npm - db-model-router - Versions diffs - 1.0.6 → 1.0.7 - Mend

db-model-router 1.0.6 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/README.md +150 -11
package/TODO.md +0 -15
package/db-manager/.dbmanager.sqlite +0 -0
package/db-manager/README.md +223 -0
package/db-manager/adapter-proxy.js +361 -0
package/db-manager/demo/cockroachdb.env +6 -0
package/db-manager/demo/demo.sqlite +0 -0
package/db-manager/demo/dynamodb.env +7 -0
package/db-manager/demo/mongodb.env +4 -0
package/db-manager/demo/mssql.env +6 -0
package/db-manager/demo/mysql.env +6 -0
package/db-manager/demo/oracle.env +6 -0
package/db-manager/demo/postgres.env +6 -0
package/db-manager/demo/redis.env +4 -0
package/db-manager/demo/seeds/cockroachdb.sql +32 -0
package/db-manager/demo/seeds/mssql.sql +32 -0
package/db-manager/demo/seeds/mysql.sql +32 -0
package/db-manager/demo/seeds/oracle.sql +43 -0
package/db-manager/demo/seeds/postgres.sql +32 -0
package/db-manager/demo/seeds/sqlite3.sql +32 -0
package/db-manager/demo/sqlite3.env +2 -0
package/db-manager/metadata-db.js +170 -0
package/db-manager/public/.gitkeep +1 -0
package/db-manager/public/css/style.css +1413 -0
package/db-manager/public/js/app.js +1370 -0
package/db-manager/routes/api.js +388 -0
package/db-manager/routes/views.js +61 -0
package/db-manager/server.js +39 -0
package/db-manager/utils/build-filter-config.js +18 -0
package/db-manager/utils/csv-export.js +59 -0
package/db-manager/utils/export-filename.js +39 -0
package/db-manager/utils/filter-tables.js +20 -0
package/db-manager/utils/parse-filters.js +93 -0
package/db-manager/utils/sort-state.js +35 -0
package/db-manager/views/.gitkeep +1 -0
package/db-manager/views/dashboard.ejs +53 -0
package/db-manager/views/history.ejs +52 -0
package/db-manager/views/index.ejs +35 -0
package/db-manager/views/layout.ejs +31 -0
package/db-manager/views/partials/data-panel.ejs +74 -0
package/db-manager/views/partials/header.ejs +36 -0
package/db-manager/views/partials/sidebar.ejs +30 -0
package/db-manager/views/query.ejs +58 -0
package/dbmr.schema.json +22 -44
package/demo/.dockerignore +7 -0
package/demo/.env.example +14 -0
package/demo/Dockerfile +20 -0
package/demo/app.js +39 -0
package/demo/commons/add_migration.js +43 -0
package/demo/commons/db.js +28 -0
package/demo/commons/migrate.js +68 -0
package/demo/commons/modules.js +18 -0
package/demo/commons/password.js +36 -0
package/demo/commons/security.js +30 -0
package/demo/commons/session.js +13 -0
package/demo/commons/webhook.js +81 -0
package/demo/dbmr.schema.json +338 -0
package/demo/middleware/authenticate.js +14 -0
package/demo/middleware/hasPermission.js +30 -0
package/demo/middleware/logger.js +67 -0
package/demo/middleware/tenantIsolation.js +17 -0
package/demo/migrations/20260509170349_create_migrations_table.sql +6 -0
package/demo/migrations/20260509170349_create_saas_tables.sql +69 -0
package/demo/migrations/20260509170349_create_tables.sql +193 -0
package/demo/models/addresses.js +24 -0
package/demo/models/cart_items.js +20 -0
package/demo/models/carts.js +18 -0
package/demo/models/categories.js +22 -0
package/demo/models/coupons.js +25 -0
package/demo/models/index.js +43 -0
package/demo/models/order_items.js +23 -0
package/demo/models/orders.js +27 -0
package/demo/models/payments.js +23 -0
package/demo/models/product_images.js +20 -0
package/demo/models/product_reviews.js +22 -0
package/demo/models/product_variants.js +22 -0
package/demo/models/products.js +32 -0
package/demo/models/role_permissions.js +17 -0
package/demo/models/roles.js +17 -0
package/demo/models/shipments.js +21 -0
package/demo/models/tenants.js +18 -0
package/demo/models/users.js +23 -0
package/demo/models/webhook_logs.js +22 -0
package/demo/models/webhooks.js +19 -0
package/demo/models/wishlists.js +17 -0
package/demo/openapi.json +7000 -0
package/demo/package-lock.json +2810 -0
package/demo/package.json +43 -0
package/demo/routes/addresses/index.js +6 -0
package/demo/routes/auth/index.js +55 -0
package/demo/routes/carts/cart_items/index.js +7 -0
package/demo/routes/carts/index.js +6 -0
package/demo/routes/categories/index.js +6 -0
package/demo/routes/coupons/index.js +6 -0
package/demo/routes/docs.js +18 -0
package/demo/routes/health.js +35 -0
package/demo/routes/index.js +54 -0
package/demo/routes/orders/index.js +6 -0
package/demo/routes/orders/order_items/index.js +7 -0
package/demo/routes/orders/payments/index.js +7 -0
package/demo/routes/orders/shipments/index.js +7 -0
package/demo/routes/products/index.js +6 -0
package/demo/routes/products/product_images/index.js +7 -0
package/demo/routes/products/product_reviews/index.js +7 -0
package/demo/routes/products/product_variants/index.js +7 -0
package/demo/routes/roles/index.js +75 -0
package/demo/routes/roles/permissions/index.js +47 -0
package/demo/routes/tenants/index.js +45 -0
package/demo/routes/users/index.js +45 -0
package/demo/routes/wishlists/index.js +6 -0
package/demo/seeds/saas-seed.js +329 -0
package/docker-compose.yml +61 -0
package/package.json +120 -113
package/scripts/demo-create.js +1 -1
package/skill/SKILL.md +119 -3
package/src/cli/commands/db-manager.js +134 -0
package/src/cli/commands/generate.js +106 -60
package/src/cli/commands/help.js +0 -1
package/src/cli/generate-route.js +60 -21
package/src/cli/generate-saas-structure.js +122 -0
package/src/cli/init/generators.js +6 -0
package/src/cli/init.js +8 -0
package/src/cli/main.js +8 -1
package/src/cli/saas/generate-saas-middleware.js +108 -0
package/src/cli/saas/generate-saas-migrations.js +480 -0
package/src/cli/saas/generate-saas-models.js +211 -0
package/src/cli/saas/generate-saas-openapi.js +419 -0
package/src/cli/saas/generate-saas-routes.js +435 -0
package/src/cli/saas/generate-saas-seeds.js +243 -0
package/src/cli/saas/generate-saas-utils.js +176 -0
package/src/commons/kafka.js +139 -0
package/src/commons/model.js +29 -9
package/src/index.js +2 -0
package/src/mssql/db.js +41 -3
package/src/mysql/db.js +3 -0
package/src/postgres/db.js +6 -0
package/src/cli/generate-db-manager.js +0 -1573

package/src/cli/saas/generate-saas-routes.js ADDED Viewed

@@ -0,0 +1,435 @@
+"use strict";
+/**
+ * SaaS route generators.
+ *
+ * Generates CRUD routes, auth routes, and the routes index file
+ * for the SaaS structure generator. All generated code uses ES6 module syntax.
+ * Routes use folder-based structure: routes/<module>/index.js
+ * Imports use package.json #imports aliases: #models, #middleware, #commons
+ */
+/**
+ * Generate CRUD route files for users, tenants, roles, and role_permissions.
+ *
+ * @returns {Array<{ relPath: string, content: string }>}
+ */
+function generateCrudRoutes() {
+  const files = [];
+  files.push({
+    relPath: "routes/users/index.js",
+    content: generateUsersRoute(),
+  });
+  files.push({
+    relPath: "routes/tenants/index.js",
+    content: generateTenantsRoute(),
+  });
+  files.push({
+    relPath: "routes/roles/index.js",
+    content: generateRolesRoute(),
+  });
+  files.push({
+    relPath: "routes/roles/permissions/index.js",
+    content: generatePermissionsRoute(),
+  });
+  return files;
+}
+function generateUsersRoute() {
+  return `import express from "express";
+import authenticate from "#middleware/authenticate.js";
+import tenantIsolation from "#middleware/tenantIsolation.js";
+import hasPermission from "#middleware/hasPermission.js";
+import { users } from "#models";
+const router = express.Router({ mergeParams: true });
+router.get("/", authenticate, tenantIsolation, hasPermission("users", "read"), async (req, res) => {
+  try {
+    const results = await users.findAll(req.query);
+    res.json(results);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.post("/", authenticate, tenantIsolation, hasPermission("users", "write"), async (req, res) => {
+  try {
+    const result = await users.create(req.body);
+    res.status(201).json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.put("/:id", authenticate, tenantIsolation, hasPermission("users", "update"), async (req, res) => {
+  try {
+    const result = await users.update(req.params.id, req.body);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.delete("/:id", authenticate, tenantIsolation, hasPermission("users", "delete"), async (req, res) => {
+  try {
+    const result = await users.delete(req.params.id);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+export default router;
+`;
+}
+function generateTenantsRoute() {
+  return `import express from "express";
+import authenticate from "#middleware/authenticate.js";
+import tenantIsolation from "#middleware/tenantIsolation.js";
+import hasPermission from "#middleware/hasPermission.js";
+import { tenants } from "#models";
+const router = express.Router({ mergeParams: true });
+router.get("/", authenticate, tenantIsolation, hasPermission("tenants", "read"), async (req, res) => {
+  try {
+    const results = await tenants.findAll(req.query);
+    res.json(results);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.post("/", authenticate, tenantIsolation, hasPermission("tenants", "write"), async (req, res) => {
+  try {
+    const result = await tenants.create(req.body);
+    res.status(201).json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.put("/:id", authenticate, tenantIsolation, hasPermission("tenants", "update"), async (req, res) => {
+  try {
+    const result = await tenants.update(req.params.id, req.body);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.delete("/:id", authenticate, tenantIsolation, hasPermission("tenants", "delete"), async (req, res) => {
+  try {
+    const result = await tenants.delete(req.params.id);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+export default router;
+`;
+}
+function generateRolesRoute() {
+  return `import express from "express";
+import authenticate from "#middleware/authenticate.js";
+import tenantIsolation from "#middleware/tenantIsolation.js";
+import hasPermission from "#middleware/hasPermission.js";
+import { roles } from "#models";
+const router = express.Router({ mergeParams: true });
+function userHasGlobalPermission(req) {
+  return req.session.permission.some((p) => p.scope === "global");
+}
+function guardSystemRole(req, res, role) {
+  if (role.tenant_id === null && !userHasGlobalPermission(req)) {
+    res.status(403).json({ message: "Cannot modify system roles" });
+    return true;
+  }
+  return false;
+}
+function guardGlobalPermissionEscalation(req, res) {
+  const permissions = req.body.permissions || [];
+  const hasGlobalEntry = permissions.some((p) => p.scope === "global");
+  if (hasGlobalEntry && !userHasGlobalPermission(req)) {
+    res.status(403).json({ message: "Cannot assign global permissions" });
+    return true;
+  }
+  return false;
+}
+router.get("/", authenticate, tenantIsolation, hasPermission("roles", "read"), async (req, res) => {
+  try {
+    const results = await roles.findAll(req.query);
+    res.json(results);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.post("/", authenticate, tenantIsolation, hasPermission("roles", "write"), async (req, res) => {
+  try {
+    if (guardGlobalPermissionEscalation(req, res)) return;
+    const result = await roles.create(req.body);
+    res.status(201).json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.put("/:id", authenticate, tenantIsolation, hasPermission("roles", "update"), async (req, res) => {
+  try {
+    const role = await roles.findById(req.params.id);
+    if (!role) return res.status(404).json({ message: "Role not found" });
+    if (guardSystemRole(req, res, role)) return;
+    if (guardGlobalPermissionEscalation(req, res)) return;
+    const result = await roles.update(req.params.id, req.body);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.delete("/:id", authenticate, tenantIsolation, hasPermission("roles", "delete"), async (req, res) => {
+  try {
+    const role = await roles.findById(req.params.id);
+    if (!role) return res.status(404).json({ message: "Role not found" });
+    if (guardSystemRole(req, res, role)) return;
+    const result = await roles.delete(req.params.id);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+export default router;
+`;
+}
+function generatePermissionsRoute() {
+  return `import express from "express";
+import authenticate from "#middleware/authenticate.js";
+import tenantIsolation from "#middleware/tenantIsolation.js";
+import hasPermission from "#middleware/hasPermission.js";
+import { role_permissions } from "#models";
+const router = express.Router({ mergeParams: true });
+router.get("/", authenticate, tenantIsolation, hasPermission("permissions", "read"), async (req, res) => {
+  try {
+    const query = { ...req.query, role_id: req.params.role_id };
+    const results = await role_permissions.findAll(query);
+    res.json(results);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.post("/", authenticate, tenantIsolation, hasPermission("permissions", "write"), async (req, res) => {
+  try {
+    const data = { ...req.body, role_id: req.params.role_id };
+    const result = await role_permissions.create(data);
+    res.status(201).json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.put("/:permission_id", authenticate, tenantIsolation, hasPermission("permissions", "update"), async (req, res) => {
+  try {
+    const result = await role_permissions.update(req.params.permission_id, req.body);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+router.delete("/:permission_id", authenticate, tenantIsolation, hasPermission("permissions", "delete"), async (req, res) => {
+  try {
+    const result = await role_permissions.delete(req.params.permission_id);
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+export default router;
+`;
+}
+/**
+ * Generate the auth routes file (login and logout) in ES6.
+ *
+ * @returns {{ relPath: string, content: string }}
+ */
+function generateAuthRoutes() {
+  const relPath = "routes/auth/index.js";
+  const content = `import express from "express";
+import authenticate from "#middleware/authenticate.js";
+import { verifyPassword } from "#commons/password.js";
+import { users, roles, role_permissions } from "#models";
+const router = express.Router({ mergeParams: true });
+// POST /api/auth/login - Authenticate user and create session
+router.post("/login", async (req, res) => {
+  try {
+    const { email, password } = req.body;
+    if (!email || !password) {
+      return res.status(401).json({ message: "Invalid credentials" });
+    }
+    const userResults = await users.findAll({ email });
+    const user = Array.isArray(userResults) ? userResults[0] : (userResults?.data?.[0] ?? null);
+    if (!user) {
+      return res.status(401).json({ message: "Invalid credentials" });
+    }
+    const isValid = await verifyPassword(password, user.password_hash);
+    if (!isValid) {
+      return res.status(401).json({ message: "Invalid credentials" });
+    }
+    const role = await roles.findById(user.role_id);
+    const permsResult = await role_permissions.findAll({ role_id: user.role_id });
+    const permissionList = Array.isArray(permsResult) ? permsResult : (permsResult?.data ?? []);
+    req.session.user = user;
+    req.session.role = role;
+    req.session.permission = permissionList.map((p) =>
+      typeof p.permission === "string" ? JSON.parse(p.permission) : p.permission
+    );
+    res.json({ message: "Login successful", user: { id: user.user_id, email: user.email, name: user.name } });
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+// POST /api/auth/logout - Destroy session
+router.post("/logout", authenticate, (req, res) => {
+  req.session.destroy((err) => {
+    if (err) {
+      return res.status(500).json({ message: "Failed to destroy session" });
+    }
+    res.json({ message: "Logout successful" });
+  });
+});
+export default router;
+`;
+  return { relPath, content };
+}
+/**
+ * Generate the routes index file that wires both SaaS routes and dbmr-generated routes.
+ * Uses folder-based imports with #imports aliases.
+ *
+ * @param {string[]} [tableNames] - Schema-generated table names (from dbmr)
+ * @param {Array<{parent, child, foreignKey}>} [relationships] - Schema relationships
+ * @param {{ includeDocs?: boolean }} [options]
+ * @returns {{ relPath: string, content: string }}
+ */
+function generateRoutesIndex(tableNames, relationships, options) {
+  tableNames = tableNames || [];
+  relationships = relationships || [];
+  options = options || {};
+  // SaaS tables that have their own dedicated route folders
+  const saasRouteModules = new Set([
+    "users",
+    "tenants",
+    "roles",
+    "role_permissions",
+  ]);
+  // Collect child tables from relationships
+  const nestedChildren = new Set();
+  for (const rel of relationships) {
+    nestedChildren.add(rel.child);
+  }
+  let code = `import express from "express";\n\nconst router = express.Router({ mergeParams: true });\n\n`;
+  // --- SaaS route imports (folder-based with #routes alias) ---
+  code += `// SaaS auth & CRUD routes\n`;
+  code += `import authRoute from "#routes/auth/index.js";\n`;
+  code += `import saasUsersRoute from "#routes/users/index.js";\n`;
+  code += `import saasTenantsRoute from "#routes/tenants/index.js";\n`;
+  code += `import saasRolesRoute from "#routes/roles/index.js";\n`;
+  code += `import saasPermissionsRoute from "#routes/roles/permissions/index.js";\n\n`;
+  // --- dbmr schema-generated route imports (folder-based, skip SaaS-owned tables) ---
+  const dbmrTables = tableNames.filter(
+    (t) => !saasRouteModules.has(t) && !nestedChildren.has(t),
+  );
+  if (dbmrTables.length > 0 || relationships.length > 0) {
+    code += `// Schema-generated routes\n`;
+  }
+  for (const table of dbmrTables) {
+    code += `import ${safeVarName(table)}Route from "#routes/${table}/index.js";\n`;
+  }
+  for (const rel of relationships) {
+    if (saasRouteModules.has(rel.child)) continue;
+    code += `import ${safeVarName(rel.child)}ChildRoute from "#routes/${rel.parent}/${rel.child}/index.js";\n`;
+  }
+  if (options.includeDocs) {
+    code += `import docsRoute from "#routes/docs.js";\n`;
+  }
+  code += `\n`;
+  // --- Mount SaaS routes ---
+  code += `// SaaS routes\n`;
+  code += `router.use("/auth", authRoute);\n`;
+  code += `router.use("/users", saasUsersRoute);\n`;
+  code += `router.use("/tenants", saasTenantsRoute);\n`;
+  code += `router.use("/roles", saasRolesRoute);\n`;
+  code += `router.use("/roles/:role_id/permissions", saasPermissionsRoute);\n\n`;
+  // --- Mount docs route ---
+  if (options.includeDocs) {
+    code += `router.use("/docs", docsRoute);\n`;
+  }
+  // --- Mount dbmr child routes before parent routes ---
+  for (const rel of relationships) {
+    if (saasRouteModules.has(rel.child)) continue;
+    const childVar = safeVarName(rel.child);
+    code += `router.use("/${rel.parent}/:${rel.foreignKey}/${rel.child}", ${childVar}ChildRoute);\n`;
+  }
+  // --- Mount dbmr top-level routes ---
+  if (dbmrTables.length > 0) {
+    code += `\n// Schema-generated routes\n`;
+  }
+  for (const table of dbmrTables) {
+    code += `router.use("/${table}", ${safeVarName(table)}Route);\n`;
+  }
+  code += `\nexport default router;\n`;
+  return { relPath: "routes/index.js", content: code };
+}
+function safeVarName(name) {
+  if (/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(name)) return name;
+  return name.replace(/[^a-zA-Z0-9_$]/g, "_");
+}
+module.exports = {
+  generateCrudRoutes,
+  generateAuthRoutes,
+  generateRoutesIndex,
+};

package/src/cli/saas/generate-saas-seeds.js ADDED Viewed

@@ -0,0 +1,243 @@
+"use strict";
+const crypto = require("crypto");
+/**
+ * SaaS seed generator.
+ *
+ * Generates seed files for the Super Admin user and Tenant Admin Role,
+ * plus a credentials.md file with the generated password.
+ */
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/**
+ * All valid modules in the SaaS system.
+ * @type {string[]}
+ */
+const MODULES = ["users", "tenants", "roles", "permissions", "webhooks"];
+/**
+ * All valid actions in the permission system.
+ * @type {string[]}
+ */
+const ACTIONS = [
+  "read",
+  "write",
+  "update",
+  "delete",
+  "export",
+  "approve",
+  "global",
+];
+/**
+ * Super Admin permissions: all actions for all modules with global scope.
+ * @type {Array<{ module: string, action: string, scope: string }>}
+ */
+const SUPER_ADMIN_PERMISSIONS = [];
+for (const mod of MODULES) {
+  for (const action of ACTIONS) {
+    SUPER_ADMIN_PERMISSIONS.push({ module: mod, action, scope: "global" });
+  }
+}
+/**
+ * Tenant Admin permissions: CRUD actions for users and roles with tenant scope.
+ * No global permissions allowed.
+ * @type {Array<{ module: string, action: string, scope: string }>}
+ */
+const TENANT_ADMIN_PERMISSIONS = [];
+for (const mod of ["users", "roles"]) {
+  for (const action of ["read", "write", "update", "delete"]) {
+    TENANT_ADMIN_PERMISSIONS.push({ module: mod, action, scope: "tenant" });
+  }
+}
+// ---------------------------------------------------------------------------
+// Seed File Content Generation
+// ---------------------------------------------------------------------------
+/**
+ * Generate the content of the `seeds/saas-seed.js` file.
+ *
+ * The seed file, when executed:
+ * - Hashes the embedded password using the generated password utility
+ * - Inserts the Super Admin user with NULL tenant_id and all permissions
+ * - Inserts the Tenant Admin Role with NULL tenant_id and tenant-scoped permissions
+ * - Writes credentials.md with the super admin email and password
+ *
+ * @param {string} password - The generated random password to embed
+ * @returns {string} File content for seeds/saas-seed.js
+ */
+function generateSeedContent(password) {
+  const superAdminPermsStr = JSON.stringify(SUPER_ADMIN_PERMISSIONS, null, 2);
+  const tenantAdminPermsStr = JSON.stringify(TENANT_ADMIN_PERMISSIONS, null, 2);
+  return `"use strict";
+const path = require("path");
+const fs = require("fs");
+const { hashPassword } = require("../commons/password");
+/**
+ * Super Admin email address.
+ */
+const SUPER_ADMIN_EMAIL = "admin@system.local";
+/**
+ * Generated password for the Super Admin.
+ * This is cryptographically random and unique per generation.
+ */
+const SUPER_ADMIN_PASSWORD = "${password}";
+/**
+ * Super Admin permissions: all actions for all modules with global scope.
+ */
+const SUPER_ADMIN_PERMISSIONS = ${superAdminPermsStr};
+/**
+ * Tenant Admin permissions: CRUD for users and roles with tenant scope.
+ */
+const TENANT_ADMIN_PERMISSIONS = ${tenantAdminPermsStr};
+/**
+ * Write the credentials.md file with the super admin login details.
+ */
+function writeCredentials() {
+  const content = \`# Super Admin Credentials
+**Email:** \${SUPER_ADMIN_EMAIL}
+**Password:** \${SUPER_ADMIN_PASSWORD}
+> ⚠️ **WARNING:** Change this password after first login. This file should not be committed to version control.
+\`;
+  fs.writeFileSync(path.join(process.cwd(), "credentials.md"), content, "utf8");
+}
+/**
+ * Seed the database with Super Admin user and Tenant Admin Role.
+ *
+ * @param {object} db - Database connection/query interface
+ * @returns {Promise<void>}
+ */
+async function seed(db) {
+  const passwordHash = await hashPassword(SUPER_ADMIN_PASSWORD);
+  // Insert Super Admin role with all permissions
+  const superAdminRoleResult = await db("roles").insert({
+    tenant_id: null,
+    name: "Super Admin",
+    created_at: new Date(),
+    modified_at: new Date(),
+  });
+  const superAdminRoleId = Array.isArray(superAdminRoleResult)
+    ? superAdminRoleResult[0]
+    : superAdminRoleResult;
+  // Insert Super Admin permissions
+  for (const perm of SUPER_ADMIN_PERMISSIONS) {
+    await db("role_permissions").insert({
+      role_id: superAdminRoleId,
+      permission: JSON.stringify(perm),
+      created_at: new Date(),
+      modified_at: new Date(),
+    });
+  }
+  // Insert Super Admin user
+  await db("users").insert({
+    email: SUPER_ADMIN_EMAIL,
+    password_hash: passwordHash,
+    name: "Super Admin",
+    tenant_id: null,
+    role_id: superAdminRoleId,
+    created_at: new Date(),
+    modified_at: new Date(),
+  });
+  // Insert Tenant Admin Role
+  const tenantAdminRoleResult = await db("roles").insert({
+    tenant_id: null,
+    name: "Tenant Admin",
+    created_at: new Date(),
+    modified_at: new Date(),
+  });
+  const tenantAdminRoleId = Array.isArray(tenantAdminRoleResult)
+    ? tenantAdminRoleResult[0]
+    : tenantAdminRoleResult;
+  // Insert Tenant Admin permissions
+  for (const perm of TENANT_ADMIN_PERMISSIONS) {
+    await db("role_permissions").insert({
+      role_id: tenantAdminRoleId,
+      permission: JSON.stringify(perm),
+      created_at: new Date(),
+      modified_at: new Date(),
+    });
+  }
+  // Write credentials file
+  writeCredentials();
+  console.log("SaaS seed completed successfully.");
+  console.log("Super Admin:", SUPER_ADMIN_EMAIL);
+  console.log("Credentials written to credentials.md");
+}
+module.exports = { seed, SUPER_ADMIN_PERMISSIONS, TENANT_ADMIN_PERMISSIONS, SUPER_ADMIN_EMAIL, SUPER_ADMIN_PASSWORD };
+`;
+}
+/**
+ * Generate the content of the `credentials.md` file.
+ *
+ * @param {string} password - The generated random password
+ * @returns {string} File content for credentials.md
+ */
+function generateCredentialsContent(password) {
+  return `# Super Admin Credentials
+**Email:** admin@system.local
+**Password:** ${password}
+> ⚠️ **WARNING:** Change this password after first login. This file should not be committed to version control.
+`;
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Generate seed files for the SaaS structure.
+ *
+ * Produces:
+ * - `seeds/saas-seed.js`: Seed script that inserts Super Admin and Tenant Admin Role
+ * - `credentials.md`: File with super admin email and generated password
+ *
+ * @param {string} adapter - Database adapter name (accepted for API consistency)
+ * @returns {Array<{ relPath: string, content: string }>}
+ */
+function generateSaasSeeds(adapter) {
+  const password = crypto.randomBytes(16).toString("hex");
+  return [
+    {
+      relPath: "seeds/saas-seed.js",
+      content: generateSeedContent(password),
+    },
+    {
+      relPath: "credentials.md",
+      content: generateCredentialsContent(password),
+    },
+  ];
+}
+module.exports = {
+  generateSaasSeeds,
+  SUPER_ADMIN_PERMISSIONS,
+  TENANT_ADMIN_PERMISSIONS,
+};