TableNames } from "../_generated/dataModel.js";
+import { isDeleted } from "./softDelete.js";
+export interface GetByIdOptions {
+  includeDeleted?: boolean;
+}
+export async function getContentTypeByName(
+  ctx: QueryCtx,
+  name: string,
+  options: GetByIdOptions = {}
+): Promise<Doc<"contentTypes"> | null> {
+  const contentType = await ctx.db
+    .query("contentTypes")
+    .withIndex("by_name", (q) => q.eq("name", name))
+    .first();
+  if (!contentType) return null;
+  if (!options.includeDeleted && isDeleted(contentType)) return null;
+  return contentType;
+}
+export async function getTaxonomyByName(
+  ctx: QueryCtx,
+  name: string,
+  options: GetByIdOptions = {}
+): Promise<Doc<"taxonomies"> | null> {
+  const taxonomy = await ctx.db
+    .query("taxonomies")
+    .withIndex("by_name", (q) => q.eq("name", name))
+    .first();
+  if (!taxonomy) return null;
+  if (!options.includeDeleted && isDeleted(taxonomy)) return null;
+  return taxonomy;
+}
+export async function contentTypeExists(
+  ctx: QueryCtx,
+  name: string,
+  options: GetByIdOptions = {}
+): Promise<boolean> {
+  const contentType = await getContentTypeByName(ctx, name, options);
+  return contentType !== null;
+}
+export async function taxonomyExists(
+  ctx: QueryCtx,
+  name: string,
+  options: GetByIdOptions = {}
+): Promise<boolean> {
+  const taxonomy = await getTaxonomyByName(ctx, name, options);
+  return taxonomy !== null;
+}
+export async function getActiveById<T extends TableNames>(
+  ctx: QueryCtx,
+  id: Id<T>,
+  options: GetByIdOptions = {}
+): Promise<Doc<T> | null> {
+  const doc = await ctx.db.get(id);
+  if (!doc) return null;
+  if (
+    !options.includeDeleted &&
+    "deletedAt" in doc &&
+    (doc as { deletedAt?: number }).deletedAt !== undefined
+  ) {
+    return null;
+  }
+  return doc;
+}