create-instant-app 0.22.98-experimental.highl.20766596946.1 → 0.22.99-experimental.add-user-perm-rules.20792844601.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-instant-app",
-  "version": "0.22.98-experimental.highl.20766596946.1",
+  "version": "0.22.99-experimental.add-user-perm-rules.20792844601.1",
   "description": "Scaffold a new web/mobile app with InstantDB",
   "homepage": "https://github.com/instantdb/instant/tree/main/client/packages/create-instant-app",
   "repository": {
@@ -33,8 +33,8 @@
     "ora": "6.3.1",
     "slugify": "^1.6.6",
     "sort-package-json": "^2.10.0",
-    "@instantdb/version": "0.22.98-experimental.highl.20766596946.1",
-    "instant-cli": "0.22.98-experimental.highl.20766596946.1"
+    "@instantdb/version": "0.22.99-experimental.add-user-perm-rules.20792844601.1",
+    "instant-cli": "0.22.99-experimental.add-user-perm-rules.20792844601.1"
   },
   "devDependencies": {
     "@anthropic-ai/sdk": "^0.60.0",

package/template/base/next-js-app-dir/package.json

@@ -11,7 +11,7 @@
   "dependencies": {
     "@instantdb/react": "latest",
     "@instantdb/admin": "latest",
-    "next": "15.4.10",
+    "next": "15.4.8",
     "react": "19.1.0",
     "react-dom": "19.1.0"
   },

package/template/rules/AGENTS.md

@@ -166,6 +166,35 @@ newData.ref('x')
 data.ref(someVar + '.members.id')
 ```
 
+## $users Permissions
+
+- Default `view` permission is `auth.id == data.id`
+- Default `create`, `update`, and `delete` permissions is false
+- Can override `view` and `update`
+- Cannot override `create` or `delete`
+
+## Field-level Permissions
+
+Restrict access to specific fields while keeping the entity public:
+
+```json
+{
+  "$users": {
+    "allow": {
+      "view": "true"
+    },
+    "fields": {
+      "email": "auth.id == data.id"
+    }
+  }
+}
+```
+
+Notes:
+
+- Field rules override entity-level `view` for that field
+- Useful for hiding sensitive data (emails, phone numbers) on public entities
+
 # Best Practices
 
 ## Pass `schema` when initializing Instant

package/template/rules/cursor-rules.md

@@ -172,6 +172,35 @@ newData.ref('x')
 data.ref(someVar + '.members.id')
 ```
 
+## $users Permissions
+
+- Default `view` permission is `auth.id == data.id`
+- Default `create`, `update`, and `delete` permissions is false
+- Can override `view` and `update`
+- Cannot override `create` or `delete`
+
+## Field-level Permissions
+
+Restrict access to specific fields while keeping the entity public:
+
+```json
+{
+  "$users": {
+    "allow": {
+      "view": "true"
+    },
+    "fields": {
+      "email": "auth.id == data.id"
+    }
+  }
+}
+```
+
+Notes:
+
+- Field rules override entity-level `view` for that field
+- Useful for hiding sensitive data (emails, phone numbers) on public entities
+
 # Best Practices
 
 ## Pass `schema` when initializing Instant

package/template/rules/windsurf-rules.md

@@ -172,6 +172,35 @@ newData.ref('x')
 data.ref(someVar + '.members.id')
 ```
 
+## $users Permissions
+
+- Default `view` permission is `auth.id == data.id`
+- Default `create`, `update`, and `delete` permissions is false
+- Can override `view` and `update`
+- Cannot override `create` or `delete`
+
+## Field-level Permissions
+
+Restrict access to specific fields while keeping the entity public:
+
+```json
+{
+  "$users": {
+    "allow": {
+      "view": "true"
+    },
+    "fields": {
+      "email": "auth.id == data.id"
+    }
+  }
+}
+```
+
+Notes:
+
+- Field rules override entity-level `view` for that field
+- Useful for hiding sensitive data (emails, phone numbers) on public entities
+
 # Best Practices
 
 ## Pass `schema` when initializing Instant