npm - gencow - Versions diffs - 0.1.81 → 0.1.82 - Mend

gencow 0.1.81 → 0.1.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/bin/gencow.mjs +4 -6
package/core/index.js +325 -0
package/dashboard/assets/{index-CLmqVsl3.js → index-RH5HoiTX.js} +57 -57
package/dashboard/index.html +1 -1
package/lib/readme-codegen.mjs +9 -1
package/package.json +1 -1
package/server/index.js +5310 -25372
package/server/index.js.map +4 -4
package/templates/SECURITY.md +74 -50

package/bin/gencow.mjs CHANGED Viewed

@@ -2,16 +2,14 @@
 /**
  * @gencow/cli — Gencow CLI
  *
- * Like `npx convex dev` but for Gencow projects.
- *
  * Commands:
  *   gencow dev         — push schema → start server with hot-reload
- *   gencow db:push     — push schema.ts changes to DB (Convex-like, no migration files)
+ *   gencow db:push     — push schema.ts changes to DB (instant, no migration files)
  *   gencow db:generate — generate SQL migration files from schema.ts
  *   gencow db:migrate  — apply pending migrations
  *   gencow db:reset    — backup + reset DB (safe reset)
  *   gencow db:restore  — restore DB from backup
- *   gencow db:studio   — open Drizzle Studio (like Convex dashboard)
+ *   gencow db:studio   — open Drizzle Studio (visual DB browser)
  *   gencow dashboard   — open /_admin in browser
  *   gencow backup      — manage database backups (list/create/restore/delete/download)
  *   gencow help        — show this help
@@ -1351,7 +1349,7 @@ ${hasPrompt ? `
     async "db:studio"() {
             const config = loadConfig();
             log(`\n${BOLD}${CYAN}Gencow DB Studio${RESET}\n`);
-            info("Opening Drizzle Studio (Convex Dashboard equivalent)...");
+            info("Opening Drizzle Studio...");
             runInServer("pnpm db:studio", buildEnv(config));
         },
@@ -2933,7 +2931,7 @@ process.exit(0);
                 // Save current app to creds
                 saveCreds({ ...creds, currentApp: name });
-                // ── Scaffold local project files (Convex-like) ──────────
+                // ── Scaffold local project files ────────────────────
                 const cwd = process.cwd();
                 const config = loadConfig();

package/core/index.js CHANGED Viewed

@@ -1822,23 +1822,348 @@ function intervalToPattern(options) {
 function defineAuth(config) {
   return config;
 }
+// ../core/src/table.ts
+import { pgTable } from "drizzle-orm/pg-core";
+import { eq } from "drizzle-orm";
+function isOwnerFilter(opts) {
+  return "_ownerColumn" in opts;
+}
+if (!globalThis.__gencow_tableAccessRegistry) {
+  globalThis.__gencow_tableAccessRegistry = /* @__PURE__ */ new Map();
+}
+var tableAccessRegistry = globalThis.__gencow_tableAccessRegistry;
+function gencowTable(name, columns, options) {
+  if (!options || typeof options.filter !== "function" && !isOwnerFilter(options)) {
+    throw new Error(
+      `[gencow] gencowTable("${name}") requires a filter option. Use ownerFilter("userId") for simple user isolation, or { filter: () => true } for public tables.`
+    );
+  }
+  const table = pgTable(name, columns);
+  let filter;
+  if (isOwnerFilter(options)) {
+    const columnName = options._ownerColumn;
+    const col = table[columnName];
+    if (!col) {
+      throw new Error(
+        `[gencow] ownerFilter("${columnName}"): column "${columnName}" not found on table "${name}". Available columns: ${Object.keys(table).filter((k) => !k.startsWith("_") && !k.startsWith("$")).join(", ")}`
+      );
+    }
+    filter = (ctx) => {
+      const user = ctx.auth.requireAuth();
+      return eq(col, user.id);
+    };
+  } else {
+    filter = options.filter;
+  }
+  tableAccessRegistry.set(table, {
+    filter,
+    fieldAccess: options.fieldAccess,
+    tableName: name
+  });
+  return table;
+}
+function ownerFilter(columnName = "userId") {
+  return {
+    _ownerColumn: columnName,
+    // Placeholder filter — replaced by gencowTable()
+    filter: () => {
+      throw new Error("[gencow] ownerFilter placeholder should not be called directly");
+    }
+  };
+}
+function getTableAccessMeta(table) {
+  return tableAccessRegistry.get(table);
+}
+function isGencowTable(table) {
+  return tableAccessRegistry.has(table);
+}
+function getAllGencowTables() {
+  return new Map(tableAccessRegistry);
+}
+// ../core/src/scoped-db.ts
+import { and } from "drizzle-orm";
+function createScopedDb(db, ctx) {
+  return new Proxy(db, {
+    get(target, prop) {
+      const propStr = typeof prop === "string" ? prop : "";
+      if (propStr === "execute") {
+        return () => {
+          throw new Error(
+            "[gencow] ctx.db.execute() is not allowed. Use ctx.db.select().from(table) for type-safe queries with automatic access control. If you need raw SQL, use ctx.unsafeDb.execute()."
+          );
+        };
+      }
+      if (propStr === "$client" || propStr === "_") {
+        throw new Error(
+          `[gencow] ctx.db.${propStr} is not allowed. Direct database client access bypasses access control. Use ctx.unsafeDb if you need direct access.`
+        );
+      }
+      if (propStr === "select") {
+        return (...selectArgs) => {
+          const selectResult = target.select(...selectArgs);
+          return wrapSelectChain(selectResult, ctx);
+        };
+      }
+      if (propStr === "update") {
+        return (table) => {
+          const updateResult = target.update(table);
+          return wrapWriteChain(updateResult, table, ctx);
+        };
+      }
+      if (propStr === "delete") {
+        return (table) => {
+          const deleteResult = target.delete(table);
+          return wrapWriteChain(deleteResult, table, ctx);
+        };
+      }
+      if (propStr === "query") {
+        return wrapRelationalQuery(target.query, ctx);
+      }
+      const value = target[prop];
+      if (typeof value === "function") {
+        return value.bind(target);
+      }
+      return value;
+    }
+  });
+}
+function wrapSelectChain(selectResult, ctx) {
+  return new Proxy(selectResult, {
+    get(target, prop) {
+      const propStr = typeof prop === "string" ? prop : "";
+      if (propStr === "from") {
+        return (table, ...restArgs) => {
+          const fromResult = target.from(table, ...restArgs);
+          const meta = getTableAccessMeta(table);
+          if (meta) {
+            return wrapFromChain(fromResult, ctx, [{ table, meta }]);
+          }
+          return wrapFromChain(fromResult, ctx, []);
+        };
+      }
+      const value = target[prop];
+      if (typeof value === "function") {
+        return value.bind(target);
+      }
+      return value;
+    }
+  });
+}
+function wrapFromChain(chain, ctx, pendingFilters) {
+  return new Proxy(chain, {
+    get(target, prop) {
+      const propStr = typeof prop === "string" ? prop : "";
+      if (["leftJoin", "rightJoin", "innerJoin", "fullJoin"].includes(propStr)) {
+        return (joinTable, ...joinArgs) => {
+          const joinResult = target[propStr](joinTable, ...joinArgs);
+          const joinMeta = getTableAccessMeta(joinTable);
+          const newFilters = joinMeta ? [...pendingFilters, { table: joinTable, meta: joinMeta }] : pendingFilters;
+          return wrapFromChain(joinResult, ctx, newFilters);
+        };
+      }
+      if (propStr === "where") {
+        return (...whereArgs) => {
+          const combinedFilter = buildCombinedFilter(pendingFilters, ctx);
+          if (combinedFilter) {
+            const userWhere = whereArgs[0];
+            const merged = userWhere ? and(userWhere, combinedFilter) : combinedFilter;
+            const result = target.where(merged);
+            return wrapFromChain(result, ctx, []);
+          }
+          return wrapFromChain(target.where(...whereArgs), ctx, []);
+        };
+      }
+      if (propStr === "then" || propStr === "execute") {
+        if (pendingFilters.length > 0) {
+          const combinedFilter = buildCombinedFilter(pendingFilters, ctx);
+          if (combinedFilter) {
+            const filtered = target.where(combinedFilter);
+            return filtered[prop].bind(filtered);
+          }
+        }
+        const value2 = target[prop];
+        return typeof value2 === "function" ? value2.bind(target) : value2;
+      }
+      const value = target[prop];
+      if (typeof value === "function") {
+        return (...args) => {
+          const result = value.apply(target, args);
+          if (result && typeof result === "object" && typeof result.then === "function") {
+            return wrapFromChain(result, ctx, pendingFilters);
+          }
+          if (result && typeof result === "object" && "where" in result) {
+            return wrapFromChain(result, ctx, pendingFilters);
+          }
+          return result;
+        };
+      }
+      return value;
+    }
+  });
+}
+function wrapWriteChain(chain, table, ctx) {
+  const meta = getTableAccessMeta(table);
+  if (!meta) {
+    return chain;
+  }
+  return new Proxy(chain, {
+    get(target, prop) {
+      const propStr = typeof prop === "string" ? prop : "";
+      if (propStr === "where") {
+        return (...whereArgs) => {
+          const filterResult = evaluateFilterSync(meta, ctx);
+          if (typeof filterResult === "boolean") {
+            if (!filterResult) {
+              return target.where(whereArgs[0]);
+            }
+            return target.where(...whereArgs);
+          }
+          const userWhere = whereArgs[0];
+          const merged = userWhere ? and(userWhere, filterResult) : filterResult;
+          return target.where(merged);
+        };
+      }
+      if (propStr === "then" || propStr === "execute" || propStr === "returning") {
+        const filterResult = evaluateFilterSync(meta, ctx);
+        if (filterResult && typeof filterResult !== "boolean") {
+          const filtered = target.where(filterResult);
+          const value3 = filtered[prop];
+          return typeof value3 === "function" ? value3.bind(filtered) : value3;
+        }
+        const value2 = target[prop];
+        return typeof value2 === "function" ? value2.bind(target) : value2;
+      }
+      const value = target[prop];
+      if (typeof value === "function") {
+        return value.bind(target);
+      }
+      return value;
+    }
+  });
+}
+function wrapRelationalQuery(queryObj, ctx) {
+  if (!queryObj) return queryObj;
+  return new Proxy(queryObj, {
+    get(target, tableName) {
+      const tableProxy = target[tableName];
+      if (!tableProxy || typeof tableProxy !== "object") return tableProxy;
+      return new Proxy(tableProxy, {
+        get(tableTarget, method) {
+          const methodStr = typeof method === "string" ? method : "";
+          if (methodStr === "findMany" || methodStr === "findFirst") {
+            return (args = {}) => {
+              const meta = findMetaByTableName(String(tableName));
+              if (meta) {
+                const filterResult = evaluateFilterSync(meta, ctx);
+                if (filterResult && typeof filterResult !== "boolean") {
+                  args.where = args.where ? and(args.where, filterResult) : filterResult;
+                } else if (filterResult === false) {
+                  args.where = args.where;
+                }
+              }
+              return tableTarget[method](args);
+            };
+          }
+          const value = tableTarget[method];
+          if (typeof value === "function") {
+            return value.bind(tableTarget);
+          }
+          return value;
+        }
+      });
+    }
+  });
+}
+function buildCombinedFilter(pendingFilters, ctx) {
+  const sqlConditions = [];
+  for (const { meta } of pendingFilters) {
+    const result = evaluateFilterSync(meta, ctx);
+    if (result === false) {
+      const { sql: sqlTag } = __require("drizzle-orm");
+      return sqlTag`1 = 0`;
+    }
+    if (result === true) {
+      continue;
+    }
+    if (result) {
+      sqlConditions.push(result);
+    }
+  }
+  if (sqlConditions.length === 0) return null;
+  if (sqlConditions.length === 1) return sqlConditions[0];
+  return and(...sqlConditions) ?? null;
+}
+function evaluateFilterSync(meta, ctx) {
+  const result = meta.filter(ctx);
+  if (result instanceof Promise) {
+    throw new Error(
+      `[gencow] Async filter on table "${meta.tableName}" is not supported in synchronous context. Use synchronous filters for schema-level access control.`
+    );
+  }
+  return result;
+}
+function findMetaByTableName(name) {
+  for (const [, meta] of globalThis.__gencow_tableAccessRegistry || []) {
+    if (meta.tableName === name) return meta;
+  }
+  return void 0;
+}
+function applyFieldAccess(result, table, ctx) {
+  const meta = getTableAccessMeta(table);
+  if (!meta?.fieldAccess) return result;
+  const fieldAccess = meta.fieldAccess;
+  const maskedFields = [];
+  for (const [field, rule] of Object.entries(fieldAccess)) {
+    try {
+      if (!rule.read(ctx)) {
+        maskedFields.push(field);
+      }
+    } catch {
+      maskedFields.push(field);
+    }
+  }
+  if (maskedFields.length === 0) return result;
+  const maskRow = (row) => {
+    if (!row || typeof row !== "object") return row;
+    const masked = { ...row };
+    for (const field of maskedFields) {
+      if (field in masked) {
+        masked[field] = null;
+      }
+    }
+    return masked;
+  };
+  if (Array.isArray(result)) {
+    return result.map(maskRow);
+  }
+  return maskRow(result);
+}
 export {
   GencowValidationError,
+  applyFieldAccess,
   buildRealtimeCtx,
   createScheduler,
+  createScopedDb,
   cronJobs,
   defineAuth,
   deregisterClient,
+  gencowTable,
+  getAllGencowTables,
   getQueryDef,
   getQueryHandler,
   getRegisteredHttpActions,
   getRegisteredMutations,
   getRegisteredQueries,
   getSchedulerInfo,
+  getTableAccessMeta,
   handleWsMessage,
   httpAction,
   invalidateQueries,
+  isGencowTable,
   mutation,
+  ownerFilter,
   parseArgs,
   query,
   registerClient,