graphile-bucket-provisioner-plugin 0.2.0

package/LICENSE

@@ -0,0 +1,23 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Dan Lynch <pyramation@gmail.com>
+Copyright (c) 2025 Constructive <developers@constructive.io>
+Copyright (c) 2020-present, Interweb, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,228 @@
+# graphile-bucket-provisioner-plugin
+
+<p align="center" width="100%">
+  <img height="250" src="https://raw.githubusercontent.com/constructive-io/constructive/refs/heads/main/assets/outline-logo.svg" />
+</p>
+
+<p align="center" width="100%">
+  <a href="https://github.com/constructive-io/constructive/actions/workflows/run-tests.yaml">
+    <img height="20" src="https://github.com/constructive-io/constructive/actions/workflows/run-tests.yaml/badge.svg" />
+  </a>
+   <a href="https://github.com/constructive-io/constructive/blob/main/LICENSE"><img height="20" src="https://img.shields.io/badge/license-MIT-blue.svg"/></a>
+   <a href="https://www.npmjs.com/package/graphile-bucket-provisioner-plugin"><img height="20" src="https://img.shields.io/github/package-json/v/constructive-io/constructive?filename=graphile%2Fgraphile-bucket-provisioner-plugin%2Fpackage.json"/></a>
+</p>
+
+PostGraphile v5 plugin that automatically provisions S3-compatible buckets when bucket rows are created in the database. Wraps bucket creation mutations to call [`@constructive-io/bucket-provisioner`](../packages/bucket-provisioner) after the database row is inserted.
+
+## Features
+
+- **Auto-provisioning hook** — Wraps `create*` mutations on tables tagged with `@storageBuckets` to automatically provision S3 buckets after row creation
+- **CORS update hook** — Wraps `update*` mutations to detect `allowed_origins` changes and re-apply CORS rules to the S3 bucket
+- **3-tier CORS resolution** — Bucket-level `allowed_origins` → storage module-level `allowed_origins` → plugin config `allowedOrigins`
+- **Wildcard CORS** — Set `allowed_origins = ['*']` on a bucket for fully open CDN/public deployments
+- **Explicit `provisionBucket` mutation** — GraphQL mutation for manual/retry provisioning of any bucket
+- **Per-database overrides** — Reads `endpoint`, `provider`, `public_url_prefix`, and `allowed_origins` from the `storage_module` table for multi-tenant setups
+- **Lazy S3 config** — Connection config can be a function (evaluated once, cached) to avoid eager env-var reads at import time
+- **Graceful error handling** — Provisioning and CORS update failures are logged but never fail the mutation (admin can retry via `provisionBucket`)
+- **Custom bucket naming** — Supports prefix-based naming or a fully custom `resolveBucketName` function
+
+## Installation
+
+```bash
+pnpm add graphile-bucket-provisioner-plugin
+```
+
+## Quick Start
+
+```typescript
+import { createBucketProvisionerPlugin } from 'graphile-bucket-provisioner-plugin';
+
+const BucketProvisionerPlugin = createBucketProvisionerPlugin({
+  connection: {
+    provider: 'minio',
+    region: 'us-east-1',
+    endpoint: 'http://minio:9000',
+    accessKeyId: process.env.S3_ACCESS_KEY_ID!,
+    secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
+  },
+  allowedOrigins: ['https://app.example.com'],
+});
+
+// Add to your PostGraphile preset
+const preset: GraphileConfig.Preset = {
+  plugins: [BucketProvisionerPlugin],
+};
+```
+
+Or use the convenience preset:
+
+```typescript
+import { BucketProvisionerPreset } from 'graphile-bucket-provisioner-plugin';
+
+const preset: GraphileConfig.Preset = {
+  extends: [
+    BucketProvisionerPreset({
+      connection: () => ({
+        provider: 'minio',
+        region: 'us-east-1',
+        endpoint: process.env.S3_ENDPOINT!,
+        accessKeyId: process.env.S3_ACCESS_KEY_ID!,
+        secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
+      }),
+      allowedOrigins: ['https://app.example.com'],
+    }),
+  ],
+};
+```
+
+## How It Works
+
+### Auto-Provisioning (default)
+
+When a `createBucket` mutation runs on a table tagged with `@storageBuckets`:
+
+1. The original resolver runs first (creates the DB row via RLS)
+2. The plugin reads the bucket's `key` and `type` from the mutation input
+3. It reads the `storage_module` config for per-database endpoint/provider overrides
+4. It calls `BucketProvisioner.provision()` to create and configure the S3 bucket
+5. If provisioning fails, the error is logged but the mutation result is returned normally
+
+### Explicit Mutation
+
+The plugin also adds a `provisionBucket` mutation for manual provisioning or retrying failed provisions:
+
+```graphql
+mutation {
+  provisionBucket(input: { bucketKey: "public" }) {
+    success
+    bucketName
+    accessType
+    provider
+    endpoint
+    error
+  }
+}
+```
+
+This mutation:
+1. Reads the bucket row from the database (protected by RLS)
+2. Reads the storage module config for the current database
+3. Provisions the S3 bucket with the appropriate settings
+4. Returns a success/error payload
+
+## API
+
+### `createBucketProvisionerPlugin(options)`
+
+Creates the plugin instance. Returns a `GraphileConfig.Plugin`.
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `connection` | `StorageConnectionConfig \| () => StorageConnectionConfig` | S3 connection config (static or lazy getter) |
+| `allowedOrigins` | `string[]` | CORS allowed origins for bucket configuration |
+| `bucketNamePrefix` | `string?` | Prefix for S3 bucket names (e.g., `"myapp"` → `"myapp-public"`) |
+| `resolveBucketName` | `(bucketKey, databaseId) => string` | Custom bucket name resolver (takes precedence over prefix) |
+| `versioning` | `boolean?` | Enable S3 versioning on provisioned buckets (default: `false`) |
+| `autoProvision` | `boolean?` | Enable auto-provisioning hook on create mutations (default: `true`) |
+
+### `BucketProvisionerPreset(options)`
+
+Convenience function that wraps the plugin in a `GraphileConfig.Preset`.
+
+### Connection Config
+
+```typescript
+interface StorageConnectionConfig {
+  provider: 's3' | 'minio' | 'r2' | 'gcs' | 'spaces';
+  region: string;
+  endpoint?: string;
+  accessKeyId: string;
+  secretAccessKey: string;
+}
+```
+
+### Smart Tag Detection
+
+The plugin detects tables tagged with `@storageBuckets` (set by the storage module generator in constructive-db):
+
+```sql
+COMMENT ON TABLE app_public.buckets IS E'@storageBuckets\nStorage buckets table';
+```
+
+The plugin wraps `create*` mutations for auto-provisioning and `update*` mutations for CORS change detection. Delete mutations are not wrapped.
+
+## Error Handling
+
+The plugin is designed to never break mutations:
+
+- **Auto-provisioning errors** are caught and logged. The mutation result is returned normally. The admin can retry via the `provisionBucket` mutation.
+- **Explicit `provisionBucket` errors** return a structured payload with `success: false` and an `error` message.
+- **Validation errors** (`INVALID_BUCKET_KEY`, `DATABASE_NOT_FOUND`, `STORAGE_MODULE_NOT_PROVISIONED`, `BUCKET_NOT_FOUND`) are thrown as exceptions since they indicate configuration issues.
+
+## Multi-Tenant Support
+
+The plugin reads per-database overrides from the `storage_module` table:
+
+- `endpoint` — Override the S3 endpoint for this database
+- `provider` — Override the storage provider for this database
+- `public_url_prefix` — CDN/public URL prefix for public buckets
+
+This allows different tenants to use different storage backends while sharing the same plugin configuration.
+
+---
+
+## Education and Tutorials
+
+ 1. 🚀 [Quickstart: Getting Up and Running](https://constructive.io/learn/quickstart)
+Get started with modular databases in minutes. Install prerequisites and deploy your first module.
+
+ 2. 📦 [Modular PostgreSQL Development with Database Packages](https://constructive.io/learn/modular-postgres)
+Learn to organize PostgreSQL projects with pgpm workspaces and reusable database modules.
+
+ 3. ✏️ [Authoring Database Changes](https://constructive.io/learn/authoring-database-changes)
+Master the workflow for adding, organizing, and managing database changes with pgpm.
+
+ 4. 🧪 [End-to-End PostgreSQL Testing with TypeScript](https://constructive.io/learn/e2e-postgres-testing)
+Master end-to-end PostgreSQL testing with ephemeral databases, RLS testing, and CI/CD automation.
+
+ 5. ⚡ [Supabase Testing](https://constructive.io/learn/supabase)
+Use TypeScript-first tools to test Supabase projects with realistic RLS, policies, and auth contexts.
+
+ 6. 💧 [Drizzle ORM Testing](https://constructive.io/learn/drizzle-testing)
+Run full-stack tests with Drizzle ORM, including database setup, teardown, and RLS enforcement.
+
+ 7. 🔧 [Troubleshooting](https://constructive.io/learn/troubleshooting)
+Common issues and solutions for pgpm, PostgreSQL, and testing.
+
+## Related Constructive Tooling
+
+### 📦 Package Management
+
+* [pgpm](https://github.com/constructive-io/constructive/tree/main/pgpm/pgpm): **🖥️ PostgreSQL Package Manager** for modular Postgres development. Works with database workspaces, scaffolding, migrations, seeding, and installing database packages.
+
+### 🧪 Testing
+
+* [pgsql-test](https://github.com/constructive-io/constructive/tree/main/postgres/pgsql-test): **📊 Isolated testing environments** with per-test transaction rollbacks—ideal for integration tests, complex migrations, and RLS simulation.
+* [pgsql-seed](https://github.com/constructive-io/constructive/tree/main/postgres/pgsql-seed): **🌱 PostgreSQL seeding utilities** for CSV, JSON, SQL data loading, and pgpm deployment.
+* [supabase-test](https://github.com/constructive-io/constructive/tree/main/postgres/supabase-test): **🧪 Supabase-native test harness** preconfigured for the local Supabase stack—per-test rollbacks, JWT/role context helpers, and CI/GitHub Actions ready.
+* [graphile-test](https://github.com/constructive-io/constructive/tree/main/graphile/graphile-test): **🔐 Authentication mocking** for Graphile-focused test helpers and emulating row-level security contexts.
+* [pg-query-context](https://github.com/constructive-io/constructive/tree/main/postgres/pg-query-context): **🔒 Session context injection** to add session-local context (e.g., `SET LOCAL`) into queries—ideal for setting `role`, `jwt.claims`, and other session settings.
+
+### 🧠 Parsing & AST
+
+* [pgsql-parser](https://www.npmjs.com/package/pgsql-parser): **🔄 SQL conversion engine** that interprets and converts PostgreSQL syntax.
+* [libpg-query-node](https://www.npmjs.com/package/libpg-query): **🌉 Node.js bindings** for `libpg_query`, converting SQL into parse trees.
+* [pg-proto-parser](https://www.npmjs.com/package/pg-proto-parser): **📦 Protobuf parser** for parsing PostgreSQL Protocol Buffers definitions to generate TypeScript interfaces, utility functions, and JSON mappings for enums.
+* [@pgsql/enums](https://www.npmjs.com/package/@pgsql/enums): **🏷️ TypeScript enums** for PostgreSQL AST for safe and ergonomic parsing logic.
+* [@pgsql/types](https://www.npmjs.com/package/@pgsql/types): **📝 Type definitions** for PostgreSQL AST nodes in TypeScript.
+* [@pgsql/utils](https://www.npmjs.com/package/@pgsql/utils): **🛠️ AST utilities** for constructing and transforming PostgreSQL syntax trees.
+
+## Credits
+
+**🛠 Built by the [Constructive](https://constructive.io) team — creators of modular Postgres tooling for secure, composable backends. If you like our work, contribute on [GitHub](https://github.com/constructive-io).**
+
+## Disclaimer
+
+AS DESCRIBED IN THE LICENSES, THE SOFTWARE IS PROVIDED "AS IS", AT YOUR OWN RISK, AND WITHOUT WARRANTIES OF ANY KIND.
+
+No developer or entity involved in creating this software will be liable for any claims or damages whatsoever associated with your use, inability to use, or your interaction with other users of the code, including any direct, indirect, incidental, special, exemplary, punitive or consequential damages, or loss of profits, cryptocurrencies, tokens, or anything else of value.

package/esm/index.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Bucket Provisioner Plugin for PostGraphile v5
+ *
+ * Provides automatic S3 bucket provisioning for PostGraphile v5.
+ * When bucket rows are created via GraphQL mutations, this plugin
+ * automatically provisions the corresponding S3 bucket with the
+ * correct privacy policies, CORS rules, and lifecycle settings.
+ *
+ * Also provides an explicit `provisionBucket` mutation for manual
+ * provisioning or re-provisioning of S3 buckets.
+ *
+ * @example
+ * ```typescript
+ * import { BucketProvisionerPreset } from 'graphile-bucket-provisioner-plugin';
+ * import { getEnvOptions } from '@constructive-io/graphql-env';
+ *
+ * // Use a lazy getter so env vars are read at runtime, not import time
+ * function getConnection() {
+ *   const { cdn } = getEnvOptions();
+ *   return {
+ *     provider: cdn?.provider || 'minio',
+ *     region: cdn?.awsRegion || 'us-east-1',
+ *     endpoint: cdn?.endpoint || 'http://minio:9000',
+ *     accessKeyId: cdn?.awsAccessKey!,
+ *     secretAccessKey: cdn?.awsSecretKey!,
+ *   };
+ * }
+ *
+ * const preset = {
+ *   extends: [
+ *     BucketProvisionerPreset({
+ *       connection: getConnection, // pass function ref, NOT getConnection()
+ *       allowedOrigins: ['https://app.example.com'],
+ *       bucketNamePrefix: 'myapp',
+ *     }),
+ *   ],
+ * };
+ * ```
+ */
+export { BucketProvisionerPlugin, createBucketProvisionerPlugin } from './plugin';
+export { BucketProvisionerPreset } from './preset';
+export type { BucketProvisionerPluginOptions, ConnectionConfigOrGetter, BucketNameResolver, ProvisionBucketInput, ProvisionBucketPayload, StorageConnectionConfig, StorageProvider, BucketAccessType, ProvisionResult, } from './types';

package/esm/index.js

@@ -0,0 +1,41 @@
+/**
+ * Bucket Provisioner Plugin for PostGraphile v5
+ *
+ * Provides automatic S3 bucket provisioning for PostGraphile v5.
+ * When bucket rows are created via GraphQL mutations, this plugin
+ * automatically provisions the corresponding S3 bucket with the
+ * correct privacy policies, CORS rules, and lifecycle settings.
+ *
+ * Also provides an explicit `provisionBucket` mutation for manual
+ * provisioning or re-provisioning of S3 buckets.
+ *
+ * @example
+ * ```typescript
+ * import { BucketProvisionerPreset } from 'graphile-bucket-provisioner-plugin';
+ * import { getEnvOptions } from '@constructive-io/graphql-env';
+ *
+ * // Use a lazy getter so env vars are read at runtime, not import time
+ * function getConnection() {
+ *   const { cdn } = getEnvOptions();
+ *   return {
+ *     provider: cdn?.provider || 'minio',
+ *     region: cdn?.awsRegion || 'us-east-1',
+ *     endpoint: cdn?.endpoint || 'http://minio:9000',
+ *     accessKeyId: cdn?.awsAccessKey!,
+ *     secretAccessKey: cdn?.awsSecretKey!,
+ *   };
+ * }
+ *
+ * const preset = {
+ *   extends: [
+ *     BucketProvisionerPreset({
+ *       connection: getConnection, // pass function ref, NOT getConnection()
+ *       allowedOrigins: ['https://app.example.com'],
+ *       bucketNamePrefix: 'myapp',
+ *     }),
+ *   ],
+ * };
+ * ```
+ */
+export { BucketProvisionerPlugin, createBucketProvisionerPlugin } from './plugin';
+export { BucketProvisionerPreset } from './preset';

package/esm/plugin.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Bucket Provisioner Plugin for PostGraphile v5
+ *
+ * Adds S3 bucket provisioning support to PostGraphile v5:
+ *
+ * 1. `provisionBucket` mutation — explicitly provision an S3 bucket for a
+ *    logical bucket row in the database. Reads the bucket config via RLS,
+ *    then calls BucketProvisioner to create and configure the S3 bucket.
+ *
+ * 2. Auto-provisioning hook — wraps `create*` mutations on tables tagged
+ *    with `@storageBuckets` to automatically provision the S3 bucket after
+ *    the database row is created.
+ *
+ * 3. CORS update hook — wraps `update*` mutations on `@storageBuckets` tables
+ *    to detect changes to `allowed_origins` and re-apply CORS rules to the
+ *    S3 bucket.
+ *
+ * CORS resolution hierarchy (most specific wins):
+ *   1. Bucket-level `allowed_origins` column (per-bucket override)
+ *   2. Storage-module-level `allowed_origins` column (per-database default)
+ *   3. Plugin config `allowedOrigins` (global fallback)
+ * Supports `['*']` for open/CDN mode (wildcard CORS).
+ *
+ * Both pathways use `@constructive-io/bucket-provisioner` for the actual
+ * S3 operations (bucket creation, Block Public Access, CORS, policies,
+ * versioning, lifecycle rules).
+ *
+ * Detection: Uses the `@storageBuckets` smart tag on the codec (table).
+ * The storage module generator in constructive-db sets this tag on the
+ * generated buckets table via a smart comment:
+ *   COMMENT ON TABLE buckets IS E'@storageBuckets\nStorage buckets table';
+ */
+import type { GraphileConfig } from 'graphile-config';
+import type { BucketProvisionerPluginOptions } from './types';
+/**
+ * Creates the bucket provisioner plugin.
+ *
+ * This plugin provides two provisioning pathways:
+ *
+ * 1. **Explicit `provisionBucket` mutation** — Call this mutation with a
+ *    bucket key to provision (or re-provision) the S3 bucket. Protected
+ *    by RLS on the buckets table.
+ *
+ * 2. **Auto-provisioning hook** — When `autoProvision` is true (default),
+ *    wraps `create*` mutation resolvers on tables tagged with `@storageBuckets`
+ *    to automatically provision the S3 bucket after the row is created.
+ *
+ * @param options - Plugin configuration (S3 credentials, CORS origins, naming)
+ */
+export declare function createBucketProvisionerPlugin(options: BucketProvisionerPluginOptions): GraphileConfig.Plugin;
+export declare const BucketProvisionerPlugin: typeof createBucketProvisionerPlugin;
+export default BucketProvisionerPlugin;